Changelog

These pages list all changes introduced to BOMnipotent Server and Client by various versions. The versions follow semantic versioning, meaning that all versions have the form MAJOR.MINOR.PATCH, and

  • the MAJOR version is increased when there is a breaking change for the user, which ideally never happens.
  • the MINOR version is increased for new, non-breaking features.
  • the PATCH version is increased for bug fixes.
  • a MAJOR version of 0 is used during the beta phase. Here everything shifts to the right: a new MINOR version means a breaking change, and a new PATCH version means any non-breaking change.

It is recommended to always use the latest version.

Mar 16, 2025

Subsections of Changelog

0.5.0 (2025-05-17)

BREAKING

  • The server verifies user accounts by sending a cryptographically signed link to the provided email address. This requires an SMTP section in the config file. This behaviour and thus the need for the SMTP section can be bypassed with another configuration, but because BOMnipotent is secure-by-default, the server does not start if neither is configured.
  • The client does not allow approving unverified users. This security measure can be bypassed with the “--allow-unverified” flag.

Added

  • Using the “--robot” flag, the client can request a robot account intended for automation. This account does not get verified via email, and needs to be approved by again using the “--robot” flag.
May 17, 2025

0.4.2 (2025-04-26)

Added

Fixed

  • Before removing a user, the server checks if that user exists.
  • Special characters in URLs are encoded more thoroughly during internet communication.
Apr 26, 2025

0.4.1 (2025-04-07)

Changed

  • Deleting a BOM now deletes all associated vulnerabilities.
  • Relative filepaths are resolved to absolute paths when storing them in a session.
  • Switched to the “xitca” server framework.
Apr 7, 2025

0.4.0 (2025-03-24)

BREAKING

  • User accounts now need to exist before they can be assigned any role.
  • Explicitly providing an id when modifying a CSAF document is now optional.
  • Overhauled logging:
    • The option “--output-mode” / “-o” now only takes values “normal”, “code” and “raw”.
    • New option “--log-level” / “-l” takes “error”, “warn”, etc.
    • Log file is now specified via “--log-file” / “-f”.
    • Streamlined which combination logs how much to which output.
    • The “raw” output mode now processes the data like everyone else.

Changed

  • During download, the new flag “--overwrite” allows locally overwriting BOM and CSAF documents that have been modified on the server.

Fixed

  • The server can now handle the case where an uploaded BOM contains several vulnerabilities with the same ID.
Mar 24, 2025

0.3.1 (2025-03-17)

Added

  • Implemented the “bom get” and “csaf get” commands to print the contents of a single document directly to stdout. This makes it easier to integrate BOMnipotent into scripting.
  • Added options “--name” and “--version” to the “vulnerability update” command, making it possible to provide or overwrite the name or version of the corresponding product.

Changed

  • The output of “subscription status” now contains the proper name of the product instead of the (internal) product id.