Skip to content

Release v1.6.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 04:27
5e91764

BomLens v1.6.0

Generate a CycloneDX SBOM, an open-source notice (고지문), and a security report from your source code — or assess the open-source risk of an SBOM or firmware you receive.

Changes

Added

  • AI SBOM conformance now covers the full G7 minimum-elements checklist: seven clusters rendered as 51 checks, each tagged as read from the SBOM, inferred from signals, or requiring human review. The web UI groups the results by cluster, and the AI model guide explains what the checklist is, its EU AI Act context, and how to read the report.
  • The desktop app checks for a newer release on startup and offers the download page.
  • The desktop app recovers without a relaunch: the Docker-missing and failure screens have retry buttons, a scanner container that dies after the UI loads is detected and reported, containers left behind by a crash are cleaned up on the next start, and a second launch focuses the running window instead of starting a duplicate.
  • Desktop quality of life: the version is visible on the start screen and About panel, window size and position are remembered, startup progress is written to a log file, and the start screens support light mode, a language toggle, and per-OS Docker installation guidance.
  • New scan prefills the project name and version from the scan source (git URL, Docker image tag, uploaded file name, or SBOM metadata), marks required fields, and validates them inline.
  • The macOS installer is universal: it now runs on Intel Macs as well as Apple Silicon.
  • The desktop installers are covered by the release's SHA256SUMS.txt, so downloads can be integrity-checked.

Changed

  • Advanced scan option labels lead with what they do ("Per-file license scan", "Detect copied-in open source", "More vulnerability advisories"); the tool names moved into the hints.
  • The desktop app pulls the documented image tag (ghcr.io/sktelecom/bomlens) — the same image it used before, under its current name.
  • Installer code signing and notarization turn on automatically once certificates are registered as CI secrets; installers remain unsigned until then.

Fixed

  • OS package CVE matching in SBOM security scans was restored.
  • syft output is pinned to CycloneDX 1.6 because Trivy 0.70 cannot read 1.7; security scans of syft-generated SBOMs work again.
  • A failed security scan is now marked as failed in the report instead of silently reporting zero findings.
  • PyPI version ranges no longer duplicate the installed version as a lower bound.
  • The --deep-license image builds and runs again.

Installation

Desktop app (double-click, no CLI)

Download BomLens-Setup.exe (Windows) or BomLens-Setup.dmg (macOS) from the assets below. Unsigned for now; if Windows SmartScreen warns, choose "More info", then "Run anyway".

Scripts

curl -O https://raw.githubusercontent.com/sktelecom/sbom-tools/main/scripts/scan-sbom.sh
chmod +x scan-sbom.sh

Docker Image

docker pull ghcr.io/sktelecom/sbom-generator:1.6.0   # legacy alias: sbom-scanner

Documentation