CycloneDX
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 39 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎.github/workflows/python.yml‎
Lines changed: 11 additions & 24 deletions b/‎.github/workflows/python.yml‎
Lines changed: 11 additions & 24 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.readthedocs.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.readthedocs.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cyclonedx/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎cyclonedx/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cyclonedx/builder/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎cyclonedx/builder/__init__.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cyclonedx/builder/this.py‎
Lines changed: 41 additions & 59 deletions b/‎cyclonedx/builder/this.py‎
Lines changed: 41 additions & 59 deletions
diff --git a/‎cyclonedx/contrib/README.md‎
Lines changed: 20 additions & 0 deletions b/‎cyclonedx/contrib/README.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎cyclonedx/_internal/hash.py‎ ‎cyclonedx/contrib/__init__.py‎cyclonedx/_internal/hash.py renamed to cyclonedx/contrib/__init__.py
Lines changed: 6 additions & 22 deletions b/‎cyclonedx/_internal/hash.py‎ ‎cyclonedx/contrib/__init__.py‎cyclonedx/_internal/hash.py renamed to cyclonedx/contrib/__init__.py
Lines changed: 6 additions & 22 deletions
@@ -0,0 +1,39 @@
+<!--🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅
+
+You can expedite processing of your PR by using this template to provide context
+and additional information. Before actually opening a PR please make sure that it
+does NOT fall into any of the following categories
+
+🚫 Spam PRs (accidental or intentional) - these will result in a 30-days or even
+∞ ban from interacting with the project depending on reoccurrence and severity.
+
+🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only be merged
+if all other typos in the same file are also fixed with the same PR
+
+🚫 If you fail to provide any _Description_ below, your PR will be considered spam.
+If you do not check the _Affirmation_ box below, your PR will not be merged.
+
+🚫 If you do not check one of the _AI Tool Disclosure_ boxes below, your PR will
+not be merged. If you used AI tools to assist you in writing code, but fail to
+provide the required disclosure, your PR will not be merged.
+
+🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅-->
+
+### Description
+
+<!-- ✍️-->
+A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
+
+Resolves or fixes issue: <!-- ✍️ Add GitHub issue number in format `#0000` or `none` -->
+
+### AI Tool Disclosure
+
+- [ ] My contribution does not include any AI-generated content
+- [ ] My contribution includes AI-generated content, as disclosed below:
+  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
+  - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]`
+  - Prompts: `[Summarize the key prompts or instructions given to the AI tools]`
+
+### Affirmation
+
+- [ ] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -57,7 +57,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -81,7 +81,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -105,7 +105,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -141,7 +141,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -180,31 +180,18 @@ jobs:
           - "-allExtras"
           - "-noExtras"
         exclude:
-          - os: macos-latest
+          - os: macos-latest  # macos-latest is incompatible with some PY versions
             python-version: "3.10"
-          - os: macos-latest
+          - os: macos-latest  # macos-latest is incompatible with some PY versions
             python-version: "3.9"
-        include:
-          - os: macos-13
-            python-version: "3.10"
-            toxenv-factors: "-allExtras"
-          - os: macos-13
-            python-version: "3.10"
-            toxenv-factors: "-noExtras"
-          - os: macos-13
-            python-version: "3.9"
-            toxenv-factors: "-allExtras"
-          - os: macos-13
-            python-version: "3.9"
-            toxenv-factors: "-noExtras"
     steps:
       - name: Disabled Git auto EOL CRLF transforms
         run: |
           git config --global core.autocrlf false
           git config --global core.eol lf
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Create reports directory
         run: mkdir ${{ env.REPORTS_DIR }}
       - name: Setup Python Environment
@@ -239,7 +226,7 @@ jobs:
       - name: Artifact reports
         if: ${{ ! cancelled() }}
         # see https://github.com/actions/upload-artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }}
           path: ${{ env.REPORTS_DIR }}
@@ -253,7 +240,7 @@ jobs:
     steps:
       - name: fetch test artifacts
         # see https://github.com/actions/download-artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: ${{ env.REPORTS_DIR }}
           pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-*
@@ -282,7 +269,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
 
@@ -48,7 +48,7 @@ jobs:
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -70,7 +70,7 @@ jobs:
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@v6
@@ -105,7 +105,7 @@ jobs:
     steps:
       - name: Checkout code
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
 
@@ -6,9 +6,9 @@ version: 2
 
 # Set the version of Python and other tools you might need
 build:
-  os: ubuntu-22.04
+  os: ubuntu-lts-latest
   tools:
-    python: "3.11"
+    python: "3.14"
     # You can also specify other tool versions:
     # nodejs: "16"
     # rust: "1.55"
 
@@ -2,6 +2,20 @@
 
 <!-- version list -->
 
+## v11.6.0 (2025-12-02)
+
+### Documentation
+
+- Update 1.7 ([#920](https://github.com/CycloneDX/cyclonedx-python-lib/pull/920),
+  [`7e6771b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/7e6771b0c1166d384ee438460e45794914937b6e))
+
+### Features
+
+- Moved non‑standard implementations to Contrib area
+  ([#916](https://github.com/CycloneDX/cyclonedx-python-lib/pull/916),
+  [`15a9023`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/15a902374bc6507788853a854256d3570ab250a7))
+
+
 ## v11.5.0 (2025-10-31)
 
 ### Features
 
@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "11.5.0"  # noqa:Q000
+__version__ = "11.6.0"  # noqa:Q000
@@ -17,4 +17,6 @@
 
 """
 Builders used in this library.
+
+.. deprecated:: next
 """
@@ -15,69 +15,51 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
-"""Representation of this very python library."""
+"""Representation of this very python library.
 
-__all__ = ['this_component', 'this_tool', ]
+.. deprecated:: next
+"""
 
-from .. import __version__ as __ThisVersion  # noqa: N812
-from ..model import ExternalReference, ExternalReferenceType, XsUri
-from ..model.component import Component, ComponentType
-from ..model.license import DisjunctiveLicense, LicenseAcknowledgement
-from ..model.tool import Tool
+__all__ = ['this_component', 'this_tool']
 
-# !!! keep this file in sync with `pyproject.toml`
+import sys
+from typing import TYPE_CHECKING
 
+if sys.version_info >= (3, 13):
+    from warnings import deprecated
+else:
+    from typing_extensions import deprecated
 
-def this_component() -> Component:
-    """Representation of this very python library as a :class:`Component`."""
-    return Component(
-        type=ComponentType.LIBRARY,
-        group='CycloneDX',
-        name='cyclonedx-python-lib',
-        version=__ThisVersion or 'UNKNOWN',
-        description='Python library for CycloneDX',
-        licenses=(DisjunctiveLicense(id='Apache-2.0',
-                                     acknowledgement=LicenseAcknowledgement.DECLARED),),
-        external_references=(
-            # let's assume this is not a fork
-            ExternalReference(
-                type=ExternalReferenceType.WEBSITE,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/#readme')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.DOCUMENTATION,
-                url=XsUri('https://cyclonedx-python-library.readthedocs.io/')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.VCS,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.BUILD_SYSTEM,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/actions')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.ISSUE_TRACKER,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/issues')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.LICENSE,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE')
-            ),
-            ExternalReference(
-                type=ExternalReferenceType.RELEASE_NOTES,
-                url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md')
-            ),
-            # we cannot assert where the lib was fetched from, but we can give a hint
-            ExternalReference(
-                type=ExternalReferenceType.DISTRIBUTION,
-                url=XsUri('https://pypi.org/project/cyclonedx-python-lib/')
-            ),
-        ),
-        # to be extended...
-    )
+from ..contrib.this.builders import this_component as _this_component, this_tool as _this_tool
 
+# region deprecated re-export
 
-def this_tool() -> Tool:
-    """Representation of this very python library as a :class:`Tool`."""
-    return Tool.from_component(this_component())
+if TYPE_CHECKING:
+    from ..model.component import Component
+    from ..model.tool import Tool
+
+
+@deprecated('Deprecated re-export location - see docstring of "this_component" for details.')
+def this_component() -> 'Component':
+    """Deprecated — Alias of :func:`cyclonedx.contrib.this.builders.this_component`.
+
+    .. deprecated:: next
+        This re-export location is deprecated.
+        Use ``from cyclonedx.contrib.this.builders import this_component`` instead.
+        The exported symbol itself is NOT deprecated — only this import path.
+    """
+    return _this_component()
+
+
+@deprecated('Deprecated re-export location - see docstring of "this_tool" for details.')
+def this_tool() -> 'Tool':
+    """Deprecated — Alias of :func:`cyclonedx.contrib.this.builders.this_tool`.
+
+    .. deprecated:: next
+        This re-export location is deprecated.
+        Use ``from cyclonedx.contrib.this.builders import this_tool`` instead.
+        The exported symbol itself is NOT deprecated — only this import path.
+    """
+    return _this_tool()
+
+# endregion deprecated re-export
@@ -0,0 +1,20 @@
+# CycloneDX Contrib Extensions
+
+This directory contains community-contributed functionality that extends the capabilities of the CycloneDX core library.  
+Unlike the modules in `../`, these features are not part of the official CycloneDX specification and may vary in stability, scope, or compatibility.
+
+## Contents
+- Utilities, helpers, and experimental features developed by the community
+- Optional add-ons that may facilitate or enhance use of the CycloneDX core library
+- Code that evolves independently of the CycloneDX specification
+
+## Notes
+- Contrib modules are optional and not required for strict compliance with the CycloneDX standard.
+- They may change more frequently than the core and are not guaranteed to follow the same versioning rules.
+- Users should evaluate these modules carefully and consult documentation or source comments for details.
+
+## Contributing
+Contributions are welcome. To add an extension:
+1. Follow the contribution guidelines in the main repository.
+2. Place your code in a clearly named subfolder or file under `contrib/`.
+3. Provide documentation and tests to ensure clarity and maintainability.  
@@ -17,27 +17,11 @@
 
 
 """
-!!! ALL SYMBOLS IN HERE ARE INTERNAL.
-Everything might change without any notice.
+Some features in this library are marked as contrib.
+These are community-provided extensions and are not part of the official standard.
+They are optional and may evolve independently from the core.
 """
 
-
-from hashlib import sha1
-
-
-def file_sha1sum(filename: str) -> str:
-    """
-    Generate a SHA1 hash of the provided file.
-
-    Args:
-        filename:
-            Absolute path to file to hash as `str`
-
-    Returns:
-        SHA-1 hash
-    """
-    h = sha1()  # nosec B303, B324
-    with open(filename, 'rb') as f:
-        for byte_block in iter(lambda: f.read(4096), b''):
-            h.update(byte_block)
-    return h.hexdigest()
+__all__ = [
+    # there is no intention to export anything in here.
+]