Software Bill of Materials

Every CICADA IR release publishes a complete Software Bill of Materials in industry-standard CycloneDX 1.6 JSON format. This page is the single source of truth for what is actually installed inside the appliance you run.

Why we publish this

When you deploy a security tool inside your network, your audit, compliance, and procurement teams need to know exactly what is in it. Modern supply-chain attacks target dependencies, not the headline product. Publishing an SBOM means:

  • Your SCA tooling can ingest it directly. Dependency-Track, Snyk, GitHub Advanced Security, and every other SCA platform reads CycloneDX natively. Drop the JSON in and you get a real-time view of any CVEs that affect your CICADA appliance.
  • Your auditors can verify our claims. Every dependency, every version, every license, every Package URL (purl). Nothing hidden.
  • Incident response is faster. When the next zero-day drops, you do not have to wait for us to tell you whether you are exposed — you can check in seconds.

Latest release

v1.83.10 — released 2026-06-11. 174 backend dependencies, 239 frontend dependencies.

Release history

Version | Released | Backend | Frontend | Notes
v1.83.10 | 2026-06-11 | 174 deps (JSON) | 239 deps (JSON) | Security hardening release. Licensing moves to asymmetric Ed25519 signatures: the appliance verifies product keys and license files with an embedded public key and no longer holds the signing secret, so keys cannot be forged from an appliance (legacy HMAC keys still validate; unsigned license files are now rejected). Sensitive audit records, including AI prompt/response logs, are sealed with authenticated AES-256-GCM, replacing an XOR placeholder cipher and adding tamper detection. Administrative surfaces are now authorization-gated: deployment-tier override, trial start, feature activate/deactivate, first-boot setup (proxy/EULA/network), and the support bundle require an administrator, and SAML/OIDC SSO is enforced as a licensed feature. Fixes: the local-LLM (Ollama) assistant returned a single word on evidence-heavy investigations because num_ctx was unset and Ollama truncated the prompt to its 4096-token default, leaving no room to generate; the context window is now sized to the prompt. Navigating away from the assistant mid-response no longer loses the answer. Community Edition demos no longer count against the investigation limit. No dependency changes: backend holds at 174 components and frontend at 239.
v1.83.9 | 2026-06-07 | 174 deps (JSON) | 239 deps (JSON) | Dependency modernization release: after the 1.83.8 security patch sweep, the remaining non-vulnerable version drift across the Python backend was brought current via uv lock --upgrade, moving 52 packages to their latest compatible releases. Notable majors, each verified: cryptography 47 to 48 (RSA/RS256-JWT/AES-GCM round-trips covering the JWT, SAML, evidence-seal and TOTP crypto paths), google-genai 1.74 to 2.8 (v2 client surface intact), weasyprint 68 to 69 (PDF report rendering), plus anthropic, openai and the FastAPI/uvicorn web stack. thinc was deliberately held at 8.3.13 because spaCy 3.8 pins thinc below 8.4, so presidio PII detection is unaffected. A fresh pip-audit reports zero known vulnerabilities. Lockfile-only with no pyproject constraint changes; backend component count holds at 174 and frontend at 239.
v1.83.8 | 2026-06-07 | 174 deps (JSON) | 239 deps (JSON) | Adds an interactive entity relationship graph on the Timeline Entities tab: users, devices, applications and their relationships render as an explorable React Flow + dagre node-link diagram with a stable hierarchical layout, pan/zoom and verdict colour-coding, offered as a Graph/List toggle that defaults to Graph. Also a security patch sweep of the bundled Python dependencies: pip-audit flagged 11 known advisories across five packages (pyjwt, aiohttp, urllib3, starlette, idna), each upgraded to a fixed release with no transitive version churn and verified against the test suite and a live app boot. The frontend SBOM grows from 231 to 239 components with the React Flow and dagre subtree; the backend dependency set is unchanged in count (174) with five packages moved to fixed versions.
v1.83.7 | 2026-05-30 | 174 deps (JSON) | 231 deps (JSON) | Graph-engine hardening release: the entity relationship graph is now always persisted even if blast-radius analysis fails partway, and group nodes are labelled as membership pivots rather than accessible resources, with the Blast Radius report kept as the single source of truth for accessible-vs-accessed.
v1.83.6 | 2026-05-29 | 174 deps (JSON) | 231 deps (JSON) | Graph-engine code-review pass. Blast-radius verdicts (Confirmed Compromised, Potentially Compromised, Observed Accessed) had been shipping with empty evidence_refs since the graph engine landed: GraphBuilder populated the field on edges, but the traverser was reading it off nodes, so every verdict cited no underlying evidence. Refs are now threaded from the BFS path edges and qualifying in-edges so each verdict ships with the evidence rows that drove it. Floored attack-path endpoints (introduced in 1.83.5) were persisted carrying the stale 'No audit logs available' coverage note from their prior UNKNOWN state, contradicting the new verdict in the UI; the note is now cleared on promotion. Blast-radius seed mapping had been calling the entity resolver's mutating resolve() path, silently minting a junk 'blast_radius_seed'-sourced entity for every unmatched seed string and inflating the per-investigation entity store every analysis run; switched to a new read-only EntityResolver.lookup_identifier. Internal cleanup: removed three dead EdgeType enum members (CAN_ACCESS, DELEGATED_TO, TRUSTS) that no GraphBuilder code path ever emitted, deleted the unused EntityType enum, halved the graph-persist SQL on every analysis (was DELETE+INSERT twice; now once at the end of the blast-radius block), and built the lowercase node-id index once and reused it across the three seed batches. No schema migrations. Backend and frontend dependency trees unchanged from 1.83.5.
v1.83.5 | 2026-05-23 | 174 deps (JSON) | 231 deps (JSON) | Blast-radius / Case Narrative verdict-accuracy fixes. Compromised machine/computer accounts (DOMAIN\HOST$) now map to the host's entity-graph node, so the blast radius marks them confirmed-compromised instead of leaving the investigation at '0 Confirmed' (user accounts were always handled correctly). Device nodes are canonicalised so one host is a single node rather than two or three fragments (WORKGROUP\HOST$ vs HOST$ vs host), tightening edge attribution and propagation. Attack-path terminating entities are floored at observed_accessed even when no traversal edge surfaced them, never downgrading a stronger verdict. Frontend build tooling bumped (Vite 5→7, plugin-react 4→5) to clear a long-standing esbuild peer-dependency warning; no app-behaviour change. Backend dependency tree unchanged from 1.83.4.
v1.83.4 | 2026-05-23 | 174 deps (JSON) | 231 deps (JSON) | Six new IR playbook scenarios (BEC, Data Breach, Insider Threat, Ransomware/Exfiltration, SaaS Compromise, Supply-Chain Compromise) plus a new recommendation engine and a branch-aware Playbook surface (PlaybookSurface + ProgressTree + BranchIndicator + StepCard + InvestigationContext) that replaces the linear wizard. Polish: detaching the last attached playbook now correctly drops the page back to the gallery; severity pills on Investigation Timeline and Incidents page center their text (dot dropped); Dashboard Key Findings severity tags render Title-cased. LLM Assistant grounding for Type-3 logon IOCs: chat context now surfaces the parser's filtered routable source-IP set per IOC so the model has ground truth, and the system prompt explicitly forbids inventing IPs, hostnames, or counts not in the evidence.
v1.83.3 | 2026-05-19 | 175 deps (JSON) | 231 deps (JSON) | MFA no longer forced on first login (org policy default 'admin' → 'none', upgrade migration respects admin's explicit choice). Per-user mfa_required toggle on Settings → Users edit modal lets admin force enrolment for one account without forcing the whole org. Timeline FP fix: multi-source Type 3 logon heuristic now filters loopback (127.0.0.1, ::1) and IPv6 link-local (fe80::) before counting — was flagging Critical on DC machine accounts (e.g. LABDC01$) for normal-traffic source sets.
v1.83.2 | 2026-05-17 | 175 deps (JSON) | 231 deps (JSON) | Fresh-OVA hotfix: v1.83.0/v1.83.1 demo investigations were silently failing to seed on first boot of a sealed appliance because system.db.investigations + response_actions tables didn't exist yet at startup (they get created lazily on first API call). Seeder now pre-creates them. Existing v1.83.0/v1.83.1 sealed VMs pick up the demos automatically on next boot after upgrade.
v1.83.1 | 2026-05-17 | 175 deps (JSON) | 231 deps (JSON) | Build hotfix: TS6133 unused-var in DemoInvestigationBanner.tsx (leftover useState from a deferred per-demo-message feature) was breaking the vite build step in the customer VM build scripts (arm64 + proxmox). Removed the dead state.
v1.83.0 | 2026-05-17 | 175 deps (JSON) | 231 deps (JSON) | Sample DEMO investigations + demo-mode overlay. Two seeded sample investigations (M365 BEC, AD Lateral Movement → Ransomware Precursor) ship with every appliance for customer onboarding. Demo-mode overlay intercepts LLM chat, threat-intel enrich, source test-connection, response-action execute, and available-adapters pre-check to return canned simulated responses without touching real credentials/adapters. Zero impact on real investigations (every overlay is an early-return gated on state.metadata.is_demo). Demos don't count against Community quota, are deletable, and don't re-seed once deleted (seeded-once marker is permanent). Opt out with CICADA_SEED_DEMO_INVESTIGATIONS=false.
v1.82.6 | 2026-05-17 | 175 deps (JSON) | 231 deps (JSON) | Appliance UX: tty1-tty6 virtual-terminal login prompts masked at install time. Customer console stays on the CICADA banner instead of agetty drawing 'cicada-ir login:' on top. Honest scope — UX polish only, not a security boundary (disk-mount trivially reverses by removing the systemd mask symlink). Real disk-mount defense (LUKS + passphrase) tracked for v1.85+.
v1.82.5 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Post-recovery UX: after the cicada-recover menu exits, banner script ANSI-clears tty1, re-cats /etc/issue (so the CICADA logo + access URL are back on screen) and offers a 10-second [R] reboot prompt before falling through to the agetty login. Particularly handy after a password reset where the operator wants a clean reboot first.
v1.82.4 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Hotfix: emergency-recovery CLI (cicada-recover) — every menu option (1-4) was crashing with RuntimeError: asyncio.run() cannot be called from a running event loop on the first audit-write call. Root cause: dual-channel audit helper was sync but invoked asyncio.run() against an async DB-write while already running under an outer event loop started by the option's own asyncio.run(). Fixed by making the audit helper async and awaiting from all 16 call sites. Recovery menu is now actually usable end-to-end.
v1.82.3 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Quiet-boot config: CICADA banner + access URL + [E] prompt are now the last thing rendered on tty1 (was being pushed off-screen by systemd service-start chatter). Two layers — kernel cmdline (quiet loglevel=3 systemd.show_status=false rd.udev.log_priority=3 vt.global_cursor_default=0) and systemd drop-in (/etc/systemd/system.conf.d/quiet-boot.conf ShowStatus=no LogLevel=warning) — applied across arm64, proxmox, and deploy-test install paths. Backend unchanged (version bump for SBOM + WhatsNew + banner string only).
v1.82.2 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Hotfix: console emergency-recovery [E] menu on tty1 no longer crashes on every option — CLI now chdirs to /opt/cicada on startup (was inheriting cwd '/' from systemd, causing PermissionError mkdir '/data/') and banner script wraps invocation in cd /opt/cicada belt-and-braces; build scripts (arm64, proxmox, deploy-test) pre-create /var/log/cicada/ with root-owned dir + cicada-group-appendable log file so audit-file writes succeed on first use.
v1.82.1 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Activation → Current License panel now reads seats from product_keys table (was always 1 — JWT-path-only); Enterprise tier default 10 → 5 across cicada-app/admin/storefront; admin Product Keys page copy-to-clipboard works over HTTP (execCommand fallback); storefront /api/admin/keys seats fallback uses TIER_DEFAULT_SEATS instead of hard-coded 1.
v1.82.0 | 2026-05-16 | 175 deps (JSON) | 231 deps (JSON) | Console-only emergency recovery menu on tty1 (4 options, including CLEAR EMERGENCY ADMIN FLAG with strong typed-phrase warning), is_emergency_admin flag with API-level immutability + boot-time backfill, pre-v1.81.3 compromised-identity backfill migration; storefront-issued recovery token flow killed during security review.
v1.81.3 | 2026-05-15 | 175 deps (JSON) | 231 deps (JSON) | Known Compromised Accounts auto-promote now writes the canonical investigation_iocs table — declared identities now surface on Dashboard Key Findings, IOC Timeline, and reports (was state.iocs-only since v1.79.0, partial-migration bug from the v1.71 IOC-truthfulness pass).
v1.81.2 | 2026-05-15 | 175 deps (JSON) | 231 deps (JSON) | Cleanup patch: Test Stub playbook removed from the production gallery (now lives only in the framework test suite); pricing-page acronym fix (SAML / OIDC / SSO / MFA / TOTP now render uppercased instead of "Saml Sso" / "Oidc Sso").
v1.81.1 | 2026-05-15 | 175 deps (JSON) | 231 deps (JSON) | SAML 2.0 + OIDC SSO (Entra ID, Okta, Google Workspace) + JIT user provisioning + sealed-appliance lockout guards (hard refusal on removing last password-capable admin + warning on promoting SSO-linked users) + MFA force-enrol page-refresh fix + Settings UI polish.
v1.81.0 | 2026-05-15 | 170 deps (JSON) | 231 deps (JSON) | Local TOTP MFA — keyed-HMAC sealed authenticator secrets + append-only auth audit log + admin-required-by-default policy + Settings → Security tab. SAML 2.0 + OIDC SSO feature gates landed (Professional tier); route handlers ship in v1.81.1+.
v1.80.0 | 2026-05-12 | 169 deps (JSON) | 230 deps (JSON) | Forensic-grade evidence integrity — keyed HMAC + append-only Merkle chain over raw_evidence + signed anchor mirrored to system.db + idempotent migration of pre-v1.80 rows + truthful Verify toast.
v1.79.12 | 2026-05-10 | 169 deps (JSON) | 230 deps (JSON) | Customer VM banner reliability — DHCP poll bumped 30s→45s + 5s read pause + Before=getty ordering + build-VM IP no longer leaks into /etc/issue + customer hostname now operator-selectable.
v1.79.11 | 2026-05-10 | 169 deps (JSON) | 230 deps (JSON) | Customer .ova OVF namespace fix (VMware Workstation accepts the .ova) + Banner DHCP race fixed + Settings → Users gets Edit User affordance.
v1.79.10 | 2026-05-09 | 169 deps (JSON) | 230 deps (JSON) | Sidebar admin row redesign (kebab menu) + uniform status pills (drop dot from 6 surfaces) + CrowdStrike sign-up link removed.
v1.79.9 | 2026-05-07 | 169 deps (JSON) | 230 deps (JSON) | Upload SHA-256 dedupe across PCAP/log/EVTX + Timeline UX polish + Sidebar investigation context + TLS upload modal + Uploaded Files KPI dedupe.
v1.79.8 | 2026-05-07 | 169 deps (JSON) | 230 deps (JSON) | UX polish — centered Sources status pills + Uploaded Files KPI counts EVTX + Pricing copy cleanup.
v1.79.7 | 2026-05-06 | 169 deps (JSON) | 230 deps (JSON) | Security hotfix — 5 Critical + 22 High audit findings closed across cicada-app, cicada-admin, cicada-storefront, cicada-vm-builder.
v1.79.6 | 2026-05-06 | 169 deps (JSON) | 230 deps (JSON) | Re-run Collection now actually re-collects + Source pills update in real time + Per-source collection_enabled toggle honoured + REPORTING-phase Re-run no longer silently no-ops.
v1.79.5 | 2026-05-06 | 169 deps (JSON) | 230 deps (JSON) | Community Edition tier limits enforced — Evidence Export, Backup/Restore, and Global Source Connectors moved to Professional + Pricing page introductory-offer.
v1.79.4 | 2026-05-06 | 169 deps (JSON) | 230 deps (JSON) | Case Narrative rewritten as a sectioned auto-generated investigation overview + Entity graph moves to a new Entities tab on the Timeline page.
v1.79.3 | 2026-05-05 | 169 deps (JSON) | 230 deps (JSON) | Cloud LLM 'Not Purchased' on paid tiers fixed + Threat Intelligence providers stop appearing to vanish on direct navigation.
v1.79.2 | 2026-05-05 | 169 deps (JSON) | 230 deps (JSON) | Multi-cloud LLM picker, LLM Assistant Stop button, investigation-id passthrough, v2 product keys with embedded seats, pricing label fix.
v1.79.1 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Audit close-out — IOC auto-promotion (F-9) + source-name canonicalisation (F-8).
v1.79.0 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Professional-tier truthfulness pass — reports now reflect engine output, UCG block-IP UX corrected.
v1.78.1 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Community-tier log sources verified end-to-end + capability metadata aligned.
v1.78.0 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Community Edition gets log-based evidence + Automated Response, pricing restructure, Trust & SBOM landing section.
v1.77.13 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Timeline IOC details: 'Engine assessment' → 'Why this severity', collapsed by default, plain-English reasoning.
v1.77.12 | 2026-05-04 | 169 deps (JSON) | 230 deps (JSON) | Threat Intelligence enrichment: abuse.ch 403s fixed (User-Agent), Shodan 404 no longer shows as Failed.
v1.77.11 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Reports page: AI-Enhanced cards stop mirroring status + grey out when no local LLM available.
v1.77.10 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Help button moves from floating FAB into the sidebar bottom toggle row.
v1.77.9 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Settings → LLM Provider: per-provider URL retention + accurate "no models" copy + Assistant banner parity.
v1.77.8 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | /health stops returning 503 just because Ollama isn't running.
v1.77.7 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | PCAP endpoints stop returning 500 on brand-new investigations.
v1.77.6 | 2026-05-03 | 169 deps (JSON) | 230 deps (JSON) | Reports stop crashing on missing spaCy NER model.

Format

We publish in CycloneDX 1.6, the OWASP-stewarded SBOM standard backed by CISA in the U.S. Each component entry includes:

  • Package name and exact version
  • Package URL (purl) — a globally unique identifier resolvable to the upstream registry (PyPI, npm)
  • Declared license (where the package metadata supplies one)
  • Hashes (SHA-256, SHA-512) where available
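The two things a consumer does with this file, ingest it into SCA tooling to match components against advisories (the "Why we publish this" section) and check that each component entry carries the fields listed above, look like the following when done by hand. This is an added example written for this page, not CICADA IR's own tooling or any SCA product's code: the CycloneDX document, the advisory feed and the ADV-EXAMPLE ids are all constructed stand-ins, and the only requirement it enforces beyond the page's list is that a component's purl version agrees with its version field.

```python
"""Ingest a CycloneDX 1.6 JSON SBOM: validate the promised per-component
fields (name, version, purl; license and hashes where available) and match
the component list against an advisory feed keyed by version-less purl.

Added example, not CICADA IR tooling. SBOM, advisories and ids are constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.6 document standing in for a downloaded release SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {   # complete entry: every field group the page lists
            "type": "library", "name": "examplelib", "version": "1.2.3",
            "purl": "pkg:pypi/examplelib@1.2.3",
            "licenses": [{"license": {"id": "MIT"}}],
            "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
        },
        {   # no license or hashes: allowed, the page says "where available"
            "type": "library", "name": "widget-ui", "version": "4.0.1",
            "purl": "pkg:npm/widget-ui@4.0.1",
        },
        {   # missing purl: must be flagged, nothing can be matched without it
            "type": "library", "name": "orphan", "version": "0.1",
        },
    ],
})

# Constructed advisory feed: {purl without version: [(affected versions, id)]}.
# The ids are placeholders, not real advisory identifiers.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[set, str]]] = {
    "pkg:pypi/examplelib": [({"1.2.3", "1.2.4"}, "ADV-EXAMPLE-0001")],
    "pkg:npm/widget-ui": [({"3.9.0"}, "ADV-EXAMPLE-0002")],  # 4.x unaffected
}

REQUIRED_FIELDS = ("name", "version", "purl")
KNOWN_HASH_ALGS = ("SHA-256", "SHA-512")


def load_sbom(text: str) -> dict:
    """Parse the JSON and refuse anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document")
    return doc


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """'pkg:pypi/examplelib@1.2.3?q=1#sub' -> ('pkg:pypi/examplelib', '1.2.3').
    Subpath and qualifiers are stripped first; the version follows the last '@'
    (an '@' inside an npm scope is percent-encoded in a purl, so this is safe)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" in base:
        base, version = base.rsplit("@", 1)
        return base, version
    return base, None


def validate_components(doc: dict) -> List[str]:
    """Return human-readable problems; an empty list means every component
    carries the fields the page promises."""
    problems = []
    for idx, comp in enumerate(doc.get("components", [])):
        label = f"component[{idx}] ({comp.get('name', '?')})"
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                problems.append(f"{label}: missing {field}")
        purl = comp.get("purl", "")
        if purl and not purl.startswith("pkg:"):
            problems.append(f"{label}: purl does not start with 'pkg:'")
        if purl and split_purl(purl)[1] != comp.get("version"):
            problems.append(f"{label}: purl version disagrees with version field")
        for h in comp.get("hashes", []):
            if h.get("alg") not in KNOWN_HASH_ALGS:
                problems.append(f"{label}: unexpected hash algorithm {h.get('alg')!r}")
    return problems


def index_by_purl(doc: dict) -> Dict[str, str]:
    """Map version-less purl -> installed version, the shape an advisory lookup needs."""
    index = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:
            base, version = split_purl(purl)
            index[base] = version or comp.get("version")
    return index


def find_affected(doc: dict, advisories: Dict[str, List[Tuple[set, str]]]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) pairs for components at an affected version."""
    hits = []
    for base, version in index_by_purl(doc).items():
        for affected_versions, advisory_id in advisories.get(base, []):
            if version in affected_versions:
                hits.append((f"{base}@{version}", advisory_id))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for problem in validate_components(sbom):
        print("WARN", problem)
    for purl, advisory in find_affected(sbom, SAMPLE_ADVISORIES):
        print("AFFECTED", purl, advisory)
```

Run against the constructed document it reports one warning (the component with no purl) and one affected component; substituting the real release JSON for SAMPLE_SBOM and a vulnerability feed for SAMPLE_ADVISORIES is the whole integration, because the purl is the join key every SCA platform uses.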

Verifying integrity

The SBOM JSON is served over HTTPS from this site with no caching layer that could rewrite it. If you need a stronger guarantee for an audit, hash the downloaded file and compare against the value in your purchase confirmation email — we publish the SHA-256 of every release artefact at the same time we ship.
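The comparison step above is simple enough to get subtly wrong (case, a prefixed algorithm name, sha256sum-style output pasted with a filename), so here is an added example of doing it carefully. It is not CICADA IR's tooling; the artefact bytes are constructed, and the published digest, which in practice comes from the purchase confirmation email, is stood in for by a value derived in the block.

```python
"""Verify a downloaded release artefact (here: the SBOM JSON) against the
SHA-256 published with the release, as the page recommends for audits.

Added example, not CICADA IR tooling. The artefact bytes are constructed; the
'published' digest normally comes from the purchase confirmation email.
"""
import hashlib
import hmac
import re
from typing import Tuple

# Prefixes a published digest might carry, mapped to hashlib names.
ALGORITHMS = {"sha256": "sha256", "sha-256": "sha256",
              "sha512": "sha512", "sha-512": "sha512"}
_HEX = re.compile(r"^[0-9a-f]+$")

# Constructed artefact standing in for a downloaded SBOM file.
SAMPLE_ARTIFACT = b'{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []}\n'


def normalize_digest(published: str) -> Tuple[str, str]:
    """Accept 'sha256:abcd...', 'SHA-256: ABCD...', sha256sum output
    ('abcd...  file.json') or bare hex; an unprefixed value is taken as SHA-256.
    Returns (hashlib algorithm, lowercase hex) or raises ValueError."""
    text = published.strip().lower()
    alg = "sha256"
    if ":" in text:
        prefix, text = text.split(":", 1)
        prefix = prefix.strip()
        if prefix not in ALGORITHMS:
            raise ValueError(f"unsupported digest prefix {prefix!r}")
        alg = ALGORITHMS[prefix]
    tokens = text.split()
    if not tokens:
        raise ValueError("empty digest")
    hexdigest = tokens[0]
    if len(hexdigest) != hashlib.new(alg).digest_size * 2 or not _HEX.match(hexdigest):
        raise ValueError(f"malformed {alg} digest")
    return alg, hexdigest


def is_well_formed_digest(published: str) -> bool:
    """Convenience wrapper for callers that want a bool instead of an exception."""
    try:
        normalize_digest(published)
        return True
    except ValueError:
        return False


def digest_bytes(data: bytes, alg: str = "sha256") -> str:
    return hashlib.new(alg, data).hexdigest()


def digest_file(path: str, alg: str = "sha256") -> str:
    """Hash a file in 1 MiB chunks so large artefacts (OVA images) need no RAM."""
    h = hashlib.new(alg)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(data: bytes, published: str) -> bool:
    """True only if the artefact's digest equals the published one; the
    constant-time comparison is habit rather than necessity here, since the
    digest is public, but it costs nothing."""
    alg, expected = normalize_digest(published)
    return hmac.compare_digest(digest_bytes(data, alg), expected)


def verify_file(path: str, published: str) -> bool:
    alg, expected = normalize_digest(published)
    return hmac.compare_digest(digest_file(path, alg), expected)


if __name__ == "__main__":
    # Stand-in for the value printed in the purchase confirmation email.
    published = "sha256:" + digest_bytes(SAMPLE_ARTIFACT)
    print("intact:", verify_artifact(SAMPLE_ARTIFACT, published))
    print("tampered:", verify_artifact(SAMPLE_ARTIFACT + b" ", published))
```

A mismatch means the bytes you hold are not the bytes that were published, whether through transit corruption or substitution, and the file should not be fed to downstream tooling until a clean copy has been obtained; a match means only that the file is the one published, so the SBOM's own contents still have to be read with the checks from the Format section.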

Questions

For supply-chain security questions, vulnerability disclosures, or licence enquiries: security@cicada-ir.ai.