Releases: CycloneDX/cdxgen
Release v11.2.3 - Scala and SaaSBOM 2
This release brings evinse support for Scala and the next generation of SaaSBOM. Our LinkedIn announcement blog has more details.
Evinse for Scala
cdxgen v11.2.x features an innovative hybrid semantic analysis engine (based on both source code and TASTy files) for Scala 3 codebases. cdxgen supports both Scala 2 and 3 projects for basic SBOM generation. However, for Scala versions 3.3 to 3.6.4, it can produce highly detailed SBOMs enriched with occurrence data and SaaSBOM evidence.
The semantic analysis performed by cdxgen (with atom) is precise and state-of-the-art. Here are a few examples:
- Automatic expansion of wildcard imports, done entirely with static analysis.
- The analyzer knows the exact full type names of the modules and their Package URLs, even when the codebase uses dynamic imports and aliasing.
[Figure: occurrence evidence for Scala]

[Figure: services evidence for Scala]
SaaSBOM Enhancements
Version 11.2.x introduces the next generation of the SaaSBOM generator, with finer-grained endpoint detection: it now tracks the precise HTTP methods (GET, POST, PUT, DELETE, etc.) the application uses in its interactions with services and clients.
Let’s look at an example:
```ruby
scope ":account_id", as: "account", constraints: { account_id: /\d+/ } do resources :articles end
```
This single line of Ruby code would result in the following 7 routes!
```text
url_pattern='/account_id/articles', method='GET'
url_pattern='/account_id/articles/new', method='GET'
url_pattern='/account_id/articles', method='POST'
url_pattern='/account_id/articles/{id}', method='GET'
url_pattern='/account_id/articles/{id}/edit', method='GET'
url_pattern='/account_id/articles/{id}', method='PUT'
url_pattern='/account_id/articles/{id}', method='DELETE'
```
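To make the expansion concrete, here is an added example (not cdxgen's own implementation) that derives the same seven url_pattern/method pairs from the `scope` and `resources` declaration above, and groups the methods per pattern to show the granularity the v2 generator adds. The action table and rendering rules are taken from the output listed above; the `only`/`except` options are an assumed extension mirroring the Rails options of the same name.

```javascript
// Added example (not cdxgen's own code): expand a Rails `resources` declaration
// nested in a `scope` into the url_pattern/method pairs a SaaSBOM v2 endpoint
// list carries. Rendering follows the release notes above: the ":account_id"
// scope segment is written as "account_id", the member id as "{id}", and
// update is reported as PUT.
const RESTFUL_ACTIONS = [
  { action: "index",   method: "GET",    suffix: "" },
  { action: "new",     method: "GET",    suffix: "/new" },
  { action: "create",  method: "POST",   suffix: "" },
  { action: "show",    method: "GET",    suffix: "/{id}" },
  { action: "edit",    method: "GET",    suffix: "/{id}/edit" },
  { action: "update",  method: "PUT",    suffix: "/{id}" },
  { action: "destroy", method: "DELETE", suffix: "/{id}" },
];

// opts.only / opts.except mirror the Rails options of the same name (assumed
// extension beyond the single case shown in the release notes).
function expandResources(scopePath, resource, opts = {}) {
  const prefix = scopePath
    .split("/")
    .filter(Boolean)
    .map((seg) => (seg.startsWith(":") ? seg.slice(1) : seg))
    .join("/");
  const base = `/${prefix ? prefix + "/" : ""}${resource}`;
  return RESTFUL_ACTIONS
    .filter((a) => !opts.only || opts.only.includes(a.action))
    .filter((a) => !opts.except || !opts.except.includes(a.action))
    .map((a) => ({ url_pattern: `${base}${a.suffix}`, method: a.method }));
}

// Same `url_pattern='...', method='...'` form as the release notes.
function formatRoutes(routes) {
  return routes.map((r) => `url_pattern='${r.url_pattern}', method='${r.method}'`);
}

// Group methods per pattern: one path such as '/account_id/articles/{id}'
// carries GET, PUT and DELETE, which a method-less endpoint list cannot express.
function methodsByPattern(routes) {
  const byPattern = {};
  for (const r of routes) {
    (byPattern[r.url_pattern] || (byPattern[r.url_pattern] = [])).push(r.method);
  }
  return byPattern;
}

// Constructed input: the scope/resources block from the release notes.
const routes = expandResources(":account_id", "articles");
console.log(formatRoutes(routes).join("\n"));
console.log(methodsByPattern(routes));
```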
Users of cdxgen require no knowledge of programming languages, frameworks, or SDKs. The tool handles tasks like setting up build tools and compilation automatically. If user intervention is required, the tool will provide clear troubleshooting tips in plain English.
We support the following languages with SaaSBOM v2.
- Java
- JavaScript
- TypeScript
- Python
- Ruby
- Scala
In v1 mode, we support additional languages such as PHP and C/C++.
Generating SaaSBOMs has also become much easier. We’ve added a new dedicated command called “saasbom”.
```shell
npm install -g @cyclonedx/cdxgen
saasbom -t language
```
What's Changed
Other Changes
- Include hashes for oci file components by @prabhu in #1689
- fix exit code when submitting a bom by @winren9 in #1691
- Set 'quarkus.dependency.sbom.schema-version' if spec version defined by @marcelstoer in #1694
- chore: fix exports by @marco-ippolito in #1696
- Track executables with setuid and setgid flags by @prabhu in #1707
- Use pnpm to find the global node_modules path by @prabhu in #1713
Full Changelog: v11.2.2...v11.2.3
Release v11.2.2
We have introduced several improvements to container SBOMs. cdxgen now collects executable binaries and shared libraries in container images as file components, and it tracks specific environment variables that may affect the security properties of the hosted applications.
What's Changed
Other Changes
- Disable HTTP cache option with env var CDXGEN_NO_CACHE by @emcfins in #1681
- fix: correct types path by @marco-ippolito in #1683
- container sbom improvements by @prabhu in #1685
- Collect shared libraries from container images by @prabhu in #1687
- Support for parsing ld.so.conf and ld.so.conf.d directories by @prabhu in #1688
Full Changelog: v11.2.1...v11.2.2
Release v11.2.1
CocoaPods is now supported by cdxgen (thank you @malice00)! We even support hybrid projects that use both CocoaPods and Swift PM to generate a single aggregate SBOM.
What's Changed
- Improves name identification for yarn v1 lock files with self aliases by @prabhu in #1668
- Basic support for twincat project types such as tsproj, plcproj, hmiproj by @prabhu in #1669
- [Cocoa] Added generating SBOM for projects using Cocoapods by @malice00 in #1667
- adhoc changes by @prabhu in #1672
Full Changelog: v11.2.0...v11.2.1
Release v11.2.0 - Think, Evaluate, and Improve
Thanks to continuous thought logging and GPT-powered evaluation, we have fixed several bugs to enhance precision and improve the user experience.
What's Changed
- [Documentation] Split the table in ENV.md by language/tool and sorted the keys. by @malice00 in #1649
- Convert to relative paths using postgen + goodies by @prabhu in #1652
- Auto-detect gradle composite builds by @prabhu in #1658
- npm workspace improvements by @prabhu in #1659
- [swift] Parent hierarchy and properties improvements by @prabhu in #1664
Full Changelog: v11.1.10...v11.2.0
Release v11.1.10
What's Changed
Other Changes
- result.stderr could be null in node.js even with non-zero error code by @prabhu in #1641
- Fix pnpm and yarn lock file detection by @konstantinas1 in #1643
New Contributors
- @konstantinas1 made their first contribution in #1643
Full Changelog: v11.1.9...v11.1.10
Release v11.1.9
cdxgen can now log its thought process while generating the xBOM. cdxgenGPT can then interpret this log and advise whether the generated SBOM is accurate and complete. Below is an example for the Kafka repository:
What's Changed
Other Changes
- Refactor toml and lock file in cargo parsing using @iarna/toml (#1592) by @Code-Agitator in #1595
New Contributors
- @Code-Agitator made their first contribution in #1595
Full Changelog: v11.1.8...v11.1.9
Release v11.1.8
What's Changed
Other Changes
- cdx1 by @prabhu in #1624
- Switch to llama.cpp for gguf conversion by @prabhu in #1625
- document temperature and system prompt sensitivity by @prabhu in #1626
- cdx1 notes by @prabhu in #1627
- Sample eval questions by @prabhu in #1628
- Handle name less csproj files better by @prabhu in #1632
- Fix docker qemu bug by @prabhu in #1637
Full Changelog: v11.1.7...v11.1.8
Release v11.1.7
cdxgen (>= v11.1.7) now includes a "secure mode," powered by the Node.js permission model. This "seat-belt approach" allows you to control which system resources cdxgen can access and what actions it can perform with those resources. For example, in --lifecycle pre-build mode, you can restrict cdxgen to reading only specific files, without granting permission to execute child processes. Even when executing node-based commands such as npm or atom, you can further limit the directories these external commands can read and write, as well as their permissions to execute child processes. This makes cdxgen an ideal SBOM tool when dealing with untrusted codebases (which is all software).
For further information, please refer to the permissions documentation or start using the new ghcr.io/cyclonedx/cdxgen-secure container image.
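As an added illustration of the least-privilege idea above (example code, not cdxgen's own implementation), the following picks the narrowest Node.js permission-model grants for a given lifecycle and pre-checks them with `process.permission.has()`. The flag names are Node 20's (`--experimental-permission`; newer Node spells it `--permission`); the script name, cache directory and the exact set of accesses each lifecycle needs are assumptions for the sake of the example.

```javascript
// Added example (not cdxgen's own code): least-privilege Node.js permission
// grants per lifecycle, plus a pre-flight check against process.permission.
// Flag names are those of Node 20 (--experimental-permission; newer Node uses
// --permission). Script name, cache dir and the per-lifecycle access list are
// assumptions made for this example.

// pre-build only needs to read the source tree; build additionally spawns the
// package manager and writes a cache directory.
function permissionFlags(projectDir, lifecycle, cacheDir = "/tmp/sbom-cache") {
  const flags = ["--experimental-permission", `--allow-fs-read=${projectDir}`];
  if (lifecycle === "build") {
    flags.push(`--allow-fs-write=${cacheDir}`, "--allow-child-process");
  }
  return flags;
}

// Full argv for launching a Node script (assumed name) under those grants.
function secureCommand(script, projectDir, lifecycle) {
  return ["node", ...permissionFlags(projectDir, lifecycle),
          script, "--lifecycle", lifecycle, projectDir];
}

// The accesses each lifecycle will attempt, as permission-model scopes.
function neededAccess(projectDir, lifecycle, cacheDir = "/tmp/sbom-cache") {
  const needs = [{ scope: "fs.read", ref: projectDir }];
  if (lifecycle === "build") {
    needs.push({ scope: "fs.write", ref: cacheDir }, { scope: "child", ref: undefined });
  }
  return needs;
}

// Returns the needs the current process cannot satisfy. `permission` is
// process.permission, which is undefined when the model is off; that case is
// reported explicitly rather than treated as "everything allowed".
function deniedAccess(permission, needs) {
  if (!permission) {
    return needs.map((n) => ({ ...n, reason: "permission model not enabled" }));
  }
  return needs
    .filter((n) => !permission.has(n.scope, n.ref))
    .map((n) => ({ ...n, reason: "denied by permission model" }));
}

console.log(secureCommand("cdxgen.js", "/src/app", "pre-build").join(" "));
console.log(deniedAccess(process.permission, neededAccess("/src/app", "pre-build")));
```

Run the script itself under `node --experimental-permission --allow-fs-read=/src/app` to see the pre-flight check report an empty list for pre-build and the child-process need for build.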
Thank you to @eran-medan and the other security researchers for helping bring this feature live.
Addresses CVE-2024-50611 and #1328. Please update at your convenience.
Full Changelog: v11.1.6...v11.1.7
Release v11.1.6
- Reduce validation warnings. Fix for #1610
- golang is included in a few Python images
Full Changelog: v11.1.5...v11.1.6