
Release v0.2.2

@puerco puerco released this 03 Feb 01:11
1a1dee6

This release brings an important fix to avoid duplicating SPDX IDs when generating complex SBOMs that repeat elements such as base images. It also adds a new API function to query documents for elements by ID, along with other minor fixes. Thanks a lot to everyone for your contributions and feedback.

Release Notes

Changes by Kind

Feature

  • New XML-DOM inspired x.GetElementByID() allows querying documents, Files and Packages for elements that match an ID. The builder object now ensures that generated SPDX IDs are unique across the document. (#57, @puerco)
  • The YAML configuration file now supports adding archives using type: archive (#50, @puerco)
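As an added example (not bom's own code or API), the Go program below reimplements, on a small constructed in-memory document, the two behaviours the GetElementByID / unique-ID entry describes: a DOM-style GetElementByID that searches a document or package subtree, and a builder that hands out SPDX IDs which stay unique even when the same element (a base image) is added under two images. It also includes a DuplicateIDs walk, the check a practitioner would run over SBOMs produced before this fix, since duplicate SPDXRef IDs make relationships ambiguous and a consumer may attribute one image's base-layer packages to another. The type names, the ID-cleaning regexp and the numeric suffix scheme are assumptions for this example, not bom's.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Package is a constructed stand-in for an SPDX package; it may nest further
// packages, e.g. an image that contains a base image.
type Package struct {
	ID, Name string
	Packages []*Package
}

// Document is the root; seen records every ID handed out, so the same base
// image added under two images never ends up with one shared ID.
type Document struct {
	Packages []*Package
	seen     map[string]bool
}

// GetElementByID searches this package and its subtree, DOM-style.
func (p *Package) GetElementByID(id string) *Package {
	if p.ID == id {
		return p
	}
	for _, sub := range p.Packages {
		if hit := sub.GetElementByID(id); hit != nil {
			return hit
		}
	}
	return nil
}

// GetElementByID searches the whole document.
func (d *Document) GetElementByID(id string) *Package {
	for _, p := range d.Packages {
		if hit := p.GetElementByID(id); hit != nil {
			return hit
		}
	}
	return nil
}

// SPDX IDs must match SPDXRef-[A-Za-z0-9.-]+; other characters become "-".
var idCleaner = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// NewID derives an ID from a name and, while that ID is already taken anywhere
// in the document, appends -1, -2, ... (an assumed suffix scheme, not bom's).
func (d *Document) NewID(name string) string {
	if d.seen == nil {
		d.seen = map[string]bool{}
	}
	base := "SPDXRef-" + idCleaner.ReplaceAllString(name, "-")
	id := base
	for i := 1; d.seen[id]; i++ {
		id = fmt.Sprintf("%s-%d", base, i)
	}
	d.seen[id] = true
	return id
}

// AddPackage creates a package under parent (nil means the document root).
func (d *Document) AddPackage(parent *Package, name string) *Package {
	p := &Package{ID: d.NewID(name), Name: name}
	if parent == nil {
		d.Packages = append(d.Packages, p)
	} else {
		parent.Packages = append(parent.Packages, p)
	}
	return p
}

// DuplicateIDs walks a document built by any means and returns, sorted, the
// IDs used more than once: the check to run on SBOMs produced before the fix.
func DuplicateIDs(d *Document) []string {
	count := map[string]int{}
	var walk func(*Package)
	walk = func(p *Package) {
		count[p.ID]++
		for _, sub := range p.Packages {
			walk(sub)
		}
	}
	for _, p := range d.Packages {
		walk(p)
	}
	var dups []string
	for id, n := range count {
		if n > 1 {
			dups = append(dups, id)
		}
	}
	sort.Strings(dups)
	return dups
}

func main() {
	doc := &Document{}
	doc.AddPackage(doc.AddPackage(nil, "app:1.0"), "alpine:3.15")
	base2 := doc.AddPackage(doc.AddPackage(nil, "app:2.0"), "alpine:3.15")
	fmt.Println(base2.ID, doc.GetElementByID(base2.ID).Name, DuplicateIDs(doc))
}
```

The second alpine:3.15 receives SPDXRef-alpine-3.15-1 rather than colliding with the first, and DuplicateIDs returns an empty list for a document built through the builder; run it over a hand-assembled document that reuses an ID and it names that ID.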

Bug or Regression

  • ./bom document outline
    bom document outline → Draw structure of a SPDX document

    This subcommand draws a tree-like outline to help the user visualize
    the structure of the bom. Even though an SBOM represents a graph structure,
    drawing a tree helps a lot to understand what is contained in the document.

    You can define a level of depth to limit the expansion of the entities.
    For example, set --depth=1 to visualize only the files and packages
    attached directly to the root of the document.

    bom will try to add useful information to the outline but, if needed, you can
    set --spdx-ids to only output the IDs of the entities.

    Usage:
    bom document outline [SPDX File To Draw] [flags]

    Flags:
    -d, --depth int   recursion level (default -1)
    -h, --help        help for outline
        --spdx-ids    use SPDX identifiers in tree nodes instead of names

    Global Flags:
        --log-level string   the logging verbosity, either 'panic', 'fatal', 'error', 'warning', 'info', 'debug', 'trace' (default "info")

    FATA You should only specify one file (#54, @jeremyrickard)

  • Released bom binaries are now statically compiled (#47, @puerco)

  • When applying ignore patterns, bom will now refuse to build an empty SBOM if the patterns result in zero files included (#58, @kfaseela)
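An added example, not bom's code, of the fail-closed behaviour the ignore-pattern entry describes: the filter below applies ignore patterns to a file list and returns an error, rather than an empty list, when every file is excluded, so an over-broad pattern cannot quietly produce an SBOM that attests to nothing. FilterFiles, its use of filepath.Match against root-relative paths, and the sample file list are assumptions for this example; bom's own pattern syntax may differ.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// FilterFiles drops every path matched by one of the ignore patterns and fails
// closed: if nothing survives it returns an error instead of an empty slice.
// Patterns use filepath.Match semantics on the root-relative path, so "*" does
// not cross "/" ("*.go" matches "main.go" but not "cmd/main.go").
func FilterFiles(paths, ignore []string) ([]string, error) {
	kept := []string{}
	for _, p := range paths {
		ignored := false
		for _, pat := range ignore {
			match, err := filepath.Match(pat, p)
			if err != nil {
				// A malformed pattern is a configuration error, not "ignore nothing".
				return nil, fmt.Errorf("bad ignore pattern %q: %w", pat, err)
			}
			if match {
				ignored = true
				break
			}
		}
		if !ignored {
			kept = append(kept, p)
		}
	}
	if len(kept) == 0 {
		return nil, fmt.Errorf("ignore patterns %v exclude all %d files; refusing to build an empty SBOM", ignore, len(paths))
	}
	return kept, nil
}

func main() {
	// Constructed input: a tiny repository layout and two pattern sets.
	files := []string{"go.mod", "cmd/main.go", "docs/README.md"}
	fmt.Println(FilterFiles(files, []string{"docs/*"}))
	fmt.Println(FilterFiles(files, []string{"*", "*/*"}))
}
```

The first call keeps go.mod and cmd/main.go; the second excludes everything and returns the error instead of an SBOM with no files.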

Other (Cleanup or Flake)

  • Replaced the animation on the main GitHub page with a link to external page as it caused high CPU consumption (#39, @puerco)
  • When generating an SBOM, bom will now print its version before running to record it in CI/CD logs (#51, @puerco)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.