본문으로 건너뛰기

v0.12.0 — SBOM ingest + on-prem dynamic scanning

A feature release with two themes. Both are additive and opt-in — existing scans and configurations are unchanged. The full machine-readable changelog lives in CHANGELOG.md.

Highlights

Received-SBOM ingest with conformance scoring (Model 3)

Hand TRUSCA an SBOM your own tooling already produced instead of having it clone and build your source. POST /v1/projects/{id}/sbom-ingest accepts a CycloneDX-JSON or SPDX (JSON / Tag-Value) document, queues an sbom-kind scan that persists the components, matches CVEs with Trivy, and classifies declared licenses — no source clone or build.

Every uploaded SBOM is scored for quality on its original bytes and gets a pass / warn / fail verdict (mandatory checks: timestamp, tool info, a top-level component, 100% name+version, PURL coverage ≥ 90%, no pkg:generic placeholders, a dependency graph; license + hash coverage are warn-only). The verdict is advisory — a fail is recorded and surfaced but never blocks matching. It is exposed at GET /v1/projects/{id}/scans/{scan_id}/conformance and rendered as a badge + per-check table on the scan detail page.

On-prem dynamic per-environment scanning

The SBOM-generation stage is now pluggable. With SCAN_EXECUTOR=local_docker (opt-in, on-prem single-tenant), the worker launches a per-environment cdxgen sidecar for a toolchain it does not carry, runs build-prep + cdxgen there, and collects the SBOM — the rest of the pipeline (sign / scancode / Trivy / persist) is unchanged.

The first target is Android: the worker has no Android SDK, so the Android Gradle Plugin cannot resolve dependencies (0 components); routing Android to the SDK sidecar resolves the full graph. Verification showed node / go / rust / ruby / java / python / php / dotnet already resolve identically in the all-in-one worker, so Android is the one genuine gap and the only default-routed environment — the routed set is configurable via SCAN_LOCAL_DOCKER_ENVS.

The Docker socket is a host-escape surface, so the executor ships hardened defaults (workspace-only volume mounting, dropped capabilities, no-new-privileges, resource bounds, a curated env allow-list, refusal of unpinned :latest images, and an isolated egress network) and went through a security review. See the Dynamic scan executor admin guide before enabling it. New CDXGEN_SPEC_VERSION / CDXGEN_FETCH_LICENSE toggles tune the SBOM spec version and component-license resolution.

Upgrade notes

  • Additive, no action required. New endpoints, the new sbom scan kind, and all new environment variables default to the previous behaviour.
  • Migrations auto-apply at container startup (AUTO_MIGRATE, the default): 0032_scan_kind_sbom and 0033_sbom_conformance are forward-only.
  • Dynamic scanning is off by default (SCAN_EXECUTOR=inprocess). Enabling local_docker is on-prem single-tenant only and requires the opt-in setup in the admin guide. The worker image now bundles the Docker CLI for that path; it is unused under the default executor.

Pull the 0.12.0 images (or helm upgrade to chart 0.12.0).