Changelog

These pages list all changes introduced to BOMnipotent Server and Client by the various versions. The versions follow semantic versioning, meaning that all versions have the form MAJOR.MINOR.PATCH, and

  • the MAJOR version is increased when there is a breaking change for the user, which ideally never happens.
  • the MINOR version is increased for new, non-breaking features.
  • the PATCH version is increased for bug fixes.
  • a MAJOR version of 0 is used during the beta phase. Here everything shifts to the right: a new MINOR version means a breaking change, and a new PATCH version any non-breaking change.

It is recommended to always use the latest version.
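The versioning rules above, including the beta-phase shift for MAJOR version 0, are easy to get wrong when deciding whether an upgrade needs attention. The following added example (not part of BOMnipotent's own code) classifies a version bump under exactly these rules and lists which releases on the way to the latest version are breaking; the release list is constructed from the versions on this page.

```python
"""Classify BOMnipotent version bumps under the semantic-versioning rules above.

Added example, not BOMnipotent code. Rules encoded:
  MAJOR bump -> breaking, MINOR bump -> feature, PATCH bump -> fix,
  and while MAJOR == 0 (beta) a MINOR bump is breaking and a PATCH bump is
  any non-breaking change. Leaving beta (0.x.y -> 1.0.0) is a MAJOR bump.
"""
import re
from typing import List, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify_upgrade(old: str, new: str) -> str:
    """Return 'breaking', 'feature', 'fix', 'non-breaking' or 'none' for old -> new."""
    o, n = parse_version(old), parse_version(new)
    if n < o:
        raise ValueError(f"{new} is older than {old}; downgrades are not classified")
    if n == o:
        return "none"
    if o[0] == 0 or n[0] == 0:  # beta rules apply if either side is a 0.x release
        if n[0] != o[0] or n[1] != o[1]:
            return "breaking"
        return "non-breaking"  # a beta PATCH bump may be a feature or a fix
    if n[0] != o[0]:
        return "breaking"
    if n[1] != o[1]:
        return "feature"
    return "fix"


def breaking_releases(installed: str, releases: List[str]) -> List[str]:
    """Releases newer than `installed` whose bump is breaking relative to the previous one."""
    result, prev = [], installed
    for rel in sorted(releases, key=parse_version):
        if parse_version(rel) <= parse_version(installed):
            continue
        if classify_upgrade(prev, rel) == "breaking":
            result.append(rel)
        prev = rel
    return result


# Constructed from the versions listed on this page.
RELEASES = ["0.3.1", "0.4.0", "0.4.1", "0.4.2", "0.5.0", "0.6.0", "0.6.1", "0.7.0", "1.0.0"]

if __name__ == "__main__":
    print(breaking_releases("0.4.1", RELEASES))
```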

Mar 16, 2025


1.0.0 (2025-08-11)

BREAKING

  • This first full release of BOMnipotent is incompatible with the beta version:
    • The database schema required a breaking overhaul.
    • User key pairs need to follow the OpenPGP standard. Keys created prior to this version no longer work.

Added

  • The server creates and offers SHA-256 and SHA-512 hashes for BOMs and CSAF documents.
  • OpenPGP config allowing the server to host a public key and sign documents, thus becoming a CSAF trusted provider.
  • If OpenPGP is configured, the server offers signatures of BOMs and CSAF documents, and the client downloads them.

Fixed

  • Error messages during the initial config loading were not logged.
  • The server was unable to start if a tmp_admin was specified in the config.

0.7.0 (2025-07-18)

BREAKING

  • The existence check command for BOMs, Users, etc. is “exist” instead of “exists”, and in raw mode returns the number of existing entries instead of just “true”/“false”.
  • Complete replacement of the option “email” with “user”, as announced with version 0.6.0.
  • The configurations “skip_user_verification”, “tmp_admin” and “user_expiration_period” are found under “[user]”. Two of them are further renamed to “skip_verification” and “expiration_period”.

Added

  • Expired users are completely removed from the database after a while. The time is configurable via the “removal_period” parameter.
  • The “whoami” command returns your current username if you can be authenticated on the server.

Changed

  • The global limit on requests for new users is configurable via the “user.new_user_dos_prevention” parameters.
  • The format for specifying datetimes is much more forgiving than before.
  • A user whose previous request for an account was denied cannot request new user accounts.

Fixed

  • The association of CSAF documents to BOMs was flawed.
  • Overwriting BOM name or version during modification did not work properly.

0.6.1 (2025-06-14)

Changed

  • BOMnipotent Client uses the platform-local SSL certificates instead of hard-coded webpki-roots.

Fixed

  • HTTP status codes 3xx are no longer treated as errors.

0.6.0 (2025-06-10)

BREAKING

  • Introducing many filter options for the “list” and “download” commands for bom, component, vulnerability, csaf, product, user, user-role and role-permission. Some of these replace previous options, and the communication between server and client has also been adjusted in places, which is why this is a breaking change, albeit not a very severe one.

Added

  • Re-sending a request to add a new user with the same key re-triggers the verification email.
  • BOM and CSAF upload accept the option “on-existing” with the variants “error”, “skip” and “replace”, which controls how conflicts during the upload are handled.
  • The commands bom, vulnerability, csaf, product, user, user-role and role-permission support the “exists” subcommand, which reports whether or not at least one object matching some filters exists on the server.

Changed

  • Began migrating from option “email” to “user”, by deprecating the former and enabling the latter.
  • Robots cannot be assigned the admin role.

Fixed

  • Carriage returns and other whitespace are now stripped from the edges of command line arguments.

0.5.0 (2025-05-17)

BREAKING

  • The server verifies user accounts by sending a cryptographically signed link to the provided email address. This requires an SMTP section in the config file. This behaviour and thus the need for the SMTP section can be bypassed with another configuration, but because BOMnipotent is secure-by-default, the server does not start if neither is configured.
  • The client does not allow approving unverified users. This security measure can be bypassed with the “allow-unverified” flag.

Added

  • Using the “robot” flag, the client can request a robot account intended for automation. This account does not get verified via email, and needs to be approved by using the “robot” flag again.

0.4.2 (2025-04-26)

Added

  • The ports that the HTTP and HTTPS server bind to are freely configurable.
  • Logging can be configured to print either to stdout or to a logfile.

Fixed

  • Before removing a user, the server checks if that user exists.
  • Special characters in URLs are encoded more thoroughly during internet communication.

0.4.1 (2025-04-07)

Changed

  • Deleting a BOM now deletes all associated vulnerabilities.
  • Relative filepaths are resolved to absolute paths when storing them in a session.
  • Switched to the “xitca” server framework.

0.4.0 (2025-03-24)

BREAKING

  • User accounts now need to exist before they can be assigned any role.
  • Explicitly providing an id when modifying a CSAF document is now optional.
  • Overhauled logging:
    • The option “output-mode” / “o” now only takes values “normal”, “code” and “raw”.
    • New option “log-level” / “l” takes “error”, “warn”, etc.
    • Log file is now specified via “log-file” / “f”.
    • Streamlined which combination logs how much to which output.
    • The “raw” output mode now processes the data like everyone else.

Changed

  • During download, the new flag “overwrite” allows locally overwriting BOM and CSAF documents that have been modified on the server.

Fixed

  • The server can now handle the case where an uploaded BOM contains several vulnerabilities with the same ID.

0.3.1 (2025-03-17)

Added

  • Implemented the “bom get” and “csaf get” commands to print the contents of a single document directly to stdout. This makes it easier to integrate BOMnipotent into scripting.
  • Added options “name” and “version” to the “vulnerability update” command, allowing the name or version of the corresponding product to be provided or overwritten.

Changed

  • The output of “subscription status” now contains the proper name of the product instead of the (internal) product id.