v0.12.0 — SBOM ingest + on-prem dynamic scanning
A feature release with two themes. Both are additive and opt-in — existing
scans and configurations are unchanged. The full machine-readable changelog lives
in CHANGELOG.md.
Highlights
Received-SBOM ingest with conformance scoring (Model 3)
Hand TRUSCA an SBOM your own tooling already produced instead of having it clone
and build your source. POST /v1/projects/{id}/sbom-ingest accepts a
CycloneDX-JSON or SPDX (JSON / Tag-Value) document, queues an sbom-kind
scan that persists the components, matches CVEs with Trivy, and classifies
declared licenses — no source clone or build.
Every uploaded SBOM is scored for quality on its original bytes and gets a
pass / warn / fail verdict (mandatory checks: timestamp, tool info, a
top-level component, 100% name+version, PURL coverage ≥ 90%, no pkg:generic
placeholders, a dependency graph; license + hash coverage are warn-only). The
verdict is advisory — a fail is recorded and surfaced but never blocks
matching. It is exposed at
GET /v1/projects/{id}/scans/{scan_id}/conformance and rendered as a badge +
per-check table on the scan detail page.
On-prem dynamic per-environment scanning
The SBOM-generation stage is now pluggable. With SCAN_EXECUTOR=local_docker
(opt-in, on-prem single-tenant), the worker launches a per-environment cdxgen
sidecar for a toolchain it does not carry, runs build-prep + cdxgen there,
and collects the SBOM — the rest of the pipeline (sign / scancode / Trivy /
persist) is unchanged.
The first target is Android: the worker has no Android SDK, so the Android
Gradle Plugin cannot resolve dependencies (0 components); routing Android to the
SDK sidecar resolves the full graph. Verification showed node / go / rust / ruby
/ java / python / php / dotnet already resolve identically in the all-in-one
worker, so Android is the one genuine gap and the only default-routed
environment — the routed set is configurable via SCAN_LOCAL_DOCKER_ENVS.
The Docker socket is a host-escape surface, so the executor ships hardened
defaults (workspace-only volume mounting, dropped capabilities,
no-new-privileges, resource bounds, a curated env allow-list, refusal of
unpinned :latest images, and an isolated egress network) and went through a
security review. See the
Dynamic scan executor
admin guide before enabling it. New CDXGEN_SPEC_VERSION / CDXGEN_FETCH_LICENSE toggles
tune the SBOM spec version and component-license resolution.
Upgrade notes
- Additive, no action required. New endpoints, the new
sbomscan kind, and all new environment variables default to the previous behaviour. - Migrations auto-apply at container startup (
AUTO_MIGRATE, the default):0032_scan_kind_sbomand0033_sbom_conformanceare forward-only. - Dynamic scanning is off by default (
SCAN_EXECUTOR=inprocess). Enablinglocal_dockeris on-prem single-tenant only and requires the opt-in setup in the admin guide. The worker image now bundles the Docker CLI for that path; it is unused under the default executor.
Pull the 0.12.0 images (or helm upgrade to chart 0.12.0).