Skip to content

v1.0.0
Compare
Choose a tag to compare
@github-actions github-actions released this 30 Sep 18:51
· 683 commits to main since this release
v1.0.0
02f40c9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Changelog

Enhancements

  • Introduce multi-command CLI (#42 via #45)
  • Output SBOMs in v1.3 of the CycloneDX specification (#43 via 5bab19b)
  • Add support for application SBOMs (#44 via #50)
    • Also addresses #20 (thanks dlorenc for reporting!)
  • Add support for binary SBOMs (#21 via #46)
  • Include applicable build constraints in application SBOMs (#29 via #59)
  • Add license detection support for binary SBOMs (#51 via #52)
  • Generate pseudo versions using golang.org/x/mod (#55 via #57)
  • Use license evidence for detected licenses (#40 via #49)
  • Build with and test against Go 1.17 (via #54)
  • Introduce improved logging (via #46)
  • Add indication for which application the SBOM was generated for (#67 via #71)
  • Slightly reduce threshold for license detection confidence, and log a debug message if this threshold isn't met (#79 via #80)

Fixes

  • Fix annotated tags not being recognized as versions (#56 via #57)
  • Fix normalized versions interfering with hash calculation (#58 via #60)
  • Fix app command missing dependencies when main package is spread across multiple files (#75 via #78)

Breaking Changes

  • The CLI now consists of multiple subcommands, thus being incompatible with the CLI in cyclonedx-gomod v0.x
  • Detected licenses (when using the -licenses flag) will now use the components/evidence/licenses node instead of components/licenses. Tools that consume SBOMs and don't support CycloneDX v1.3 yet may not recognize those licenses
  • Version normalization has been removed (#60). As a consequence, +incompatible suffixes and v prefixes (-novprefix flag in v0.x) are not trimmed anymore
  • The -reproducible flag has been removed (via 9b45f4a)

Dependency Updates

  • Update github.com/CycloneDX/cyclonedx-go from v0.3.0 to v0.4.0 (via 5bab19b)
  • Update golang.org/x/mod from v0.4.2 to v0.5.1 (via #57 and 088f0e3)
  • Update golang.org/x/crypto from v0.0.0-20210711020723-a769d52b0f97 to v0.0.0-20210817164053-32db794688a5 (via 75ae52a)

Building and Packaging

  • Produce and publish an SBOM for each binary built when releasing (via #62)
  • Builds for windows/386 and linux/386 have been dropped (via #62)
  • Use standard Go notation for architectures in release artifact names (via #62)
    • e.g. cyclonedx-gomod_1.0.0_windows_x64.zip is now cyclonedx-gomod_1.0.0_windows_amd64.zip

Commits since v1.0.0-beta.2

6276d83 feat: decrease min license detection confidence to 0.85 (#80)
b93fc5b refactor: cleanup and cosmetics (#81)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0
Assets 15
Loading