Skip to content

Releases: sktelecom/bomlens

Release v1.8.0

Choose a tag to compare

@github-actions github-actions released this 13 Jul 13:13
7bd7a3e

BomLens v1.8.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Components past their published end-of-life are now flagged, offline by default. A bundled endoflife.date snapshot is matched by PURL coordinate (accuracy-first closed mapping — an unmapped component is left untouched, never guessed), and the result is surfaced in the web UI results. A runtime or framework past EOL receives no upstream fixes, so this answers a supply-chain question distinct from CVEs.
  • Component version currency: the same snapshot reports when a component is behind the newest patch of its own release line (offline, default on — a safe in-cycle upgrade signal). With STALENESS_ENRICH=true, deps.dev is queried per package (opt-in, default off) for the absolute newest version, releases-behind, and last-release date across npm, PyPI, Maven, Go, Cargo, NuGet, and RubyGems.
  • Opt-in SPDX output: --spdx (env GENERATE_SPDX, included in --all) additionally exports the finished BOM as SPDX 2.3 JSON ({prefix}_bom.spdx.json) after every enrichment step, with its own signature under --sign and byte-stable output under --byte-stable. The web UI gains an "SPDX export" toggle. CycloneDX remains the working and upload format; CycloneDX-only data (vulnerabilities, bomlens:* properties) is not carried over.
  • The web UI can scan directories outside the launch folder — including the running host OS. scan-sbom.sh --ui --mount <dir> (repeatable; SBOM_UI_MOUNT_DIR for the Windows launcher) mounts each directory read-only and the Directory path input offers them as scan locations. The desktop app adds an in-app folder picker that persists the mounts across restarts. Scanning a live / excludes /proc, /sys, /dev, and /run.
  • The sidebar rail and the overview jump card now show the conformance coverage figure (G7 element coverage for AI SBOMs, passed/total format checks otherwise), like the component and vulnerability counts.
  • THIRD_PARTY_LICENSES.md now records the web UI's bundled fonts (Inter and JetBrains Mono, both OFL-1.1) with the attribution the license requires.

Changed

  • Supplier-SBOM conformance now enforces two more submission requirements as mandatory checks: the spec version must be in the accepted range (CycloneDX 1.3–1.6 and SPDX 2.2–2.3, overridable via CYCLONEDX_SPEC_VERSIONS/SPDX_SPEC_VERSIONS; AI SBOMs also accept CycloneDX 1.7, which the AIBOM toolchain emits), and every PURL must follow the standard pkg:type/name@version shape — colon coordinates, a missing pkg: prefix, a missing version, or raw spaces now fail with the offending PURLs listed. Previously only PURL presence and the pkg:generic ban were enforced, so a schema-valid SBOM with malformed PURLs passed.
  • Firmware CVE matching no longer bundles cve-bin-tool's ~1.5 GB NVD database, which could not be built reliably — cve-bin-tool's NVD api2 fetch is rate-limited into multi-hour stalls (and blocked outright from cloud runner IPs), and its json-mirror source is dead. cve-bin-tool now only identifies firmware binaries; their CPEs are matched against a compact index (~130 MB) distilled at build time from the NVD data feeds (fkie-cad/nvd-json-data-feeds, a plain git clone with no rate limit or API key). The firmware image builds on standard cloud runners again — no NVD key, no BuildKit secret, and no self-hosted runner — while offline/air-gap matching and the security-report contract are unchanged.

Fixed

  • scan-sbom.sh --ui no longer requires a TTY, so the documented web UI entry point works from CI, pipes, and wrappers instead of dying with the input device is not a TTY.
  • When a zip created by PowerShell Compress-Archive is rejected by the container's unzip (backslash-separated entries), the scan now explains the cause and suggests re-zipping with Explorer instead of printing a bare unzip failed.
  • Web UI layout defects found in a full-screen visual audit: the new-scan settings panel fits one screen again (advanced options and upload are collapsed disclosures with an enabled-count badge), large dependency graphs snap to a legible zoom instead of rendering as a dot cloud (the snap handler was attached after the synchronous initial layout and never fired), small result tables no longer pad to an empty 256px box, the overview card grid no longer leaves a lopsided empty tail, and the security artifact card no longer shows two identical "JSON" chips.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.8.0   # legacy alias: sbom-scanner

Documentation

Release v1.7.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 15:00
2a19fc2

BomLens v1.7.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • iOS apps are now supported: a CocoaPods Podfile.lock or a Swift Package Manager Package.resolved is read into the SBOM with the full transitive pod/package set, and — for CocoaPods — the dependency graph reconstructed from the lockfile. Resolution is lockfile-first, so it runs offline and needs neither the pod CLI nor macOS. (cdxgen's own CocoaPods path requires pod, which the Swift image does not carry, and it aborted the scan when a Podfile was present.)
  • The web UI can upload the generated SBOM to a Dependency-Track or TRUSCA server (previously CLI-only). New scan has an optional Upload section for the destination, server URL, API token, and — for TRUSCA — the project id. The token is stashed single-use and the server URL and token are used for that run only, never stored.
  • New scan exposes a "Reproducible output" toggle in the advanced options, surfacing the byte-stable mode that was previously CLI-only. When on, re-scanning the same source produces a byte-for-byte identical SBOM. The toggle is hidden for supplier-SBOM analysis and AI model scans, where it does not apply.

Changed

  • Best-effort post-processing steps (normalize, CPE and AIBOM enrichment, conformance, vendored-OSS suggestion) no longer swallow real failures. They kept the never-abort guarantee by ending in || true, which also hid genuine errors; each step now logs a WARN and stamps bomlens:pipeline-step-failed on the SBOM when it fails, so a degraded run is visible instead of silently incomplete.

Fixed

  • Maven source scans no longer inflate the SBOM with the test and provided toolchain (junit, lombok, etc.). The scan is scoped to the deployable runtime set using cdxgen's resolved scope tags — compile and runtime dependencies are kept, test and provided ones are dropped — the Maven analogue of the Android and npm release-scope fixes. Set BOMLENS_MAVEN_FULL_GRAPH=1 to keep the full graph.
  • Android product-flavor projects now scope to the release runtime classpath instead of silently falling back to the full build + test graph. The release-config selection dropped every candidate when a project had no plain releaseRuntimeClasspath (only flavored variants such as freeReleaseRuntimeClasspath), so flavored apps were reported with their whole toolchain. It now prefers the plain classpath and otherwise takes the first flavored release variant.
  • Node.js (npm) source scans no longer inflate the SBOM with the devDependencies tree (jest, eslint, the Babel toolchain, etc.). The scan is scoped to the deployed dependencies, so build and test tooling the app never ships is excluded — the npm analogue of the Android release-scope fix. Set BOMLENS_NODE_FULL_GRAPH=1 to keep the dev + prod superset.
  • Android (AGP) source scans no longer inflate the SBOM with the build and test toolchain. The scan is scoped to the deployable release runtime classpath, so only the components shipped in the APK are recorded.
  • Firmware scans no longer silently report zero CVEs from a vulnerability database that lacks NVD data. The build gate now rejects a bundled CVE database without a real NVD advisory corpus instead of shipping it.
  • Native Windows source scans work under Git for Windows: docker bind mounts and the Git Bash resolution in scan-sbom.bat were corrected so a Windows (MSYS) shell can run a scan instead of failing at container start.
  • Windows web/desktop UI source scans resolve transitive dependencies again. The cdxgen (and firmware/AIBOM) sibling containers were bind-mounted by a Windows drive path (C:/…) that the in-container Linux docker CLI cannot consume, so the scan silently fell back to syft (direct dependencies only). The siblings now inherit the UI container's mounts with --volumes-from, so they run on every host OS — verified on Windows, where UI and CLI scans now produce identical SBOMs.
  • Firmware security reports are no longer empty. The bundled Trivy could not decode the firmware SBOM's firmware root component type and failed the whole scan; Trivy is now retried on an input copy whose root type is coerced to one it accepts, so the vulnerability report is populated while the delivered SBOM keeps its accurate firmware type.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.7.0   # legacy alias: sbom-scanner

Documentation

Release v1.6.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 04:27
5e91764

BomLens v1.6.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • AI SBOM conformance now covers the full G7 minimum-elements checklist: seven clusters rendered as 51 checks, each tagged as read from the SBOM, inferred from signals, or requiring human review. The web UI groups the results by cluster, and the AI model guide explains what the checklist is, its EU AI Act context, and how to read the report.
  • The desktop app checks for a newer release on startup and offers the download page.
  • The desktop app recovers without a relaunch: the Docker-missing and failure screens have retry buttons, a scanner container that dies after the UI loads is detected and reported, containers left behind by a crash are cleaned up on the next start, and a second launch focuses the running window instead of starting a duplicate.
  • Desktop quality of life: the version is visible on the start screen and About panel, window size and position are remembered, startup progress is written to a log file, and the start screens support light mode, a language toggle, and per-OS Docker installation guidance.
  • New scan prefills the project name and version from the scan source (git URL, Docker image tag, uploaded file name, or SBOM metadata), marks required fields, and validates them inline.
  • The macOS installer is universal: it now runs on Intel Macs as well as Apple Silicon.
  • The desktop installers are covered by the release's SHA256SUMS.txt, so downloads can be integrity-checked.

Changed

  • Advanced scan option labels lead with what they do ("Per-file license scan", "Detect copied-in open source", "More vulnerability advisories"); the tool names moved into the hints.
  • The desktop app pulls the documented image tag (ghcr.io/sktelecom/bomlens) — the same image it used before, under its current name.
  • Installer code signing and notarization turn on automatically once certificates are registered as CI secrets; installers remain unsigned until then.

Fixed

  • OS package CVE matching in SBOM security scans was restored.
  • syft output is pinned to CycloneDX 1.6 because Trivy 0.70 cannot read 1.7; security scans of syft-generated SBOMs work again.
  • A failed security scan is now marked as failed in the report instead of silently reporting zero findings.
  • PyPI version ranges no longer duplicate the installed version as a lower bound.
  • The --deep-license image builds and runs again.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.6.0   # legacy alias: sbom-scanner

Documentation

Release v1.5.5

Choose a tag to compare

@github-actions github-actions released this 01 Jul 01:26
88ab21f

BomLens v1.5.5

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Fixed

  • Maven and Gradle source scans now record their direct dependencies in the SBOM dependency graph. The root component previously carried an empty dependsOn, so tools reading the graph classified every direct dependency as transitive. npm was unaffected.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.5   # legacy alias: sbom-scanner

Documentation

Release v1.5.4

Choose a tag to compare

@haksungjang haksungjang released this 28 Jun 12:20
81df198

BomLens v1.5.4

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • The result Overview leads with the section jump cards and shows Security and License classification side by side; clicking a band opens that section pre-filtered.
  • Licenses are graded by copyleft strength (network / strong / weak / permissive), with separate review-needed and uncategorized classes; an unrecognised license is never assumed permissive.
  • The home screen is now Scan management: search past scans, filter by scan type, and see total / at-risk / project counts, with the at-risk card doubling as a filter.
  • Global search across components and CVEs from the top bar.
  • Re-scan: re-run a finished scan with the same target and options from the top bar.
  • The SCANOSS client ships in the base image, so vendored open-source identification works out of the box (still opt-in at scan time).
  • Running firmware and AI scans can be cancelled.

Changed

  • New scan and Recent moved into the top bar, so the left rail is purely the current scan's sections.
  • New scan's advanced analysis toggles moved into their own Advanced scan options section, with clearer copy and SCANOSS free-tier guidance.
  • Generated HTML reports were restyled to match the web UI.
  • The scan progress bar follows the real pipeline stages, and the Scan management table columns are sortable.
  • The dependency rail badge shows the direct/transitive split.

Fixed

  • A source scan that falls back to syft is labelled "Source" instead of "SBOM", and now says so when the fallback was caused by Docker running out of disk.
  • Fonts are self-hosted so the desktop content-security policy keeps the intended typography.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.4   # legacy alias: sbom-scanner

Documentation

Release v1.5.3

Choose a tag to compare

@github-actions github-actions released this 27 Jun 00:58
0db8abe

BomLens v1.5.3

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • The dependency graph view was redesigned to read like a commercial graph explorer.
  • License distribution is shown as proportional bars, with the charts animating in on first render.
  • Each scan now shows how it compares to the previous run of the same project.

Changed

  • Interactive result cards lift on hover, with motion that honours the operating system's reduced-motion setting.

Fixed

  • SECURITY_ENRICH=false now reaches the post-process container, so the EPSS and CISA KEV opt-out works from the host CLI for air-gapped runs.
  • --analyze/--sbom combined with --model is now rejected instead of silently running in ANALYZE mode.
  • AI SBOM generation fails closed when the model card cannot be collected (offline, or an unknown/private model id) instead of writing an empty stub ML-BOM as a valid output.
  • Supplier SBOM analysis now produces the conformance report for well-formed SPDX Tag-Value inputs; a zero-count grep had aborted the Tag-Value checks.
  • Reopening a past scan from history no longer shows an empty run-log panel.
  • A release stays a draft until the release gate verifies it, so it is never published before its entry points are checked.

Documentation

  • Corrected the supplier-SBOM conversion note (SPDX is converted to CycloneDX 1.6; CycloneDX inputs keep their original spec version), removed the unimplemented drag-resizable columns claim from the UI reference, fixed the Node.js lock-file guidance, and added page descriptions to five navigation pages.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.3   # legacy alias: sbom-scanner

Documentation

Release v1.5.2

Choose a tag to compare

@github-actions github-actions released this 26 Jun 07:51
8404b89

BomLens v1.5.2

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Per-run output isolation: each scan now lands in its own {Project}_{Version}/ subfolder, so the files from one run stay together and the CLI never litters the source tree it scans. New --output-dir/-o and --timestamp flags choose the base directory and keep repeat runs side by side.
  • Release gate: a release is created as a draft and only published after its recommended entry points are verified for that exact release — the desktop installers are attached and the documented first-scan command produces a valid SBOM on the actual published image.
  • Onboarding CI gates that keep the docs and the tool in step: a doc/tool drift check (flags, environment variables, image names, the desktop download name), an internal-link check for the getting-started pages, machine UX checks (no silent error exits, parity between the setup scripts, a complete --help), a desktop-app boot smoke on Windows and macOS, and a walkthrough that runs the documented first-scan command on the published image.

Changed

  • Scan outputs default to a {Project}_{Version}/ subfolder of the current directory instead of being written flat. Set SBOM_OUTPUT_FLAT=1 for the previous flat layout.

Fixed

  • --byte-stable is now reproducible: it no longer resolves dependency licenses over the network, a lookup whose success varied between runs and made two otherwise-identical scans differ.
  • Source scans no longer leave root-owned build files (for example node_modules) in the scanned project folder or the git/zip ingestion temp directory on Linux; the scanned tree is handed back to the host user.
  • The README pointed at a renamed desktop installer; the download links now use BomLens-Setup.exe and BomLens-Setup.dmg.
  • Documented the --ref alias for --branch.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.2   # legacy alias: sbom-scanner

Documentation

Release v1.5.1

Choose a tag to compare

@github-actions github-actions released this 25 Jun 21:09
b06c32b

BomLens v1.5.1

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Desktop app firmware and AI-model scans: the desktop app now runs firmware and AI-model (AIBOM) scans by launching the matching scanner image as a sibling container, pulling it on first use.
  • Source file tree without ScanCode: source scans emit a _files.json file inventory, and the web UI shows a source tree from it when no ScanCode result is present.
  • SBOM conformance is now a first-class result section, with per-element G7 evidence, examples and guidance links.
  • Determinate firmware CVE-database download progress: a real percentage bar during the cve-bin-tool database fetch, falling back to the previous approximation when a scan reports no progress.

Changed

  • Web UI design-language refresh: a redesigned visual language, a Recent-scans home, and neutralized report wording.
  • Release assets are unified under the BomLens name (for example BomLens-Setup.*), and the release notes link to the documentation site.
  • The AI-model scan form now explains the open-source Notice option.

Fixed

  • Firmware scans matched zero CVEs because the published firmware image shipped an empty cve-bin-tool database. The image now bundles a populated database with a runtime refresh, the build fails if the database ends up empty, and the database path matches the location cve-bin-tool actually uses.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.1   # legacy alias: sbom-scanner

Documentation

Release v1.5.0

Choose a tag to compare

@github-actions github-actions released this 25 Jun 03:33
375abc2

BomLens v1.5.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Redesigned web UI: a new shell with Overview, Components, Dependencies, Vulnerabilities, Licenses, AI (Models & datasets / G7), and Artifacts sections; a single-card New scan form; and local Recent scans (list, re-open, delete; newest 20 shown). Every navigation element is a real link, so the logo, New scan, sidebar sections, recent scans and jump cards open in a new tab (Cmd/Ctrl/middle click) via URL-hash routing.
  • AI-model SBOM (AIBOM): generate a CycloneDX ML-BOM for a HuggingFace model id — with G7 minimum-element conformance — from the web UI's AI model input. Published as the new bomlens-aibom image (legacy alias sbom-scanner-aibom).
  • EPSS exploit probability and CISA KEV (actively exploited) surfaced on vulnerabilities.
  • Component detail: click a component row to see its PURL, source/download location, copyright, licenses and vulnerabilities.
  • License explorer: click a license to list its components, with copyleft/reciprocal licenses highlighted.
  • Vulnerability view: click the severity bar to filter, plus a search box; all result tables are drag-resizable.
  • Firmware analysis: cve-bin-tool now matches CVEs online (the firmware image bundles the vulnerability DB), and an enrichment step fills CPEs and SPDX licenses for a curated whitelist of well-known OSS (busybox, dropbear, dnsmasq, …) so Trivy and the notice can use them. Compressed firmware images (.img.gz, .tar.xz, …) can be uploaded.
  • Open-source notice: per-component source/download location and copyright line, plus an optional PDF rendering (SBOM_PDF build).
  • SCANOSS: a token input for the OSSKB endpoint (the free anonymous endpoint is rate-limited), and a result note that distinguishes "search unavailable" from "nothing found".

Changed

  • Advanced scan options (deep license / SCANOSS) appear only for source scans; AI-model scans drop the deep-license toggle and the (always-empty) security report.
  • G7 conformance moved under the AI group, with per-element "what it is / how to satisfy" guidance.
  • The live run log now appears only on the Overview, not under every section.
  • The scan banner and UI startup logs are unified to "BomLens".

Fixed

  • SCANOSS found nothing on uploaded/cloned sources because they extract under a dot-prefixed .uploads path that scanoss-py skips by default (--all-hidden).
  • The firmware component merge hit the command-line length limit on large rootfs images (jq now reads arrays from files via --slurpfile).
  • The dependency graph drew edgeless SBOMs (e.g. firmware) as overlapping dots — it now shows a note — and framed large graphs too far out to read.
  • AI scans were labelled by the generator's job-<timestamp> instead of the model name.
  • The scan done-event listed every artifact in the output folder instead of only the current scan's.
  • Leaving a running scan no longer lets the backgrounded scan finish and hijack the screen (the live SSE stream is closed on navigation).

Installation

Desktop app (double-click, no CLI)

Download SBOM-Generator-*.exe (Windows) or .dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.5.0   # legacy alias: sbom-scanner

Documentation

Release v1.4.0

Choose a tag to compare

@haksungjang haksungjang released this 23 Jun 01:49
9a92363

BomLens v1.4.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Identify open source copied (vendored) into C/C++ source that has no package manager. --identify-vendored matches file fingerprints against the SCANOSS/OSSKB knowledge base and records copied-in open source as named components (name, version, PURL, and a CPE where one exists), so the security report can surface their CVEs. It is off by default, with a one-line suggestion shown automatically when a scan looks like C/C++ embedded source, and is available in the web UI under Advanced. Matches are reconciled against the package-manager scan, so enabling it on a managed project does not duplicate dependencies or inflate the vulnerability count. Hardened with an adversarial CLI + UI test campaign (CPE-grammar safety, large-tree handling, over-detection, injection). (#168, #169)

Changed

  • The published bomlens image now bundles the (MIT-licensed) SCANOSS client, so --identify-vendored works out of the box without a custom build. (#168)

Installation

Desktop app (double-click, no CLI)

Download SBOM-Generator-*.exe (Windows) or .dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.4.0   # legacy alias: sbom-scanner

Documentation