
Releases: eclipse/steady

3.2.5

20 Sep 14:24
3d261af

Bug fixes:

  • Fix encoding issue in German locale resource (#559)

Other:

  • Update Java dependencies, esp. PostgreSQL (#565)
  • Update Docker parent images
  • Create CycloneDX SBOM of Eclipse Steady during build (#551)
  • Removed Kubernetes folder and documentation (#569)

3.2.4

21 Apr 14:53
80d6bae

Bug fixes:

  • plugin-gradle - Use .flattened-pom.xml to deploy the module (#544); solves #541

Other:

  • Updated push-images script and documentation (#545)

Note: The asset steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar is made available so that steady-cli can be run until the next Steady release, which will contain the fix for a bug in steady-cli-3.2.4-jar-with-dependencies.jar (#561).

3.2.3

04 Apr 19:54
9d9bc40

New:

  • Compilation now targets Java 8, i.e., client-side components no longer run on Java 7 (Oracle's extended support for Java 7 ends in July 2022) (#529)
  • frontend-apps - Added view "Bloat" to highlight the usage of dependencies and identify candidates for debloating (i.e., libraries not used by the application that can be removed) (#538)
  • plugin-maven - Enhanced the instr goal to instrument Spring Boot applications (#531)

Bug fixes:

  • Updated Log4j to 2.17.1 (#527)
  • Updated Spring Boot to 2.5.12 (#539)
  • plugin-maven - Fixed corner case where direct dependencies were identified as being transitive (#529)

Improvements:

  • plugin-maven - Improved log messages related to client-side JAR analysis (#529)

Other:

  • Updated H2 from 1.4 to 2.0 and changed its scope to test (#527, #528)
  • Updated jackson-databind to 2.12.6.1 and the PostgreSQL JDBC driver to 42.3.3
  • Updated other dependencies to their latest releases (#530)
  • Fixed calls to deprecated APIs (#529 and #530)
  • Minor improvements to docker local setup (#532)
  • Restructured documentation (#502)

3.2.2

20 Dec 18:47
07aa517

Bug fixes:

  • Updated Log4j to 2.17.0

3.2.1

14 Dec 21:37
4008c71

Bug fixes:

  • Updated the vulnerable versions of Log4j (Log4Shell vulnerability) and Guava (#515, #516)
  • Fixed an API incompatibility in the usage of Guice by changedistiller (#514)
  • (docker) Fixed handling of the kb-importer source repository configured in .env (#510)

Improvements:

  • (docker) New setup to run Steady locally, offering three different usage profiles (#502)
  • (docker) Added a configuration value in .env to skip cloning repositories during the initial import
  • Renamed vulas-* config files to steady-*

Other:

  • Several dependency updates

3.2.0

30 Jun 20:33

The following changes affect how Steady is invoked; please adjust your pom.xml and command-line calls accordingly (see the plugin documentation for an up-to-date description of the plugin configuration and use):

  • Renamed the prefix of the plugin goals from vulas to steady
  • Changed the Java groupId from com.sap.psr.research.security to org.eclipse.steady
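
The two renames above, as an added example that is not part of these release notes or of the project's own documentation: the same Maven plugin declaration before and after 3.2.0. The artifactId plugin-maven is the module name used elsewhere in these notes and the report goal is the one referenced under 3.1.12; the version numbers are illustrative assumptions, and the actual configuration keys should be taken from the plugin documentation.

```xml
<!-- Added example, not from the release notes: plugin declaration before and after 3.2.0.
     Version numbers are illustrative assumptions; artifactId "plugin-maven" is the module
     name used in these notes. -->

<!-- Before 3.2.0: old groupId, goals invoked as vulas:<goal>, e.g. "mvn vulas:report" -->
<plugin>
  <groupId>com.sap.psr.research.security</groupId>
  <artifactId>plugin-maven</artifactId>
  <version>3.1.15</version>
</plugin>

<!-- From 3.2.0 on: new groupId, goals invoked as steady:<goal>, e.g. "mvn steady:report" -->
<plugin>
  <groupId>org.eclipse.steady</groupId>
  <artifactId>plugin-maven</artifactId>
  <version>3.2.0</version>
</plugin>
```

With the plugin declared under build/plugins, Maven resolves the goal prefix from the project's own POM, so mvn vulas:report simply becomes mvn steady:report. If the goals are invoked without a POM declaration, the new groupId org.eclipse.steady has to be listed in the pluginGroups of settings.xml; an entry for the old groupId no longer resolves the steady prefix.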

Other changes:

  • Added support for Java 11 (both for reachability analysis and for the runtime containers)
  • Updated from Spring Boot v1 to v2
  • Added a Jenkins build pipeline and made builds reproducible
  • Changed the default call-graph construction framework from WALA to Soot
  • Retired the rest-nvd module in favor of NVD's CVE API

3.1.15

24 Sep 21:48

Bug fixes:

  • Added the manifest entry Multi-Release to all JAR artifacts (#437)

3.1.14

23 Sep 12:19
101e80d

New features:

  • Added the module kb-importer to populate Steady's vulnerability database from Project KB, and updated the vulnerability UI accordingly

Improvements:

  • Show a proper error message in case of 403 (Forbidden) responses from the backend (#419)

Bug fixes:

  • Fixed the serialization of Python construct digests in the module patch-lib-analyzer (#431)
  • Fixed a bug related to bundled libraries, where information on the level of the digest was ignored (#425 and #427)

Other:

  • Changed Java packages from com.sap... to org.eclipse.steady... (#420)
  • Migrated from Log4j 1 to Log4j 2 (#411, #429)

3.1.13

03 Jul 08:42
c6644e1

Improvements:

  • Added the new analysis goal checkcode, which resolves (some of) the cases where code is re-bundled in libraries unknown to Maven Central, or where source artifacts are not available; such cases appear with orange hourglasses in the web frontend (PR #389)
  • Switched to Apache HttpClient in order to send TCP keep-alive packets during long-running HTTP calls (PR #400)

Bug fixes:

  • Fixed the saving of inconsistent library IDs for well-known artifacts (PR #383)

3.1.12

27 May 13:07
bcd5105

Improvements:

  • Added the possibility to exempt vulnerabilities for individual libraries, and simplified the exemption format (#319)
  • Added the new flag createLibraryAssessments to the report goal, which prints curl commands to the console that can be used to permanently mark libraries as non-vulnerable (#319)
  • Protected the POST and PUT endpoints of the BugController by introducing the dedicated, configurable HTTP header X-Vulas-Client-Token (#380, #388)
  • Added a new endpoint to get affected libraries by group and artifact identifier (#381)

Bug fixes:

  • Added @Transactional to two custom repository methods of rest-backend (#367, #375)
  • Excluded traces for constructs of type PACK and CLAS when computing the reachability flags for the vulnerability overview table (#378)