What's Changed

Breaking Changes 🛠

• Prefer package name and version from the hint path for csproj parsing by @prabhu in #2158
• Goodbye validate-iri by @prabhu in #2182

🤖 AI-assisted Changes

• cdx1 retune by @prabhu in #2149
• [server] Improved server params validation to allow null values by @prabhu in #2155
• Goodbye jest. Hey, poku. by @prabhu in #2181

🧠 Machine-Learning Changes

• gpt-5 benchmark by @prabhu in #2146
• cdx1-mini by @prabhu in #2148
• cdx1-nano dev testing release by @prabhu in #2152

🧪 Testing

• [testing] Really run dotnetutils tests by @prabhu in #2179

📦 Dependency Updates

• chore(deps): update github/codeql-action action to v3.29.7 by @renovate[bot] in #2145
• chore(deps): update github/codeql-action action to v3.29.8 by @renovate[bot] in #2150
• chore(deps): update actions/checkout action to v5 by @renovate[bot] in #2164
• chore(deps): update ruby/setup-ruby action to v1.255.0 by @renovate[bot] in #2168
• chore(deps): update github/codeql-action action to v3.29.9 by @renovate[bot] in #2169
• chore(deps): update sbt/setup-sbt action to v1.1.12 by @renovate[bot] in #2170
• chore(deps): update dependency go to 1.25 by @renovate[bot] in #2171
• chore(deps): update node.js to v24.6.0 by @renovate[bot] in #2177

Other Changes

• sponsors update by @bandhan-majumder in #2154
• feat: log cdxgen version on server startup by @setchy in #2160
• fix: dont log mvn dependency:tree args by @setchy in #2161
• Make parseNuspecData have a consistent return type by @jdalton in #2165
• Add missing retMap?.pkgList?.length guard by @jdalton in #2166
• Fix validate-iri hanging on malformed percent-encoding by @streichsbaer in #2175
• [build] Changed image builds to make use of Nexus on self-hosted runs. by @malice00 in #2153

New Contributors

• @streichsbaer made their first contribution in #2175

Full Changelog: v11.5.0...v11.6.0

What's Changed

Breaking Changes 🛠

• Remove container purl hacks by @prabhu in #2084
• [security] Do not log any args by @prabhu in #2123

🤖 AI-assisted Changes

• Improved query params extraction in server mode by @prabhu in #2118

🧠 Machine-Learning Changes

• Detailed fine-tuning docs by @prabhu in #2116
• cdx1-pro by @prabhu in #2133
• cdx1 8-bit xBOMEval tests by @prabhu in #2137
• cdx1 safety tests by @prabhu in #2142
• cdx1 jailbreak tests by @prabhu in #2144

📦 Dependency Updates

• chore(deps): update ruby/setup-ruby action to v1.246.0 by @renovate[bot] in #2072
• chore(deps): update ruby/setup-ruby action to v1.247.0 by @renovate[bot] in #2077
• chore(deps): update dependency @biomejs/biome to v2.1.2 by @renovate[bot] in #2079
• chore(deps): update dependency compression to v1.8.1 by @renovate[bot] in #2080
• chore(deps): update github/codeql-action action to v3.29.3 by @renovate[bot] in #2096
• chore(deps): update ruby/setup-ruby action to v1.248.0 by @renovate[bot] in #2097
• chore(deps): update github/codeql-action action to v3.29.4 by @renovate[bot] in #2099
• chore(deps): update ruby/setup-ruby action to v1.249.0 by @renovate[bot] in #2100
• chore(deps): update dependency cacache to v20 by @renovate[bot] in #2101
• chore(deps): update dependency make-fetch-happen to v15 by @renovate[bot] in #2102
• chore(deps): update cachix/install-nix-action action to v31.5.2 by @renovate[bot] in #2112
• chore(deps): update ruby/setup-ruby action to v1.251.0 by @renovate[bot] in #2111
• chore(deps): update ruby/setup-ruby action to v1.253.0 by @renovate[bot] in #2115
• chore(deps): update ruby/setup-ruby action to v1.253.0 by @renovate[bot] in #2119
• chore(deps): update dependency @biomejs/biome to v2.1.3 by @renovate[bot] in #2127
• chore(deps): update github/codeql-action action to v3.29.5 by @renovate[bot] in #2128
• chore(deps): update ruby/setup-ruby action to v1.254.0 by @renovate[bot] in #2129
• chore(deps): update docker/metadata-action action to v5.8.0 by @renovate[bot] in #2136
• chore(deps): update docker/login-action action to v3.5.0 by @renovate[bot] in #2143

💳 Sponsored Work

• Update atom to 2.2.7 to get Ruby 3.4.5 support by @prabhu in #2117

Other Changes

• bugfix(cli): parse requirements.txt first and map packages to technique by @omriyoffe-panw in #2030
• fix: adding require-dev to rootRequires in parseComposerJson by @lirshindalman in #2064
• windows device names check by @prabhu in #2068
• Fix git clone argument order when branch is specified by @amuravski in #2071
• [devenv] Downgraded node to v22 because the regression of v24 is now also in the nix repos by @malice00 in #2076
• Fix: Enhance root dependency detection for requirements.txt by @OfekShimko in #2031
• Added information about runtime Node in 'version' output by @malice00 in #2075
• JS-implementation of getting runtime + version by @malice00 in #2081
• [python] re-work manifest-analysis tracker by @prabhu in #2083
• Collect node bundled components in formulation by @prabhu in #2087
• fix(go): prioritize root modules by directory depth in multimodule projects by @ivanasabi in #2090
• Improved server validations by @prabhu in #2093
• Testing Node.js nightly builds by @malice00 in #2098
• [build] Added a setup for a fixed version of node by @malice00 in #2110
• #2044: Change logic for Conan.lock handling by @valeriigamaley in #2091
• [build] Better musl-binary builds by @malice00 in #2092
• Support for include regex by @prabhu in #2120
• fix: do not log docker opts by @setchy in #2125
• Updated Node.js to 24.5.0 / 24 to see if the OoM still occurs by @malice00 in #2126
• [feat] Added nix flake support by @youhaveme9 in #2138
• [pnpm] Improve metadata collection with node_modules parsing by @youhaveme9 in #2139

New Contributors

• @omriyoffe-panw made their first contribution in #2030
• @lirshindalman made their first contribution in #2064
• @OfekShimko made their first contribution in #2031
• @valeriigamaley made their first contribution in #2091

Full Changelog: v11.4.4...v11.5.0

What's Changed

📦 Dependency Updates

• chore(deps): update github/codeql-action action to v3.29.2 by @renovate[bot] in #2024
• chore(deps): pin addnab/docker-run-action action to 4f65fab by @renovate[bot] in #2041
• chore(deps): pin addnab/docker-run-action action to 4f65fab by @renovate[bot] in #2043
• chore(deps): update cachix/install-nix-action action to v31.5.0 by @renovate[bot] in #2053
• chore(deps): update cachix/install-nix-action action to v31.5.1 by @renovate[bot] in #2062

💳 Sponsored Work

• Fix: Set version correctly for dotnet cpm directory packages by @prabhu in #2046

Other Changes

• Update cdx-proto and bufbuild by @prabhu in #2026
• macos sea binary by @prabhu in #2027
• [build] Do not load docker image into local registry, export a tarball instead by @malice00 in #2028
• [build] Fixed issues with building/uploading musl-arm64 binary by @malice00 in #2029
• [build] PRs can't be cloned directly, they need special handling by @malice00 in #2034
• Revert "chore(deps): update dependency strip-json-comments to v5" by @malice00 in #2035
• [build] Only run build in container by @malice00 in #2038
• Use package version when fetching info from PyPI API for Python components by @evgovch-tf in #2033
• config(renovate): custom package rule for actions without semver available by @setchy in #2040
• Use pnpmLockObj.pkgList array for addEvidenceForImport #2021 by @gkumarcertinia in #2032
• [build] Simplified and merged the binary builds by @malice00 in #2042
• [build] Lowered some versions for OSes for wider compatibility of the binaries by @malice00 in #2050
• [build] Fixed regression with node v24.4.0 by @malice00 in #2054
• Check license_expression in PyPI response by @evgovch-tf in #2047
• [build] Pin node v24 to v24.3 because of a regression by @malice00 in #2055
• [build] Added a parameter to control tagging images as 'latest' by @malice00 in #2057
• [build] Repository for debian 10 is no longer available by @malice00 in #2059
• [build] Removed building of 'evinse' on deno by @malice00 in #2063
• default to npm when lock file is missing by @sebbalv in #2061

New Contributors

• @evgovch-tf made their first contribution in #2033
• @gkumarcertinia made their first contribution in #2032
• @sebbalv made their first contribution in #2061

Full Changelog: v11.4.3...v11.4.4

Re-release of v11.4.2 because of incomplete release

What's Changed

🧪 Testing

• Add test for boolean values by @bandhan-majumder in #2015

📦 Dependency Updates

• feat: biomejs 2 migration by @setchy in #1874
• chore(deps): update docker/build-push-action action to v6 by @renovate in #1888
• chore(deps): pin dependencies by @renovate in #1898
• chore(deps): pin sbt/setup-sbt action to 69a46ab by @renovate in #1916
• chore(deps): update cachix/cachix-action action to v16 by @renovate in #1913
• chore(deps): update cachix/install-nix-action action to v31 by @renovate in #1914
• chore(deps): update oven-sh/setup-bun action to v2 by @renovate in #1917
• chore(deps): update actions/checkout action to v4.2.2 by @renovate in #1927
• chore(deps): update actions/setup-node action to v4.4.0 by @renovate in #1930
• chore(deps): update actions/setup-java action to v4.7.1 by @renovate in #1929
• chore(deps): update actions/setup-go action to v5.5.0 - autoclosed by @renovate in #1928
• chore(deps): update oven-sh/setup-bun action to v2.0.2 by @renovate in #1925
• chore(deps): update docker/metadata-action action to v5.7.0 by @renovate in #1939
• chore(deps): update github/codeql-action action to v3.29.0 by @renovate in #1942
• chore(deps): update docker/setup-qemu-action action to v3.6.0 by @renovate in #1941
• chore(deps): update docker/setup-buildx-action action to v3.11.1 by @renovate in #1940
• chore(deps): update cachix/install-nix-action action to v31.4.0 by @renovate in #1934
• chore(deps): update docker/build-push-action action to v6.18.0 by @renovate in #1937
• chore(deps): update docker/login-action action to v3.4.0 by @renovate in #1938
• chore(deps): update android-actions/setup-android action to v3.2.2 by @renovate in #1933
• chore(deps): update actions/setup-python action to v5.6.0 by @renovate in #1931
• chore(deps): update actions/upload-artifact action to v4.6.2 by @renovate in #1932
• chore(deps): update coursier/cache-action action to v6.4.7 by @renovate in #1935
• chore(deps): update coursier/setup-action action to v1.3.9 by @renovate in #1936
• chore(deps): update denoland/setup-deno action to v2.0.3 by @renovate in #1924
• chore(deps): update softprops/action-gh-release action to v2.3.2 by @renovate in #1947
• chore(deps): update int128/docker-manifest-create-action action to v2.8.0 by @renovate in #1943
• chore(deps): update pnpm/action-setup action to v4.1.0 by @renovate in #1945
• chore(deps): update oras-project/setup-oras action to v1.2.3 by @renovate in #1944
• chore(deps): update ruby/setup-ruby action to v1.245.0 by @renovate in #1946
• chore(deps): update dependency @biomejs/biome to v2.0.4 by @renovate in #1948
• chore(deps): update pnpm to v10.12.2 by @renovate in #1968
• chore(deps): update endbug/add-and-commit action to v9.1.4 by @renovate in #1976
• chore(deps): update dependency @biomejs/biome to v2.0.5 by @renovate in #1975
• chore(deps): update pnpm to v10.12.3 by @renovate in #1980
• chore(deps): update dependency strip-json-comments to v5 by @renovate in #1988
• chore(deps): update mshick/add-pr-comment action to v2.8.2 by @renovate in #1995
• chore(deps): update dependency pacote to v21 by @renovate in #1985
• chore(deps): update dependency node-gyp to v11 by @renovate in #1984
• chore(deps): update sbt/setup-sbt action to v1.1.10 by @renovate in #1986
• chore(deps): update cachix/install-nix-action action to v31.4.1 by @renovate in #2003
• chore(deps): update sbt/setup-sbt action to v1.1.11 by @renovate in #2004
• chore(deps): update pnpm to v10.12.4 by @renovate in #2008
• chore(deps): update github/codeql-action action to v3.29.1 by @renovate in #2011
• chore(deps): update dependency @biomejs/biome to v2.0.6 by @renovate in #2010

💳 Sponsored Work

• Track optional deps in ruby by @prabhu in #1899

Other Changes

• Move containers and containers-secure back to github-hosted by @prabhu in #1871
• Add script for checking docker image existence by @bandhan-majumder in #1872
• chore: bump nvmrc version by @setchy in #1875
• Restrict the type of values that can be posted by @prabhu in #1879
• chore: Configure Renovate by @renovate in #1886
• fix: handle null package.json name when parsing and matching by @rlmestre in #1877
• config(renovate): limit enabled managers by @setchy in #1892
• config(renovate): nvm manager by @setchy in #1894
• config(renovate): jsonata manager for biome by @setchy in #1895
• config(renovate): pin package rules by @setchy in #1897
• [build] Configured all checkouts to NOT persist the credentials by @malice00 in #1901
• build: align java versions by @setchy in #1903
• build: align node versions by @setchy in #1905
• [build] Fixed Suse removing nodejs20 & npm20 from their repo by @malice00 in #1906
• proto upgrade by @prabhu in #1902
• [images] Implemented rebuild for the last 2 tags by @malice00 in #1908
• [renovate] configured minimumReleaseAge by @malice00 in #1912
• [build] Changed sbt/setup-sbt action to v1.1.8 by @malice00 in #1915
• [build] Tried to optimize workflow runs even more with more detailed paths. by @malice00 in #1918
• [renovate] Increased the renovate interval to 'daily' by @malice00 in #1921
• config(renovate): pin github actions by @setchy in #1919
• config(renovate): simplify setup by @setchy in #1923
• [build] Changed the group-names to (hopefully) have runs abort on newer commits by @malice00 in #1949
• Exclude install.sh from .dockerignore by @bandhan-majumder in #1950
• [build] Either run on cron or push, not both by @malice00 in #1951
• [build] Added 'nuget'-directory to .dockerignore by @malice00 in #1952
• chore(deps): bump node versions by @bandhan-majumder in #1960
• config(renovate): enable _VERSION dockerfile updates for node by @setchy in #1961
• [renotavate] Addded 'postUpgradeTasks' to renovate, to have it generate a correct pnpm-lock by @malice00 in #1967
• [build] Run binary-builds on PRs by @malice00 in #1969
• [renovate] Removed renovate scheduling -- just send PRs when updates are found by @malice00 in #1973
• [renovate] Adding a comment to the PR that explains the usage of the updated dependency by @malice00 in #1994
• [renovate] Make sure there is output in the file that is used as a comment by @malice00 in #1996
• [build] More tuning on when workflows run by @malice00 in #1997
• [renovate] Added generating an SBOM and grepping dependency by @malice00 in #1998
• allowlist+trace for commands and http by @prabhu in #1992
• Bugfix - Added MVN_ARGS usage when calculating f...

What's Changed

🧪 Testing

• Add test for boolean values by @bandhan-majumder in #2015

📦 Dependency Updates

• feat: biomejs 2 migration by @setchy in #1874
• chore(deps): update docker/build-push-action action to v6 by @renovate in #1888
• chore(deps): pin dependencies by @renovate in #1898
• chore(deps): pin sbt/setup-sbt action to 69a46ab by @renovate in #1916
• chore(deps): update cachix/cachix-action action to v16 by @renovate in #1913
• chore(deps): update cachix/install-nix-action action to v31 by @renovate in #1914
• chore(deps): update oven-sh/setup-bun action to v2 by @renovate in #1917
• chore(deps): update actions/checkout action to v4.2.2 by @renovate in #1927
• chore(deps): update actions/setup-node action to v4.4.0 by @renovate in #1930
• chore(deps): update actions/setup-java action to v4.7.1 by @renovate in #1929
• chore(deps): update actions/setup-go action to v5.5.0 - autoclosed by @renovate in #1928
• chore(deps): update oven-sh/setup-bun action to v2.0.2 by @renovate in #1925
• chore(deps): update docker/metadata-action action to v5.7.0 by @renovate in #1939
• chore(deps): update github/codeql-action action to v3.29.0 by @renovate in #1942
• chore(deps): update docker/setup-qemu-action action to v3.6.0 by @renovate in #1941
• chore(deps): update docker/setup-buildx-action action to v3.11.1 by @renovate in #1940
• chore(deps): update cachix/install-nix-action action to v31.4.0 by @renovate in #1934
• chore(deps): update docker/build-push-action action to v6.18.0 by @renovate in #1937
• chore(deps): update docker/login-action action to v3.4.0 by @renovate in #1938
• chore(deps): update android-actions/setup-android action to v3.2.2 by @renovate in #1933
• chore(deps): update actions/setup-python action to v5.6.0 by @renovate in #1931
• chore(deps): update actions/upload-artifact action to v4.6.2 by @renovate in #1932
• chore(deps): update coursier/cache-action action to v6.4.7 by @renovate in #1935
• chore(deps): update coursier/setup-action action to v1.3.9 by @renovate in #1936
• chore(deps): update denoland/setup-deno action to v2.0.3 by @renovate in #1924
• chore(deps): update softprops/action-gh-release action to v2.3.2 by @renovate in #1947
• chore(deps): update int128/docker-manifest-create-action action to v2.8.0 by @renovate in #1943
• chore(deps): update pnpm/action-setup action to v4.1.0 by @renovate in #1945
• chore(deps): update oras-project/setup-oras action to v1.2.3 by @renovate in #1944
• chore(deps): update ruby/setup-ruby action to v1.245.0 by @renovate in #1946
• chore(deps): update dependency @biomejs/biome to v2.0.4 by @renovate in #1948
• chore(deps): update pnpm to v10.12.2 by @renovate in #1968
• chore(deps): update endbug/add-and-commit action to v9.1.4 by @renovate in #1976
• chore(deps): update dependency @biomejs/biome to v2.0.5 by @renovate in #1975
• chore(deps): update pnpm to v10.12.3 by @renovate in #1980
• chore(deps): update dependency strip-json-comments to v5 by @renovate in #1988
• chore(deps): update mshick/add-pr-comment action to v2.8.2 by @renovate in #1995
• chore(deps): update dependency pacote to v21 by @renovate in #1985
• chore(deps): update dependency node-gyp to v11 by @renovate in #1984
• chore(deps): update sbt/setup-sbt action to v1.1.10 by @renovate in #1986
• chore(deps): update cachix/install-nix-action action to v31.4.1 by @renovate in #2003
• chore(deps): update sbt/setup-sbt action to v1.1.11 by @renovate in #2004
• chore(deps): update pnpm to v10.12.4 by @renovate in #2008
• chore(deps): update github/codeql-action action to v3.29.1 by @renovate in #2011
• chore(deps): update dependency @biomejs/biome to v2.0.6 by @renovate in #2010

💳 Sponsored Work

• Track optional deps in ruby by @prabhu in #1899

Other Changes

• Move containers and containers-secure back to github-hosted by @prabhu in #1871
• Add script for checking docker image existence by @bandhan-majumder in #1872
• chore: bump nvmrc version by @setchy in #1875
• Restrict the type of values that can be posted by @prabhu in #1879
• chore: Configure Renovate by @renovate in #1886
• fix: handle null package.json name when parsing and matching by @rlmestre in #1877
• config(renovate): limit enabled managers by @setchy in #1892
• config(renovate): nvm manager by @setchy in #1894
• config(renovate): jsonata manager for biome by @setchy in #1895
• config(renovate): pin package rules by @setchy in #1897
• [build] Configured all checkouts to NOT persist the credentials by @malice00 in #1901
• build: align java versions by @setchy in #1903
• build: align node versions by @setchy in #1905
• [build] Fixed Suse removing nodejs20 & npm20 from their repo by @malice00 in #1906
• proto upgrade by @prabhu in #1902
• [images] Implemented rebuild for the last 2 tags by @malice00 in #1908
• [renovate] configured minimumReleaseAge by @malice00 in #1912
• [build] Changed sbt/setup-sbt action to v1.1.8 by @malice00 in #1915
• [build] Tried to optimize workflow runs even more with more detailed paths. by @malice00 in #1918
• [renovate] Increased the renovate interval to 'daily' by @malice00 in #1921
• config(renovate): pin github actions by @setchy in #1919
• config(renovate): simplify setup by @setchy in #1923
• [build] Changed the group-names to (hopefully) have runs abort on newer commits by @malice00 in #1949
• Exclude install.sh from .dockerignore by @bandhan-majumder in #1950
• [build] Either run on cron or push, not both by @malice00 in #1951
• [build] Added 'nuget'-directory to .dockerignore by @malice00 in #1952
• chore(deps): bump node versions by @bandhan-majumder in #1960
• config(renovate): enable _VERSION dockerfile updates for node by @setchy in #1961
• [renotavate] Addded 'postUpgradeTasks' to renovate, to have it generate a correct pnpm-lock by @malice00 in #1967
• [build] Run binary-builds on PRs by @malice00 in #1969
• [renovate] Removed renovate scheduling -- just send PRs when updates are found by @malice00 in #1973
• [renovate] Adding a comment to the PR that explains the usage of the updated dependency by @malice00 in #1994
• [renovate] Make sure there is output in the file that is used as a comment by @malice00 in #1996
• [build] More tuning on when workflows run by @malice00 in #1997
• [renovate] Added generating an SBOM and grepping dependency by @malice00 in #1998
• allowlist+trace for commands and http by @prabhu in #1992
• Bugfix - Added MVN_ARGS usage when calculating firstPom + added option to server to get boolean values ...

What's Changed

🏗️ Build System

• musl arm64 builds by @prabhu in #1869
• Use uv to manage the optional python dependencies + goodies by @prabhu in #1870

Full Changelog: v11.4.0...v11.4.1

What if SBOM tool developers utilised their tool's SBOM to make the project leaner, safer, and better? This curiosity led to the new minor release of cdxgen v11.4.x. We utilised two powerful features in pnpm package manager - aliasing and overrides to continuously generate an SBOM, test, and optimise the dependency tree. We reduced the dependency count by a whopping 10% and artefact binary sizes by 5% without losing any functionality! We then applied the same principle to trim our container images, implemented multi-stage builds for better caching, and implemented per-architecture signed SBOM attachment for the first time (Thanks @malice00). For fans of Alpine Linux, cdxgen container images are now available with Alpine base images for top languages. We are also making a static musl-linked single executable binary available for effortless rollout across a number of OS including IoT devices!

What's Changed

Breaking Changes 🛠

• almalinux 10 upgrade by @prabhu in #1818

💳 Sponsored Work

• [Python] dependency tree enhancements by @prabhu in #1855
• Recurse on optional package tree by @prabhu in #1860

Other Changes

• Add image for Rust 1.87 by @bandhan-majumder in #1819
• Add image for Debian Python 3.13, Debian dotnet 10 preview, Temurin java 24, php 8.3 by @bandhan-majumder in #1820
• Bug fix by @bandhan-majumder in #1821
• fileless image sign + trim deps with cdxgen by @prabhu in #1822
• Continue overriding to reduce deps by @prabhu in #1823
• Switch to AppThreat node-sqlite3 to get sqlite 3.50.0 by @prabhu in #1825
• Support for deno in devenv by @prabhu in #1827
• linux musl detection by @prabhu in #1829
• Add alpine images for golang 1.23 and 1.24 by @bandhan-majumder in #1828
• Add alpine images for java 21 and 24 by @bandhan-majumder in #1830
• [build] Optimized build, SBOM generation & attaching by @malice00 in #1833
• Escaping space in spawnSync args was breaking scala sbt :( by @prabhu in #1832
• [build] Added a new workflow that can be used to automatically retry failed jobs by @malice00 in #1838
• Add ruby 3.4.4 alpine image by @bandhan-majumder in #1834
• [build] Moved image-builds between cloud and hosted servers by @malice00 in #1839
• Remove PYTHON_VERSION var from alpine images by @bandhan-majumder in #1840
• We are missing java in some images so --profile research doesn't work by @prabhu in #1841
• [build] Merged all sets of Dockerfiles into a multi-stage Dockerfile by @malice00 in #1842
• Update atom, sqlite, and ruby versions. Remove find-up by @prabhu in #1843
• [build] Fixed docker warnings about using undefined variables by @malice00 in #1846
• [build] Forgot to remove some newlines in the previous PR by @malice00 in #1847
• Fix technique filtering logic by correctly checking for intersection by @yuvalmich in #1848
• bugfix: normalize component evidence identities to always be array by @yuvalmich in #1852
• Add php 8.4 image for debian and alpine distro by @bandhan-majumder in #1862
• Allowlist for server post. Quote arguments. by @prabhu in #1863
• Adhoc fixes by @prabhu in #1864

New Contributors

• @yuvalmich made their first contribution in #1848

Full Changelog: v11.3.2...v11.4.0

What's Changed

💳 Sponsored Work

• go vendor/modules.txt support by @prabhu in #1810
• Improve dependency tree for poetry in non-workspace mode by @prabhu in #1817

Other Changes

• Verify oci images with SBOM attachments by @prabhu in #1799
• [build] Don't try to install NPM -- it's already installed by @malice00 in #1801
• [build] Free more space on CI-machine by @malice00 in #1802
• fix: unformatted go.mod which is valid leads to parse error by @fearfate in #1803
• fix: go 1.24 has introduced tool directive in go.mod, which is recognized as a dependency by @fearfate in #1805
• ImportedSymbols property for c++ was breaking chen CdxPass by @prabhu in #1808
• [CocoaPods] Fix problems with external Pods from Git by @malice00 in #1807
• split ruby build by @prabhu in #1811
• Add container image for golang 1.23 by @bandhan-majumder in #1814
• Add devenv setup by @bandhan-majumder in #1815

New Contributors

• @fearfate made their first contribution in #1803
• @bandhan-majumder made their first contribution in #1814

Full Changelog: v11.3.1...v11.3.2

All cdxgen container images would now included a signed BOM as an attachment. Use oras discover and pull commands to download these attachments as shown here.

What's Changed

Other Changes

• Build Ruby in a builder by @prabhu in #1790
• Attach cdx sboms to various images by @prabhu in #1793
• Sign the generated BOMs by @prabhu in #1794
• sbom signing attempt 2 by @prabhu in #1798

Full Changelog: v11.3.0...v11.3.1

This is a major release. cdxgen now uses Node 24 in single executable applications (sea) and container images for improved performance. For the first time, our sea binaries are built with pnpm node_modules and therefore have an identical dependency tree to the source and container images. Thanks to the excellent work from @malice00, our build workflows are modernised and scalable. We have also trimmed multiple container images by removing Java and other unneeded packages without any loss of functionality (For instance, by using atom native binary which doesn't require Java).

What's Changed

🧪 Testing

• Run unit tests in matrix. Run depscan with pypi package by @prabhu in #1780

🏗️ Build System

• Build sae with pnpm-based node_modules by @prabhu in #1779

Other Changes

• Updated OpenJDK to v24 by @malice00 in #1772
• Changed workflow to use a matrix by @malice00 in #1773
• Added trimming of the CI-server for depscan-run by @malice00 in #1774
• Override jwa for node 24. Include node 24.x in workflow by @prabhu in #1776
• Use PackageURL.fromString to properly parse npm targetName by @jdalton in #1777
• Switch to node24 by @prabhu in #1778
• Update node version by @prabhu in #1782
• [build] Optimized building of some of the java images by @malice00 in #1783
• [build] Update/rust cargo by @malice00 in #1784
• [build] Extracted reusable workflow for image build by @malice00 in #1785
• [build] Extracted the rolling image into its own workflow by @malice00 in #1786
• Update atom. Use atom-native + remove Java by @prabhu in #1789

New Contributors

• @jdalton made their first contribution in #1777

Full Changelog: v11.2.7...v11.3.0