
Bump @cyclonedx/cdxgen from 11.1.5 to 11.1.7#308

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/cyclonedx/cdxgen-11.1.7

Conversation

@dependabot dependabot bot commented on behalf of github Feb 3, 2025

Bumps @cyclonedx/cdxgen from 11.1.5 to 11.1.7.

Release notes

Sourced from @cyclonedx/cdxgen's releases.

Release v11.1.7

cdxgen (>= v11.1.7) now includes a "secure mode," powered by the Node.js permission model. This "seat-belt approach" allows you to control which system resources cdxgen can access and what actions it can perform with those resources. For example, in --lifecycle pre-build mode, you can restrict cdxgen to reading only specific files, without granting permission to execute child processes. Even when executing node-based commands such as npm or atom, you can further limit the directories these external commands can read and write, as well as their permissions to execute child processes. This makes cdxgen an ideal SBOM tool when dealing with untrusted codebases (which is all software).

For further information, please refer to the permissions documentation or start using the new ghcr.io/cyclonedx/cdxgen-secure container image.

Thank you to @eran-medan and the other security researchers for helping bring this feature live.

Addresses CVE-2024-50611 and #1328. Please update at your convenience.

Full Changelog: cdxgen/cdxgen@v11.1.6...v11.1.7

Release v11.1.6

  • Reduce validation warnings. Fix for #1610
  • golang is included in a few Python images

What's Changed

Other Changes

Full Changelog: cdxgen/cdxgen@v11.1.5...v11.1.6

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@cyclonedx/cdxgen](https://github.com/CycloneDX/cdxgen) from 11.1.5 to 11.1.7.
- [Release notes](https://github.com/CycloneDX/cdxgen/releases)
- [Commits](cdxgen/cdxgen@v11.1.5...v11.1.7)

---
updated-dependencies:
- dependency-name: "@cyclonedx/cdxgen"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) on Feb 3, 2025
@socket-security

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package: npm/@cyclonedx/cdxgen@11.1.7 (replaces npm/@cyclonedx/cdxgen@11.1.5)
New capabilities: Transitive: environment, eval, filesystem, network, shell, unsafe
Transitives: +394
Size: 1.51 GB
Publisher: cyclonedx-automation


@socket-security-staging

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package: npm/@cyclonedx/cdxgen@11.1.7 (replaces npm/@cyclonedx/cdxgen@11.1.5)
New capabilities: Transitive: environment, eval, filesystem, network, shell, unsafe
Transitives: +394
Size: 1.48 GB
Publisher: cyclonedx-automation


dependabot bot commented on behalf of github Feb 3, 2025

Looks like @cyclonedx/cdxgen is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Feb 3, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/cyclonedx/cdxgen-11.1.7 branch February 3, 2025 16:32
