shyshlakov/pci-dss-mcp

v0.6.2 Breaking

This release includes one breaking change that platform teams should review before upgrading (see Migration below).

Published 1 month ago · Category: MCP Security & Auth
✓ No known CVEs patched

Affected surfaces: breaking_upgrade

Summary (AI-generated)

Bumped CycloneDX spec version from 1.5 to 1.6, requiring schema updates for consumers.

Full changelog

PCI DSS 6.3.2 software-inventory output is now production-grade: full CycloneDX 1.6 metadata, SPDX-correct licenses, byte-reproducible output, and a CI gate that runs the official cyclonedx-cli validator against every build.

Highlights

Standards conformance

  • CycloneDX spec bumped 1.5 → 1.6. Schema-validated in CI via cyclonedx-cli validate --input-version v1_6 --fail-on-errors.
  • SBOM provenance. Every SBOM now carries serialNumber (urn:uuid v4), metadata.timestamp (RFC3339 UTC), metadata.component (the scanned project as the BOM subject), and an enriched metadata.tools.components[0] with publisher, externalReferences (VCS + website), and a SHA-256 self-hash of the running pci-dss-mcp binary.
  • SPDX-correct licenses. Detected licenses now emit valid SPDX identifiers (MIT, Apache-2.0, BSD-3-Clause) instead of placeholder strings. Detection via github.com/google/licensecheck v0.3.1 with coverageThreshold = 75 (matches pkg.go.dev's production source). License findings recorded with acknowledgement: "concluded" per CycloneDX 1.6 semantics (verified by file analysis), plus a full component.evidence.licenses[] trail with confidence and source-file location.
  • NTIA Minimum Elements for SBOM (2021): 6 of 7 baseline fields covered.

Reproducibility

  • New generate_sbom parameters: fixed_serial (override the serialNumber) and no_timestamp (omit metadata.timestamp). Combined, two runs over the same dependency graph produce byte-identical SBOMs (SHA-256-verified). Required for SLSA Level 3 reproducible-build attestations and for caching in CI pipelines.
  • sbomdump CLI mirrors both options as -fixed-serial and -no-timestamp. Default output is now compact JSON.
  • New error token: INVALID_FIXED_SERIAL.
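
The provenance fields in the Standards conformance list and the fixed_serial / no_timestamp behaviour described under Reproducibility can be shown together in one small generator. The Go program below is an added example written for this page; it is not pci-dss-mcp's own code. It assumes: CycloneDX struct shapes reduced to the fields named above (externalReferences are left out for brevity); the serialNumber regex is the bom-1.6 schema pattern; validating fixed_serial against that same pattern and reporting it as INVALID_FIXED_SERIAL is an assumption, since the notes only name the token; the "binary" that is self-hashed is a constructed byte string, and the sample dependency list is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Minimal CycloneDX 1.6 shapes covering only the fields the release notes name.
// Constructed for this example; these are not pci-dss-mcp's own types.
type Hash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}

type Component struct {
	Type      string `json:"type"`
	Name      string `json:"name"`
	Version   string `json:"version,omitempty"`
	Publisher string `json:"publisher,omitempty"`
	Hashes    []Hash `json:"hashes,omitempty"`
}

type Metadata struct {
	Timestamp string `json:"timestamp,omitempty"` // RFC3339 UTC; omitted under NoTimestamp
	Tools     struct {
		Components []Component `json:"components"`
	} `json:"tools"`
	Component Component `json:"component"` // the scanned project, i.e. the BOM subject
}

type BOM struct {
	BOMFormat    string      `json:"bomFormat"`
	SpecVersion  string      `json:"specVersion"`
	SerialNumber string      `json:"serialNumber"`
	Version      int         `json:"version"`
	Metadata     Metadata    `json:"metadata"`
	Components   []Component `json:"components"`
}

// Options mirror the generate_sbom parameters fixed_serial and no_timestamp.
type Options struct {
	FixedSerial string
	NoTimestamp bool
}

// serialPattern is the bom-1.6 schema pattern for serialNumber.
var serialPattern = regexp.MustCompile(`^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// randomSerial returns a fresh RFC 4122 version-4 UUID as a urn:uuid serialNumber.
func randomSerial() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant bits
	return fmt.Sprintf("urn:uuid:%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// Generate emits compact CycloneDX 1.6 JSON. toolBinary stands in for the running
// tool's bytes (its SHA-256 is the self-hash); now is injected so tests control time.
// Checking fixed_serial against the schema pattern is this example's assumption.
func Generate(subject Component, deps []Component, toolBinary []byte, now time.Time, opt Options) ([]byte, error) {
	serial := opt.FixedSerial
	switch {
	case serial == "":
		serial = randomSerial()
	case !serialPattern.MatchString(serial):
		return nil, fmt.Errorf("INVALID_FIXED_SERIAL: %q is not a urn:uuid serialNumber", serial)
	}
	bom := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.6", SerialNumber: serial, Version: 1, Components: deps}
	bom.Metadata.Component = subject
	bom.Metadata.Tools.Components = []Component{{
		Type: "application", Name: "pci-dss-mcp", Version: "0.6.2", Publisher: "shyshlakov",
		Hashes: []Hash{{Alg: "SHA-256", Content: fmt.Sprintf("%x", sha256.Sum256(toolBinary))}},
	}}
	if !opt.NoTimestamp {
		bom.Metadata.Timestamp = now.UTC().Format(time.RFC3339)
	}
	// encoding/json writes struct fields in declaration order, so once serial and
	// timestamp are pinned the bytes are a pure function of the dependency graph.
	return json.Marshal(bom)
}

// Digest is the SHA-256 hex of an SBOM, used to prove two runs are byte-identical.
func Digest(sbom []byte) string { return fmt.Sprintf("%x", sha256.Sum256(sbom)) }

func main() {
	subject := Component{Type: "application", Name: "payment-service", Version: "1.0.0"}
	deps := []Component{{Type: "library", Name: "github.com/google/licensecheck", Version: "v0.3.1"}}
	tool := []byte("constructed stand-in for the pci-dss-mcp binary")
	repro := Options{FixedSerial: "urn:uuid:00000000-0000-4000-8000-000000000000", NoTimestamp: true}
	a, _ := Generate(subject, deps, tool, time.Now(), repro)
	b, _ := Generate(subject, deps, tool, time.Now().Add(time.Hour), repro)
	fmt.Println("byte-identical:", Digest(a) == Digest(b), Digest(a))
}
```

Two calls an hour apart with both options set hash to the same SHA-256, which is the property a SLSA reproducible-build attestation or a CI cache key needs; with the defaults, a fresh serialNumber and the timestamp make every run differ.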

CI standards-validation gate

  • New make test-sbom-validate target generates a fresh SBOM via sbomdump and validates it against the bom-1.6 schema using the official cyclonedx-cli Docker image (cyclonedx/cyclonedx-cli:0.30.0, pinned).
  • Wired into .github/workflows/ci.yml on ubuntu-latest. Every PR is now externally validated against the spec.

Stability fixes (rolled in for this release)

  • Human-readable 6.3.2 cross-reference no longer renders an unknown-license count that depended on local GOMODCACHE state. The line now reads SBOM inventory: N components only — component count is deterministic from go.mod. The unknown count is still available programmatically via unknown_licenses on the MCP response and as per-component pci-dss-mcp:license-status="unknown" properties in the SBOM JSON.
  • License acknowledgement corrected from declared (what authors stated) to concluded (verified by file analysis), matching what pci-dss-mcp actually does.

Migration

  • Clients schema-validating against the v0.6.1 OutputSchema constant "spec_version": "1.5" need to update their consumer-side schema to "1.6". Downstream SBOM tooling (Grype, Trivy, Snyk, Dependency-Track, VEX tooling) auto-detects the spec version from the SBOM's own specVersion field — no consumer change there.
  • Clients that read License.id == "UNKNOWN-LICENSE" to detect license gaps must switch to unknown_licenses in the response (already populated since v0.6.1) or to checking for the pci-dss-mcp:license-status property on components without a licenses[] array.
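
Both migration items are consumer-side checks, so the following Go program walks through them on a constructed v0.6.2-style SBOM fragment: it rejects documents whose specVersion is outside the consumer's allow-list (a consumer still pinned to "1.5" alone is what breaks), applies the new license-gap rule (no licenses[] array plus a pci-dss-mcp:license-status="unknown" property), and shows that the old License.id == "UNKNOWN-LICENSE" rule now finds nothing. This is an added example, not pci-dss-mcp's code; it assumes the CycloneDX 1.6 placement of acknowledgement inside the license object, and the component names and the allow-list are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Consumer-side view of just the CycloneDX fields the migration notes touch.
// Constructed for this example; these are not pci-dss-mcp's own types.
type property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type license struct {
	ID              string `json:"id,omitempty"`
	Acknowledgement string `json:"acknowledgement,omitempty"` // "declared" or "concluded"
}

type licenseChoice struct {
	License *license `json:"license,omitempty"`
}

type component struct {
	Name       string          `json:"name"`
	Version    string          `json:"version"`
	Licenses   []licenseChoice `json:"licenses,omitempty"`
	Properties []property      `json:"properties,omitempty"`
}

type sbom struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []component `json:"components"`
}

// acceptedSpecVersions is the consumer's allow-list (constructed). A consumer that
// accepted only "1.5" would reject every v0.6.2 SBOM; that is the breaking change.
var acceptedSpecVersions = map[string]bool{"1.5": true, "1.6": true}

// LicenseGaps applies the v0.6.2 rule: a component with no licenses[] array and a
// pci-dss-mcp:license-status="unknown" property has a license gap.
func LicenseGaps(doc []byte) (specVersion string, gaps []string, err error) {
	var b sbom
	if err := json.Unmarshal(doc, &b); err != nil {
		return "", nil, err
	}
	if b.BOMFormat != "CycloneDX" || !acceptedSpecVersions[b.SpecVersion] {
		return b.SpecVersion, nil, fmt.Errorf("unsupported SBOM: bomFormat=%q specVersion=%q", b.BOMFormat, b.SpecVersion)
	}
	for _, c := range b.Components {
		if len(c.Licenses) > 0 {
			continue // a concluded SPDX id is present; not a gap
		}
		for _, p := range c.Properties {
			if p.Name == "pci-dss-mcp:license-status" && p.Value == "unknown" {
				gaps = append(gaps, c.Name+"@"+c.Version)
			}
		}
	}
	return b.SpecVersion, gaps, nil
}

// LegacyLicenseGaps is the pre-0.6.2 rule (License.id == "UNKNOWN-LICENSE"). It is
// kept here to show that it silently finds nothing in v0.6.2 output.
func LegacyLicenseGaps(doc []byte) []string {
	var b sbom
	if json.Unmarshal(doc, &b) != nil {
		return nil
	}
	var gaps []string
	for _, c := range b.Components {
		for _, lc := range c.Licenses {
			if lc.License != nil && lc.License.ID == "UNKNOWN-LICENSE" {
				gaps = append(gaps, c.Name+"@"+c.Version)
			}
		}
	}
	return gaps
}

// sampleSBOM is a constructed v0.6.2-style fragment: one component with a concluded
// SPDX license, one with no licenses[] and only the license-status property.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000",
  "version": 1,
  "components": [
    {"type": "library", "name": "github.com/google/licensecheck", "version": "v0.3.1",
     "licenses": [{"license": {"id": "BSD-3-Clause", "acknowledgement": "concluded"}}]},
    {"type": "library", "name": "example.internal/legacy-lib", "version": "v0.1.0",
     "properties": [{"name": "pci-dss-mcp:license-status", "value": "unknown"}]}
  ]
}`

func main() {
	spec, gaps, err := LicenseGaps([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("specVersion %s: new rule flags %v; legacy rule flags %v\n", spec, gaps, LegacyLicenseGaps([]byte(sampleSBOM)))
}
```

The point of keeping LegacyLicenseGaps next to the new rule is the failure mode: a consumer that forgets to migrate does not error, it simply reports zero license gaps, so the migration should be verified with a fixture that is known to contain one.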

Verification

| Gate | Result |
|------|--------|
| make vet | PASS |
| make test (race, 23 packages) | PASS |
| make test-fixture (golden regression) | PASS |
| make test-sbom-validate (cyclonedx-cli 1.6 schema) | PASS |
| TestSBOMStandardsConformance (urn:uuid + RFC3339 + metadata.component + tool version + SPDX ids) | PASS |
| TestFormatHumanReadable_ByteIdentical_Golden (clean GOMODCACHE) | PASS |
| Live-path vs fixture-copy smoke parity (C=49 H=89 M=27 I=59) | PASS |
| Reproducibility proof (two runs, identical SHA-256) | PASS |

Severity counts on testdata/vulnerable-payment-service remain byte-identical to v0.6.1: 49 CRITICAL / 89 HIGH / 27 MEDIUM / 0 LOW / 59 INFO. No detection logic changed.

Distribution

  • go install github.com/shyshlakov/pci-dss-mcp@v0.6.2
  • Multi-arch Docker (linux/amd64 + linux/arm64), cosign-signed via OIDC: ghcr.io/shyshlakov/pci-dss-mcp:0.6.2 and :latest
  • MCP Registry: io.github.shyshlakov/pci-dss-mcp v0.6.2 (auto-published on tag)

Pull request

Supersedes #20. Merged via #21.

Breaking Changes

  • Output schema changed from "spec_version": "1.5" to "1.6"; downstream consumers must update validation schemas.


About shyshlakov/pci-dss-mcp

PCI DSS v4.0.1 static-analysis MCP server for Go payment codebases. 12 scanners detect PAN/CVV exposure, weak crypto, missing audit logs, vulnerable deps, TLS misconfig, auth weaknesses, plus CycloneDX 1.6 SBOM generation - each finding mapped to the exact PCI requirement. AI-assisted triage via triage_findings. Keyless-signed multi-arch Docker image on ghcr.io.
