v0.5.0

@mfahlandt mfahlandt released this 03 Jun 13:05
f3dc8d2

Multi-Cluster, Multi-Format & Project Views

This release transforms SeeBOM into a multi-cluster, multi-format SBOM platform with project-level grouping, optional API authentication, and significant Kubernetes deployment improvements. The API grows from 19 to 24 endpoints.

New Features

Project List View (#8)

  • Projects page (/projects): Groups all SBOMs by project with aggregated package count, vulnerability count, and latest ingestion timestamp
  • Depth-aware S3 path parsing: Automatically derives org/project (5+ path segments) or project (4 segments) from S3 source paths
  • Document name fallback: Non-S3 SBOMs extract project name from the document_name field (text before -)
  • Search with debounce: Instant filtering across all projects

Multi-Format SBOM Parsing (#55)

  • CycloneDX JSON (1.0–1.7) — built-in parser with component, license, and dependency mapping
  • Protobom backend (opt-in via USE_PROTOBOM=true) for maximum format coverage
  • Format auto-detection: Any .json file is accepted — format is determined at parse time by probing JSON fields (spdxVersion, bomFormat, predicateType)

Multi-Cluster Support (#131, #132, #133)

  • Cluster-aware data model: New cluster LowCardinality(String) column on all core tables (migration 012)
  • Per-bucket cluster assignment: Set "cluster": "prod-eu" in S3_BUCKETS JSON config
  • Cluster endpoints: GET /api/v1/clusters, GET /api/v1/clusters/{name}/stats, GET /api/v1/clusters/{name}/sboms
  • Fully optional — single-instance deployments need no config changes

API Authentication (#134)

  • Opt-in auth middleware: AUTH_ENABLED=true + SERVICE_TOKEN and/or API_KEYS
  • Accepts Authorization: Bearer, X-Service-Token, and X-API-Key headers
  • Timing-attack safe via crypto/subtle.ConstantTimeCompare
  • UI auto-wiring: nginx proxy injects SERVICE_TOKEN upstream — browser never sees the secret
  • Public paths (/healthz, /livez, /readyz, OPTIONS) always bypass auth
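How such an opt-in check can be built in Go around crypto/subtle.ConstantTimeCompare, honouring the three credential headers and the public-path bypass listed above. This is an added example, not SeeBOM's own middleware; the AuthConfig type, its field names and the header precedence are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// AuthConfig mirrors AUTH_ENABLED, SERVICE_TOKEN and API_KEYS; the type and
// field names are assumptions, not SeeBOM's own.
type AuthConfig struct {
	Enabled      bool
	ServiceToken string
	APIKeys      []string
}

// publicPaths always bypass auth, as listed in the release notes.
var publicPaths = map[string]bool{"/healthz": true, "/livez": true, "/readyz": true}

// constantTimeEqual rejects an unset secret and compares without a data-dependent early exit.
func constantTimeEqual(got, want string) bool {
	return want != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// credentialFromRequest reads Authorization: Bearer, X-Service-Token or
// X-API-Key; this precedence order is an assumption.
func credentialFromRequest(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	}
	if t := r.Header.Get("X-Service-Token"); t != "" {
		return t
	}
	return r.Header.Get("X-API-Key")
}

// Authorized reports whether the request may proceed. Every configured key is
// compared even after a match so timing does not reveal which one matched.
func (c AuthConfig) Authorized(r *http.Request) bool {
	if !c.Enabled || r.Method == http.MethodOptions || publicPaths[r.URL.Path] {
		return true
	}
	cred := credentialFromRequest(r)
	ok := constantTimeEqual(cred, c.ServiceToken)
	for _, k := range c.APIKeys {
		if constantTimeEqual(cred, k) {
			ok = true
		}
	}
	return ok
}
```

ConstantTimeCompare returns immediately when the two lengths differ, so it leaks only the secret's length; issuing fixed-length tokens removes even that. Wrap Authorized in an http.Handler that answers 401 when it returns false.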

SBOM Download (#144)

  • GET /api/v1/sboms/{id}/download — streams original SBOM file from S3 or local filesystem
  • Content-Disposition header with original filename
  • Download button in SBOM list and detail views

Kubernetes Enhancements

  • Health probes (#137): /livez (liveness), /readyz (readiness with ClickHouse ping)
  • Ingress template (#59): Controller-agnostic, supports any IngressClass (Envoy Gateway, Contour, ALB)
  • Headless mode (#139): ui.enabled=false skips all UI Kubernetes resources

Ingestion Improvements

  • SBOM_IGNORE_PREFIX env var (default _) to skip demo/example files during scanning
  • S3 shared settings inheritance — JSON-configured buckets inherit S3_ENDPOINT, S3_REGION, etc.
  • Generic .json file acceptance (format auto-detected at parse time)

Security

  • Go 1.25.11 — fixes GO-2026-5037, GO-2026-5038, GO-2026-5039 (stdlib)
  • golang.org/x/crypto v0.50.0 → v0.52.0, golang.org/x/net v0.53.0 → v0.55.0 — fixes 19 advisories (#149)
  • Fuzz parser hardening: recover() from goccy/go-json panics on malformed input
  • Example SBOMs updated — lodash 4.18.0, express 4.21.2 (clears Scorecard findings)
  • .osv-scanner.toml added for example SBOM false positive suppression
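The format probe from the Multi-Format item above and the recover() guard from the Security item, combined in one added Go example that is not SeeBOM's code: it reads only the discriminating fields (spdxVersion, bomFormat, predicateType) and turns a decoder panic into an error. The stdlib encoding/json is used in place of goccy/go-json, and the Format names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Format is the SBOM document type detected from a .json payload (names assumed).
type Format string

const (
	FormatSPDX        Format = "spdx"
	FormatCycloneDX   Format = "cyclonedx"
	FormatAttestation Format = "in-toto-attestation" // predicateType set
	FormatUnknown     Format = "unknown"
)

// probe decodes only the discriminating top-level fields; the full document
// is left to the format-specific parser that runs afterwards.
type probe struct {
	SPDXVersion   string `json:"spdxVersion"`
	BOMFormat     string `json:"bomFormat"`
	PredicateType string `json:"predicateType"`
}

// decodeRecovering converts a decoder panic into an error, the guard this release
// adds around goccy/go-json; encoding/json does not panic, so this shows the pattern.
func decodeRecovering(data []byte, v any) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panic on malformed input: %v", r)
		}
	}()
	return json.Unmarshal(data, v)
}

// DetectFormat probes the fields named in the release notes. predicateType wins
// first: an attestation-wrapped SBOM carries its own bomFormat or spdxVersion
// inside the predicate, which the probe never reads.
func DetectFormat(data []byte) (Format, error) {
	var p probe
	if err := decodeRecovering(data, &p); err != nil {
		return FormatUnknown, err
	}
	switch {
	case p.PredicateType != "":
		return FormatAttestation, nil
	case p.BOMFormat == "CycloneDX":
		return FormatCycloneDX, nil
	case p.SPDXVersion != "":
		return FormatSPDX, nil
	}
	return FormatUnknown, fmt.Errorf("no spdxVersion, bomFormat or predicateType field")
}
```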

Tests

  • 5 new backend test functions (scanner ignore prefix, generic JSON, config shared settings)
  • 3 new frontend tests (project list: create, load, search debounce)
  • Total: 16 Go packages passing, 15 Angular spec files with 57 tests passing

Resolved Issues

# Title
#8 Project List View — aggregated multi-version SBOM overview
#55 CycloneDX Support — parse CycloneDX 1.4+ SBOMs
#59 Expose API externally — Ingress, TLS, and public access
#131 Cluster-aware data model — support multi-cluster/fleet SBOM management
#132 Cluster listing endpoint — discover clusters with SBOM coverage
#133 Cluster-detail endpoints — per-cluster SBOM and vulnerability views
#134 API authentication — service token and API key support
#137 Enhanced health checks — readiness, liveness, and dependency checks
#139 Headless mode — API-only deployment without Angular UI
#144 Make SBOMs Downloadable
#149 fix(security): bump golang.org/x/* and qs to patch May 2026 advisories

Helm Chart Fixes (ArgoCD compatibility)

  • Make batch job cleanup optional for ArgoCD by @koksay
  • Remove lookup function from Helm chart (not working with ArgoCD) by @koksay
  • Fix secret lookup issue in the Helm chart by @koksay

Maintenance

Dependency Updates

  • go directive: 1.25.10 → 1.25.11 (fixes 3 stdlib CVEs)
  • golang.org/x/crypto: v0.50.0 → v0.52.0
  • golang.org/x/net: v0.53.0 → v0.55.0
  • golang.org/x/sys: v0.43.0 → v0.45.0
  • minio/minio-go/v7: bumped (#164)
  • @angular/cli, build, cdk: 21.2.11 → 21.2.12 (#158, #159, #161)
  • vitest: 4.1.6 → 4.1.7
  • qs: 6.15.1 → 6.15.2 (fixes GHSA-q8mj-m7cp-5q26)
  • Dockerfile: golang:1.24-alpine → golang:1.25-alpine

GitHub Actions Updates

  • docker/login-action: 4.1.0 → 4.2.0 (#151)
  • docker/setup-buildx-action: 4.0.0 → 4.1.0 (#150)
  • docker/build-push-action: 7.1.0 → 7.2.0 (#152)
  • github/codeql-action: 4.35.3 → 4.36.0 (#130)

CI/Build Fixes

  • UI Dockerfile: --platform=$BUILDPLATFORM on builder stage (fixes ARM64 QEMU crash)
  • Deploy-docs workflow: Go version pinned to 1.25.11

Documentation

  • Complete API reference with all 24 endpoints (#146)
  • Multi-format SBOM support documented across landing page, architecture, FAQ, and README
  • Testing guide updated (366 test invocations across backend + frontend)
  • Release checklist and major version policy added
  • Architecture decisions #33 to #36 added to decision log

Container Images

All images are signed with cosign (keyless) and attested with SLSA provenance.

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.5.0
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.5.0
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.5.0
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.5.0
docker pull ghcr.io/seebom-labs/seebom/ui:0.5.0

Verify signatures:

cosign verify --certificate-identity-regexp="https://github.com/seebom-labs/seebom" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/seebom-labs/seebom/api-gateway:0.5.0

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.5.0

SBOM

An SPDX SBOM for this release is attached as seebom-0.5.0.spdx.json.

Upgrade Notes

  • Schema migration: 012_add_cluster_column.up.sql runs automatically (adds cluster column with empty default — non-breaking)
  • No breaking changes: All new features are opt-in or additive
  • Drop-in upgrade: update container images and restart
  • New Helm values available: apiGateway.auth.*, ingress.*, ui.enabled

What's Changed

  • feat: add multi-format SBOM parsing (CycloneDX + protobom backend) by @mfahlandt
  • feat(#131): cluster-aware data model with per-bucket assignment by @mfahlandt
  • feat(#132,#133,#137): cluster endpoints + health probes by @mfahlandt
  • feat(#134): optional API authentication with service token + API keys by @mfahlandt
  • feat(#134): wire UI nginx proxy to inject SERVICE_TOKEN upstream by @mfahlandt
  • feat(#139): headless mode (API-only deployment) by @mfahlandt
  • feat: SBOM download endpoint (#144) by @mfahlandt
  • feat(helm): add optional Ingress template (#59) by @mfahlandt
  • feat: add Project List View (#8) by @mfahlandt
  • feat: project list view with depth-aware grouping and multi-format docs by @mfahlandt
  • fix(security): bump golang.org/x/* and qs to patch May 2026 advisories by @mfahlandt
  • fix(spdx,vex): recover from goccy/go-json decoder panics on malformed input by @mfahlandt
  • fix(docker): pin UI builder to host platform — fixes ARM64 QEMU crash by @mfahlandt
  • fix(ci): bump Go to 1.25.11 in deploy-docs workflow by @mfahlandt
  • chore: update Go to 1.25.11 — fixes 3 stdlib CVEs by @mfahlandt
  • fix(helm): make batch job cleanup optional for ArgoCD by @korayoksay
  • fix(helm): remove lookup function (not compatible with ArgoCD) by @korayoksay
  • fix(helm): secret lookup issue by @korayoksay
  • deps(go): bump github.com/minio/minio-go/v7 by @dependabot in #164
  • deps(npm): bump @angular/build from 21.2.11 to 21.2.12 by @dependabot in #159
  • deps(npm): bump @angular/cdk from 21.2.11 to 21.2.12 by @dependabot in #158
  • deps(npm): bump @angular/cli from 21.2.11 to 21.2.12 by @dependabot in #161
  • deps(actions): bump docker/login-action from 4.1.0 to 4.2.0 by @dependabot in #151
  • deps(actions): bump docker/setup-buildx-action from 4.0.0 to 4.1.0 by @dependabot in #150
  • deps(actions): bump docker/build-push-action from 7.1.0 to 7.2.0 by @dependabot in #152
  • deps(actions): bump github/codeql-action from 4.35.3 to 4.36.0 by @dependabot in #130

Full Changelog: v0.4.0...v0.5.0