Releases: CycloneDX/cdxgen
Release v11.0.0
Announcement blog on LinkedIn
Top Features
- New ML profiles (ml-tiny, ml, ml-deep) added. Pass them via the cli args --profile.
- New filter techniques (--min-confidence and --technique)
BREAKING changes
cyclonedx-maven-plugin is no longer used by default. PREFER_MAVEN_DEPS_TREE now defaults to true. Set this value to false should you prefer the cyclonedx maven plugin.
What's Changed
🚀 Features
- Automatic annotations and tagging by @prabhu in #1450
- Annotation improvements - part 2 by @prabhu in #1451
- Annotation improvements - part 5 by @prabhu in #1455
- Minimum confidence filter by @prabhu in #1457
Other Changes
- Enable CycloneDX 1.5 snapshots to be compared with 1.6. by @cerrussell in #1444
- fix: executable path in windows by @aryan-rajoria in #1441
- Annotations text for saasbom and cdxa by @prabhu in #1452
- Trim the saasbom to help all models including Gemini by @prabhu in #1454
Full Changelog: v10.11.0...v11.0.0
Release v10.11.0 - Happy swiftwali
Swift developers deserve better tooling to make their lives simple. Accurate information about where and how a given library (both internal and external) is used can help with prioritization and vulnerability management.
This release adds a new state-of-the-art semantic analysis engine for Swift 😎. cdxgen can generate a precise semantic slice representing the application context with accurate types and fully qualified call names for a range of Swift applications. The slices are then utilized by evinse to generate "occurrences evidence" for the SBOM as shown.

We can't wait to iterate to bring you more enhancements and visibility over the coming weeks.
What's Changed
🚀 Features
Other Changes
- Use bom-ref consistently in the dependency tree by @prabhu in #1431
- Run "Upload base images" action only on main repository by @marob in #1436
- Run some GitHub action jobs only on main repository by @marob in #1438
- Graciously fail for fastlane managed swift projects by @prabhu in #1443
Full Changelog: v10.10.7...v10.11.0
v10.10.7
Release v10.10.6
What's Changed
Other Changes
- Do not duplicate parent dependencies in case of multiple composer.lock files (#1419) by @marob in #1424
- Bump cjd version for bugfixes. by @cerrussell in #1427
- Do not duplicate dependsOn (#1425) by @marob in #1426
Full Changelog: v10.10.5...v10.10.6
Release v10.10.5
What's Changed
Other Changes
- Update packages with overrides by @prabhu in #1411
- WIP: Feature/swift evidence by @prabhu in #1414
- [Gradle] Added the possibility to completely exclude modules from the scan (fix for issue #1413) by @malice00 in #1418
- pnpm workspace tree by @prabhu in #1417
Full Changelog: v10.10.4...v10.10.5
Release v10.10.4
Release v10.10.3
We are now publishing new language-specific custom base images (contributed by AppThreat). We have seen significant improvements for Python and .Net framework applications in the field with these images. They are also lightweight compared to the default cdxgen image.
What's Changed
🚀 Features
- New custom base images by @prabhu in #1405
- Refer to new custom images in the code by @prabhu in #1406
Other Changes
- Duplicate properties by @malice00 in #1403
- Added parameter for new version of CJD by @malice00 in #1404
Full Changelog: v10.10.2...v10.10.3
Release v10.10.2
What's Changed
Other Changes
- search only for Bazel workspace and module files by @maur1 in #1394
- feat: Ignore parent component for types with empty components by @prabhu in #1399
Full Changelog: v10.10.1...v10.10.2
Release v10.10.1
Windows sae builds are back 😎
What's Changed
Other Changes
- Upgrade testing to use custom-json-diff v2. by @cerrussell in #1389
- [Gradle] Added an option to fully scan 'includedBuilds' by @malice00 in #1388
- Brings back windows sae builds by @prabhu in #1390
Full Changelog: v10.10.0...v10.10.1
Release v10.10.0
Gradle multi-threading mode is now the default 😎. Enjoy the turbo-charged performance contributed with ❤️ by @malice00. Also includes the new atom, which is a bit leaner and more performant ⚡️. Last, but not least, the repo is refactored to help with maintenance and testing (Thanks @aryan-rajoria and @setchy!)
What's Changed
Other Changes
- [Gradle] Don't use full multi-threading, SBOMs can be completely wrong by @malice00 in #1376
- Do not create empty component.components by @prabhu in #1378
- [Gradle] Fixed a problem with scoped NPM packages while resolving modules from NPM by @malice00 in #1379
- Handling sub-components of the root component the same as all other components by @malice00 in #1371
- [Gradle] Added deep-scanning of gradle modules by @malice00 in #1380
- refactor: project structure PR by @aryan-rajoria in #1382
- Typescript 5.6.x with the latest atom by @prabhu in #1384
- Feat: Include components from pnpm-lock.yaml importers by @aryan-rajoria in #1377
- Poetry root list from pyproject.toml by @prabhu in #1386
- [Gradle] Scanning of all modules fixed by @malice00 in #1383
- Update atom and other packages by @prabhu in #1387
Full Changelog: v10.9.11...v10.10.0