
Releases: sbom-tool/sbom-tools

v0.1.22

15 Jun 06:16
Immutable release. Only release title and notes can be modified.
dea7853


sbom-tools v0.1.22

Highlights

The AI BOM release. sbom-tools now treats AI systems as a first-class domain across the whole pipeline: it parses CycloneDX ML-BOMs and SPDX 3.0 AI/Dataset profiles, scores AI-readiness (AI-001…AI-010), machine-checks the EU AI Act (Annex IV) and the G7/BSI "SBOM for AI — Minimum Elements" standards, diffs model and dataset changes semantically, verifies model-weight integrity, enriches Hugging Face components, and renders AI-BOMs as a dedicated profile in the TUI (Models / Datasets / AI-Readiness tabs).

Alongside the AI work this release lands a large wave of correctness and security fixes — including a hostile-SBOM stack-overflow, empty OSV severity data, and broken CycloneDX XML parsing — a new convert command (CycloneDX ↔ SPDX), KEV/EPSS vulnerability enrichment with an offline/air-gapped mode, and broad CLI/TUI alignment.

Please read Upgrade notes below — this release changes several user-visible behaviors (scoring engine 2.1, stricter license-policy gating, logs moved to stderr, official EPSS endpoint).

What's New

AI / ML Bill of Materials

  • AI-readiness scoring profile. A dedicated quality --profile ai-readiness (and TUI AI-BOM profile) grades ten AI-specific checks (AI-001…AI-010): model-card, architecture, training datasets, quantitative analysis, fairness, ethical considerations, use-cases, limitations, energy, and model-weight hash integrity. (#205, #239, #246)
  • CycloneDX ML-BOM + SPDX 3.0 AI/Dataset parsing. Spec-compliant CycloneDX modelCard parsing (typed fairness/quantitative-analysis/considerations) and SPDX 3.0 AI + Dataset profile metadata including the trainedOn relationship. (#204, #208, #239)
  • Semantic ML model & dataset diffing. Model and dataset changes are diffed field-by-field — quantization, architecture, training-dataset add/remove, dataset sensitivity — with high diff-costs on provenance-loss and PII-escalation signals, instead of opaque blobs. (#244)
  • Model-weight integrity & Hugging Face enrichment. New AI-010 weight-hash check, a verify model-weights --model-dir subcommand (direct + HF cache layouts), and a Hugging Face enrichment source that maps siblings[].lfs.sha256 → component hashes, pipeline_tag → task, and routes pkg:huggingface models into the vulnerability stack. (#246, #253)
  • SBOM-AIBOM-* SARIF rule family for AI-readiness findings, and TUI rendering of ML model / dataset metadata in the component-detail panel. (#207, #206)

Compliance

  • EU AI Act (Annex IV) readiness compliance level with SBOM-AIACT-* SARIF rules, N/A-gated for non-AI SBOMs and severity-escalated by the CRA high-risk-AI flag. (#245)
  • G7 / BSI "SBOM for AI — Minimum Elements" readiness — a new validate --standard bsi-ai profile that scores an AI-BOM element-by-element across the seven BSI clusters (among them Metadata, System-Level, Models, Datasets, Infrastructure and Security) with SBOM-BSIAI-* rules. (#255)
  • Compliance rule registry. Every violation now carries a stable rule_id; SARIF rule IDs and standard references come from a single registry instead of fragile message-text matching. (#231, #233)

Cross-format conversion

  • convert command. Re-emit any parsed SBOM to CycloneDX 1.7 or SPDX 2.3 with a fidelity report listing synthesized/dropped fields, built on an opt-in source-field preservation slot. (#241, #243, #247)

Vulnerability enrichment

  • CISA KEV and EPSS enrichment. New --kev / --epss flags surface Known-Exploited-Vulnerabilities flags and EPSS exploit-probability on vulnerabilities, with --fail-on-kev gating, KEV/EPSS columns in reports, and a watch-mode "entered KEV" alert. (#235, #237)
  • Offline / air-gapped mode + cache management. A global --offline (and SBOM_TOOLS_OFFLINE) serves enrichment purely from cache, plus a new cache status / warm / clear / export / import subcommand for sneakernet transfer. (#238)
  • Unified enrichment platform. All sources (OSV, EOL, VEX, KEV, staleness, EPSS, Hugging Face) now share one EnrichmentSource trait, an atomic-write cache with schema versioning, and a single retry/User-Agent HTTP client. (#230)

CLI & TUI

  • Global --config file is now honored by every command (it was previously read only by config show), with CLI-flag > file > default precedence. (#227)
  • Stdin input (- as a path) for diff/quality/validate/query/vex, enabling syft … | sbom-tools quality - pipelines. (#224)
  • Typed exit codes & NDJSON output. Per-command exit codes, clap value-enums (typos fail at parse), and a wired -o ndjson format. (#226)
  • Document-metadata diffing. diff now reports author, tool, timestamp, spec-version, signature and serial-number changes. (#254)
  • AI-BOM is first-class in the TUI — detected as its own profile with AI-readiness scoring and dedicated Models / Datasets / AI-Readiness tabs, plus EPSS/KEV badges, a KEV filter, richer component detail, and a profile-aware help overlay. (#258, #257, #259, #261, #260, #223)

Bug Fixes

  • Hostile-SBOM stack-overflow fixed. Cycle detection is now iterative (Tarjan SCC); a deeply-nested dependency chain previously aborted the process (and any FFI host) via stack overflow. (#215)
  • OSV enrichment now carries severity / CVSS / description. Results from /v1/querybatch (id-only) are hydrated via /v1/vulns/{id}; previously enriched vulnerabilities had empty severity and were cached empty for 24h. (#219)
  • CycloneDX XML parsing fixed for spec-conformant documents (components, dependencies, vulnerabilities, license choice, xmlns spec version). (#214)
  • License policy correctness. fail_on_conflict now actually fails, concluded-only licenses are evaluated against the deny list, and deny-patterns match per-operand in SPDX expressions (deny "GPL-*" now catches MIT OR GPL-3.0-only). (#212)
  • Per-component license changes are populated in diffs (the field was always empty), and the Licenses TUI tab no longer falsely reports "no changes". (#211, #259)
  • Watch mode no longer fires false "resolved vulnerability" alerts on file changes (re-parsed SBOMs are now enriched before diffing). (#221)
  • Incremental diff cache no longer splices sections from an unrelated cached pair, and diff errors propagate instead of becoming "no changes". (#217)
  • Deterministic diffs. Fixed-seed MinHash and stable solver ordering make diff output reproducible above the LSH threshold (CI --fail-on-* gating). (#218)
  • Machine output is parseable again. Logs are written to stderr so -o json / -o sarif / -o ndjson on stdout is valid when piped or redirected (previously two INFO lines preceded the JSON, breaking SARIF upload and jq). (#256)
  • Multi-SBOM commands honor their flags. diff-multi/timeline/matrix now apply --graph-*/filter/rules and can reach exit code 4, and reject unsupported -o values. (#225)
  • Output hardening. CSV formula-injection guard, terminal control-char sanitization, and a TUI panic hook that restores the terminal. (#213)
  • Enrichment entry-point consistency. enrich/watch/query now route through the unified orchestrator so --kev/--epss/--huggingface take effect everywhere, query --offline no longer makes network calls, and the EPSS default endpoint is the official FIRST host with a response-size bound. (#249, #248, #247)
  • FFI binding parity. The AiReadiness profile is exposed in the Go / Swift wrappers with a CI drift check, and the sbom-tools-ffi crate's version/cargo publish blockers are fixed. (#216, #234)
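The stack-overflow fix above and the scoring-engine 2.1 note under Upgrade notes describe the same change: cycle detection that walks the dependency graph with an explicit work stack and reports strongly-connected components instead of DFS back-edges. The following is an added example of that technique, written for this page and not sbom-tools' own code; the DepGraph type, its bom-ref naming and the sample graph (a 200,000-deep chain, one three-component ring, one self-dependency) are constructed for the illustration.

```rust
use std::collections::HashMap;

/// Minimal dependency graph keyed by bom-ref. Edges point from a component
/// to the components it depends on. (Constructed type for this example,
/// not sbom-tools' own graph.)
#[derive(Default)]
pub struct DepGraph {
    names: Vec<String>,
    index: HashMap<String, usize>,
    adj: Vec<Vec<usize>>,
}

impl DepGraph {
    fn id(&mut self, name: &str) -> usize {
        if let Some(&i) = self.index.get(name) {
            return i;
        }
        let i = self.names.len();
        self.names.push(name.to_string());
        self.index.insert(name.to_string(), i);
        self.adj.push(Vec::new());
        i
    }

    pub fn add_edge(&mut self, from: &str, to: &str) {
        let (f, t) = (self.id(from), self.id(to));
        self.adj[f].push(t);
    }

    /// Tarjan's SCC algorithm with an explicit work stack instead of
    /// recursion, so a hostile SBOM with a very deep dependency chain cannot
    /// exhaust the thread's native stack.
    pub fn sccs(&self) -> Vec<Vec<usize>> {
        let n = self.adj.len();
        let mut index = vec![usize::MAX; n];
        let mut low = vec![0usize; n];
        let mut on_stack = vec![false; n];
        let mut stack: Vec<usize> = Vec::new();
        let mut work: Vec<(usize, usize)> = Vec::new(); // (node, next edge slot)
        let mut next = 0usize;
        let mut out = Vec::new();

        for root in 0..n {
            if index[root] != usize::MAX {
                continue;
            }
            index[root] = next;
            low[root] = next;
            next += 1;
            stack.push(root);
            on_stack[root] = true;
            work.push((root, 0));

            while let Some(&(v, i)) = work.last() {
                if i < self.adj[v].len() {
                    let w = self.adj[v][i];
                    work.last_mut().unwrap().1 = i + 1;
                    if index[w] == usize::MAX {
                        // unvisited child: "recurse" by pushing a frame
                        index[w] = next;
                        low[w] = next;
                        next += 1;
                        stack.push(w);
                        on_stack[w] = true;
                        work.push((w, 0));
                    } else if on_stack[w] {
                        low[v] = low[v].min(index[w]);
                    }
                } else {
                    // all edges of v done: propagate lowlink, then pop an SCC if v is its root
                    work.pop();
                    if let Some(&(p, _)) = work.last() {
                        low[p] = low[p].min(low[v]);
                    }
                    if low[v] == index[v] {
                        let mut scc = Vec::new();
                        loop {
                            let w = stack.pop().expect("tarjan stack underflow");
                            on_stack[w] = false;
                            scc.push(w);
                            if w == v {
                                break;
                            }
                        }
                        out.push(scc);
                    }
                }
            }
        }
        out
    }

    /// Real cycles only: an SCC of size >= 2, or a single node that depends on
    /// itself. One ring of N components is therefore one cycle, not N back-edges.
    pub fn cycles(&self) -> Vec<Vec<String>> {
        self.sccs()
            .into_iter()
            .filter(|scc| scc.len() > 1 || self.adj[scc[0]].contains(&scc[0]))
            .map(|scc| scc.iter().map(|&i| self.names[i].clone()).collect::<Vec<String>>())
            .collect()
    }
}

/// Constructed hostile-style input: a 200_000-deep chain plus one 3-node ring
/// and one self-loop. A recursive DFS would need 200k frames for the chain.
pub fn build_sample() -> DepGraph {
    let mut g = DepGraph::default();
    for i in 0..200_000 {
        g.add_edge(&format!("pkg:generic/chain@{i}"), &format!("pkg:generic/chain@{}", i + 1));
    }
    g.add_edge("pkg:npm/a@1", "pkg:npm/b@1");
    g.add_edge("pkg:npm/b@1", "pkg:npm/c@1");
    g.add_edge("pkg:npm/c@1", "pkg:npm/a@1");
    g.add_edge("pkg:npm/self@1", "pkg:npm/self@1");
    g
}

fn main() {
    let g = build_sample();
    for c in g.cycles() {
        println!("cycle: {}", c.join(" -> "));
    }
}
```

The explicit stack lives on the heap and grows with the input, which is what turns an attacker-controlled abort (fatal for an FFI host as well) into an ordinary allocation. Counting SCCs also gives the scoring engine one hit per ring rather than one per back-edge, which is the behaviour change the Upgrade notes warn about.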
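The CSV formula-injection guard and terminal control-character sanitization listed under Output hardening are two separate checks on untrusted SBOM strings. The block below is an added example of both, not code from the project; the report row layout and the sample component names (one carrying a spreadsheet formula, one carrying ANSI escapes) are constructed for the illustration.

```rust
/// Leading characters that spreadsheets treat as the start of a formula.
/// Tab and CR are included because some importers honour them too.
const FORMULA_TRIGGERS: [char; 6] = ['=', '+', '-', '@', '\t', '\r'];

/// Quote one CSV cell (RFC 4180 style) and defuse formula injection: a cell
/// whose first character is a trigger gets a leading apostrophe, so
/// `=HYPERLINK(...)` or `-2+3+cmd|' /C calc'!A0` is imported as text.
pub fn csv_cell(raw: &str) -> String {
    let mut cell = String::with_capacity(raw.len() + 3);
    cell.push('"');
    if raw.chars().next().map_or(false, |c| FORMULA_TRIGGERS.contains(&c)) {
        cell.push('\'');
    }
    for ch in raw.chars() {
        if ch == '"' {
            cell.push('"'); // double any embedded quote
        }
        cell.push(ch);
    }
    cell.push('"');
    cell
}

/// Join guarded cells into one CSV record.
pub fn csv_row(fields: &[&str]) -> String {
    fields.iter().map(|f| csv_cell(f)).collect::<Vec<_>>().join(",")
}

/// Strip terminal control characters from an untrusted string before it is
/// drawn in a TUI or written to a terminal report. Removes C0 (which
/// includes ESC, so CSI/OSC sequences lose their introducer and render as
/// plain text), DEL and C1 controls; a tab becomes a single space.
pub fn sanitize_terminal(raw: &str) -> String {
    raw.chars()
        .filter_map(|c| match c {
            '\t' => Some(' '),
            c if c.is_control() => None,
            c => Some(c),
        })
        .collect()
}

/// Constructed sample rows: (component, version, license). The first name
/// carries a spreadsheet formula, the second fakes a coloured severity badge.
pub const SAMPLE_ROWS: [(&str, &str, &str); 3] = [
    ("=HYPERLINK(\"http://evil.example/\",\"lodash\")", "4.17.21", "MIT"),
    ("\x1b[31mCRITICAL\x1b[0m left-pad", "1.3.0", "WTFPL"),
    ("serde", "1.0.150", "MIT OR Apache-2.0"),
];

/// Build a CSV report with every cell guarded.
pub fn build_csv(rows: &[(&str, &str, &str)]) -> String {
    let mut out = csv_row(&["component", "version", "license"]);
    for &(name, version, license) in rows {
        out.push('\n');
        out.push_str(&csv_row(&[name, version, license]));
    }
    out
}

fn main() {
    println!("{}", build_csv(&SAMPLE_ROWS));
    for (name, _, _) in SAMPLE_ROWS {
        println!("tui: {}", sanitize_terminal(name));
    }
}
```

The two guards are deliberately separate: the CSV path must keep the raw text (an auditor wants to see the formula string) but make it inert for a spreadsheet, while the terminal path only has to stop the bytes from being interpreted by the emulator.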
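The license-policy fix above turns on one detail: a deny pattern is matched against each operand of an SPDX expression, not against the expression string as a whole. The following added example (not the project's implementation) shows a minimal operand splitter, a `*`-only glob matcher and a policy check that evaluates declared and concluded licenses; the LicensePolicy and Component types are assumed for the illustration.

```rust
/// Split an SPDX expression into its licence operands. Parentheses and the
/// AND / OR operators are dropped, a trailing `+` is stripped, and a
/// `WITH <exception>` clause loses the exception token, since a deny pattern
/// targets the licence, not the exception.
pub fn spdx_operands(expr: &str) -> Vec<String> {
    let cleaned = expr.replace(|c| c == '(' || c == ')', " ");
    let mut out = Vec::new();
    let mut skip_next = false;
    for tok in cleaned.split_whitespace() {
        if skip_next {
            skip_next = false;
            continue;
        }
        match tok.to_ascii_uppercase().as_str() {
            "AND" | "OR" => {}
            "WITH" => skip_next = true,
            _ => out.push(tok.trim_end_matches('+').to_string()),
        }
    }
    out
}

/// Minimal anchored glob: `*` matches any run of characters, everything else
/// is a case-insensitive literal. "GPL-*" matches "GPL-3.0-only" but not
/// "LGPL-2.1-only".
pub fn glob_match(pattern: &str, text: &str) -> bool {
    fn go(p: &[u8], t: &[u8]) -> bool {
        match (p.first(), t.first()) {
            (None, None) => true,
            (Some(b'*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some(pc), Some(tc)) => pc == tc && go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    go(
        pattern.to_ascii_lowercase().as_bytes(),
        text.to_ascii_lowercase().as_bytes(),
    )
}

/// Assumed policy and component shapes for this example.
pub struct LicensePolicy {
    pub deny: Vec<String>,
}

pub struct Component {
    pub name: String,
    pub declared: Option<String>,
    pub concluded: Option<String>,
}

/// Every operand of every licence expression on the component, declared and
/// concluded alike, is tested against every deny pattern. Returns the
/// distinct (pattern, operand) hits; an empty result means the component
/// passes the policy.
pub fn license_violations(policy: &LicensePolicy, c: &Component) -> Vec<(String, String)> {
    let mut hits: Vec<(String, String)> = Vec::new();
    for expr in [&c.declared, &c.concluded].into_iter().flatten() {
        for operand in spdx_operands(expr) {
            for pat in &policy.deny {
                if glob_match(pat, &operand) {
                    let hit = (pat.clone(), operand.clone());
                    if !hits.contains(&hit) {
                        hits.push(hit);
                    }
                }
            }
        }
    }
    hits
}

fn main() {
    let policy = LicensePolicy { deny: vec!["GPL-*".into(), "AGPL-*".into()] };
    let comp = Component {
        name: "pkg:npm/dual-licensed@1.0.0".into(),
        declared: Some("MIT OR GPL-3.0-only".into()),
        concluded: None,
    };
    for (pat, op) in license_violations(&policy, &comp) {
        println!("{}: operand {} matches deny pattern {}", comp.name, op, pat);
    }
}
```

Matching per operand is the conservative reading of a deny list: a component offered under "MIT OR GPL-3.0-only" still contains GPL-licensed terms a reviewer must look at, even though a consumer may legally pick MIT.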

Performance

  • Sparse assignment matching. The dense O(n²) Hungarian path (≈200 MB / effective hang on cross-format diffs) is replaced by a sparse solver over the candidate edge list. (#232)
  • In-place enrichment mutation removes a 2× component-map copy per pass, and report-stage compliance is computed lazily per reporter. (#236)
  • TUI dependency tab caches its graph and uses an iterative longest-path, eliminating a per-frame rebuild and an exponential depth calculation. (#223)

Internal & Quality

  • Compliance engine split into a StandardChecker per-standard module layout behind a registry, and the enrichment platform unified behind one trait. (#233, #230)
  • cli / tui feature gates so the FFI staticlib and fuzz targets no longer link ratatui/clap/rustls (FFI dependency tree 281 → 104 crates). (#228)
  • Test infrastructure. A ratatui TestBackend snapshot harness for the TUI, golden snapshots for all report formats (plus streaming-JSON validity fixes), graph-shaped hot-path benches, and diff/scoring property tests. (#229, #240, #242, #218)

Infrastructure

  • Dependency bumps: ratatui 0.30.0 → 0.30.1, chrono 0.4.44 → 0.4.45, regex 1.12.3 → 1.12.4, reqwest 0.13.3 → 0.13.4, serde_json 1.0.149 → 1.0.150, libfuzzer-sys 0.4.12 → 0.4.13, plus dagger-SDK-only bumps. New runtime dependency: flate2 (gzip, enrichment feature) for the EPSS bulk feed. (#251, #252, #195, #196, #222, #248)
  • GitHub Actions bumps: codeql-action → 4.36.1, cargo-deny-action → 2.0.20, actions/checkout → 6.0.3; SHA-pin hygiene + expanded Dependabot coverage; fuzz CI now installs cargo-fuzz with the nightly toolchain. (#193, #194, #199, #200, #202)
  • Total tests: 1560 (1014 lib + 546 integration), up from 1214 in v0.1.21.
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap().

Upgrade notes

These behaviors changed in this release:

  • Scoring engine 2.0 → 2.1. Cycle detection now counts strongly-connected components (actual cycles) rather than DFS back-edges, so quality scores for SBOMs with cyclic dependencies may change. (#215)
  • semantic_score now counts per-component license transitions, so diffs that change a component's license score slightly lower than before. (#211)
  • **License-policy gating ...

v0.1.21

23 May 20:12
063fcc1


sbom-tools v0.1.21

Highlights

Focused bug-fix release. view -o json now emits the full enriched vulnerability detail (not just counts), diff semantic similarity is correctly bounded to 0–100 (previously could exceed 100% on large diffs), and CRA compliance sections in Markdown/HTML diff reports collapse to a compact summary so reports stay readable on SBOMs with hundreds of components.

Bug Fixes

  • view -o json now emits enriched vulnerability detail. The JSON view previously dropped enriched OSV/KEV data and emitted only a per-component count, even when --enrich-vulns was set. Each component now serializes the full vulnerability list (id, source, severity, CVSS, fixed_version, CWEs, KEV info, VEX status, description, dates), and the document gains a top-level vulnerabilities[] array flattened across all components. Each component and flattened entry is also tagged with dependency_kind (primary / direct / transitive). (#179, fixes #178)
  • diff semantic similarity bounded to 0–100. DiffResult::semantic_score is normalized against an SBOM-size-derived upper bound and clamped to [0, 100], fixing reports of values like 916% on heavy-churn diffs. Identical SBOMs (matching content hash) now correctly report 100.0. (#188, fixes #180)
  • Compact CRA compliance section in human-readable diff reports. Markdown and HTML diff reports previously emitted a full violation table per CRA finding, ballooning to 14k+ lines on real SBOMs. The diff path now emits a compact "N findings across M groups" summary with a pointer to -o json / -o sarif for full structured detail. Single-SBOM view reports and JSON/SARIF outputs are unchanged. (#189, fixes #181)

Infrastructure

  • Dependency bumps: quick-xml 0.39.3 → 0.40.1, clap_complete 4.6.3 → 4.6.5, tokio 1.52.2 → 1.52.3 (dagger SDK only).
  • GitHub Actions bumps: codeql-action 4.35.3 → 4.35.5, cargo-deny-action 2.0.17 → 2.0.18, crates-io-auth-action SHA-pin refresh.
  • Total tests: 1214 (787 lib + 427 integration), up from 1196 in v0.1.20.
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap().

Acknowledgments

Thanks to @MChorfa (Mohamed Chorfa) for contributing the fixes behind all three user-facing improvements in this release (#179, #188, #189), and to @cmyank0 and @VincentR-OCD for the bug reports that drove them.


Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.20...v0.1.21

v0.1.20

10 May 08:31
5f1afaa


sbom-tools v0.1.20

Highlights

sbom-tools v0.1.20 ships end-to-end EU Cyber Resilience Act (CRA) readiness: prEN 40000-1-3 normative requirement IDs, CRA product-class & conformity-route severity calibration, Article 24 open-source software steward profile, BSI TR-03183-2 §5/§6 checks, CSAF v2.0 ingest and emit (ISO/IEC 20153:2025), and a cra-docs CLI that prefills Annex V documentation directly from the SBOM + sidecar. The release also adds CRA standards-drift detection to watch, with alerts routed through the existing AlertSink so they show up alongside SBOM file changes and vulnerability discoveries — no new daemon, no new TUI tab.

Combined with the CBOM scoring engine shipped in v0.1.19 and the existing NIS2 / GDPR / AI Act / RED overlap surfaces, sbom-tools is now the most complete open-source CRA conformity-assessment toolkit covering Articles 13/14, Article 24, and Annex I–VIII obligations.

What's New

CRA Compliance Engine (Articles 13/14, Article 24, Annexes I–VIII)

  • 5 new ComplianceLevel variants (9 → 14): Cnsa2 (NSA CNSA 2.0), NistPqc (FIPS 203/204/205 + IR 8547), BsiTr03183_2 (German national CRA-aligned guideline), CraOssSteward (Article 24 lighter profile), EuccSubstantial (Reg. (EU) 2024/482 reference profile)
  • --cra-product-class {Default|ImportantClass1|ImportantClass2|Critical} on validate, quality, view: drives Annex III/IV severity calibration, conformity-route gating (Module A / B+C / H / EUCC), vendor-hash thresholds (50/80/80/100%), and severity ramp for EOL components, DoC presence, Article 14 PSIRT readiness, and EUCC reference
  • ConformityAssessmentSummary + ConformityEvidence on ComplianceResult: per-route checklist (DoC + Module-specific evidence + PSIRT). Surfaced in markdown / HTML reports and TUI compliance view as Annex VIII: <route> (<class>) N/M evidence
  • is_oss_steward sidecar profile: SBOM + vuln-handling + CVD policy floor enforced; manufacturer email, EU DoC, module attestation, hardware [PRE-8-RQ-02], and vendor-hash carry-through skipped. Aliases: --standard oss-steward / cra-oss / cra-art24 / art24

CSAF v2.0 (ISO/IEC 20153:2025)

  • CSAF ingest in src/enrichment/vex/csaf.rs: auto-detect priority CSAF → CycloneDX VEX → OpenVEX. Maps product_status (known_affected / known_not_affected / fixed / first_fixed / under_investigation / recommended / last_affected) to VexState. Resolves product_id → PURL via full_product_names + recursive branches + relationships; CVE → ids[].text fallback for vuln ID
  • CSAF emit via new vex export --format csaf CLI: closes the round-trip — SBOM → CSAF → re-ingest preserves identical VEX states. Maps {Affected|NotAffected|Fixed|UnderInvestigation} → CSAF product status keys; CVE/GHSA dual-path on vulnerability IDs

Commands & CLI

  • cra-docs: new subcommand that generates eu-declaration-of-conformity.md (Annex V DoC), technical-documentation.md (Annex V tech-doc summary, with NIS2 / GDPR / AI Act / RED overlap section when respective sidecar flags are set), and vulnerability-handling-policy.md (Annex I Part II) — prefilled from sidecar + SBOM + ComplianceChecker. Auto-discovery extended to multi-extension stems (app.cdx.json resolves app.cra.json)
  • cra-standards-watch: new subcommand that prints a curated 8-artefact catalogue (prEN 40000-1-3, prEN 40000-1-2, BSI TR-03183-2, CSAF v2.0, ENISA SBOM Guidance, EUCC, STAN4CRA, ETSI EN 303 6xx) with last-known versions and --check-online HTTP-status probe
  • vex export --format csaf: CSAF v2.0 advisory emitter (see above)
  • watch --cra-standards (+ --cra-standards-interval=24h, --cra-standards-timeout=10s): periodically probe the CRA standards catalogue from the watch loop and surface drift through existing alert sinks

Watch & AlertSink

  • AlertSink::on_cra_standard (default no-op trait method): carries CraStandardEvent with InitialBaseline / StatusChanged kinds — keeps the trait extensible without churning third-party sinks
  • Stdout sink: timestamped human-readable line per drift ([12:34:56] cra-standard BSI-TR-03183-2: status drift 200 OK -> 503 Service Unavailable)
  • NDJSON sink: structured {"type":"cra_standard","kind":"status_changed",...} records for SIEM/jq pipelines
  • Webhook sink: deliberately stays at the trait default — drift signals are low-value to spam to webhooks
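The AlertSink design above relies on one Rust pattern: adding a trait method with a default body so that third-party sinks keep compiling and only the sinks that care override it. This added example (not sbom-tools' code) shows that pattern with a stdout sink, an NDJSON sink and a webhook sink that leaves the default in place; the event fields, the pre-formatted timestamp and the hand-rolled JSON escaping are assumptions made here to keep the block self-contained.

```rust
/// What a periodic probe of the CRA standards catalogue reports.
#[derive(Debug, Clone, PartialEq)]
pub enum CraStandardKind {
    InitialBaseline,
    StatusChanged,
}

/// Assumed event shape. `time` is pre-formatted "HH:MM:SS" so no clock crate is needed.
#[derive(Debug, Clone)]
pub struct CraStandardEvent {
    pub time: String,
    pub standard: String,
    pub kind: CraStandardKind,
    pub old_status: Option<String>,
    pub new_status: String,
}

pub trait AlertSink {
    fn on_file_change(&mut self, path: &str);

    /// Added after the trait already had implementors: the default body means
    /// none of them has to change, and only sinks that care override it.
    fn on_cra_standard(&mut self, _event: &CraStandardEvent) {}
}

#[derive(Default)]
pub struct StdoutSink {
    pub lines: Vec<String>,
}

impl AlertSink for StdoutSink {
    fn on_file_change(&mut self, path: &str) {
        self.lines.push(format!("sbom changed: {path}"));
    }
    fn on_cra_standard(&mut self, ev: &CraStandardEvent) {
        let line = match (&ev.kind, &ev.old_status) {
            (CraStandardKind::StatusChanged, Some(old)) => format!(
                "[{}] cra-standard {}: status drift {} -> {}",
                ev.time, ev.standard, old, ev.new_status
            ),
            _ => format!("[{}] cra-standard {}: baseline {}", ev.time, ev.standard, ev.new_status),
        };
        self.lines.push(line);
    }
}

/// Hand-rolled JSON string escaping (this example has no serde_json).
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

#[derive(Default)]
pub struct NdjsonSink {
    pub records: Vec<String>,
}

impl AlertSink for NdjsonSink {
    fn on_file_change(&mut self, path: &str) {
        self.records.push(format!("{{\"type\":\"file_change\",\"path\":{}}}", json_str(path)));
    }
    fn on_cra_standard(&mut self, ev: &CraStandardEvent) {
        let kind = match ev.kind {
            CraStandardKind::InitialBaseline => "initial_baseline",
            CraStandardKind::StatusChanged => "status_changed",
        };
        let old = ev.old_status.as_deref().map_or("null".to_string(), json_str);
        self.records.push(format!(
            "{{\"type\":\"cra_standard\",\"kind\":\"{}\",\"standard\":{},\"old\":{},\"new\":{}}}",
            kind, json_str(&ev.standard), old, json_str(&ev.new_status)
        ));
    }
}

/// Keeps the trait default on purpose: drift is not worth a webhook delivery.
#[derive(Default)]
pub struct WebhookSink {
    pub deliveries: usize,
}

impl AlertSink for WebhookSink {
    fn on_file_change(&mut self, _path: &str) {
        self.deliveries += 1;
    }
}

/// The watch loop fans one event out to every configured sink.
pub fn dispatch(sinks: &mut [Box<dyn AlertSink>], ev: &CraStandardEvent) {
    for sink in sinks.iter_mut() {
        sink.on_cra_standard(ev);
    }
}
```

Because the NDJSON record is one object per line, a `jq 'select(.type=="cra_standard" and .kind=="status_changed")'` filter on the stream is enough for a SIEM forwarder; the stdout line is for a human watching the loop.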

Reporting & SARIF

  • SARIF helpUri populated on rules, plus results.standardHelpUris, drawn from canonical EUR-Lex / BSI / NIST / OASIS URLs. New StandardKind::canonical_help_uri() and SarifRuleWithUri serialization wrapper
  • docs/CRA_COMPLIANCE.md reverse-mapping table covering CRA Articles 13/14, all Annexes, Article 24, BSI TR-03183-2, CSAF v2.0, the P3.2 calibration table, a CLI cheat sheet, a sidecar example, and a standards bibliography. Linked from README

TUI

  • New policy presets: EuccSubstantial, CraOssSteward (alongside the existing Cra / Ntia / Fda / NistSsdf / Eo14028)
  • Conformity-assessment summary rendered on the compliance view per active product class
  • Sidecar plumbing so CRA-specific scoring + class-aware severities reach the TUI without round-tripping through CLI

Compliance Levels — Now 14

Up from 9 in v0.1.19: Minimum, Standard, NtiaMinimum, CraPhase1, CraPhase2, FdaMedicalDevice, NistSsdf, Eo14028, Cnsa2, NistPqc, BsiTr03183_2, CraOssSteward, EuccSubstantial, Comprehensive. ComplianceLevel::all() auto-reflects every variant into the TUI compliance tabs.

Bug Fixes

  • cra-docs section numbering: Annex V tech-doc previously emitted duplicate 5.x headings when the NIS2 / GDPR / AI Act / RED overlap section was active — now correctly renumbers
  • TUI sidecar plumbing: compliance view no longer dropped CRA-specific severities when the sidecar was loaded from disk (audit-fix landed alongside P5 polish)
  • clippy 1.88 cleanup: uninlined_format_args and derivable_impls in CSAF/CRA paths

Infrastructure

  • 24 new CRA-product-class tests (tests/cra_product_class_tests.rs)
  • 12 new OSS-steward tests (tests/cra_oss_steward_tests.rs)
  • 9 new conformity-assessment-summary tests + 8 new SARIF-helpUri tests + 9 new CSAF tests + 7 cra-docs integration + golden CRA fixtures (compliant + 2 non-compliant variants)
  • Total tests: 1196 (787 lib + 409 integration), up from ~802 in v0.1.19
  • Dependabot bumps: clap_complete 4.6.2 → 4.6.3, reqwest 0.13.2 → 0.13.3, quick-xml 0.39.2 → 0.39.3, dagger-sdk 0.20.4 → 0.20.8 (rust-sdk), tokio 1.51.1 → 1.52.2 (rust-sdk), indexmap 2.13.1 → 2.14.0, clap 4.6.0 → 4.6.1
  • Security fixes: rand, rustls-webpki (PR #145, PR #156)
  • GitHub Actions bumps: crates-io-auth-action, codeql-action 4.35.2 → 4.35.3, cosign-installer 4.1.1 → 4.1.2, cargo-deny-action 2.0.15 → 2.0.17, upload-artifact 7.0.0 → 7.0.1
  • 0 clippy warnings (default + all-features) on Rust 1.88; 0 production unwrap()

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.19...v0.1.20

v0.1.19

10 Apr 23:12
057fa6b


Highlights

sbom-tools now includes a full CBOM (Cryptographic Bill of Materials) quality scoring engine — the first open-source CLI tool to grade cryptographic inventory health alongside traditional SBOM quality. CBOMs receive crypto-specific scores across 8 categories: algorithm strength, PQC readiness, OID coverage, crypto completeness, key/certificate lifecycle, cross-reference resolution, provenance, and licenses. Hard caps enforce grade ceilings for broken cryptography (D max), compromised keys (C max), and zero post-quantum migration (C max).

Combined with the CBOM architecture shipped in v0.1.18 (CycloneDX 1.6/1.7 cryptoProperties parsing, CNSA 2.0 + NIST PQC compliance, 5 dedicated TUI tabs), sbom-tools now provides end-to-end CBOM lifecycle support — from parsing to scoring to interactive analysis to compliance reporting.

What's New

CBOM Quality Scoring Engine

  • ScoringProfile::Cbom: New 8-category scoring profile with crypto-tuned weights — Algorithm Strength (0.22), PQC Readiness (0.15), Crypto Completeness (0.15), OID Coverage (0.15), Crypto Lifecycle (0.13), Cross-References (0.10), Provenance (0.08), Licenses (0.02)
  • 12 granular metrics, including algorithms_with_oid, algorithms_with_family, algorithms_with_primitive, algorithms_with_security_level, certs_with_signature_algo_ref, keys_with_algorithm_ref, protocols_with_cipher_suites, keys_with_state, keys_with_protection, keys_with_lifecycle_dates and certs_with_validity_dates
  • 6 per-category scoring methods: Each computes a 0-100 score from real field coverage (no proxies) — completeness measures family/primitive/level coverage, identifiers measure OID presence, lifecycle blends key state/protection/dates with certificate validity
  • Hard caps for critical crypto issues: Broken algorithms (MD5, DES, RC4) → D max; compromised keys → C max; zero quantum-safe algorithms → C max
  • Auto-detection: BomProfile::detect() triggers CBOM scoring when ≥3 crypto components make up >50% of the BOM — works in both view and diff modes
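Two rules in this list decide how a CBOM is graded: the auto-detection threshold (at least three crypto components that also make up more than half the BOM) and the hard caps that bound the grade regardless of the weighted score. The block below is an added example of both, not the project's scoring code; the Comp model, the letter-grade thresholds (90/80/70/60) and the sample inventory are assumptions made for the illustration.

```rust
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BomProfile {
    Standard,
    Cbom,
}

/// Assumed minimal component model: only the fields detection and the caps
/// look at.
pub struct Comp {
    pub name: &'static str,
    pub is_crypto: bool,
    pub algorithm: Option<&'static str>,
    pub key_compromised: bool,
    pub quantum_safe: bool,
}

/// CBOM scoring is selected when at least three crypto assets are present AND
/// they are strictly more than half of all components. `crypto * 2 > total`
/// is the integer form of ">50%", so 3 of 6 stays Standard.
pub fn detect(components: &[Comp]) -> BomProfile {
    let crypto = components.iter().filter(|c| c.is_crypto).count();
    if crypto >= 3 && crypto * 2 > components.len() {
        BomProfile::Cbom
    } else {
        BomProfile::Standard
    }
}

/// Declared worst-to-best so Ord gives F < D < C < B < A.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Grade {
    F,
    D,
    C,
    B,
    A,
}

/// Assumed letter thresholds; the release notes do not state them.
pub fn grade_for(score: f64) -> Grade {
    match score {
        s if s >= 90.0 => Grade::A,
        s if s >= 80.0 => Grade::B,
        s if s >= 70.0 => Grade::C,
        s if s >= 60.0 => Grade::D,
        _ => Grade::F,
    }
}

const BROKEN_ALGORITHMS: [&str; 3] = ["MD5", "DES", "RC4"];

/// Apply the CBOM hard caps: the weighted score can lower a grade but can
/// never lift it above the strictest cap that applies.
pub fn cbom_grade(score: f64, components: &[Comp]) -> Grade {
    let crypto: Vec<&Comp> = components.iter().filter(|c| c.is_crypto).collect();
    let mut cap = Grade::A;
    if crypto.iter().any(|c| {
        c.algorithm
            .map_or(false, |a| BROKEN_ALGORITHMS.contains(&a.to_ascii_uppercase().as_str()))
    }) {
        cap = cap.min(Grade::D); // broken primitive in use
    }
    if crypto.iter().any(|c| c.key_compromised) {
        cap = cap.min(Grade::C); // a compromised key anywhere in the inventory
    }
    if !crypto.is_empty() && !crypto.iter().any(|c| c.quantum_safe) {
        cap = cap.min(Grade::C); // zero post-quantum migration
    }
    grade_for(score).min(cap)
}

/// Constructed inventory: five assets, four of them crypto, one still on MD5.
pub fn sample_cbom() -> Vec<Comp> {
    vec![
        Comp { name: "md5", is_crypto: true, algorithm: Some("MD5"), key_compromised: false, quantum_safe: false },
        Comp { name: "aes-256-gcm", is_crypto: true, algorithm: Some("AES"), key_compromised: false, quantum_safe: true },
        Comp { name: "ml-kem-768", is_crypto: true, algorithm: Some("ML-KEM"), key_compromised: false, quantum_safe: true },
        Comp { name: "tls-server-key", is_crypto: true, algorithm: None, key_compromised: false, quantum_safe: false },
        Comp { name: "openssl", is_crypto: false, algorithm: None, key_compromised: false, quantum_safe: false },
    ]
}

fn main() {
    let inv = sample_cbom();
    println!("profile: {:?}", detect(&inv));
    println!("grade at 95: {:?}", cbom_grade(95.0, &inv));
}
```

The caps are the security-relevant part: a high coverage score on an inventory that still ships MD5 is exactly the case where a plain weighted average would mislead, so the cap is applied after scoring rather than folded into a weight.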

Commands & CLI

  • quality --profile cbom: Evaluate CBOM quality from the command line with crypto-specific grades and recommendations
  • Diff mode awareness: Both old and new SBOMs auto-detect CBOM profile, each scored with the appropriate engine

TUI

  • Dynamic quality chart: Bar labels switch to Crpt/OIDs/Algo/Refs/Life/PQC/Prov/Lic in CBOM mode; header shows crypto category names for strongest/weakest
  • Crypto Inventory panel: Asset counts, quantum readiness %, and warning flags for weak algorithms, compromised keys, and expired certificates
  • P key toggle: Runtime SBOM/CBOM switch — re-scores with the selected profile
  • Algorithm sorting (s key): Cycle Name → Family → Quantum Level → Strength (weak-first triage)
  • Certificate sort by urgency: Auto-sorted by days remaining (expired first)
  • Algorithm detail: Now shows Padding, Execution Environment, Implementation Platform

Bug Fixes

  • CBOM tab selection: Arrow keys now correctly move selection on all crypto tabs (Algorithms, Certificates, Keys, Protocols) — detail panel was stuck on the first item due to reading a legacy shared index instead of per-tab selection
  • Diff mode scoring: Both SBOMs now auto-detect profile instead of hardcoding Standard

Infrastructure

  • 15 new CBOM unit tests (scoring methods, hard caps, edge cases)
  • Bump indexmap 2.13.1, semver 1.0.28, dagger-sdk 0.20.4
  • Bump GitHub Actions: crates-io-auth-action, setup-go 6.4.0

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.18...v0.1.19

v0.1.18

31 Mar 09:27
6f2fbc9


Highlights

This release delivers a comprehensive diff engine upgrade with enrichment support for all multi-SBOM commands, a complete TUI overhaul across all 10 tabs, and introduces Go and Swift bindings for the core SBOM operations.

What's New

Diff Engine

  • Multi-SBOM enrichment: diff-multi, timeline, and matrix commands now support --enrich-vulns, --enrich-eol, and --vex (previously only diff had enrichment)
  • Pre-release version handling: New SemverParts struct properly distinguishes 1.2.3-alpha from 1.2.3 with pre-release penalty in matching scores
  • Quality delta tracking: QualityDelta in diff results shows per-category score changes, grade transitions, regressions, and improvements across all 8 quality categories
  • VEX state transitions: VexStatusChange detects when persistent vulnerabilities change VEX state between SBOMs (e.g., NotAffected → Affected)
  • Match quality metrics: MatchMetrics records exact/fuzzy/rule match counts, unmatched components, and confidence scores
  • True incremental diff: Section-selective recomputation skips unchanged sections when cache detects partial changes (30–70% speedup for partial SBOM updates)

TUI — Summary Tab

  • Redesigned layout: Merged Risk Assessment + Key Findings into a single compact card with natural-language insights
  • Key Findings section: Prioritized action items — critical vulns, major version bumps, license conflicts, quality regressions, added/removed summaries
  • SBOM Comparison table: Old vs New delta table showing component, dependency, license, and vulnerability counts
  • All Changes list: Full scrollable list sorted by semver impact (MAJOR first) with inline version transitions
  • "Not enriched" warning: Vulnerability card shows hint when enrichment wasn't used

TUI — Quality Tab

  • Compact gauge header: Score transition in title with text gauge bars (replaces heavy bordered gauges)
  • Category bar chart: Sorted by score with colored bars, warning badges (⚠ low, ✗ zero), and delta arrows
  • Linked recommendations: Each action shows its target category; Enter navigates to the related tab

TUI — Compliance Tab

  • Compact header: 3-line card replacing 7-line side-by-side gauges with New/Resolved counts
  • Violation grouping: g key groups violations by component with expand/collapse
  • Short tab labels: Min/Std/NTIA/CRA-1/CRA-2/FDA/SSDF/EO14028/Full — all fit on screen
  • Rich empty states: When Resolved/New views are empty, shows top issues to fix and category breakdowns
  • View cycle: Changed from Tab (conflicted with global tab switching) to v

TUI — Diff (Side-by-Side) Tab

  • Unified upgrade view: New Unified mode (a key) matches removed+added by name to show version upgrades
  • Semver classification: MAJOR/minor/patch/DOWNGRADE badges sorted by impact
  • Full-width single panel: Replaces split view for clearer upgrade visualization

TUI — Dependencies Tab

  • Sort order works (s key): Roots sort by Name, Depth, Vulnerability count, or Dependent count — previously displayed but never applied
  • Transitive toggle works (t key): Filters to direct deps only (depth 0–1) when off — previously displayed but had no effect
  • Relationship badges: Child nodes show [dev]/[build]/[test]/[opt] for non-default dependency types; detail panel shows Relationship and Scope fields
  • Child count breakdown: Root nodes show color-coded (+4 -3) instead of plain (7)
  • Vulnerability section in detail panel: Up to 5 CVEs with severity coloring, status (introduced/resolved/persistent), and KEV badge
  • Detail panel scrolling: Ctrl+d/Ctrl+u scrolls long content; resets on navigation
  • Compact 2-line header: Removed redundant key-hint line (saves 1 row), color-only toggle states, +N/-M change summary, Expanded: N/M progress, full words for alerts
  • Depth badges: D0/D1/D2 indicators on tree nodes showing direct vs transitive
  • Enriched detail panel: Licenses, hashes, supplier, dependency/dependent lists with shared renderer

TUI — Source Tab

  • Change gutter: +/-/~ column next to line numbers colored by change type
  • Change summary bar: Horizontal minimap showing change distribution across the file
  • Difftastic-style rendering: Changed lines bold+colored, unchanged lines keep syntax highlighting
  • Bold line numbers: Line numbers colored on changed lines for visual emphasis
  • Inline version diff: Modified components show lodash 4.17.20 → 4.17.21 when collapsed
  • Collapse unchanged (u): Folds unchanged regions into ··· N unchanged items ···
  • Aligned diff panels (a): Gap ····· placeholders for added/removed components

TUI — Cross-Tab

  • Consistent detail panels: Shared render_component_info_lines() for Components and Dependencies
  • Cross-tab navigation: License→Components, Violation→Component, Component→Dependencies with breadcrumbs
  • Regex search: Ctrl+R toggles substring/regex mode with error feedback
  • Footer hints: Added to Compliance, Source, Vulnerabilities, Dependencies tabs
  • SBOM version in header: Shows name@version from primary component

CLI

  • Enrichment arg deduplication: SharedEnrichmentArgs with #[command(flatten)] across all 8 enrichment-capable commands
  • Bug fixes: --no-color and --export-template forwarded to multi-SBOM commands; --fail-on-vuln exit codes for timeline/matrix
  • Output flag alignment: license-check and verify audit-hashes migrated from -f to -o with backwards-compat aliases
  • Feature gaps filled: --fail-on-change, --exclude-vex-resolved, --fail-on-vex-gap, --graph-max-depth for multi-SBOM commands
  • Comprehensive help: 24 top-level examples in 9 categories, per-subcommand examples on 13 of 15 commands

Go and Swift Bindings (MVP)

  • C ABI layer: Format detection, parsing, diffing, and quality scoring via JSON-based ABI
  • Go wrapper: sbomtools.ParsePath(), Diff(), Score() with typed payloads and dedup helpers
  • Swift wrapper: SbomTools.parsePath(), diff(), score() with Codable payloads and dedup helpers
  • ABI contract snapshots: Schema conformance tests ensure stability across releases

Thanks to @MChorfa for contributing the Go and Swift bindings!

Bug Fixes

  • Dependencies crash: Footer copy-preview panicked on multi-byte characters in dependency edge text (&text[..27] on a non-char-boundary) — replaced with MSRV-compatible floor_char_boundary() across 10 slicing sites
  • Dependencies search OOB: next_match/prev_match could index past visible_nodes when selected was desynchronized — added bounds clamping
  • Dependencies detail panel: Fixed "No node selected" (visible_nodes not populated in prepare_render); fixed duplicate "Name:" line showing canonical ID
  • Quality navigation: Fixed arrow keys not working (total_recommendations never set)
  • Compliance Tab key conflict: View cycle changed from Tab to v (was captured by global tab switching)
  • Matching asymmetry: Proptest found alias-lookup asymmetry for short names — excluded from test generator
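The dependencies crash above is a classic Rust slicing pitfall: `&text[..n]` panics when byte n falls inside a multi-byte UTF-8 sequence, and component names and edge labels in an SBOM are attacker-influenced text. The following added example (not the project's code) shows a portable floor_char_boundary helper and a truncation that uses it, next to the pre-fix slice for contrast; the sample edge text is constructed.

```rust
/// Largest index <= `i` that lies on a UTF-8 character boundary of `s`.
/// Portable stand-in for `str::floor_char_boundary`, which older stable
/// toolchains do not provide.
pub fn floor_char_boundary(s: &str, i: usize) -> usize {
    if i >= s.len() {
        return s.len();
    }
    let mut j = i;
    while !s.is_char_boundary(j) {
        j -= 1; // is_char_boundary(0) is always true, so this terminates
    }
    j
}

/// Byte-bounded preview for a footer or detail panel: never splits a
/// character, and appends an ellipsis only when something was cut.
pub fn truncate_preview(text: &str, max_bytes: usize) -> String {
    if text.len() <= max_bytes {
        return text.to_string();
    }
    let cut = floor_char_boundary(text, max_bytes);
    format!("{}…", &text[..cut])
}

/// The pre-fix shape, kept only for contrast: panics when `max_bytes` falls
/// inside a multi-byte character.
pub fn truncate_unsafe(text: &str, max_bytes: usize) -> &str {
    &text[..max_bytes.min(text.len())]
}

/// Constructed dependency-edge text: "é" is 2 bytes, "→" is 3, total 28 bytes.
pub const EDGE_TEXT: &str = "pkg:npm/café@1.0 → lodash";

fn main() {
    for width in [12, 19, 27] {
        println!("{width:>2}: {}", truncate_preview(EDGE_TEXT, width));
    }
}
```

A byte budget is the right unit for a terminal width check only after the cut has been snapped to a boundary; snapping down rather than up keeps the preview inside the budget, which is why the floor variant is the one to use here.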

Infrastructure

  • Bump sha2 0.10→0.11, proptest 1.10→1.11, clap_mangen 0.2→0.3, tempfile 3.25→3.27
  • Bump GitHub Actions: codeql-action 4.35.1, setup-go 6.3.0, cosign-installer 4.1.1
  • Dagger Rust SDK runner for bindings CI/CD

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.17...v0.1.18

v0.1.17

21 Mar 20:21
207c562


Highlights

This release hardens the release pipeline against tag poisoning attacks (like the recent Trivy incident), significantly improves the Source tab experience in the TUI, and fixes a severity badge bug that could underreport vulnerability severity.

What's New

TUI

  • Source tab overhaul: Fix flickering by hoisting state mutations out of the render path
  • Raw view breadcrumb: Show JSON path context at the top of the raw view
  • Compact tree mode (C key): Narrower connectors save ~30% horizontal space at depth 4+
  • Sticky scope header: Opening bracket line pins to the top when scrolled off-screen
  • Active scope indent guide: Single dashed in accent color replaces cluttered multi-level guides
  • Dependency bom-ref resolution: UUIDs in Source tab dependencies section now show component names (e.g., gcc@12.2.0 → 3 deps)
  • Dependency context in SBOM Map panel: Right panel shows resolved component name, dep count, vulnerabilities, and license instead of generic SBOM stats
  • Smart path truncation: Long file path labels show …/basename instead of truncating mid-path
  • Cleaner link indicators: Remove noisy symbols and skip redundant labels on expandable objects
  • Severity badge spacing: Add space between badge and count in dependency tree ([L] 6 vs [L]6)

Security

  • Tag poisoning hardening: Ancestry checks on build-binaries and update-homebrew jobs reject commits not on main
  • Immutable Homebrew URLs: Formula source pinned to commit SHA instead of mutable tag ref
  • Signed release manifests: Sigstore-signed release-manifest.sha256 for release asset tamper detection
  • Daily tag integrity workflow: Verifies all release tags are on main and release asset checksums match signed manifests
  • Tag protection ruleset: Tags are protected against force-push and deletion
  • Homebrew tap protection: Branch and tag rulesets on sbom-tool/homebrew-tap
  • Artifact verification docs: SECURITY.md now documents gh attestation verify, cosign verify-blob, and SHA256 verification

Bug Fixes

  • Severity badge underreporting: max_severity_from_vulns() now derives severity from CVSS base scores when the categorical severity field is None, fixing cases where badges showed [L] despite high CVSS scores
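The CVSS fallback described in the severity-badge fix, as an added Rust example (not sbom-tools' own code): the `Vuln` record, the function names, the assumed pre-fix behaviour and the sample entries are constructed here; the thresholds are the CVSS v3.x qualitative rating scale.

```rust
/// Categorical severity label, declared low to high so `max()` picks the worst.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { None, Low, Medium, High, Critical }

/// Minimal vulnerability record (hypothetical; not sbom-tools' own type).
#[allow(dead_code)]
pub struct Vuln {
    pub id: &'static str,
    pub severity: Option<Severity>, // categorical label, absent in some feeds
    pub cvss_base: Option<f64>,     // CVSS base score, absent in some feeds
}

/// CVSS v3.x qualitative rating scale:
/// 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical.
pub fn severity_from_cvss(score: f64) -> Severity {
    match score {
        s if s >= 9.0 => Severity::Critical,
        s if s >= 7.0 => Severity::High,
        s if s >= 4.0 => Severity::Medium,
        s if s > 0.0 => Severity::Low,
        _ => Severity::None,
    }
}

/// Assumed pre-fix behaviour: a missing label is treated as Low and the
/// CVSS score is never consulted, so a 9.8 CVSS finding still gets `[L]`.
pub fn max_severity_label_only(vulns: &[Vuln]) -> Severity {
    vulns.iter()
        .map(|v| v.severity.unwrap_or(Severity::Low))
        .max()
        .unwrap_or(Severity::None)
}

/// Fixed behaviour: when the categorical field is None, derive the rating
/// from the CVSS base score; only when both are absent does it stay None.
pub fn max_severity_with_cvss_fallback(vulns: &[Vuln]) -> Severity {
    vulns.iter()
        .map(|v| v.severity
            .or_else(|| v.cvss_base.map(severity_from_cvss))
            .unwrap_or(Severity::None))
        .max()
        .unwrap_or(Severity::None)
}

/// Constructed sample: one labelled Low, one unlabelled entry with CVSS 9.8.
pub fn sample() -> Vec<Vuln> {
    vec![
        Vuln { id: "PLACEHOLDER-1", severity: Some(Severity::Low), cvss_base: Some(3.1) },
        Vuln { id: "PLACEHOLDER-2", severity: None, cvss_base: Some(9.8) },
    ]
}
```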

Infrastructure

  • Collapse 47 nested if statements into let-chains (0 clippy warnings)
  • Fix RUSTSEC-2026-0044, RUSTSEC-2026-0048, RUSTSEC-2026-0049 (aws-lc-sys 0.39.0, rustls-webpki 0.103.10)
  • Bump clap 4.6.0, clap_complete 4.6.0, clap_mangen 0.2.33, tracing-subscriber 0.3.23
  • Bump GitHub Actions: codeql-action 4.33.0, rust-cache 2.9.1, crates-io-auth-action

Install: cargo install sbom-tools
Homebrew: brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.16...v0.1.17

v0.1.16

17 Mar 08:44
837b3da

Highlights

Major format expansion with CycloneDX 1.7 and SPDX 3.0 support, three new CLI commands (enrich, verify, license-check), VEX integration for vulnerability exception tracking, and a comprehensive TUI overhaul with ViewState architecture, RenderContext, and dozens of UX improvements. Releases now include pre-built binaries for 5 platforms with Sigstore signing, build attestations, and Homebrew tap distribution.

What's New

Format Support

  • CycloneDX 1.7 — full parser, model, quality scoring, and compliance support
  • SPDX 3.0 — JSON-LD parser, Security profile (VEX/CVSS), Snippet, Annotation, Lifecycle, multi-document, streaming optimization
  • CycloneDX 1.7 enrichment — structured citations support

New Commands

  • enrich — enrich SBOMs with vulnerability data (OSV/KEV), EOL detection, and VEX statements
  • verify — file hash verification (SHA-256/512) and component hash auditing
  • license-check — license policy engine with allow/deny/review lists and propagation analysis
  • vex — apply, filter, and report on VEX statements; CycloneDX VEX document parsing; coverage summary with --fail-on-vex-gap

TUI

  • ViewState architecture — single source of truth for all 10 tab states (Phases 1-6)
  • RenderContext — read-only render abstraction eliminating render-time mutation
  • Document Info panel — metadata overview in header area
  • Export dialog — export current view to file
  • Component overview — quick summary of component counts and types
  • Quality tab — improved chart rendering, integrity/provenance panels
  • Compliance tab — severity filter (f key), better gap visualization
  • Dependencies tab — graph cache improvements, visual polish
  • Source tab — cross-tab navigation, SBOM Map alignment, raw mode parity, focus panel fix
  • UI consistency — footer hints, keyboard shortcut alignment, visual refinements across all tabs

Distribution

  • Homebrew — brew install sbom-tool/tap/sbom-tools
  • Pre-built binaries — 5 platforms (linux x86_64/aarch64, macOS x86_64/aarch64, Windows x86_64)
  • Sigstore signing — keyless signatures on all release archives
  • GitHub build attestations — per-binary provenance
  • Dual-format SBOMs — CycloneDX 1.6 + SPDX 2.3 included in release assets
  • GitHub Action — sbom-tool/sbom-tools-action for CI/CD integration

VEX Integration

  • VEX subcommand with apply/status/filter operations
  • CycloneDX VEX document parsing
  • Multiple VEX responses per vulnerability
  • Persistent gap tracking across diff operations
  • Coverage summary and --fail-on-vex-gap CI gate

Bug Fixes

  • Fixed 7 high-severity dependency vulnerabilities (aws-lc-sys, quinn-proto)
  • Fixed focus panel not resetting when switching tabs
  • Fixed cross-compilation targets in release pipeline (rust-toolchain.toml override)

Infrastructure

  • Friendly archive names (linux-x86_64, macos-aarch64, etc.) replacing Rust target triples
  • Combined checksums.sha256 file (was 5 separate files)
  • Idempotent cargo publish for pipeline re-runs
  • Improved proptest parser fuzz tests
  • Dependency updates: pathfinding, rust-cache, codeql-action, upload/download-artifact

Install: cargo install sbom-tools or brew install sbom-tool/tap/sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.14...v0.1.16

v0.1.14

28 Feb 07:25
0e0c197

Highlights

Source Tab v2 brings 12 new interactive features for exploring SBOM source data. Graph-aware diffing gets major correctness and feature improvements. The entire release pipeline is now fully automated with Trusted Publishing, SLSA L3 provenance, and signed tags.

What's New

TUI

  • Source Tab v2 — 12 new features:
    • Mouse click/scroll support in both diff and view modes
    • XML syntax highlighting for raw SBOM source
    • Line numbers toggle (I) and word wrap toggle (W)
    • Status bar with position and percentage
    • Diff change navigation (n/N) — jump between added/removed/modified nodes
    • Copy JSON path to clipboard (c)
    • Export source content to file (E)
    • Regex search mode (Ctrl+R during search)
    • Bookmarks (m to toggle, ' to cycle)
    • Tree filter by value type (f) and sort by key (S)
    • Detail panel in diff mode (d)
  • Components and Dependencies tabs: visual polish, clipboard support, auto-expand roots

Quality & Compliance

  • Software complexity index in quality metrics

Security

  • Signed git tags (SSH ed25519)
  • SLSA Build Level 3 provenance on GitHub Releases (.intoto.jsonl)
  • Trusted Publishing (OIDC) for crates.io — no long-lived API tokens
  • OSV scanner config to suppress false positives from SBOM test fixtures
  • Branch protection hardened (required review thread resolution)

Bug Fixes

  • Fixed UTF-8 panics in Source tab when viewing binary-like content
  • Fixed vulnerability score inflating quality rating when no vuln data exists
  • Fixed CI concurrency: only cancel in-progress on PRs, not main pushes

Infrastructure

  • GitHub Releases with auto-generated notes and SLSA provenance attached
  • PR-based release script compatible with branch protection
  • Community docs: CODE_OF_CONDUCT, CONTRIBUTING, GOVERNANCE, ARCHITECTURE
  • OpenSSF Scorecard improvements (Signed-Releases check fixed)
  • Dependency updates: anyhow, quick-xml, chrono, spdx, ctrlc

Install: cargo install sbom-tools
Crate: https://crates.io/crates/sbom-tools
Full changelog: v0.1.10...v0.1.14

v0.1.13

28 Feb 06:58
390d84f

What's Changed

Full Changelog: v0.1.12...v0.1.13

v0.1.11

27 Feb 23:41
5d808d0

Highlights

  • Source Tab v2 — 12 new interactive features for SBOM source exploration
  • Graph-Aware Diffing — Major correctness and feature improvements
  • Supply Chain Security — Signed releases, SLSA L3 provenance, OpenSSF hardening
  • Community Docs — CODE_OF_CONDUCT, CONTRIBUTING, GOVERNANCE, ARCHITECTURE

What's New

Interactive TUI

  • Mouse click/scroll support in Source tab (both diff and view modes)
  • XML syntax highlighting for raw SBOM source
  • Line numbers toggle (I) and word wrap toggle (W)
  • Status bar with position/percentage
  • Diff change navigation (n/N) — jump between added/removed/modified nodes
  • Copy JSON path to clipboard (c)
  • Export source content to file (E)
  • Regex search mode (Ctrl+R during search)
  • Bookmarks (m to toggle, ' to cycle)
  • Tree filter by value type (f) and sort by key (S)
  • Detail panel in diff mode (d)

Graph Diffing

  • Fixed component ID normalization for cross-format matching
  • Proper EdgeKey with sorted endpoints for undirected graph support
  • Content-based graph hashing (xxh3) for structural comparison
  • Reparenting detection and cyclic dependency depth limits
  • Graph section in JSON, Markdown, HTML, CSV, and summary reports
  • Multi-SBOM graph support in diff-multi command
  • --graph-diff-only and --graph-depth CLI options

Quality & Compliance

  • Software complexity index in quality metrics

Security & Infrastructure

  • Signed git tags (SSH ed25519)
  • SLSA Build Level 3 provenance on GitHub Releases
  • GitHub Releases with auto-generated notes
  • OSV scanner config to suppress SBOM fixture false positives
  • Branch protection tightened (required review thread resolution)
  • OpenSSF Scorecard improvements (Signed-Releases check fixed)

Community

  • CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
  • CONTRIBUTING.md (development guide with DCO)
  • GOVERNANCE.md (BDFL model, access continuity)
  • ARCHITECTURE.md (module structure, data flow, design decisions)
  • SECURITY.md updated with coordinated disclosure policy

Bug Fixes

  • Fixed UTF-8 panics in Source tab when viewing binary-like content
  • Fixed rustfmt formatting in source tab files

Install

cargo install sbom-tools

Full Changelog: v0.1.10...v0.1.11