All notable changes to this project will be documented in this file.
- BREAKING Changes
  - CLI option `--spec-version` defaults to `1.6`, was `1.4` (#1173 via #1258)
  - Emit `.metadata.tools` as components (#1233 via #1235)
    This affects only CycloneDX spec-version 1.5 and later.
  - Emitted `.purl` values might be partially url-encoded (via #1235)
    This is caused by changes on the underlying 3rd-party dependency `packageurl-js`.
  - Create dir for output file if not exists (#1241 via #1242)
    This is only a breaking change if you relied on non-existent result paths to cause errors.
- Misc
  - Raised dependency `@cyclonedx/cyclonedx-library@^7.0.0`, was `@^6.11.0` (via #1235)
- Added
- Dependencies
  - No longer directly depend on `packageurl-js` (via #1237)
- Build
- Dependencies
  - Raised runtime dependency `@cyclonedx/cyclonedx-library@^6.11.0`, was `@^6.6.0` (via #1205)
    This was done to incorporate non-breaking upstream changes and fixes.
- Build
  - Use TypeScript `v5.5.3` now, was `v5.4.5` (via #1201)
- Fixed
- Changed
- Added
  - More debug output when it comes to package manifest loading (via #1189)
- Misc
  - Added direct dependency `hosted-git-info@^4||^5||^6||^7` (via #1191)
    This is also a transitive dependency via the already existing direct dependency `normalize-package-data`.
- Added
- Dependencies
  - Raised dependency `@cyclonedx/cyclonedx-library@^6.6.0`, was `@^6.5.0` (via #1183)

Added support for CycloneDX Specification-1.6.

- Changed
  - This tool explicitly supports CycloneDX Specification-1.6 now (via #1175)
- Added
  - CLI switch `--spec-version` now supports value `1.6` to reflect CycloneDX Specification-1.6 (via #1175)
    Default value for that option is unchanged - still `1.4`.
- Build
  - Use TypeScript `v5.4.5` now, was `v5.4.2` (via #1167)
- Style
  - Applied latest code standards (via #1149)
- Build
  - Use TypeScript `v5.4.2` now, was `v5.3.3` (via #1160)
- Fixed
  - Writing large results to buffered streams no longer drops data, but retries until success (via #1145)
- Docs
- Change
- Changed
- Added
- Build
  - Use TypeScript `v5.3.3` now, was `v5.3.2` (via #1133)
- Fixed
  - Added direct dependency `packageurl-js` as such (via #1122)
- Docs
  - Fixed typos (via #1123)
- Style
  - Applied latest code standards (via #1124)
- Build
  - Use TypeScript `v5.3.2` now, was `v5.2.2` (via #1125)
- Fixed
  - SBOM results might have the `externalReferences[].hashes` populated (#1118 via #1120)
    The hashes might have wrongly appeared as `components[].hashes` before.
  - Components' distribution integrity hash of "sha256" is properly detected and populated in the SBOM result (#699 via #1121)
  - Components' distribution integrity hash of "sha384" is properly detected and populated in the SBOM result (#699 via #1121)
- Misc
  - Raised dependency `@cyclonedx/cyclonedx-library@^6.1.0`, was `@^3||^4||^5||^6` (via #1120)
- Fixed
- Tests
  - Added regression test for all supported NPM versions (via #1108)
- Docs
- Tests
- Build
  - Use TypeScript `v5.2.2` now, was `v5.1.6` (via #1098)
- Misc
  - Raised dependency `@cyclonedx/cyclonedx-library@^3||^4||^5||^6`, was `@^3||^4||^5` (via #1096)
- Misc

Added support for CycloneDX Specification-1.5.

- Changed
- Added
- Build
  - Use TypeScript `v5.1.6` now, was `v5.1.3` (via #841)
- Misc
- Build

Based on OWASP Software Component Verification Standard for Software Bill of Materials (SCVS SBOM) criteria, this tool is now capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
Effective changes based on these SCVS SBOM criteria:
- 2.15 — SPDX license expression detection improved (via #726)
- 2.18 — SHA-1 integrity hash detection added (#699 via #735)

- Changes
  - SPDX license expression detection improved (via #726)
    Previously, some expressions were not properly detected, so they were marked as named-license in the SBOM results. They should be marked as expression, now.
- Added
- Dependencies
  - Raised dependency `@cyclonedx/cyclonedx-library@^2.0.0`, was `@^1.14.0` (via #726)
- Added
  - SBOM result might be validated (via #660)
    This feature is enabled per default and can be disabled via CLI switch `--no-validate`.
    Validation is skipped, if requirements are not met. Requires transitive optional dependencies
- Added
- Fixed
  - DevDependencies that are also required by OptionalDependencies correctly have the property `cdx:npm:package:development` populated in SBOM results (#645 via #657)
  - DevDependencies that are also required by OptionalDependencies are correctly omitted from SBOM results, when the CLI switches for omitting "dev" and "optional" are set (#645 via #657)
- Docs
  - Describe internal NPM executable detection in README (via #647)
- Build
  - Use TypeScript `v5.0.4` now, was `v4.9.5` (via #638)
- Fixed
- Misc
  - Utilize SerialNumber generator from `@cyclonedx/cyclonedx-library@^1.13` (via #599)
    The previously used internal code was donated to that library.
- Docs
  - Added section "How it works" to the README (via #563)
- Changed
  - Detected node packages' metadata are now normalized, before translation to SBOM components happens (#536 via #537)
    This might increase the quality of SBOM results.

Maintenance release

Maintenance release

Maintenance release

- Dependencies
  - Utilize commander `^10.0.0` now, was `^9.4.0` (via #431)
- Build
  - Use TypeScript `v4.9.5` now, was `v4.9.4` (via #482)
- Changed
  - Enhanced randomness when generating a `serialNumber` (via #389)
- Build
  - Use TypeScript `v4.9.4` now, was `v4.9.3` (via #366)

Maintenance release

- Docs
  - Fix CI/CT shield (badges/shields#8671 via #378)

Maintenance release

- Docs
  - Enhanced documentation regarding NodeJS/NPM internals, package-dedupe and results (via #331)
- Misc
  - Added test for flattened results (via #312)
- Build
  - Use TypeScript `v4.9.3` now, was `v4.8.4` (via #333)
- Added
  - When CLI option `--flatten-components=true` is set, then the property `cdx:npm:package:bundled` might be added (#311 via #310)
- Misc
  - Added demos for flattened results (via #310)
- Fixed
- Fixed
- Misc
  - Added more debug output regarding NPM version detection (via #259)
- Changed
- Added
- Fixed
- Misc
- Build
  - Use TypeScript `v4.8.4` now, was `v4.8.3` (via #164)

First major version (via #1)
Thanks to all the beta testers. Your efforts, feedback and contributions are appreciated.

- Fixed
  - Run on Windows systems was improved for `npm`/`npx` sub-processes.
- Misc
  - Style: imports are sorted, now.
- Build
  - Use TypeScript `v4.8.3` now, was `v4.8.2`.
- Changed
  - PackageUrl (PURL) in JSON and XML results are as short as possible, but still precise.
- Added
  - CLI switch `--ignore-npm-errors` to ignore/suppress NPM errors.
- Added
  - Support for node 14 was enabled.
  - Support for handling when run via `npx`.
- Docs
  - Improve installation instructions and usage instructions.
- Misc
  - Improved test coverage.
- Build
  - Use TypeScript `v4.8.2` now, was `v4.7.4`.
- Fixed
  - Run on Windows systems was fixed.
  - Improved error reporting.
  - Debug output was made clearer to understand.
- Change
  - The package no longer pins dependencies via shrinkwrap.
- Fixed
  - Debug output was made clearer to understand and less annoying.
- Style
  - Improved internal typing for `OmittableDependencyTypes`.
- First feature complete implementation.