본문으로 건너뛰기

v0.13.0 — parity release

A broad feature release: everything here is additive — existing scans, projects, and configurations are unchanged, and the one new external-egress capability (SCANOSS) is off by default. The full machine-readable changelog lives in CHANGELOG.md.

Highlights

See how packages relate — dependency graph view

The Components tab gains a Table / Graph toggle. The graph view renders the scan's resolved dependency graph (every parent → child edge) as an interactive node-link diagram, each node coloured by its highest-severity finding, with search highlight and a click-to-detail panel — so you can see how a package is pulled in, not just that it is present. Large graphs fall back to a tree or a banner so the view stays usable at scale.

Find anything, anywhere — global search (⌘K)

The command palette (⌘K / Ctrl+K) now searches components and CVEs across every project you can access, alongside projects and pages. Results are team-scoped server-side — another team's data never appears — and deep-link straight to the relevant project tab.

Excel vulnerability reports

The project vulnerability report can now be downloaded as an Excel (.xlsx) workbook (Overview / Components / Vulnerabilities sheets) in addition to PDF, from the Reports tab. Cell values are neutralised against spreadsheet formula injection. This fulfils the long-standing "Excel / PDF reports" commitment.

Better license coverage

  • The classification catalog grew from 32 to 52 licenses, and a free-text license name with no SPDX id is now normalised to its canonical id — so fewer components land as unknown.
  • The generated NOTICE file now embeds the full SPDX text of every license it credits, plus per-component copyright.
  • Two advisory AI license review flags (behavioral-use / non-commercial) flag restrictions that standard compliance tooling misses.

Vulnerability triage — KEV + AI SBOM conformance

  • Findings whose CVE is in the CISA KEV catalog carry a KEV badge and a remediation due-date, and a new Priority sort (KEV → severity → EPSS) is the default. An admin KEV feed panel shows sync health.
  • SBOM ingest accepts CycloneDX 1.7 (ML-BOM) and appends the G7 "SBOM for AI" 51 minimum-element conformance checks (advisory) for model components.

Vendored-OSS identification (SCANOSS) — opt-in, off by default

An optional scan stage fingerprints the source tree and matches copied-in ("vendored") open source against the SCANOSS knowledge base — closing the gap for C / C++ / embedded trees with no package manifest. It is disabled unless an operator sets SCANOSS_ENABLED=true: a self-hosted portal must not send file fingerprints to an external API without consent. Point SCANOSS_API_URL at a self-hosted instance to keep fingerprints inside your network.

Upgrade notes

Additive release — no migration action required beyond the standard alembic upgrade head the images run on boot. The new capabilities are opt-in: SCANOSS stays off until SCANOSS_ENABLED=true, and the dependency-graph node cap (DEPENDENCY_GRAPH_MAX_NODES) and search rate budget (SEARCH_RATE_LIMIT) have safe defaults. See Environment variables for the new keys.