v0.5.0

Changes by Kind

Feature

• -bom now embeds the latest SPDX license list. This avoids pulling the license list from the internet, speeding up SBOM generation
  • The bom mage file now has a CheckEmbeddedData and UpdateEmbeddedData targets to ease the management of the embedded data. (#255, @puerco)
• Bom will now correctly register in the SBOM the license list it used to scan code to detect licenses
  • the version of the SPDX license list to use is now configurable at SBOM generation time using --license-list-version (#245, @puerco)
• Bom will now generate package listings out of apk-based systems (alpine and wolfi) (#224, @puerco)
• Replace the registry with cgr.dev (#199, @developer-guy)
• The license list downloader now cached the license list zip file
  • The license list downloader can now download arbitrary versions of the license list. (#213, @puerco)
• Upgrade to go1.20 (#250, @cpanato)
• bom document outline now displays version numbers along package names by default. This can be turned off with --version=false
  • The oultine subcommand has a new ---purl flag which will display purls instead of package names when outlining an SBOM (#212, @puerco)

Documentation

• Corrected the go install instructions to install the latest version (#252, @puerco)
• Updated the readme to show up to date features
  • bom now has a logo! 🎉 (#222, @puerco)

Bug or Regression

• Fixed a bug where SBOMs were not ingested when the supplier of a package was NOASSERTION. (#203, @puerco)
• Fixed a bug where bom would crash when outlining an SBOM containing files at the top level of the document.. (#190, @puerco)
• Fixed a bug where the license downloader was always returning nil data leading to licenses not being detected. (#241, @puerco)
• Fixed a bug where the tool version was not getting included in the document creator info. The new Creator field has the app name, version tag and commit: ``bom-v0.4.1-102-g98baf66 (#242, @puerco)
• Fixed a recursion loop in spdx.recursiveIDSearch which lead to panics when generating sboms describing multiple artifacts. (#244, @puerco)

Other (Cleanup or Flake)

• Fixed a bug where bom would open each file unnecessarily when checksumming (#200, @puerco)
• LicenseDeclared in packages and licenseConcluded in files and packages will now be omitted in SPDX 2.3 documents.
  • [API Change] the PackageVerificationCode in the package JSON types (both in 2.2 and 2.3) has been changed and is now a pointer. This is a breaking change for anything depending on the bom types. This fixes a bug where JSON SBOMs contained an empty package verification code struct.
  • licenseInfoInFile in both packages and files is now committed from the JSON output when empty. (#243, @puerco)
• SBOM ingestion now supports external references with both PACKAGE-MANAGER and PACKAGE-MANAGER in the category field. Output is always SPDX 2.3 which calls for PACKAGE-MANAGER in the schema. (#221, @puerco)

Uncategorized

• Add checksums binaries (#191, @cpanato)
• Fixed a bug where bom would panic when generating an SBOM of an image specified with a digest. (#225, @sbs2001)

Dependencies

Added

• cloud.google.com/go/compute/metadata: v0.2.3
• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/cloudflare/circl: v1.1.0
• github.com/frankban/quicktest: v1.14.0
• github.com/google/renameio: v1.0.1
• github.com/mmcloughlin/avo: v0.5.0
• github.com/pjbgf/sha1cd: v0.3.0
• github.com/skeema/knownhosts: v1.1.0
• github.com/spiffe/go-spiffe/v2: v2.1.2
• github.com/zeebo/errs: v1.3.0
• gitlab.alpinelinux.org/alpine/go: v0.6.0
• golang.org/x/arch: v0.1.0
• google.golang.org/genproto: 76db087
• google.golang.org/grpc: v1.53.0
• gopkg.in/ini.v1: v1.67.0
• gopkg.in/square/go-jose.v2: v2.6.0
• mvdan.cc/editorconfig: v0.2.0
• mvdan.cc/sh/v3: v3.5.1
• rsc.io/pdf: v0.1.1

Changed

• cloud.google.com/go/compute: v1.10.0 → v1.18.0
• github.com/ProtonMail/go-crypto: 04723f9 → 7d5c6f0
• github.com/acomagu/bufpipe: v1.0.3 → v1.0.4
• github.com/anmitsu/go-shlex: 648efa6 → 38f4b40
• github.com/containerd/stargz-snapshotter/estargz: v0.12.1 → v0.14.3
• github.com/creack/pty: v1.1.9 → v1.1.17
• github.com/docker/cli: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/docker/docker: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/emirpasic/gods: v1.12.0 → v1.18.1
• github.com/gliderlabs/ssh: v0.2.2 → v0.3.5
• github.com/go-git/go-billy/v5: v5.3.1 → v5.4.1
• github.com/go-git/go-git-fixtures/v4: v4.2.1 → v4.3.1
• github.com/go-git/go-git/v5: v5.4.2 → v5.6.1
• github.com/golang/protobuf: v1.5.2 → v1.5.3
• github.com/google/go-containerregistry: v0.12.0 → v0.14.0
• github.com/imdario/mergo: v0.3.12 → v0.3.13
• github.com/in-toto/in-toto-golang: af1f9fb → v0.7.0
• github.com/inconshreveable/mousetrap: v1.0.1 → v1.1.0
• github.com/kevinburke/ssh_config: 4977a11 → v1.2.0
• github.com/klauspost/compress: v1.15.11 → v1.16.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.5.0 → v6.6.1
• github.com/onsi/gomega: v1.18.1 → v1.26.0
• github.com/secure-systems-lab/go-securesystemslib: v0.3.0 → v0.5.0
• github.com/stretchr/testify: v1.8.1 → v1.8.2
• github.com/xanzy/ssh-agent: v0.3.0 → v0.3.3
• golang.org/x/crypto: v0.1.0 → v0.6.0
• golang.org/x/mod: v0.6.0 → v0.9.0
• golang.org/x/net: v0.1.0 → v0.8.0
• golang.org/x/oauth2: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.1.0 → v0.6.0
• golang.org/x/term: v0.1.0 → v0.6.0
• golang.org/x/text: v0.4.0 → v0.8.0
• golang.org/x/tools: v0.2.0 → v0.7.0
• google.golang.org/protobuf: v1.28.1 → v1.29.0
• sigs.k8s.io/release-utils: v0.7.3 → 2b998c6

Removed

• github.com/flynn/go-shlex: 3f9db97
• github.com/konsorten/go-windows-terminal-sequences: v1.0.1

New Contributors

• @rnjudge made their first contribution in #231

Full Changelog: v0.4.1...v0.5.0