0.1.0-alpha.23
Pre-release
Pre-release
github-actions
released this
14 Nov 13:04
·
40 commits
to main
since this release
Changelog
v0.1.0-alpha.23 (2024-11-14)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starting up (88ec8da), closes #355
- use correct env-vars for storage settings (a93be47)
- update cve to fix some parsing errors (d46683a)
- directly pass sha256 digest, parsing it misses the perfix (feba99a)
- client ids need to split by comma when coming from the env-var (08c1402)
- update embedded oidc to support refresh tokens (f01dcc5)
- push multi-arch image (d90dae0)
- allow swaggerui to redirect (1bb1ca1)
- ingest scores when loading CSAF docs (4719406), closes #278