
Releases: seebom-labs/seebom

SeeBOM 0.2.0

23 Mar 12:40


Container Images

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.2.0
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.2.0
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.2.0
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.2.0
docker pull ghcr.io/seebom-labs/seebom/ui:0.2.0

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.2.0

What's Changed

📖 Documentation

  • Feat. Update Violations to Compliance and non compliance for licenses by @mfahlandt in #14
  • S3 Ingestion + docs by @mfahlandt in #15

Full Changelog: v0.1.3...v0.2.0

SeeBOM 0.1.3

12 Mar 19:46
515eb90


Container Images

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.1.3
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.1.3
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.1.3
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.1.3
docker pull ghcr.io/seebom-labs/seebom/ui:0.1.3

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.1.3

What's Changed

Other Changes

  • Chart updates for the initial installation by @koksay in #12

Full Changelog: v0.1.2...v0.1.3

SeeBOM 0.1.2

11 Mar 20:52
5120a90


🚀 Features

CNCF Allowed Third-Party License Policy as Default

The license policy now follows the official CNCF Allowed Third-Party License Policy. 18 licenses from the CNCF Allowlist (Apache-2.0, MIT, MIT-0, 0BSD, BSD-2-Clause, BSD-2-Clause-FreeBSD, BSD-3-Clause, ISC, PSF-2.0, Python-2.0, Python-2.0.1, PostgreSQL, UPL-1.0, X11, Zlib, OpenSSL, OpenSSL-standalone, SSLeay-standalone) are classified as permissive. All other licenses are flagged and require a CNCF Governing Board exception. The policy is fully customisable via licensePolicy.custom in Helm values.

CNCF Exception Handling Improvements

  • Exceptions with "project": "All CNCF Projects" are automatically promoted to blanket exceptions that apply to every SBOM — no per-project matching needed.
  • Compound license expressions like GPL-2.0-only, GPL-2.0-or-later and MPL-2.0 OR LGPL-3.0-or-later are now split into individual SPDX IDs and matched correctly.
  • Substring package matching: CNCF exception entries use short names like cyphar/filepath-securejoin, which now correctly match fully-qualified SBOM package names like github.com/cyphar/filepath-securejoin.
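How the three rules above fit together with the permissive/flagged classification from the policy section, as an added Go example written for these notes rather than taken from the project: entries whose project is "All CNCF Projects" are promoted to blanket exceptions, compound expressions are split into SPDX IDs before matching, and short package names are matched as substrings of the fully qualified name. The Exception field names, the "*" index key for blanket entries, and the prefix rule for license IDs (described in the 0.1.0 notes further down) are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// CNCF Allowlist from the notes above; anything not listed is flagged.
var cncfAllowlist = map[string]bool{
	"Apache-2.0": true, "MIT": true, "MIT-0": true, "0BSD": true, "BSD-2-Clause": true,
	"BSD-2-Clause-FreeBSD": true, "BSD-3-Clause": true, "ISC": true, "PSF-2.0": true,
	"Python-2.0": true, "Python-2.0.1": true, "PostgreSQL": true, "UPL-1.0": true, "X11": true,
	"Zlib": true, "OpenSSL": true, "OpenSSL-standalone": true, "SSLeay-standalone": true,
}

// Exception is a simplified entry (field names assumed, not the project's schema).
type Exception struct {
	Project string // "All CNCF Projects" makes it a blanket exception
	Package string // short name such as "cyphar/filepath-securejoin"; empty = any
	License string // SPDX ID matched as a prefix; empty = any
}

// Index maps project name to its exceptions; key "*" holds blanket ones.
type Index map[string][]Exception

func BuildIndex(excs []Exception) Index {
	idx := Index{}
	for _, e := range excs {
		key := e.Project
		if key == "All CNCF Projects" {
			key = "*"
		}
		idx[key] = append(idx[key], e)
	}
	return idx
}

// SplitLicenses turns "MPL-2.0 OR LGPL-3.0-or-later" into its SPDX IDs; operators and
// parentheses are dropped, a WITH modifier stays as its own token (conservative; assumed).
func SplitLicenses(expr string) []string {
	expr = strings.NewReplacer("(", " ", ")", " ").Replace(expr)
	var ids []string
	for _, tok := range strings.Fields(expr) {
		if up := strings.ToUpper(tok); up == "AND" || up == "OR" || up == "WITH" {
			continue
		}
		ids = append(ids, tok)
	}
	return ids
}

// covers: substring match on the package, prefix match on each split license ID
// (so "MPL-2.0" also covers "MPL-2.0-no-copyleft-exception"; an empty prefix matches any ID).
func (e Exception) covers(pkg, license string) bool {
	if e.Package != "" && !strings.Contains(pkg, e.Package) {
		return false
	}
	for _, id := range SplitLicenses(license) {
		if strings.HasPrefix(id, e.License) {
			return true
		}
	}
	return false
}

// IsExempt checks blanket exceptions first, then the project's own.
func (idx Index) IsExempt(project, pkg, license string) bool {
	all := append(append([]Exception{}, idx["*"]...), idx[project]...)
	for _, e := range all {
		if e.covers(pkg, license) {
			return true
		}
	}
	return false
}

// Categorize is "permissive" only when every ID is allowlisted; empty input is "flagged".
func Categorize(expr string) string {
	ids := SplitLicenses(expr)
	permissive := len(ids) > 0
	for _, id := range ids {
		permissive = permissive && cncfAllowlist[id]
	}
	if permissive {
		return "permissive"
	}
	return "flagged"
}

// Compliant: permissive license, or a flagged one that an exception covers.
func Compliant(idx Index, project, pkg, license string) bool {
	return Categorize(license) == "permissive" || idx.IsExempt(project, pkg, license)
}

func main() {
	idx := BuildIndex([]Exception{{Project: "All CNCF Projects", Package: "cyphar/filepath-securejoin", License: "MPL-2.0"}, {Project: "kubernetes", License: "GPL-2.0"}}) // constructed
	fmt.Println(Compliant(idx, "etcd", "github.com/cyphar/filepath-securejoin", "MPL-2.0 OR LGPL-3.0-or-later")) // true
	fmt.Println(Compliant(idx, "etcd", "example.org/some/tool", "GPL-2.0-only"))                                   // false
}
```

A license that is neither allowlisted nor covered ends up flagged, which is the behaviour the upgrade notes describe for Unlicense and CC0-1.0. The split step is what makes a blanket exception for MPL-2.0 reach a package whose SBOM expression is "MPL-2.0 OR LGPL-3.0-or-later"; without it the comparison is against the whole string and never matches.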

License Exception Fallback Loading

Both the API Gateway and Parsing Worker now try loading exceptions from the ConfigMap path first, then fall back to /data/sboms/license-exceptions.json (the CNCF file downloaded by the seed job). Previously, workers would silently run without exceptions if the ConfigMap was empty.

Deployment Examples (examples/)

New examples/ directory with ready-to-use deployment configurations:

  • examples/kind/ — Kind cluster config, Helm values, secrets template, and step-by-step README
  • examples/kubernetes/values-production.yaml — HA deployment with seed job (for large SBOM repos)
  • examples/kubernetes/values-minimal.yaml — Single-replica deployment with git-sync (for small repos)
  • Full documentation of all three SBOM ingestion methods (seed job, git-sync, manual PVC) with file placement rules

New Makefile Targets

  • make kind-build — Build all container images and load them into the Kind cluster
  • make kind-deploy — Build, load, Helm upgrade, and restart pods in one command
  • make kind-reingest — Truncate all data tables and re-queue all SBOMs from the PVC without re-downloading

Configurable PVC Size

sbomSource.storageSize in Helm values now controls the SBOM PVC size. The CNCF SBOM repo requires ~15 Gi; the default remains 1 Gi for generic deployments.


🐛 Bug Fixes

Archived Packages Query (HTTP 500)

Fixed a ClickHouse query error (Expected equi-join ON condition) in the /api/v1/packages/archived endpoint. The JOIN was replaced with a CROSS JOIN using a filtered subquery. The endpoint now returns results correctly instead of an HTTP 500 error.

SBOM Seed Job File Deduplication

The CNCF SBOM repo contains 6559 files across deeply nested directories, but many share the same basename. The seed job now flattens directory paths into filenames (e.g. cncf/kubernetes/v1.28/kubernetes.spdx.json → cncf_kubernetes_v1.28_kubernetes.spdx.json), preserving all files. Previously only ~1105 of 6559 SBOMs were ingested.
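The flattening rule above and the loss it prevents, as an added Go example (written for these notes; the seed job's own script is not reproduced here). The sample file list is constructed to show repeated basenames in different directories.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed repo-relative paths mimicking a nested SBOM repo layout; note the
// repeated basenames kubernetes.spdx.json and sbom.spdx.json.
var sampleRepoFiles = []string{
	"cncf/kubernetes/v1.27/kubernetes.spdx.json",
	"cncf/kubernetes/v1.28/kubernetes.spdx.json",
	"cncf/etcd/v3.5/sbom.spdx.json",
	"cncf/envoy/v1.30/sbom.spdx.json",
	"cncf/argo/sbom.spdx.json",
}

// FlattenPath turns a repo-relative path into one filename by joining every
// directory component with "_". Files that share a basename get distinct names,
// and the result contains no separator, so it cannot land outside the target
// directory regardless of what the source path contained.
func FlattenPath(rel string) string {
	rel = strings.TrimPrefix(path.Clean(strings.TrimSpace(rel)), "/")
	return strings.ReplaceAll(rel, "/", "_")
}

// CountSurviving returns how many distinct destination names a naming scheme
// produces for the given paths; anything below len(paths) means SBOMs were
// overwritten by a later file with the same name.
func CountSurviving(paths []string, name func(string) string) int {
	seen := map[string]struct{}{}
	for _, p := range paths {
		seen[name(p)] = struct{}{}
	}
	return len(seen)
}

func main() {
	n := len(sampleRepoFiles)
	fmt.Printf("basename only: %d of %d files survive\n", CountSurviving(sampleRepoFiles, path.Base), n) // 2 of 5
	fmt.Printf("flattened:     %d of %d files survive\n", CountSurviving(sampleRepoFiles, FlattenPath), n) // 5 of 5
	fmt.Println(FlattenPath("cncf/kubernetes/v1.28/kubernetes.spdx.json"))
}
```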

SBOM Detail Page Error Handling

Fixed an issue in the Angular UI where forkJoin cancelled all parallel API calls when the archived-packages endpoint returned an error. Added catchError with fallback defaults so the detail page loads even when individual API calls fail.


🔧 Maintenance

  • Removed stale compiled Go binaries (backend/api-gateway, backend/parsing-worker) from the repository and added them to .gitignore.
  • Production Helm example (values-production.yaml) switched from git-sync to seed job — git-sync times out on large repos (>1 GB) like cncf/sbom.
  • Fixed duplicate "Option B" headings in the README (now correctly labelled A/B/C).
  • Updated all version references from 0.1.0 to 0.1.2 across Helm chart, values, examples, and documentation.
  • Updated dates in all docs.

🧪 Tests

  • 8 new tests for CNCF exception handling:
    • TestBuildIndex_AllCNCFProjectsPromotedToBlanket
    • TestBuildIndex_CompoundLicenseOR
    • TestBuildIndex_CompoundLicenseAND
    • TestIsExempt_SubstringPackageMatch
    • TestIsExempt_SubstringPackageAnyLicense
    • TestSplitLicenses (6 subtests)
    • TestLoadExceptionsWithFallback_PrimaryPath
    • TestLoadExceptionsWithFallback_FallbackPath
    • TestLoadExceptionsWithFallback_AllMissing
    • TestLoadExceptionsWithFallback_EmptyPaths
  • Updated TestCategorize to cover BSD-3-Clause, ISC, and 0BSD under the CNCF Allowlist.
  • Total test count: 87+ (up from 73+).

📦 Upgrade Notes

  • The default license policy has changed. Licenses previously classified as permissive (e.g. Unlicense, CC0-1.0, BSL-1.0, Artistic-2.0, JSON, WTFPL, CC-BY-3.0, CC-BY-4.0) are now classified as unknown (not in either list) — they will be flagged for review unless covered by a CNCF exception. If you want the old behaviour, set licensePolicy.custom in your Helm values.
  • To apply the new policy to existing data, run make kind-reingest (Kind) or truncate the license_compliance table and re-trigger the Ingestion Watcher.
  • The examples/kubernetes/values-production.yaml now uses a seed job instead of git-sync. If you were using git-sync with a large repo, consider switching.

Container Images

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.1.2
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.1.2
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.1.2
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.1.2
docker pull ghcr.io/seebom-labs/seebom/ui:0.1.2

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.1.2

What's Changed

Other Changes

  • feat: CNCF license policy as default, exception handling improvements by @mfahlandt in #10

Full Changelog: v0.1.1...v0.1.2

SeeBOM 0.1.1

11 Mar 08:00
48d52d0


Container Images

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.1.1
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.1.1
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.1.1
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.1.1
docker pull ghcr.io/seebom-labs/seebom/ui:0.1.1

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.1.1

What's Changed

Other Changes

  • Add podTemplate and volumeClaimTemplate to ClickhouseInstallation by @koksay in #5

Full Changelog: v0.1.0...v0.1.1

SeeBOM 0.1.0

10 Mar 09:46
bd33034


SeeBOM v0.1.0 – Initial Release 🎉

Kubernetes-native SBOM Visualization & Governance Platform

The first public release of SeeBOM Labs. Ingest SPDX SBOMs, scan for vulnerabilities via OSV, enforce license compliance, apply VEX statements, and detect archived dependencies — all visualized in a fast Angular dashboard backed by ClickHouse analytics.


🚀 Features

Core Platform

  • SBOM Ingestion Pipeline — CronJob-based file scanner with SHA256 deduplication, ClickHouse job queue, and scalable stateless parsing workers
  • SPDX 2.3 Parser — Streaming JSON parser with deterministic SBOM IDs and license fallback handling
  • 17 REST API Endpoints — Stateless API Gateway built with Go stdlib net/http

Vulnerability Management

  • OSV Integration — Batch vulnerability scanning with rate-limiting (token bucket) and exponential backoff retry
  • CVE Refresher — Background CronJob that incrementally checks all known PURLs for newly published CVEs without re-scanning SBOMs
  • CVE Impact Search — Find all projects affected by a specific CVE with direct/transitive dependency classification
  • Shared OSV Helpers — internal/osvutil package for severity classification, CVSS parsing, fixed version extraction

VEX Support (OpenVEX v0.2.0)

  • VEX Ingestion — *.openvex.json / *.vex.json files processed through the same pipeline as SBOMs
  • VEX URL Normalization — Vulnerability @id URLs automatically reduced to plain IDs (e.g. https://pkg.go.dev/vuln/GO-2025-4188 → GO-2025-4188)
  • VEX Filtering — "All" vs "Effective Only" toggle on vulnerabilities page excludes not_affected entries
  • VEX Status Badges — Visual indicators on vulnerability lists and SBOM detail views
  • VEX files never limited — SBOM_LIMIT only applies to SBOMs; VEX files are always fully processed
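The URL normalization and the "Effective Only" filter from the list above, as an added Go example written for these notes (not the project's VEX code). The OpenVEX field subset, the name fallback when "@id" is absent, and the sample document and scan findings are this example's assumptions; OSV-EXAMPLE-0001 is a placeholder identifier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of OpenVEX v0.2.0 fields needed here (shape assumed from the spec;
// the project's own types may differ).
type vexDocument struct {
	Statements []struct {
		Vulnerability struct {
			ID   string `json:"@id"`
			Name string `json:"name"`
		} `json:"vulnerability"`
		Products []struct {
			ID string `json:"@id"`
		} `json:"products"`
		Status        string `json:"status"`
		Justification string `json:"justification"`
	} `json:"statements"`
}

// NormalizeVulnID reduces a URL-style @id to its last path segment:
// "https://pkg.go.dev/vuln/GO-2025-4188" -> "GO-2025-4188"; a bare ID is unchanged.
func NormalizeVulnID(id string) string {
	id = strings.TrimRight(strings.TrimSpace(id), "/")
	if i := strings.LastIndex(id, "/"); i >= 0 {
		return id[i+1:]
	}
	return id
}

// Finding is one (package, vulnerability) pair from the OSV scan.
type Finding struct{ Product, VulnID string }

// VexStatus is what a status badge shows for a finding.
type VexStatus struct{ Status, Justification string }

// BuildStatusIndex parses an OpenVEX document into a lookup keyed by product
// PURL and normalized vulnerability ID, using "name" when "@id" is absent.
func BuildStatusIndex(raw []byte) (map[Finding]VexStatus, error) {
	var doc vexDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse openvex: %w", err)
	}
	idx := map[Finding]VexStatus{}
	for _, s := range doc.Statements {
		id := NormalizeVulnID(s.Vulnerability.ID)
		if id == "" {
			id = s.Vulnerability.Name
		}
		for _, p := range s.Products {
			idx[Finding{p.ID, id}] = VexStatus{s.Status, s.Justification}
		}
	}
	return idx, nil
}

// EffectiveOnly drops findings a VEX statement marks not_affected, which is
// what the "Effective Only" toggle does; every other status stays visible.
func EffectiveOnly(findings []Finding, idx map[Finding]VexStatus) []Finding {
	var out []Finding
	for _, f := range findings {
		if idx[f].Status != "not_affected" {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample document and scan results (OSV-EXAMPLE-0001 is a placeholder).
var sampleVEX = []byte(`{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.org/vex/constructed-1",
  "author": "example maintainer",
  "timestamp": "2025-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"@id": "https://pkg.go.dev/vuln/GO-2025-4188", "name": "GO-2025-4188"},
     "products": [{"@id": "pkg:golang/example.org/foo@1.2.3"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "OSV-EXAMPLE-0001"},
     "products": [{"@id": "pkg:golang/example.org/foo@1.2.3"}],
     "status": "under_investigation"}
  ]
}`)

var sampleFindings = []Finding{
	{"pkg:golang/example.org/foo@1.2.3", "GO-2025-4188"},
	{"pkg:golang/example.org/foo@1.2.3", "OSV-EXAMPLE-0001"},
	{"pkg:golang/example.org/bar@0.9.0", "GO-2025-4188"},
}

func main() {
	idx, err := BuildStatusIndex(sampleVEX)
	if err != nil {
		panic(err)
	}
	for _, f := range EffectiveOnly(sampleFindings, idx) {
		fmt.Printf("%s %s status=%q\n", f.Product, f.VulnID, idx[f].Status)
	}
}
```

Keying the index by product as well as vulnerability matters: the not_affected statement for foo must not suppress the same GO-2025-4188 finding on bar, which has no VEX statement and therefore stays effective.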

License Governance

  • Externalized License Policy — license-policy.json defines permissive/copyleft classification (no rebuild needed)
  • License Exceptions — CNCF-format license-exceptions.json with blanket and per-package exceptions, prefix matching (e.g. MPL-2.0 matches MPL-2.0-no-copyleft-exception)
  • License Violations View — Cross-project license compliance with two tabs: violations and active exceptions
  • Permissive License Handling — Packages with permissive licenses (MIT, Apache-2.0, BSD) are never flagged as non-compliant

GitHub Integration

  • License Resolution — Packages with NOASSERTION/empty licenses resolved via GitHub API (/repos/{owner}/{repo}/license)
  • GitHub License Cache — ClickHouse table avoids redundant API calls across ingestion runs
  • Repo Metadata Detection — Archived status, fork, stars, last push date captured automatically
  • Archived Repos Warning — Dashboard banner + dedicated page listing dependencies from archived GitHub repos
  • Rate Limiting — Token bucket with automatic rate-limit reset handling (authenticated: 5000 req/h, unauthenticated: 60 req/h)
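The token bucket with reset handling mentioned here for the GitHub client, and the token bucket plus exponential backoff retry listed for the OSV integration above, as one added Go example written for these notes (not the project's code). The injected clock and sleep function, the Pause method as the way a reported reset time is honoured, and the ErrRetryable sentinel are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenBucket allows bursts up to capacity and refills at rate tokens per
// second. The clock is injected so tests can drive time deterministically.
type TokenBucket struct {
	capacity, rate, tokens float64
	last, pausedUntil      time.Time
	now                    func() time.Time
}

func NewTokenBucket(capacity int, perSecond float64, now func() time.Time) *TokenBucket {
	return &TokenBucket{capacity: float64(capacity), rate: perSecond,
		tokens: float64(capacity), last: now(), now: now}
}

// Take consumes one token if one is available; it never blocks, and always
// fails while a pause (see Pause) is in effect.
func (b *TokenBucket) Take() bool {
	t := b.now()
	if t.Before(b.pausedUntil) {
		return false
	}
	b.tokens += t.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Pause models rate-limit reset handling: when the upstream reports the quota
// exhausted until a given time, issue nothing until then and refill from empty
// afterwards (this example's assumption of how such a reset is honoured).
func (b *TokenBucket) Pause(until time.Time) {
	b.pausedUntil, b.tokens, b.last = until, 0, until
}

// Backoff is the delay before retry n (0-based): base doubled n times, capped
// at limit; the loop form cannot overflow for large n.
func Backoff(base, limit time.Duration, n int) time.Duration {
	d := base
	for i := 0; i < n && d < limit; i++ {
		d *= 2
	}
	if d > limit {
		return limit
	}
	return d
}

// ErrRetryable marks failures worth another attempt (a throttled or failed
// batch call, say); any other error is returned at once.
var ErrRetryable = errors.New("retryable upstream error")

// Retry runs fn up to attempts times with exponential backoff between retryable
// failures; sleep is injected so tests do not wait.
func Retry(attempts int, base, limit time.Duration, sleep func(time.Duration), fn func() error) (err error) {
	for n := 0; n < attempts; n++ {
		if err = fn(); err == nil || !errors.Is(err, ErrRetryable) {
			return err
		}
		if n < attempts-1 {
			sleep(Backoff(base, limit, n))
		}
	}
	return err
}

func main() {
	b := NewTokenBucket(3, 1, time.Now) // 3-request burst, then 1 request/s
	for i := 1; i <= 5; i++ {
		fmt.Printf("request %d admitted=%v\n", i, b.Take())
	}
	calls := 0
	err := Retry(4, 100*time.Millisecond, 2*time.Second, time.Sleep, func() error {
		calls++
		if calls < 3 {
			return ErrRetryable // constructed: fail twice, then succeed
		}
		return nil
	})
	fmt.Println("calls:", calls, "err:", err) // calls: 3 err: <nil>
}
```

Separating the retryable sentinel from other errors is the part that keeps a backoff loop from hammering an upstream on a request that can never succeed, such as a malformed batch; only throttling and transient failures should consume retry budget.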

Angular UI (10 Pages)

  • Dashboard — KPI cards, 3 donut charts, 2 bar charts, VEX effective/suppressed counts, CVE refresh banner, archived repos warning
  • SBOM Explorer — Paginated list with client-side full-text search (project name, file path, version)
  • SBOM Detail — 3 tabs: Vulnerabilities (VEX badges), Licenses (exemption status + package list), Dependencies (tree view, archived badges)
  • Vulnerability List — Virtual scrolling, VEX status badges, All/Effective toggle
  • CVE Impact Search — CVE search → affected projects grouped by project with version tags, DIRECT/TRANSITIVE badges
  • License Overview — Category cards with project grouping and version tags
  • License Violations — Two tabs: violations filtered by exceptions, active exceptions list
  • Dependency Statistics — Top-100 dependencies cross-project, sortable columns, version pills, vuln count
  • VEX Statements — Virtual scrolling, status/justification badges, affected SBOMs, empty state
  • Archived Packages — Grouped by repo with stars, last push date, affected projects with version links

UI Theming

  • 60+ CSS Custom Properties — Full control over layout, brand, navbar, text, severity, status, license, chart colors
  • Dark Mode — Built-in toggle in navbar, persisted in localStorage, respects prefers-color-scheme
  • Custom Theme CSS — External custom-theme.css mountable without Angular rebuild (Docker: CUSTOM_THEME env var, K8s: ConfigMap)

Kubernetes Deployment

  • Helm Chart — 13 templates: API Gateway, Parsing Worker, Ingestion Watcher (CronJob), CVE Refresher (CronJob), UI, ClickHouse Operator installation, ConfigMaps for license policy/exceptions/custom theme, Secrets
  • git-sync — InitContainer clones SBOM repo before ingestion (public or private SSH)
  • Configurable via values.yaml — Worker replicas, SBOM limits, OSV skip, GitHub token, CVE refresh schedule, custom theme

Database

  • ClickHouse — 11 migrations, 10 tables + 1 materialized view
  • Tables: sboms, sbom_packages, vulnerabilities, license_compliance, ingestion_queue, dashboard_stats_mv, vex_statements, cve_refresh_log, github_license_cache, github_repo_metadata

🐛 Bug Fixes

  • Fix VEX effective filter query — was returning HTTP 500 due to ClickHouse NOT EXISTS subquery incompatibility, replaced with LEFT JOIN + WHERE filter

🧪 Tests

  • 73+ backend tests across 8 packages: config, github/purl, github/resolver, license, osv, osvutil, repo, spdx, vex
  • Angular specs for: Dashboard, SBOM Explorer, SBOM Detail, Vulnerability List, CVE Impact, Dependency Stats, License Violations, VEX List, Archived Packages, ApiService (14 endpoint tests)
  • All tests run without external dependencies (httptest mocks, t.TempDir, inline JSON)
  • Race-safe: go test -race passes

📖 Documentation

  • README.md — Quick start, Docker Compose setup, configuration, Makefile commands, API endpoint table
  • docs/ARCHITECTURE_PLAN.md — Full blueprint: directory structure, data flow, 17 API endpoints, ClickHouse schema, VEX architecture, OSV integration, license governance, GitHub dependency health, UI architecture, decision log (28 decisions)
  • docs/DEPLOYMENT_GUIDE.md — Kubernetes deployment: SBOM sources (git-sync, SSH, PVC), license exceptions, license policy, custom theme, full Helm install example
  • docs/RELEASE.md — Release workflow, CI/CD pipelines, container image architecture, fork-based workflow
  • docs/TESTING.md — Test guide: patterns, conventions, current inventory, how to add tests
  • AGENTS.md — Contributor guide for AI coding agents

🔧 CI/CD

  • CI (.github/workflows/ci.yml) — Go build + test + vet, Angular build, Helm lint on every push/PR
  • Release (.github/workflows/release.yml) — Tag-triggered: builds 5 multi-arch images, pushes Helm chart, creates GitHub Release with auto-generated notes
  • Pre-Release (.github/workflows/pre-release.yml) — Manual workflow_dispatch for testing from any branch
  • Auto-Label (.github/workflows/labeler.yml) — Assigns labels to PRs based on changed files
  • Sync Labels (.github/workflows/sync-labels.yml) — Syncs .github/labels.yml to repo

Container Images

docker pull ghcr.io/seebom-labs/seebom/api-gateway:0.1.0
docker pull ghcr.io/seebom-labs/seebom/parsing-worker:0.1.0
docker pull ghcr.io/seebom-labs/seebom/ingestion-watcher:0.1.0
docker pull ghcr.io/seebom-labs/seebom/cve-refresher:0.1.0
docker pull ghcr.io/seebom-labs/seebom/ui:0.1.0

Helm Chart

helm install seebom oci://ghcr.io/seebom-labs/seebom/charts/seebom --version 0.1.0

Full Changelog: https://github.com/seebom-labs/seebom/commits/v0.1.0