Releases: CycloneDX/cdxgen
Release v11.4.1
Release v11.4.0
What if SBOM tool developers utilised their tool's own SBOM to make the project leaner, safer, and better? This curiosity led to the new minor release of cdxgen v11.4.x. We utilised two powerful features of the pnpm package manager, aliasing and overrides, to continuously generate an SBOM, test, and optimise the dependency tree. We reduced the dependency count by a whopping 10% and artefact binary sizes by 5% without losing any functionality! We then applied the same principle to trim our container images, implemented multi-stage builds for better caching, and implemented per-architecture signed SBOM attachment for the first time (Thanks @malice00). For fans of Alpine Linux, cdxgen container images are now available with Alpine base images for top languages. We are also making a static musl-linked single executable binary available for effortless rollout across a range of operating systems, including IoT devices!
What's Changed
Breaking Changes 🛠
💳 Sponsored Work
- [Python] dependency tree enhancements by @prabhu in #1855
- Recurse on optional package tree by @prabhu in #1860
Other Changes
- Add image for Rust 1.87 by @bandhan-majumder in #1819
- Add image for Debian Python 3.13, Debian dotnet 10 preview, Temurin java 24, php 8.3 by @bandhan-majumder in #1820
- Bug fix by @bandhan-majumder in #1821
- fileless image sign + trim deps with cdxgen by @prabhu in #1822
- Continue overriding to reduce deps by @prabhu in #1823
- Switch to AppThreat node-sqlite3 to get sqlite 3.50.0 by @prabhu in #1825
- Support for deno in devenv by @prabhu in #1827
- linux musl detection by @prabhu in #1829
- Add alpine images for golang 1.23 and 1.24 by @bandhan-majumder in #1828
- Add alpine images for java 21 and 24 by @bandhan-majumder in #1830
- [build] Optimized build, SBOM generation & attaching by @malice00 in #1833
- Escaping space in spawnSync args was breaking scala sbt :( by @prabhu in #1832
- [build] Added a new workflow that can be used to automatically retry failed jobs by @malice00 in #1838
- Add ruby 3.4.4 alpine image by @bandhan-majumder in #1834
- [build] Moved image-builds between cloud and hosted servers by @malice00 in #1839
- Remove `PYTHON_VERSION` var from alpine images by @bandhan-majumder in #1840
- We are missing java in some images so --profile research doesn't work by @prabhu in #1841
- [build] Merged all sets of Dockerfiles into a multi-stage Dockerfile by @malice00 in #1842
- Update atom, sqlite, and ruby versions. Remove find-up by @prabhu in #1843
- [build] Fixed docker warnings about using undefined variables by @malice00 in #1846
- [build] Forgot to remove some newlines in the previous PR by @malice00 in #1847
- Fix technique filtering logic by correctly checking for intersection by @yuvalmich in #1848
- bugfix: normalize component evidence identities to always be array by @yuvalmich in #1852
- Add php 8.4 image for debian and alpine distro by @bandhan-majumder in #1862
- Allowlist for server post. Quote arguments. by @prabhu in #1863
- Adhoc fixes by @prabhu in #1864
New Contributors
- @yuvalmich made their first contribution in #1848
Full Changelog: v11.3.2...v11.4.0
Release v11.3.2
What's Changed
💳 Sponsored Work
- go vendor/modules.txt support by @prabhu in #1810
- Improve dependency tree for poetry in non-workspace mode by @prabhu in #1817
Other Changes
- Verify oci images with SBOM attachments by @prabhu in #1799
- [build] Don't try to install NPM -- it's already installed by @malice00 in #1801
- [build] Free more space on CI-machine by @malice00 in #1802
- fix: unformatted go.mod which is valid leads to parse error by @fearfate in #1803
- fix: go 1.24 has introduced tool directive in go.mod, which is recognized as a dependency by @fearfate in #1805
- ImportedSymbols property for c++ was breaking chen CdxPass by @prabhu in #1808
- [CocoaPods] Fix problems with external Pods from Git by @malice00 in #1807
- split ruby build by @prabhu in #1811
- Add container image for golang 1.23 by @bandhan-majumder in #1814
- Add devenv setup by @bandhan-majumder in #1815
New Contributors
- @fearfate made their first contribution in #1803
- @bandhan-majumder made their first contribution in #1814
Full Changelog: v11.3.1...v11.3.2
Release v11.3.1
All cdxgen container images now include a signed BOM as an attachment. Use the `oras discover` and `oras pull` commands to download these attachments as shown here.
What's Changed
Other Changes
- Build Ruby in a builder by @prabhu in #1790
- Attach cdx sboms to various images by @prabhu in #1793
- Sign the generated BOMs by @prabhu in #1794
- sbom signing attempt 2 by @prabhu in #1798
Full Changelog: v11.3.0...v11.3.1
Release v11.3.0
This is a major release. cdxgen now uses Node 24 in single executable applications (sea) and container images for improved performance. For the first time, our sea binaries are built with pnpm node_modules and therefore have an identical dependency tree to the source and container images. Thanks to the excellent work from @malice00, our build workflows are modernised and scalable. We have also trimmed multiple container images by removing Java and other unneeded packages without any loss of functionality (for instance, by using the atom native binary, which doesn't require Java).
What's Changed
🧪 Testing
🏗️ Build System
Other Changes
- Updated OpenJDK to v24 by @malice00 in #1772
- Changed workflow to use a matrix by @malice00 in #1773
- Added trimming of the CI-server for depscan-run by @malice00 in #1774
- Override jwa for node 24. Include node 24.x in workflow by @prabhu in #1776
- Use PackageURL.fromString to properly parse npm targetName by @jdalton in #1777
- Switch to node24 by @prabhu in #1778
- Update node version by @prabhu in #1782
- [build] Optimized building of some of the java images by @malice00 in #1783
- [build] Update/rust cargo by @malice00 in #1784
- [build] Extracted reusable workflow for image build by @malice00 in #1785
- [build] Extracted the rolling image into its own workflow by @malice00 in #1786
- Update atom. Use atom-native + remove Java by @prabhu in #1789
New Contributors
Full Changelog: v11.2.7...v11.3.0
Release v11.2.7
bazel 8 support. Thanks @sebastianvoss
What's Changed
Other Changes
- [server] Additional validations + don't reflect by @prabhu in #1756
- adhoc tweaks by @prabhu in #1758
- Fixed Typos by @kooldud535 in #1761
- Tune down frameworks for js by @prabhu in #1762
- Create output directory if needed. Update atom to get JS improvements by @prabhu in #1763
- scan cdxgen with depscan by @prabhu in #1764
- More container env variables by @prabhu in #1766
- feat: make bazel query compatible with newer bazel versions and rules… by @sebastianvoss in #1769
- Update packages by @prabhu in #1770
New Contributors
- @kooldud535 made their first contribution in #1761
Full Changelog: v11.2.6...v11.2.7
Release v11.2.6
cdxgen can now statically analyse itself to create a detailed SBOM with all occurrences and call-stack evidence. Plotting all call-stack evidence for a large pure JavaScript codebase like ours was previously not possible due to various issues in the downstream tools, all of which have finally been addressed. The generated BOMs, including atom slices, can be found in this Hugging Face repo.
Below is an example of a complete data-flow that was plotted only using the information in the cdxgen generated BOM file.
More examples can be found in this file.
What's Changed
- [Gradle] Optimization for included/composite builds broke cdxgen on single module by @malice00 in #1744
- Prefix language to support multiple slices files for evinse by @prabhu in #1748
- pnpm add and dlx plugins detection by @prabhu in #1749
- Makes oci image export more robust when using cli by @prabhu in #1751
Full Changelog: v11.2.5...v11.2.6
v11.2.5
We have improved performance for Gradle and Maven by supporting daemon mode. A key breaking change in this release is the removal of android-sdk from container images, since the licence doesn't allow redistribution.
What's Changed
Breaking Changes 🛠
Other Changes
- [Gradle] SBOM generation didn't work on Windows by @malice00 in #1615
- repo tests quick by @prabhu in #1728
- Allowlists in server mode by @prabhu in #1729
- Let gradle handle resolving included builds! by @malice00 in #1732
- self hosted ubuntu by @prabhu in #1734
- [gradle] Added the possibility to explicitly control the gradle daemon / cleaning up after ourselves by @malice00 in #1736
- [mill] Added the possibility to control usage of the server (daemon) by @malice00 in #1739
- Ruby 3.4.3 by @prabhu in #1741
Full Changelog: v11.2.4...v11.2.5
Release v11.2.4 - mill support
Mill build tool is now supported by cdxgen. Thanks @malice00!
What's Changed
🚀 Features
💳 Sponsored Work
Other Changes
- fix: remove logging support for NODE_ENV by @marco-ippolito in #1716
- fix(ci-deno): allow sqlite post-install scripts by @OffBy0x01 in #1719
- lima hosted build by @prabhu in #1721
- mill additional args by @prabhu in #1725
New Contributors
- @OffBy0x01 made their first contribution in #1719
Full Changelog: v11.2.3...v11.2.4
Release v11.2.3 - Scala and SaaSBOM 2
This release brings evinse support for Scala and the next generation of SaaSBOM. Our LinkedIn announcement blog has more details.
Evinse for Scala
cdxgen v11.2.x features an innovative hybrid semantic analysis engine (based on both source code and TASTy files) for Scala 3 codebases. cdxgen supports both Scala 2 and 3 projects for basic SBOM generation. However, for Scala versions 3.3 to 3.6.4, it can produce highly detailed SBOMs enriched with occurrence data and SaaSBOM evidence.
The semantic analysis performed by cdxgen (with atom) is precise and state-of-the-art. Here are a few examples:
Automatic expansion of wildcard imports entirely with static analysis
Our analyzer knows the exact full type names of the modules and their Package URLs, even when the codebase uses dynamic imports and aliasing.
Occurrence evidences for scala
Services evidence for scala
SaaSBOM Enhancements
Version 11.2.x introduces the next generation of the SaaSBOM generator, featuring enhanced granularity in endpoint detection, specifically the tracking of precise HTTP methods (GET, POST, PUT, DELETE, etc.) utilized by the application in its interactions with services and clients.
Let’s look at an example:
```ruby
scope ":account_id", as: "account", constraints: { account_id: /\d+/ } do
  resources :articles
end
```
This single line of Ruby code would result in the following 7 routes!
```text
url_pattern='/account_id/articles', method='GET'
url_pattern='/account_id/articles/new', method='GET'
url_pattern='/account_id/articles', method='POST'
url_pattern='/account_id/articles/{id}', method='GET'
url_pattern='/account_id/articles/{id}/edit', method='GET'
url_pattern='/account_id/articles/{id}', method='PUT'
url_pattern='/account_id/articles/{id}', method='DELETE'
```
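To make the expansion above concrete, here is an added example (not cdxgen's or atom's own code) that turns a Rails-style `resources` declaration inside a `scope` into the ordered list of url pattern and HTTP method pairs shown above, using the same notation (dynamic scope segments written without the leading colon, the member id written as `{id}`). The action table, the `only:` option and the helper names are assumptions of the example; the `only:` option goes slightly beyond the page by showing how a restricted resource shrinks the set of recorded endpoints.

```ruby
# Added example: expand `resources :name` inside `scope ":seg"` into the
# (url_pattern, method) pairs a SaaSBOM would record for the route set above.

# Constructed table of the seven RESTful actions listed above.
# Each entry: [action, suffix appended to the collection path, HTTP method].
RESOURCE_ACTIONS = [
  [:index,   "",           "GET"],
  [:new,     "/new",       "GET"],
  [:create,  "",           "POST"],
  [:show,    "/{id}",      "GET"],
  [:edit,    "/{id}/edit", "GET"],
  [:update,  "/{id}",      "PUT"],
  [:destroy, "/{id}",      "DELETE"],
].freeze

# Normalise a scope segment the way the output above does: a dynamic
# segment such as ":account_id" is written without its leading colon.
def normalise_segment(segment)
  segment.sub(/\A:/, "")
end

# Expand one `resources :name` declared inside `scope` (for example
# ":account_id", or "" for no scope) into an ordered list of
# { url_pattern:, method: } hashes. `only:` optionally restricts the
# actions, as Rails allows, so fewer endpoints are recorded.
def expand_resources(scope, name, only: nil)
  prefix = scope.split("/").reject(&:empty?).map { |s| normalise_segment(s) }.join("/")
  collection = "/#{prefix}/#{name}".squeeze("/")
  RESOURCE_ACTIONS
    .select { |action, _, _| only.nil? || only.include?(action) }
    .map { |_, suffix, method| { url_pattern: collection + suffix, method: method } }
end

# Render each route in the `url_pattern='...', method='...'` form shown above.
def render_routes(routes)
  routes.map { |r| "url_pattern='#{r[:url_pattern]}', method='#{r[:method]}'" }
end

if $PROGRAM_NAME == __FILE__
  # Reproduces the seven routes listed above for `resources :articles`
  # inside `scope ":account_id"`.
  puts render_routes(expand_resources(":account_id", :articles))
end
```

Running the script prints the same seven lines as the list above; passing `only: [:index, :show]` drops the create, update and delete endpoints, which is the kind of difference an endpoint-level SaaSBOM is meant to surface.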
Users of cdxgen require no knowledge of programming languages, frameworks, or SDKs. The tool handles tasks like setting up build tools and compilation automatically. If user intervention is required, the tool will provide clear troubleshooting tips in plain English.
We support the following languages with SaaSBOM v2.
- Java
- JavaScript
- TypeScript
- Python
- Ruby
- Scala
In v1 mode, we support additional languages such as PHP and C/C++.
Generating SaaSBOMs has also become much easier. We’ve added a new dedicated command called “saasbom”.
```shell
npm install -g @cyclonedx/cdxgen
saasbom -t language
```
What's Changed
Other Changes
- Include hashes for oci file components by @prabhu in #1689
- fix exit code when submitting a bom by @winren9 in #1691
- Set 'quarkus.dependency.sbom.schema-version' if spec version defined by @marcelstoer in #1694
- chore: fix exports by @marco-ippolito in #1696
- Track executables with setuid and setgid flags by @prabhu in #1707
- Use pnpm to find the global node_modules path by @prabhu in #1713
New Contributors
Full Changelog: v11.2.2...v11.2.3