v1.1.0

Changelog

Enhancements

• Add option to assert detected licenses (#96 via #97)
  • This will move licenses from evidence/licenses to licenses, which helps with SBOM ingestion in some cases
• app: Add option to include packages in application SBOM (#85 via #92)
• app: The -packages and -files options are now also applied to the standard library component (when -std is used) (#84 via #92)
  • Thanks TheDiveO for reporting!
• bin: Add support for build info in binaries built with Go 1.18+ (#86 via #101)
• Package URLs now include a type qualifier to better differentiate between modules and packages (via 1c4b136)

Breaking Changes

• app: -files can now only be used in conjunction with -packages
• app: Files are now represented as subcomponents of packages

Miscellaneous

• The go prefix is no longer stripped from Go versions
  • e.g. the standard library module will now appear as pkg:golang/[email protected] instead of pkg:golang/[email protected]

Dependency Updates

• Update github.com/rs/zerolog from v1.25.0 to v1.26.0

Building and Packaging

• Bump golang container base images from 1.17.2 to 1.17.3 (via #95)
• Reference container base images by their SHA digest (#89 via #90)
• Introduce multi-platform container image builds (#87 via #90)
• Bump alpine-based golang container base images from alpine3.14 to alpine3.15 (via 47cee81)

Commits since v1.1.0-alpha.1

• 47cee81 build: update base images to alpine 3.15
• 1f15606 feat: add support for build info in binaries built with go 1.18+ (#101)

Docker images

• docker pull cyclonedx/cyclonedx-gomod:v1.1.0
• docker pull cyclonedx/cyclonedx-gomod:v1
• docker pull cyclonedx/cyclonedx-gomod:v1.1