Release v11.1.5

What's Changed

🧪 Testing

• Linux arm tests by @prabhu in #1581

Other Changes

• Improved secure mode warnings by @prabhu in #1609

Full Changelog: v11.1.4...v11.1.5

Release v11.1.4

What's Changed

🧪 Testing

• Restrict -t java11 to linux only in repotests by @prabhu in #1604

Other Changes

• Handle pnpm workspace with duplicate names by @prabhu in #1603

Full Changelog: v11.1.3...v11.1.4

Release v11.1.3

Fixes a bug where automatic installations were no longer performed.

What's Changed

Other Changes

• fix: install setuptools and wheel before installing requirements by @AnsahMohammad in #1594
• Ensuring that the evidence.identity format is maintained after components are trimmed by @emcfins in #1591
• Fix version parsing in CMakeLists files by @asztalosdani in #1596
• cdxgen secure image - WIP by @prabhu in #1600

New Contributors

• @AnsahMohammad made their first contribution in #1594
• @emcfins made their first contribution in #1591
• @asztalosdani made their first contribution in #1596

Full Changelog: v11.1.2...v11.1.3

Release v11.1.2

What's Changed

Other Changes

• Adds is_workspace properties to uv parent components by @prabhu in #1590

Full Changelog: v11.1.1...v11.1.2

Release v11.1.1

Key highlights are the new internal properties to track pnpm and uv workspaces.

What's Changed

🚀 Features

• Track pnpm workspace for each component by @prabhu in #1578

🐛 Bug Fixes

• Improves dotnet dependency tree with case insensitive match by @prabhu in #1586

Other Changes

• Track dev and peer dependencies as optional by @prabhu in #1579
• Track relative virtual path for workspaces by @prabhu in #1580
• Track workspaces for transitive dependencies for uv monorepos by @prabhu in #1582
• Setting 'installDeps' to default to true by @malice00 in #1584
• workspace props validation by @prabhu in #1585
• Set pnpm workspace properties recursively by @prabhu in #1587

Full Changelog: v11.1.0...v11.1.1

Release v11.1.0 - cdxgen ❤️ Ruby

We're thrilled to announce the release of cdxgen v11.1.0, designed to simplify the Software Bill of Materials (SBOM) process for Ruby developers. Powered by the latest atom and a cutting-edge Ruby frontend, cdxgen generates precise build SBOMs with evidence for most Ruby applications, even those developed over 20 years ago with Ruby 1.8!

Evinse - Precise occurrences and callstack evidence

SaaSBOM with Endpoints detection

Our container images automatically install the necessary Ruby, RubyGems, and Bundler versions to create a buildable environment. cdxgen also intelligently analyzes common installation errors, offering actionable tips to improve SBOM accuracy. Plus, cdxgenGPT is now trained to expertly answer a wide range of Ruby-related queries.

Expert guidance with cdxgenGPT

CycloneDX and cdxgen Audio overview

Proudly generated using NotebookLM.

cyclonedx-and-cdxgen.m4a.zip

Sponsors

What's Changed

🚀 Features

• Bundle locally built cli in the container images by @prabhu in #1534
• Let's make things easy for Ruby - part 1 by @prabhu in #1545
• Add hash, scope and deps to dart by @paul-doherty in #1564

🧪 Testing

• container snapshot tests by @prabhu in #1535

Other Changes

• Ruby 2.5 support by @prabhu in #1547
• Ruby 3.4.1 by @prabhu in #1548
• Update atom for Ruby by @prabhu in #1549
• Ruby 1.8 support by @prabhu in #1551
• fix temp directories are no longer cleared by @youhaveme9 in #1553
• Evinse for Ruby by @prabhu in #1557
• Ruby repo tests by @prabhu in #1558
• add winget installation note by @youhaveme9 in #1559
• Introduce atom-tools to the container images by @prabhu in #1562
• Retain and validate parent component better by @prabhu in #1561
• Ruby evinse improvements by @prabhu in #1565
• Remove duplicates when resolving Gradle dependencies from Node by @malice00 in #1566
• Identify parent component from the pubspec.yaml files by @prabhu in #1570
• dotnet framework deep improvements by @prabhu in #1572
• Ruby reachables test - WIP by @prabhu in #1574
• Use docker for reachables tests by @prabhu in #1575
• More Ruby reach tests by @prabhu in #1577
• Added configurable reference generation between the components of a multi-language SBOM by @malice00 in #1567

New Contributors

• @youhaveme9 made their first contribution in #1553
• @paul-doherty made their first contribution in #1564

Full Changelog: v11.0.10...v11.1.0

Release v11.0.10

What's Changed

📚 Documentation

• [Docs] Update ENV.md to Include All Environment Variables by @satwiksps in #1526

New Features

• uv workspace support by @prabhu in #1524
• Install Ruby 3.4.0 in container images by @prabhu in #1528
• debian based dotnet images by @prabhu in #1529

Full Changelog: v11.0.9...v11.0.10

Release v11.0.9

What's Changed

Other Changes

• Expand optional tree by @prabhu in #1523

Full Changelog: v11.0.8...v11.0.9

Release v11.0.8 - Holiday update

We're ready to greet the new year with this holiday update. This release focuses on general improvements and tweaks to make cdxgen more useful for both users and AI bots. cdxgen can now reliably track all package manifests where a given component was found—especially helpful for vulnerability management and patching in large monorepos and multi-module projects. We’ve also improved dependency tree accuracy so bots like cdxgenGPT can better understand and reason about the underlying architecture.

Quality is a top priority. xBOM accuracy—particularly precision and recall—remains a constant topic that keeps us on our toes. Thanks to a generous sponsorship, we have added more snapshot testing for a number of languages and package manager ecosystems, and trained cdxgenGPT to serve as a good xBOM reviewer. We will soon use both automated testing and machine learning to continuously evaluate and improve BOM quality.

Please update to this version at your convenience. Happy Holidays!

Screenshots

cdxgenGPT training and assessment prompts

Rate my SBOM

Review of a syft SBOM

What's Changed

🚀 Features

• uv support by @prabhu in #1516
• Merge components after aggregation by @prabhu in #1517

🐛 Bug Fixes

• Retain license and external references for parent components by @prabhu in #1520

📚 Documentation

• cdxgen for bots by @prabhu in #1514
• Rate my xbom by @prabhu in #1521

Other Changes

• #1486 fix: use getGoPkgComponent in parseGosumData by @CaMoPeZzz in #1487
• Support image generation and parsing github url by @prabhu in #1497
• Fixes #1498. Don't remove await by @prabhu in #1509
• TypeError: project.modules.module.map is not a function by @readonlyuser1 in #1504
• fix:GH-1502 name root from package json by @ivanasabi in #1503
• #291 feat: vcs url for gopkg by @CaMoPeZzz in #1505
• Fix docker extract bugs by @prabhu in #1513
• asvs 5.0 - Beta by @prabhu in #1460

New Contributors

• @CaMoPeZzz made their first contribution in #1487
• @readonlyuser1 made their first contribution in #1504
• @ivanasabi made their first contribution in #1503

Full Changelog: v11.0.7...v11.0.8

Release v11.0.7

What's Changed

• Force package lock creation for stubborn projects with .npmrc by @prabhu in #1488

Full Changelog: v11.0.6...v11.0.7