Releases: CycloneDX/cdxgen
Release v10.5.1
The cdxgen container image now uses node 22 with compile cache. This offers significant performance improvements compared to the current node 20-based images, especially with server mode. With no breaking changes, we feel this is a patch release for the cdxgen node package rather than a minor release.
What's Changed
- Remove bun lock file by @prabhu in #1030
- Improve deno compatibility by using jar command fallback by @prabhu in #1031
- Enable node 22 tests by @prabhu in #1034
- Use node 22 via nvm in docker. Enable NODE_COMPILE_CACHE by @prabhu in #1036
Full Changelog: v10.5.0...v10.5.1
Release v10.5.0 - Python CBOM for everyone
Introduction
You can now generate CBOM for Python applications. It is as easy as invoking the cbom command:
cbom -t python
The cdxi REPL can natively understand CBOM. Simply load the generated CBOM and try the new commands .cryptos and .provides.
We have also added support for compliance-as-code via standards. Invoke cdxgen with the new --standard argument to automatically include the definitions of the named standard in the BOM.
Example:
cdxgen -t java --standard asvs-4.0.3
What's Changed
- Add support for executing dependencies task in parallel for Gradle by @ajmalab in #1007
- Feature/swh by @prabhu in #1012
- Update jdk to 21.0.3-tem by @prabhu in #1013
- Remove bun frozen install mode by @prabhu in #1017
- Python cbom by @prabhu in #1026
- Update atom. Regenerate types by @prabhu in #1028
- Support for standard templates by @prabhu in #1029
Full Changelog: v10.4.3...v10.5.0
Release v10.4.3
Release v10.4.2
We have applied numerous linting fixes reported by biome (Thanks @setchy). The lock file was deleted and regenerated, since the dependency tree was looking a lot better when compared with the existing one.
What's Changed
- chore(biome): fix use single var declarator by @setchy in #984
- chore(biome): fix use template by @setchy in #985
- chore(biome): remove unused rule overrides by @setchy in #986
- chore(biome): fix optional chaining cases by @setchy in #987
- chore(biome): fix useless else cases by @setchy in #988
- chore(biome): fix unused template literals by @setchy in #989
- Feature/maven private repos by @prabhu in #992
- chore(biome): fix no double equals by @setchy in #991
- chore: update biome by @setchy in #998
- Regenerate lock file and types. Adds vuln scanning by @prabhu in #999
Full Changelog: v10.4.1...v10.4.2
Release v10.4.1
What's Changed
Full Changelog: v10.4.0...v10.4.1
Release v10.4.0
What's Changed
- docs: update downloads badge by @setchy in #968
- Follow CycloneDX 1.5 spec for SPDX license expressions by @validide in #975
- Export proto support for 1.6 by @prabhu in #974
- Include cyclonedx-maven-plugin under tools for java by @prabhu in #976
- feat: switch to biomejs formatter + linter by @setchy in #977
Full Changelog: v10.3.5...v10.4.0
Release v10.3.5 - cdx 1.6++
Introduction
This release formally announces cdxgen support for the CycloneDX 1.6 specification. To recap, below are the features that are part of the 10.3.x releases.
Cryptography Bill of Materials (CBOM) support
Quantum-based threats and harvest-now, decrypt-later attacks are closer than we think. A precise inventory of all crypto libraries and crypto assets (keys, secrets, algorithms) in use at an organization is important to give us an early start on migration.
cdxgen now includes a brand new command called cbom to generate a Cryptography Bill of Materials (CBOM) document. This is supported for Java projects at launch and is powered by atom.
cbom -t java
Crypto properties
cdxgen can identify a range of crypto properties such as the algorithm names and their Object Identifiers (OIDs). It can also identify the package that provides the implementation for the detected algorithms and add both occurrence and call-stack evidence to the CBOM document to help locate them.
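The two sections above (the harvest-now, decrypt-later motivation and the crypto properties cdxgen records) are the reason a CBOM is worth consuming, not just producing. The script below is an added example, not cdxgen code, showing how a practitioner would triage a CycloneDX 1.6 CBOM: list every algorithm whose NIST quantum security level is at or below a threshold (or unrecorded), resolve the library that provides it through the dependency graph's provides list, and print the occurrence evidence that locates it. The CBOM document embedded in the script is constructed for the demo; the field names (component type cryptographic-asset, cryptoProperties, algorithmProperties, dependencies[].provides, evidence.occurrences) follow the CycloneDX 1.6 schema, but the specific bom-ref naming and values are assumptions and not taken from real cdxgen output.

```javascript
// Added example (not part of cdxgen): quantum-risk triage over a CycloneDX 1.6 CBOM.
// The document below is constructed for this demo. Schema field names follow
// CycloneDX 1.6; bom-ref values, OIDs and locations are illustrative assumptions.
const sampleCbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    { type: "library", "bom-ref": "pkg:pypi/cryptography@42.0.5", name: "cryptography", version: "42.0.5" },
    {
      type: "cryptographic-asset",
      "bom-ref": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
      name: "RSA-2048",
      cryptoProperties: {
        assetType: "algorithm",
        oid: "1.2.840.113549.1.1.1",
        algorithmProperties: {
          primitive: "pke",
          parameterSetIdentifier: "2048",
          cryptoFunctions: ["sign", "verify"],
          classicalSecurityLevel: 112,
          nistQuantumSecurityLevel: 0, // broken outright by Shor's algorithm
        },
      },
      evidence: { occurrences: [{ location: "app/tokens.py", line: 42 }] },
    },
    {
      type: "cryptographic-asset",
      "bom-ref": "crypto/algorithm/aes-256-gcm@2.16.840.1.101.3.4.1.46",
      name: "AES-256-GCM",
      cryptoProperties: {
        assetType: "algorithm",
        oid: "2.16.840.1.101.3.4.1.46",
        algorithmProperties: { primitive: "block-cipher", mode: "gcm", classicalSecurityLevel: 256, nistQuantumSecurityLevel: 5 },
      },
      evidence: { occurrences: [{ location: "app/storage.py", line: 17 }] },
    },
    {
      type: "cryptographic-asset",
      "bom-ref": "crypto/algorithm/md5@1.2.840.113549.2.5",
      name: "MD5",
      cryptoProperties: { assetType: "algorithm", oid: "1.2.840.113549.2.5", algorithmProperties: { primitive: "hash" } },
      // no security levels recorded and no evidence: must not be treated as safe
    },
  ],
  dependencies: [
    {
      ref: "pkg:pypi/cryptography@42.0.5",
      provides: ["crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1", "crypto/algorithm/aes-256-gcm@2.16.840.1.101.3.4.1.46"],
    },
  ],
};

// Map each cryptographic-asset ref to the library whose dependency entry lists it under "provides".
function providerIndex(bom) {
  const index = new Map();
  for (const dep of bom.dependencies || []) {
    for (const ref of dep.provides || []) index.set(ref, dep.ref);
  }
  return index;
}

// Return algorithms with nistQuantumSecurityLevel <= maxLevel, plus algorithms with no level recorded
// (reported as "unknown" so that a missing property never hides a weak algorithm).
function quantumTriage(bom, maxLevel = 0) {
  const providers = providerIndex(bom);
  const findings = [];
  for (const c of bom.components || []) {
    if (c.type !== "cryptographic-asset") continue;
    const cp = c.cryptoProperties || {};
    if (cp.assetType !== "algorithm") continue;
    const ap = cp.algorithmProperties || {};
    const level = ap.nistQuantumSecurityLevel;
    if (level !== undefined && level > maxLevel) continue;
    const occurrences = (c.evidence && c.evidence.occurrences) || [];
    findings.push({
      name: c.name,
      oid: cp.oid,
      primitive: ap.primitive,
      quantumLevel: level === undefined ? "unknown" : level,
      providedBy: providers.get(c["bom-ref"]) || "unknown",
      locations: occurrences.map((o) => (o.line !== undefined ? `${o.location}:${o.line}` : o.location)),
    });
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(bom, maxLevel = 0) {
  return quantumTriage(bom, maxLevel).map(
    (f) => `${f.name} (${f.primitive}, OID ${f.oid}) quantum level ${f.quantumLevel}; provided by ${f.providedBy}; used at ${f.locations.join(", ") || "no evidence recorded"}`,
  );
}

console.log(report(sampleCbom).join("\n"));
```

With the default threshold of 0 the run flags RSA-2048 (provided by the cryptography package, used at app/tokens.py:42) and MD5 (unknown level, no provider, no evidence); AES-256-GCM is skipped. Raising the threshold to 5 lists all three, which is the view to use when planning a full migration rather than an emergency response.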
Detailed formulation
cdxgen can identify a range of platform components that are used to compile, build, test, and deploy applications. We can now also identify crypto libraries that might get statically linked into the application.
One more thing
cdxgen can now include components from the git tree and set an OmniBOR ID for git projects.
This feature is currently part of the --include-formulation argument, although it could become a dedicated command in a future release.
Full Changelog: v10.2.6...v10.3.5
Release v10.3.4
The previous release actually broke the cbom command, since the variable options was not declared before use. This is the problem with doing a rush job.
Full Changelog: v10.3.3...v10.3.4
Release v10.3.3
Some tweaks to the cbom command
Full Changelog: v10.3.2...v10.3.3
Release v10.3.2
What's Changed
Full Changelog: v10.3.1...v10.3.2