Releases: CycloneDX/cyclonedx-gomod

v1.0.0

30 Sep 18:51
02f40c9

Changelog

Enhancements

  • Introduce multi-command CLI (#42 via #45)
  • Output SBOMs in v1.3 of the CycloneDX specification (#43 via 5bab19b)
  • Add support for application SBOMs (#44 via #50)
    • Also addresses #20 (thanks dlorenc for reporting!)
  • Add support for binary SBOMs (#21 via #46)
  • Include applicable build constraints in application SBOMs (#29 via #59)
  • Add license detection support for binary SBOMs (#51 via #52)
  • Generate pseudo versions using golang.org/x/mod (#55 via #57)
  • Use license evidence for detected licenses (#40 via #49)
  • Build with and test against Go 1.17 (via #54)
  • Introduce improved logging (via #46)
  • Add indication for which application the SBOM was generated for (#67 via #71)
  • Slightly reduce threshold for license detection confidence, and log a debug message if this threshold isn't met (#79 via #80)

Fixes

  • Fix annotated tags not being recognized as versions (#56 via #57)
  • Fix normalized versions interfering with hash calculation (#58 via #60)
  • Fix app command missing dependencies when main package is spread across multiple files (#75 via #78)

Breaking Changes

  • The CLI now consists of multiple subcommands and is therefore incompatible with the CLI in cyclonedx-gomod v0.x
  • Detected licenses (when using the -licenses flag) now use the components/evidence/licenses node instead of components/licenses. Tools that consume SBOMs but don't yet support CycloneDX v1.3 may not recognize those licenses
  • Version normalization has been removed (#60). As a consequence, +incompatible suffixes and v prefixes (-novprefix flag in v0.x) are not trimmed anymore
  • The -reproducible flag has been removed (via 9b45f4a)

Dependency Updates

  • Update github.com/CycloneDX/cyclonedx-go from v0.3.0 to v0.4.0 (via 5bab19b)
  • Update golang.org/x/mod from v0.4.2 to v0.5.1 (via #57 and 088f0e3)
  • Update golang.org/x/crypto from v0.0.0-20210711020723-a769d52b0f97 to v0.0.0-20210817164053-32db794688a5 (via 75ae52a)

Building and Packaging

  • Produce and publish an SBOM for each binary built when releasing (via #62)
  • Builds for windows/386 and linux/386 have been dropped (via #62)
  • Use standard Go notation for architectures in release artifact names (via #62)
    • e.g. cyclonedx-gomod_1.0.0_windows_x64.zip is now cyclonedx-gomod_1.0.0_windows_amd64.zip

Commits since v1.0.0-beta.2

6276d83 feat: decrease min license detection confidence to 0.85 (#80)
b93fc5b refactor: cleanup and cosmetics (#81)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-beta.2

29 Sep 18:26
307c17d
Pre-release

Changelog

307c17d fix: use main package instead of main file as entrypoint for app command (#78)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-beta.2
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-beta.1

27 Sep 18:31
a31c1e4
Pre-release

Changelog

375e844 feat: prune graph edges to indirect dependencies for main module (#72)
d54784c refactor: remove application name property (#73)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-beta.1
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-beta.0

25 Sep 20:05
43e1e14
Pre-release

Changelog

0b09de5 Enable CodeQL Security Scan (#47)
ac53b42 build: update go directive in go.mod to go 1.17
c87bbaa chore(deps): update github.com/rs/zerolog from v1.23.0 to v1.25.0
75ae52a chore(deps): update golang.org/x/crypto to v0.0.0-20210817164053-32db794688a5
088f0e3 chore(deps): update golang.org/x/mod from v0.5.0 to v0.5.1
be6a7f6 ci: cleanup ci workflow
4a9c43e ci: don't build against go 1.16 anymore
43e1e14 feat: add application name as property and update purl with subpath to application (#71)
70ea280 feat: disable colored log output when running in ci (#70)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-beta.0
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-alpha.4

12 Sep 17:16
d44cc3f
Pre-release

Changelog

d44cc3f build: produce an sbom for each binary built (#62)
d577c40 fix: provide error details when resolving replacements failed
cc50b11 fix: resolve local module in app command
b04354b misc: cosmetic tweaks
5221f2a refactor: remove version normalization (#60)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-alpha.4
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-alpha.3

04 Sep 14:56
7c7f0af
Compare
Choose a tag to compare
v1.0.0-alpha.3 Pre-release
Pre-release

Changelog

7c7f0af ci: enable prerelease detection in goreleaser
3ed5b37 feat: include build constraints as properties of main component (#59)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-alpha.3
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-alpha.2

01 Sep 19:47
c8f9ed2
Pre-release

Changelog

c8f9ed2 feat: add support for application sboms (#50)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-alpha.2
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-alpha.1

23 Aug 21:58
9616ceb
Pre-release

Changelog

9616ceb fix: consider annotated tags and use official pseudo version generator (#57)

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-alpha.1
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v1.0.0-alpha.0

21 Aug 08:21
0cbc174
Pre-release

Changelog

0cbc174 ci: build and test against go 1.17 (#54)
9cff325 ci: build prs to develop-v1.0.0 as well
e93ff2d feat: add license resolution support for bin command (#52)
2b197e4 feat: generate sboms from binaries (#46)
edd71cb feat: use license evidence for detected licenses (#49)
d5e9f22 fix: ensure binary path is not a directory
404d7ee introduce multi-command cli (#45)
aee6d77 refactor: remove spdx code (#48)
2cb46a5 update cyclonedx-cli: 0.15.2 -> 0.17.0
5bab19b update cyclonedx-go: v0.3.0 -> v0.4.0

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v1.0.0-alpha.0
  • docker pull cyclonedx/cyclonedx-gomod:v1
  • docker pull cyclonedx/cyclonedx-gomod:v1.0

v0.10.0

31 Jul 20:40
2571ea6

Changelog

2d76e87 build: set pseudo version for Makefile builds
370a540 chore: tidy go.mod and go.sum
d975554 chore: update spdx licenses
830142c feat: sort dependencies by path
08d0a50 refactor: add license header to generated file
27eb9c8 refactor: fix inconsistency of b911e74
1dbd74a refactor: handle error when executing template
9a2a1a0 refactor: move spdx files into their own package
aa5c7c8 refactor: transfer copyright to owasp
b911e74 refactor: use common funcs for go command execution

Docker images

  • docker pull cyclonedx/cyclonedx-gomod:v0.10.0
  • docker pull cyclonedx/cyclonedx-gomod:v0
  • docker pull cyclonedx/cyclonedx-gomod:v0.10