This repository was archived by the owner on Jan 23, 2025. It is now read-only.

Releases: enclaver-io/sbom-server

v0.2.1

13 May 21:02

Security

Full Changelog: v0.2.0...v0.2.1

v0.2.0

13 Dec 03:50

What's New

  • Added a GitHub Actions workflow for building releases (#26, #31, #33, #34)
  • Server returns the correct build type and builder IDs (#24)
  • Hardened configuration has been enabled by default for the server (#32)
  • Server does a better job detecting tags in multi-platform Docker image artifacts (#35)
  • Client prints the SBOM instead of its containing in-toto Statement (#25)
  • Fix the EdgeBit GitHub integration (#27)

Full Changelog: v0.1.0...v0.2.0

v0.2.0-rc.2

13 Dec 03:32
Pre-release
release: v0.2.0

v0.2.0-rc.1

08 Dec 01:46
Pre-release
security: add PCR0 for v0.2.0-rc.0

https://github.com/edgebitio/sbom-server/actions/runs/7119446763

v0.2.0-rc.0

06 Dec 19:58
Pre-release
github: add write permission to contents scope

Without this, the build-binary job fails to publish the executable
with a 403. I didn't notice this in my testing because my fork of the
repository has a different setting for "Workflow permissions" (Code
and automation > Actions > General).

v0.1.0

16 Nov 00:04

This is the initial release of the server and client components. They implement a minimal demonstration of in-toto and AWS Nitro Enclaves being used to verifiably generate an SBOM from an uploaded artifact. This release is intended for demonstration purposes only, but that should change in future releases.

Known Issues

  • The binaries and EIF were built in a one-off, manual process
  • The dist/ directory is missing the Enclaver configuration used to build the enclave image file (EIF)
  • The Build Type and Builder IDs are incorrect (missing a 'v' prefix on the version number)
  • When --attest is used, the client outputs the in-toto Statement instead of the inner SBOM