Release v1.5.2
BomLens v1.5.2
Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.
Changes
Added
- Per-run output isolation: each scan now lands in its own
{Project}_{Version}/subfolder, so the files from one run stay together and the CLI never litters the source tree it scans. New--output-dir/-oand--timestampflags choose the base directory and keep repeat runs side by side. - Release gate: a release is created as a draft and only published after its recommended entry points are verified for that exact release — the desktop installers are attached and the documented first-scan command produces a valid SBOM on the actual published image.
- Onboarding CI gates that keep the docs and the tool in step: a doc/tool drift check (flags, environment variables, image names, the desktop download name), an internal-link check for the getting-started pages, machine UX checks (no silent error exits, parity between the setup scripts, a complete
--help), a desktop-app boot smoke on Windows and macOS, and a walkthrough that runs the documented first-scan command on the published image.
Changed
- Scan outputs default to a
{Project}_{Version}/subfolder of the current directory instead of being written flat. SetSBOM_OUTPUT_FLAT=1for the previous flat layout.
Fixed
--byte-stableis now reproducible: it no longer resolves dependency licenses over the network, a lookup whose success varied between runs and made two otherwise-identical scans differ.- Source scans no longer leave root-owned build files (for example
node_modules) in the scanned project folder or the git/zip ingestion temp directory on Linux; the scanned tree is handed back to the host user. - The README pointed at a renamed desktop installer; the download links now use
BomLens-Setup.exeandBomLens-Setup.dmg. - Documented the
--refalias for--branch.
Installation
Desktop app (double-click, no CLI)
Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".
Scripts
curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.shDocker Image
docker pull ghcr.io/sktelecom/sbom-generator:1.5.2 # legacy alias: sbom-scanner