v9.2.1a

Release Notes

Made Open Source Integration (OSI) compatible with MacOS

Fixed

• SBOMs now generate on MacOS

What's Changed

• SBOM-in-a-Box v9.2.1-alpha Release by @amandanitta in #320

Full Changelog: v9.2.0a...v9.2.1.a

v9.2.0a

Release Notes

Add SBOM Repair and overhaul OSI for easier customization. The full changelog can be found here

Added

Repair SBOM Fields

• HashFixes - Suggests a list of fixes for invalid hashes and hashing algorithms
• LicenseFixes - Suggests a list of fixes for deprecated licenses
• PURLFixes - Use data stored in sbom to generate correct PURLs
• CPEFixes - Use data stored in sbom to generate correct CPEs
• Null copyright checks - use package manger files to check for copyrights

CycloneDX 1.4 XML Support

• Support upload and manipulation of xml sboms for CycloneDX

Changed

Convert

• New manipulate package to alter SVIPSBOM data
• New toSchema package to convert SVIPSBOMs into SBOMs

OSIv4

• Overhaul OSI to use tool config files for easier modification
  • See Adding Additional OSI Tools
  • Total of 18 tools, newly added
    1. Covenant
    2. CycloneDX Bower
    3. CycloneDX Go
    4. CycloneDX Rust
    5. GoBom
    6. SBOM4Files
    7. SBOM4Python
    8. SBOM4Rust
    9. SBOM Tool
• QoL debug messages to get more information about OSI status inside the container
• Add new OSIService to replace old OSI and OSIClient files
• Update OSIController to use new OSIService
• Added additional scripts

Misc.

• SBOM components objects are now compared by name and version
• Changed the max packet size for MySQL to 256M
• Minor changes to QAPipeline to support Repair

Fixed

• Mismatched port inside OSI container that caused issues when using OSI API
• Small typos with SPDX serialization

What's Changed

• Rename SBOMRepository to SBOMFileRepository and SBOM to SBOMFile by @JorWo in #283
• Compare components by name and version by @JorWo in #282
• Hotfix: Rename findByTargetSBOMAndOtherSBOM() to findByTargetSBOMFileAndOtherSBOMFile() by @JorWo in #290
• Made OSI tool calls consistent by @tranw8 in #295
• Fix deserialization bugs with SPDX23 Tag Value Deserializer by @dlg1206 in #298
• HashFixes Improvements by @JorWo in #289
• Add Relationships Header for SPDX23TagValueSerializer by @JorWo in #300
• Convert Rebuild by @txdvse in #272
• Repair by @jwj7297 in #299
• Repair Bom-Ref Fix by @jwj7297 in #304
• Simple fix for boolean convert overwrite by @Hooobot in #306
• Rename by @amandanitta in #308
• Valid PURL Repair by @jwj7297 in #309
• CycloneDX 1.4 XML Serializer by @txdvse in #307
• OSI additional Tools + Refactor by @dlg1206 in #303
• Add OSI heathcheck wait to dockercompose for API by @dlg1206 in #311
• Merger Doc Cleanup by @txdvse in #314
• updated start period and link to curl by @amandanitta in #312
• CycloneDX 1.4 XML Support by @dlg1206 in #313
• SVIP v9.2.0-alpha Pre-Release by @dlg1206 in #315

New Contributors

• @tranw8 made their first contribution in #295

Full Changelog: v8.0.5a...v9.2.0a

v8.0.5a

Release Notes

Numerous bugfixes and QoL changes. The full changelog can be found here

Added

• Added SBOM Generation support by two methods via API:
  • Open Source Integration (OSI)
    • Generate an aggregate SBOM from a number of Open Source SBOM generators
    • Additional details can be found here
  • SVIP Generation
    • SVIP generation uses regex and natural language processing techniques to parse source code for dependencies used in the code.
    • Uses dependency manifest files ( pom.xml, package.json, etc ) to enhance with additional information, but are not required
    • Additional details and CLI usage can be found here

Changed

• Refactor database into more robust structure to support future usage of SBOM, VEX, Quality Report, and Diff Report files
• Refactor API into services and controllers
• Refactor OSI into standalone service that can be used outside of SVIP
• Restructure directory structure to by features

Known Issues

• #279

What's Changed

• Feature-Focused Directory Structure by @dlg1206 in #190
• API Container Hotfix by @ian1dunn in #191
• Generator Endpoints Support Binary ZIP Files of Projects by @juanfpatino in #173
• mergeAll tests by @liamthemailman in #196
• Full convert refactor for SPDX and CDX by @txdvse in #199
• Improved Diff Report Readability by @tfr8811 in #193
• Completed QA Controller by @dlg1206 in #202
• Convert Functionality Refactor (core) by @juanfpatino in #200
• VEX Refactor by @dlg1206 in #204
• Convert Endpoint by @juanfpatino in #201
• Quality of Life Hotfixes by @dlg1206 in #216
• Audit Round 1 Fixes by @liamthemailman in #214
• Merge Cross Schema Support and Convert Fixes by @txdvse in #222
• /compare endpoint API Refactor by @dlg1206 in #220
• OSI Tool Selection by @ian1dunn in #221
• MergerSVIP() implementation for /merge Endpoint refactor by @juanfpatino in #227
• /merge endpoint refactor by @juanfpatino in #228
• Completed SBOMController + Services by @dlg1206 in #198
• OSI Endpoint Refactor by @ian1dunn in #230
• Parser Refactor by @tfr8811 in #231
• Dev db refactor SBOM unit tests services by @tfr8811 in #233
• Diff/QA/VEX Controller Unit Tests by @tfr8811 in #235
• Generator (Parser & OSI) Unit Tests by @ian1dunn in #236
• Consolidate All Unit Tests by @ian1dunn in #237
• Dev db refactor fixes by @ian1dunn in #238
• Added Unit Tests to SBOMControllerTest.java by @tfr8811 in #239
• Database / API Refactor by @dlg1206 in #197
• Added creationTool externalReferences by @liamthemailman in #240
• Audit Round 3 Backend Fixes by @liamthemailman in #234
• RepairStatements by @txdvse in #248
• OSI Works Inside and Outside container by @dlg1206 in #243
• Dev port5000 by @amandanitta in #255
• Dev docker file mount by @Hooobot in #259
• Fixed Parsers Post Mapping by @jwj7297 in #266
• Release Documentation by @dlg1206 in #267
• Changed SQL Max packet size to 256M by @jwj7297 in #276
• SVIP v8.0.5-alpha Pre-Release by @dlg1206 in #268

New Contributors

• @liamthemailman made their first contribution in #196
• @amandanitta made their first contribution in #255
• @Hooobot made their first contribution in #259
• @jwj7297 made their first contribution in #266

Full Changelog: v7.1.2a...v8.0.5a

v7.1.2a

v7.1.2a

First stable release of the SBOM Visualization and Integration Platform. The full changelog can be found here

• Open Source Integrated SBOM Generation: Makes use of open source SBOM Generator Tools to generate SBOMs
• SBOM Generation: Custom SBOM generation via source file and package manager file analysis
• Vulnerability Exploitability eXchange (VEX) Generation: Generate VEX documents from SBOMs
• SBOM Metrics: Grade SBOMs using a series of metric tests
• SBOM Comparison: Compare SBOMs to identify key differences between them
• SBOM Merging: Merge SBOMs into a single unified document

Known Issues

• SBOM Generation with the API is semi-unstable
• Serialization and Deserialization of SBOMs are still in early development stages and occasionally have translation errors
• OSI Container rarely but occasionally fails to run startup script
• OSI XML Support is deprecated

Comments

The CI/CD SBOMs generated on release do not arcuately represent SVIP. This is a known issue, the CI/CD SBOM generator includes component information from test SBOMs that are unrelated to SVIP. Please disregard any data originated from any test/resources directory