drop Python 3.8 and vcr support so we can update urllib3

.github/workflows/unit-tests.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
 
     steps:
     - uses: actions/checkout@v3

ChangeLog.md

@@ -5,6 +5,10 @@
 
 # CaPyCli - Clearing Automation Python Command Line Tool for SW360
 
+## NEXT
+
+* drop support for Python 3.8, so we can update urllib3 to fix CVE-2025-50181 and -50182
+
 ## 2.9.0.dev1
 
 * CaPyCLI now marks components, releases and projects as created by CaPyCLI,

Readme.md

@@ -9,7 +9,7 @@
 
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/sw360/capycli/blob/main/License.md)
 [![PyPI](https://shields.io/pypi/v/capycli)](https://pypi.org/project/capycli/)
-[![Python Version](https://img.shields.io/badge/python-3.8%2C3.9%2C3.10%2C3.11-yellow?logo=python)](https://www.python.org/doc/versions/)
+[![Python Version](https://img.shields.io/badge/python-3.9%2C3.10%2C3.11-yellow?logo=python)](https://www.python.org/doc/versions/)
 [![Static Checks](https://github.com/sw360/capycli/actions/workflows/static-checks.yml/badge.svg)](https://github.com/sw360/capycli/actions/workflows/static-checks.yml)
 [![Unit Tests](https://github.com/sw360/capycli/actions/workflows/unit-tests.yml/badge.svg)](https://github.com/sw360/capycli/actions/workflows/unit-tests.yml)
 [![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/tngraf/c8f15831ecdcf6e86ab2b69cbb2d4f89/raw/df1a91c074c5ee34dc1f0dcf82bc0e76e39b5b4e/capycli-cobertura-coverage.json&color=green)](https://github.com/sw360/capycli/actions/workflows/unit-tests.yml)

capycli/bom/findsources.py

@@ -133,7 +133,7 @@ def get_github_info(repository_url: str, username: str = "",
            encounter projects with tens of thousands of tags.
         """
         raise NotImplementedError(
-            "Removed with introduction of get_matchting_source_tag!")
+            "Removed with introduction of get_matching_source_tag!")
 
     def _get_github_repo(self, github_ref: str) -> Dict[str, Any]:
         """Fetch GitHub API object identified by @github_ref.
@@ -404,21 +404,22 @@ def get_matching_tag(self, tag_info: List[Dict[str, Any]], version: str, github_
         for tag in tag_info:
             try:
                 if version_prefix:
-                    name = tag.get("name")
+                    name = tag.get("name", "")
                     if name and name.rpartition("/")[0] != version_prefix:
                         continue
 
                 version_diff = semver.VersionInfo.parse(
-                    self.to_semver_string(tag.get("name", None))).compare(
+                    self.to_semver_string(tag.get("name", ""))).compare(
                     self.to_semver_string(version))
             except Exception as e:
+                cname = e.__class__.__name__ if e.__class__ else ""
                 print(
                     Fore.LIGHTYELLOW_EX +
-                    "      Warning: semver.compare() threw " + e.__class__.__name__ +
+                    "      Warning: semver.compare() threw " + cname +
                     " Exception :" + github_url + " " + version +
-                    ", released version: " + tag.get("name", None)
+                    ", released version: " + tag.get("name", "")
                     + Style.RESET_ALL)
-                version_diff = 0 if tag.get("name", None) == version else 2
+                version_diff = 0 if tag.get("name", "") == version else 2
             # If versions are equal, version_diff shall be 0.
             # 1 and -1 have different meanings that doesn't be checked below
             if version_diff == 0:

capycli/dependencies/maven_pom.py

@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2020-2023 Siemens
+# Copyright (c) 2020-2025 Siemens
 # All Rights Reserved.
 # Author: [email protected]
 #
@@ -47,7 +47,7 @@ def parse_xmlns(self, file: str) -> ET.ElementTree:
                 if root is None:
                     root = elem
                 for prefix, uri in ns_map:
-                    elem.set("xmlns:" + prefix, uri)
+                    elem.set("xmlns:" + prefix, uri)  # type: ignore
                 ns_map = []
 
         return ET.ElementTree(root)
@@ -61,6 +61,9 @@ def process_pom_file(self, pom_file: str) -> Bom:
             sys.exit(ResultCode.RESULT_ERROR_READING_BOM)
 
         root = tree.getroot()
+        if not root:
+            print_red("This seems not to be a pom.xml file!")
+            sys.exit(ResultCode.RESULT_GENERAL_ERROR)
 
         ns = ""
         for key, value in root.items():

capycli/dependencies/nuget.py

@@ -174,11 +174,13 @@ def convert_project_file(self, csproj_file: str) -> Bom:
                     version = s.attributes["Version"].value
                 else:
                     # option b) version as sub tag
-                    version = s.getElementsByTagName("Version")
-                    if (not version) or (version.length < 1):
+                    version_elem = s.getElementsByTagName("Version")
+                    if (not version_elem) or (version_elem.length < 1):
                         print_yellow("No version for for package " + name)
                     else:
-                        version = version.item(0).childNodes.item(0).nodeValue
+                        first = version_elem.item(0)
+                        if first and first.childNodes and first.childNodes.length > 0:
+                            version = first.childNodes.item(0).nodeValue  # type: ignore
 
                 purl = PackageURL("nuget", "", name, version, "", "")
                 cxcomp = Component(
@@ -205,7 +207,7 @@ def is_test_project(self, csproj_file: str) -> bool:
 
         if data.getElementsByTagName("IsTestProject"):
             for s in data.getElementsByTagName("IsTestProject"):
-                if s.firstChild and s.firstChild.nodeValue == "true":  # type: ignore
+                if s.firstChild and s.firstChild.nodeValue == "true":
                     return True
 
         return False