github cdxgen/cdxgen v11.2.6
Release v11.2.6

7 months ago

cdxgen can now statically analyse itself to create a detailed SBOM with all occurrences and call-stack evidence. Plotting all call-stack evidence for a large pure JavaScript codebase like ours was previously not possible due to various issues in the downstream tools, all of which have finally been addressed. The generated BOMs, including atom slices, can be found in this Hugging Face repo.

Below is an example of a complete data-flow that was plotted using only the information in the cdxgen-generated BOM file.

[Two screenshots of the plotted data-flow, dated 2025-04-23]

More examples can be found in this file.
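
As an added illustration (not cdxgen's or evinse's own code), the sketch below shows how call-stack evidence in a CycloneDX BOM can be turned into a plottable graph: it reads `evidence.callstack.frames` for each component and emits Graphviz DOT. The sample BOM is constructed, and treating consecutive frames as connected in listed order is an assumption.

```javascript
// Constructed CycloneDX fragment for illustration; not real cdxgen output.
const sampleBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    {
      "bom-ref": "pkg:npm/example-lib@1.0.0", // constructed purl
      evidence: {
        occurrences: [{ location: "lib/cli.js#12" }],
        callstack: {
          frames: [
            { module: "lib/cli.js", function: "main", line: 12, fullFilename: "lib/cli.js" },
            { module: "lib/helpers.js", function: "parse", line: 40, fullFilename: "lib/helpers.js" },
            { module: "lib/helpers.js", function: "load", line: 88, fullFilename: "lib/helpers.js" },
          ],
        },
      },
    },
    { "bom-ref": "pkg:npm/no-evidence@2.0.0" }, // component without evidence
  ],
};

// Label a frame; only `module` is mandatory in the CycloneDX schema.
function frameLabel(f) {
  const fn = f.function ? `${f.function}()` : "<anonymous>";
  const loc = f.line !== undefined ? `:${f.line}` : "";
  return `${f.fullFilename || f.module}${loc} ${fn}`;
}

// Assumption: consecutive frames are linked in the order they are listed.
function callstackEdges(bom) {
  const edges = [];
  for (const c of bom.components || []) {
    const frames = c.evidence?.callstack?.frames || [];
    for (let i = 0; i + 1 < frames.length; i++) {
      edges.push({ ref: c["bom-ref"], from: frameLabel(frames[i]), to: frameLabel(frames[i + 1]) });
    }
  }
  return edges;
}

// Render the edges as Graphviz DOT, escaping quotes and backslashes in labels.
function toDot(edges) {
  const q = (s) => `"${s.replace(/[\\"]/g, "\\$&")}"`;
  const lines = edges.map((e) => `  ${q(e.from)} -> ${q(e.to)} [label=${q(e.ref)}];`);
  return ["digraph evidence {", ...lines, "}"].join("\n");
}

console.log(toDot(callstackEdges(sampleBom)));
```

Components that carry no `evidence` block contribute no edges, so a sparse graph is a quick sign that a BOM was generated without call-stack evidence.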

What's Changed

  • [Gradle] Optimization for included/composite builds broke cdxgen on single module by @malice00 in #1744
  • Prefix language to support multiple slices files for evinse by @prabhu in #1748
  • pnpm add and dlx plugins detection by @prabhu in #1749
  • Makes oci image export more robust when using cli by @prabhu in #1751

Full Changelog: v11.2.5...v11.2.6
