Release v11.0.9

What's Changed

Other Changes

• Expand optional tree by @prabhu in #1523

Full Changelog: v11.0.8...v11.0.9

Release v11.0.8 - Holiday update

We're ready to greet the new year with this holiday update. This release focuses on general improvements and tweaks to make cdxgen more useful for both users and AI bots. cdxgen can now reliably track all package manifests where a given component was found—especially helpful for vulnerability management and patching in large monorepos and multi-module projects. We’ve also improved dependency tree accuracy so bots like cdxgenGPT can better understand and reason about the underlying architecture.

Quality is a top priority. xBOM accuracy—particularly precision and recall—remains a constant topic that keeps us on our toes. Thanks to a generous sponsorship, we have added more snapshot testing for a number of languages and package manager ecosystems, and trained cdxgenGPT to serve as a good xBOM reviewer. We will soon use both automated testing and machine learning to continuously evaluate and improve BOM quality.

Please update to this version at your convenience. Happy Holidays!

Screenshots

cdxgenGPT training and assessment prompts

Rate my SBOM

Review of a syft SBOM

What's Changed

🚀 Features

• uv support by @prabhu in #1516
• Merge components after aggregation by @prabhu in #1517

🐛 Bug Fixes

• Retain license and external references for parent components by @prabhu in #1520

📚 Documentation

• cdxgen for bots by @prabhu in #1514
• Rate my xbom by @prabhu in #1521

Other Changes

• #1486 fix: use getGoPkgComponent in parseGosumData by @CaMoPeZzz in #1487
• Support image generation and parsing github url by @prabhu in #1497
• Fixes #1498. Don't remove await by @prabhu in #1509
• TypeError: project.modules.module.map is not a function by @readonlyuser1 in #1504
• fix:GH-1502 name root from package json by @ivanasabi in #1503
• #291 feat: vcs url for gopkg by @CaMoPeZzz in #1505
• Fix docker extract bugs by @prabhu in #1513
• asvs 5.0 - Beta by @prabhu in #1460

New Contributors

• @CaMoPeZzz made their first contribution in #1487
• @readonlyuser1 made their first contribution in #1504
• @ivanasabi made their first contribution in #1503

Full Changelog: v11.0.7...v11.0.8

Release v11.0.7

What's Changed

• Force package lock creation for stubborn projects with .npmrc by @prabhu in #1488

Full Changelog: v11.0.6...v11.0.7

Release v11.0.6

What's Changed

• Improve php tree by @prabhu in #1483
• Retain multiple SrcFile and identity evidences by @prabhu in #1484

Full Changelog: v11.0.5...v11.0.6

Release v11.0.5 - hey quarkus

cdxgen now supports the Quarkus framework with automatic detection for Maven projects—no configuration changes needed. It uses the official dependency-sbom goal but adds extra value by including phantom JARs that aren’t managed through Maven. With the research profile enabled (--profile research), cdxgen produces a highly detailed SBOM with occurrences and call stack evidence, offering better insights than the official implementation, which only tracks jar files.

cdxgenGPT is also updated to better understand the evidence information for decent reasoning performance.

What's Changed

Other Changes

• feat: quarkus maven support by @prabhu in #1480
• Improve printOccurrences function with streaming output for large SBO… by @deeshantk in #1482

New Contributors

• @deeshantk made their first contribution in #1482

Full Changelog: v11.0.4...v11.0.5

Release v11.0.4

What's Changed

Other Changes

• Expand snapshots part I by @cerrussell in #1467
• Tweaks for node.js ignore list by @prabhu in #1469
• Fix Index Boundary Error in parseCmakeLikeFile by @cerrussell in #1470
• refactor(dart): Use api /versions to avoid payload with all versions by @lsaudon in #1471
• Expand Python Snapshots by @cerrussell in #1473
• Track php per-module tree by @prabhu in #1475
• npm auto install for non-root package.json by @prabhu in #1478
• Added documentation for ML profiles in cdxgen by @satwiksps in #1477

New Contributors

• @satwiksps made their first contribution in #1477

Full Changelog: v11.0.3...v11.0.4

Release v11.0.3

What's Changed

Other Changes

• Replace toml library by @prabhu in #1468

Full Changelog: v11.0.2...v11.0.3

Release v11.0.2

What's Changed

🚀 Features

• dotnet 9 deep improvements by @prabhu in #1459

Other Changes

• update atom to get cpg 1.0.1 and the latest protobuf by @prabhu in #1462
• Safely handle components without names by @prabhu in #1464
• Update atom to get tagging and android apk improvements by @prabhu in #1465

Full Changelog: v11.0.1...v11.0.2

Release v11.0.1

Notable Features

• Official cdxgen base image updated to almalinux:10-kitten-minimal. dotnet 9 sdk is now used as default.
• All base images updated to use :v11 as the suffix. Due to a release mistake the last few cdxgen :v10 images inadvertently use cdxgen v11.0.0. Let us know if you are affected by this mistake.
• Latest dosai with support for dotnet 9 via cdxgen-plugins-bin@1.6.9.

What's Changed

Other Changes

• Package updates by @prabhu in #1458

Full Changelog: v11.0.0...v11.0.1

Release v11.0.0

Announcement blog on LinkedIn

Top Features

• New ML profiles (ml-tiny, ml, ml-deep) added. Pass them via the cli args --profile.
• New filter techniques (--min-confidence and --technique)

BREAKING changes

cyclonedx-maven-plugin is no longer used by default. PREFER_MAVEN_DEPS_TREE now defaults to true. Set this value to false should you prefer the cyclonedx maven plugin.

What's Changed

🚀 Features

• Automatic annotations and tagging by @prabhu in #1450
• Annotation improvements - part 2 by @prabhu in #1451
• Annotation improvements - part 5 by @prabhu in #1455
• Minimum confidence filter by @prabhu in #1457

Other Changes

• Enable CycloneDX 1.5 snapshots to be compared with 1.6. by @cerrussell in #1444
• fix: executable path in windows by @aryan-rajoria in #1441
• Annotations text for saasbom and cdxa by @prabhu in #1452
• Trim the saasbom to help all models including Gemini by @prabhu in #1454

Full Changelog: v10.11.0...v11.0.0