Releases: CycloneDX/cdxgen
Release v10.4.0
What's Changed
- docs: update downloads badge by @setchy in #968
- Follow CycloneDX 1.5 spec for SPDX license expressions by @validide in #975
- Export proto support for 1.6 by @prabhu in #974
- Include cyclonedx-maven-plugin under tools for java by @prabhu in #976
- feat: switch to biomejs formatter + linter by @setchy in #977
Full Changelog: v10.3.5...v10.4.0
Contributors
Assets 3
Release v10.3.5 - cdx 1.6++
Introduction
This release is to formally announce cdxgen with support for 1.6 specifications. To recap, below are the features that are part of the 10.3.x release.
Cryptography Bill of Materials (CBOM) support
Quatum-based threats and Harvest now, decrypt later attacks are closer than we think. A precise inventory of all crypto libraries, assets such as keys, secrets, algorithms in use at an organization is important to give us an early start.
cdxgen now includes a brand new command called cbom to generate a Cryptography Bill of Materials (CBOM) document. This is supported for Java projects at launch and is powered by atom.
cbom -t javaCrypto properties
cdxgen can identify a range of crypto properties such as the algorithm names and their Object IDs. It can also identify the package that provides the implementation for the detected algorithms and add both occurrence and call-stack evidences to the CBOM document to help locate them.
Detailed formulation
cdxgen can identify a range of platform components that are used to compile, build, test, and deploy applications. We can now identify possible crypto libraries that might get statically-linked to the applications.
One more thing
cdxgen can now include components from the git tree and set an OmniBOR ID for git projects.
This feature is currently part of the --include-formulation argument although could become a dedicated command with a future release.
Full Changelog: v10.2.6...v10.3.5
Release v10.3.4
The previous release actually broke the cbom command since the variable options was not declared prior to use. This is the problem with doing a rush job.
Full Changelog: v10.3.3...v10.3.4
Release v10.3.3
Some tweaks to the cbom command
Full Changelog: v10.3.2...v10.3.3
Release v10.3.2
What's Changed
Full Changelog: v10.3.1...v10.3.2
Contributors
Assets 3
Release v10.3.1
Contributors
Assets 3
Release v10.3.0 - Hey 1.6
Introduction
This is a major release. We have added support for CycloneDX 1.6 specification in preview mode. Since the specification itself is not final, there will be changes in the coming days but the implementation must be stable enough for testing purposes.
There are also a couple of BREAKING changes in purl generation logic for go and npm to make it compatible with Dependency Track and OSV.
Thanks to @Lucasljungberg, we now have good support for Cargo including dependency tree support. @scrocquesel added a few important fixes for dotnet.
What's Changed
- resolve project reference for nuget without debug mode by @scrocquesel in #941
- cdx 1.6 spec support with some goodies by @prabhu in #935
- Add dependency tree for Rust projects by @Lucasljungberg in #931
- Remove sae builds by @prabhu in #946
- Remove caxa by @prabhu in #947
- OS release info was not read for alpine by @prabhu in #955
- Cargo parent components from cargo.toml by @prabhu in #949
- Include csproj files during restore by @prabhu in #959
- Schema updates by @prabhu in #945
- Add evidence for Cargo.lock parsed components by @Lucasljungberg in #960
Full Changelog: v10.2.6...v10.3.0
Contributors
Assets 3
Release v10.2.6
Single application executable builds are not available for this version. Apologies.
Improvements to dotnet packages.lock.json parsing
What's Changed
Full Changelog: v10.2.5...v10.2.6
Contributors
Assets 2
Release v10.2.5
Single application executable builds are not available for this version. Apologies.
What's Changed
- dedups dependsOn from packages.lock.file by @scrocquesel in #932
- Fallback to location based lookups for npm when integrity is unavailable by @prabhu in #936
New Contributors
- @scrocquesel made their first contribution in #932
Full Changelog: v10.2.4...v10.2.5
Contributors
Assets 2
Release v10.2.4
What's Changed
- feat: resolve ssh type url in swift package.resolved by @JingLeiTalan in #922
- go post build sbom by @prabhu in #924
New Contributors
- @JingLeiTalan made their first contribution in #922
Full Changelog: v10.2.3...v10.2.4
