feat(sbom): added support for specifying --sbom-spec-version

[hooloovooo]

Currently only supported for cyclonedx. Allowed values are 1.5, 1.6, and 1.7 (defaulting to 1.7); the lower bound is 1.5 because the generated JSON uses fields (e.g. metadata.lifecycles) that are only valid from CycloneDX 1.5+.

Summary by CodeRabbit

• New Features

  • CLI flag to set CycloneDX SBOM spec version (defaults to 1.7).
  • Generated CycloneDX SBOMs include the chosen spec version in both the schema URL and the specVersion field.

• Validation

  • Accepts CycloneDX versions 1.5, 1.6, 1.7; errors for invalid values or when used with SPDX.

• Tests

  • Added tests for valid, invalid, and format-mismatch scenarios.

[zkochan]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 15d87c8d-44c2-45cd-87ea-238e78fb219e

📥 Commits

Reviewing files that changed from the base of the PR and between 6e26319 and 1768881.

📒 Files selected for processing (1)

• deps/compliance/commands/src/sbom/sbom.ts

✅ Files skipped from review due to trivial changes (1)

• deps/compliance/commands/src/sbom/sbom.ts

---

📝 Walkthrough

Walkthrough

Adds a CycloneDX-only CLI flag --sbom-spec-version, threads it from SbomCommandOptions through the sbom command handler into serializeCycloneDx, and uses it to set the emitted CycloneDX BOM $schema and specVersion. Includes tests and a changeset for a minor release.

Changes

SBOM Specification Version Configuration

Layer / File(s)	Summary
Type / Options deps/compliance/commands/src/sbom/sbom.ts, deps/compliance/sbom/src/serializeCycloneDx.ts	SbomCommandOptions adds sbomSpecVersion?: string; CycloneDxOptions adds specVersion?: string.
CLI Option Registration / Help deps/compliance/commands/src/sbom/sbom.ts	Registers --sbom-spec-version <version> in CLI option types and documents it in help().
Validation deps/compliance/commands/src/sbom/sbom.ts	Adds SUPPORTED_CYCLONEDX_SPEC_VERSIONS = ['1.5','1.6','1.7'] and validateSbomSpecVersion() that validates values and errors if used with non-CycloneDX formats.
Handler Wiring deps/compliance/commands/src/sbom/sbom.ts	handler() validates opts.sbomSpecVersion and forwards it as specVersion into serializeCycloneDx(...); SPDX path unchanged.
Serialization Implementation deps/compliance/sbom/src/serializeCycloneDx.ts	serializeCycloneDx computes `version = opts?.specVersion
Tests deps/compliance/commands/test/sbom/index.ts, deps/compliance/sbom/test/serializeCycloneDx.test.ts	Adds tests: successful CycloneDX run with --sbom-spec-version 1.6, invalid version (1.4) error, error when used with --sbom-format spdx, and a unit test asserting $schema and specVersion reflect the option.
Changeset / Release Note .changeset/honest-moose-grin.md	Adds changeset entry noting --sbom-spec-version and minor release bumps for the packages.

Sequence Diagram

sequenceDiagram
    participant CLI
    participant CommandHandler
    participant Serializer
    CLI->>CommandHandler: parse args (includes --sbom-spec-version)
    CommandHandler->>CommandHandler: validate sbomSpecVersion (format & allowed values)
    CommandHandler->>Serializer: serializeCycloneDx(project, { specVersion })
    Serializer->>Serializer: version = specVersion || "1.7"
    Serializer->>CLI: emit CycloneDX BOM with $schema and specVersion set

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A tiny flag I tugged with care,
From CLI hop to serializer's lair.
CycloneDX now wears the version I feed,
Default still steady, for when none I heed.
A neat little hop—quick, precise, and fair.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding support for the --sbom-spec-version flag. It is concise, directly related to the primary feature addition across the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deps/compliance/commands/src/sbom/sbom.ts (1)

220-227: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate --sbom-spec-version before passing it through.

Line 226 forwards raw user input without checks. This allows invalid CycloneDX versions and silently ignores the flag for SPDX, which can produce confusing/non-compliant output. Fail fast with explicit validation and format gating.

💡 Suggested patch

@@
   const sbomType = validateSbomType(opts.sbomType)
+  const sbomSpecVersion = validateSbomSpecVersion(opts.sbomSpecVersion, format)
@@
   const output = format === 'cyclonedx'
     ? serializeCycloneDx(result, {
       pnpmVersion: packageManager.version,
       lockfileOnly: opts.lockfileOnly,
       sbomAuthors: opts.sbomAuthors?.split(',').map((s) => s.trim()).filter(Boolean),
       sbomSupplier: opts.sbomSupplier,
-      specVersion: opts.sbomSpecVersion,
+      specVersion: sbomSpecVersion,
     })
     : serializeSpdx(result)
@@
 function validateSbomType (value: string | undefined): SbomComponentType {
   if (!value || value === 'library') return 'library'
   if (value === 'application') return 'application'
   throw new PnpmError(
@@
   )
 }
+
+function validateSbomSpecVersion (value: string | undefined, format: SbomFormat): string | undefined {
+  if (value == null) return undefined
+
+  if (format !== 'cyclonedx') {
+    throw new PnpmError(
+      'SBOM_SPEC_VERSION_UNSUPPORTED_FORMAT',
+      'The --sbom-spec-version option is supported only with --sbom-format cyclonedx.'
+    )
+  }
+
+  const normalized = value.trim()
+  const match = /^(\d+)\.(\d+)$/.exec(normalized)
+  if (!match) {
+    throw new PnpmError(
+      'SBOM_INVALID_SPEC_VERSION',
+      `Invalid CycloneDX spec version "${value}". Use a version >= 1.5 (for example: 1.5, 1.6, 1.7).`
+    )
+  }
+
+  const major = Number(match[1])
+  const minor = Number(match[2])
+  if (major < 1 || (major === 1 && minor < 5)) {
+    throw new PnpmError(
+      'SBOM_INVALID_SPEC_VERSION',
+      `Invalid CycloneDX spec version "${value}". Use a version >= 1.5.`
+    )
+  }
+
+  return `${major}.${minor}`
+}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deps/compliance/commands/src/sbom/sbom.ts` around lines 220 - 227, Before
calling serializeCycloneDx, validate opts.sbomSpecVersion when format ===
'cyclonedx': check that opts.sbomSpecVersion is one of the supported CycloneDX
spec versions (use a small whitelist constant) and if not, throw or exit with a
clear error message; do not forward raw input to serializeCycloneDx. Also ensure
that when format !== 'cyclonedx' the presence of --sbom-spec-version is ignored
or produces a helpful error/warning (fail fast) instead of being silently
dropped. Locate this logic around the serializeCycloneDx call and the format
variable, and perform validation prior to invoking serializeCycloneDx.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@deps/compliance/commands/src/sbom/sbom.ts`:
- Around line 220-227: Before calling serializeCycloneDx, validate
opts.sbomSpecVersion when format === 'cyclonedx': check that
opts.sbomSpecVersion is one of the supported CycloneDX spec versions (use a
small whitelist constant) and if not, throw or exit with a clear error message;
do not forward raw input to serializeCycloneDx. Also ensure that when format !==
'cyclonedx' the presence of --sbom-spec-version is ignored or produces a helpful
error/warning (fail fast) instead of being silently dropped. Locate this logic
around the serializeCycloneDx call and the format variable, and perform
validation prior to invoking serializeCycloneDx.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a1cbe83-e34f-4468-b50e-ebbb647ac9e1

📥 Commits

Reviewing files that changed from the base of the PR and between 3f37d17 and 84f3ad6.

📒 Files selected for processing (3)

• .changeset/honest-moose-grin.md
• deps/compliance/commands/src/sbom/sbom.ts
• deps/compliance/sbom/src/serializeCycloneDx.ts

[Copilot]

Pull request overview

Adds a new --sbom-spec-version CLI option so pnpm sbom --sbom-format cyclonedx can emit a caller-selected CycloneDX specVersion/$schema instead of always hardcoding 1.7.

Changes:

• Added sbomSpecVersion to the SBOM command options and CLI help.
• Threaded the selected spec version from the CLI into CycloneDX serialization.
• Added a changeset for the new SBOM version-selection feature.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
deps/compliance/sbom/src/serializeCycloneDx.ts	Makes CycloneDX $schema and specVersion configurable.
deps/compliance/commands/src/sbom/sbom.ts	Exposes --sbom-spec-version on the SBOM command and passes it to the serializer.
.changeset/honest-moose-grin.md	Records the release note for the new SBOM option.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deps/compliance/commands/src/sbom/sbom.ts`:
- Around line 247-262: In validateSbomSpecVersion, trim the incoming value
string before performing the null/format/allowed-version checks so inputs like
"1.6 " succeed; specifically, call value = value.trim() (or equivalent) after
the initial null check, then proceed to verify format (format !== 'cyclonedx'),
membership against SUPPORTED_CYCLONEDX_SPEC_VERSIONS, and return the trimmed
value; keep the same PnpmError codes ('SBOM_SPEC_VERSION_UNSUPPORTED_FORMAT' and
'SBOM_INVALID_SPEC_VERSION') on failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: de7c7e7c-b864-48d0-bc26-94ac64c6fdf6

📥 Commits

Reviewing files that changed from the base of the PR and between 2082689 and 6e26319.

📒 Files selected for processing (3)

• deps/compliance/commands/src/sbom/sbom.ts
• deps/compliance/commands/test/sbom/index.ts
• deps/compliance/sbom/test/serializeCycloneDx.test.ts

✅ Files skipped from review due to trivial changes (1)

• deps/compliance/commands/test/sbom/index.ts

[welcome]

Congrats on merging your first pull request! 🎉🎉🎉