Release v11.1.0 - cdxgen ❤️ Ruby

We're thrilled to announce the release of cdxgen v11.1.0, designed to simplify the Software Bill of Materials (SBOM) process for Ruby developers. Powered by the latest atom and a cutting-edge Ruby frontend, cdxgen generates precise build SBOMs with evidence for most Ruby applications, even those developed over 20 years ago with Ruby 1.8!

Evinse - Precise occurrences and callstack evidence

SaaSBOM with Endpoints detection

Our container images automatically install the necessary Ruby, RubyGems, and Bundler versions to create a buildable environment. cdxgen also intelligently analyzes common installation errors, offering actionable tips to improve SBOM accuracy. Plus, cdxgenGPT is now trained to expertly answer a wide range of Ruby-related queries.

Expert guidance with cdxgenGPT

CycloneDX and cdxgen Audio overview

Proudly generated using NotebookLM.

cyclonedx-and-cdxgen.m4a.zip

Sponsors

What's Changed

🚀 Features

• Bundle locally built cli in the container images by @prabhu in #1534
• Let's make things easy for Ruby - part 1 by @prabhu in #1545
• Add hash, scope and deps to dart by @paul-doherty in #1564

🧪 Testing

• container snapshot tests by @prabhu in #1535

Other Changes

• Ruby 2.5 support by @prabhu in #1547
• Ruby 3.4.1 by @prabhu in #1548
• Update atom for Ruby by @prabhu in #1549
• Ruby 1.8 support by @prabhu in #1551
• fix temp directories are no longer cleared by @youhaveme9 in #1553
• Evinse for Ruby by @prabhu in #1557
• Ruby repo tests by @prabhu in #1558
• add winget installation note by @youhaveme9 in #1559
• Introduce atom-tools to the container images by @prabhu in #1562
• Retain and validate parent component better by @prabhu in #1561
• Ruby evinse improvements by @prabhu in #1565
• Remove duplicates when resolving Gradle dependencies from Node by @malice00 in #1566
• Identify parent component from the pubspec.yaml files by @prabhu in #1570
• dotnet framework deep improvements by @prabhu in #1572
• Ruby reachables test - WIP by @prabhu in #1574
• Use docker for reachables tests by @prabhu in #1575
• More Ruby reach tests by @prabhu in #1577
• Added configurable reference generation between the components of a multi-language SBOM by @malice00 in #1567

New Contributors

• @youhaveme9 made their first contribution in #1553
• @paul-doherty made their first contribution in #1564

Full Changelog: v11.0.10...v11.1.0

Release v11.0.10

What's Changed

📚 Documentation

• [Docs] Update ENV.md to Include All Environment Variables by @satwiksps in #1526

New Features

• uv workspace support by @prabhu in #1524
• Install Ruby 3.4.0 in container images by @prabhu in #1528
• debian based dotnet images by @prabhu in #1529

Full Changelog: v11.0.9...v11.0.10

Release v11.0.9

What's Changed

Other Changes

• Expand optional tree by @prabhu in #1523

Full Changelog: v11.0.8...v11.0.9

Release v11.0.8 - Holiday update

We're ready to greet the new year with this holiday update. This release focuses on general improvements and tweaks to make cdxgen more useful for both users and AI bots. cdxgen can now reliably track all package manifests where a given component was found—especially helpful for vulnerability management and patching in large monorepos and multi-module projects. We’ve also improved dependency tree accuracy so bots like cdxgenGPT can better understand and reason about the underlying architecture.

Quality is a top priority. xBOM accuracy—particularly precision and recall—remains a constant topic that keeps us on our toes. Thanks to a generous sponsorship, we have added more snapshot testing for a number of languages and package manager ecosystems, and trained cdxgenGPT to serve as a good xBOM reviewer. We will soon use both automated testing and machine learning to continuously evaluate and improve BOM quality.

Please update to this version at your convenience. Happy Holidays!

Screenshots

cdxgenGPT training and assessment prompts

Rate my SBOM

Review of a syft SBOM

What's Changed

🚀 Features

• uv support by @prabhu in #1516
• Merge components after aggregation by @prabhu in #1517

🐛 Bug Fixes

• Retain license and external references for parent components by @prabhu in #1520

📚 Documentation

• cdxgen for bots by @prabhu in #1514
• Rate my xbom by @prabhu in #1521

Other Changes

• #1486 fix: use getGoPkgComponent in parseGosumData by @CaMoPeZzz in #1487
• Support image generation and parsing github url by @prabhu in #1497
• Fixes #1498. Don't remove await by @prabhu in #1509
• TypeError: project.modules.module.map is not a function by @readonlyuser1 in #1504
• fix:GH-1502 name root from package json by @ivanasabi in #1503
• #291 feat: vcs url for gopkg by @CaMoPeZzz in #1505
• Fix docker extract bugs by @prabhu in #1513
• asvs 5.0 - Beta by @prabhu in #1460

New Contributors

• @CaMoPeZzz made their first contribution in #1487
• @readonlyuser1 made their first contribution in #1504
• @ivanasabi made their first contribution in #1503

Full Changelog: v11.0.7...v11.0.8

Release v11.0.7

What's Changed

• Force package lock creation for stubborn projects with .npmrc by @prabhu in #1488

Full Changelog: v11.0.6...v11.0.7

Release v11.0.6

What's Changed

• Improve php tree by @prabhu in #1483
• Retain multiple SrcFile and identity evidences by @prabhu in #1484

Full Changelog: v11.0.5...v11.0.6

Release v11.0.5 - hey quarkus

cdxgen now supports the Quarkus framework with automatic detection for Maven projects—no configuration changes needed. It uses the official dependency-sbom goal but adds extra value by including phantom JARs that aren’t managed through Maven. With the research profile enabled (--profile research), cdxgen produces a highly detailed SBOM with occurrences and call stack evidence, offering better insights than the official implementation, which only tracks jar files.

cdxgenGPT is also updated to better understand the evidence information for decent reasoning performance.

What's Changed

Other Changes

• feat: quarkus maven support by @prabhu in #1480
• Improve printOccurrences function with streaming output for large SBO… by @deeshantk in #1482

New Contributors

• @deeshantk made their first contribution in #1482

Full Changelog: v11.0.4...v11.0.5

Release v11.0.4

What's Changed

Other Changes

• Expand snapshots part I by @cerrussell in #1467
• Tweaks for node.js ignore list by @prabhu in #1469
• Fix Index Boundary Error in parseCmakeLikeFile by @cerrussell in #1470
• refactor(dart): Use api /versions to avoid payload with all versions by @lsaudon in #1471
• Expand Python Snapshots by @cerrussell in #1473
• Track php per-module tree by @prabhu in #1475
• npm auto install for non-root package.json by @prabhu in #1478
• Added documentation for ML profiles in cdxgen by @satwiksps in #1477

New Contributors

• @satwiksps made their first contribution in #1477

Full Changelog: v11.0.3...v11.0.4

Release v11.0.3

What's Changed

Other Changes

• Replace toml library by @prabhu in #1468

Full Changelog: v11.0.2...v11.0.3

Release v11.0.2

What's Changed

🚀 Features

• dotnet 9 deep improvements by @prabhu in #1459

Other Changes

• update atom to get cpg 1.0.1 and the latest protobuf by @prabhu in #1462
• Safely handle components without names by @prabhu in #1464
• Update atom to get tagging and android apk improvements by @prabhu in #1465

Full Changelog: v11.0.1...v11.0.2