Light IPAM v1.2.0
[1.2.0] - 2026-07-06
A backward-compatible release: no breaking /api/v1 or scanner-protocol changes, and
the two new database migrations (22, 23) are additive. The headline is device
correlation for multi-homed hardware — link-not-merge suggestions, now upgraded to a
gold-confidence signal from SNMP-derived chassis serials.
Added
- SNMP hardware identity + gold-confidence device links (ADR 0030, migration 23):
snmp_inventory(andcombined) scans now read the device's ENTITY-MIB chassis
serial number andsysObjectID, persist them through the discovery queue onto
the imported device, and show the serial on the device page. An exact serial
match across disjoint subnets is a gold-confidence "Serial match" link
suggestion (independent of hostname/OS agreement), and a new
Settings → Discovery toggle (default off) opts in to auto-linking those
matches at import/sync time, audited asdevice.link.auto. Placeholder vendor
serials ("N/A", "To be filled by O.E.M.", …) are filtered agent-side; the
scanner protocol gains only optional observation fields and staysv1. - Same-physical-device links (ADR 0029, migration 22): a reversible link layer that
groups the multiple device records a multi-homed device (e.g. a router with one
IP and MAC per subnet) imports as. The device page suggests high-confidence
matches (identical hostname + same OS family + disjoint subnets — never an exact
OS-string match) for the operator to confirm or dismiss; nothing links
automatically. Linked siblings show their IPs, subnets, MACs, OS, and services on
the device page, records are never merged, and manual link/unlink always works.
Link actions are audited (device.link.confirmed/.removed/.dismissed).
Fixed
- Guarded the operator-supplied scanner-agent
endpoint_urlagainst SSRF: the app's
mTLS dispatcher connects to that URL (TCP connect + TLS ClientHello) before the
pinned-CA cert check runs, and the only prior validation was anhttps://prefix
check, so an endpoint likehttps://169.254.169.254turned the app into an internal
port-scan / metadata oracle. A newValidateAgentEndpointrequires anhttpsURL
with a host and rejects literal loopback/link-local/unspecified IPs (private
RFC-1918 ranges, where real agents live, stay allowed); it runs at save time and
defensively in the dispatcher itself (CodeQLgo/request-forgery). - Bounded the argon2 parameters (memory/iterations/parallelism) decoded from a stored
password hash before their narrowing conversion touint32/uint32/uint8—
an out-of-range value in a malformed or hostile hash string wrapped silently instead
of failing closed (CodeQLgo/incorrect-integer-conversion). - Range-checked the
AGENT_SNMP_PORT/AGENT_NETBIOS_PORT/AGENT_MDNS_PORT
scanner-agent environment variables (1–65535) before their narrowing conversion to
uint16— an out-of-range value (e.g.65537) previously wrapped silently to1
instead of falling back to the documented default (CodeQL
go/incorrect-integer-conversion).