Releases: trustification/trustify
Releases · trustification/trustify
0.1.1
Changelog
v0.1.1 (2024-12-20)
Features
- allow disabling the request logging (720b939)
- allow start year and years filtering for osv (de9b8b3)
- reimplament vulnerability endpoint logic and api so we can retrieve purls
for affected sboms (7982498)
Fixes
- urlencode purl qualifier values in the db (fcd4691)
- use predictable ids for product related entities and additionally speed up
csaf ingestion (8a0085d) - optimize import of product related entities during csaf ingestion (c66d1af)
- improve sbom to vunerabilities correlation both in performance and accuracy
(2e28a33)
0.1.0
Changelog
v0.1.0 (2024-12-12)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- allow processing CDX 1.6 (3c3870f)
- add ingestion time to source documents (f5b9bff)
- find purls for affected packages (1354501)
- allow more postgres database options (0f36466), closes #1000
- provide scores in sbom details response (a3b8e6d)
- correlate vulnerabilties for purls using product statuses (9ee0d13)
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- actually set a default value, instead of
null
(bcf4fc2) - ensure sbom's and adv's can be filtered/sorted by ingested date (b920d63),
closes #1077 - use the ingested column in the sbom query (606f596), closes #1077
- report 500 in case of storage errors, align with other errors (ad97b19),
closes #1042 - include json columns in full-text searches (c1330c2)
- enable filtering/sorting on qualified purl json fields (910c378), closes
#888 #951 #972 - use UUID v4 instead of name for the ID of the node (a5a15c1)
- always create "described by" relationships (ddd20e8)
- change name from walker to cli (54df2e4)
- don't check if the bucket exists. (1e9b3e9)
- openapi spec for moved number_of_packages (32ceeab)
- move number_of_packages to SbomHead (186d407), closes #1006
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wr...
0.1.0-alpha.28
Changelog
v0.1.0-alpha.28 (2024-12-06)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- find purls for affected packages (1354501)
- allow more postgres database options (0f36466), closes #1000
- provide scores in sbom details response (a3b8e6d)
- correlate vulnerabilties for purls using product statuses (9ee0d13)
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- use UUID v4 instead of name for the ID of the node (a5a15c1)
- always create "described by" relationships (ddd20e8)
- change name from walker to cli (54df2e4)
- don't check if the bucket exists. (1e9b3e9)
- openapi spec for moved number_of_packages (32ceeab)
- move number_of_packages to SbomHead (186d407), closes #1006
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- ...
0.1.0-alpha.27
Changelog
v0.1.0-alpha.27 (2024-12-05)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- allow more postgres database options (0f36466), closes #1000
- provide scores in sbom details response (a3b8e6d)
- correlate vulnerabilties for purls using product statuses (9ee0d13)
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- roll back the UI update as it fails the build (2570aaf)
- use UUID v4 instead of name for the ID of the node (a5a15c1)
- always create "described by" relationships (ddd20e8)
- change name from walker to cli (54df2e4)
- don't check if the bucket exists. (1e9b3e9)
- openapi spec for moved number_of_packages (32ceeab)
- move number_of_packages to SbomHead (186d407), closes #1006
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too...
0.1.0-alpha.26
Changelog
v0.1.0-alpha.26 (2024-11-28)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- allow more postgres database options (0f36466), closes #1000
- provide scores in sbom details response (a3b8e6d)
- correlate vulnerabilties for purls using product statuses (9ee0d13)
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- change name from walker to cli (54df2e4)
- don't check if the bucket exists. (1e9b3e9)
- openapi spec for moved number_of_packages (32ceeab)
- move number_of_packages to SbomHead (186d407), closes #1006
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domai...
0.1.0-alpha.25
Changelog
v0.1.0-alpha.25 (2024-11-22)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- provide scores in sbom details response (a3b8e6d)
- correlate vulnerabilties for purls using product statuses (9ee0d13)
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- don't check if the bucket exists. (1e9b3e9)
- openapi spec for moved number_of_packages (32ceeab)
- move number_of_packages to SbomHead (186d407), closes #1006
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starti...
0.1.0-alpha.24
Changelog
v0.1.0-alpha.24 (2024-11-21)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- enable custom trust anchors for swagger oidc (96ab4c9)
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- s3 storage config options and encoding case insensitivity (66c20fd)
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starting up (88ec8da), closes #355
- use correct env-vars for storage settings (a93be47)
- update cve to fix some parsing errors (d46683a)
- directly pass sha256 digest, parsing it misses the perfix (feba99a)
- client ids need to split by comma when coming from the env-var (08c1402)
- upda...
0.1.0-alpha.23
Changelog
v0.1.0-alpha.23 (2024-11-14)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- imporve migration to migrate data as well (915982d)
- csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
- provide additional information (9d38b76), closes #962
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- rename component to package (5436509)
- osv: treat
published
as optional (5952f3e) - re-walk all files if the commit cannot be found (1fd508f)
- have a default empty array (d5d9d33)
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starting up (88ec8da), closes #355
- use correct env-vars for storage settings (a93be47)
- update cve to fix some parsing errors (d46683a)
- directly pass sha256 digest, parsing it misses the perfix (feba99a)
- client ids need to split by comma when coming from the env-var (08c1402)
- update embedded oidc to support refresh tokens (f01dcc5)
- push multi-arch image (d90dae0)
- allow swaggerui to redirect (1bb1ca1)
...
0.1.0-alpha.22
Changelog
v0.1.0-alpha.22 (2024-11-07)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- query json columns using dot notation, e.g.
field.key~log4j
(15f52f6) - add a store for user preferences (57006c2)
- add the "reserved" field for vulnerabilities (2654563), closes #964
- allow ignoring missing (404) files when importing (3e51716)
- add size of documents and sbom data license (1164a4f)
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- add missing "number_of_vulnerabilities" field (6d6433c)
- add missing "number of packages" field (538070a)
- we normally use camel case (5fbbd9a)
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starting up (88ec8da), closes #355
- use correct env-vars for storage settings (a93be47)
- update cve to fix some parsing errors (d46683a)
- directly pass sha256 digest, parsing it misses the perfix (feba99a)
- client ids need to split by comma when coming from the env-var (08c1402)
- update embedded oidc to support refresh tokens (f01dcc5)
- push multi-arch image (d90dae0)
- allow swaggerui to redirect (1bb1ca1)
- ingest scores when loading CSAF docs (4719406), closes #278
0.1.0-alpha.21
Changelog
v0.1.0-alpha.21 (2024-10-31)
⚠ BREAKING-CHANGE
- Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.
Features
- enable compression of docs stored on S3 (ab9c056), closes #925
- introduce ability to apply a Query to any random context (d12d942)
- CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
closes #804 - populate cpe_key in organization and product tables (feb9d9f)
- implement optional fs storage compression (10518de)
- create versioned purls from OSV (5d02060)
- add an endpoint to get the counts of sboms per purl (d7ac133)
- deprecate advisories when receiving an upload or deleting one (3123d2b)
- ingest products from csaf documents (2c55fde)
- add an endpoint for release information (0b234ea)
- now showing thread id's in log output (0d200fd)
- support compressed upload (14c356c)
- allow importing complete datasets (9722fdc)
- sort importers by enabledness (7c65d51)
- implement patch for updating importer configurations (ac104b4)
- allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
- add depth to GitWalker for faster clones by limiting history (8da2fe5)
- speed up initial clones of git repos (31cc15f)
- add progress support, backed by the database (bf0a017)
- add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
- replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
- add basic progress support, first just via tracing (4d6d366)
- refactor temp file creation to reduce S3 usage (f9727a2)
- allow creating the embedded database in a different directory (b6766cb)
- improve product details to return basic sbom data (6d3a777)
- allow configuring fetch retries (d1b3ce6)
- allow setting a size limit when importing SBOMs (83dcde7)
- allow using a dedicated working dir for dumps (9cc1302)
- Add maven version comparison SQL function. (7efd883)
- add an xtask for generating a pre-loaded DB dump (59889af)
- S3 storage backend (978a2be), closes #621
- add PurlService method that can gc dead purls. (11b0ede)
- Add api to delete Vulnerabilities. (ad0f2fb), closes #563
- Add api to delete Advisories. (220863f), closes #563
- add the ability to specify a branch for importing OSV (c31462c)
- Add api to delete products (807dcb5), closes #563
- Add api to delete sboms (2e6b810), closes #563
- add rapidoc support (c5df2c5)
- add trustd subcommand to export openapi spec (0ffc786)
- new convention for organizing integration tests (f653c02)
- add import warnings to the report (b59a19b)
- use v5 uuid upsert for CPEs (1fd7470)
- add cpe creator (7c5ee80)
- ingest products from sboms (d5ec88c)
- add more data to the products API (0983ac3)
- allow canceling import runs (7c53e9e)
- add sha384 and sha512 to the SBOM and advisory (bf67cdc)
- add GIN index for labels (3319040)
- add more labels to imported documents, allow user defined labels (87b6a6e)
- return description as well (63a0edd)
- allow setting labels during upload (34d2c06)
- return labels when fetching sboms or advisories (dd54b9f)
- implement setting labels for SBOMs (cf59c85)
- implement setting labels for advisories (22741d5)
- enable backslash to escape operators in filter expressions (5e66c77), closes
#434 - extract organization name from CVE (1065ab3)
- add CWE for vulnerabilities (181719d)
- implements labels using jsonb (d6b4302)
- initial product endpoints (6112344)
- add filtering/query to "find by sbom package" (93e3eaa), closes #438
- search SBOMs by PURL or package id (a4ce8ec), closes #413
- add version to sbom package (20eefb2), closes #284
- support IS [NOT] NULL in queries (5b658cb)
- add ability to translate queries (8c6f062)
- more efficient detection of advisory formats (d669658), closes #257
- Initial implementation of products (2573b01)
- add an entry for all CSAF data (bc9e6a5)
- update cyclonedx for support of 1.5 (9817ffa)
- allow configuring the OIDC UI settings (f2ad362)
- implement CVE import (f6d2cde)
- implement OSV ingestion (0bc8a20)
Fixes
- ai: Reduce tooling description duplication. Move the input description
into the the tooling parameters. (6f0377a) - performance issue in update_deprecated_advisory (03e2637)
- xtask generate-dump (def9856)
- test failure due to .DS_Store files being present (b5df115)
- don't clear qualifiers when ingesting CSAF (506e81b)
- use a combination of namespace and tracking id as document id (f542219)
- openapi.yaml github action execution (471a472)
- update openapi spec (28c332a), closes #866
- avoid workflow failures in forks (501f453)
- init logger only once, use tracing setup (258ce7c)
- handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
- declare uuid dependency and v5 feature (7dc1889), closes #839
- prevent uploading compressed files which might exhaust the memory (9145a6e)
- ensure UUIDs are stable, and we have a stable insertion order (12ef030)
- use stable order for CPEs to prevent deadlocks on the DB (08eb107)
- store documents when ingesting a dataset (600dd36)
- allow ingesting YAML based OSV (54da44c)
- able to run pm-mode in container (bc57113)
- restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
- restore hashes in SBOM fetch api (df89982), closes #733
- disable format detection for importers (26eda5d), closes #715
- fix performance regression, speeds things up ~10x (3af6cdf)
- prevent dumping the full CSAF document into the tracing context (f66ef06)
- importer openapi definitions (aad7e20)
- use the current working directory in the podman -v arg. (ddfdc85)
- add lifetime to avoid a storage impl clone (0822a73)
- a couple of openapi fields reverted to not being required. (2858271)
- PurlService - purl_by_purl bug (a5e07a2)
- refactor sbom dto objects to better represent data model (b551051)
- delete operations were missing from api docs. (bdd3b38)
- generate config schema and ensure they are up-to-date (6ff7e9b)
- use load_one pattern to load all organizations for mulitple products
(537c640) - use load_many pattern to efficiently load versions for multiple products
(020ad82) - make storage CLI options mutually exclusive (e03fda1), closes #631
- remove usage of FileSource and document how to use csaf walker to ingest
local files (398ebf5) - sbom_node FK constraints (37d396f)
- issue with duplicate packages (399645a)
- only force devmode if the embedded OIDC is requested (4bc17f3)
- add the deleteSbom api operationId. (ca3a047)
- define the schema type of the if-match headers. (c198f04), closes #580
- Add openapi operation ids (738d10b), closes #580
- increase recursion limit (3130c74)
- strum build error (4608dff)
- remove "ui" feature (7f12f71), closes #559
- remove non-normative data from advisory vulnerability (1a2714a), closes
#543 - auto-create vulnerabilities using upsert (e516b42)
- swagger-ui for product details (b42ed10), closes #545
- swagger-ui docs for organization (c787eb3), closes #544
- ensure that descriptions are not growing with every insert (f7c4f06)
- also check for vuln-id to create all entries (0dc4583)
- apply the CPE fix also for the language (dc7c328)
- prevent the creation of duplicate CPEs (130e41f)
- use the "last_success" time for the next "since" (2456d9e)
- only add the package manager category as a name for that package (1b39eaa)
- used for both advisories and SBOMs (1d536b7)
- retrying later on change means, accepting it now (e3e9c15)
- catch cases of invalid SPDX references and report them as such (094ef8b)
- bump pg-embed to avoid github rate-limiting during tests (7e62347)
- clean up a few openapi issues around labels (94a47eb)
- this file actually belongs to migration 230 (29a52a0)
- the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
#434 - allow ingesting spdx SBOMs with files (1f2145e)
- relationship direction for "documentDescribes" (058ee24)
- link with specific node, not any node of the SBOM (8d87482)
- appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
- honor transaction for requests (97510e7)
- return only the sbom_node, not all nodes belonging to the sbom (6349e91),
closes #414 - provide the package describing the sbom with the summary (ea8af78)
- enable sorting advisories by average_severity (8de5be2), closes #383
- move graphql under
/graphql
only (f07f5fa) - count items being processed for osv and cve (a1f8d21)
- Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
- the the id issue for SBOMs too (a52b6f4)
- translate the id into a hash before fetching from the storage (12c0d71)
- use newer container to fix/workaround segfault in libgit2 (16deb09)
- accept either domain or full URL (d601573)
- register types, remove infinite reference (724a788)
- reset all jobs when starting up (88ec8da), closes #355
- use correct env-vars for storage settings (a93be47)
- update cve to fix some parsing errors (d46683a)
- directly pass sha256 digest, parsing it misses the perfix (feba99a)
- client ids need to split by comma when coming from the env-var (08c1402)
- update embedded oidc to support refresh tokens (f01dcc5)
- push multi-arch image (d90dae0)
- allow swaggerui to redirect (1bb1ca1)
- ingest scores when loading CSAF docs (4719406), closes #278