SBoM with evidence
This release introduces evinse, a new command to generate component evidence for Java projects. Three kinds of evidence are supported.
- Occurrences: all the places in the application source code where a given package is used.
- A dataflow call stack showing where a component gets invoked.
- Services and HTTP entry points created by the application.
What's Changed
- Fixes #464: Updated the regex to support 'relocation' of a complete component by @malice00 in #467
- Evinse tool preview - part 1 by @prabhu in #465
- Adds cdx-verify a simple command to verify signature by @prabhu in #468
- Evinse support for java with gradle project - part 2 by @prabhu in #472
- Handle Gradle sub-projects correctly by @malice00 in #470
- Try multiple encoding to parse nuspec data. Fixes #469 by @prabhu in #475
Full Changelog: v9.4.0...v9.5.0