What's new

A factual record of recent, shipped product improvements. Everything listed is in the current release, covered by tests, and documented — nothing here is a preview. Dates are engineering-verification dates.

Note

SBOMFlow versions its artifacts and models; your output records the exact
tool version that produced it. Current release line: 0.2.x.

July 2026

Hardened scanning boundaries

  • Symlink scan boundary — a symlink that resolves outside the scan root is refused with a symlink_outside_root warning, so a planted link can never pull foreign files into evidence. Limitation: links resolving inside the root are followed by design.
  • Bounded untrusted input — container-image members, deep YAML nesting, and oversized structures hit explicit budgets and surface resource_limit_exceeded warnings instead of unbounded reads.
  • Safer reports — CSV exports neutralize spreadsheet-formula injection; HTML reports escape scanned content; CLI interruptions (Ctrl-C, closed pipes) exit with conventional codes instead of tracebacks. See exit codes.
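Added example (not SBOMFlow code): a minimal scan walk that refuses symlinks resolving outside the scan root with the symlink_outside_root warning, plus the single-quote prefix used to neutralize formula-triggering cells in CSV output. The warning tuple layout, the fixture layout and the helper names are assumptions for this example.

```python
import csv
import io
import os
import tempfile
from pathlib import Path

# Warning code named on this page; the (code, relative path) tuple layout is an assumption.
SYMLINK_OUTSIDE_ROOT = "symlink_outside_root"


def scan_tree(root):
    """Walk `root` and return (files, warnings).

    A symlink is refused with symlink_outside_root when its resolved target
    lies outside the resolved scan root; a link that resolves inside the root
    is followed like any other file (the documented limitation).
    """
    root = Path(root).resolve()
    files, warnings = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            rel = str(path.relative_to(root))
            if path.is_symlink():
                target = path.resolve()  # follows the whole link chain
                if not target.is_relative_to(root):
                    warnings.append((SYMLINK_OUTSIDE_ROOT, rel))
                    continue
            files.append(rel)
    return sorted(files), warnings


# Leading characters that spreadsheets treat as a formula or as field/record control.
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-triggering cell with a single quote so it renders as text.

    Caveat: '-' and '+' also catch legitimate values such as negative numbers;
    that is the usual cost of this defense.
    """
    text = str(value)
    if text and text[0] in _FORMULA_TRIGGERS:
        return "'" + text
    return text


def render_csv(rows):
    """Render rows as CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def build_fixture():
    """Constructed sample tree: one real file, one link inside the root, one escaping link."""
    base = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    root, outside = base / "root", base / "outside"
    root.mkdir()
    outside.mkdir()
    (root / "manifest.txt").write_text("pkg-a 1.0\n")
    (outside / "secret.txt").write_text("not evidence\n")
    os.symlink(root / "manifest.txt", root / "alias")  # resolves inside: followed
    os.symlink(outside / "secret.txt", root / "leak")  # resolves outside: refused
    return root


if __name__ == "__main__":
    print(scan_tree(build_fixture()))
    print(render_csv([["component", "version"], ['=HYPERLINK("x")', "1.0"]]))
```

The boundary check compares fully resolved paths, so a chain of links that ends outside the root is refused even when every intermediate hop is inside it.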

More honest component identity

  • Cargo inline-table dependencies now yield the declared version — a dependency written as a table with features can no longer leak its raw text into your SBOM, and version-less git/path dependencies are never invented.
  • Container references parse name, tag, and digest precisely: a digest-pinned image keeps its immutable digest as identity (no fabricated latest), registry ports are never read as tags, and digests survive into emitted purls as qualifiers.
  • A component-identity guard now backstops every parser: structurally invalid names or versions become warnings instead of inventory. Legitimate epochs, vendor suffixes, prereleases, ranges, and descriptive names pass through untouched. Limitation: this is defense-in-depth against structural garbage, not proof a parser's semantics are correct — parser tests do that.
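Added example (not SBOMFlow code) of the container-reference rules above: a tag is only a colon in the last path component, so a registry port is never read as a tag; a digest-pinned reference keeps the digest as its identity; a bare name stays bare rather than gaining a fabricated latest; and a structurally invalid tag or digest becomes a warning instead of inventory. The warning codes and the ImageRef layout are assumptions for this example; purl emission is not shown.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Digest grammar: algorithm, colon, lowercase hex of the algorithm's full length.
_DIGEST_RE = re.compile(r"^(?P<algo>sha256|sha512):(?P<hex>[0-9a-f]+)$")
_HEX_LEN = {"sha256": 64, "sha512": 128}
# OCI/Docker tag grammar: a word character, then up to 127 of [word . -].
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Hypothetical warning codes for this example; the page does not list them.
INVALID_DIGEST = "invalid_image_digest"
INVALID_TAG = "invalid_image_tag"


@dataclass(frozen=True)
class ImageRef:
    name: str                # registry[:port]/repository, without tag or digest
    tag: Optional[str]
    digest: Optional[str]
    warnings: Tuple[str, ...]

    @property
    def identity(self) -> str:
        """Digest wins over tag; a bare name stays bare (no fabricated 'latest')."""
        if self.digest:
            return f"{self.name}@{self.digest}"
        if self.tag:
            return f"{self.name}:{self.tag}"
        return self.name


def parse_image_ref(ref: str) -> ImageRef:
    warnings = []
    rest, at, digest = ref.partition("@")
    if at:
        m = _DIGEST_RE.match(digest)
        if not m or len(m.group("hex")) != _HEX_LEN[m.group("algo")]:
            warnings.append(INVALID_DIGEST)  # structurally invalid: warn, do not invent
            digest = None
    else:
        digest = None
    # A tag is a ':' inside the LAST path component only. A ':' before a '/'
    # belongs to the registry host (e.g. localhost:5000) and is never a tag.
    head, slash, last = rest.rpartition("/")
    tag: Optional[str] = None
    if ":" in last:
        last, _, candidate = last.partition(":")
        if _TAG_RE.match(candidate):
            tag = candidate
        else:
            warnings.append(INVALID_TAG)
    name = f"{head}/{last}" if slash else last
    return ImageRef(name, tag, digest, tuple(warnings))


if __name__ == "__main__":
    for ref in ("registry.example.com:5000/team/app:1.2@sha256:" + "a" * 64,
                "localhost:5000/app", "nginx:1.25", "app@sha256:deadbeef"):
        print(ref, "->", parse_image_ref(ref))
```

The digest is validated for both algorithm and full hex length, so a truncated digest is reported rather than silently becoming a trusted, immutable identity.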

Fewer silent gaps

  • Build outputs inside build/ directories — Yocto image manifests, license.manifest, and generated SBOMs are now scanned where real build systems put them, instead of being skipped with the build tree.
  • Recognized-but-unparsed formats warn — Gradle/NuGet/uv/Swift/ESP-IDF/vcpkg/Maven/Conan manifests, OCI image indexes, device-tree overlays, and unpinned Python requirements now produce stable, actionable warnings instead of disappearing into the artifact list. All 178 warning codes are documented.
  • CycloneDX naming conventions (bom.json, .cdx.json, .cdx.xml) are recognized as existing-SBOM evidence alongside SPDX.

Deeper verification behind the release

  • The offline suite grew to 1,300 tests, including new determinism, boundary, injection, and identity regressions.
  • A ten-archetype synthetic manufacturer corpus now stress-tests the full workflow, with an acceptance contract and a per-fact semantic evaluation that fail on silent omissions, false merges, false positives, or overclaims. Limitation: synthetic testing is not real-customer validation — see Testing and trust.

Earlier in 2026

  • Release history and drift — every run emits a release record; comparing releases yields component, dependency, finding, evidence, gate, and support-period drift, with issue lifecycle states (new, persistent, resolved, regressed).
  • Reviewer workflow and approvals — a review queue with tamper-evident, hash-chained decisions; multi-role approvals with separation of duties, expiry, and revocation; time-boxed waivers that keep waived items visible.
  • CRA-oriented evidence — versioned Annex I coverage mapping, Annex VII technical-documentation packs with validator-enforced UNSIGNED DRAFT declarations, and Article 14 draft workspaces that are never filed or transmitted.
  • Exploitation context — CISA KEV, FIRST EPSS, conservative reachability, and suggested SSVC priorities as reviewable inputs; VEX-aware gating that a reviewer decision — and only a reviewer decision — can suppress.
  • Evidence bundles and sharing — deterministic reviewer bundles with byte-reproducible ZIPs, and redacted sharing packs for importers and distributors.
  • Stable operator contract — documented exit codes, cataloged error codes with fixes and docs links, and doctor/init/validate-config/quickstart for first-run setup.
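Added example (not SBOMFlow code) of the tamper-evident, hash-chained decision log mentioned under reviewer workflow: each entry commits to the previous entry's hash, so editing or deleting a past decision breaks verification at that index. The entry fields, the genesis value and the sample decisions are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry (assumption for this example)


def _entry_hash(prev_hash, decision):
    # Canonical JSON (sorted keys, no whitespace) so the same decision always hashes the same.
    payload = json.dumps({"prev_hash": prev_hash, "decision": decision},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_decision(chain, decision):
    """Append a decision; return the new entry's hash (the chain head)."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "decision": decision,
                  "entry_hash": _entry_hash(prev, decision)})
    return chain[-1]["entry_hash"]


def verify_chain(chain, expected_head=None):
    """Return (ok, index): index is the first entry that breaks the chain, or None.

    Each entry must reference the previous entry's hash and hash to its own
    entry_hash. Passing the last known head (stored out of band) also catches
    silent truncation of the tail, which the chain alone cannot detect.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(prev, entry["decision"]):
            return False, i
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo_chain():
    """Constructed sample: three reviewer decisions, then a tampered and a truncated copy."""
    chain = []
    head = GENESIS
    for decision in (
        {"finding": "finding-001", "verdict": "not_affected", "reviewer": "alice"},
        {"finding": "finding-002", "verdict": "affected", "reviewer": "bob"},
        {"finding": "finding-002", "verdict": "waived", "reviewer": "carol", "expires": "2026-09-01"},
    ):
        head = append_decision(chain, decision)
    tampered = json.loads(json.dumps(chain))       # deep copy
    tampered[1]["decision"]["verdict"] = "not_affected"  # rewrite history
    truncated = chain[:-1]                          # drop the latest decision
    return verify_chain(chain, head), verify_chain(tampered, head), verify_chain(truncated, head)


if __name__ == "__main__":
    print(demo_chain())
```

The head hash is the one value worth anchoring elsewhere (a signed record, a release bundle, a separate store): without it, a log that is cut off after any valid entry still verifies clean.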

For the complete capability list, see Capabilities.