Releases: CycloneDX/cyclonedx-rust-cargo

0.8.1 - 2025-03-19

19 Mar 09:32
e58bd55

Release Notes

  • Increased the MSRV to 1.85.0 ([#845])
  • Updated the spdx crate to support additional SPDX expressions ([#845])
  • Extended the invalid SPDX expression error to include the expression ([#844])
  • Several Optional fields are not serialized when they're None ([#847], [#848], [#849])

0.5.9 - 2026-03-19

19 Mar 09:36
e58bd55

Release Notes

Added

  • Support for the SOURCE_DATE_EPOCH environment variable for reproducible builds. When set, the SBOM timestamp is derived from the value of SOURCE_DATE_EPOCH and the random serial number is omitted. ([#852])
  • The CARGO_BUILD_TARGET environment variable is now honored to determine the target platform, matching the behavior of other Cargo tools ([#840])

Fixed

  • Recognize sparse registries (sparse+http://...) as custom registries when constructing PURLs ([#853])
  • Fixed PURL spec compliance where invalid vcs_url would be produced if package source contains qualifiers such as ?branch= ([#856])

Changed

  • Make manifest path absolute without resolving symlinks, bringing the behavior in line with cargo build and fixing issues on systems where the project path contains symlinks ([#808])
  • Avoid writing JSON null for more omitted optional fields (serial_number, depends_on, diff, etc.) ([#847]) ([#848]) ([#849])
  • SPDX validation errors now include the invalid license expression in the error message ([#844])
  • Increased MSRV (minimum supported Rust version) to 1.85 ([#845])

Install cargo-cyclonedx 0.5.9

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.9/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.9/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.9

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-aarch64-unknown-linux-gnu.tar.xz ARM64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.5.8 - 2026-03-12

12 Mar 17:10
0e56b46

Release Notes

Fixed

  • Do not include a license file if SPDX license identifiers are present, fixing a spec compliance issue: the specification doesn't allow both at once ([#826])
  • Do not include subcomponents in metadata.component when describing individual build artifacts (as opposed to an entire crate), fixing interoperability with some CycloneDX deserializing libraries ([#828])

Install cargo-cyclonedx 0.5.8

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.8/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.8/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.8

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-aarch64-unknown-linux-gnu.tar.xz ARM64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.5.7 - 2024-11-30

30 Nov 01:45
c4c3ba9

Release Notes

Added

  • The Cargo.lock v4 format, stabilized in Rust 1.78, is now supported. ([#772]) Previously the SBOM would be generated, but package hashes would not be recorded in the presence of v4 lockfiles.
  • The component.author field is now set to a comma-separated list of authors ([#770]). We'd like to use component.authors instead once CycloneDX v1.6 is supported.

Install cargo-cyclonedx 0.5.7

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.7/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.7/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.7

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.8.0 - 2024-11-07

07 Nov 14:19
6bdfc87

Release Notes

Added

  • Support parsing of empty XML string tags ([#761])
  • Add spec version to bom struct and make validation honor it ([#767])

0.5.6 - 2024-11-07

07 Nov 14:31
6bdfc87

Release Notes

Added

Install cargo-cyclonedx 0.5.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.6/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.6/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.6

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.7.0 - 2024-08-06

06 Aug 11:42
76d0b09

Release Notes

Changed

  • Made model types pub instead of pub(crate), which allows client code to write more fields in SBOMs ([#758])
  • Removed #[non_exhaustive] from SpecVersion, which was a source of bugs in client code ([#749])
  • Switched from packageurl to purl crate as the PURL implementation ([#746])
  • Removed JSON schema validation from the public API and moved jsonschema to dev-dependencies to combat dependency bloat ([#750])

0.5.5 - 2024-07-01

06 Aug 10:51
0aa3968

Release Notes

Changed

  • Build dependencies are now recorded with scope: "excluded", to indicate that they are not used at runtime. ([#755])

Added

  • --no-build-deps flag to omit build dependencies entirely. ([#755])

Install cargo-cyclonedx 0.5.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.5/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.5/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.5

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.5.4 - 2024-07-17

17 Jul 11:11
ebc5b4f

Release Notes

Fixed

  • Fixed PURLs being percent-encoded incorrectly when using the purl crate v0.1.3 or later ([#746])

Install cargo-cyclonedx 0.5.4

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.4/cargo-cyclonedx-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.4/cargo-cyclonedx-installer.ps1 | iex"

Download cargo-cyclonedx 0.5.4

File Platform Checksum
cargo-cyclonedx-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
cargo-cyclonedx-x86_64-apple-darwin.tar.xz Intel macOS checksum
cargo-cyclonedx-x86_64-pc-windows-msvc.zip x64 Windows checksum
cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum
cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz x64 MUSL Linux checksum

Verifying GitHub Artifact Attestations

The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:

gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargo

You can also download the attestation from GitHub and verify against that directly:

gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>

0.6.2 - 2024-07-16

16 Jul 10:51
07a4585

Release Notes

Fixed

  • Dropped a lot of unnecessary dependencies pulled in transitively through the jsonschema crate ([#744])