In recent weeks, we’ve shipped impactful updates across the FOSSA platform, enhancing vulnerability visibility, container analysis, and standards compliance. Here’s a look at what’s new.
🎯 CycloneDX Report Filtering: Focus Your View
You can now filter CycloneDX reports to include only the vulnerabilities that matter for your workflow:
- Open Vulnerabilities: Only includes those that have not been ignored
- Closed Vulnerabilities: Only includes those that have been ignored
This gives security and compliance teams better control over how vulnerability data is shared and consumed in downstream tools.
🧪 Validate Your SBOMs with Confidence
We launched our SBOM Validator, a free tool to help you validate CycloneDX SBOMs against NTIA guidelines. The tool will also help you fill in gaps if it identifies any missing elements. Whether you’re preparing for U.S. Executive Order compliance or aligning with industry standards, this tool ensures your SBOMs are complete, correct, and ready for audit.
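To show what "validating against NTIA guidelines" means in practice, here is an added example (not FOSSA's SBOM Validator, and not code from the original post) that checks a CycloneDX JSON document for the NTIA minimum elements and reports each gap; the SBOM it checks is constructed inline, and the field mapping from NTIA elements to CycloneDX keys is the author's own assumption.

```python
# Added example: NTIA minimum-element check for a CycloneDX JSON SBOM.
# NTIA elements: supplier name, component name, version, unique identifier,
# dependency relationship, SBOM author, timestamp. Field mapping is assumed.

def ntia_gaps(sbom: dict) -> list[str]:
    """Return human-readable findings; an empty list means no gaps were found."""
    findings = []
    meta = sbom.get("metadata", {})
    # SBOM author: CycloneDX records this under metadata.authors or metadata.tools
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing SBOM author (metadata.authors or metadata.tools)")
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    components = sbom.get("components", [])
    if not components:
        findings.append("components: none listed")
    for idx, comp in enumerate(components):
        label = comp.get("name") or comp.get("bom-ref") or f"#{idx}"
        if not comp.get("name"):
            findings.append(f"component {label}: missing name")
        if not comp.get("version"):
            findings.append(f"component {label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"component {label}: missing supplier name")
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
            findings.append(f"component {label}: missing unique identifier (purl/cpe/swid)")
    # Dependency relationship: every component should appear in the dependencies graph
    known = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in components:
        ref = comp.get("bom-ref")
        if ref and ref not in known:
            findings.append(f"component {ref}: not present in dependencies graph")
    return findings

# Constructed sample: one complete component, one with several gaps.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2025-05-01T12:00:00Z",
                 "tools": [{"name": "example-generator", "version": "0.1"}]},
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
         "supplier": {"name": "Example Org"}, "purl": "pkg:npm/left-pad@1.3.0"},
        {"bom-ref": "lib-b", "name": "lib-b", "supplier": {"name": "Example Org"}},
    ],
    "dependencies": [{"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []}],
}

if __name__ == "__main__":
    for finding in ntia_gaps(SAMPLE_SBOM):
        print(finding)
```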
🐳 Major Improvements to Container Scanning
FOSSA CLI’s container scanning just got a major overhaul:
- Compatibility with modern Docker: Exported containers from recent Docker versions are now supported
- Better support for OCI registries
- Seamless integration with Docker’s native authentication providers
- Improved reliability across authentication flows
- Fallback support: If something goes wrong, the older container scanning logic is still there as a backup
Behind the scenes, FOSSA now uses a dedicated helper binary to pull images — this is bundled with the CLI, so there’s no additional setup required.
⚠️ The CVE Program Scare — And Our Take
Last month, uncertainty around funding for the CVE Program sent ripples through the security community. CISA later confirmed that funding will continue — but the episode raised valid concerns, and the program's long-term future is still unclear.
Here’s how FOSSA is prepared; we also encourage you to check out our CEO Kevin Wang's LinkedIn post on the matter.
- Resilience by design: We maintain a proprietary vulnerability database, continuously updated from multiple sources — not just the NVD.
- Adaptable infrastructure: Our ingest pipeline is built to accommodate changes in source systems.
- Community support: We’re actively tracking and supporting parallel efforts like the CVE Foundation and EUVD.
No matter how the landscape evolves, we’re committed to helping teams maintain a strong vulnerability management posture.
🚀 Don’t Miss These: BCA & Package Labels
In case you missed it: In April, we released several major products and product updates that may be of interest:
- Binary Composition Analysis (BCA): Scan compiled binaries to uncover hidden security and license compliance risks
- Package Labels: Tag, group, and manage packages by usage, risk, or any other dimension
For a full list of product updates, you can reference our Core Release Notes and the FOSSA CLI Changelog. And, of course, feel free to contact your customer success representative with any questions or for more information on any of these features.