still_active 1.4.2 → 1.6.0

data/lib/helpers/cyclonedx_helper.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require "json"
+require "digest"
+require "time"
+require_relative "vulnerability_helper"
+
+module StillActive
+  # Renders a still_active workflow result as a CycloneDX SBOM. Emits 1.6 by
+  # default (the version mainstream consumers — Dependency-Track via
+  # cyclonedx-core-java, Trivy/Syft via cyclonedx-go — actually ingest as of
+  # 2026); 1.7 is opt-in. Our emitted subset is identical across both versions,
+  # so only the specVersion string changes.
+  #
+  # Maintenance signals that have no native CycloneDX field (scorecard, libyear,
+  # archived, last commit) are emitted as `still_active:`-namespaced component
+  # properties — lossy by spec design, ignorable by consumers that don't care.
+  module CyclonedxHelper
+    extend self
+
+    SUPPORTED_SPEC_VERSIONS = ["1.6", "1.7"].freeze
+
+    # result: gem_name => gem_data (as StillActive::Workflow.call returns)
+    # ruby_info: Ruby freshness hash or nil
+    # now: injectable clock so output is deterministic in tests
+    def render(result:, ruby_info:, tool_version:, spec_version: "1.6", now: Time.now.utc)
+      components = build_components(result, ruby_info)
+      vulnerabilities = build_vulnerabilities(result)
+
+      document = {
+        "bomFormat" => "CycloneDX",
+        "specVersion" => spec_version,
+        "serialNumber" => deterministic_serial(components),
+        "version" => 1,
+        "metadata" => {
+          "timestamp" => now.iso8601,
+          "tools" => [{ "vendor" => "SeanLF", "name" => "still_active", "version" => tool_version }],
+        },
+        "components" => components,
+      }
+      document["vulnerabilities"] = vulnerabilities unless vulnerabilities.empty?
+      JSON.pretty_generate(document)
+    end
+
+    private
+
+    def build_components(result, ruby_info)
+      components = result.sort_by { |name, _| name.to_s }.map { |name, data| gem_component(name.to_s, data) }
+      components << ruby_component(ruby_info) if ruby_info && ruby_info[:version]
+      components
+    end
+
+    def gem_component(name, data)
+      version = data[:version_used]
+      component = { "type" => "library", "name" => name }
+      component["version"] = version if version
+      component["bom-ref"] = bom_ref(name, data)
+      component["purl"] = purl(name, version) if data[:source_type] == :rubygems && version
+      component["licenses"] = licenses(data[:license]) if data[:license]
+      if data[:repository_url]
+        component["externalReferences"] = [{ "type" => "vcs", "url" => data[:repository_url] }]
+      end
+      properties = gem_properties(data)
+      component["properties"] = properties unless properties.empty?
+      component
+    end
+
+    def bom_ref(name, data)
+      version = data[:version_used]
+      return purl(name, version) if data[:source_type] == :rubygems && version
+
+      "#{data[:source_type]}-source:#{name}@#{version || "unknown"}"
+    end
+
+    def purl(name, version)
+      "pkg:gem/#{name}@#{version}"
+    end
+
+    # VersionHelper joins multiple SPDX ids with ", " for terminal/markdown
+    # display; CycloneDX's license.id must be a single SPDX id, so split back
+    # into one entry per license rather than emitting an invalid joined id.
+    def licenses(license)
+      license.split(", ").map { |id| { "license" => { "id" => id } } }
+    end
+
+    def gem_properties(data)
+      {
+        "still_active:archived" => boolean_property(data[:archived]),
+        "still_active:scorecard_score" => data[:scorecard_score]&.to_s,
+        "still_active:libyear" => data[:libyear]&.to_s,
+        "still_active:last_commit_date" => iso8601(data[:last_commit_date]),
+        "still_active:version_yanked" => boolean_property(data[:version_yanked]),
+      }.filter_map { |name, value| { "name" => name, "value" => value } unless value.nil? }
+    end
+
+    def ruby_component(ruby_info)
+      {
+        "type" => "platform",
+        "name" => "ruby",
+        "version" => ruby_info[:version],
+        "bom-ref" => "platform:ruby@#{ruby_info[:version]}",
+        "properties" => [
+          { "name" => "still_active:eol", "value" => boolean_property(ruby_info[:eol]) },
+          { "name" => "still_active:libyear", "value" => ruby_info[:libyear]&.to_s },
+        ].reject { |p| p["value"].nil? },
+      }
+    end
+
+    def build_vulnerabilities(result)
+      result.sort_by { |name, _| name.to_s }.flat_map do |name, data|
+        ref = bom_ref(name.to_s, data)
+        (data[:vulnerabilities] || []).map { |advisory| vulnerability(advisory, ref) }
+      end
+    end
+
+    def vulnerability(advisory, component_ref)
+      entry = {
+        "bom-ref" => "#{advisory[:id]}:#{component_ref}",
+        "id" => advisory[:id],
+        "affects" => [{ "ref" => component_ref }],
+      }
+      entry["source"] = { "name" => advisory[:source] } if advisory[:source]
+      advisory_rating = rating(advisory)
+      entry["ratings"] = [advisory_rating] if advisory_rating
+      entry
+    end
+
+    def rating(advisory)
+      score = advisory[:cvss3_score] || advisory[:cvss2_score]
+      return if score.nil?
+
+      method = advisory[:cvss3_score] ? "CVSSv3" : "CVSSv2"
+      rating = { "score" => score, "severity" => VulnerabilityHelper.highest_severity([advisory]) || "unknown", "method" => method }
+      rating["vector"] = advisory[:cvss3_vector] if advisory[:cvss3_vector]
+      rating
+    end
+
+    def boolean_property(value)
+      return if value.nil?
+
+      value.to_s
+    end
+
+    def iso8601(time)
+      return if time.nil?
+
+      time.respond_to?(:iso8601) ? time.iso8601 : time.to_s
+    end
+
+    # Deterministic urn:uuid derived from the component identifiers, so two SBOMs
+    # of the same lockfile are byte-identical (diffable; golden-test friendly).
+    def deterministic_serial(components)
+      basis = components.map { |c| c["bom-ref"] }.sort.join("\n")
+      hex = Digest::SHA256.hexdigest(basis)
+      uuid = "#{hex[0, 8]}-#{hex[8, 4]}-5#{hex[13, 3]}-8#{hex[17, 3]}-#{hex[20, 12]}"
+      "urn:uuid:#{uuid}"
+    end
+  end
+end

data/lib/helpers/markdown_helper.rb

@@ -26,8 +26,8 @@ module StillActive
     end
 
     def markdown_table_header_line
-      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear |\n" \
-        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- |"
+      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear | license |\n" \
+        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- | ------- |"
     end
 
     def markdown_table_body_line(gem_name:, data:)
@@ -78,11 +78,23 @@ module StillActive
         formatted_latest_pre_release || unsure,
         formatted_last_commit || unsure,
         format_libyear(data[:libyear]),
+        format_license(data[:license]),
       ]
 
       "| #{cells.join(" | ")} |"
     end
 
+    def alternatives_section(result)
+      flagged = result.select do |_name, data|
+        data[:alternatives] && !data[:alternatives].empty?
+      end
+      return "" if flagged.empty?
+
+      lines = ["", "**Alternatives** (Ruby Toolbox leads, verify fit):"]
+      flagged.each { |name, data| lines << "- `#{name}`: #{data[:alternatives].join(", ")}" }
+      lines.join("\n")
+    end
+
     private
 
     def version_with_date(text:, url:, date:)
@@ -113,6 +125,12 @@ module StillActive
       "#{value}y"
     end
 
+    def format_license(license)
+      return "-" if license.nil? || license.empty?
+
+      license
+    end
+
     def format_vulns(data)
       count = data[:vulnerability_count]
       return StillActive.config.unsure_emoji if count.nil?

data/lib/helpers/ruby_advisory_db.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module StillActive
+  # Optional second vulnerability source: rubysec/ruby-advisory-db, read through
+  # bundler-audit's own loader when the user has it installed. We are a consumer —
+  # no YAML parsing or version-range matching of our own. Advisories are mapped
+  # into the same shape as deps.dev results and merged by VulnerabilityHelper.
+  #
+  # Verified against bundler-audit 0.9.3: Advisory CVSS scores live in #to_h
+  # (:cvss_v3 / :cvss_v2), not in dedicated methods; Database.new raises
+  # ArgumentError when the ~/.local/share/ruby-advisory-db checkout is absent.
+  module RubyAdvisoryDb
+    extend self
+
+    STALE_AFTER_SECONDS = 30 * 24 * 60 * 60 # 30 days
+
+    # bundler-audit's Database#check_gem expects an object responding to
+    # #name and #version (a Gem::Version).
+    GemRef = Struct.new(:name, :version)
+
+    # Returns a loaded bundler-audit Database, or nil when bundler-audit isn't
+    # installed or its advisory checkout is absent. Never raises — a missing
+    # second source just means we fall back to deps.dev only.
+    def load
+      require "bundler/audit"
+      require "bundler/audit/database"
+      database = Bundler::Audit::Database.new
+      warn_if_stale(database)
+      database
+    rescue LoadError
+      nil # bundler-audit not installed
+    rescue ArgumentError
+      warn("still_active: ruby-advisory-db not found — run `bundle audit update` to enable dual-source vulnerability data")
+      nil
+    end
+
+    # Maps advisories the database reports for gem_name@version into our
+    # vulnerability shape. Returns [] when the database is unavailable or the
+    # version can't be parsed (e.g. a git sha). A malformed advisory in the
+    # checkout (a corrupt/partial `bundle audit update`) is surfaced, not
+    # swallowed — silently returning [] there would hide a missed vulnerability.
+    def advisories_for(database:, gem_name:, version:)
+      return [] if database.nil?
+
+      parsed = parse_version(version)
+      return [] if parsed.nil?
+
+      advisories = []
+      database.check_gem(GemRef.new(gem_name, parsed)) { |advisory| advisories << to_vulnerability(advisory) }
+      advisories
+    rescue Gem::Requirement::BadRequirementError => e
+      warn("still_active: ruby-advisory-db has a malformed advisory for #{gem_name} (#{e.message}) — run `bundle audit update` to repair the checkout")
+      []
+    end
+
+    # Translates a bundler-audit Advisory into the deps.dev-compatible hash.
+    # bundler-audit has no CVSS vector, so cvss3_vector is always nil here.
+    def to_vulnerability(advisory)
+      primary = advisory.ghsa_id || advisory.cve_id || advisory.id
+      details = advisory.to_h
+      {
+        id: primary,
+        url: details[:url],
+        title: details[:title],
+        aliases: advisory.identifiers.reject { |identifier| identifier == primary },
+        cvss3_score: details[:cvss_v3],
+        cvss3_vector: nil,
+        cvss2_score: details[:cvss_v2],
+        source: "ruby-advisory-db",
+      }
+    end
+
+    private
+
+    # nil for versions Gem::Version can't parse (e.g. a git sha); such a "version"
+    # has nothing to match in the advisory DB, so the caller returns [].
+    def parse_version(version)
+      Gem::Version.new(version)
+    rescue ArgumentError
+      nil
+    end
+
+    def warn_if_stale(database)
+      updated = database.last_updated_at
+      return if updated.nil? # can't determine age — don't warn (not a swallowed error)
+
+      age = Time.now - updated
+      return if age < STALE_AFTER_SECONDS
+
+      warn("still_active: ruby-advisory-db is #{(age / 86_400).round} days old — run `bundle audit update` for current advisories")
+    end
+  end
+end

data/lib/helpers/sarif_helper.rb

@@ -98,7 +98,7 @@ module StillActive
       location = location_for(name, line_index, lockfile_uri)
 
       if data[:archived]
-        out << result("SA001", name, "#{name} #{version}: upstream repository is archived#{repo_suffix(data)}.", location)
+        out << result("SA001", name, "#{name} #{version}: upstream repository is archived#{repo_suffix(data)}#{alternatives_suffix(data)}.", location)
       end
 
       unless data[:archived]
@@ -108,7 +108,7 @@ module StillActive
           out << result(
             "SA002",
             name,
-            "#{name} #{version}: no commits in #{years} years (last #{last_commit.utc.strftime("%Y-%m-%d")}).",
+            "#{name} #{version}: no commits in #{years} years (last #{last_commit.utc.strftime("%Y-%m-%d")})#{alternatives_suffix(data)}.",
             location,
           )
         end
@@ -228,5 +228,12 @@ module StillActive
     def repo_suffix(data)
       data[:repository_url] ? " (#{data[:repository_url]})" : ""
     end
+
+    def alternatives_suffix(data)
+      leads = data[:alternatives]
+      return "" if leads.nil? || leads.empty?
+
+      " Consider: #{leads.join(", ")}"
+    end
   end
 end

data/lib/helpers/terminal_helper.rb

@@ -10,16 +10,21 @@ module StillActive
   module TerminalHelper
     extend self
 
-    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns"].freeze
+    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns", "License"].freeze
 
     def render(result, ruby_info: nil)
-      rows = result.keys.sort.map { |name| build_row(name, result[name]) }
+      names = result.keys.sort
+      rows = names.map { |name| build_row(name, result[name]) }
       widths = column_widths(rows)
 
       lines = []
       lines << header_line(widths)
       lines << separator_line(widths)
-      rows.each { |row| lines << row_line(row, widths) }
+      names.each_with_index do |name, i|
+        lines << row_line(rows[i], widths)
+        extra = alternatives_line(result[name])
+        lines << extra if extra
+      end
       lines << ""
       lines << summary_line(result)
       lines << ruby_summary_line(ruby_info) if ruby_info
@@ -35,9 +40,16 @@ module StillActive
         format_activity(data),
         format_scorecard(data[:scorecard_score]),
         format_vulns(data),
+        format_license(data[:license]),
       ]
     end
 
+    def format_license(license)
+      return AnsiHelper.dim("-") if license.nil? || license.empty?
+
+      license
+    end
+
     def format_version(data)
       used = data[:version_used]
       latest = data[:latest_version]
@@ -118,6 +130,18 @@ module StillActive
         .join
     end
 
+    def alternatives_line(data)
+      level = ActivityHelper.activity_level(data)
+      return unless [:archived, :critical].include?(level)
+
+      leads = data[:alternatives]
+      if leads && !leads.empty?
+        AnsiHelper.dim("  ↳ leads (Ruby Toolbox): #{leads.join(" · ")} (verify fit)")
+      elsif !StillActive.config.alternatives
+        AnsiHelper.dim("  ↳ run with --alternatives for maintained replacements")
+      end
+    end
+
     def ruby_summary_line(ruby_info)
       version = ruby_info[:version]
       latest = ruby_info[:latest_version]

data/lib/helpers/version_helper.rb

@@ -38,6 +38,15 @@ module StillActive
       Time.parse(release_date) unless release_date.nil?
     end
 
+    # SPDX license identifier(s) from the RubyGems versions payload.
+    # Comma-joined when a gem declares more than one. nil when unknown.
+    def license(version_hash:)
+      licenses = version_hash&.dig("licenses")
+      return if licenses.nil? || licenses.empty?
+
+      licenses.join(", ")
+    end
+
     private
 
     def normalize_version(version)

data/lib/helpers/vulnerability_helper.rb

@@ -22,8 +22,43 @@ module StillActive
       SEVERITY_ORDER.index(highest) >= SEVERITY_ORDER.index(threshold)
     end
 
+    # Combines advisories from deps.dev and ruby-advisory-db (via bundler-audit),
+    # deduplicating on shared identifiers. deps.dev is preferred for CVSS/title/url
+    # (it carries the vector string); ruby-advisory-db fills gaps. Advisories present
+    # in both sources are tagged source: "merged"; otherwise the per-source tag is kept.
+    def merge_advisories(deps_dev:, ruby_advisory_db:)
+      merged = deps_dev.map(&:dup)
+
+      ruby_advisory_db.each do |advisory|
+        existing = merged.find { |m| identifiers(m).intersect?(identifiers(advisory)) }
+        if existing
+          combine!(existing, advisory)
+        else
+          merged << advisory
+        end
+      end
+
+      merged
+    end
+
     private
 
+    def identifiers(advisory)
+      [advisory[:id], *advisory[:aliases]].compact
+    end
+
+    # Folds a ruby-advisory-db advisory into a matching deps.dev advisory in place:
+    # deps.dev values win where present, ruby-advisory-db fills nils, aliases union.
+    def combine!(into, from)
+      into[:cvss3_score] ||= from[:cvss3_score]
+      into[:cvss2_score] ||= from[:cvss2_score]
+      into[:cvss3_vector] ||= from[:cvss3_vector]
+      into[:title] ||= from[:title]
+      into[:url] ||= from[:url]
+      into[:aliases] = (identifiers(into) | identifiers(from)).reject { |id| id == into[:id] }.sort
+      into[:source] = "merged"
+    end
+
     def severity_label(score)
       case score
       when 9.0..Float::INFINITY then "critical"

data/lib/still_active/cli.rb

@@ -3,7 +3,9 @@
 require_relative "options"
 require_relative "diff"
 require_relative "../helpers/activity_helper"
+require_relative "../helpers/bot_context"
 require_relative "../helpers/bundler_helper"
+require_relative "../helpers/cyclonedx_helper"
 require_relative "../helpers/diff_markdown_helper"
 require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
@@ -26,6 +28,8 @@ module StillActive
         end
       end
 
+      warn_output_flag_conflicts(options)
+
       result = if $stderr.tty?
         Workflow.call { |done, total| $stderr.print("\rChecking #{done}/#{total} gems...") }
       else
@@ -34,11 +38,14 @@ module StillActive
       $stderr.print("\r\e[K") if $stderr.tty?
 
       ruby_info = Workflow.ruby_freshness
+      pr_context = BotContext.detect
 
       if (baseline_path = StillActive.config.baseline_path)
-        emit_diff(result, ruby_info, baseline_path)
+        emit_diff(result, ruby_info, baseline_path, pr_context)
       elsif (sarif_path = StillActive.config.sarif_path)
         emit_sarif(result, ruby_info, sarif_path)
+      elsif (cyclonedx_path = StillActive.config.cyclonedx_path)
+        emit_cyclonedx(result, ruby_info, cyclonedx_path)
       else
         case resolve_format
         when :json
@@ -49,11 +56,13 @@ module StillActive
             gems: result,
           }
           output[:ruby] = ruby_info if ruby_info
+          output[:pr_context] = pr_context if pr_context
           puts output.to_json
         when :terminal
+          puts BotContext.summary(pr_context) if pr_context
           puts TerminalHelper.render(result, ruby_info: ruby_info)
         when :markdown
-          render_markdown(result, ruby_info: ruby_info)
+          render_markdown(result, ruby_info: ruby_info, pr_context: pr_context)
         end
       end
 
@@ -62,6 +71,29 @@ module StillActive
 
     private
 
+    # The output destinations are mutually exclusive and resolved by precedence
+    # (baseline > sarif > cyclonedx > terminal/markdown/json). Warn rather than
+    # silently dropping the loser when more than one is set.
+    def warn_output_flag_conflicts(options)
+      modes = active_output_modes
+      if modes.size > 1
+        $stderr.puts("warning: multiple output modes set (#{modes.join(", ")}); using #{modes.first}, ignoring #{modes.drop(1).join(", ")}")
+      end
+      if options[:provided_cyclonedx_version] && StillActive.config.cyclonedx_path.nil?
+        $stderr.puts("warning: --cyclonedx-version has no effect without --cyclonedx")
+      end
+    end
+
+    # In precedence order, so the first entry is the one that actually runs.
+    def active_output_modes
+      config = StillActive.config
+      [
+        ("--baseline" if config.baseline_path),
+        ("--sarif" if config.sarif_path),
+        ("--cyclonedx" if config.cyclonedx_path),
+      ].compact
+    end
+
     def emit_sarif(result, ruby_info, sarif_path)
       lockfile = resolve_lockfile_path(StillActive.config.gemfile_path)
       unless File.exist?(lockfile)
@@ -83,6 +115,21 @@ module StillActive
       end
     end
 
+    def emit_cyclonedx(result, ruby_info, cyclonedx_path)
+      sbom = CyclonedxHelper.render(
+        result: result,
+        ruby_info: ruby_info,
+        tool_version: StillActive::VERSION,
+        spec_version: StillActive.config.cyclonedx_version,
+      )
+
+      if cyclonedx_path == "-"
+        puts sbom
+      else
+        File.write(cyclonedx_path, sbom)
+      end
+    end
+
     # Mirrors Bundler's convention: gems.rb -> gems.locked, otherwise <gemfile>.lock.
     def resolve_lockfile_path(gemfile)
       return gemfile.sub(/gems\.rb\z/, "gems.locked") if gemfile.end_with?("gems.rb")
@@ -90,10 +137,11 @@ module StillActive
       "#{gemfile}.lock"
     end
 
-    def emit_diff(result, ruby_info, baseline_path)
+    def emit_diff(result, ruby_info, baseline_path, pr_context = nil)
       current = current_snapshot(result, ruby_info)
       baseline = JSON.parse(File.read(baseline_path))
       diff = Diff.call(baseline: baseline, current: current)
+      puts "> **#{BotContext.summary(pr_context)}**\n\n" if pr_context
       puts DiffMarkdownHelper.render(diff)
       exit(1) if diff.regressions.any?
     rescue JSON::ParserError => e
@@ -125,7 +173,8 @@ module StillActive
       $stdout.tty? ? :terminal : :json
     end
 
-    def render_markdown(result, ruby_info: nil)
+    def render_markdown(result, ruby_info: nil, pr_context: nil)
+      puts "> **#{BotContext.summary(pr_context)}**\n" if pr_context
       puts MarkdownHelper.markdown_table_header_line
       result.keys.sort.each do |name|
         gem_data = result[name]
@@ -141,6 +190,8 @@ module StillActive
 
         puts MarkdownHelper.markdown_table_body_line(gem_name: name, data: gem_data)
       end
+      alternatives = MarkdownHelper.alternatives_section(result)
+      puts alternatives unless alternatives.empty?
       if ruby_info
         puts ""
         puts MarkdownHelper.ruby_line(ruby_info)

data/lib/still_active/config.rb

@@ -7,8 +7,11 @@ require "open3"
 module StillActive
   class Config
     attr_writer :github_oauth_token, :gitlab_token, :gemfile_path
-    attr_accessor :baseline_path,
+    attr_accessor :alternatives,
+      :baseline_path,
       :critical_warning_emoji,
+      :cyclonedx_path,
+      :cyclonedx_version,
       :fail_if_critical,
       :fail_if_warning,
       :futurist_emoji,
@@ -26,6 +29,7 @@ module StillActive
       :warning_range_end
 
     def initialize
+      @alternatives = false
       @fail_if_critical = false
       @fail_if_outdated = nil
       @fail_if_vulnerable = nil
@@ -41,6 +45,8 @@ module StillActive
       @output_format = :auto
       @sarif_path = nil
       @baseline_path = nil
+      @cyclonedx_path = nil
+      @cyclonedx_version = "1.6"
 
       @critical_warning_emoji = "🚩"
       @futurist_emoji = "🔮"

data/lib/still_active/deps_dev_client.rb

@@ -52,6 +52,7 @@ module StillActive
         cvss3_score: body["cvss3Score"],
         cvss3_vector: body["cvss3Vector"],
         cvss2_score: body["cvss2Score"],
+        source: "deps.dev",
       }
     end
 

data/lib/still_active/options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "optparse"
+require_relative "../helpers/cyclonedx_helper"
 require_relative "../helpers/vulnerability_helper"
 
 module StillActive
@@ -63,6 +64,7 @@ module StillActive
       opts.on("--terminal", "Coloured terminal output (default in TTY)") { StillActive.config { |config| config.output_format = :terminal } }
       opts.on("--markdown", "Markdown table output") { StillActive.config { |config| config.output_format = :markdown } }
       opts.on("--json", "JSON output (default when piped)") { StillActive.config { |config| config.output_format = :json } }
+      opts.on("--alternatives", "Suggest maintained alternatives (Ruby Toolbox leads) for archived/critical gems") { StillActive.config { |config| config.alternatives = true } }
       opts.on("--sarif[=PATH]", "SARIF 2.1.0 output for GitHub Code Scanning (default path: still_active.sarif.json; '-' for stdout). Overrides --terminal/--markdown/--json.") do |value|
         StillActive.config { |config| config.sarif_path = value || "still_active.sarif.json" }
       end
@@ -70,6 +72,16 @@ module StillActive
         options[:provided_baseline] = true
         StillActive.config { |config| config.baseline_path = value }
       end
+      opts.on("--cyclonedx[=PATH]", "CycloneDX SBOM output (default to stdout; PATH to write a file). Overrides --terminal/--markdown/--json.") do |value|
+        StillActive.config { |config| config.cyclonedx_path = value || "-" }
+      end
+      opts.on("--cyclonedx-version=VERSION", String, "CycloneDX spec version to emit: 1.6 (default) or 1.7.") do |value|
+        supported = StillActive::CyclonedxHelper::SUPPORTED_SPEC_VERSIONS
+        raise ArgumentError, "--cyclonedx-version must be one of: #{supported.join(", ")} (got #{value})" unless supported.include?(value)
+
+        options[:provided_cyclonedx_version] = true
+        StillActive.config { |config| config.cyclonedx_version = value }
+      end
     end
 
     def add_token_options(opts)

data/lib/still_active/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module StillActive
-  VERSION = "1.4.2"
+  VERSION = "1.6.0"
 end