- Suppress vulnerabilities that a formula's patches declare as resolved (via `patches[].resolves` in `brew info --json=v2`, Homebrew 6.0.4+); list them separately in text/JSON output, exclude them from SARIF output, and exclude them from the exit code
- CycloneDX output: emit patched vulnerabilities with `analysis.state = resolved` and include formula patches as `pedigree.patches` on each component
- Add `--no-ignore-patches` to report patched vulnerabilities as open findings
- Fix invalid SARIF output when no vulnerabilities are found (GitHub code scanning rejected the file)

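
A consumer-side check for the CycloneDX item above, as an added example (not part of these release notes or the project's code): it accepts `analysis.state = resolved` only when a `pedigree.patches[].resolves` entry on the affected component names the same id, and returns a CI exit status. The BOM, component names and CVE ids are constructed, and the layout assumed is the standard CycloneDX JSON one; the tool's actual output may differ.

```python
import json

# Constructed sample BOM (standard CycloneDX JSON layout; not real tool output).
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"bom-ref": "examplelib@1.0", "name": "examplelib", "version": "1.0",
     "pedigree": {"patches": [
       {"type": "backport", "resolves": [{"type": "security", "id": "CVE-0000-0001"}]}
     ]}},
    {"bom-ref": "othertool@2.3", "name": "othertool", "version": "2.3"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "analysis": {"state": "resolved"},
     "affects": [{"ref": "examplelib@1.0"}]},
    {"id": "CVE-0000-0002", "affects": [{"ref": "othertool@2.3"}]},
    {"id": "CVE-0000-0003", "analysis": {"state": "resolved"},
     "affects": [{"ref": "othertool@2.3"}]}
  ]
}
""")

def patched_ids(bom):
    """Map each component bom-ref to the issue ids its pedigree patches resolve."""
    out = {}
    for comp in bom.get("components", []):
        patches = comp.get("pedigree", {}).get("patches", [])
        out[comp.get("bom-ref")] = {
            r.get("id") for p in patches for r in p.get("resolves", [])}
    return out

def triage(bom):
    """Split findings: open, resolved with patch evidence, resolved without it."""
    by_ref = patched_ids(bom)
    result = {"open": [], "resolved": [], "unbacked": []}
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id")
        refs = [a.get("ref") for a in vuln.get("affects", [])]
        if vuln.get("analysis", {}).get("state") != "resolved":
            result["open"].append(vid)
        elif refs and all(vid in by_ref.get(r, set()) for r in refs):
            result["resolved"].append(vid)
        else:
            result["unbacked"].append(vid)  # marked resolved, no patch on record
    return result

def gate(bom):
    """CI exit status: non-zero if anything is open or resolved without evidence."""
    t = triage(bom)
    return 1 if t["open"] or t["unbacked"] else 0
```
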
Full Changelog: v0.3.0...v0.4.0