What's new
A factual record of recent, shipped product improvements. Everything listed is in the current release, covered by tests, and documented — nothing here is a preview. Dates are engineering-verification dates.
Note
SBOMFlow versions its artifacts and models; your output records the exact tool version that produced it. Current release line: 0.2.x.
July 2026
Hardened scanning boundaries
- Symlink scan boundary — a symlink that resolves outside the scan root is refused with a `symlink_outside_root` warning, so a planted link can never pull foreign files into evidence. Limitation: links resolving inside the root are followed by design.
- Bounded untrusted input — container-image members, deep YAML nesting, and oversized structures hit explicit budgets and surface `resource_limit_exceeded` warnings instead of unbounded reads.
- Safer reports — CSV exports neutralize spreadsheet-formula injection; HTML reports escape scanned content; CLI interruptions (Ctrl-C, closed pipes) exit with conventional codes instead of tracebacks. See exit codes.
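The two checks below illustrate the symlink scan boundary and the CSV formula neutralization described above. This is an added example, not SBOMFlow's code; the function names `scan_files`, `neutralize_csv_cell`, `build_fixture` and `demo`, the `(code, path)` tuple shape of the warnings, and the directory layout are all assumptions made here, and the only thing taken from the release notes is the `symlink_outside_root` warning code.

```python
"""Scan-boundary checks: refuse symlinks that escape the scan root, and
neutralize spreadsheet-formula cells before CSV export.

Added illustration, not SBOMFlow's code. Function names, the warning tuple
shape and the fixture layout are assumptions; the warning code string is the
one the release notes document."""
import os
import tempfile
from pathlib import Path

SYMLINK_OUTSIDE_ROOT = "symlink_outside_root"


def scan_files(root):
    """Walk `root` without following symlinks during the walk itself.

    Returns (files, warnings): `files` are root-relative POSIX paths of the
    regular files under the real root; `warnings` are (code, relative_path)
    tuples, one per symlink whose final target lies outside the root.
    Symlinks that resolve inside the root need no special handling: the walk
    reaches their targets directly, so they are skipped here rather than
    counted twice.
    """
    root = Path(root).resolve()
    files, warnings = set(), []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = Path(dirpath) / name
            if path.is_symlink():
                # resolve() follows the whole chain, so a link to a link to a
                # file outside the root is caught just like a direct link.
                target = path.resolve()
                if target != root and root not in target.parents:
                    warnings.append((SYMLINK_OUTSIDE_ROOT, path.relative_to(root).as_posix()))
                continue
            if path.is_file():
                files.add(path.relative_to(root).as_posix())
    return sorted(files), warnings


# Leading characters a spreadsheet treats as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Force a formula-looking cell to be read as text.

    A leading apostrophe makes common spreadsheet applications treat the cell
    as a literal string. This is one common approach; the product's exact
    policy is not described in the notes above.
    """
    text = str(value)
    if text[:1] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def build_fixture():
    """Constructed layout (sample input, not real scan data):

        <tmp>/outside.txt             a file the scan must never pick up
        <tmp>/root/a.txt
        <tmp>/root/sub/b.txt
        <tmp>/root/link_in      -> a.txt             (inside root, skipped)
        <tmp>/root/link_out     -> ../outside.txt    (escapes root)
        <tmp>/root/link_out_dir -> ..                (escapes root)
        <tmp>/root/link_chain   -> link_out          (escapes via a chain)
    """
    base = Path(tempfile.mkdtemp())
    root = base / "root"
    (root / "sub").mkdir(parents=True)
    (base / "outside.txt").write_text("secret")
    (root / "a.txt").write_text("a")
    (root / "sub" / "b.txt").write_text("b")
    os.symlink("a.txt", root / "link_in")
    os.symlink("../outside.txt", root / "link_out")
    os.symlink("..", root / "link_out_dir")
    os.symlink("link_out", root / "link_chain")
    return root


def demo():
    """Scan the constructed fixture; returns (files, warnings)."""
    return scan_files(build_fixture())


if __name__ == "__main__":
    files, warnings = demo()
    print("files:", files)
    print("warnings:", warnings)
    print(neutralize_csv_cell("=HYPERLINK(\"http://evil.example\",\"openssl\")"))
```

The boundary test compares the fully resolved target against the resolved root, so the check also survives a root that is itself reached through a symlink (for example a temp directory under `/var` on macOS). The apostrophe prefix also hits legitimate values such as `-1`, so apply it to free-text columns only and keep numeric columns numeric.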
More honest component identity
- Cargo inline-table dependencies now yield the declared version — a dependency written as a table with features can no longer leak its raw text into your SBOM, and version-less git/path dependencies are never invented.
- Container references parse name, tag, and digest precisely: a digest-pinned image keeps its immutable digest as identity (no fabricated `latest`), registry ports are never read as tags, and digests survive into emitted purls as qualifiers.
- A component-identity guard now backstops every parser: structurally invalid names or versions become warnings instead of inventory. Legitimate epochs, vendor suffixes, prereleases, ranges, and descriptive names pass through untouched. Limitation: this is defense-in-depth against structural garbage, not proof a parser's semantics are correct — parser tests do that.
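The three container-reference properties above (digest as identity, registry port not read as a tag, no fabricated `latest`) reduce to one parsing rule, shown here as an added example that is not SBOMFlow's parser. The function names `parse_image_reference` and `is_valid_reference` and the returned dict shape are assumptions; the tag and digest syntax is the OCI distribution specification's (tag `[A-Za-z0-9_][A-Za-z0-9._-]{0,127}`, digest `<algorithm>:<lowercase hex>`). Purl emission is left out because the notes do not show the exact purl form.

```python
"""Parse an OCI/Docker image reference into name, tag and digest without
inventing anything the reference does not state.

Added illustration, not SBOMFlow's parser. Function names and the result
shape are assumptions; tag/digest grammar follows the OCI distribution spec."""
import re

TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
DIGEST_HEX_LEN = {"sha256": 64, "sha512": 128}


def parse_image_reference(ref):
    """Return {"name", "tag", "digest", "identity"} for an image reference.

    - A digest, when present, is the identity; a tag on the same reference is
      kept for display but cannot override the immutable digest.
    - A colon separates a tag only when it appears after the last '/'. In
      `registry.example.com:5000/team/app` the colon belongs to the registry
      port, so no tag is produced.
    - With neither tag nor digest, `identity` is None. `latest` is a pull-time
      default applied by clients, not something the reference says, so it is
      never fabricated here.
    Raises ValueError on structurally invalid input instead of guessing.
    """
    rest, digest = ref.strip(), None
    if "@" in rest:
        rest, digest = rest.rsplit("@", 1)
        algo, _, hexpart = digest.partition(":")
        if DIGEST_HEX_LEN.get(algo) != len(hexpart) or not HEX_RE.match(hexpart):
            raise ValueError(f"invalid digest: {digest!r}")
    tag = None
    last_slash, last_colon = rest.rfind("/"), rest.rfind(":")
    if last_colon > last_slash:
        rest, tag = rest[:last_colon], rest[last_colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError(f"invalid tag: {tag!r}")
    if not rest or rest.endswith("/"):
        raise ValueError(f"invalid image name: {ref!r}")
    return {"name": rest, "tag": tag, "digest": digest, "identity": digest or tag}


def is_valid_reference(ref):
    """True when the reference parses; structurally broken input yields False."""
    try:
        parse_image_reference(ref)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample references, not taken from a real scan.
    samples = [
        "registry.example.com:5000/team/app",           # port, no tag, no digest
        "nginx:1.25",                                    # tag is the identity
        "ghcr.io/org/app:1.2.3@sha256:" + "a" * 64,      # digest wins over tag
        "app@sha256:abc",                                # malformed digest
    ]
    for sample in samples:
        try:
            print(sample, "->", parse_image_reference(sample))
        except ValueError as exc:
            print(sample, "-> warning:", exc)
```

The port/tag ambiguity is the case worth a regression test: `registry:5000/app` has no tag, while `registry:5000/app:5000` does, and only the position of the colon relative to the last slash tells them apart.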
Fewer silent gaps
- Build outputs inside `build/` directories — Yocto image manifests, `license.manifest`, and generated SBOMs are now scanned where real build systems put them, instead of being skipped with the build tree.
- Recognized-but-unparsed formats warn — Gradle/NuGet/uv/Swift/ESP-IDF/vcpkg/Maven/Conan manifests, OCI image indexes, device-tree overlays, and unpinned Python requirements now produce stable, actionable warnings instead of disappearing into the artifact list. All 178 warning codes are documented.
- CycloneDX naming conventions (`bom.json`, `.cdx.json`, `.cdx.xml`) are recognized as existing-SBOM evidence alongside SPDX.
Deeper verification behind the release
- The offline suite grew to 1,300 tests, including new determinism, boundary, injection, and identity regressions.
- A ten-archetype synthetic manufacturer corpus now stress-tests the full workflow, with an acceptance contract and a per-fact semantic evaluation that fail on silent omissions, false merges, false positives, or overclaims. Limitation: synthetic testing is not real-customer validation — see Testing and trust.
Earlier in 2026
- Release history and drift — every run emits a release record; comparing releases yields component, dependency, finding, evidence, gate, and support-period drift, with issue lifecycle states (`new`, `persistent`, `resolved`, `regressed`).
- Reviewer workflow and approvals — a review queue with tamper-evident, hash-chained decisions; multi-role approvals with separation of duties, expiry, and revocation; time-boxed waivers that keep waived items visible.
- CRA-oriented evidence — versioned Annex I coverage mapping, Annex VII technical-documentation packs with validator-enforced UNSIGNED DRAFT declarations, and Article 14 draft workspaces that are never filed or transmitted.
- Exploitation context — CISA KEV, FIRST EPSS, conservative reachability, and suggested SSVC priorities as reviewable inputs; VEX-aware gating that a reviewer decision — and only a reviewer decision — can suppress.
- Evidence bundles and sharing — deterministic reviewer bundles with byte-reproducible ZIPs, and redacted sharing packs for importers and distributors.
- Stable operator contract — documented exit codes, cataloged error codes with fixes and docs links, and `doctor`/`init`/`validate-config`/`quickstart` for first-run setup.
For the complete capability list, see Capabilities.