Release v11.1.7

cdxgen (>= v11.1.7) now includes a "secure mode," powered by the Node.js permission model. This "seat-belt approach" allows you to control which system resources cdxgen can access and what actions it can perform with those resources. For example, in --lifecycle pre-build mode, you can restrict cdxgen to reading only specific files, without granting permission to execute child processes. Even when executing node-based commands such as npm or atom, you can further limit the directories these external commands can read and write, as well as their permissions to execute child processes. This makes cdxgen an ideal SBOM tool when dealing with untrusted codebases (which is all software).

For further information, please refer to the permissions documentation or start using the new ghcr.io/cyclonedx/cdxgen-secure container image.

Thank you to @eran-medan and the other security researchers for helping bring this feature live.

Addresses CVE-2024-50611 and #1328. Please update at your convenience.

Full Changelog: v11.1.6...v11.1.7

Release v11.1.6

• Reduce validation warnings. Fix for #1610
• golang is included in a few Python images

What's Changed

Other Changes

• update container images by @prabhu in #1611

Full Changelog: v11.1.5...v11.1.6

Release v11.1.5

What's Changed

🧪 Testing

• Linux arm tests by @prabhu in #1581

Other Changes

• Improved secure mode warnings by @prabhu in #1609

Full Changelog: v11.1.4...v11.1.5

Release v11.1.4

What's Changed

🧪 Testing

• Restrict -t java11 to linux only in repotests by @prabhu in #1604

Other Changes

• Handle pnpm workspace with duplicate names by @prabhu in #1603

Full Changelog: v11.1.3...v11.1.4

Release v11.1.3

Fixes a bug where automatic installations were no longer performed.

What's Changed

Other Changes

• fix: install setuptools and wheel before installing requirements by @AnsahMohammad in #1594
• Ensuring that the evidence.identity format is maintained after components are trimmed by @emcfins in #1591
• Fix version parsing in CMakeLists files by @asztalosdani in #1596
• cdxgen secure image - WIP by @prabhu in #1600

New Contributors

• @AnsahMohammad made their first contribution in #1594
• @emcfins made their first contribution in #1591
• @asztalosdani made their first contribution in #1596

Full Changelog: v11.1.2...v11.1.3

Release v11.1.2

What's Changed

Other Changes

• Adds is_workspace properties to uv parent components by @prabhu in #1590

Full Changelog: v11.1.1...v11.1.2

Release v11.1.1

Key highlights are the new internal properties to track pnpm and uv workspaces.

What's Changed

🚀 Features

• Track pnpm workspace for each component by @prabhu in #1578

🐛 Bug Fixes

• Improves dotnet dependency tree with case insensitive match by @prabhu in #1586

Other Changes

• Track dev and peer dependencies as optional by @prabhu in #1579
• Track relative virtual path for workspaces by @prabhu in #1580
• Track workspaces for transitive dependencies for uv monorepos by @prabhu in #1582
• Setting 'installDeps' to default to true by @malice00 in #1584
• workspace props validation by @prabhu in #1585
• Set pnpm workspace properties recursively by @prabhu in #1587

Full Changelog: v11.1.0...v11.1.1

Release v11.1.0 - cdxgen ❤️ Ruby

We're thrilled to announce the release of cdxgen v11.1.0, designed to simplify the Software Bill of Materials (SBOM) process for Ruby developers. Powered by the latest atom and a cutting-edge Ruby frontend, cdxgen generates precise build SBOMs with evidence for most Ruby applications, even those developed over 20 years ago with Ruby 1.8!

Evinse - Precise occurrences and callstack evidence

SaaSBOM with Endpoints detection

Our container images automatically install the necessary Ruby, RubyGems, and Bundler versions to create a buildable environment. cdxgen also intelligently analyzes common installation errors, offering actionable tips to improve SBOM accuracy. Plus, cdxgenGPT is now trained to expertly answer a wide range of Ruby-related queries.

Expert guidance with cdxgenGPT

CycloneDX and cdxgen Audio overview

Proudly generated using NotebookLM.

cyclonedx-and-cdxgen.m4a.zip

Sponsors

What's Changed

🚀 Features

• Bundle locally built cli in the container images by @prabhu in #1534
• Let's make things easy for Ruby - part 1 by @prabhu in #1545
• Add hash, scope and deps to dart by @paul-doherty in #1564

🧪 Testing

• container snapshot tests by @prabhu in #1535

Other Changes

• Ruby 2.5 support by @prabhu in #1547
• Ruby 3.4.1 by @prabhu in #1548
• Update atom for Ruby by @prabhu in #1549
• Ruby 1.8 support by @prabhu in #1551
• fix temp directories are no longer cleared by @youhaveme9 in #1553
• Evinse for Ruby by @prabhu in #1557
• Ruby repo tests by @prabhu in #1558
• add winget installation note by @youhaveme9 in #1559
• Introduce atom-tools to the container images by @prabhu in #1562
• Retain and validate parent component better by @prabhu in #1561
• Ruby evinse improvements by @prabhu in #1565
• Remove duplicates when resolving Gradle dependencies from Node by @malice00 in #1566
• Identify parent component from the pubspec.yaml files by @prabhu in #1570
• dotnet framework deep improvements by @prabhu in #1572
• Ruby reachables test - WIP by @prabhu in #1574
• Use docker for reachables tests by @prabhu in #1575
• More Ruby reach tests by @prabhu in #1577
• Added configurable reference generation between the components of a multi-language SBOM by @malice00 in #1567

New Contributors

• @youhaveme9 made their first contribution in #1553
• @paul-doherty made their first contribution in #1564

Full Changelog: v11.0.10...v11.1.0

Release v11.0.10

What's Changed

📚 Documentation

• [Docs] Update ENV.md to Include All Environment Variables by @satwiksps in #1526

New Features

• uv workspace support by @prabhu in #1524
• Install Ruby 3.4.0 in container images by @prabhu in #1528
• debian based dotnet images by @prabhu in #1529

Full Changelog: v11.0.9...v11.0.10

Release v11.0.9

What's Changed

Other Changes

• Expand optional tree by @prabhu in #1523

Full Changelog: v11.0.8...v11.0.9