Skip to content

Light IPAM v1.2.0

Choose a tag to compare

@devSealWare devSealWare released this 06 Jul 21:17
15217dd

[1.2.0] - 2026-07-06

A backward-compatible release: no breaking /api/v1 or scanner-protocol changes, and
the two new database migrations (22, 23) are additive. The headline is device
correlation for multi-homed hardware — link-not-merge suggestions, now upgraded to a
gold-confidence signal from SNMP-derived chassis serials.

Added

  • SNMP hardware identity + gold-confidence device links (ADR 0030, migration 23):
    snmp_inventory (and combined) scans now read the device's ENTITY-MIB chassis
    serial number and sysObjectID, persist them through the discovery queue onto
    the imported device, and show the serial on the device page. An exact serial
    match across disjoint subnets is a gold-confidence "Serial match" link
    suggestion (independent of hostname/OS agreement), and a new
    Settings → Discovery toggle (default off) opts in to auto-linking those
    matches at import/sync time, audited as device.link.auto. Placeholder vendor
    serials ("N/A", "To be filled by O.E.M.", …) are filtered agent-side; the
    scanner protocol gains only optional observation fields and stays v1.
  • Same-physical-device links (ADR 0029, migration 22): a reversible link layer that
    groups the multiple device records a multi-homed device (e.g. a router with one
    IP and MAC per subnet) imports as. The device page suggests high-confidence
    matches (identical hostname + same OS family + disjoint subnets — never an exact
    OS-string match) for the operator to confirm or dismiss; nothing links
    automatically. Linked siblings show their IPs, subnets, MACs, OS, and services on
    the device page, records are never merged, and manual link/unlink always works.
    Link actions are audited (device.link.confirmed / .removed / .dismissed).

Fixed

  • Guarded the operator-supplied scanner-agent endpoint_url against SSRF: the app's
    mTLS dispatcher connects to that URL (TCP connect + TLS ClientHello) before the
    pinned-CA cert check runs, and the only prior validation was an https:// prefix
    check, so an endpoint like https://169.254.169.254 turned the app into an internal
    port-scan / metadata oracle. A new ValidateAgentEndpoint requires an https URL
    with a host and rejects literal loopback/link-local/unspecified IPs (private
    RFC-1918 ranges, where real agents live, stay allowed); it runs at save time and
    defensively in the dispatcher itself (CodeQL go/request-forgery).
  • Bounded the argon2 parameters (memory/iterations/parallelism) decoded from a stored
    password hash before their narrowing conversion to uint32/uint32/uint8
    an out-of-range value in a malformed or hostile hash string wrapped silently instead
    of failing closed (CodeQL go/incorrect-integer-conversion).
  • Range-checked the AGENT_SNMP_PORT / AGENT_NETBIOS_PORT / AGENT_MDNS_PORT
    scanner-agent environment variables (1–65535) before their narrowing conversion to
    uint16 — an out-of-range value (e.g. 65537) previously wrapped silently to 1
    instead of falling back to the documented default (CodeQL
    go/incorrect-integer-conversion).