Skip to content

Release v1.4.0

Choose a tag to compare

@haksungjang haksungjang released this 23 Jun 01:49
9a92363

BomLens v1.4.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • Identify open source copied (vendored) into C/C++ source that has no package manager. --identify-vendored matches file fingerprints against the SCANOSS/OSSKB knowledge base and records copied-in open source as named components (name, version, PURL, and a CPE where one exists), so the security report can surface their CVEs. It is off by default, with a one-line suggestion shown automatically when a scan looks like C/C++ embedded source, and is available in the web UI under Advanced. Matches are reconciled against the package-manager scan, so enabling it on a managed project does not duplicate dependencies or inflate the vulnerability count. Hardened with an adversarial CLI + UI test campaign (CPE-grammar safety, large-tree handling, over-detection, injection). (#168, #169)

Changed

  • The published bomlens image now bundles the (MIT-licensed) SCANOSS client, so --identify-vendored works out of the box without a custom build. (#168)

Installation

Desktop app (double-click, no CLI)

Download SBOM-Generator-*.exe (Windows) or .dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.4.0   # legacy alias: sbom-scanner

Documentation