Software Bill of Materials
Every CICADA IR release publishes a complete Software Bill of Materials in industry-standard CycloneDX 1.6 JSON format. This page is the single source of truth for what is actually installed inside the appliance you run.
Why we publish this
When you deploy a security tool inside your network, your audit, compliance, and procurement teams need to know exactly what is in it. Modern supply-chain attacks target dependencies, not the headline product. Publishing an SBOM means:
- Your SCA tooling can ingest it directly. Dependency-Track, Snyk, GitHub Advanced Security, and every other SCA platform reads CycloneDX natively. Drop the JSON in and you get a real-time view of any CVEs that affect your CICADA appliance.
- Your auditors can verify our claims. Every dependency, every version, every license, every Package URL (purl). Nothing hidden.
- Incident response is faster. When the next zero-day drops, you do not have to wait for us to tell you whether you are exposed — you can check in seconds.
Latest release
v1.79.3 — released 2026-05-05. 169 backend dependencies, 230 frontend dependencies.
Release history
| Version | Released | Backend | Frontend | Notes |
|---|---|---|---|---|
| v1.79.3 | 2026-05-05 | 169 deps (JSON) | 230 deps (JSON) | Cloud LLM 'Not Purchased' on paid tiers fixed + Threat Intelligence providers stop appearing to vanish on direct navigation |
| v1.79.2 | 2026-05-05 | 169 deps (JSON) | 230 deps (JSON) | Multi-cloud LLM picker, LLM Assistant Stop button, investigation-id passthrough, v2 product keys with embedded seats, pricing label fix |
| v1.78.1 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Community-tier log sources verified end-to-end + capability metadata aligned |
| v1.78.0 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Community Edition gets log-based evidence + Automated Response, pricing restructure, Trust & SBOM landing section |
| v1.77.13 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Timeline IOC details: 'Engine assessment' → 'Why this severity', collapsed by default, plain-English reasoning |
| v1.77.12 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Threat Intelligence enrichment: abuse.ch 403s fixed (User-Agent), Shodan 404 no longer shows as Failed |
| v1.77.11 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Reports page: AI-Enhanced cards stop mirroring status + grey out when no local LLM available |
| v1.77.10 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Help button moves from floating FAB into the sidebar bottom toggle row |
| v1.77.9 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Settings → LLM Provider: per-provider URL retention + accurate "no models" copy + Assistant banner parity |
| v1.77.8 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | /health stops returning 503 just because Ollama isn't running |
| v1.77.7 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | PCAP endpoints stop returning 500 on brand-new investigations |
| v1.77.6 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Reports stop crashing on missing spaCy NER model |
Format
We publish in CycloneDX 1.6, the OWASP-stewarded SBOM standard backed by CISA in the U.S. Each component entry includes:
- Package name and exact version
- Package URL (purl) — globally-unique identifier resolvable to the upstream registry (PyPI, npm)
- Declared license (where the package metadata supplies one)
- Hashes (SHA-256, SHA-512) where available
Verifying integrity
The SBOM JSON is served over HTTPS from this site with no caching layer that could rewrite it. If you need a stronger guarantee for an audit, hash the downloaded file and compare against the value in your purchase confirmation email — we publish the SHA-256 of every release artefact at the same time we ship.
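One way to script the hash comparison described above and then search the verified SBOM by purl, for the "am I exposed" check. This is an added example, not CICADA IR code: the sample document, the package names and both function names are constructed, and the published digest is assumed to be a hex string.

```python
import hashlib
import hmac
import json

# Constructed sample: a minimal CycloneDX 1.6 document with hypothetical
# packages. It is not a real CICADA IR SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.4.1",
         "purl": "pkg:pypi/examplelib@2.4.1"},
        {"type": "library", "name": "examplelib-extras", "version": "0.9.0",
         "purl": "pkg:pypi/examplelib-extras@0.9.0"},
        {"type": "library", "name": "example-ui", "version": "5.0.2",
         "purl": "pkg:npm/example-ui@5.0.2"},
    ],
}).encode()


def sha256_matches(data: bytes, published_hex: str) -> bool:
    """True if SHA-256(data) equals the digest published for the release."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())


def affected_purls(data: bytes, published_hex: str, purl_prefix: str) -> list:
    """Verify the file, then list component purls starting with purl_prefix.

    Include the trailing "@" in the prefix ("pkg:pypi/examplelib@") so a
    package whose name merely starts the same way is not reported.
    """
    if not sha256_matches(data, published_hex):
        raise ValueError("SBOM digest mismatch: file differs from the published one")
    bom = json.loads(data)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    purls = (c.get("purl", "") for c in bom.get("components", []))
    return sorted(p for p in purls if p.startswith(purl_prefix))


if __name__ == "__main__":
    digest = hashlib.sha256(SAMPLE_SBOM).hexdigest()  # stands in for the emailed value
    print(affected_purls(SAMPLE_SBOM, digest, "pkg:pypi/examplelib@"))
```

Hash the bytes exactly as downloaded; re-serialising the JSON before hashing changes the digest even when the content is identical.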
Questions
For supply-chain security questions, vulnerability disclosures, or licence enquiries: security@cicada-ir.ai.