Release v1.4.0
BomLens v1.4.0
Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.
Changes
Added
- Identify open source copied (vendored) into C/C++ source that has no package manager.
--identify-vendoredmatches file fingerprints against the SCANOSS/OSSKB knowledge base and records copied-in open source as named components (name, version, PURL, and a CPE where one exists), so the security report can surface their CVEs. It is off by default, with a one-line suggestion shown automatically when a scan looks like C/C++ embedded source, and is available in the web UI under Advanced. Matches are reconciled against the package-manager scan, so enabling it on a managed project does not duplicate dependencies or inflate the vulnerability count. Hardened with an adversarial CLI + UI test campaign (CPE-grammar safety, large-tree handling, over-detection, injection). (#168, #169)
Changed
- The published
bomlensimage now bundles the (MIT-licensed) SCANOSS client, so--identify-vendoredworks out of the box without a custom build. (#168)
Installation
Desktop app (double-click, no CLI)
Download SBOM-Generator-*.exe (Windows) or .dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".
Scripts
curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.shDocker Image
docker pull ghcr.io/sktelecom/sbom-generator:1.4.0 # legacy alias: sbom-scanner