Release v11.4.0

What if SBOM tool developers utilised their tool's SBOM to make the project leaner, safer, and better? This curiosity led to the new minor release of cdxgen v11.4.x. We utilised two powerful features in pnpm package manager - aliasing and overrides to continuously generate an SBOM, test, and optimise the dependency tree. We reduced the dependency count by a whopping 10% and artefact binary sizes by 5% without losing any functionality! We then applied the same principle to trim our container images, implemented multi-stage builds for better caching, and implemented per-architecture signed SBOM attachment for the first time (Thanks @malice00). For fans of Alpine Linux, cdxgen container images are now available with Alpine base images for top languages. We are also making a static musl-linked single executable binary available for effortless rollout across a number of OS including IoT devices!

What's Changed

Breaking Changes 🛠

• almalinux 10 upgrade by @prabhu in #1818

💳 Sponsored Work

• [Python] dependency tree enhancements by @prabhu in #1855
• Recurse on optional package tree by @prabhu in #1860

Other Changes

• Add image for Rust 1.87 by @bandhan-majumder in #1819
• Add image for Debian Python 3.13, Debian dotnet 10 preview, Temurin java 24, php 8.3 by @bandhan-majumder in #1820
• Bug fix by @bandhan-majumder in #1821
• fileless image sign + trim deps with cdxgen by @prabhu in #1822
• Continue overriding to reduce deps by @prabhu in #1823
• Switch to AppThreat node-sqlite3 to get sqlite 3.50.0 by @prabhu in #1825
• Support for deno in devenv by @prabhu in #1827
• linux musl detection by @prabhu in #1829
• Add alpine images for golang 1.23 and 1.24 by @bandhan-majumder in #1828
• Add alpine images for java 21 and 24 by @bandhan-majumder in #1830
• [build] Optimized build, SBOM generation & attaching by @malice00 in #1833
• Escaping space in spawnSync args was breaking scala sbt :( by @prabhu in #1832
• [build] Added a new workflow that can be used to automatically retry failed jobs by @malice00 in #1838
• Add ruby 3.4.4 alpine image by @bandhan-majumder in #1834
• [build] Moved image-builds between cloud and hosted servers by @malice00 in #1839
• Remove PYTHON_VERSION var from alpine images by @bandhan-majumder in #1840
• We are missing java in some images so --profile research doesn't work by @prabhu in #1841
• [build] Merged all sets of Dockerfiles into a multi-stage Dockerfile by @malice00 in #1842
• Update atom, sqlite, and ruby versions. Remove find-up by @prabhu in #1843
• [build] Fixed docker warnings about using undefined variables by @malice00 in #1846
• [build] Forgot to remove some newlines in the previous PR by @malice00 in #1847
• Fix technique filtering logic by correctly checking for intersection by @yuvalmich in #1848
• bugfix: normalize component evidence identities to always be array by @yuvalmich in #1852
• Add php 8.4 image for debian and alpine distro by @bandhan-majumder in #1862
• Allowlist for server post. Quote arguments. by @prabhu in #1863
• Adhoc fixes by @prabhu in #1864

New Contributors

• @yuvalmich made their first contribution in #1848

Full Changelog: v11.3.2...v11.4.0