Releases: rhyskoedijk/sbom-azure-devops

1.4.0

27 Dec 21:22
4a97d37

What's Changed

  • Added support for viewing multiple SPDX documents attached to a single build
  • Added new "Summary" tab containing high-level charts and statistics for the SPDX document by @rhyskoedijk in #15
  • "License" and "Supplier" tabs only show the first three packages by default; click the "More" button to expand the list
  • "License" and "Supplier" tabs show the package version and allow click-through to the package manager web page
  • "Security" tab now shows the "package introduced through" dependency chain when hovering over package names
  • Task will no longer attach "manifest.spdx.xlsx" to pipeline build attachments; it is now generated dynamically in UI
  • Normalised SPDX constants before all equality checks, for better compatibility
  • Improved accuracy of license expression parsing

Dependency Changes

Full Changelog: 1.3.0...1.4.0

1.3.0

01 Dec 13:42

What's Changed

  • Improve GHSA graph client error handling when rate-limited
  • Show error message card when SPDX artifacts cannot be loaded
  • Don't throw error when SVG artifact cannot be loaded
  • Don't include SVG artifact when downloading the SPDX document
  • Align security advisory severity colours with the Azure DevOps theme
  • Condense the security advisories column width in the packages tables
  • Increase the SPDX version to 2.3 if security advisories are added
  • Add "Upload SPDX" menu option to quickly test different .spdx.json files; only enabled in a localhost environment
  • Add the full GHSA security vulnerability data as "security url" external reference to packages
  • Add task input option enableManifestSpreadsheetGeneration for XLSX spreadsheet generation
  • Add affected/patched versions to security advisory tab
  • Add licenses tab
  • Add suppliers tab
  • Add vulnerability count columns to XLSX packages sheet
  • Add more info to XLSX security advisories sheet
  • Add XLSX licenses sheet
  • Add XLSX suppliers sheet
  • Add XLSX "fix available" column to security advisories sheet
  • Order XLSX rows to match default sort order of UI
  • Use wider columns in XLSX
  • Parse SPDX license expressions into individual license references rather than displaying the raw expression
  • Parse PURL package manager name and URL
  • Use webpack to build and package the task files
  • Use more verbose logging for XLSX and SVG generation
  • When publishing the localhost package, always increment the task patch version to a higher number than the previous package

Dependency Changes

Full Changelog: 1.2.1...1.3.0

1.2.1

21 Nov 19:50

What's Changed

  • Lower minimum server API version from 7.2 to 5.0 (wider server compatibility) by @rhyskoedijk in #7
  • Set minimum pipeline agent version to 3.232.1 (lowest version supporting Node 20.1) by @rhyskoedijk in #7

Full Changelog: 1.2.0...1.2.1

1.2.0

12 Nov 12:13

What's Changed

  • Added zoom, pan, and pinch support for the graph view tab SVG image
  • Added security advisory summary pills to the document header
  • Added security advisory severity info to the packages table
  • Added "package introduced through" info to the security advisories table

Full Changelog: 1.1.0...1.2.0

1.1.0

08 Nov 12:31

What's Changed

  • Update CI/CD pipelines

Full Changelog: 1.0.25...1.1.0

1.0.25

07 Nov 05:51

What's Changed

  • Add SBOM build result tab UI by @rhyskoedijk in #4
  • Add Husky pre-commit git hooks for codespell and prettier by @rhyskoedijk in #4
  • Fixed invalid namespace URI base when derived from a supplier name containing spaces or special characters by @rhyskoedijk in #4

Full Changelog: 1.0.15...1.0.25

1.0.15

07 Nov 05:22

What's Changed

Full Changelog: https://github.com/rhyskoedijk/sbom-azure-devops/commits/1.0.15