
May 2025 FOSSA Product Updates

May 5, 2025

In recent weeks, we’ve shipped impactful updates across the FOSSA platform, enhancing vulnerability visibility, container analysis, and standards compliance. Here’s a look at what’s new.


🎯 CycloneDX Report Filtering: Focus Your View

You can now filter CycloneDX reports to include only the vulnerabilities that matter for your workflow:

  • Open Vulnerabilities: Only includes those that have not been ignored
  • Closed Vulnerabilities: Only includes those that have been ignored

This gives security and compliance teams better control over how vulnerability data is shared and consumed in downstream tools.


🧪 Validate Your SBOMs with Confidence

We launched our SBOM Validator, a free tool to help you validate CycloneDX SBOMs against NTIA guidelines. The tool will also help you fill in gaps if it identifies any missing elements. Whether you’re preparing for U.S. Executive Order compliance or aligning with industry standards, this tool ensures your SBOMs are complete, correct, and ready for audit.
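To make concrete what "validating against NTIA guidelines" checks, here is an added illustration (not FOSSA's SBOM Validator) that walks a CycloneDX JSON document and reports which NTIA minimum elements are missing per component and for the document as a whole. The mapping of NTIA elements onto CycloneDX 1.5 fields (metadata.timestamp, metadata.authors/tools, component supplier/purl/cpe/swid, the dependencies array) is an assumption, and the sample SBOM is constructed.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements. Added example, not
FOSSA's tool; the NTIA-to-CycloneDX field mapping used here is an assumption."""
import json

def component_gaps(comp: dict) -> list[str]:
    """Return the NTIA per-component fields missing from one component."""
    missing = []
    if not comp.get("name"):
        missing.append("component name")
    if not comp.get("version"):
        missing.append("version")
    # Supplier name: 'supplier.name', falling back to 'publisher' or 'author'
    supplier = (comp.get("supplier") or {}).get("name") or comp.get("publisher") or comp.get("author")
    if not supplier:
        missing.append("supplier name")
    # Unique identifier: any of purl, cpe or a SWID tagId
    if not (comp.get("purl") or comp.get("cpe") or (comp.get("swid") or {}).get("tagId")):
        missing.append("unique identifier")
    return missing

def ntia_gaps(sbom: dict) -> dict[str, list[str]]:
    """Map each bom-ref (or '<document>') to the NTIA elements it lacks;
    an empty dict means every minimum element is present."""
    gaps: dict[str, list[str]] = {}
    meta = sbom.get("metadata") or {}
    doc = []
    if not meta.get("timestamp"):
        doc.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc.append("author of SBOM data")
    # Dependency relationship: at least one component must appear in 'dependencies'
    refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    if refs and not (refs & {d.get("ref") for d in sbom.get("dependencies", [])}):
        doc.append("dependency relationship")
    if doc:
        gaps["<document>"] = doc
    for i, comp in enumerate(sbom.get("components", [])):
        if missing := component_gaps(comp):
            gaps[comp.get("bom-ref") or f"component[{i}]"] = missing
    return gaps

# Constructed sample: one complete component and one with gaps.
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2025-05-01T00:00:00Z", "authors": [{"name": "Example CI"}]},
  "components": [{"bom-ref": "req", "type": "library", "name": "requests", "version": "2.32.3",
                  "purl": "pkg:pypi/requests@2.32.3", "supplier": {"name": "Example Supplier"}},
                 {"bom-ref": "lib-b", "type": "library", "name": "libb"}],
  "dependencies": [{"ref": "req", "dependsOn": ["lib-b"]}]}""")
```

Running `ntia_gaps(SAMPLE_SBOM)` flags only `lib-b` (missing version, supplier name and unique identifier); the document-level elements are present.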


🐳 Major Improvements to Container Scanning

FOSSA CLI’s container scanning just got a major overhaul:

  • Compatibility with modern Docker: Exported containers from recent Docker versions are now supported
  • Better support for OCI registries
  • Seamless integration with Docker’s native authentication providers
  • Improved reliability across authentication flows
  • Fallback support: If something goes wrong, the older container scanning logic is still there as a backup

Behind the scenes, FOSSA now uses a dedicated helper binary to pull images — this is bundled with the CLI, so there’s no additional setup required.


⚠️ The CVE Program Scare — And Our Take

Last month, uncertainty around funding for the CVE Program sent ripples through the security community. CISA later confirmed that funding will continue — but the episode raised valid concerns, and the program's long-term future is still unclear.

Here’s how FOSSA is prepared; we also encourage you to check out our CEO Kevin Wang's LinkedIn post on the matter.

  • Resilience by design: We maintain a proprietary vulnerability database, continuously updated from multiple sources — not just the NVD.

  • Adaptable infrastructure: Our ingest pipeline is built to accommodate changes in source systems.

  • Community support: We’re actively tracking and supporting parallel efforts like the CVE Foundation and EUVD.

No matter how the landscape evolves, we’re committed to helping teams maintain a strong vulnerability management posture.


🚀 Don’t Miss These: BCA & Package Labels

In case you missed it: In April, we released several major products and product updates that may be of interest:


For a full list of product updates, you can reference our Core Release Notes and the FOSSA CLI Changelog. And, of course, feel free to contact your customer success representative with any questions or for more information on any of these features.
