CycloneDX
diff --git a/‎.editorconfig‎
Lines changed: 1 addition & 1 deletion b/‎.editorconfig‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dotnetcore.yml‎
Lines changed: 19 additions & 2 deletions b/‎.github/workflows/dotnetcore.yml‎
Lines changed: 19 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 113 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 113 additions & 0 deletions
@@ -202,5 +202,5 @@ dotnet_diagnostic.CA2007.severity = suggestion
 dotnet_diagnostic.CA2000.severity = suggestion
 dotnet_style_operator_placement_when_wrapping = beginning_of_line
 tab_width = 2
-end_of_line = crlf
+end_of_line = lf
 
@@ -65,7 +65,7 @@ jobs:
         with:
           dotnet-version: '8.x'
       - name: Tests
-        run: dotnet test --framework ${{ matrix.framework }}  --collect:"XPlat Code Coverage;Format=cobertura" --results-directory "TestResults"
+        run: dotnet test CycloneDX.Tests --framework ${{ matrix.framework }}  --collect:"XPlat Code Coverage;Format=cobertura" --results-directory "TestResults"
       # see https://github.com/danielpalme/ReportGenerator/blob/main/.github/workflows/ci.yml
       - name: ReportGenerator
         uses: danielpalme/ReportGenerator-GitHub-Action@ee0ae774f6d3afedcbd1683c1ab21b83670bdf8e # v5.5.1
@@ -85,7 +85,24 @@ jobs:
         shell: bash
       - name: Upload coverage report artifact
         if: ${{ matrix.os == 'ubuntu-latest' && matrix.framework == 'net10.0' }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: CoverageReport_${{ matrix.framework }}_${{ matrix.os }}
           path: coveragereport
+
+  # E2E tests require Docker (Testcontainers) and only target net10.0.
+  # Run exclusively on ubuntu-latest where Docker is available on the runner.
+  e2e-test:
+    name: E2E Tests (ubuntu-latest, net10.0)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Setup dotnet 10
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
+        with:
+          dotnet-version: '10.x'
+      - name: Locked restore
+        run: dotnet restore --locked-mode
+      - name: E2E Tests
+        run: dotnet test CycloneDX.E2ETests --framework net10.0 --results-directory "TestResults"
@@ -44,7 +44,7 @@ jobs:
 
       # The tests should have already been run during the PR workflow, so this is really just a sanity check
       - name: Tests
-        run: dotnet test --framework net10.0
+        run: dotnet test CycloneDX.Tests --framework net10.0
 
       # Build and package everything, including the Docker image
       - name: Package release
@@ -73,7 +73,7 @@ jobs:
 
       # Generate the JSON with the docker container as additional smoke test
       - name: Generate JSON SBOM
-        run: docker run --rm -v ${GITHUB_WORKSPACE}:/usr/src/project cyclonedx/cyclonedx-dotnet:${{ steps.package_release.outputs.version }} /usr/src/project/CycloneDX.sln -j -o /usr/src/project
+        run: docker run --rm --user $(id -u):$(id -g) -v ${GITHUB_WORKSPACE}:/usr/src/project cyclonedx/cyclonedx-dotnet:${{ steps.package_release.outputs.version }} /usr/src/project/CycloneDX.sln --output-format json -o /usr/src/project
 
       - name: Publish package to NuGet
         env:
 
@@ -17,4 +17,8 @@ SBOM/
 TestResults/
 CycloneDX/Properties/launchSettings.json
 *.binlog
+*.DotSettings.user
 MSBuild_Logs/
+/.agent/
+bom.xml
+AGENTS.md
@@ -0,0 +1,113 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [6.0.0] - 2026-02-08
+
+> **⚠️ WARNING: This is a MAJOR release with breaking changes.**
+> 
+> This release includes multiple significant changes that may affect compatibility:
+> 
+> 1. **Removed deprecated CLI arguments** - Several CLI flags have been removed. Scripts, CI/CD pipelines, and automation using these flags will break.
+> 2. **Upgraded to .NET 10** - Runtime requirements have changed.
+> 3. **Updated System.CommandLine** - Upgraded from beta4 to v2.0.0 final, which includes breaking API changes that may affect command-line behavior.
+> 4. **Updated dependency versions** - NuGet packages, System.IO.Abstractions, and other dependencies have been upgraded.
+> 
+> **Action required:** Test thoroughly in a non-production environment before upgrading. Review all sections below for changes that may affect your use case.
+
+### Breaking Changes
+
+- **Remove deprecated CLI arguments** (#996, 0ae5d6a)
+  - Removed `--json`/`-j` flag (replaced by `--output-format json`)
+  - Removed `-f` flag (replaced by `-fn`/`--filename`)
+  - Removed `-d` flag (replaced by `-ed`/`--exclude-dev`)
+  - Removed `-r` flag (replaced by `-rs`/`--scan-project-references`)
+  - Removed `--disable-github-licenses`/`-dgl` flag (already default behavior)
+  - Removed `json` property from `RunOptions` model
+  - Updated all tests to use `outputFormat` enum instead of boolean `json` flag
+  - Cleaned up legacy flag handling logic in `Program.cs` and `Runner.cs`
+  - **Note:** `--out` flag was restored before release for backward compatibility (see Fixed section below)
+
+- **Upgraded System.CommandLine to v2.0.0** (#989, e11f8e7)
+  - Upgraded from `2.0.0-beta4.22272.1` to `2.0.0` (stable release)
+  - This version includes breaking API changes from the beta
+  - Command-line parsing behavior may differ in edge cases
+
+- **Minimum .NET runtime requirement** (#989, e11f8e7)
+  - Now requires .NET 10 runtime (upgraded from .NET 9)
+  - Docker images now use `mcr.microsoft.com/dotnet/sdk:10.0`
+
+### Added
+
+- **Documentation update** (#987, f041ac2)
+  - Added `.slnx` format to supported file types in README
+
+### Changed
+
+- **Dockerfile improvements** (#993, edf2bd9)
+  - Implemented multi-stage build (build + runtime stages) for smaller images
+  - Changed from tool installation to direct publish deployment
+  - Added environment variables for non-root execution: `DOTNET_CLI_HOME`, `NUGET_PACKAGES`
+  - Made `/tmp/dotnet-home` and `/tmp/nuget-packages` writable for any user (chmod 0755)
+  - Changed entrypoint from `CycloneDX` to `dotnet /app/CycloneDX.dll`
+  - Fixed handling when no path argument is provided (now shows help instead of error)
+  - Made `path` argument optional with `ArgumentArity.ZeroOrOne`
+
+- **Upgrade to .NET 10** (#989, e11f8e7)
+  - Updated target framework to `net10.0`
+  - Updated SDK image to `mcr.microsoft.com/dotnet/sdk:10.0`
+  - Updated System.IO.Abstractions from 21.0.2 to 22.1.0
+  - Updated test runner packages (xunit.runner.visualstudio, coverlet.collector)
+  - Fixed devcontainer Ubuntu 22.04 Dockerfile
+
+- **Dependency updates**
+  - actions/checkout: 5.0.0 → 6.0.1 (#986, #991)
+  - actions/upload-artifact: 4.6.2 → 5.0.0 (#979)
+  - actions/setup-dotnet: 5.0.0 → 5.0.1 (#988)
+  - danielpalme/ReportGenerator-GitHub-Action (version bump) (#992)
+
+### Fixed
+
+- **Restore `--out` parameter for backward compatibility**
+  - Reintroduced `--out` flag as a deprecated alias for `--output`/`-o` to maintain compatibility with existing GitHub Actions and CI/CD pipelines
+  - The parameter is marked as deprecated with a message directing users to use `--output` instead
+  - If both `--output` and `--out` are provided, `--output` takes precedence
+  - Prevents breaking existing automation while encouraging migration to the new flag
+
+- **Restore `--json` parameter for backward compatibility**
+  - Reintroduced `--json` flag as a deprecated alias for `--output-format json` to maintain compatibility with existing GitHub Actions and CI/CD pipelines
+  - The parameter is marked as deprecated with a message directing users to use `--output-format` instead
+  - If `--json` is provided, it sets the output format to JSON
+  - Prevents breaking existing automation while encouraging migration to the new flag
+
+- **Missing using statement** (161766f)
+  - Added missing `using System;` directive in Program.cs
+
+### Security
+
+- **Workflow security hardening** (#975, 39b8986)
+  - Changed global `permissions: contents: read` to `permissions: read-all`
+  - Follows principle of least privilege by limiting default permissions
+
+- **Pin GitHub Actions versions** (1145c82)
+  - Pinned all GitHub Actions to specific commit SHAs for reproducibility
+
+- **Enable NuGet package locking** (#972, fad44df)
+  - Added `packages.lock.json` files for both main and test projects
+  - Enabled `RestorePackagesWithLockFile` in Directory.Build.props
+  - Updated CI/CD workflows to use locked restore
+
+- **Update NuGet dependencies** (#973, e930da1)
+  - Bumped `NuGet.ProjectModel` from 6.9.1 to 6.14.0
+  - Bumped `NuGet.Protocol` from 6.9.1 to 6.14.0
+
+## [5.5.0] - 2025-10-06
+
+### Changed
+
+- Initial baseline for changelog tracking