Releases: CycloneDX/cdxgen
Release v10.6.0
externalReferences URLs are now validated and filtered. Thanks @timmyteo. There is a new option to use the maven dependency tree plugin for Java, instead of the cyclonedx plugin. Set the environment variable PREFER_MAVEN_DEPS_TREE=true to try this out.
What's Changed
- Fallback on 'cdx' or 'bom' JSON files for Java BOM by @nekhtan in #1127
- Switch to pnpm by @prabhu in #1134
- build: update biomejs by @setchy in #1138
- Add IRI Validation for externalReference URL by @timmyteo in #1140
- Feature/dotnet roll forward by @prabhu in #1139
- Feature/component duplicate tracking by @prabhu in #1146
New Contributors
Full Changelog: v10.5.2...v10.6.0
Release v10.5.2
What's Changed
- [fix] separate npm-release to separate jobs by @aryan-rajoria in #1050
- [Fix] Docker Build fails almalinux:9.3 by @aryan-rajoria in #1052
- build(vscode) enable always signoff by @setchy in #1063
- fix(biome): noUselessTernary by @setchy in #1062
- docs: add project types by @setchy in #1057
- docs: add NODE_OPTIONS by @setchy in #1056
- docs: update community support by @setchy in #1059
- build: add codeowners file by @setchy in #1058
- docs: link to contribute labels by @setchy in #1060
- docs: ref to new project types page by @setchy in #1067
- feat(docker): default to docker.io registry by @setchy in #1073
- docs: enterprise and community support by @setchy in #1071
- docs: remove unused media. should be in _media/ folder by @setchy in #1070
- docs: env variables by @setchy in #1069
- docs: type args ref to docs by @setchy in #1068
- Fix: Docker-deno and Docker-bun build fails by @aryan-rajoria in #1077
- docs: add documentation section by @setchy in #1079
- docs: update h1 by @setchy in #1080
- docs: fix broken queries.json link by @setchy in #1083
- docs: nodejs permissions by @setchy in #1082
- build: update contributors by @setchy in #1078
- docs: use link labels by @setchy in #1081
- feat: increase yargs terminal width by @setchy in #1087
- feat: increase yargs terminal width by @setchy in #1091
- Improved troubleshooting for go by @prabhu in #1096
- Issue 763 by @cerrussell in #1090
- Fix: Handle TAR_ENTRY_INVALID error by @aryan-rajoria in #1095
- Adding The Installation Of Root Dependencies For Npm by @g-kaz in #1100
- Fix: Split linux-tests job into two jobs by @aryan-rajoria in #1103
- cargo deep mode by @prabhu in #1102
- Fix ppc64 build issue by @prabhu in #1104
- docs: fix repo link by @setchy in #1114
- build(biome): apply safe changes. add script to filter summary for errors only by @setchy in #1111
- build(biome): update formatter options to ignore types/** by @setchy in #1110
- docs(server): add openapi specification by @setchy in #1113
- Adds new vulnerabilities command to the repl by @prabhu in #1120
- Support for dotnet framework. Dependency tree for csproj files by @prabhu in #1119
- Update spdx schema. Update packages by @prabhu in #1121
New Contributors
- @aryan-rajoria made their first contribution in #1050
- @g-kaz made their first contribution in #1100
Full Changelog: v10.5.1...v10.5.2
Release v10.5.1
The cdxgen container image now uses node 22 with compile cache. This offers significant performance improvements compared to the current node 20 based images, especially with server mode. With no breaking changes, we feel this is a patch release for the cdxgen node package rather than a minor release.
What's Changed
- Remove bun lock file by @prabhu in #1030
- Improve deno compatibility by using jar command fallback by @prabhu in #1031
- Enable node 22 tests by @prabhu in #1034
- Use node 22 via nvm in docker. Enable NODE_COMPILE_CACHE by @prabhu in #1036
Full Changelog: v10.5.0...v10.5.1
Release v10.5.0 - Python CBOM for everyone
Introduction
You can now generate a CBOM for Python applications. It is as easy as invoking the cbom command.
cbom -t python
The cdxi REPL can natively understand CBOM. Simply load the generated CBOM, and try the new commands .cryptos and .provides.
We have also added support for compliance-as-code via standards. Invoke cdxgen with the new --standard argument to automatically include their definitions.
Example:
cdxgen -t java --standard asvs-4.0.3
What's Changed
- Add support for executing dependencies task in parallel for Gradle by @ajmalab in #1007
- Feature/swh by @prabhu in #1012
- Update jdk to 21.0.3-tem by @prabhu in #1013
- Remove bun frozen install mode by @prabhu in #1017
- Python cbom by @prabhu in #1026
- Update atom. Regenerate types by @prabhu in #1028
- Support for standard templates by @prabhu in #1029
Full Changelog: v10.4.3...v10.5.0
Release v10.4.3
Release v10.4.2
We have applied numerous linting fixes reported by biome (Thanks @setchy). The lock file was deleted and regenerated, since the dependency tree was looking a lot better when compared with the existing one.
What's Changed
- chore(biome): fix use single var declarator by @setchy in #984
- chore(biome): fix use template by @setchy in #985
- chore(biome): remove unused rule overrides by @setchy in #986
- chore(biome): fix optional chaining cases by @setchy in #987
- chore(biome): fix useless else cases by @setchy in #988
- chore(biome): fix unused template literals by @setchy in #989
- Feature/maven private repos by @prabhu in #992
- chore(biome): fix no double equals by @setchy in #991
- chore: update biome by @setchy in #998
- Regenerate lock file and types. Adds vuln scanning by @prabhu in #999
Full Changelog: v10.4.1...v10.4.2
Release v10.4.1
What's Changed
Full Changelog: v10.4.0...v10.4.1
Release v10.4.0
What's Changed
- docs: update downloads badge by @setchy in #968
- Follow CycloneDX 1.5 spec for SPDX license expressions by @validide in #975
- Export proto support for 1.6 by @prabhu in #974
- Include cyclonedx-maven-plugin under tools for java by @prabhu in #976
- feat: switch to biomejs formatter + linter by @setchy in #977
Full Changelog: v10.3.5...v10.4.0
Release v10.3.5 - cdx 1.6++
Introduction
This release is to formally announce cdxgen with support for 1.6 specifications. To recap, below are the features that are part of the 10.3.x release.
Cryptography Bill of Materials (CBOM) support
Quantum-based threats and "harvest now, decrypt later" attacks are closer than we think. A precise inventory of all crypto libraries and assets (such as keys, secrets and algorithms) in use at an organization is important to give us an early start.
cdxgen now includes a brand new command called cbom to generate a Cryptography Bill of Materials (CBOM) document. This is supported for Java projects at launch and is powered by atom.
cbom -t java
Crypto properties
cdxgen can identify a range of crypto properties such as the algorithm names and their Object IDs (OIDs). It can also identify the package that provides the implementation for the detected algorithms and add both occurrence and call-stack evidence to the CBOM document to help locate them.
Detailed formulation
cdxgen can identify a range of platform components that are used to compile, build, test, and deploy applications. We can now identify possible crypto libraries that might get statically linked into the applications.
One more thing
cdxgen can now include components from the git tree and set an OmniBOR ID for git projects.
This feature is currently part of the --include-formulation argument, although it could become a dedicated command in a future release.
Full Changelog: v10.2.6...v10.3.5
Release v10.3.4
The previous release actually broke the cbom command, since the variable 'options' was not declared prior to use. This is the problem with doing a rush job.
Full Changelog: v10.3.3...v10.3.4