Releases: sbomify/github-action

The One Where We Go To FOSDEM

01 Feb 09:47
e344ec6

Breaking Changes

  • Python 3.11+ now required - Minimum Python version increased from 3.10 to 3.11 for tomllib module support

New Features

Hash Enrichment from Lockfiles

New subsystem that extracts cryptographic hashes from lockfiles and adds them to SBOM components. Supports Cargo.lock, package-lock.json, Pipfile.lock, pnpm-lock.yaml, poetry.lock, pubspec.lock, uv.lock, and yarn.lock.

Interactive Configuration Wizard

New sbomify init command with interactive prompts to create sbomify.json configuration files.

Conan Center Enrichment

New enrichment source for C/C++ packages using the Conan Center API. Fetches license, author, homepage, repository, and description.

Component Supplier Field (NTIA Compliance)

Components now include a supplier field populated with the distribution platform (e.g., PyPI, npm) rather than package author, improving NTIA SBOM compliance.

PURL Generation from VCS URL

SPDX SBOMs now generate PURLs from VCS URLs for the main package when no explicit PURL is available, improving NTIA compliance.

Organization Data from Contact Profile API

Enhanced sbomify API integration extracts organizational data from the contact_profile structure.

Improvements

Lifecycle Property Standardization

Lifecycle properties now use official CycloneDX taxonomy:

  • cle:releaseDate → cdx:lifecycle:milestone:generalAvailability
  • cle:eos → cdx:lifecycle:milestone:endOfSupport
  • cle:eol → cdx:lifecycle:milestone:endOfLife

Better Error Handling

  • New ToolNotAvailableError for graceful handling when SBOM generation tools are missing
  • Improved error messages for "component not found" scenarios
  • Better diagnostic info included in SBOM generation errors
  • Path expansion errors now include file name and searched paths
  • Helpful error when file path looks like a CLI flag
  • Stdout captured in error logging for tools that output errors there
  • Sentry filtering fixed for log-based configuration errors

Other

  • Augmentation now works without sbomify API credentials

What's Changed

  • Improve path_expansion error message to include file name and searched paths by @vpetersson in #146
  • fix: capture stdout in error logging for tools that output errors there by @vpetersson in #145
  • fix: allow augmentation without sbomify API credentials by @vpetersson in #147
  • Add Conan Center enrichment source for C/C++ packages by @vpetersson in #144
  • Add user-friendly error handling for component not found errors by @vpetersson in #148
  • Add CLAUDE.md with project guidance and exclude from Docker build by @vpetersson in #149
  • Fix Sentry filtering for log-based configuration errors by @vpetersson in #152
  • Improve error handling to include diagnostic info in SBOM generation errors by @vpetersson in #150
  • Add ToolNotAvailableError for graceful handling of missing SBOM tools by @vpetersson in #151
  • Extract organizational data from contact_profile API structure by @vpetersson in #154
  • Add PURL generation from VCS URL for SPDX NTIA compliance by @vpetersson in #155
  • Add helpful error when file path looks like CLI flag by @vpetersson in #157
  • Add interactive wizard for sbomify.json configuration by @vpetersson in #156
  • Standardize lifecycle properties to official CycloneDX taxonomy by @vpetersson in #158
  • Add hash enrichment from lockfiles to SBOMs by @vpetersson in #160
  • Use distribution platform as supplier instead of package author by @vpetersson in #159
  • Bump version to 0.13 by @vpetersson in #162

Full Changelog: v0.12...v0.13

The One Where We Got CRA-zy Compliant

21 Jan 14:50
7906c48

New Features

CRA (Cyber Resilience Act) Compliance Support

  • Added security_contact field for vulnerability reporting (URL/email)
  • Added support_period_end field for security support end date
  • Expanded lifecycle event support with release_date and end_of_life fields
  • Both CycloneDX and SPDX formats supported

SPDX Product Tagging

  • Added product metadata tagging for SPDX SBOMs, bringing parity with CycloneDX

Tool Version Checker

  • Added bin/check_tool_versions.py script to check and update bundled tool versions from GitHub releases

Improvements

Better Error Handling

  • Added DockerImageNotFoundError for clearer errors when Docker images don't exist
  • Improved duplicate SBOM upload handling with graceful error recovery
  • Better error messages for duplicate uploads with version hints

Updated Bundled Tools

  • Trivy: 0.67.2 → 0.68.2
  • Syft: 1.39.0 → 1.40.1

Bug Fixes

  • Fixed SPDX schema resolution error during validation
  • Fixed SPDX lockfile detection for full paths generated by Trivy
  • Fixed Docker tag mismatch in production container SBOM jobs

The One Where They Go to PyPI

20 Jan 05:46
5dece42

Highlights

  • PyPI Package - Install via pip install sbomify-action and use outside CI/CD
  • Click-based CLI - Full command-line interface with --help on all commands
  • SPDX Format Support - New SBOM_FORMAT env var for SPDX output
  • Audit Trail - Every SBOM modification logged with timestamps for attestation
  • License Database - Pre-computed license data for 30+ Linux distro versions
  • Rust Support - Native cargo-cyclonedx generator + crates.io enrichment

New Features

Distribution & CLI

  • PyPI package: pip install sbomify-action (#104, #124, #125, #126)
  • Click-based CLI with full environment variable parity (#128)

SBOM Formats & Output

  • SPDX format support via SBOM_FORMAT=spdx (#118, #119, #121)
  • CDX/SPDX license sanitization parity (#129)
  • Comprehensive audit trail for all SBOM modifications (#130)
  • Rich console output with transformation tracking (#101)

Enrichment & Augmentation

  • Pre-computed license database for Linux distros (#122)
    • Debian, Ubuntu, Alpine, Fedora, Amazon Linux, CentOS Stream, AlmaLinux, Rocky Linux, Oracle Linux, openSUSE, Arch, Wolfi/Chainguard, Distroless
  • Architecture-agnostic PURL lookup in license database (#127)
  • Dedicated Lifecycle plugin for CLE data (#123)
  • Augmentation provider plugin architecture (#99)
  • VCS auto-detection from CI environment (#107)
  • Manufacturer data support (#110)
  • crates.io enrichment source for Rust packages (#100)

Generation

  • cargo-cyclonedx as native Rust SBOM generator (#102)
  • COMPONENT_PURL environment variable for PURL override (#113)

Processing & Releases

  • SBOM processor plugin system with sbomify_releases processor (#105)
  • Link top-level components to root in CycloneDX dependency graph (#115)

Improvements

Docker Image

  • Multi-arch support (amd64/arm64) and modernized base images (#92)
  • Lazy Java/Maven installation to reduce image size (#93)
  • Lazy Go installation for cdxgen Go module scanning (#96)
  • Install cdxgen from bun lockfile (#90)

PURL & Version Handling

  • Fix PURL double-encoding in ecosyste.ms API calls (#131)
  • Update PURL version when COMPONENT_VERSION is set (#108)
  • Use short git hash for SBOM version, update bom-ref consistently (#112)

Compliance & Validation

  • Align NTIA compliance checkers with NTIA 2021 standard (#97)
  • Improved CycloneDX dependency graph warning display (#111)

Bug Fixes

  • De-duplicate VCS URL normalization log messages (#91)
  • Skip redundant component name override when name already matches (#94)
  • Resolve DUPLICATE_NAME error recovery in releases API (#114)
  • Handle 409 DUPLICATE_ARTIFACT as success in release tagging (#117)
  • Minor ecosyste.ms fix (#95)
  • Minor bug fixes in npm handling (#116)

Infrastructure

  • Split delivery between stage and prod (#109)
  • Set correct version in output (#106, #120)
  • Disable Sentry telemetry globally for tests (#132)

Breaking Changes

  • Removed rpmrepo and ubuntu enrichment sources (replaced by license database)
  • Test data restructured to versioned distro-specific files

Stats

  • 43 PRs merged
  • 218 commits
  • 262 files changed

Full Changelog: v0.10...v0.11

18 Jan 12:47
51c79ca

Merge pull request #122 from sbomify/licensedb

feat: add pre-computed license database for Linux distro enrichment

The One Where They Finally Added Java

05 Jan 16:19
57f1d33

Changelog v0.10

New Features

Upload Plugin Architecture

  • Implement multi-destination upload support via UPLOAD_DESTINATIONS environment variable
  • Add Dependency Track as a new upload destination with DTRACK_* prefixed configuration variables
  • Support uploading to multiple destinations simultaneously (e.g., sbomify,dependency-track)
  • sbomify credentials now only required when uploading to sbomify

Additional Packages Injection

  • Inject packages not captured by lockfile scanning (vendored code, runtime deps, system libraries)
  • Auto-detect additional_packages.txt convention-based file in working directory
  • Support custom file location via ADDITIONAL_PACKAGES_FILE environment variable
  • Support inline PURLs via ADDITIONAL_PACKAGES environment variable (comma or newline separated)
  • Merge and deduplicate packages from all sources before injection

cdxgen Generator

  • Add cdxgen as a new SBOM generator (priority 20) with ecosystem-aware scanning
  • Best-in-class support for Java/Maven (pom.xml, build.gradle, gradle.lockfile)
  • Support for Python, JavaScript, Go, Rust, Ruby, Dart, C++, PHP, .NET, Swift, Elixir, Scala, and Docker images
  • Run cdxgen from lock file directory for consistent behavior
  • Add --required-only and --fail-on-error flags for stricter builds

CycloneDX 1.3 Support

  • Add CycloneDX 1.3 schema for validation and output

Improvements

PURL Normalization and Sanitization

  • Add PURL normalization to fix common encoding issues (double @@, %40%40)
  • Detect and filter invalid PURLs:
    • File references (local workspace packages)
    • Link references (npm link)
    • Path-based versions
    • Invalid root namespace
    • Missing versions (for ecosystems that require them)
  • Extend PURL sanitization to tools.components in generated SBOMs
  • Add stub components for orphaned dependency graph references

VCS URL Normalization (SPDX Compliance)

  • Normalize VCS URLs to SPDX-standard format:
    • scm:git:... → strips prefix, normalizes inner URL
    • git@host:path → git+https://host/path
    • Known git hosts (GitHub, GitLab, etc.) → adds git+ prefix
  • Expand allowed URL schemes to include SPDX VCS schemes (git, git+ssh, git+https, git+http)
  • Recognize 15 known git hosting providers for automatic normalization
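The three normalization rules above, written out as an added example (not the project's own code). The host set is a constructed subset, since the notes name GitHub and GitLab but do not list all 15 providers; treating ssh:// URLs on those hosts as git+ssh and keeping plain http/https in the allowed schemes are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the "known git hosting providers" (assumption: the
# release notes do not enumerate the full list of 15).
KNOWN_GIT_HOSTS = {"github.com", "gitlab.com", "bitbucket.org", "codeberg.org"}

# Schemes accepted after normalization: the SPDX VCS schemes named in the
# notes plus plain http/https (assumed to have been allowed already).
ALLOWED_SCHEMES = {"git", "git+ssh", "git+https", "git+http", "http", "https"}

# scp-like form used by ssh clones: git@host:path
_SCP_LIKE = re.compile(r"^git@([A-Za-z0-9.-]+):/?(.+)$")


def normalize_vcs_url(url):
    """Apply the three rules; unrecognised input is returned unchanged."""
    url = url.strip()
    # Rule 1: Maven-style scm:git:<url>, strip the prefix, normalize the rest
    if url.startswith("scm:git:"):
        return normalize_vcs_url(url[len("scm:git:"):])
    # Rule 2: git@host:path becomes git+https://host/path
    m = _SCP_LIKE.match(url)
    if m:
        host, path = m.group(1).lower(), m.group(2)
        return f"git+https://{host}/{path}"
    # Rule 3: http(s)/ssh URL on a known git host gets the git+ prefix
    parts = urlsplit(url)
    if parts.scheme in ("http", "https", "ssh") and parts.hostname in KNOWN_GIT_HOSTS:
        return "git+" + url
    return url


def is_allowed_vcs_url(url):
    """True when the URL's scheme is one the SPDX output may carry."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES
```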

Expanded Lockfile Support

  • Add support for Java: pom.xml, build.gradle, build.gradle.kts, gradle.lockfile
  • Add support for: pyproject.toml, package.json, bun.lock, composer.json, composer.lock, packages.lock.json, Package.swift, Package.resolved, mix.lock, build.sbt, .terraform.lock.hcl

Other Improvements

  • Include schema files in package distribution for offline validation
  • Improve validation logging with better error messages
  • Extract tool versions from Dockerfile (single source of truth)

Bug Fixes

  • Fix orphaned dependency graph references by creating stub components
  • Fix root namespace detection for invalid PURLs
  • Fix _is_invalid_purl to explicitly handle None input
  • Include schema files in package distribution

The One Where Generation Gets Modular

19 Dec 18:56
8275b49

Changelog v0.9

New Features

  • Plugin architecture for SBOM generation - Modular generator system with priority-based selection and automatic fallback (cyclonedx-py → Trivy → Syft)
  • Ubuntu APT repository enrichment - Native metadata source for pkg:deb/ubuntu/* packages (LTS 18.04-24.04 + 24.10)
  • Built-in schema validation - JSON Schema validation for generated SBOMs

Bug Fixes

  • Fixed NTIA compliance issues for supplier and version fields
  • Improved author extraction from PyPI author_email field
  • Added version inheritance for lockfile components

Documentation

  • Added ADR-0001: Plugin Architecture for Extensibility

The one with enrichment plugins

17 Dec 18:55
45e48df

Changelog for v0.8.0

Major Features

Plugin-based Enrichment Architecture

  • Complete rewrite of the SBOM enrichment system with a plugin-based architecture
  • Queries multiple data sources in priority order to improve NTIA compliance
  • 8 data sources implemented: PyPI, Debian, deps.dev, ecosyste.ms, PURL, ClearlyDefined, Repology, and RPM Repo
  • Lockfile components are now enriched with metadata instead of removed, preserving dependency graph integrity

RPM Repository Enrichment (PR #69)

  • Native Tier 1 enrichment for RHEL-compatible distros
  • Supports: Rocky Linux 8/9, Alma Linux 8/9, CentOS Stream 8/9, Fedora 39-42, Amazon Linux 2/2023
  • Extracts license, vendor/supplier, description, homepage, and download URL from official repos
  • Intelligent caching at repo level for efficient batch processing

Dart/Flutter Support (PR #67)

  • Added support for Dart packages via pub.dev data source
  • Enrichment for pubspec.lock files

CycloneDX 1.7 Support (PR #64)

  • Added full support for CycloneDX 1.7 schema
  • Schema compliance tests for CycloneDX 1.4, 1.5, 1.6, 1.7

Bug Fixes

CycloneDX Tools Format (PR #64)

  • Fixed spec compliance: now uses modern tools format (tools.components/tools.services) for CycloneDX 1.5+
  • CycloneDX 1.4 correctly uses legacy Tool format (tools array)
  • Sbomify now correctly identified as a service-based tool in 1.5+

Debian Source Rewrite (PR #67)

  • Use correct API endpoint with version-specific lookups
  • Added fallback to latest version when specific version not found
  • Added VCS URL parsing from pkg_infos field

Augmentation Fix (PR #66)

  • Fixed dependency cleanup when filtering lockfile components

Dependency Upgrades

  • cyclonedx-python-lib: 8.4.0 to 11.5.0
  • cyclonedx-bom: 6.1.1 to 7.2.1

Other Improvements

  • PURL-based enrichment for OS packages (deb, rpm, apk) as fallback when ecosyste.ms has no data
  • Improved documentation - README overhaul with enrichment architecture details, data sources table, and Mermaid flowchart
  • NTIA compliance tests - New comprehensive test suite for NTIA minimum elements
  • Container SBOM test data - Added 16 test files covering Alpine, Debian, Ubuntu, and RHEL with both Syft and Trivy scanners
  • Standalone mode improvements (PR #60)
  • Input sanitization for tagging (PR #68)
  • Added .dockerignore for smaller container images
  • Sentry filtering - Don't send events to Sentry in tests (PR #62)

The one with ecosystems

27 Nov 16:13
3255ae5

Changelog: v0.6 → v0.7.0

Major Changes:

  • Switched enrichment from Parley to ecosyste.ms API - Now uses ecosyste.ms for package metadata enrichment (thank you @andrew)
  • Added SPDX support - Full support for SPDX 2.2 and 2.3 formats alongside CycloneDX (via new spdx-tools dependency)
  • Enhanced telemetry with privacy controls - Sentry error tracking now respects repository visibility (private repos don't send CI context)

Improvements:

  • Product releases API now uses sbom_id instead of artifact_id/artifact_type
  • Improved release tagging workflow with better ID resolution
  • Fixed tool vendor normalization to prevent serialization comparison errors
  • Better cache management for enrichment API calls
  • User errors (validation/config) are now filtered from telemetry

Testing:

  • Added comprehensive Sentry filtering tests for GitHub Actions, GitLab CI, and Bitbucket Pipelines
  • New tool vendor normalization tests
  • Migrated timestamp tests to library-based augmentation
  • Added test coverage for SPDX version-specific behavior

Dependencies:

  • Added: spdx-tools, beartype, click, isodate, ply, rdflib, semantic-version, uritools, xmltodict

The one with UV

31 Oct 12:49
c34242c

Major Features

Package Manager Support

  • Added uv.lock support: Full support for Python's uv package manager dependency files (#39 by @vpetersson)
  • Added Conan support: Support for Conan C++ package manager with conan.lock files (#40 by @vpetersson)

SPDX Enhancements

  • Comprehensive SPDX augmentation: Implemented full CycloneDX parity for SPDX format SBOMs (#37 by @vpetersson)
  • Fixed SPDX component naming: Corrected COMPONENT_NAME override for SPDX SBOMs (#36 by @vpetersson)
  • Enhanced SPDX metadata: Fixed missing metadata.component.type field (#41 by @rusko124)

Product Release Management

  • Automatic product release management: Added comprehensive release tracking and management (#35 by @vpetersson)
  • SBOM tagging: Implemented automatic tagging of SBOMs with product versions
  • Release endpoint improvements: Fixed release endpoint functionality and API URL construction (#38 by @vpetersson)

Infrastructure & Tooling

Migration to UV

  • Poetry to UV migration: Migrated from Poetry to UV for dependency management (#44 by @vpetersson)
  • Removed poetry.lock: Deleted Poetry lockfile (1,366 lines removed)
  • Added uv.lock: New UV lockfile with 932 lines of dependencies
  • Updated pyproject.toml: Significant updates to project configuration (49 changes)

CI/CD Improvements

  • Consolidated workflows: Removed 4 separate GitHub workflow files:
    • docker_build.yaml (29 lines)
    • docker_registry.yaml (57 lines)
    • integration_tests.yaml (96 lines)
    • sanity_checks.yaml (35 lines)
  • Enhanced main workflow: Significantly expanded sbomify.yaml (193+ additions)
  • Updated deployment flow: Improved release order and deployment process (#45 by @vpetersson)
  • Trivy version bump: Updated Trivy scanner version (#47 by @vpetersson)

Bug Fixes

API Improvements

  • Fixed double API prefix: Prevented double /api/v1 prefix in API URL construction
  • Updated requests library: Addressed CVE security vulnerability
  • Sentry endpoint update: Switched to new Sentry endpoint (#43 by @vpetersson)

Testing Enhancements

New Test Coverage

  • API endpoint auditing: Added comprehensive API endpoint audit tests (218 lines)
  • Release management tests: New release functionality tests (394 lines)
  • Enhanced enrichment tests: Expanded SBOM enrichment test coverage (57+ additions)
  • JSON augmentation tests: Significantly expanded JSON augmentation tests (353+ additions)
  • Configuration tests: Enhanced configuration testing (97+ additions)

Test Data

  • Added Conan test data: New conan.lock test file
  • Added UV test data: New uv.lock test file for testing UV support
  • Poetry generation test: Added test file for Poetry SBOM generation

Documentation

README Updates

  • Enhanced documentation: Significant README improvements (103+ additions)
  • Updated usage examples: Better examples and documentation for new features

Core Functionality

Enhanced SBOM Processing

  • Expanded main.py: Major enhancements to core CLI functionality (657+ additions)
  • Improved command handling: Better command processing and error handling
  • Enhanced configuration: More robust configuration management

Version Information

  • Previous version: v0.5.0
  • Current version: v0.6
  • Release commits: 20+ commits with comprehensive feature additions and improvements

More NTIA checks

14 Jul 13:39
8ea6f28

  • NEW: COMPONENT_NAME environment variable - Direct component name specification that works independently of augmentation settings, supporting both CycloneDX and SPDX formats
  • NEW: Automatic timestamp generation - Adds UTC timestamps to SBOMs missing them (CycloneDX timestamp, SPDX created) to meet NTIA requirements while preserving existing timestamps
  • Deprecated OVERRIDE_NAME and SBOM_VERSION - Replaced with COMPONENT_NAME and COMPONENT_VERSION respectively, with deprecation warnings and backward compatibility maintained
  • Improved logging and user experience - Removed emoji characters from warnings for better CI/CD compatibility, added clearer status messages for component operations
  • Enhanced documentation - Updated README with comprehensive COMPONENT_NAME examples for GitHub Actions, Bitbucket Pipelines, and Docker usage
  • Expanded test coverage - Added comprehensive timestamp functionality tests (test_timestamp.py) and enhanced configuration validation tests
  • Better error handling - Improved component metadata operations with graceful fallbacks and component creation when missing from SBOMs
  • Updated workflows - GitHub Actions workflow now uses new variable names with conditional tag-based versioning
  • Full backward compatibility - All deprecated features continue to work while encouraging migration to new variable names