Skip to content

Releases: sbom-tool/sbom-tools

v0.1.22

Choose a tag to compare

@github-actions github-actions released this 15 Jun 06:16
Immutable release. Only release title and notes can be modified.
dea7853

sbom-tools v0.1.22

Highlights

The AI BOM release. sbom-tools now treats AI systems as a first-class domain across the whole pipeline: it parses CycloneDX ML-BOMs and SPDX 3.0 AI/Dataset profiles, scores AI-readiness (AI-001…AI-010), machine-checks the EU AI Act (Annex IV) and the G7/BSI "SBOM for AI — Minimum Elements" standards, diffs model and dataset changes semantically, verifies model-weight integrity, enriches Hugging Face components, and renders AI-BOMs as a dedicated profile in the TUI (Models / Datasets / AI-Readiness tabs).

Alongside the AI work this release lands a large wave of correctness and security fixes — including a hostile-SBOM stack-overflow, empty OSV severity data, and broken CycloneDX XML parsing — a new convert command (CycloneDX ↔ SPDX), KEV/EPSS vulnerability enrichment with an offline/air-gapped mode, and broad CLI/TUI alignment.

Please read Upgrade notes below — this release changes several user-visible behaviors (scoring engine 2.1, stricter license-policy gating, logs moved to stderr, official EPSS endpoint).

What's New

AI / ML Bill of Materials

  • AI-readiness scoring profile. A dedicated quality --profile ai-readiness (and TUI AI-BOM profile) grades ten AI-specific checks (AI-001…AI-010): model-card, architecture, training datasets, quantitative analysis, fairness, ethical considerations, use-cases, limitations, energy, and model-weight hash integrity. (#205, #239, #246)
  • CycloneDX ML-BOM + SPDX 3.0 AI/Dataset parsing. Spec-compliant CycloneDX modelCard parsing (typed fairness/quantitative-analysis/considerations) and SPDX 3.0 AI + Dataset profile metadata including the trainedOn relationship. (#204, #208, #239)
  • Semantic ML model & dataset diffing. Model and dataset changes are diffed field-by-field — quantization, architecture, training-dataset add/remove, dataset sensitivity — with high diff-costs on provenance-loss and PII-escalation signals, instead of opaque blobs. (#244)
  • Model-weight integrity & Hugging Face enrichment. New AI-010 weight-hash check, a verify model-weights --model-dir subcommand (direct + HF cache layouts), and a Hugging Face enrichment source that maps siblings[].lfs.sha256 → component hashes, pipeline_tag → task, and routes pkg:huggingface models into the vulnerability stack. (#246, #253)
  • SBOM-AIBOM-* SARIF rule family for AI-readiness findings, and TUI rendering of ML model / dataset metadata in the component-detail panel. (#207, #206)

Compliance

  • EU AI Act (Annex IV) readiness compliance level with SBOM-AIACT-* SARIF rules, N/A-gated for non-AI SBOMs and severity-escalated by the CRA high-risk-AI flag. (#245)
  • G7 / BSI "SBOM for AI — Minimum Elements" readiness — a new validate --standard bsi-ai profile that scores an AI-BOM element-by-element across the seven BSI clusters (Metadata, System-Level, Models, Datasets, Infrastructure, Security) with SBOM-BSIAI-* rules. (#255)
  • Compliance rule registry. Every violation now carries a stable rule_id; SARIF rule IDs and standard references come from a single registry instead of fragile message-text matching. (#231, #233)

Cross-format conversion

  • convert command. Re-emit any parsed SBOM to CycloneDX 1.7 or SPDX 2.3 with a fidelity report listing synthesized/dropped fields, built on an opt-in source-field preservation slot. (#241, #243, #247)

Vulnerability enrichment

  • CISA KEV and EPSS enrichment. New --kev / --epss flags surface Known-Exploited-Vulnerabilities flags and EPSS exploit-probability on vulnerabilities, with --fail-on-kev gating, KEV/EPSS columns in reports, and a watch-mode "entered KEV" alert. (#235, #237)
  • Offline / air-gapped mode + cache management. A global --offline (and SBOM_TOOLS_OFFLINE) serves enrichment purely from cache, plus a new cache status / warm / clear / export / import subcommand for sneakernet transfer. (#238)
  • Unified enrichment platform. All sources (OSV, EOL, VEX, KEV, staleness, EPSS, Hugging Face) now share one EnrichmentSource trait, an atomic-write cache with schema versioning, and a single retry/User-Agent HTTP client. (#230)

CLI & TUI

  • Global --config file is now honored by every command (it was previously read only by config show), with CLI-flag > file > default precedence. (#227)
  • Stdin input (- as a path) for diff/quality/validate/query/ vex, enabling syft … | sbom-tools quality - pipelines. (#224)
  • Typed exit codes & NDJSON output. Per-command exit codes, clap value-enums (typos fail at parse), and a wired -o ndjson format. (#226)
  • Document-metadata diffing. diff now reports author, tool, timestamp, spec-version, signature and serial-number changes. (#254)
  • AI-BOM is first-class in the TUI — detected as its own profile with AI-readiness scoring and dedicated Models / Datasets / AI-Readiness tabs, plus EPSS/KEV badges, a KEV filter, richer component detail, and a profile-aware help overlay. (#258, #257, #259, #261, #260, #223)

Bug Fixes

  • Hostile-SBOM stack-overflow fixed. Cycle detection is now iterative (Tarjan SCC); a deeply-nested dependency chain previously aborted the process (and any FFI host) via stack overflow. (#215)
  • OSV enrichment now carries severity / CVSS / description. Results from /v1/querybatch (id-only) are hydrated via /v1/vulns/{id}; previously enriched vulnerabilities had empty severity and were cached empty for 24h. (#219)
  • CycloneDX XML parsing fixed for spec-conformant documents (components, dependencies, vulnerabilities, license choice, xmlns spec version). (#214)
  • License policy correctness. fail_on_conflict now actually fails, concluded-only licenses are evaluated against the deny list, and deny-patterns match per-operand in SPDX expressions (deny "GPL-*" now catches MIT OR GPL-3.0-only). (#212)
  • Per-component license changes are populated in diffs (the field was always empty), and the Licenses TUI tab no longer falsely reports "no changes". (#211, #259)
  • Watch mode no longer fires false "resolved vulnerability" alerts on file changes (re-parsed SBOMs are now enriched before diffing). (#221)
  • Incremental diff cache no longer splices sections from an unrelated cached pair, and diff errors propagate instead of becoming "no changes". (#217)
  • Deterministic diffs. Fixed-seed MinHash and stable solver ordering make diff output reproducible above the LSH threshold (CI --fail-on-* gating). (#218)
  • Machine output is parseable again. Logs are written to stderr so -o json / -o sarif / -o ndjson on stdout is valid when piped or redirected (previously two INFO lines preceded the JSON, breaking SARIF upload and jq). (#256)
  • Multi-SBOM commands honor their flags. diff-multi/timeline/ matrix now apply --graph-*/filter/rules and can reach exit code 4, and reject unsupported -o values. (#225)
  • Output hardening. CSV formula-injection guard, terminal control-char sanitization, and a TUI panic hook that restores the terminal. (#213)
  • Enrichment entry-point consistency. enrich/watch/query now route through the unified orchestrator so --kev/--epss/ --huggingface take effect everywhere, query --offline no longer makes network calls, and the EPSS default endpoint is the official FIRST host with a response-size bound. (#249, #248, #247)
  • FFI binding parity. The AiReadiness profile is exposed in the Go / Swift wrappers with a CI drift check, and the sbom-tools-ffi crate's version/cargo publish blockers are fixed. (#216, #234)

Performance

  • Sparse assignment matching. The dense O(n²) Hungarian path (≈200 MB / effective hang on cross-format diffs) is replaced by a sparse solver over the candidate edge list. (#232)
  • In-place enrichment mutation removes a 2× component-map copy per pass, and report-stage compliance is computed lazily per reporter. (#236)
  • TUI dependency tab caches its graph and uses an iterative longest-path, eliminating a per-frame rebuild and an exponential depth calculation. (#223)

Internal & Quality

  • Compliance engine split into a StandardChecker per-standard module layout behind a registry, and the enrichment platform unified behind one trait. (#233, #230)
  • cli / tui feature gates so the FFI staticlib and fuzz targets no longer link ratatui/clap/rustls (FFI dependency tree 281 → 104 crates). (#228)
  • Test infrastructure. A ratatui TestBackend snapshot harness for the TUI, golden snapshots for all report formats (plus streaming-JSON validity fixes), graph-shaped hot-path benches, and diff/scoring property tests. (#229, #240, #242, #218)

Infrastructure

  • Dependency bumps: ratatui 0.30.0 → 0.30.1, chrono 0.4.44 → 0.4.45, regex 1.12.3 → 1.12.4, reqwest 0.13.3 → 0.13.4, serde_json 1.0.149 → 1.0.150, libfuzzer-sys 0.4.12 → 0.4.13, plus dagger-SDK-only bumps. New runtime dependency: flate2 (gzip, enrichment feature) for the EPSS bulk feed. (#251, #252, #195, #196, #222, #248)
  • GitHub Actions bumps: codeql-action → 4.36.1, cargo-deny-action → 2.0.20, actions/checkout → 6.0.3; SHA-pin hygiene + expanded Dependabot coverage; fuzz CI now installs cargo-fuzz with the nightly toolchain. (#193, #194, #199, #200, #202)
  • Total tests: 1560 (1014 lib + 546 integration), up from 1214 in v0.1.21.
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap().

Upgrade notes

These behaviors changed in this release:

  • Scoring engine 2.0 → 2.1. Cycle detection now counts strongly-connected components (actual cycles) rather than DFS back-edges, so quality scores for SBOMs with cyclic dependencies may change. (#215)
  • semantic_score now counts per-component license transitions, so diffs that change a component's license score slightly lower than before. (#211)
  • **License-policy gating ...
Read more

v0.1.21

Choose a tag to compare

@github-actions github-actions released this 23 May 20:12
Immutable release. Only release title and notes can be modified.
063fcc1

sbom-tools v0.1.21

Highlights

Focused bug-fix release. view -o json now emits the full enriched vulnerability detail (not just counts), diff semantic similarity is correctly bounded to 0–100 (previously could exceed 100% on large diffs), and CRA compliance sections in Markdown/HTML diff reports collapse to a compact summary so reports stay readable on SBOMs with hundreds of components.

Bug Fixes

  • view -o json now emits enriched vulnerability detail. The JSON view previously dropped enriched OSV/KEV data and emitted only a per-component count, even when --enrich-vulns was set. Each component now serializes the full vulnerability list (id, source, severity, CVSS, fixed_version, CWEs, KEV info, VEX status, description, dates), and the document gains a top-level vulnerabilities[] array flattened across all components. Each component and flattened entry is also tagged with dependency_kind (primary / direct / transitive). (#179, fixes #178)
  • diff semantic similarity bounded to 0–100. DiffResult::semantic_score is normalized against an SBOM-size-derived upper bound and clamped to [0, 100], fixing reports of values like 916% on heavy-churn diffs. Identical SBOMs (matching content hash) now correctly report 100.0. (#188, fixes #180)
  • Compact CRA compliance section in human-readable diff reports. Markdown and HTML diff reports previously emitted a full violation table per CRA finding, ballooning to 14k+ lines on real SBOMs. The diff path now emits a compact "N findings across M groups" summary with a pointer to -o json / -o sarif for full structured detail. Single-SBOM view reports and JSON/SARIF outputs are unchanged. (#189, fixes #181)

Infrastructure

  • Dependency bumps: quick-xml 0.39.3 → 0.40.1, clap_complete 4.6.3 → 4.6.5, tokio 1.52.2 → 1.52.3 (dagger SDK only).
  • GitHub Actions bumps: codeql-action 4.35.3 → 4.35.5, cargo-deny-action 2.0.17 → 2.0.18, crates-io-auth-action SHA-pin refresh.
  • Total tests: 1214 (787 lib + 427 integration), up from 1196 in v0.1.20.
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap().

Acknowledgments

Thanks to @MChorfa (Mohamed Chorfa) for contributing the fixes behind all three user-facing improvements in this release (#179, #188, #189), and to @cmyank0 and @VincentR-OCD for the bug reports that drove them.


Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.20...v0.1.21

v0.1.20

Choose a tag to compare

@github-actions github-actions released this 10 May 08:31
Immutable release. Only release title and notes can be modified.
5f1afaa

sbom-tools v0.1.20

Highlights

sbom-tools v0.1.20 ships end-to-end EU Cyber Resilience Act (CRA) readiness: prEN 40000-1-3 normative requirement IDs, CRA product-class & conformity-route severity calibration, Article 24 open-source software steward profile, BSI TR-03183-2 §5/§6 checks, CSAF v2.0 ingest and emit (ISO/IEC 20153:2025), and a cra-docs CLI that prefills Annex V documentation directly from the SBOM + sidecar. The release also adds CRA standards-drift detection to watch, with alerts routed through the existing AlertSink so they show up alongside SBOM file changes and vulnerability discoveries — no new daemon, no new TUI tab.

Combined with the CBOM scoring engine shipped in v0.1.19 and the existing NIS2 / GDPR / AI Act / RED overlap surfaces, sbom-tools is now the most complete open-source CRA conformity-assessment toolkit covering Articles 13/14, Article 24, and Annex I–VIII obligations.

What's New

CRA Compliance Engine (Articles 13/14, Article 24, Annexes I–VIII)

  • 5 new ComplianceLevel variants (9 → 14): Cnsa2 (NSA CNSA 2.0), NistPqc (FIPS 203/204/205 + IR 8547), BsiTr03183_2 (German national CRA-aligned guideline), CraOssSteward (Article 24 lighter profile), EuccSubstantial (Reg. (EU) 2024/482 reference profile)
  • --cra-product-class {Default|ImportantClass1|ImportantClass2|Critical} on validate, quality, view: drives Annex III/IV severity calibration, conformity-route gating (Module A / B+C / H / EUCC), vendor-hash thresholds (50/80/80/100%), and severity ramp for EOL components, DoC presence, Article 14 PSIRT readiness, and EUCC reference
  • ConformityAssessmentSummary + ConformityEvidence on ComplianceResult: per-route checklist (DoC + Module-specific evidence + PSIRT). Surfaced in markdown / HTML reports and TUI compliance view as Annex VIII: <route> (<class>) N/M evidence
  • is_oss_steward sidecar profile: SBOM + vuln-handling + CVD policy floor enforced; manufacturer email, EU DoC, module attestation, hardware [PRE-8-RQ-02], and vendor-hash carry-through skipped. Aliases: --standard oss-steward / cra-oss / cra-art24 / art24

CSAF v2.0 (ISO/IEC 20153:2025)

  • CSAF ingest in src/enrichment/vex/csaf.rs: auto-detect priority CSAF → CycloneDX VEX → OpenVEX. Maps product_status (known_affected / known_not_affected / fixed / first_fixed / under_investigation / recommended / last_affected) to VexState. Resolves product_id → PURL via full_product_names + recursive branches + relationships; CVE → ids[].text fallback for vuln ID
  • CSAF emit via new vex export --format csaf CLI: closes the round-trip — SBOM → CSAF → re-ingest preserves identical VEX states. Maps {Affected|NotAffected|Fixed|UnderInvestigation} → CSAF product status keys; CVE/GHSA dual-path on vulnerability IDs

Commands & CLI

  • cra-docs: new subcommand that generates eu-declaration-of-conformity.md (Annex V DoC), technical-documentation.md (Annex V tech-doc summary, with NIS2 / GDPR / AI Act / RED overlap section when respective sidecar flags are set), and vulnerability-handling-policy.md (Annex I Part II) — prefilled from sidecar + SBOM + ComplianceChecker. Auto-discovery extended to multi-extension stems (app.cdx.json resolves app.cra.json)
  • cra-standards-watch: new subcommand that prints a curated 8-artefact catalogue (prEN 40000-1-3, prEN 40000-1-2, BSI TR-03183-2, CSAF v2.0, ENISA SBOM Guidance, EUCC, STAN4CRA, ETSI EN 303 6xx) with last-known versions and --check-online HTTP-status probe
  • vex export --format csaf: CSAF v2.0 advisory emitter (see above)
  • watch --cra-standards (+ --cra-standards-interval=24h, --cra-standards-timeout=10s): periodically probe the CRA standards catalogue from the watch loop and surface drift through existing alert sinks

Watch & AlertSink

  • AlertSink::on_cra_standard (default no-op trait method): carries CraStandardEvent with InitialBaseline / StatusChanged kinds — keeps the trait extensible without churning third-party sinks
  • Stdout sink: timestamped human-readable line per drift ([12:34:56] cra-standard BSI-TR-03183-2: status drift 200 OK -> 503 Service Unavailable)
  • NDJSON sink: structured {"type":"cra_standard","kind":"status_changed",...} records for SIEM/jq pipelines
  • Webhook sink: deliberately stays at the trait default — drift signals are low-value to spam to webhooks

Reporting & SARIF

  • SARIF helpUri populated on rules, plus results.standardHelpUris, drawn from canonical EUR-Lex / BSI / NIST / OASIS URLs. New StandardKind::canonical_help_uri() and SarifRuleWithUri serialization wrapper
  • docs/CRA_COMPLIANCE.md reverse-mapping table covering CRA Articles 13/14, all Annexes, Article 24, BSI TR-03183-2, CSAF v2.0, the P3.2 calibration table, a CLI cheat sheet, a sidecar example, and a standards bibliography. Linked from README

TUI

  • New policy presets: EuccSubstantial, CraOssSteward (alongside the existing Cra / Ntia / Fda / NistSsdf / Eo14028)
  • Conformity-assessment summary rendered on the compliance view per active product class
  • Sidecar plumbing so CRA-specific scoring + class-aware severities reach the TUI without round-tripping through CLI

Compliance Levels — Now 14

Up from 9 in v0.1.19: Minimum, Standard, NtiaMinimum, CraPhase1, CraPhase2, FdaMedicalDevice, NistSsdf, Eo14028, Cnsa2, NistPqc, BsiTr03183_2, CraOssSteward, EuccSubstantial, Comprehensive. ComplianceLevel::all() auto-reflects every variant into the TUI compliance tabs.

Bug Fixes

  • cra-docs section numbering: Annex V tech-doc previously emitted duplicate 5.x headings when the NIS2 / GDPR / AI Act / RED overlap section was active — now correctly renumbers
  • TUI sidecar plumbing: compliance view no longer dropped CRA-specific severities when the sidecar was loaded from disk (audit-fix landed alongside P5 polish)
  • clippy 1.88 cleanup: uninlined_format_args and derivable_impls in CSAF/CRA paths

Infrastructure

  • 24 new CRA-product-class tests (tests/cra_product_class_tests.rs)
  • 12 new OSS-steward tests (tests/cra_oss_steward_tests.rs)
  • 9 new conformity-assessment-summary tests + 8 new SARIF-helpUri tests + 9 new CSAF tests + 7 cra-docs integration + golden CRA fixtures (compliant + 2 non-compliant variants)
  • Total tests: 1196 (787 lib + 409 integration), up from ~802 in v0.1.19
  • Dependabot bumps: clap_complete 4.6.2 → 4.6.3, reqwest 0.13.2 → 0.13.3, quick-xml 0.39.2 → 0.39.3, dagger-sdk 0.20.4 → 0.20.8 (rust-sdk), tokio 1.51.1 → 1.52.2 (rust-sdk), indexmap 2.13.1 → 2.14.0, clap 4.6.0 → 4.6.1
  • Security fixes: rand, rustls-webpki (PR #145, PR #156)
  • GitHub Actions bumps: crates-io-auth-action, codeql-action 4.35.2 → 4.35.3, cosign-installer 4.1.1 → 4.1.2, cargo-deny-action 2.0.15 → 2.0.17, upload-artifact 7.0.0 → 7.0.1
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap()

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.19...v0.1.20

v0.1.19

Choose a tag to compare

@github-actions github-actions released this 10 Apr 23:12
Immutable release. Only release title and notes can be modified.
057fa6b

Highlights

sbom-tools now includes a full CBOM (Cryptographic Bill of Materials) quality scoring engine — the first open-source CLI tool to grade cryptographic inventory health alongside traditional SBOM quality. CBOMs receive crypto-specific scores across 8 categories: algorithm strength, PQC readiness, OID coverage, crypto completeness, key/certificate lifecycle, cross-reference resolution, provenance, and licenses. Hard caps enforce grade ceilings for broken cryptography (D max), compromised keys (C max), and zero post-quantum migration (C max).

Combined with the CBOM architecture shipped in v0.1.18 (CycloneDX 1.6/1.7 cryptoProperties parsing, CNSA 2.0 + NIST PQC compliance, 5 dedicated TUI tabs), sbom-tools now provides end-to-end CBOM lifecycle support — from parsing to scoring to interactive analysis to compliance reporting.

What's New

CBOM Quality Scoring Engine

  • ScoringProfile::Cbom: New 8-category scoring profile with crypto-tuned weights — Algorithm Strength (0.22), PQC Readiness (0.15), Crypto Completeness (0.15), OID Coverage (0.15), Crypto Lifecycle (0.13), Cross-References (0.10), Provenance (0.08), Licenses (0.02)
  • 12 granular metrics: algorithms_with_oid, algorithms_with_family, algorithms_with_primitive, algorithms_with_security_level, certs_with_signature_algo_ref, keys_with_algorithm_ref, protocols_with_cipher_suites, keys_with_state, keys_with_protection, keys_with_lifecycle_dates, certs_with_validity_dates
  • 6 per-category scoring methods: Each computes a 0-100 score from real field coverage (no proxies) — completeness measures family/primitive/level coverage, identifiers measure OID presence, lifecycle blends key state/protection/dates with certificate validity
  • Hard caps for critical crypto issues: Broken algorithms (MD5, DES, RC4) → D max; compromised keys → C max; zero quantum-safe algorithms → C max
  • Auto-detection: BomProfile::detect() triggers CBOM scoring when ≥3 crypto components make up >50% of the BOM — works in both view and diff modes

Commands & CLI

  • quality --profile cbom: Evaluate CBOM quality from the command line with crypto-specific grades and recommendations
  • Diff mode awareness: Both old and new SBOMs auto-detect CBOM profile, each scored with the appropriate engine

TUI

  • Dynamic quality chart: Bar labels switch to Crpt/OIDs/Algo/Refs/Life/PQC/Prov/Lic in CBOM mode; header shows crypto category names for strongest/weakest
  • Crypto Inventory panel: Asset counts, quantum readiness %, and warning flags for weak algorithms, compromised keys, and expired certificates
  • P key toggle: Runtime SBOM/CBOM switch — re-scores with the selected profile
  • Algorithm sorting (s key): Cycle Name → Family → Quantum Level → Strength (weak-first triage)
  • Certificate sort by urgency: Auto-sorted by days remaining (expired first)
  • Algorithm detail: Now shows Padding, Execution Environment, Implementation Platform

Bug Fixes

  • CBOM tab selection: Arrow keys now correctly move selection on all crypto tabs (Algorithms, Certificates, Keys, Protocols) — detail panel was stuck on the first item due to reading a legacy shared index instead of per-tab selection
  • Diff mode scoring: Both SBOMs now auto-detect profile instead of hardcoding Standard

Infrastructure

  • 15 new CBOM unit tests (scoring methods, hard caps, edge cases)
  • Bump indexmap 2.13.1, semver 1.0.28, dagger-sdk 0.20.4
  • Bump GitHub Actions: crates-io-auth-action, setup-go 6.4.0

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.18...v0.1.19

v0.1.18

Choose a tag to compare

@github-actions github-actions released this 31 Mar 09:27
Immutable release. Only release title and notes can be modified.
6f2fbc9

Highlights

This release delivers a comprehensive diff engine upgrade with enrichment support for all multi-SBOM commands, a complete TUI overhaul across all 10 tabs, and introduces Go and Swift bindings for the core SBOM operations.

What's New

Diff Engine

  • Multi-SBOM enrichment: diff-multi, timeline, and matrix commands now support --enrich-vulns, --enrich-eol, and --vex (previously only diff had enrichment)
  • Pre-release version handling: New SemverParts struct properly distinguishes 1.2.3-alpha from 1.2.3 with pre-release penalty in matching scores
  • Quality delta tracking: QualityDelta in diff results shows per-category score changes, grade transitions, regressions, and improvements across all 8 quality categories
  • VEX state transitions: VexStatusChange detects when persistent vulnerabilities change VEX state between SBOMs (e.g., NotAffected → Affected)
  • Match quality metrics: MatchMetrics records exact/fuzzy/rule match counts, unmatched components, and confidence scores
  • True incremental diff: Section-selective recomputation skips unchanged sections when cache detects partial changes (30–70% speedup for partial SBOM updates)

TUI — Summary Tab

  • Redesigned layout: Merged Risk Assessment + Key Findings into a single compact card with natural-language insights
  • Key Findings section: Prioritized action items — critical vulns, major version bumps, license conflicts, quality regressions, added/removed summaries
  • SBOM Comparison table: Old vs New delta table showing component, dependency, license, and vulnerability counts
  • All Changes list: Full scrollable list sorted by semver impact (MAJOR first) with inline version transitions
  • "Not enriched" warning: Vulnerability card shows hint when enrichment wasn't used

TUI — Quality Tab

  • Compact gauge header: Score transition in title with text gauge bars (replaces heavy bordered gauges)
  • Category bar chart: Sorted by score with colored bars, warning badges (⚠ low, ✗ zero), and delta arrows
  • Linked recommendations: Each action shows its target category; Enter navigates to the related tab

TUI — Compliance Tab

  • Compact header: 3-line card replacing 7-line side-by-side gauges with New/Resolved counts
  • Violation grouping: g key groups violations by component with expand/collapse
  • Short tab labels: Min/Std/NTIA/CRA-1/CRA-2/FDA/SSDF/EO14028/Full — all fit on screen
  • Rich empty states: When Resolved/New views are empty, shows top issues to fix and category breakdowns
  • View cycle: Changed from Tab (conflicted with global tab switching) to v

TUI — Diff (Side-by-Side) Tab

  • Unified upgrade view: New Unified mode (a key) matches removed+added by name to show version upgrades
  • Semver classification: MAJOR/minor/patch/DOWNGRADE badges sorted by impact
  • Full-width single panel: Replaces split view for clearer upgrade visualization

TUI — Dependencies Tab

  • Sort order works (s key): Roots sort by Name, Depth, Vulnerability count, or Dependent count — previously displayed but never applied
  • Transitive toggle works (t key): Filters to direct deps only (depth 0–1) when off — previously displayed but had no effect
  • Relationship badges: Child nodes show [dev]/[build]/[test]/[opt] for non-default dependency types; detail panel shows Relationship and Scope fields
  • Child count breakdown: Root nodes show color-coded (+4 -3) instead of plain (7)
  • Vulnerability section in detail panel: Up to 5 CVEs with severity coloring, status (introduced/resolved/persistent), and KEV badge
  • Detail panel scrolling: Ctrl+d/Ctrl+u scrolls long content; resets on navigation
  • Compact 2-line header: Removed redundant key-hint line (saves 1 row), color-only toggle states, +N/-M change summary, Expanded: N/M progress, full words for alerts
  • Depth badges: D0/D1/D2 indicators on tree nodes showing direct vs transitive
  • Enriched detail panel: Licenses, hashes, supplier, dependency/dependent lists with shared renderer

TUI — Source Tab

  • Change gutter: +/-/~ column next to line numbers colored by change type
  • Change summary bar: Horizontal minimap showing change distribution across the file
  • Difftastic-style rendering: Changed lines bold+colored, unchanged lines keep syntax highlighting
  • Bold line numbers: Line numbers colored on changed lines for visual emphasis
  • Inline version diff: Modified components show lodash 4.17.20 → 4.17.21 when collapsed
  • Collapse unchanged (u): Folds unchanged regions into ··· N unchanged items ···
  • Aligned diff panels (a): Gap ····· placeholders for added/removed components

TUI — Cross-Tab

  • Consistent detail panels: Shared render_component_info_lines() for Components and Dependencies
  • Cross-tab navigation: License→Components, Violation→Component, Component→Dependencies with breadcrumbs
  • Regex search: Ctrl+R toggles substring/regex mode with error feedback
  • Footer hints: Added to Compliance, Source, Vulnerabilities, Dependencies tabs
  • SBOM version in header: Shows name@version from primary component

CLI

  • Enrichment arg deduplication: SharedEnrichmentArgs with #[command(flatten)] across all 8 enrichment-capable commands
  • Bug fixes: --no-color and --export-template forwarded to multi-SBOM commands; --fail-on-vuln exit codes for timeline/matrix
  • Output flag alignment: license-check and verify audit-hashes migrated from -f to -o with backwards-compat aliases
  • Feature gaps filled: --fail-on-change, --exclude-vex-resolved, --fail-on-vex-gap, --graph-max-depth for multi-SBOM commands
  • Comprehensive help: 24 top-level examples in 9 categories, per-subcommand examples on 13 of 15 commands

Go and Swift Bindings (MVP)

  • C ABI layer: Format detection, parsing, diffing, and quality scoring via JSON-based ABI
  • Go wrapper: sbomtools.ParsePath(), Diff(), Score() with typed payloads and dedup helpers
  • Swift wrapper: SbomTools.parsePath(), diff(), score() with Codable payloads and dedup helpers
  • ABI contract snapshots: Schema conformance tests ensure stability across releases

Thanks to @MChorfa for contributing the Go and Swift bindings!

Bug Fixes

  • Dependencies crash: Footer copy-preview panicked on multi-byte in dependency edge text (&text[..27] on non-char-boundary) — replaced with MSRV-compatible floor_char_boundary() across 10 slicing sites
  • Dependencies search OOB: next_match/prev_match could index past visible_nodes when selected was desynchronized — added bounds clamping
  • Dependencies detail panel: Fixed "No node selected" (visible_nodes not populated in prepare_render); fixed duplicate "Name:" line showing canonical ID
  • Quality navigation: Fixed arrow keys not working (total_recommendations never set)
  • Compliance Tab key conflict: View cycle changed from Tab to v (was captured by global tab switching)
  • Matching asymmetry: Proptest found alias-lookup asymmetry for short names — excluded from test generator

Infrastructure

  • Bump sha2 0.10→0.11, proptest 1.10→1.11, clap_mangen 0.2→0.3, tempfile 3.25→3.27
  • Bump GitHub Actions: codeql-action 4.35.1, setup-go 6.3.0, cosign-installer 4.1.1
  • Dagger Rust SDK runner for bindings CI/CD

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.17...v0.1.18

v0.1.17

Choose a tag to compare

@github-actions github-actions released this 21 Mar 20:21
Immutable release. Only release title and notes can be modified.
207c562

Highlights

This release hardens the release pipeline against tag poisoning attacks (like the recent Trivy incident), significantly improves the Source tab experience in the TUI, and fixes a severity badge bug that could underreport vulnerability severity.

What's New

TUI

  • Source tab overhaul: Fix flickering by hoisting state mutations out of the render path
  • Raw view breadcrumb: Show JSON path context at the top of the raw view
  • Compact tree mode (C key): Narrower connectors save ~30% horizontal space at depth 4+
  • Sticky scope header: Opening bracket line pins to the top when scrolled off-screen
  • Active scope indent guide: Single dashed in accent color replaces cluttered multi-level guides
  • Dependency bom-ref resolution: UUIDs in Source tab dependencies section now show component names (e.g., gcc@12.2.0 → 3 deps)
  • Dependency context in SBOM Map panel: Right panel shows resolved component name, dep count, vulnerabilities, and license instead of generic SBOM stats
  • Smart path truncation: Long file path labels show …/basename instead of truncating mid-path
  • Cleaner link indicators: Remove noisy symbols and skip redundant labels on expandable objects
  • Severity badge spacing: Add space between badge and count in dependency tree ([L] 6 vs [L]6)

Security

  • Tag poisoning hardening: Ancestry checks on build-binaries and update-homebrew jobs reject commits not on main
  • Immutable Homebrew URLs: Formula source pinned to commit SHA instead of mutable tag ref
  • Signed release manifests: Sigstore-signed release-manifest.sha256 for release asset tamper detection
  • Daily tag integrity workflow: Verifies all release tags are on main and release asset checksums match signed manifests
  • Tag protection ruleset: Tags are protected against force-push and deletion
  • Homebrew tap protection: Branch and tag rulesets on sbom-tool/homebrew-tap
  • Artifact verification docs: SECURITY.md now documents gh attestation verify, cosign verify-blob, and SHA256 verification

Bug Fixes

  • Severity badge underreporting: max_severity_from_vulns() now derives severity from CVSS base scores when the categorical severity field is None, fixing cases where badges showed [L] despite high CVSS scores

Infrastructure

  • Collapse 47 nested if statements into let-chains (0 clippy warnings)
  • Fix RUSTSEC-2026-0044, RUSTSEC-2026-0048, RUSTSEC-2026-0049 (aws-lc-sys 0.39.0, rustls-webpki 0.103.10)
  • Bump clap 4.6.0, clap_complete 4.6.0, clap_mangen 0.2.33, tracing-subscriber 0.3.23
  • Bump GitHub Actions: codeql-action 4.33.0, rust-cache 2.9.1, crates-io-auth-action

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.16...v0.1.17

v0.1.16

Choose a tag to compare

@github-actions github-actions released this 17 Mar 08:44
Immutable release. Only release title and notes can be modified.
837b3da

Highlights

Major format expansion with CycloneDX 1.7 and SPDX 3.0 support, three new CLI commands (enrich, verify, license-check), VEX integration for vulnerability exception tracking, and a comprehensive TUI overhaul with ViewState architecture, RenderContext, and dozens of UX improvements. Releases now include pre-built binaries for 5 platforms with Sigstore signing, build attestations, and Homebrew tap distribution.

What's New

Format Support

  • CycloneDX 1.7 — full parser, model, quality scoring, and compliance support
  • SPDX 3.0 — JSON-LD parser, Security profile (VEX/CVSS), Snippet, Annotation, Lifecycle, multi-document, streaming optimization
  • CycloneDX 1.7 enrichment — structured citations support

New Commands

  • enrich — enrich SBOMs with vulnerability data (OSV/KEV), EOL detection, and VEX statements
  • verify — file hash verification (SHA-256/512) and component hash auditing
  • license-check — license policy engine with allow/deny/review lists and propagation analysis
  • vex — apply, filter, and report on VEX statements; CycloneDX VEX document parsing; coverage summary with --fail-on-vex-gap

TUI

  • ViewState architecture — single source of truth for all 10 tab states (Phases 1-6)
  • RenderContext — read-only render abstraction eliminating render-time mutation
  • Document Info panel — metadata overview in header area
  • Export dialog — export current view to file
  • Component overview — quick summary of component counts and types
  • Quality tab — improved chart rendering, integrity/provenance panels
  • Compliance tab — severity filter (f key), better gap visualization
  • Dependencies tab — graph cache improvements, visual polish
  • Source tab — cross-tab navigation, SBOM Map alignment, raw mode parity, focus panel fix
  • UI consistency — footer hints, keyboard shortcut alignment, visual refinements across all tabs

Distribution

  • Homebrewbrew install sbom-tool/tap/sbom-tools
  • Pre-built binaries — 5 platforms (linux x86_64/aarch64, macOS x86_64/aarch64, Windows x86_64)
  • Sigstore signing — keyless signatures on all release archives
  • GitHub build attestations — per-binary provenance
  • Dual-format SBOMs — CycloneDX 1.6 + SPDX 2.3 included in release assets
  • GitHub Actionsbom-tool/sbom-tools-action for CI/CD integration

VEX Integration

  • VEX subcommand with apply/status/filter operations
  • CycloneDX VEX document parsing
  • Multiple VEX responses per vulnerability
  • Persistent gap tracking across diff operations
  • Coverage summary and --fail-on-vex-gap CI gate

Bug Fixes

  • Fixed 7 high-severity dependency vulnerabilities (aws-lc-sys, quinn-proto)
  • Fixed focus panel not resetting when switching tabs
  • Fixed cross-compilation targets in release pipeline (rust-toolchain.toml override)

Infrastructure

  • Friendly archive names (linux-x86_64, macos-aarch64, etc.) replacing Rust target triples
  • Combined checksums.sha256 file (was 5 separate files)
  • Idempotent cargo publish for pipeline re-runs
  • Improved proptest parser fuzz tests
  • Dependency updates: pathfinding, rust-cache, codeql-action, upload/download-artifact

Install: cargo install sbom-tools or brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.14...v0.1.16

v0.1.14

Choose a tag to compare

@github-actions github-actions released this 28 Feb 07:25
Immutable release. Only release title and notes can be modified.
0e0c197

Highlights

Source Tab v2 brings 12 new interactive features for exploring SBOM source data. Graph-aware diffing gets major correctness and feature improvements. The entire release pipeline is now fully automated with Trusted Publishing, SLSA L3 provenance, and signed tags.

What's New

TUI

  • Source Tab v2 — 12 new features:
    • Mouse click/scroll support in both diff and view modes
    • XML syntax highlighting for raw SBOM source
    • Line numbers toggle (I) and word wrap toggle (W)
    • Status bar with position and percentage
    • Diff change navigation (n/N) — jump between added/removed/modified nodes
    • Copy JSON path to clipboard (c)
    • Export source content to file (E)
    • Regex search mode (Ctrl+R during search)
    • Bookmarks (m to toggle, ' to cycle)
    • Tree filter by value type (f) and sort by key (S)
    • Detail panel in diff mode (d)
  • Components and Dependencies tabs: visual polish, clipboard support, auto-expand roots

Quality & Compliance

  • Software complexity index in quality metrics

Security

  • Signed git tags (SSH ed25519)
  • SLSA Build Level 3 provenance on GitHub Releases (.intoto.jsonl)
  • Trusted Publishing (OIDC) for crates.io — no long-lived API tokens
  • OSV scanner config to suppress false positives from SBOM test fixtures
  • Branch protection hardened (required review thread resolution)

Bug Fixes

  • Fixed UTF-8 panics in Source tab when viewing binary-like content
  • Fixed vulnerability score inflating quality rating when no vuln data exists
  • Fixed CI concurrency: only cancel in-progress on PRs, not main pushes

Infrastructure

  • GitHub Releases with auto-generated notes and SLSA provenance attached
  • PR-based release script compatible with branch protection
  • Community docs: CODE_OF_CONDUCT, CONTRIBUTING, GOVERNANCE, ARCHITECTURE
  • OpenSSF Scorecard improvements (Signed-Releases check fixed)
  • Dependency updates: anyhow, quick-xml, chrono, spdx, ctrlc

Install: cargo install sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.10...v0.1.14

v0.1.13

Choose a tag to compare

@github-actions github-actions released this 28 Feb 06:58
Immutable release. Only release title and notes can be modified.
390d84f

What's Changed

Full Changelog: v0.1.12...v0.1.13

v0.1.11

Choose a tag to compare

@matrosov matrosov released this 27 Feb 23:41
Immutable release. Only release title and notes can be modified.
5d808d0

Highlights

  • Source Tab v2 — 12 new interactive features for SBOM source exploration
  • Graph-Aware Diffing — Major correctness and feature improvements
  • Supply Chain Security — Signed releases, SLSA L3 provenance, OpenSSF hardening
  • Community Docs — CODE_OF_CONDUCT, CONTRIBUTING, GOVERNANCE, ARCHITECTURE

What's New

Interactive TUI

  • Mouse click/scroll support in Source tab (both diff and view modes)
  • XML syntax highlighting for raw SBOM source
  • Line numbers toggle (I) and word wrap toggle (W)
  • Status bar with position/percentage
  • Diff change navigation (n/N) — jump between added/removed/modified nodes
  • Copy JSON path to clipboard (c)
  • Export source content to file (E)
  • Regex search mode (Ctrl+R during search)
  • Bookmarks (m to toggle, ' to cycle)
  • Tree filter by value type (f) and sort by key (S)
  • Detail panel in diff mode (d)

Graph Diffing

  • Fixed component ID normalization for cross-format matching
  • Proper EdgeKey with sorted endpoints for undirected graph support
  • Content-based graph hashing (xxh3) for structural comparison
  • Reparenting detection and cyclic dependency depth limits
  • Graph section in JSON, Markdown, HTML, CSV, and summary reports
  • Multi-SBOM graph support in diff-multi command
  • --graph-diff-only and --graph-depth CLI options

Quality & Compliance

  • Software complexity index in quality metrics

Security & Infrastructure

  • Signed git tags (SSH ed25519)
  • SLSA Build Level 3 provenance on GitHub Releases
  • GitHub Releases with auto-generated notes
  • OSV scanner config to suppress SBOM fixture false positives
  • Branch protection tightened (required review thread resolution)
  • OpenSSF Scorecard improvements (Signed-Releases check fixed)

Community

  • CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
  • CONTRIBUTING.md (development guide with DCO)
  • GOVERNANCE.md (BDFL model, access continuity)
  • ARCHITECTURE.md (module structure, data flow, design decisions)
  • SECURITY.md updated with coordinated disclosure policy

Bug Fixes

  • Fixed UTF-8 panics in Source tab when viewing binary-like content
  • Fixed rustfmt formatting in source tab files

Install

cargo install sbom-tools

Full Changelog: v0.1.10...v0.1.11