v0.13.0 — parity release
A broad feature release: everything here is additive — existing scans,
projects, and configurations are unchanged, and the one new external-egress
capability (SCANOSS) is off by default. The full machine-readable changelog
lives in CHANGELOG.md.
Highlights
See how packages relate — dependency graph view
The Components tab gains a Table / Graph toggle. The graph view renders the scan's resolved dependency graph (every parent → child edge) as an interactive node-link diagram, each node coloured by its highest-severity finding, with search highlight and a click-to-detail panel — so you can see how a package is pulled in, not just that it is present. Large graphs fall back to a tree or a banner so the view stays usable at scale.
Find anything, anywhere — global search (⌘K)
The command palette (⌘K / Ctrl+K) now searches components and CVEs across every project you can access, alongside projects and pages. Results are team-scoped server-side — another team's data never appears — and deep-link straight to the relevant project tab.
Excel vulnerability reports
The project vulnerability report can now be downloaded as an Excel (.xlsx)
workbook (Overview / Components / Vulnerabilities sheets) in addition to PDF, from
the Reports tab. Cell values are neutralised against spreadsheet formula
injection. This fulfils the long-standing "Excel / PDF reports" commitment.
Better license coverage
- The classification catalog grew from 32 to 52 licenses, and a free-text
license name with no SPDX id is now normalised to its canonical id — so fewer
components land as
unknown. - The generated NOTICE file now embeds the full SPDX text of every license it credits, plus per-component copyright.
- Two advisory AI license review flags (behavioral-use / non-commercial) flag restrictions that standard compliance tooling misses.
Vulnerability triage — KEV + AI SBOM conformance
- Findings whose CVE is in the CISA KEV catalog carry a KEV badge and a remediation due-date, and a new Priority sort (KEV → severity → EPSS) is the default. An admin KEV feed panel shows sync health.
- SBOM ingest accepts CycloneDX 1.7 (ML-BOM) and appends the G7 "SBOM for AI" 51 minimum-element conformance checks (advisory) for model components.
Vendored-OSS identification (SCANOSS) — opt-in, off by default
An optional scan stage fingerprints the source tree and matches copied-in
("vendored") open source against the SCANOSS knowledge base — closing the gap for
C / C++ / embedded trees with no package manifest. It is disabled unless an
operator sets SCANOSS_ENABLED=true: a self-hosted portal must not send file
fingerprints to an external API without consent. Point SCANOSS_API_URL at a
self-hosted instance to keep fingerprints inside your network.
Upgrade notes
Additive release — no migration action required beyond the standard
alembic upgrade head the images run on boot. The new capabilities are opt-in:
SCANOSS stays off until SCANOSS_ENABLED=true, and the dependency-graph node cap
(DEPENDENCY_GRAPH_MAX_NODES) and search rate budget (SEARCH_RATE_LIMIT) have
safe defaults. See Environment variables for the
new keys.