CHANGELOG.md

Unreleased

v1.4.11 - 2022-10-26

Build(Deps)

• 9fdb583: bump github.com/prometheus/client_model from 0.2.0 to 0.3.0

Jar

• d52a304: handle manifest with invalid header keys

Tarfs

• 48317f8: implement hard links correctly
  • #714
• 6511863: implement hard links
• 070737a: skip "known" directory

v1.4.10 - 2022-10-25

Build(Deps)

• 713df2f: bump golang.org/x/tools from 0.1.12 to 0.2.0
• 11e9a0f: bump peaceiris/actions-gh-pages from 3.8.0 to 3.9.0
• d94e1e7: bump gsactions/commit-message-checker from 1 to 2
• 786ba1e: bump peter-evans/create-pull-request from 4.1.3 to 4.2.0

Chore

• 80708e0: v1.4.10 changelog bump

Fetcher

• 4d50715: Add layer hash to error message

v1.4.9 - 2022-10-24

Build(Deps)

• 401b227: bump golang.org/x/text from 0.3.8 to 0.4.0
• e63deae: bump peter-evans/create-pull-request from 4.1.2 to 4.1.3
• e7ecd78: bump actions/cache from 3.0.8 to 3.0.11

Chore

• 65e62a0: v1.4.9 changelog bump
• f89847c: update set-output usage
• 078d7cf: enable go1.19 building and testing
• 6ede351: update go dependencies
  • #695
  • #696
  • #697
  • #698
  • #699
• 38698fa: update go dependencies
  • #688
  • #689
  • #690
  • #691
  • #692
  • #693

Cicd

• 0dfcd3c: move to redhat-actions actions for golang image
• 9a3ab55: enable dependabot for go modules

Ndb

• 5f049d5: add package to read RPM ndb databases

Notifier

• d9abe3d: delete manifest_index_manifest_id_package_id_dist_id_repo_id_idx

Rpm

• 7e5d7d6: add ndb support
• a54ea6f: split RPM header parsing into dedicated package

Sqlite

• c160060: remove header parser, port to common API

Tarfs

• 8a0cb12: handle data and EOF return

v1.4.8 - 2022-10-11

Chore

• c9fa148: v1.4.8 changelog bump

Tarfs

• ca4a13d: symlink changes

v1.4.7 - 2022-10-07

Build(Deps)

• d4e524e: bump actions/cache from 3.0.7 to 3.0.8
• de1fa2f: bump peter-evans/create-pull-request from 4.1.1 to 4.1.2
• 85562c9: bump peter-evans/create-pull-request from 4.0.4 to 4.1.1

Chore

• 3d36cd0: v1.4.7 changelog bump

Chore

• ffb3960: Bump goval-parser to v0.8.8

Rhel

• 0f2066a: handle malformed build metadata

Tarfs

• 6fb6ef5: handle tars without trailer

v1.4.6 - 2022-08-17

Build(Deps)

• b38dc01: bump actions/cache from 3.0.5 to 3.0.7

Chore

• 407aa7d: v1.4.6 changelog bump

Fetcher

• f11ec59: Wrap error to surface type to external caller

v1.4.5 - 2022-08-01

All

• 3591883: Rewrite libvuln instantiation (#614)
  • #614
• 454830e: new exportable indexer and datastore packages (#587)
  • #587

Aws

• d7edab9: remove updater integration tests

Bisect

• e3a85e5: port to this weird test setup

Build(Deps)

• 8f0d7d9: bump actions/cache from 3.0.4 to 3.0.5

Chore

• 8e1cd78: Add filter version flag to release workflow
• d69b464: v1.4.5 changelog bump
• 24dd7e9: Add tag pattern to chg-log Changelog generator

Cicd

• 49616bd: ensure rpm is installed for periodic tests

Cmd

• c55fcd6: remove obsolete commands

Debian

• d44da96: create distributions dynamically

Defaults

• d3f595d: update debian

Docs

• b4e2243: remove mentions of cctool

Events

• bd0c417: facade for diagnostic events

Fetch

• a91e041: add support for registry.access.redhat.com
• 846553c: add options to Layer function

Integration

• 448c827: add Persistent variant

Libindex

• 8cf4455: use new String method
• f84baf4: attempt to validate tar during fetch

Libvuln

• dadef07: fix compilation error
• b2e2753: don't attempt to decompress within OfflineImport

Makefile

• f51477c: remove command targets

Ovaldebug

• e59f862: remove debian support

Ovalutil

• 6ec6ce7: additional dpkg fixes

Periodic

• db14afa: update debian
• b8f712f: add automated RPM acceptance tests

Photon

• 34595f2: remove updater integration tests

Postgres

• e452f64: use bisect tool to generate test fixtures
• 9d7d063: Observe metric

Rpm

• 87ab3e3: add sqlite db support

Rpmtest

• 018e872: helpers and data structures for testing RPM indexing

Sqlite

• e16880f: add sqlite RPM database parser

Suse

• 6e16f47: remove updater integration tests

Tarfs

• 5695866: add dedicated format error

Ubuntu

• 3ac9b52: dynamic distributions
• 9998715: remove unused file

Updater

• 97420ed: dedicated Updater subsystem

v1.4.4 - 2022-07-05

Chore

• 1542105: v1.4.4 changelog bump

Updates

• df37f2a: Use the tx's methods to record updater's status (#647)
  • #647

v1.4.3 - 2022-06-29

Alpine

• 9db8b16: move to dynamic distributions
• c804ced: syntax simplifications in tests
• bf21d03: add documentation to Matcher type
• cef8829: remove disused method

Build(Deps)

• 7c33022: bump actions/cache from 3.0.3 to 3.0.4

Chore

• b3f95ab: v1.4.3 changelog bump

Defaults

• 8b93324: update alpine

Dpkg

• d475a7a: test with known-problematic status file
  • #297

Ovalutil

• e8478a4: sanity-check incoming dpkg version strings
  • #395

Periodic

• 3d40ef6: update alpine

Rhel

• 98b6183: recognize RHEL9 for updaters
• 2eba2c4: construct distributions dynamically
• c959ca5: test structure simplifications

Tarfs

• 4d1ba0d: resolve symlinks when adding new files

Ubuntu

• 7988203: update feed URLs
  • #588

Updates

• 0dad974: Record in a new table each time updaters check for vulns (#558)
  • #558

v1.4.2 - 2022-06-09

Chore

• e9aa844: v1.4.2 changelog bump

Crda

• dc939a0: clone url when creating a new matcher (#633)
  • #633

Rhcc

• 4059faf: don't fatally error on unexpected Dockerfiles
• de0aac8: Update vulnerability details to match rhel patched
  • #627

v1.4.1 - 2022-06-06

Build(Deps)

• 7200c3c: bump actions/cache from 3.0.2 to 3.0.3
• b0664a1: bump peter-evans/create-pull-request from 4.0.3 to 4.0.4

Chore

• f57b7a1: v1.4.1 changelog bump

Crda

• c854b78: check response status code

Ovalutil

• 547686f: remove pointless log

Postgres

• 1ea9fcf: run creates before creating transaction (#617)
  • #617

Tarfs

• d58afbd: always create a root directory

v1.4.0 - 2022-05-24

Alpine

• ece632e: ingest alpine vulnerabilities as type SOURCE (#615)
  • #615
• c52b6e3: use tarfs in scanners
• 79a61e2: move test fixtures to files

Build(Deps)

• dd3b32c: bump docker/build-push-action from 2 to 3
• 3af44fd: bump docker/setup-buildx-action from 1 to 2
• 3b83f2e: bump docker/login-action from 1 to 2
• 3a4c69b: bump peter-evans/create-pull-request from 4.0.2 to 4.0.3
• 8901d07: bump actions/cache from 3.0.1 to 3.0.2
• efa8e87: bump peter-evans/create-pull-request from 4.0.1 to 4.0.2
• 93d74a6: bump peter-evans/create-pull-request from 3.14.0 to 4.0.1
• 2df3f9f: bump actions/cache from 2 to 3.0.1

Chore

• 1d16410: v1.4.0 changelog bump

Claircore

• 635aab5: use tarfs and expand Reader return

Contrib

• 8072112: Add Release Alpine 3.16 Alpine 3.16 is not supported yet

Defaults

• 5f92e96: update defaults
• 44117e6: update defaults

Dockerfile

• 6d3940b: add quay dockerfile tests

Dpkg

• 604fd61: use tarfs in scanner

Go.Mod

• c28a174: update minimum go version

Indexer

• 5994349: fix indexer deduplication

Java

• 00e2239: use tarfs in scanners

Libindex

• 44aeb93: fix pool DSN parameter handling
• d12ada0: update defaults

Libvuln

• 6243056: fix pool DSN parameter handling

Matcher

• 4590fd6: fail vuln report on matcher error
  • Fixes #593

Osrelease

• 559487d: use tarfs in scanner
• d51f97d: export Parse function

Osv

• 6a1787e: removed trailing dot in file path
  • #619
• 3e15a4a: osv updater

Periodic

• 2f7d621: add package for periodic tests

Pkgconfig

• cf2a86a: use tarfs in scanner

Postgres

• 4655883: update metrics on GetEnrichment

Python

• 865069f: use tarfs in scanners

Rhcc

• 839adc6: add machinery for the Red Hat Container Catalog
  • #513

Rhctag

• aaa4de6: add package for Red Hat Container versions

Rhel

• c38558a: normalize serverity to all-lower strings
• 8f021ab: use tarfs in scanner

Rpm

• b2d722e: tarfs todo

Tarfs

• 361a2ca: package for implementing fs.FS over a tar

Ubuntu

• ec67a8f: update releaseToDist to correct cosmic error (#600)
  • #600

v1.3.2 - 2022-03-21

Alpine

• 051b3c7: Ignore any vulns that have 0 as the fixed_in_version (#581)
  • #581
• 99dec48: check validator on 200 response

Build(Deps)

• 171469d: bump peter-evans/create-pull-request from 3.12.1 to 3.14.0
• 907037e: bump actions/checkout from 2 to 3

Chore

• acf65f9: v1.3.2 changelog bump

Ci

• 12fa580: remember to log into quay.io
• 353e1f9: don't fail job when there's nothing to do
• f48ae57: fix version checker script
• 55db234: update main ci workflow
• cab09db: update base image builder machinery

Crda

• 108d9f5: Stop using the Client Clair instanciates (#583)
  • #583

Cvss

• 11fd04f: fix vet errors, lints

Debian

• 3a7988d: check validator on 200 response

Dockerfile

• 0dcf0c7: support invalid label syntax

Etc

• 02ca493: update Dockerfile and Makefile

Jar

• e5bb400: use textproto in place of mail

Ovalutil

• 00acbb5: check validator on 200 response

Pyupio

• cd8aa81: check validator on 200 response

Rhel

• 243f329: check validator on 200 response

Ubuntu

• c8ee8b9: check validator on 200 response

v1.3.1 - 2022-02-21

Chore

• 5d254d8: v1.3.1 changelog bump

Enrichment

• f91fd65: Optimize the way enrichments are queried (#570)
  • #570

v1.3.0 - 2022-02-16

All

• 8ca8736: update zlog and otel

Build(Deps)

• 8f79866: bump peter-evans/create-pull-request from 3.12.0 to 3.12.1

Chore

• 6ec7ec5: v1.3.0 changelog bump

Controller

• b6fd709: fix mocks

Crda

• 790cf86: remove default key
• c1bbfa2: fix invalid test name

Debian

• df34db7: split OVAL feed into binary packages (#550)
  • #550

Docs

• 33c7142: fix test in compiled docs
• 20c31c9: update README
• 8cfac96: add test for linked pages
• 4d8902a: update any code or documentation samples

Fastesturl

• 4e27f1f: remove unused package

Go.Mod

• 23537ab: update dependencies
• a10db52: update gomock

Integration

• b533b20: move code snippets to examples

Layerscanner

• 2b212f8: fix mocks

Libindex

• 168989d: fix integration test
• df1115a: add pgxpool metrics
• b2eca12: fix file access race
• 34a38fd: treat ConnString same as libvuln
• 2176bcc: add example from README
• ea826b7: remove requirement on Opts.ConnString

Libvuln

• edafd21: fix leaked lock manager
• 2f312f0: add pgxpool metrics
• 6b82f45: add example from README
• 2ec1818: remove requirement on Opts.ConnString

Mock/Driver

• a969bc1: move Matcher mock to dedicated package

Mock/Indexer

• 305da17: use dedicated mocks package
• d305501: move indexer mocks to dedicated package

Mock/Vulnstore

• 61c2335: move Store mock to dedicated package

Poolstats

• a1eaf2c: add package for collecting pgx pool stats

Rhel

• 03f3190: tolerate invalid CPEs

v1.2.0 - 2022-01-14

Build(Deps)

• 9fbff76: bump peter-evans/create-pull-request from 3.11.0 to 3.12.0

Chore

• 48444ec: v1.2.0 changelog bump

Dockerfile

• 397136f: add some fuzz testing
• 5d08565: handle comments correctly
• 467ad76: extend test harness

GC

• 1123788: Do query execution all in one rather than separate (#517)
  • #517

Go.Mod

• 2aac174: update minimum go version

Jar

• 3ce352a: fix text harness

Libindex

• f53a08f: set postgres application name
• d390f79: expose DeleteManifests method

Libvuln

• 58abf35: set postgres application name
• 5b95f97: print documentation links with matcher names

Migrations

• 08db7b9: add foreign key cascade constraints

Postgres

• 78448fa: add DeleteManifests method
• 8af4a24: add metric lint test
• 937155c: add digest helper
• da6d413: add some prometheus helpers
• 3575d9c: fix typo

v1.1.6 - 2021-12-07

Chore

• 8332795: v1.1.6 changelog bump

Dockerfile

• 8b5a73d: handle whitespace runs correctly
  • #526

Ubuntu

• 00537e5: updater log evaluation bug (#537)
  • #537

v1.1.5 - 2021-12-07

Chore

• 62a6547: v1.1.5 changelog bump

Crda

• d9e2950: fix typo (#534)
  • #534

v1.1.4 - 2021-12-07

Alpine

• 84ab16a: Add Release 3.15 (#524)
  • #524

Aws

• 1075235: use CharsetReader

Chore

• c52e0e0: v1.1.4 changelog bump

Debian

• 87ca1ab: use CharsetReader

Jar

• 5542f5a: Deal with non-sane manifests without erroring (#523)
  • #523

Java

• fc125c3: account for zip reporting file with bad format (#528)
  • #528

Libvuln

• 90b2e7d: log the names of all the configured matchers (#529)
  • #529

Oracle

• 43d5cba: use CharsetReader

Pep440

• 781e346: deal with invalid version (#530)
  • #530

Photon

• f89a444: use CharsetReader

Rhel

• a207cf5: fix error on old containers
• 605ee51: use CharsetReader

Suse

• d1a4d06: use CharsetReader

Ubuntu

• 5dc4edf: use CharsetReader

Xmlutil

• a27a18b: add package for XML helpers

v1.1.3 - 2021-11-19

Chore

• 9f26d7f: v1.1.3 changelog bump
• 8cc7c71: update changelog config

Cpe

• 5f2731f: code simplifications
• 5582bca: add dictionary test

Dockerfile

• ff6f74c: update GetLabel test
• d841f1a: fix quote confusion

Jar

• c37acbc: handle archives with invalid filesystem semantics

Test

• 2fa9642: sort comparison inputs

v1.1.2 - 2021-11-05

Build(Deps)

• c81b37a: bump peaceiris/actions-gh-pages from 2 to 3.8.0
• a401058: bump peter-evans/create-pull-request from 3.5.1 to 3.11.0

Chore

• 77a443e: v1.1.2 changelog bump

Cicd

• fa1f877: switch gh-pages action to use default token
• 44bbd6a: update documentation arguments
• 1a85242: fix changelog template
  • #446
• 752df85: update release workflows for branch, tag changes

Crda

• 8d90253: simplifications, formatting, and typos
• edd435b: update defaults
• 659db9f: updated remote-matcher
• f319d74: revert "crda: remove matcher"

Dockerfile

• e0a2bac: fix terminal expansion with too-small destination

v1.1.1 - 2021-10-28

Chore

• 2843d93: v1.1.1 changelog bump

Cicd

• 3e7043f: add caches for testdata, modules, and builds

Debian

• 77080de: add bullseye (#483)
  • #483

Dockerfile

• b658fdf: add a low-dependency Dockerfile parser

Dpkg

• c8a6e7f: test status file directly
• 0977b3e: remove bufio.Scanner usage

Jar

• eb85f0b: parse any archive in test
• 846c076: handle manifests with multiple sections
• f33c1fc: add Parse test to help debugging

Java

• 43703c7: properly handle embedded jars
• b44ca85: don't error for known classes of failures
  • #484

Rhel

• 505f2fc: replace docker-slim with local parser
• ce8b5b4: remove unconditional log
• c0a18d6: update comments (#486)
  • #486

Ubuntu

• e25f7d4: add impish (#491)
  • #491

v1.1.0 - 2021-09-28

v1.1.0-rc.1 - 2021-09-28

Alpine

• 94dd31b: add 0 check in fixed_in_version
• 945cdf5: add new releases

Gc

• 056d5e7: add foreign key ON DELETE CASCADES to uo_enrich table (#470)
  • #470

Jar

• 088772a: add jar metadata parser

Java

• 2b9423d: move to internal jar package

Libindex

• c0a71c6: recognize application/x-gzip content-type
• 4836df6: new fetcher implementation

Rpm

• 691f202: prevent directory traversal when extracting
• dab4e19: examine file for BDB magic numbers
• 64f6249: handle cross-layer hardlinks when extracting

v1.1.0-rc.0 - 2021-09-02

Build(Deps)

• 8ba0561: bump github.com/ulikunitz/xz from 0.5.7 to 0.5.8

Cctool

• dd069ae: LockSource name change

Chore

• ac4abbe: update go versions (#461)
  • #461
• 6b1fa87: Improve check for go versions (#462)
  • #462

Cicd

• 4647949: release golang Docker image for linux/arm64

Controller

• 1ed79c6: cleanups
• 02bd118: add retry
• 45c3b0d: wrap all returned errors
• 4953c27: misc cleanups
• 8f1d055: remove Lock/Unlock functions

Ctxlock

• 8d77280: context based locks

Debian

• 68a646f: update matcher test

Distlock

• 56166c3: remove package

Dpkg

• bba58a3: update identification method of dpkg DB dir (#456)
  • #456

Fetcher

• 3e873a3: use security data from access.redhat.com instead of www.redhat.com (#458)
  • #458

Indexer

• 5a27c1f: remove ScanLock member

Integration

• 82b8f7c: multiple OS support

Java

• a7380b8: don't attempt to read too-small files
• a8949df: bump scanner version
  • #435
• 008aa23: check magic number
  • Closes #434

Layerscanner

• a2899c5: log returned errors with scanner

Libindex

• 9115ee0: use new controller and ctxlock APIs

Libvuln

• ec85f4c: switch to ctxlock API

Postgres

• fa7d23e: update gc test
• b68fdf8: add timeouts around database operations
• 9217a95: use wrap formatting verb

Rhel

• 94a6da0: update matcher test

Rpm

• a056e57: check tar error return
• 5528de0: normalize link target
• 3c2fafc: remove tar(1) call
  • #436
• 636b243: special-case symlinks
• 0a00be2: eagerly change directory permissions

Scripts

• 0d7ac64: check in a prepare-release script

Updates

• 896fd8a: remove distlock-like API

Vulnstore

• 5abfb9e: update mock

v0.5.5 - 2021-09-28

Chore

• 0e113c3: v0.5.5 changelog bump

Gc

• 3defe60: add foreign key ON DELETE CASCADES to uo_enrich table (#470) (#477)
  • #470
  • #477

Rpm

• ed5f52a: prevent directory traversal when extracting
  • #478
• 95f60b3: handle cross-layer hardlinks when extracting (#475)
  • #475
  • #465

v0.5.4 - 2021-08-17

Chore

• d3590dd: v0.5.4 changelog bump

Rpm

• c7c28fa: normalize link target
  • #447

v0.5.3 - 2021-08-16

Chore

• d4a3e8c: v0.5.3 changelog bump

Java

• e6ea56f: bump scanner version
  • #435
  • #438
• 2cd8c17: check magic number
  • #435

Rpm

• 4455559: remove tar(1) call
  • #437

v0.5.2 - 2021-08-10

Chore

• b8224c7: v0.5.2 changelog bump

Rpm

• cca9933: special-case symlinks
• 3060f8b: eagerly change directory permissions

v0.5.1 - 2021-07-27

Chore

• 38656e0: v0.5.1 changelog bump

Integration

• 81f8501: multiple OS support
  • #418

v0.5.0 - 2021-07-15

All

• 67c0791: use GOMAXPROCS instead of NumCPU
• f7b23aa: switch CODEOWNERS to use clair team
• 6bd0386: remove jzelinskie from CODEOWNERS

Chore

• bbafc5c: v0.5.0 changelog bump

Claircore

• 68e107a: add Enrichments to VulnerabilityReport

Crda

• 7d5927a: remove matcher

Cvss

• 9dd8d38: CVSS enricher

Defaults

• 40282ac: add cvss

Dpkg

• 16993db: replace go-dpkg dependency
• f7a2925: fix path handling
  • #381
  • Closes #381

Driver

• ed3a555: add enrichment types and interfaces

Fetcher

• 2f1b61d: include response body in error message for non-200 repsonses

Indexer

• f36da9f: avoid creating a new db pool for the locks

Integration

• b2eae4e: use embedded postgres

Introspection

• 3f72eb7: add scanned_before metrics

Java

• dac6715: ignore whiteout files

Jsonblob

• dbd56bb: implement enricher methods

Libindex

• 526e1ba: use new DB testing harness
• d7cea80: fix manifest_index unique constraint

Libvuln

• 391adac: add Enrichment API surface

Makefile

• 2a3634d: update in light of test DB changes

Matcher

• 574497a: add Enrichment support

Postgres

• dbaa2f7: fix query in GetLatestUpdateRefs
• 0db5101: implement enricher methods
• 7b4475f: use new DB testing harness
• e364e13: use new DB testing harness

Rhel

• 80a2826: use new DB testing harness

Updater

• 3de9f4d: remove obsolete package

Updates

• aaea5ba: run enrichment updaters

Vulnstore

• bec40e2: add enrichment interfaces

v0.4.8 - 2021-09-28

Chore

• e9fb1c3: v0.4.8 changelog bump

Gc

• 9682889: add foreign key ON DELETE CASCADES to uo_enrich table (#470) (#476)
  • #470
  • #476

Rpm

• dff671c: prevent directory traversal when extracting
  • #478
• a6e9b97: handle cross-layer hardlinks when extracting (#474)
  • #474
  • #465

v0.4.7 - 2021-08-17

Chore

• 7410a33: v0.4.7 changelog bump

Rpm

• 950d9dd: normalize link target
  • #477

v0.4.6 - 2021-08-16

Chore

• c2cd4fa: v0.4.6 changelog bump

Java

• a6669db: bump scanner version
  • #438
  • #435
• be81768: check magic number
  • #435
• c64d05c: ignore whiteout files
  • #409

Rpm

• 2f652f8: remove tar(1) call
  • #437

v0.4.5 - 2021-08-10

Chore

• 9793200: v0.4.5 changelog bump

Rpm

• a00ddef: special-case symlinks

v0.4.4 - 2021-08-06

Chore

• ce6c994: v0.4.4 changelog bump

Indexer

• 302384b: avoid creating a new db pool for the locks
  • #408

Rpm

• 9b1d1e3: eagerly change directory permissions

v0.4.3 - 2021-06-15

Chore

• 3d4a413: v0.4.3 changelog bump

Crda

• fe112d7: remove matcher

Dpkg

• 11837c4: fix path handling
  • #381
  • #402

Libindex

• c809930: fix manifest_index unique constraint

v0.4.2 - 2021-05-11

Alpine

• f92e1be: implement driver.Configurable

Aws

• 4738610: add http.Client configurability

Chore

• 51f6ca5: v0.4.2 changelog bump

Cicd

• fe6cb92: use golang major version tag for dev env
• 0a04053: use quay.io/projectquay/golang image
• d62b5ad: add golang-image workflow

Crda

• 5146d8c: implement driver.MatcherConfigurable

Debian

• 3d2d700: implement driver.Configurable

Enrichments

• 9a3b349: datamodel updates

Fetcher

• cd6b7fa: remove DefaultClient usage

Jsonblob

• bd2487d: fix copyops

Libindex

• eec427f: use configurable http.Client

Libvuln

• 34de61e: add warn logs when not providing an http.Client

Libvulnhttp

• ef4ee5c: add HTTP client debugging flag

Matchers

• 07fcc40: require http.Client

Oracle

• de18d67: add assertion for Configurable interface

Ovalutil

• d3106a3: implement driver.Configurable

Photon

• 28341b9: add assertion for Configurable interface

Pyupio

• 2cf6a9e: implement driver.Configurable

Registry

• 891a6df: require http.Client

Rhel

• 5c873b4: add assertion for Configurable interface
• 2112153: pass Client through Factory
• ad16c39: make repo2cpe mapping a work stealing scheme

Suse

• 0039063: add assertion for Configurable interface

Ubuntu

• 2976e93: implement driver.Configurable

Updater

• 9145453: report error on nil *http.Client
• ece3005: call Configure method if present

Updates

• 59bec1f: call Configure method if present
• de4be78: drop updater when configuration fails
• 9bc81ca: consolidate update logic
• 9ade4e1: add LockSource interface

Vulnstore

• e9cd964: fix getting update operation diff
• bfafd2f: enrichment migration

v0.4.1 - 2021-05-04

All

• def957b: return empty byte slices from MarshalText

Chore

• 990cd41: v0.4.1 changelog bump

Cicd

• b764338: remove chglog fork

Crda

• 1405b57: use bulk API in remotematcher

Indexer

• 905d6f3: Implement package indexer for maven
  • Fixes #236

Introspection

• 9ecfbb0: Fix a typo in the query label for the distributionbylayer metric

Libindex

• 5877dc1: set concurrency number
• 254c094: AffectedManifests to be bounded

Matcher

• 78f069b: add ability to return multiple matchers from same type

Testing

• bb26dab: add unittest
• d6d7e8e: maxConns to 10

v0.4.0 - 2021-04-05

Chore

• f56014b: v0.4.0 changelog bump

Cicd

• ab1208b: update doc building to main

Docs

• 99d6eff: note default updater URLs

Introspection

• 880166b: datastore metrics

Python

• 24aad97: force re-fetch/parse
• 1f881b5: update package scanner version

Rhel

• 8cc2823: discard unaffected vulnerabilities
• ddd2621: treat vulns without FixedInVersion as unfixed

v0.3.3 - 2021-03-18

Chore

• 278fd77: v0.3.3 changelog bump

Cicd

• 6e26297: fix release failure

v0.3.2 - 2021-03-18

Chore

• 280bf2b: v0.3.2 changelog bump
• d3ac00e: release quay.io/claircore/golang:1.16
• bfb37f0: update comments in distribution scanners

Cicd

• 7d55319: sort changelog by semver
• eae2b15: bump out go1.14 and bump in go1.16
• d9f28c4: gh action echo branch
• 6efb496: fix gh action script
• 67fa955: filter tags for stable branch releases

Fetcher

• a30c62d: relax allowable gzip types
  • Closes #303

Fix

• 892ba0c: comments and docs
• 7b054c2: provide a way for default and out-of-tree matchers

Indexer

• 47b877a: regen indexer test data

Libindex

• f49cea5: remove annoying log

Matcherfactory

• 25dd763: fix typos in comments

Matchers

• 14bc1d2: add factory pattern

Python

• 2cef538: move to traditional mapping

Rhel

• 5eba440: fix cpe mapping type assertion

Vulnstore

• aa46c6b: update-diff optimize
• 7856456: chunked vuln cleanup

v0.3.1 - 2021-02-11

Chore

• e5743e3: v0.3.1 changelog bump

Libindex

• 2cf7d4a: limit MaxConns in controller pool to 1

v0.3.0 - 2021-02-05

Chore

• 533316c: v0.3.0 changelog bump

Cicd

• 1d47ccd: fix release notes

Docs

• 480dcf7: various doc fixups

Libvuln

• b0ba2f2: rework constuctor

Remotematcher

• b95d984: Implement RemoteMatcher for CRDA

Severity-Mapping

• fc1aa30: remove defcon1 severity

Updates

• 966de96: perform implicit run

Vulnstore

• 20a4437: fix gc live lock
• 1f4717f: add Initialized method

v0.2.0 - 2021-01-19

All

• 3a4e3d3: logging switch

Alpine

• f639452: fix typo of ecosystem

Aws

• 1cdf08c: test cleanup

Cctool

• 826aacb: copy loop variable

Chore

• 4fac8b5: v0.2.0 changelog bump

Cicd

• e749f3b: drop go1.13 support
• 733d8f1: use quay.io/claircore/golang in CI

Claircore

• 316fc25: lint test names

Controller

• e36877c: test cleanup

Debian

• 31956a9: test cleanup

Fastesturl

• cd55757: use Cleanup method in tests

Fetch

• 5ac709b: turn layer fetcher into a generic fetcher

Go.Mod

• eed4aaa: remove testify dependency

Go.Sum

• 11df716: clean sum database

Indexer

• 313c8c4: filter scanners during manifest check

Layerscanner

• 4695c34: test cleanup
• 0615a7b: return unused error

Libindex

• ddb6b59: remove sqlx
• bf73eb8: return pointer to AffectedManifests

Libvulnhttp

• f31eec7: add DisableBackgroundUpdates config option

Linux

• 8bb87e2: lint test name

Misc

• 4840e07: go vet fixes

Photon

• e6e2310: add normalized severity

Postgres

• a1519ae: test cleanup
• f865df5: lint test name
• bb8324d: check subtest return instead of closure
• 46d391e: use Cleanup in tests
• b3d19dd: use Cleanup in tests
• 8017e85: remove distlock sqlx implementation
• e19e115: remove test harness sqlx usage
• d84781f: remove indexer sqlx usage
• 947e853: remove unused file
• 0cc6579: fix update_operation response

Rhel

• b7a279c: lint test names

Updaters

• 886d62b: fix WithEnabled option
• 5385f5d: consolidate into manager

Vulnstore

• 77df2c7: implement active gc

v0.1.26 - 2021-06-15

Chore

• 1e14a8c: v0.1.26 changelog bump

Cicd

• 88527c0: remove chglog fork

Dpkg

• 6d2134e: fix path handling
  • #381
  • #402

Libindex

• a217608: fix manifest_index unique constraint

Vulnstore

• 32c55bd: enrichment migration

v0.1.25 - 2021-04-16

Chore

• 6f7bc34: v0.1.25 changelog bump

Cicd

• 9ba3cdc: use git-chglog fork to sort by semver
• aaab793: sort changelog by semver

Indexer

• ed50b6a: filter scanners during manifest check

v0.1.24 - 2021-03-25

Chore

• 8060abe: v0.1.24 changelog bump

Libvuln

• 0823927: sync migrations with upstream

Python

• da6e417: force re-fetch/parse
• e5e767b: update package scanner version
  • #348

v0.1.23 - 2021-03-11

Chore

• 8ec6001: v0.1.23 changelog bump

Cicd

• 62575fd: bump out go1.14 and bump in go1.16

Fetcher

• fef216a: relax allowable gzip types
  • Closes #303

Indexer

• 6bf358b: regen indexer test data

Python

• 763ccdc: move to traditional mapping

v0.1.22 - 2021-02-12

Chore

• a9c9919: v0.1.22 changelog bump

Cicd

• d493b6f: fix release notes

v0.1.21 - 2021-02-12

Chore

• bf12f91: v0.1.21 changelog bump

Rhel

• 17a73b5: fix cpe mapping type assertion

Reverts

• cicd: use CI golang image from quay.io

v0.1.20 - 2020-12-11

Alpine

• 98d3828: switch to JSON security DB

Chore

• 2313419: v0.1.20 changelog bump

Cicd

• 97fa28b: use CI golang image from quay.io

Docs

• 00d4fcc: fix couple typos in libvuln_usage.md

Rhel

• baff663: ignore rhel-7-alt OVAL stream

v0.1.19 - 2020-12-03

Chore

• cfa74e1: v0.1.19 changelog bump

Docs

• e2eeae0: indexer data model

Dpkg

• 8025828: add checks to discovered paths

Indexer

• f493a89: utilize migration for data model refactor
• 65aced8: e2e with multiple scanners
• f31ca4c: database refactor

v0.1.18 - 2020-12-02

Chore

• 2dc2e58: v0.1.18 changelog bump

Cicd

• e80d4c7: bump create pull request action

Oval

• b6f61ac: rpm and dpkg parser updates

v0.1.17 - 2020-11-30

Chore

• 6ffe592: v0.1.17 changelog bump

Cicd

• efbc55b: github actions set-env fix

v0.1.16 - 2020-11-25

Chore

• c07b9dc: v0.1.16 changelog bump

Documentation

• 268b037: indexer state diagram update

Ovaldebug

• 6986794: add tool for testing parsing of OVAL

Ovalutil

• aa1927a: fix dpkg "name caching" bug
• f9dea3a: update vulnerability heuristic

Ubuntu

• 6d61f87: attempt to add normalized severity

Updater

• 378deef: remove updater diff limit (#265)
  • #265

v0.1.15 - 2020-11-02

Alpine

• 16f63d4: use new versions, upstream databases
• e1f3e1f: add new versions
• c4367d5: fix yaml tag

Chore

• 266a577: v0.1.15 changelog bump

Etc

• 94aa5f0: update podman yaml

Matcher

• 9b9c113: add apk specific version parser for alpine
  • #254

v0.1.14 - 2020-10-26

Rpm

• 04cb53c: fix error handling in WalkFunc

v0.1.13 - 2020-10-19

Chore

• b194f51: v0.1.13 changelog bump

Pyupio

• 6569e25: handle database schema change

v0.1.12 - 2020-10-19

Chore

• fc45b99: v0.1.12 changelog bump

Updaters

• 1fd140d: do not kill loop on error

v0.1.11 - 2020-10-08

Chore

• a8dd1cd: v0.1.11 changelog bump

Cicd

• 9b7d461: copy some changes from clair's CI workflows

Oval

• f33a45d: check lookup type (#244)
  • #244

Repo2cpe

• eec2473: add errorchecking

v0.1.10 - 2020-10-01

Affected Manifests

• f8f0ff2: Use mather's Filter() in omnimatcher
• aebd3a8: Add missing properties into affected manifest query

Chore

• 9ba63f8: v0.1.10 changelog bump

Cicd

• d118d98: force no flags for regexp commit check

Postgres

• 2df1697: remove warning in common case

Updater

• c6b1bc9: use pointer receiver for errmap methods

v0.1.9 - 2020-09-28

Chore

• 1ecb4be: v0.1.9 changelog bump

Layerscanner

• 4a1b872: prevent misleading log line

Vulnstore

• 6295f37: limit diffs

v0.1.8 - 2020-09-23

Chore

• ce4f428: v0.1.8 changelog bump

Cicd

• 1566fc5: fix commit check regexp

Makefile

• 1d9b607: handle SELinux permissions for volume in docker-compose

Rpm

• d75ba4c: wait til command is finished
• 3008cba: Reduce database file to Packages

v0.1.7 - 2020-09-15

Chore

• 123b812: v0.1.7 changelog bump

RHEL

• f4d10b5: Use last-modified to cache data

v0.1.6 - 2020-09-11

Chore

• 8c8cb3b: v0.1.6 changelog bump

Cicd

• ff6af2a: new release and change log process
• 40c7a28: new release and change log process

Postgres

• ff884b7: manage the number of update_operations

v0.1.5 - 2020-09-11

Testing

• 40861cf: bump golang 1.15 local dev

v0.1.4 - 2020-09-10

Goval

• 6f3dbd5: bump goval for ubuntu date fix

v0.1.3 - 2020-09-03

Coalescer

• ee37a8f: refactor of the linux coalescer

Docs

• 4b3bc5b: prose pr fixes
• b92a4cc: rework md book

v0.1.2 - 2020-09-02

Rhel

• 9e3dfee: fix config struct tag

v0.1.1 - 2020-08-26

Cctool

• 2bb0b31: use updater defaults

Libvuln

• 823ffdc: use updater defaults
• c89c59a: re-add matchers that got lost somehow
• 104c5f3: add OfflineImport function

Libvulnhttp

• fc85f57: call new defaults register function

Updater

• 006f540: set up an updater registry and defaults

v0.1.0 - 2020-08-11

Add

• f31f160: Oval operation/arch matcher

Alpine

• 736017c: use etag instead of date

Arch Op

• 6b9c72f: turn into string, implement pattern match

Aws

• 1b6b49a: use manifest checksum

Cctool

• cd8b332: add offline update subcommands

Debian

• e2dcbf9: fix conditional fetch

Distlock

• 24c305f: implement interface over pgxpool

Driver

• 3f4d56f: add Configurable interface

Jsonblob

• 92f3904: add database impostor package

Libvuln

• 568096b: refactor updater execution
• f7426b2: use new Configurable interfaces
• b9b5dec: use Executor + UpdateSetFactory

Log

• 900f3bb: one more attempt at race squashing

Matcher

• d51d4c3: Introduce Remote Matcher interface (#202)
  • #202

Osrelease

• ea0ef68: fix integration test

Ovalutil

• 6309553: don't record Date in fingerprint if Etag is present
• c84d73c: use modified and etag conditional requests
• bf06dd5: handle "exists" tests better

Postgres

• 4e8df71: split vulnerability creation into two statements
• 27359db: remove sqlx usage

Pyupio

• 096bed5: use etag

Rhel

• bc4a6f7: add configuration and manifest caching
• c3bada8: handle empty cpes
• 65fae38: use pulp factory

Ubuntu

• d30bf1e: fix conditional fetch
• c9b6274: new updater framework

Updater

• ea1a99a: add Controller and offline implementation

v0.0.25 - 2020-06-08

Updatediffs

• a7fce3e: fix broken query

v0.0.24 - 2020-06-01

v0.0.23 - 2020-05-26

Aws

• 79bad1e: ensure Close call gets to underlying File

Cpe

• ef7ce23: use a structured type for CPEs

Etc

• 4e73b31: podman yaml needs volume flag

Fastesturl

• 59f5f98: flaky test hunting

Indexer

• 11b4676: add Configurable interface

Libindex

• ac10351: use new Configurable interfaces

Ubuntu

• 92a7a15: remove unused variables

v0.0.22 - 2020-05-01

Claircore

• d04ad4c: make Severity a proper enum

Docs

• b5d84c0: mention pyupio updater

Makefile

• 373f1cd: use podman play for podman env

v0.0.21 - 2020-04-30

Postgres

• 7f42a18: defer after checking error

v0.0.20 - 2020-04-17

v0.0.19 - 2020-04-03

Migrations

• e76ed28: improve extension error reporting

v0.0.18 - 2020-03-12

Fastesturl

• 859a311: deflake the test

Integration

• 7a30aaa: load uuid-ossp before dropping privileges

Libvuln

• 486e6a6: use new Updater interface

Migrations

• a6aaa82: rewrite schema to be operation-based

Pkgconfig

• e784bd8: add pkg-config scanner

Postgres

• e3fa032: implement new Updater interface

Reduce

• 1010855: pass all instances of a layer to be fetched to the fetcher

Updater

• 41860d4: use new Updater interface

Vulnstore

• 3873d45: update Updater interface

v0.0.17 - 2020-03-05

v0.0.16 - 2020-02-28

Alpine

• e800a02: don't choke on very large package entries

Cctool

• ae4be45: dump vulnerability report with dump flag

Claircore

• c99a5c8: add Version and Range types

Controller

• f6587f8: record manifest before using in logger

Driver

• e2d3d34: add optional interface for database filtering

Fetcher

• ee72da6: handle servers returning binary/octect-stream

Indexer, Vulnstore

• 062bf90: use version and range in the database
• f8d17dc: database connection correctness

Libindex

• 655312e: add python to defaults

Libvuln

• 4e038fb: add python to defaults

Makefile

• 116d63f: use variables in podman targets

Matcher

• b72885d: use db filtering in controller

Migrations

• a5b9f0d: add version representation to database

Pep440

• 4436de2: add package supporting PEP-440 versioning

Python

• 3f6abba: add python package scanner

Pyupio

• 1ada901: add pyup.io updater

Rhel

• ad81962: check before dereferencing record.Distribution

Rpm

• 75ef273: don't extract whiteout files

Test

• b9c767b: add common package scanner machinery

v0.0.15 - 2020-03-03

Ovalutil

• a57487f: correctness fixes

v0.0.14 - 2020-02-10

All

• f47acf1: unify digest representation
  • closes #113
• f2dcacc: logging consistency pass

Cctool

• 2b3bb44: add "manifest" subcommand

Docs

• dbd6ba2: use mdBook config file instead of weird symlinks

Feat

• 2030a92: add jUnit reports to cctool

Postgres

• 1bec5c9: retrieve updater informaition

v0.0.13 - 2020-01-15

All

• 7d6e79b: use bigserials in the database

Cctool

• 8c1e827: update with datastructure changes and index call semantics

Libindex

• 064e0f6: add location header

Libvuln

• 09b75dd: propagate initilization context

Makefile

• 94b70f2: add mdbook target

Postgres

• 932cece: remove use of context.Background
• e453f95: discard vulnerabilites with no package
• cbf05ac: discard empty-named packages

v0.0.12 - 2020-01-10

v0.0.11 - 2020-01-09

v0.0.10 - 2020-01-08

All

• f7791a0: remove context.Background usage in test

Cctool

• c7918bf: generate storage URLs based on registry manifest

Etc

• 501f4dd: update Dockerfile (#92)
  • #92

Fetcher

• 1a04296: flush buffer to disk

Libindex

• 8a5a18a: add state endpoint and merge http handler
• 5195457: add State method

Libindexhttp

• 38bfe2d: propigate context from main

Log

• 8788c7d: bound log prints to a Context

Osrelease

• bb74bc1: don't unconditionally defer

Postrges

• 4c9b86f: fix test copy-paste errors

v0.0.9 - 2019-12-10

v0.0.8 - 2019-12-10

All

• 57ffc13: regroup imports consistently

Cctool

• 250d8da: add a tool for interacting with claircore directly

Claircore

• 60789e7: add annotations to generate slighty smaller json

Libvuln

• 9ae9ed9: add rpm matcher to defaults

Libvulnhttp

• dff4316: wire in additional debugging logs

Makefile

• a8bf8be: have podman remove volumes

Osrelease

• d5cfb06: add RHEL-alike hack
• 8bd23ff: add logging statements

Osrelease, Ovalutil

• cec88d1: normalize CPEs

Ovalutil

• e650898: add cpe information to packages

Postgres

• 37fccbb: use different names for different prepared statements
• 1e8c519: handle driver.Package(Source)Name arguments
• 5db1ffe: check query builder error

Rhel

• 99a2379: add matcher test
• 7087457: add matcher

Rpm

• e4cd783: prevent infinite loop on read error
• 383e108: fix package scanner test

Test

• e894054: add disk-based updater

v0.0.7 - 2019-12-02

v0.0.6 - 2019-11-27

Fetcher

• 0c4072c: check error before defer

Rpm

• 6fc8d83: exclude dev directory

v0.0.5 - 2019-11-19

v0.0.4 - 2019-11-15

All

• 6583cf2: add license and dco
• d55da4c: remove use of "log" package

Claircore

• 50d7a96: bump goval-parser version

Integration

• 01ea77c: add database test harness

Ovalutil

• d4cc8d0: attach detected dist to vulns

Updater

• 13ce92c: use blocking call

v0.0.3 - 2019-10-04

Go.Mod

• 267126b: update goval-parser version

Oracle

• 8f38e72: rework to year-wise databases

Ovalutil

• fa5ca19: rename oval package and add common rpminfo functions

Postgres

• f5c130a: db batch fix

Suse

• c03f5a1: add suse updater

v0.0.2 - 2019-10-03

Amazon

• 2938b67: add amazon updater

Oracle

• 7d434c4: add Oracle Linux oval updater

v0.0.1 - 2019-09-30

All

• bf7f5a3: move to pgx/v4

Distlock/Postgres

• d362b3e: convert key to int64
• b290260: hash input key

Driver

• bce0ecf: create libvuln/driver package

Integration

• ebc1eea: add test/integration package

Makefile

• a29d899: have docker-compose populate and use a vendor directory
• b97b97e: have podman targets populate and use a vendor directory
• 480d4e5: add some podman

Rhel

• 41f947f: add rhel vulnerability updater

Scanner

• 303150c: add missed contexts

Updater

• 62abdfa: don't expect to call Close on error paths

Vendor

• cbd3610: remove vendor folder

Vulnstore

• 4c53d16: add context.Context to interfaces

Pull Requests

• Merge pull request #28 from quay/louis/dist-lock-fix
• Merge pull request #27 from quay/louis/unique-constraint-fix
• Merge pull request #9 from quay/docker-compose
• Merge pull request #12 from quay/code-owners
• Merge pull request #6 from quay/debian-support
• Merge pull request #5 from quay/scanner-data-model-docs
• Merge pull request #3 from quay/documentation