- Added the ability to collect SBOMs from vendored dependencies (e.g. from Rust or Go dependencies).
- Added the option
excludestobuildBomto exclude store paths via regex patterns from the final SBOM. - Added the option
extraPathstobuildBomto consider extra dependencies but still generating an SBOM for the original derivation. - Hashes of fixed output derivations are now included in the SBOM.
- A derivation's
srcurl and hash are now included in the SBOM. - Derivations' descriptions are now included in the SBOM.
docandmanoutputs are not included in the SBOM anymore.- Generate CycloneDX v1.5 SBOMs instead of v1.4.
- The created SBOMS are now reproducible because they derive their serial number from a known input instead of randomly generating it.
- Fixed cross-compilation for SBOMs.