Release v10.5.1

The cdxgen container image now uses node 22 with compile cache. This offers significant performance improvements compared to the current node 20 based images, especially with server mode. With no breaking changes, we feel this is a patch release for the cdxgen node package rather than a minor release.

What's Changed

• Remove bun lock file by @prabhu in #1030
• Improve deno compatibility by using jar command fallback by @prabhu in #1031
• Enable node 22 tests by @prabhu in #1034
• Use node 22 via nvm in docker. Enable NODE_COMPILE_CACHE by @prabhu in #1036

Full Changelog: v10.5.0...v10.5.1

Release v10.5.0 - Python CBOM for everyone

Introduction

You can now generate CBOM for Python applications. It is as easy as invoking the cbom command.

cbom -t python

cdxi REPL can natively understand CBOM. Simply load the generated CBOM, and try the new commands .cryptos and .provides.

We have also added support for compliance-as-code via standards. Invoke cdxgen with the new --standard arguments to automatically include their definitions.

Example:

cdxgen -t java --standard asvs-4.0.3

What's Changed

• Add support for executing dependencies task in parallel for Gradle by @ajmalab in #1007
• Feature/swh by @prabhu in #1012
• Update jdk to 21.0.3-tem by @prabhu in #1013
• Remove bun frozen install mode by @prabhu in #1017
• Python cbom by @prabhu in #1026
• Update atom. Regenerate types by @prabhu in #1028
• Support for standard templates by @prabhu in #1029

Full Changelog: v10.4.3...v10.5.0

Release v10.4.3

What's Changed

• Removed docsify which is not required for generating docs by @prabhu in #1001
• Adding directories starting with __ to ignore by @almaz045 in #1004
• Adds bun image by @prabhu in #1002

New Contributors

• @almaz045 made their first contribution in #1004

Full Changelog: v10.4.2...v10.4.3

Release v10.4.2

We have applied numerous linting fixes reported by biome (Thanks @setchy). The lock file was deleted and regenerated, since the dependency tree was looking a lot better when compared with the existing one.

What's Changed

• chore(biome): fix use single var declarator by @setchy in #984
• chore(biome): fix use template by @setchy in #985
• chore(biome): remove unused rule overrides by @setchy in #986
• chore(biome): fix optional chaining cases by @setchy in #987
• chore(biome): fix useless else cases by @setchy in #988
• chore(biome): fix unused template literals by @setchy in #989
• Feature/maven private repos by @prabhu in #992
• chore(biome): fix no double equals by @setchy in #991
• chore: update biome by @setchy in #998
• Regenerate lock file and types. Adds vuln scanning by @prabhu in #999

Full Changelog: v10.4.1...v10.4.2

Release v10.4.1

What's Changed

• Applied a number of unsafe fixes using biome by @prabhu in #983
• Bugfix for a problematic yaml file

Full Changelog: v10.4.0...v10.4.1

Release v10.4.0

What's Changed

• docs: update downloads badge by @setchy in #968
• Follow CycloneDX 1.5 spec for SPDX license expressions by @validide in #975
• Export proto support for 1.6 by @prabhu in #974
• Include cyclonedx-maven-plugin under tools for java by @prabhu in #976
• feat: switch to biomejs formatter + linter by @setchy in #977

Full Changelog: v10.3.5...v10.4.0

Release v10.3.5 - cdx 1.6++

Introduction

This release is to formally announce cdxgen with support for 1.6 specifications. To recap, below are the features that are part of the 10.3.x release.

Cryptography Bill of Materials (CBOM) support

Quatum-based threats and Harvest now, decrypt later attacks are closer than we think. A precise inventory of all crypto libraries, assets such as keys, secrets, algorithms in use at an organization is important to give us an early start.

cdxgen now includes a brand new command called cbom to generate a Cryptography Bill of Materials (CBOM) document. This is supported for Java projects at launch and is powered by atom.

cbom -t java

Crypto properties

cdxgen can identify a range of crypto properties such as the algorithm names and their Object IDs. It can also identify the package that provides the implementation for the detected algorithms and add both occurrence and call-stack evidences to the CBOM document to help locate them.

Detailed formulation

cdxgen can identify a range of platform components that are used to compile, build, test, and deploy applications. We can now identify possible crypto libraries that might get statically-linked to the applications.

One more thing

cdxgen can now include components from the git tree and set an OmniBOR ID for git projects.

This feature is currently part of the --include-formulation argument although could become a dedicated command with a future release.

Full Changelog: v10.2.6...v10.3.5

Release v10.3.4

The previous release actually broke the cbom command since the variable options was not declared prior to use. This is the problem with doing a rush job.

Full Changelog: v10.3.3...v10.3.4

Release v10.3.3

Some tweaks to the cbom command

Full Changelog: v10.3.2...v10.3.3

Release v10.3.2

What's Changed

• docs: badges by @setchy in #966
• Update docs and debug output for dotnet by @prabhu in #963

Full Changelog: v10.3.1...v10.3.2