Skip to content

0.1.0
Compare
Choose a tag to compare
@github-actions github-actions released this 12 Dec 15:18
· 19 commits to main since this release
v0.1.0
a4357a3

Changelog

v0.1.0 (2024-12-12)

⚠ BREAKING-CHANGE

  • Breaks the migrations as this PR rewrites the historyto use UUID instead of i32 from the start.

Features

  • allow processing CDX 1.6 (3c3870f)
  • add ingestion time to source documents (f5b9bff)
  • find purls for affected packages (1354501)
  • allow more postgres database options (0f36466), closes #1000
  • provide scores in sbom details response (a3b8e6d)
  • correlate vulnerabilties for purls using product statuses (9ee0d13)
  • enable custom trust anchors for swagger oidc (96ab4c9)
  • imporve migration to migrate data as well (915982d)
  • csaf correlation - correlate vulnerability to purls and sboms (8bc4adb)
  • provide additional information (9d38b76), closes #962
  • query json columns using dot notation, e.g. field.key~log4j (15f52f6)
  • add a store for user preferences (57006c2)
  • add the "reserved" field for vulnerabilities (2654563), closes #964
  • allow ignoring missing (404) files when importing (3e51716)
  • add size of documents and sbom data license (1164a4f)
  • enable compression of docs stored on S3 (ab9c056), closes #925
  • introduce ability to apply a Query to any random context (d12d942)
  • CI pipeline to build, package, test, and deploy each merged PR (2db0f71),
    closes #804
  • populate cpe_key in organization and product tables (feb9d9f)
  • implement optional fs storage compression (10518de)
  • create versioned purls from OSV (5d02060)
  • add an endpoint to get the counts of sboms per purl (d7ac133)
  • deprecate advisories when receiving an upload or deleting one (3123d2b)
  • ingest products from csaf documents (2c55fde)
  • add an endpoint for release information (0b234ea)
  • now showing thread id's in log output (0d200fd)
  • support compressed upload (14c356c)
  • allow importing complete datasets (9722fdc)
  • sort importers by enabledness (7c65d51)
  • implement patch for updating importer configurations (ac104b4)
  • allow disabling the GraphQL endpoint, and do so by default (ea6e6ed)
  • add depth to GitWalker for faster clones by limiting history (8da2fe5)
  • speed up initial clones of git repos (31cc15f)
  • add progress support, backed by the database (bf0a017)
  • add MEM_LIMIT_MB env var to configure threshold for tests (35d1cdd)
  • replace SyncAdapter with SyncIoBridge to reduce RAM usage (684154d)
  • add basic progress support, first just via tracing (4d6d366)
  • refactor temp file creation to reduce S3 usage (f9727a2)
  • allow creating the embedded database in a different directory (b6766cb)
  • improve product details to return basic sbom data (6d3a777)
  • allow configuring fetch retries (d1b3ce6)
  • allow setting a size limit when importing SBOMs (83dcde7)
  • allow using a dedicated working dir for dumps (9cc1302)
  • Add maven version comparison SQL function. (7efd883)
  • add an xtask for generating a pre-loaded DB dump (59889af)
  • S3 storage backend (978a2be), closes #621
  • add PurlService method that can gc dead purls. (11b0ede)
  • Add api to delete Vulnerabilities. (ad0f2fb), closes #563
  • Add api to delete Advisories. (220863f), closes #563
  • add the ability to specify a branch for importing OSV (c31462c)
  • Add api to delete products (807dcb5), closes #563
  • Add api to delete sboms (2e6b810), closes #563
  • add rapidoc support (c5df2c5)
  • add trustd subcommand to export openapi spec (0ffc786)
  • new convention for organizing integration tests (f653c02)
  • add import warnings to the report (b59a19b)
  • use v5 uuid upsert for CPEs (1fd7470)
  • add cpe creator (7c5ee80)
  • ingest products from sboms (d5ec88c)
  • add more data to the products API (0983ac3)
  • allow canceling import runs (7c53e9e)
  • add sha384 and sha512 to the SBOM and advisory (bf67cdc)
  • add GIN index for labels (3319040)
  • add more labels to imported documents, allow user defined labels (87b6a6e)
  • return description as well (63a0edd)
  • allow setting labels during upload (34d2c06)
  • return labels when fetching sboms or advisories (dd54b9f)
  • implement setting labels for SBOMs (cf59c85)
  • implement setting labels for advisories (22741d5)
  • enable backslash to escape operators in filter expressions (5e66c77), closes
    #434
  • extract organization name from CVE (1065ab3)
  • add CWE for vulnerabilities (181719d)
  • implements labels using jsonb (d6b4302)
  • initial product endpoints (6112344)
  • add filtering/query to "find by sbom package" (93e3eaa), closes #438
  • search SBOMs by PURL or package id (a4ce8ec), closes #413
  • add version to sbom package (20eefb2), closes #284
  • support IS [NOT] NULL in queries (5b658cb)
  • add ability to translate queries (8c6f062)
  • more efficient detection of advisory formats (d669658), closes #257
  • Initial implementation of products (2573b01)
  • add an entry for all CSAF data (bc9e6a5)
  • update cyclonedx for support of 1.5 (9817ffa)
  • allow configuring the OIDC UI settings (f2ad362)
  • implement CVE import (f6d2cde)
  • implement OSV ingestion (0bc8a20)

Fixes

  • actually set a default value, instead of null (bcf4fc2)
  • ensure sbom's and adv's can be filtered/sorted by ingested date (b920d63),
    closes #1077
  • use the ingested column in the sbom query (606f596), closes #1077
  • report 500 in case of storage errors, align with other errors (ad97b19),
    closes #1042
  • include json columns in full-text searches (c1330c2)
  • enable filtering/sorting on qualified purl json fields (910c378), closes
    #888 #951 #972
  • use UUID v4 instead of name for the ID of the node (a5a15c1)
  • always create "described by" relationships (ddd20e8)
  • change name from walker to cli (54df2e4)
  • don't check if the bucket exists. (1e9b3e9)
  • openapi spec for moved number_of_packages (32ceeab)
  • move number_of_packages to SbomHead (186d407), closes #1006
  • s3 storage config options and encoding case insensitivity (66c20fd)
  • rename component to package (5436509)
  • osv: treat published as optional (5952f3e)
  • re-walk all files if the commit cannot be found (1fd508f)
  • have a default empty array (d5d9d33)
  • add missing "number_of_vulnerabilities" field (6d6433c)
  • add missing "number of packages" field (538070a)
  • we normally use camel case (5fbbd9a)
  • ai: Reduce tooling description duplication. Move the input description
    into the the tooling parameters. (6f0377a)
  • performance issue in update_deprecated_advisory (03e2637)
  • xtask generate-dump (def9856)
  • test failure due to .DS_Store files being present (b5df115)
  • don't clear qualifiers when ingesting CSAF (506e81b)
  • use a combination of namespace and tracking id as document id (f542219)
  • openapi.yaml github action execution (471a472)
  • update openapi spec (28c332a), closes #866
  • avoid workflow failures in forks (501f453)
  • init logger only once, use tracing setup (258ce7c)
  • handle NONE and NOASSERTION as relationship targets (ae78b03), closes #552
  • declare uuid dependency and v5 feature (7dc1889), closes #839
  • prevent uploading compressed files which might exhaust the memory (9145a6e)
  • ensure UUIDs are stable, and we have a stable insertion order (12ef030)
  • use stable order for CPEs to prevent deadlocks on the DB (08eb107)
  • store documents when ingesting a dataset (600dd36)
  • allow ingesting YAML based OSV (54da44c)
  • able to run pm-mode in container (bc57113)
  • restore hard-coded base paths in CVE/ClearlyDefined walkers (f3a9fe9)
  • restore hashes in SBOM fetch api (df89982), closes #733
  • disable format detection for importers (26eda5d), closes #715
  • fix performance regression, speeds things up ~10x (3af6cdf)
  • prevent dumping the full CSAF document into the tracing context (f66ef06)
  • importer openapi definitions (aad7e20)
  • use the current working directory in the podman -v arg. (ddfdc85)
  • add lifetime to avoid a storage impl clone (0822a73)
  • a couple of openapi fields reverted to not being required. (2858271)
  • PurlService - purl_by_purl bug (a5e07a2)
  • refactor sbom dto objects to better represent data model (b551051)
  • delete operations were missing from api docs. (bdd3b38)
  • generate config schema and ensure they are up-to-date (6ff7e9b)
  • use load_one pattern to load all organizations for mulitple products
    (537c640)
  • use load_many pattern to efficiently load versions for multiple products
    (020ad82)
  • make storage CLI options mutually exclusive (e03fda1), closes #631
  • remove usage of FileSource and document how to use csaf walker to ingest
    local files (398ebf5)
  • sbom_node FK constraints (37d396f)
  • issue with duplicate packages (399645a)
  • only force devmode if the embedded OIDC is requested (4bc17f3)
  • add the deleteSbom api operationId. (ca3a047)
  • define the schema type of the if-match headers. (c198f04), closes #580
  • Add openapi operation ids (738d10b), closes #580
  • increase recursion limit (3130c74)
  • strum build error (4608dff)
  • remove "ui" feature (7f12f71), closes #559
  • remove non-normative data from advisory vulnerability (1a2714a), closes
    #543
  • auto-create vulnerabilities using upsert (e516b42)
  • swagger-ui for product details (b42ed10), closes #545
  • swagger-ui docs for organization (c787eb3), closes #544
  • ensure that descriptions are not growing with every insert (f7c4f06)
  • also check for vuln-id to create all entries (0dc4583)
  • apply the CPE fix also for the language (dc7c328)
  • prevent the creation of duplicate CPEs (130e41f)
  • use the "last_success" time for the next "since" (2456d9e)
  • only add the package manager category as a name for that package (1b39eaa)
  • used for both advisories and SBOMs (1d536b7)
  • retrying later on change means, accepting it now (e3e9c15)
  • catch cases of invalid SPDX references and report them as such (094ef8b)
  • bump pg-embed to avoid github rate-limiting during tests (7e62347)
  • clean up a few openapi issues around labels (94a47eb)
  • this file actually belongs to migration 230 (29a52a0)
  • the q param now works for /api/v1/sbom/{key}/packages (f36b558), closes
    #434
  • allow ingesting spdx SBOMs with files (1f2145e)
  • relationship direction for "documentDescribes" (058ee24)
  • link with specific node, not any node of the SBOM (8d87482)
  • appease graphql and openapi paths wrt slashes (07629a9), closes #376 #422
  • honor transaction for requests (97510e7)
  • return only the sbom_node, not all nodes belonging to the sbom (6349e91),
    closes #414
  • provide the package describing the sbom with the summary (ea8af78)
  • enable sorting advisories by average_severity (8de5be2), closes #383
  • move graphql under /graphql only (f07f5fa)
  • count items being processed for osv and cve (a1f8d21)
  • Restore /api/v1/sbom/{key} SBOM metadata access (7bb7c69), closes #253
  • the the id issue for SBOMs too (a52b6f4)
  • translate the id into a hash before fetching from the storage (12c0d71)
  • use newer container to fix/workaround segfault in libgit2 (16deb09)
  • accept either domain or full URL (d601573)
  • register types, remove infinite reference (724a788)
  • reset all jobs when starting up (88ec8da), closes #355
  • use correct env-vars for storage settings (a93be47)
  • update cve to fix some parsing errors (d46683a)
  • directly pass sha256 digest, parsing it misses the perfix (feba99a)
  • client ids need to split by comma when coming from the env-var (08c1402)
  • update embedded oidc to support refresh tokens (f01dcc5)
  • push multi-arch image (d90dae0)
  • allow swaggerui to redirect (1bb1ca1)
  • ingest scores when loading CSAF docs (4719406), closes #278
Assets 22
Loading