winget install --id CycloneDX.cdxgen
About CycloneDX Generator (cdxgen)
Generate Software Bill of Materials (SBOM) for most applications and container images with a single command. Generate Operations Bill of Materials (OBOM) for Linux and Windows hosts. Integrate with any CI/CD pipeline. Automatically submit the generated BOM to your Dependency-Track server for analysis.
What's new in 12.7.0
What's Changed

Go
- [go] Fix crash on empty go.mod file by @malice00 in #4179

Java / Kotlin / Scala / Clojure
- [gradle] Fix incorrect SBOM with unresolved dependencies by @malice00 in #4173
- Strip scala version suffix for sbt by @prabhu in #4186
- Attempt to find the hashes and licenses for gradle. by @prabhu in #4187
- Better asar detection with header sniffing. by @prabhu in #4190
- Move gradle fixture to hosted by @prabhu in #4220

Docker / Containers / Infrastructure
- Native sbom attachment by @prabhu in #4184

Breaking Changes
- Support no-ignore argument by @prabhu in #4188

Full Changelog: v12.6.0...v12.7.0
Version history
| Version | Updated | Notes |
|---|---|---|
| 12.7.0 | Unknown | What's Changed Go - [go] Fix crash on empty go.mod file by @malice00 in #4179 Java / Kotlin / Scala / Clojure - [gradle] Fix incorrect SBOM with unresolved dependencies by @malice00 in #4173 - Strip scala version suffix... |
| 12.6.0 | Unknown | This minor release includes two new features: - Support for dynamic/trace BOM generation using instrumentation. Powered by safer-exec. - New tui mode powered by cdxui. Please try with the --tui argument. What's Changed J... |
| 12.5.1 | Unknown | cdxgen now supports generating AI/ML-BOM with the new -t ai type. For JavaScript and Python projects, AI-BOM would also include the exact occurrence evidence. evinse is now supported for Rust projects. Pass --profile res... |
| 12.5.0 | Unknown | Highlights This release introduces go evinse with golem integration for deep, data-flow-aware analysis of go projects. The JavaScript analyzer gains type-only import detection, better Vue.js scope resolution, and new npm... |
| 12.4.4 | Unknown | What's Changed - java maven improvements #4064 - component type filter #4063 - javascript improvements #4066 - pass exclude arguments to atom #4069 Full Changelog: v12.4.3...v12.4.4 |
| 12.4.3 | Unknown | This release includes one security fix. - [Security] harden maven shell metacharacters in #4059. Thanks, @aleff-github Full Changelog: v12.4.2...v12.4.3 |
| 12.4.2 | Unknown | What's Changed 🤖 AI-auto Changes - Handle object-form GitHub Actions runs-on by @Copilot in #4057 - Upgrade to dosai v3 by @prabhu in #4058 Full Changelog: v12.4.1...v12.4.2 |
| 12.4.1 | Unknown | Optimise SEA binaries. What's Changed 🤖 AI-auto Changes - fix: profile standalone binary dependencies by @prabhu in #4053 Full Changelog: v12.4.0...v12.4.1 |
| 12.4.0 | Unknown | What's Changed 🤖 AI-auto Changes - Enhance dry-run mode with symlink, spawn I/O, and archive extraction tracing by @Copilot in #3969 - package visibility, cbom and obom improvements by @prabhu in #4002 - feat: caxa v3 ba... |
| 12.3.3 | Unknown | This release includes security fixes and some features. What's Changed 🤖 AI-auto Changes - Trim non-runtime files from published npm artifacts, image context, and SEA bundles by @Copilot in #3957 - Add collider.lock supp... |
| 12.3.2 | Unknown | What's Changed 🤖 AI-auto Changes - Enforce CycloneDX 1.7 TLP validation for sensitive BOM properties by @Copilot in #3954 Full Changelog: v12.3.1...v12.3.2 |
| 12.3.1 | Unknown | cdxgen can now identify the MCP configurations and skills used in your project. It can also predict supply-chain attacks against your cargo dependencies. What's Changed 🤖 AI-auto Changes - Expand Cargo predictive audit c... |
| 12.3.0 | Unknown | cdxgen v12.3.0 Full changelog: v12.2.1...v12.3.0 v12.3.0 is a big release for cdxgen. It expands the project beyond BOM generation with new capabilities for upstream dependency risk prioritisation, SPDX conversion/export... |
| 12.2.1 | Unknown | This release focuses on Node.js dependency accuracy, server-side submission hardening, and CI/build maintenance. lang:node #3920 added WASM and WASI detection in the JS analyzer with test coverage updates. #3924 fixed np... |
| 12.2.0 | Unknown | > The beginning of the cycle where the AI agents write more code than humans. cdxgen continues to lose weight. We have removed more dependencies such as sqlite3 and jws by rewriting code to make use of native Node module... |
| 12.1.5 | Unknown | What's Changed Breaking Changes 🛠 - Couple of security fixes. Update jdk versions by @prabhu in #3808 - Audit npmrc config files and NODE_OPTIONS for code execution risks. by @prabhu in #3815 - Improve python venv detect... |
| 12.1.4 | Unknown | What's Changed Breaking Changes 🛠 - Do not try to build sqlite3 for deno by @prabhu in #3801 Other Changes - typescript 6 by @prabhu in #3802 - Detect npm package name and version spoofing by @prabhu in #3805 Full Change... |
| 12.1.3 | Unknown | What's Changed Breaking Changes 🛠 - [security] server hardening for safer git clones by @prabhu in #3708 - Do not make pypi calls unless necessary. by @prabhu in #3711 🤖 AI-assisted Changes - Trim sqlite3 prebuilds by @p... |
| 12.1.2 | Unknown | What's Changed Breaking Changes 🛠 - go 1.24+ support with additional attributes by @prabhu in #3576 🤖 AI-assisted Changes - fix(cmake): skip empty dependency() names when parsing Meson files by @SergioChan in #3682 - fix... |
| 12.1.1 | Unknown | What's Changed 🏗️ Build System - [musl binaries] Switch to 'official unofficial' nodejs builds URL by @malice00 in #3513 Other Changes - Add arguments to prevent trivy telemetry and version check (#3499) by @atwupack in... |