Skip to content

0.5.9 - 2026-03-19

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 19 Mar 09:36
cargo-cyclonedx-0.5.9
e58bd55
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release Notes

Added

  • Support for the SOURCE_DATE_EPOCH environment variable for reproducible builds. When set, the SBOM timestamp is derived from the value of SOURCE_DATE_EPOCH and the random serial number is omitted. ([#852])
  • The CARGO_BUILD_TARGET environment variable is now honored to determine the target platform, matching the behavior of other Cargo tools ([#840])

Fixed

  • Recognize sparse registries (sparse+http://...) as custom registries when constructing PURLs ([#853])
  • Fixed PURL spec compliance where invalid vcs_url would be produced if package source contains qualifiers such as ?branch= ([#856])

Changed

  • Make manifest path absolute without resolving symlinks, bringing the behavior in line with cargo build and fixing issues on systems where the project path contains symlinks ([#808])
  • Avoid writing JSON null for more omitted optional fields (serial_number, depends_on, diff, etc.) ([#847]) ([#848]) ([#849])
  • SPDX validation errors now include the invalid license expression in the error message ([#844])
  • Increased MSRV (minimum supported Rust version) to 1.85 ([#845])

Install cargo-cyclonedx 0.5.9

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.9/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.9/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.9

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-aarch64-unknown-linux-gnu.tar.xz ARM64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>
Assets 20
Loading