still_active 1.4.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 32a0544a8668d86b73edc4296a246b875e3c5bfbc5016544ea2b1133e1332bb8
-  data.tar.gz: bdbbaa17281dac2425cbe96a386164ae608566b3a4dd594e7e8d3d262a10f206
+  metadata.gz: 186f947f74db917e368e84dde7810495ae047720e9483dade42543028059530d
+  data.tar.gz: 756e3bc581887835db75fcc175ff3654c832c2e81550e1c9447a9f753c37339d
 SHA512:
-  metadata.gz: a63140b613dc6eb0f7fe618a4845db833524993c00ab6773699dbbd150fead81ff5f74fad283444d6d84d5aa07ef79f8cba7ab055ae3e81d720bcbeaee52f800
-  data.tar.gz: 00f898a6edefc7405e4e5d9a35b37c803b185b1e4e7edcbb76c8faf7eb9e93ef3e18660b1719b9db5b6d9961a4300dc1c3b017cd366bb195f6ea3e33b0f584bc
+  metadata.gz: 96ed9789ee0d1901d4e01beed98c094d22f800e32c23a447edb8cc11da9a751a2d6d94ca318bfee3748cce2329a0f79a5fcbc6850be18769296b3ffac07bdd19
+  data.tar.gz: b70bac1b02082583f41b49ab2521f01c436eba2275fa437adfe29de96b14a08554e0ae05e34a73dff181130f88127ac352831bb7d0698da9231b5574697c7e13

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [1.5.0] - 2026-05-23
+
+### Added
+
+- `--cyclonedx[=PATH]` emits a CycloneDX SBOM (stdout by default, or to a file) so the dependency graph plus still_active's signals flow into Trivy / Dependency-Track / Snyk. Emits **1.6 by default** — the version mainstream consumers ingest today (`cyclonedx-core-java` / Dependency-Track and `cyclonedx-go` / Trivy both cap at 1.6 as of 2026) — with `--cyclonedx-version=1.7` to opt into the latest. Gem name/version/purl/licenses map to native fields; maintenance signals (archived, OpenSSF score, libyear, last commit, yanked) ride in `still_active:`-namespaced `properties`; vulnerabilities map to the top-level `vulnerabilities[]`. The `serialNumber` is content-derived (two SBOMs of the same lockfile are byte-identical apart from the generation timestamp), so SBOMs diff cleanly.
+- Dependabot/Renovate awareness: when a run is detected as bot-authored (primarily via the PR author in the GitHub event payload — `pull_request.user.login`, the same authoritative signal `dependabot/fetch-metadata` uses, which unlike `GITHUB_ACTOR` survives a human re-running the workflow — falling back to `GITHUB_ACTOR`, a `dependabot/`/`renovate/` branch, or the commit subject including Dependabot's default unprefixed `Bump X from Y to Z`), output leads with a narrative header (markdown/terminal/baseline-diff: "Dependabot bump: rack 2.0.0 → 2.0.6") and JSON gains a top-level additive `pr_context` (`{ bot, bumps: [{ gem, from, to }] }`). Bump extraction tolerates any configured `commit-message.prefix`/scope (`chore(deps):`, `deps:`, …) once the bot is confirmed, while detection stays conservative to avoid false positives on human commits. Best-effort: false negatives lose only the narrative, never a finding; SARIF is unaffected. See `docs/schema.md`.
+- A warning is emitted when mutually-exclusive output flags are combined (`--baseline`/`--sarif`/`--cyclonedx`), naming which one wins, and when `--cyclonedx-version` is set without `--cyclonedx`.
+- Dual-source vulnerability data: when `bundler-audit` is installed (with a current `bundle audit update` checkout), still_active reads the `rubysec/ruby-advisory-db` advisories through bundler-audit's own loader and merges them with deps.dev results, deduplicating on shared identifiers. Each advisory carries a `source` field (`deps.dev`, `ruby-advisory-db`, or `merged`); deps.dev is preferred for CVSS/title/vector and ruby-advisory-db fills gaps. Opt-in by composition — no second source unless `bundler-audit` is present; falls back silently to deps.dev only otherwise (with a one-line hint to run `bundle audit update`). Closes the "why do bundler-audit and still_active disagree?" gap. See `docs/schema.md` and `docs/rules.md` (SA003).
+- Gem license surfaced from the RubyGems versions payload we already fetch (no extra request). Shows as a `License` column in terminal and markdown output and as an additive `license` field (SPDX identifier, comma-joined when a gem declares more than one) on the JSON per-gem record. `nil`/`-` for git/path sources where no RubyGems metadata exists. See `docs/schema.md`. Read-only metadata only — license *policy* (allow/deny gating) stays the domain of `license_finder`.
+
 ## [1.4.2] - 2026-05-22
 
 ### Fixed

data/README.md

@@ -4,6 +4,8 @@
 
 `bundle outdated` tells you version drift. `bundler-audit` catches known CVEs. Neither tells you whether anyone is still working on the thing. `still_active` checks maintenance activity, version freshness, security scores, vulnerabilities, libyear drift, and archived repos for every gem in your Gemfile.
 
+Findings ship as **terminal / markdown / JSON / SARIF / CycloneDX** — SARIF lands in your GitHub Security tab and as inline PR annotations on `Gemfile.lock`; CycloneDX feeds Trivy / Dependency-Track / Snyk. PR mode (`--baseline=FILE`) reports only what got worse since main, so reviewers see one line ("`vcr` newly archived") instead of an absolute snapshot of every dep.
+
 [![Gem Version](https://badge.fury.io/rb/still_active.svg)](https://badge.fury.io/rb/still_active)
 [![GitHub Action](https://img.shields.io/badge/Marketplace-still__active--action-2ea44f?logo=github)](https://github.com/marketplace/actions/still_active)
 ![Code Quality analysis](https://github.com/SeanLF/still_active/actions/workflows/codeql-analysis.yml/badge.svg)
@@ -11,15 +13,15 @@
 ![Rubocop analysis](https://github.com/SeanLF/still_active/actions/workflows/rubocop-analysis.yml/badge.svg)
 
 ```
-Name                    Version          Activity  OpenSSF  Vulns
-───────────────────────────────────────────────────────────────────
-async                   2.36.0 (latest)  ok        7.1/10   0
-backbone-rails          1.2.3 (latest)   archived  3.6/10   0
-bootstrap-slider-rails  9.8.0 (latest)   critical  -        0
-gitlab-markup           2.0.0 (latest)   ok        -        0
-local_gem               0.1.0 (path)     -         -        0
-nested_form             0.3.2 (git)      archived  3.3/10   0
-remotipart              1.4.4 (git)      critical  3.1/10   0
+Name                    Version          Activity  OpenSSF  Vulns  License
+──────────────────────────────────────────────────────────────────────────────
+async                   2.36.0 (latest)  ok        7.1/10   0      MIT
+backbone-rails          1.2.3 (latest)   archived  3.6/10   0      MIT
+bootstrap-slider-rails  9.8.0 (latest)   critical  -        0      MIT
+gitlab-markup           2.0.0 (latest)   ok        -        0      MIT
+local_gem               0.1.0 (path)     -         -        0      -
+nested_form             0.3.2 (git)      archived  3.3/10   0      MIT
+remotipart              1.4.4 (git)      critical  3.1/10   0      MIT
 
 7 gems: 4 up to date, 0 outdated · 2 active, 2 stale, 2 archived · 0 vulnerabilities
 Ruby 4.0.1 (latest)
@@ -32,7 +34,7 @@ Ruby 4.0.1 (latest)
 |                              | `bundle outdated` | `bundler-audit`        | `libyear-bundler` | **`still_active`**       |
 | ---------------------------- | ----------------- | ---------------------- | ----------------- | ------------------------ |
 | Outdated versions            | Yes               | -                      | Yes               | Yes                      |
-| Known vulnerabilities (CVEs) | -                 | Yes (ruby-advisory-db) | -                 | Yes (deps.dev)           |
+| Known vulnerabilities (CVEs) | -                 | Yes (ruby-advisory-db) | -                 | Yes (deps.dev + ruby-advisory-db) |
 | Libyear drift                | -                 | -                      | Yes               | Yes                      |
 | **Last commit activity**     | -                 | -                      | -                 | **Yes**                  |
 | **Archived repo detection**  | -                 | -                      | -                 | **Yes**                  |
@@ -41,9 +43,9 @@ Ruby 4.0.1 (latest)
 | **Ruby version freshness**   | -                 | -                      | -                 | **Yes** (EOL + libyear)  |
 | GitLab support               | -                 | -                      | -                 | Yes                      |
 | CI quality gates             | -                 | Exit code              | -                 | Yes (4 flags)            |
-| Output formats               | Text              | Text                   | Text              | Terminal, JSON, Markdown |
+| Output formats               | Text              | Text                   | Text              | Terminal, JSON, Markdown, SARIF, CycloneDX |
 
-The bolded rows are the gap `still_active` fills: nobody else answers "is the maintainer still around?" The CVE column is worth a closer look: `bundler-audit` and `still_active` use **different data sources** (`ruby-advisory-db` vs `deps.dev`), so coverage isn't identical. If you care about CVEs in CI, keep running `bundler-audit` alongside `still_active`.
+The bolded rows are the gap `still_active` fills: nobody else answers "is the maintainer still around?" The CVE column is worth a closer look: `bundler-audit` reads `ruby-advisory-db` and `still_active` reads `deps.dev`, which sometimes diverge. **If `bundler-audit` is installed alongside `still_active`, we read its `ruby-advisory-db` checkout too and merge the results** (deduplicated, each advisory tagged with its `source`) — so running both no longer means reconciling two different vuln counts by hand.
 
 ## Installation
 
@@ -98,6 +100,8 @@ Usage: still_active [options]
         --markdown                   Markdown table output
         --json                       JSON output (default when piped)
         --sarif[=PATH]               SARIF 2.1.0 output for GitHub Code Scanning
+        --cyclonedx[=PATH]           CycloneDX SBOM output (stdout, or a file path)
+        --cyclonedx-version=VERSION  CycloneDX spec version: 1.6 (default) or 1.7
         --baseline=PATH              Compare current state to baseline JSON; emit markdown deltas
         --github-oauth-token=TOKEN   GitHub OAuth token to make API calls
         --gitlab-token=TOKEN         GitLab personal access token for API calls
@@ -141,6 +145,7 @@ still_active --json --gemfile=spec/still_active/edge_case_gemfile/Gemfile
       "archived": false,
       "scorecard_score": 7.1,
       "vulnerability_count": 0,
+      "license": "MIT",
       "libyear": 0.0
     },
     "nested_form": {
@@ -174,15 +179,25 @@ still_active --json --gemfile=spec/still_active/edge_case_gemfile/Gemfile
 still_active --markdown
 ```
 
-| activity | up to date? | OpenSSF | vulns | name                                                         | version used                                                               | latest version                                                             | latest pre-release | last commit                                           | libyear |
-| -------- | ----------- | ------- | ----- | ------------------------------------------------------------ | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------ | ----------------------------------------------------- | ------- |
-|          | ✅          | 7.1/10  | ✅    | [async](https://github.com/socketry/async)                   | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | ❓                 | [2026/01](https://github.com/socketry/async)          | 0.0y    |
-| 🚩       | ✅          | 3.6/10  | ✅    | [backbone-rails](https://github.com/aflatter/backbone-rails) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | ❓                 | [2016/02](https://github.com/aflatter/backbone-rails) | 0.0y    |
-| ❓       | ❓          | ❓      | ✅    | local_gem                                                    | 0.1.0 (path)                                                               | ❓                                                                         | ❓                 | ❓                                                    | -       |
-| 🚩       | ❓          | 3.3/10  | ✅    | [nested_form](https://github.com/ryanb/nested_form)          | 0.3.2 (git)                                                                | ❓                                                                         | ❓                 | [2021/12](https://github.com/ryanb/nested_form)       | -       |
+| activity | up to date? | OpenSSF | vulns | name                                                         | version used                                                               | latest version                                                             | latest pre-release | last commit                                           | libyear | license |
+| -------- | ----------- | ------- | ----- | ------------------------------------------------------------ | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------ | ----------------------------------------------------- | ------- | ------- |
+|          | ✅          | 7.1/10  | ✅    | [async](https://github.com/socketry/async)                   | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | [2.36.0](https://rubygems.org/gems/async/versions/2.36.0) (2026/01)        | ❓                 | [2026/01](https://github.com/socketry/async)          | 0.0y    | MIT     |
+| 🚩       | ✅          | 3.6/10  | ✅    | [backbone-rails](https://github.com/aflatter/backbone-rails) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | [1.2.3](https://rubygems.org/gems/backbone-rails/versions/1.2.3) (2016/02) | ❓                 | [2016/02](https://github.com/aflatter/backbone-rails) | 0.0y    | MIT     |
+| ❓       | ❓          | ❓      | ✅    | local_gem                                                    | 0.1.0 (path)                                                               | ❓                                                                         | ❓                 | ❓                                                    | -       | -       |
+| 🚩       | ❓          | 3.3/10  | ✅    | [nested_form](https://github.com/ryanb/nested_form)          | 0.3.2 (git)                                                                | ❓                                                                         | ❓                 | [2021/12](https://github.com/ryanb/nested_form)       | -       | MIT     |
 
 **Ruby 4.0.1** (latest) ✅
 
+**CycloneDX** -- a standards-track SBOM so your dependency graph and still_active's signals flow into Trivy, Dependency-Track, or Snyk:
+
+```bash
+still_active --cyclonedx                 # CycloneDX 1.6 to stdout
+still_active --cyclonedx=sbom.json       # write to a file
+still_active --cyclonedx --cyclonedx-version=1.7
+```
+
+Emits **1.6 by default** — the version mainstream consumers ingest today (`cyclonedx-core-java`/Dependency-Track and `cyclonedx-go`/Trivy both cap at 1.6 as of 2026); `--cyclonedx-version=1.7` opts into the latest. Gem name/version/`purl`/licenses and vulnerabilities map to native CycloneDX fields; maintenance signals with no native home (archived, OpenSSF score, libyear, last commit, yanked) ride in `still_active:`-namespaced `properties`. The `serialNumber` is content-derived, so two SBOMs of the same lockfile differ only by their generation timestamp.
+
 ### SARIF output (GitHub Code Scanning)
 
 Emit findings as SARIF 2.1.0 — they show up in the GitHub Security tab and as inline annotations on `Gemfile.lock` in pull requests.
@@ -245,6 +260,53 @@ In CI, capture a baseline on main and compare on PR branches. Exits 1 if any reg
 
 The diff supersedes `--sarif`, `--terminal`, `--markdown`, and `--json` when set.
 
+When a run is detected as Dependabot- or Renovate-authored (via `GITHUB_ACTOR`, a `dependabot/`/`renovate/` branch, or the commit subject), the report leads with a one-line narrative — "Dependabot bump: `rack` 2.0.0 → 2.0.6" — and `--json` gains a top-level `pr_context`. Detection is best-effort and conservative: it never produces a false positive on an ordinary commit, and a miss costs only the narrative line.
+
+### Alongside `dependency-review-action`
+
+GitHub's first-party [`dependency-review-action`](https://github.com/actions/dependency-review-action) runs server-side on PRs and surfaces **vulnerabilities, licenses, and OpenSSF Scorecard** scores from GitHub's dependency-graph diff. It does not surface maintenance signals — last-commit activity, archived repos, libyear, Ruby EOL, or yanked versions — and is GitHub.com / GHES only. `still_active` is the complement, not a replacement:
+
+|                              | `dependency-review-action`         | `still_active`                              |
+| ---------------------------- | ---------------------------------- | ------------------------------------------- |
+| Platform                     | GitHub.com / GHES only             | Any CI                                      |
+| Languages                    | Multi (GitHub dep graph)           | Ruby                                        |
+| Vulnerabilities              | GHSA                               | deps.dev + ruby-advisory-db (merged)        |
+| Licenses                     | Yes (allow/deny gating)            | Surfaced (no gating)                        |
+| OpenSSF Scorecard            | Yes (display)                      | Yes (display + threshold)                   |
+| **Last-commit activity**     | -                                  | **Yes**                                     |
+| **Archived repo detection**  | -                                  | **Yes**                                     |
+| **Libyear drift**            | -                                  | **Yes**                                     |
+| **Ruby EOL detection**       | -                                  | **Yes**                                     |
+| **Yanked version detection** | -                                  | **Yes**                                     |
+| Diff vs base                 | Native (GitHub API)                | `--baseline=FILE`                           |
+| Output                       | Inline PR annotations              | Terminal / Markdown / JSON / SARIF / CycloneDX |
+
+Run both: let `dependency-review-action` gate CVEs and licenses, and `still_active` add the maintenance lens on the same PR.
+
+```yaml
+on: pull_request
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          show-openssf-scorecard: true
+
+  maintenance-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with: { ruby-version: ".ruby-version", bundler-cache: true }
+      - uses: SeanLF/still_active-action@v0
+        with:
+          fail-if-critical: true
+```
+
 ### CI quality gating
 
 Use exit-code flags to fail CI pipelines based on dependency status:
@@ -279,9 +341,10 @@ Activity is determined by the most recent signal across last commit date, latest
 
 ### Data sources
 
-- **Versions and release dates** from [RubyGems.org](https://rubygems.org) or [GitHub Packages](https://docs.github.com/en/packages)
+- **Versions, release dates, and licenses** from [RubyGems.org](https://rubygems.org) or [GitHub Packages](https://docs.github.com/en/packages)
 - **Last commit date and archived status** from the [GitHub](https://docs.github.com/en/rest) or [GitLab](https://docs.gitlab.com/ee/api/) API
 - **OpenSSF Scorecard**, **vulnerability counts**, and **CVSS severity** from Google's [deps.dev](https://deps.dev) API
+- **Additional advisories** from [ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db), merged in when `bundler-audit` is installed alongside (run `bundle audit update` to keep its checkout current)
 - **Ruby version freshness** from [endoflife.date](https://endoflife.date)
 
 ### Configuration defaults

data/lib/helpers/bot_context.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+require "json"
+require "open3"
+
+module StillActive
+  # Best-effort detection of a Dependabot/Renovate-authored run, so --baseline
+  # reports can lead with a narrative ("Dependabot bump: rack 2.0.0 → 2.0.6")
+  # instead of an unattributed list. Detection is heuristic: false negatives are
+  # fine (we just lose the narrative), false positives are not, so the subject
+  # patterns are anchored and require the literal bump/update keyword.
+  module BotContext
+    extend self
+
+    # Dependabot's *default* subject is "Bump X from Y to Z" (capitalized, no
+    # prefix). The `from … to …` skeleton rarely occurs in human commits, so it
+    # is safe unprefixed. The conventional-commit prefix only appears when configured.
+    DEPENDABOT_SUBJECT = /\A(?:build\(deps(?:-dev)?\):\s*)?bump (\S+) from (\S+) to (\S+)/i
+
+    # Renovate's default is "Update dependency X to vN.…" — note the **required**
+    # `v`+digit version. Matching a bare "to <word>" would false-positive on ordinary
+    # commits ("Update README to mention SARIF"), so we anchor on the v-prefixed
+    # version. False negatives (a no-`v` Renovate config) are acceptable; false
+    # positives are not. The `v` is consumed, so the captured version excludes it.
+    RENOVATE_SUBJECT = /\A(?:(?:chore|fix|build)\(deps(?:-dev)?\):\s*)?update (?:dependency )?(\S+) to v(\d[\w.\-]*)/i
+
+    # Unanchored variants used only to EXTRACT the bump *after* a bot is already
+    # confirmed (via GITHUB_ACTOR / branch / the anchored subject above). Because
+    # detection has already happened, these can ignore whatever commit-message
+    # prefix or scope Dependabot/Renovate is configured with and just find the
+    # "bump X from Y to Z" / "update X to vN" skeleton anywhere in the subject.
+    DEPENDABOT_BUMP = /bump (\S+) from (\S+) to (\S+)/i
+    RENOVATE_BUMP = /update (?:dependency )?(\S+) to v(\d[\w.\-]*)/i
+
+    # Returns { bot: "dependabot" | "renovate", bumps: [{ gem:, from:, to: }] }
+    # or nil when no bot signal is present. `bumps` is parsed from the head
+    # commit subject; a grouped or unparseable subject yields an empty list.
+    def detect(env: ENV, head_subject: head_commit_subject)
+      bot = detect_bot(env: env, head_subject: head_subject)
+      return if bot.nil?
+
+      { bot: bot, bumps: bumps_from(bot, head_subject) }
+    end
+
+    # A one-line, format-agnostic narrative for the detected context.
+    def summary(context)
+      label = context[:bot] == "renovate" ? "Renovate" : "Dependabot"
+      bumps = context[:bumps]
+
+      case bumps.length
+      when 0 then "#{label} dependency update"
+      when 1 then single_bump_summary(label, bumps.first)
+      else "#{label}: #{bumps.length} dependency updates"
+      end
+    end
+
+    private
+
+    def detect_bot(env:, head_subject:)
+      # The PR author from the event payload is the authoritative signal — it's
+      # what `dependabot/fetch-metadata` keys on, and unlike GITHUB_ACTOR it
+      # doesn't flip to a human who re-runs the workflow or pushes to the branch.
+      login = pr_author_login(env)
+      return "dependabot" if login == "dependabot[bot]"
+      return "renovate" if login == "renovate[bot]"
+
+      actor = env["GITHUB_ACTOR"]
+      return "dependabot" if actor == "dependabot[bot]"
+      return "renovate" if actor == "renovate[bot]"
+
+      ref = env["GITHUB_HEAD_REF"] || current_branch
+      return "dependabot" if ref&.start_with?("dependabot/")
+      return "renovate" if ref&.start_with?("renovate/", "renovate-bot/")
+
+      return "dependabot" if head_subject&.match?(DEPENDABOT_SUBJECT)
+      return "renovate" if head_subject&.match?(RENOVATE_SUBJECT)
+
+      nil
+    end
+
+    # Reads pull_request.user.login from the GitHub Actions event payload
+    # (GITHUB_EVENT_PATH). Returns nil off Actions, on non-PR events, or if the
+    # file is missing/unreadable/malformed — all of which just fall through to
+    # the weaker signals. TypeError covers a payload that parses but has the
+    # wrong shape (e.g. a top-level array, or pull_request/user not a Hash);
+    # this method must never raise, since detect runs unguarded and a cosmetic
+    # narrative must not be able to abort the audit.
+    def pr_author_login(env)
+      path = env["GITHUB_EVENT_PATH"]
+      return if path.nil? || !File.file?(path)
+
+      JSON.parse(File.read(path)).dig("pull_request", "user", "login")
+    rescue JSON::ParserError, SystemCallError, TypeError
+      nil
+    end
+
+    def bumps_from(bot, subject)
+      return [] if subject.nil?
+
+      if bot == "dependabot" && (match = subject.match(DEPENDABOT_BUMP))
+        [{ gem: match[1], from: match[2], to: match[3] }]
+      elsif bot == "renovate" && (match = subject.match(RENOVATE_BUMP))
+        [{ gem: match[1], from: nil, to: match[2] }]
+      else
+        []
+      end
+    end
+
+    def single_bump_summary(label, bump)
+      arrow = bump[:from] ? "#{bump[:from]} → #{bump[:to]}" : "→ #{bump[:to]}"
+      verb = label == "Renovate" ? "update" : "bump"
+      "#{label} #{verb}: #{bump[:gem]} #{arrow}"
+    end
+
+    # SystemCallError (not just Errno::ENOENT) so a git that's missing *or*
+    # unlaunchable can't crash a run over a cosmetic narrative. git *logic*
+    # failures surface as a non-zero status, not an exception, and yield nil.
+    def current_branch
+      out, _, status = Open3.capture3("git", "rev-parse", "--abbrev-ref", "HEAD")
+      status.success? ? out.strip : nil
+    rescue SystemCallError
+      nil
+    end
+
+    def head_commit_subject
+      out, _, status = Open3.capture3("git", "log", "-1", "--pretty=%s")
+      status.success? ? out.strip : nil
+    rescue SystemCallError
+      nil
+    end
+  end
+end

data/lib/helpers/cyclonedx_helper.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require "json"
+require "digest"
+require "time"
+require_relative "vulnerability_helper"
+
+module StillActive
+  # Renders a still_active workflow result as a CycloneDX SBOM. Emits 1.6 by
+  # default (the version mainstream consumers — Dependency-Track via
+  # cyclonedx-core-java, Trivy/Syft via cyclonedx-go — actually ingest as of
+  # 2026); 1.7 is opt-in. Our emitted subset is identical across both versions,
+  # so only the specVersion string changes.
+  #
+  # Maintenance signals that have no native CycloneDX field (scorecard, libyear,
+  # archived, last commit) are emitted as `still_active:`-namespaced component
+  # properties — lossy by spec design, ignorable by consumers that don't care.
+  module CyclonedxHelper
+    extend self
+
+    SUPPORTED_SPEC_VERSIONS = ["1.6", "1.7"].freeze
+
+    # result: gem_name => gem_data (as StillActive::Workflow.call returns)
+    # ruby_info: Ruby freshness hash or nil
+    # now: injectable clock so output is deterministic in tests
+    def render(result:, ruby_info:, tool_version:, spec_version: "1.6", now: Time.now.utc)
+      components = build_components(result, ruby_info)
+      vulnerabilities = build_vulnerabilities(result)
+
+      document = {
+        "bomFormat" => "CycloneDX",
+        "specVersion" => spec_version,
+        "serialNumber" => deterministic_serial(components),
+        "version" => 1,
+        "metadata" => {
+          "timestamp" => now.iso8601,
+          "tools" => [{ "vendor" => "SeanLF", "name" => "still_active", "version" => tool_version }],
+        },
+        "components" => components,
+      }
+      document["vulnerabilities"] = vulnerabilities unless vulnerabilities.empty?
+      JSON.pretty_generate(document)
+    end
+
+    private
+
+    def build_components(result, ruby_info)
+      components = result.sort_by { |name, _| name.to_s }.map { |name, data| gem_component(name.to_s, data) }
+      components << ruby_component(ruby_info) if ruby_info && ruby_info[:version]
+      components
+    end
+
+    def gem_component(name, data)
+      version = data[:version_used]
+      component = { "type" => "library", "name" => name }
+      component["version"] = version if version
+      component["bom-ref"] = bom_ref(name, data)
+      component["purl"] = purl(name, version) if data[:source_type] == :rubygems && version
+      component["licenses"] = licenses(data[:license]) if data[:license]
+      if data[:repository_url]
+        component["externalReferences"] = [{ "type" => "vcs", "url" => data[:repository_url] }]
+      end
+      properties = gem_properties(data)
+      component["properties"] = properties unless properties.empty?
+      component
+    end
+
+    def bom_ref(name, data)
+      version = data[:version_used]
+      return purl(name, version) if data[:source_type] == :rubygems && version
+
+      "#{data[:source_type]}-source:#{name}@#{version || "unknown"}"
+    end
+
+    def purl(name, version)
+      "pkg:gem/#{name}@#{version}"
+    end
+
+    # VersionHelper joins multiple SPDX ids with ", " for terminal/markdown
+    # display; CycloneDX's license.id must be a single SPDX id, so split back
+    # into one entry per license rather than emitting an invalid joined id.
+    def licenses(license)
+      license.split(", ").map { |id| { "license" => { "id" => id } } }
+    end
+
+    def gem_properties(data)
+      {
+        "still_active:archived" => boolean_property(data[:archived]),
+        "still_active:scorecard_score" => data[:scorecard_score]&.to_s,
+        "still_active:libyear" => data[:libyear]&.to_s,
+        "still_active:last_commit_date" => iso8601(data[:last_commit_date]),
+        "still_active:version_yanked" => boolean_property(data[:version_yanked]),
+      }.filter_map { |name, value| { "name" => name, "value" => value } unless value.nil? }
+    end
+
+    def ruby_component(ruby_info)
+      {
+        "type" => "platform",
+        "name" => "ruby",
+        "version" => ruby_info[:version],
+        "bom-ref" => "platform:ruby@#{ruby_info[:version]}",
+        "properties" => [
+          { "name" => "still_active:eol", "value" => boolean_property(ruby_info[:eol]) },
+          { "name" => "still_active:libyear", "value" => ruby_info[:libyear]&.to_s },
+        ].reject { |p| p["value"].nil? },
+      }
+    end
+
+    def build_vulnerabilities(result)
+      result.sort_by { |name, _| name.to_s }.flat_map do |name, data|
+        ref = bom_ref(name.to_s, data)
+        (data[:vulnerabilities] || []).map { |advisory| vulnerability(advisory, ref) }
+      end
+    end
+
+    def vulnerability(advisory, component_ref)
+      entry = {
+        "bom-ref" => "#{advisory[:id]}:#{component_ref}",
+        "id" => advisory[:id],
+        "affects" => [{ "ref" => component_ref }],
+      }
+      entry["source"] = { "name" => advisory[:source] } if advisory[:source]
+      advisory_rating = rating(advisory)
+      entry["ratings"] = [advisory_rating] if advisory_rating
+      entry
+    end
+
+    def rating(advisory)
+      score = advisory[:cvss3_score] || advisory[:cvss2_score]
+      return if score.nil?
+
+      method = advisory[:cvss3_score] ? "CVSSv3" : "CVSSv2"
+      rating = { "score" => score, "severity" => VulnerabilityHelper.highest_severity([advisory]) || "unknown", "method" => method }
+      rating["vector"] = advisory[:cvss3_vector] if advisory[:cvss3_vector]
+      rating
+    end
+
+    def boolean_property(value)
+      return if value.nil?
+
+      value.to_s
+    end
+
+    def iso8601(time)
+      return if time.nil?
+
+      time.respond_to?(:iso8601) ? time.iso8601 : time.to_s
+    end
+
+    # Deterministic urn:uuid derived from the component identifiers, so two SBOMs
+    # of the same lockfile are byte-identical (diffable; golden-test friendly).
+    def deterministic_serial(components)
+      basis = components.map { |c| c["bom-ref"] }.sort.join("\n")
+      hex = Digest::SHA256.hexdigest(basis)
+      uuid = "#{hex[0, 8]}-#{hex[8, 4]}-5#{hex[13, 3]}-8#{hex[17, 3]}-#{hex[20, 12]}"
+      "urn:uuid:#{uuid}"
+    end
+  end
+end

data/lib/helpers/markdown_helper.rb

@@ -26,8 +26,8 @@ module StillActive
     end
 
     def markdown_table_header_line
-      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear |\n" \
-        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- |"
+      "| activity | up to date? | OpenSSF | vulns | name | version used | latest version | latest pre-release | last commit | libyear | license |\n" \
+        "| -------- | ----------- | ------- | ----- | ---- | ------------ | -------------- | ------------------ | ----------- | ------- | ------- |"
     end
 
     def markdown_table_body_line(gem_name:, data:)
@@ -78,6 +78,7 @@ module StillActive
         formatted_latest_pre_release || unsure,
         formatted_last_commit || unsure,
         format_libyear(data[:libyear]),
+        format_license(data[:license]),
       ]
 
       "| #{cells.join(" | ")} |"
@@ -113,6 +114,12 @@ module StillActive
       "#{value}y"
     end
 
+    def format_license(license)
+      return "-" if license.nil? || license.empty?
+
+      license
+    end
+
     def format_vulns(data)
       count = data[:vulnerability_count]
       return StillActive.config.unsure_emoji if count.nil?

data/lib/helpers/ruby_advisory_db.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module StillActive
+  # Optional second vulnerability source: rubysec/ruby-advisory-db, read through
+  # bundler-audit's own loader when the user has it installed. We are a consumer —
+  # no YAML parsing or version-range matching of our own. Advisories are mapped
+  # into the same shape as deps.dev results and merged by VulnerabilityHelper.
+  #
+  # Verified against bundler-audit 0.9.3: Advisory CVSS scores live in #to_h
+  # (:cvss_v3 / :cvss_v2), not in dedicated methods; Database.new raises
+  # ArgumentError when the ~/.local/share/ruby-advisory-db checkout is absent.
+  module RubyAdvisoryDb
+    extend self
+
+    STALE_AFTER_SECONDS = 30 * 24 * 60 * 60 # 30 days
+
+    # bundler-audit's Database#check_gem expects an object responding to
+    # #name and #version (a Gem::Version).
+    GemRef = Struct.new(:name, :version)
+
+    # Returns a loaded bundler-audit Database, or nil when bundler-audit isn't
+    # installed or its advisory checkout is absent. Never raises — a missing
+    # second source just means we fall back to deps.dev only.
+    def load
+      require "bundler/audit"
+      require "bundler/audit/database"
+      database = Bundler::Audit::Database.new
+      warn_if_stale(database)
+      database
+    rescue LoadError
+      nil # bundler-audit not installed
+    rescue ArgumentError
+      warn("still_active: ruby-advisory-db not found — run `bundle audit update` to enable dual-source vulnerability data")
+      nil
+    end
+
+    # Maps advisories the database reports for gem_name@version into our
+    # vulnerability shape. Returns [] when the database is unavailable or the
+    # version can't be parsed (e.g. a git sha). A malformed advisory in the
+    # checkout (a corrupt/partial `bundle audit update`) is surfaced, not
+    # swallowed — silently returning [] there would hide a missed vulnerability.
+    def advisories_for(database:, gem_name:, version:)
+      return [] if database.nil?
+
+      parsed = parse_version(version)
+      return [] if parsed.nil?
+
+      advisories = []
+      database.check_gem(GemRef.new(gem_name, parsed)) { |advisory| advisories << to_vulnerability(advisory) }
+      advisories
+    rescue Gem::Requirement::BadRequirementError => e
+      warn("still_active: ruby-advisory-db has a malformed advisory for #{gem_name} (#{e.message}) — run `bundle audit update` to repair the checkout")
+      []
+    end
+
+    # Translates a bundler-audit Advisory into the deps.dev-compatible hash.
+    # bundler-audit has no CVSS vector, so cvss3_vector is always nil here.
+    def to_vulnerability(advisory)
+      primary = advisory.ghsa_id || advisory.cve_id || advisory.id
+      details = advisory.to_h
+      {
+        id: primary,
+        url: details[:url],
+        title: details[:title],
+        aliases: advisory.identifiers.reject { |identifier| identifier == primary },
+        cvss3_score: details[:cvss_v3],
+        cvss3_vector: nil,
+        cvss2_score: details[:cvss_v2],
+        source: "ruby-advisory-db",
+      }
+    end
+
+    private
+
+    # nil for versions Gem::Version can't parse (e.g. a git sha); such a "version"
+    # has nothing to match in the advisory DB, so the caller returns [].
+    def parse_version(version)
+      Gem::Version.new(version)
+    rescue ArgumentError
+      nil
+    end
+
+    def warn_if_stale(database)
+      updated = database.last_updated_at
+      return if updated.nil? # can't determine age — don't warn (not a swallowed error)
+
+      age = Time.now - updated
+      return if age < STALE_AFTER_SECONDS
+
+      warn("still_active: ruby-advisory-db is #{(age / 86_400).round} days old — run `bundle audit update` for current advisories")
+    end
+  end
+end

data/lib/helpers/terminal_helper.rb

@@ -10,7 +10,7 @@ module StillActive
   module TerminalHelper
     extend self
 
-    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns"].freeze
+    HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns", "License"].freeze
 
     def render(result, ruby_info: nil)
       rows = result.keys.sort.map { |name| build_row(name, result[name]) }
@@ -35,9 +35,16 @@ module StillActive
         format_activity(data),
         format_scorecard(data[:scorecard_score]),
         format_vulns(data),
+        format_license(data[:license]),
       ]
     end
 
+    def format_license(license)
+      return AnsiHelper.dim("-") if license.nil? || license.empty?
+
+      license
+    end
+
     def format_version(data)
       used = data[:version_used]
       latest = data[:latest_version]

data/lib/helpers/version_helper.rb

@@ -38,6 +38,15 @@ module StillActive
       Time.parse(release_date) unless release_date.nil?
     end
 
+    # SPDX license identifier(s) from the RubyGems versions payload.
+    # Comma-joined when a gem declares more than one. nil when unknown.
+    def license(version_hash:)
+      licenses = version_hash&.dig("licenses")
+      return if licenses.nil? || licenses.empty?
+
+      licenses.join(", ")
+    end
+
     private
 
     def normalize_version(version)

data/lib/helpers/vulnerability_helper.rb

@@ -22,8 +22,43 @@ module StillActive
       SEVERITY_ORDER.index(highest) >= SEVERITY_ORDER.index(threshold)
     end
 
+    # Combines advisories from deps.dev and ruby-advisory-db (via bundler-audit),
+    # deduplicating on shared identifiers. deps.dev is preferred for CVSS/title/url
+    # (it carries the vector string); ruby-advisory-db fills gaps. Advisories present
+    # in both sources are tagged source: "merged"; otherwise the per-source tag is kept.
+    def merge_advisories(deps_dev:, ruby_advisory_db:)
+      merged = deps_dev.map(&:dup)
+
+      ruby_advisory_db.each do |advisory|
+        existing = merged.find { |m| identifiers(m).intersect?(identifiers(advisory)) }
+        if existing
+          combine!(existing, advisory)
+        else
+          merged << advisory
+        end
+      end
+
+      merged
+    end
+
     private
 
+    def identifiers(advisory)
+      [advisory[:id], *advisory[:aliases]].compact
+    end
+
+    # Folds a ruby-advisory-db advisory into a matching deps.dev advisory in place:
+    # deps.dev values win where present, ruby-advisory-db fills nils, aliases union.
+    def combine!(into, from)
+      into[:cvss3_score] ||= from[:cvss3_score]
+      into[:cvss2_score] ||= from[:cvss2_score]
+      into[:cvss3_vector] ||= from[:cvss3_vector]
+      into[:title] ||= from[:title]
+      into[:url] ||= from[:url]
+      into[:aliases] = (identifiers(into) | identifiers(from)).reject { |id| id == into[:id] }.sort
+      into[:source] = "merged"
+    end
+
     def severity_label(score)
       case score
       when 9.0..Float::INFINITY then "critical"

data/lib/still_active/cli.rb

@@ -3,7 +3,9 @@
 require_relative "options"
 require_relative "diff"
 require_relative "../helpers/activity_helper"
+require_relative "../helpers/bot_context"
 require_relative "../helpers/bundler_helper"
+require_relative "../helpers/cyclonedx_helper"
 require_relative "../helpers/diff_markdown_helper"
 require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
@@ -26,6 +28,8 @@ module StillActive
         end
       end
 
+      warn_output_flag_conflicts(options)
+
       result = if $stderr.tty?
         Workflow.call { |done, total| $stderr.print("\rChecking #{done}/#{total} gems...") }
       else
@@ -34,11 +38,14 @@ module StillActive
       $stderr.print("\r\e[K") if $stderr.tty?
 
       ruby_info = Workflow.ruby_freshness
+      pr_context = BotContext.detect
 
       if (baseline_path = StillActive.config.baseline_path)
-        emit_diff(result, ruby_info, baseline_path)
+        emit_diff(result, ruby_info, baseline_path, pr_context)
       elsif (sarif_path = StillActive.config.sarif_path)
         emit_sarif(result, ruby_info, sarif_path)
+      elsif (cyclonedx_path = StillActive.config.cyclonedx_path)
+        emit_cyclonedx(result, ruby_info, cyclonedx_path)
       else
         case resolve_format
         when :json
@@ -49,11 +56,13 @@ module StillActive
             gems: result,
           }
           output[:ruby] = ruby_info if ruby_info
+          output[:pr_context] = pr_context if pr_context
           puts output.to_json
         when :terminal
+          puts BotContext.summary(pr_context) if pr_context
           puts TerminalHelper.render(result, ruby_info: ruby_info)
         when :markdown
-          render_markdown(result, ruby_info: ruby_info)
+          render_markdown(result, ruby_info: ruby_info, pr_context: pr_context)
         end
       end
 
@@ -62,6 +71,29 @@ module StillActive
 
     private
 
+    # The output destinations are mutually exclusive and resolved by precedence
+    # (baseline > sarif > cyclonedx > terminal/markdown/json). Warn rather than
+    # silently dropping the loser when more than one is set.
+    def warn_output_flag_conflicts(options)
+      modes = active_output_modes
+      if modes.size > 1
+        $stderr.puts("warning: multiple output modes set (#{modes.join(", ")}); using #{modes.first}, ignoring #{modes.drop(1).join(", ")}")
+      end
+      if options[:provided_cyclonedx_version] && StillActive.config.cyclonedx_path.nil?
+        $stderr.puts("warning: --cyclonedx-version has no effect without --cyclonedx")
+      end
+    end
+
+    # In precedence order, so the first entry is the one that actually runs.
+    def active_output_modes
+      config = StillActive.config
+      [
+        ("--baseline" if config.baseline_path),
+        ("--sarif" if config.sarif_path),
+        ("--cyclonedx" if config.cyclonedx_path),
+      ].compact
+    end
+
     def emit_sarif(result, ruby_info, sarif_path)
       lockfile = resolve_lockfile_path(StillActive.config.gemfile_path)
       unless File.exist?(lockfile)
@@ -83,6 +115,21 @@ module StillActive
       end
     end
 
+    def emit_cyclonedx(result, ruby_info, cyclonedx_path)
+      sbom = CyclonedxHelper.render(
+        result: result,
+        ruby_info: ruby_info,
+        tool_version: StillActive::VERSION,
+        spec_version: StillActive.config.cyclonedx_version,
+      )
+
+      if cyclonedx_path == "-"
+        puts sbom
+      else
+        File.write(cyclonedx_path, sbom)
+      end
+    end
+
     # Mirrors Bundler's convention: gems.rb -> gems.locked, otherwise <gemfile>.lock.
     def resolve_lockfile_path(gemfile)
       return gemfile.sub(/gems\.rb\z/, "gems.locked") if gemfile.end_with?("gems.rb")
@@ -90,10 +137,11 @@ module StillActive
       "#{gemfile}.lock"
     end
 
-    def emit_diff(result, ruby_info, baseline_path)
+    def emit_diff(result, ruby_info, baseline_path, pr_context = nil)
       current = current_snapshot(result, ruby_info)
       baseline = JSON.parse(File.read(baseline_path))
       diff = Diff.call(baseline: baseline, current: current)
+      puts "> **#{BotContext.summary(pr_context)}**\n\n" if pr_context
       puts DiffMarkdownHelper.render(diff)
       exit(1) if diff.regressions.any?
     rescue JSON::ParserError => e
@@ -125,7 +173,8 @@ module StillActive
       $stdout.tty? ? :terminal : :json
     end
 
-    def render_markdown(result, ruby_info: nil)
+    def render_markdown(result, ruby_info: nil, pr_context: nil)
+      puts "> **#{BotContext.summary(pr_context)}**\n" if pr_context
       puts MarkdownHelper.markdown_table_header_line
       result.keys.sort.each do |name|
         gem_data = result[name]

data/lib/still_active/config.rb

@@ -9,6 +9,8 @@ module StillActive
     attr_writer :github_oauth_token, :gitlab_token, :gemfile_path
     attr_accessor :baseline_path,
       :critical_warning_emoji,
+      :cyclonedx_path,
+      :cyclonedx_version,
       :fail_if_critical,
       :fail_if_warning,
       :futurist_emoji,
@@ -41,6 +43,8 @@ module StillActive
       @output_format = :auto
       @sarif_path = nil
       @baseline_path = nil
+      @cyclonedx_path = nil
+      @cyclonedx_version = "1.6"
 
       @critical_warning_emoji = "🚩"
       @futurist_emoji = "🔮"

data/lib/still_active/deps_dev_client.rb

@@ -52,6 +52,7 @@ module StillActive
         cvss3_score: body["cvss3Score"],
         cvss3_vector: body["cvss3Vector"],
         cvss2_score: body["cvss2Score"],
+        source: "deps.dev",
       }
     end
 

data/lib/still_active/options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "optparse"
+require_relative "../helpers/cyclonedx_helper"
 require_relative "../helpers/vulnerability_helper"
 
 module StillActive
@@ -70,6 +71,16 @@ module StillActive
         options[:provided_baseline] = true
         StillActive.config { |config| config.baseline_path = value }
       end
+      opts.on("--cyclonedx[=PATH]", "CycloneDX SBOM output (default to stdout; PATH to write a file). Overrides --terminal/--markdown/--json.") do |value|
+        StillActive.config { |config| config.cyclonedx_path = value || "-" }
+      end
+      opts.on("--cyclonedx-version=VERSION", String, "CycloneDX spec version to emit: 1.6 (default) or 1.7.") do |value|
+        supported = StillActive::CyclonedxHelper::SUPPORTED_SPEC_VERSIONS
+        raise ArgumentError, "--cyclonedx-version must be one of: #{supported.join(", ")} (got #{value})" unless supported.include?(value)
+
+        options[:provided_cyclonedx_version] = true
+        StillActive.config { |config| config.cyclonedx_version = value }
+      end
     end
 
     def add_token_options(opts)

data/lib/still_active/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module StillActive
-  VERSION = "1.4.2"
+  VERSION = "1.5.0"
 end

data/lib/still_active/workflow.rb

@@ -4,8 +4,10 @@ require_relative "deps_dev_client"
 require_relative "gitlab_client"
 require_relative "repository"
 require_relative "../helpers/libyear_helper"
+require_relative "../helpers/ruby_advisory_db"
 require_relative "../helpers/ruby_helper"
 require_relative "../helpers/version_helper"
+require_relative "../helpers/vulnerability_helper"
 require "async"
 require "async/barrier"
 require "async/semaphore"
@@ -17,6 +19,9 @@ module StillActive
 
     def call(&on_progress)
       task = Async do
+        # Load the optional ruby-advisory-db once, before the fan-out, so the
+        # read-only Database is shared across fibers rather than reloaded per gem.
+        advisory_db = RubyAdvisoryDb.load
         barrier = Async::Barrier.new
         semaphore = Async::Semaphore.new(StillActive.config.parallelism, parent: barrier)
         result_object = {}
@@ -30,6 +35,7 @@ module StillActive
               gem_version: gem[:version],
               source_type: gem[:source_type] || :rubygems,
               source_uri: gem[:source_uri],
+              advisory_db: advisory_db,
             )
           rescue Octokit::TooManyRequests
             $stderr.print("\r\e[K") if on_progress
@@ -54,24 +60,25 @@ module StillActive
 
     private
 
-    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil)
+    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil, advisory_db: nil)
       result_object[gem_name] = { source_type: source_type }
       result_object[gem_name][:version_used] = gem_version if gem_version
 
       case source_type
       when :path, :git
-        gem_info_non_rubygems(gem_name: gem_name, gem_version: gem_version, result_object: result_object, source_uri: source_uri)
+        gem_info_non_rubygems(gem_name: gem_name, gem_version: gem_version, result_object: result_object, source_uri: source_uri, advisory_db: advisory_db)
       else
         gem_info_rubygems(
           gem_name: gem_name,
           gem_version: gem_version,
           result_object: result_object,
           source_uri: source_uri,
+          advisory_db: advisory_db,
         )
       end
     end
 
-    def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:)
+    def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:, advisory_db: nil)
       vs = versions(gem_name: gem_name, source_uri: source_uri)
       repo_info = repository_info(gem_name: gem_name, versions: vs)
       commit_date = last_commit_date(
@@ -89,6 +96,7 @@ module StillActive
       deps_dev = fetch_deps_dev_info(
         gem_name: gem_name,
         version: gem_version || VersionHelper.gem_version(version_hash: last_release),
+        advisory_db: advisory_db,
       )
       result_object[gem_name].merge!({
         latest_version: VersionHelper.gem_version(version_hash: last_release),
@@ -118,6 +126,7 @@ module StillActive
 
           version_used_release_date: VersionHelper.release_date(version_hash: version_used),
           version_yanked: !vs.empty? && version_used.nil?,
+          license: VersionHelper.license(version_hash: version_used),
           libyear: LibyearHelper.gem_libyear(
             version_used_release_date: VersionHelper.release_date(version_hash: version_used),
             latest_version_release_date: VersionHelper.release_date(version_hash: last_release),
@@ -126,10 +135,10 @@ module StillActive
       end
     end
 
-    def gem_info_non_rubygems(gem_name:, gem_version:, result_object:, source_uri: nil)
+    def gem_info_non_rubygems(gem_name:, gem_version:, result_object:, source_uri: nil, advisory_db: nil)
       repo_info = repository_info_for_non_rubygems(gem_name: gem_name, source_uri: source_uri)
       source, owner, name = repo_info.values_at(:source, :owner, :name)
-      deps_dev = gem_version ? fetch_deps_dev_info(gem_name: gem_name, version: gem_version) : {}
+      deps_dev = gem_version ? fetch_deps_dev_info(gem_name: gem_name, version: gem_version, advisory_db: advisory_db) : {}
 
       # Fall back to repo-derived project_id for scorecard when deps.dev doesn't have the version
       deps_dev[:scorecard_score] ||= DepsDevClient.project_scorecard(project_id: repo_info[:project_id])&.dig(:score)
@@ -142,11 +151,13 @@ module StillActive
       })
     end
 
-    def fetch_deps_dev_info(gem_name:, version:)
+    def fetch_deps_dev_info(gem_name:, version:, advisory_db: nil)
       info = DepsDevClient.version_info(gem_name: gem_name, version: version)
       scorecard = DepsDevClient.project_scorecard(project_id: info&.dig(:project_id))
       advisory_keys = info&.dig(:advisory_keys) || []
-      vulnerabilities = advisory_keys.filter_map { |id| DepsDevClient.advisory_detail(advisory_id: id) }
+      deps_dev_vulns = advisory_keys.filter_map { |id| DepsDevClient.advisory_detail(advisory_id: id) }
+      radb_vulns = RubyAdvisoryDb.advisories_for(database: advisory_db, gem_name: gem_name, version: version)
+      vulnerabilities = VulnerabilityHelper.merge_advisories(deps_dev: deps_dev_vulns, ruby_advisory_db: radb_vulns)
       {
         scorecard_score: scorecard&.dig(:score),
         vulnerability_count: vulnerabilities.length,

data/still_active.gemspec

@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Abin/still_active}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_development_dependency("bundler-audit")
   spec.add_development_dependency("debug")
   spec.add_development_dependency("faker")
   spec.add_development_dependency("json_schemer")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: still_active
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.5.0
 platform: ruby
 authors:
 - Sean Floyd
@@ -9,6 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -198,13 +212,16 @@ files:
 - bin/still_active
 - lib/helpers/activity_helper.rb
 - lib/helpers/ansi_helper.rb
+- lib/helpers/bot_context.rb
 - lib/helpers/bundler_helper.rb
+- lib/helpers/cyclonedx_helper.rb
 - lib/helpers/diff_markdown_helper.rb
 - lib/helpers/emoji_helper.rb
 - lib/helpers/http_helper.rb
 - lib/helpers/libyear_helper.rb
 - lib/helpers/lockfile_indexer.rb
 - lib/helpers/markdown_helper.rb
+- lib/helpers/ruby_advisory_db.rb
 - lib/helpers/ruby_helper.rb
 - lib/helpers/sarif_helper.rb
 - lib/helpers/terminal_helper.rb