Pre-release

blueandgold released this Oct 15, 2019 · 4 commits to master since this release

TBD


gkowalski-google released this Oct 3, 2019 · 25 commits to dev since this release

Summary

Forseti GitHub repository

Instead of maintaining two main branches (dev and master), we are going to consolidate into only using the master branch. In the past we have used the dev branch for merging feature changes and we recommended to fork from this branch. Going forward we will be merging changes directly to master. This work will be completed during the week of October 7th. If this causes any issues for your forked repository, please contact us on Slack.

Installer

We are postponing the Python installer deprecation to align with the sub-modularization Terraform changes coming in the next release. The Python installer will still be supported to upgrade from v2.21.0 to v2.22.0. We are planning to fully remove support for this installation method in the next release.

Inventory

  • Added new resources from Cloud Asset Inventory.
    • Compute Security Policy
  • Fix for the Groups Settings inventory for G Suite. Previously the allowExternalMembers setting would always be interpreted as true.

Scanner

  • Fix for the Location and Groups Settings Rules Engines to structure violation data in a more useful format. The Notifier uses this data to produce helpful messages for Slack notifications and other notification methods.
  • Updated the Firewall Rule Scanner to support firewall rules that target a protocol other than TCP/UDP together with a port. Previously these rules raised an exception and prevented the scanner from completing.

Infrastructure

  • Upgraded the default size for the Forseti Server VM and the CloudSQL instance.
  • Improved performance of the startup script by only pulling in the current head of the Forseti branch.
  • Updated the startup script to use a random minute for the periodic scan. This helps reduce the rate throttling that some instances experienced when requesting a Cloud Asset Inventory (CAI) export.

Thanks to our contributors!

  • Bob Klein

All changes

134f552 (HEAD -> release-2.22.0, tag: v2.22.0, origin/release-2.22.0) Updated Forseti version
8b6676e (dev) Merge pull request #2706 from forseti-security/servicemanagement-getconfig
6195553 Merge branch 'dev' into servicemanagement-getconfig
cbb6d62 Merge pull request #3243 from forseti-security/fe-dup-name-error
015d24c (origin/fe-dup-name-error) Merge branch 'dev' into fe-dup-name-error
0307d00 Update Firewall Rule Validation (#3249)
ad837ea Updated Group Settings Rules Engine to return an array of settings that are in violation for blacklist/whitelist rules, instead of a string. Added new tests for the blacklist/whitelist methods. (#3245)
c039b30 Added SecurityPolicy from CAI (#3246)
866f03c Merge pull request #3242 from forseti-security/feature/fix-violation-data-for-location-rules-engine
a11a018 Add additional exceptions to catch statements.
d237b4e (origin/feature/fix-violation-data-for-location-rules-engine, feature/fix-violation-data-for-location-rules-engine) Updated the location rules engine to format violation data as a dictionary because the Slack notifier expects this. Updated the Slack notifier to log the issue and not throw an exception, otherwise this prevents other violations from being sent to Slack.
0b706a6 Merge pull request #3233 from forseti-security/dekuhn-patch-5
d878e51 (origin/dekuhn-patch-5) Merge branch 'dev' into dekuhn-patch-5
119e627 Update stale.yml
bc9cc9f Fixed the groups settings from_json method to correctly identify groups that have allow external members = false. (#3237)
da9390f Update stale.yml
240abbd Add files via upload
a4b8f36 Merge pull request #3226 from forseti-security/release-2.21.0
6c73bb1 (origin/servicemanagement-getconfig) Merge branch 'dev' into servicemanagement-getconfig
002919a Merge branch 'dev' into servicemanagement-getconfig
d03a4ff Fix json formatting errors in test
8f1582c Fix final pylint error


gkowalski-google released this Sep 19, 2019 · 48 commits to dev since this release

Summary

Installer

This release includes a migration script for users of the Forseti Python installer. This script can be used to import existing GCP resources into a Terraform state, which can then be used to upgrade the existing Forseti installation. The Python installer is officially deprecated on September 30, 2019. If you have any questions/issues, please contact us on Slack or Email.

Inventory

  • Added new resources from Cloud Asset Inventory.
    • Bigtable
  • Fix for errors generated by BigQuery authorized views when CAI is disabled.

Scanner

  • Fix for Kubernetes scanners that were unable to scan some Kubernetes resources that did not have a unique id.

Infrastructure

  • Kubernetes Alpha 2 release - Config Validator and Policy Library sync is now supported.
  • Updated database migrator script (db_migrator.py) to support custom names for the database, which can be specified through Terraform.
  • Initial changes to support Turbinia.
  • Additional logging for the Forseti startup script within Google Compute Engine (GCE). The startup script was also updated to not remove the Forseti installation folder if there is no internet connection.
  • The Cloud SQL database will be created in the same GCP zone as the Forseti server/client GCE instances.

Thanks to our contributors!

  • Johan Berggren

All changes

17f6c15 Updated Forseti version to 2.21.0
e081e90 Turbinia terraform (#3009)
f5ab85e Merge pull request #3206 from forseti-security/feature/fix-db-migrator-for-custom-db-name
6867a8f Updated the db_migrator.py script by using the FORSETI_DB_NAME environment variable for the Forseti database name. This is set via Terraform and the startup script. Will have some additional PRs for the GKE changes.
07ef0c7 PyMySQL (#3190)
a745272 Merge pull request #3193 from forseti-security/feature/add-cai-resources-bigtable
cc5d12c Merge branch 'dev' into feature/add-cai-resources-bigtable
25fea6f Merge pull request #3192 from forseti-security/feature/bigquery-ignore-authorized-views
92e28e7 Fixing lint issues
1f06454 Adding Bigtable Cluster, Instance, and Table resources from CAI.
1c960ef When Inventory CAI is disabled, the BigQuery API will return any authorized views as part of a dataset policy. These do not have any roles associated with them and should be ignored.
ce6b113 Merge pull request #3187 from forseti-security/feature/fix-resource-hash-function
361a44c moving pylint to same line.
84071a1 Switching from xxhash to blake2b hash function.
9576727 Changing the hash function used by size_t_hash() to be idempotent between different runs. The builtin hash() method is salted with a random value determined at the start of each process. This was causing certain resource IDs to change between runs of the inventory, and breaking some scanners when they are run separately from the inventory process.
44dc251 Allow specification of config-validator host via env var (#3175)
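The hash-stability fix described in the commit messages above (replacing the salted builtin hash() with BLAKE2b so resource IDs stay the same across inventory and scanner processes), shown as an added example. This is illustrative code, not Forseti's own size_t_hash(); the function and the sample resource names are constructed for this example.

```python
import hashlib
import subprocess
import sys

# Constructed sample input: (resource type, resource name) pairs standing in
# for the identifiers an inventory run would hash.
SAMPLE_RESOURCES = [
    ("project", "projects/example-project-1"),
    ("bucket", "example-bucket-1"),
]


def size_t_hash(key: str) -> int:
    """Stable 64-bit unsigned hash of `key` (BLAKE2b with an 8-byte digest).

    Unlike the builtin hash(), the value does not depend on the per-process
    salt (PYTHONHASHSEED), so the same key maps to the same value in every
    process. Hypothetical stand-in for the function named in the commit log.
    """
    digest = hashlib.blake2b(key.encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def builtin_hash_in_fresh_process(key: str) -> int:
    """Run hash(key) in a brand-new interpreter to expose the per-process salt.

    Two calls normally return different values; they only agree if
    PYTHONHASHSEED is pinned in the environment.
    """
    out = subprocess.run(
        [sys.executable, "-c", f"print(hash({key!r}))"],
        capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def stable_resource_ids(resources):
    """Map each resource name to a deterministic ID derived from type and name."""
    return {name: size_t_hash(f"{rtype}/{name}") for rtype, name in resources}


if __name__ == "__main__":
    key = SAMPLE_RESOURCES[0][1]
    print("builtin hash() run 1:", builtin_hash_in_fresh_process(key))
    print("builtin hash() run 2:", builtin_hash_in_fresh_process(key))
    print("blake2b size_t_hash :", size_t_hash(key), "(identical on every run)")
```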


red2k18 released this Sep 9, 2019 · 10 commits to release-2.20.0 since this release

Summary

Inventory

  • Added new Compute resources from Cloud Asset Inventory.
    • Address
    • GlobalAddress
    • Interconnect
    • InterconnectAttachment

Scanner

  • Added functionality to sync the policy library from a public/private GitHub repository as an alternative to manually copying the files to GCS.

Infrastructure

  • Updated the Docker script (docker_setup_forseti.sh) to copy code into the Docker container after the container is running.

Thanks to our contributors!

  • katze120

All Changes

21c97d9 (HEAD -> release-2.20.0, tag: v2.20.0, origin/release-2.20.0) updated version
27093a8 (origin/dev, origin/HEAD, dev) Add policy library sync (#3159)
c402606 Fix for copying code to container after container is running (#3156)
fc90c52 Merge pull request #3153 from forseti-security/portcai
386dcbb Merge branch 'dev' into portcai
ac2caf5 port changes
826c0b1 (test-scanners, rename-tests-to-test) Initial commit of compute_interconnect (#3141)
80cadb1 Merge pull request #3137 from forseti-security/updatefirewalltest
f2fc187 Update firewall test
ea2426e [RELEASE] Merge release-2.19.1 into dev (#3128)
cde7b83 Fix Flaky Firewall Test (#3118)
8d3d162 Fix Flaky Replay Test (#3119)
ba13934 Merge pull request #3120 from forseti-security/add-cai-compute-addresses
393304a (origin/add-cai-compute-addresses) Merge branch 'dev' into add-cai-compute-addresses
d01dc5d Update line length
5457ddf Added Compute Address and GlobalAddress resources from CAI to Forseti Inventory.
fa16918 Merge pull request #3101 from katze120/cscc-dont-inactivate-inactive-findings
22fcf40 Merge branch 'dev' into cscc-dont-inactivate-inactive-findings
8595c2e Merge branch 'dev' into cscc-dont-inactivate-inactive-findings
7cdf985 add one more INACTIVE test data
ea19f7b simplify logic
f110f13 Do not inactivate findings that are already inactive


kevensen released this Aug 23, 2019

Summary

Inventory

  • Add try-except block for CAI export to handle disablement of resources in CAI.

Notifier

  • Fixed bugs in the notifier where Python strings were being passed to functions expecting byte arrays.
  • Minor code fix to comply with the style guide.

Unit Tests

  • Fixed flaky firewall test
  • Fixed flaky replay test

Thanks to our contributors!

  • marmolejogo

All Changes

2990d15 Fix Flaky Firewall Test (#3118)
edfa101 Fix Flaky Replay Test (#3119)
fae92f1 Merge branch 'dev' into release-2.19.1
0dba777 Merge pull request #3114 from forseti-security/revert-2826-fix-svc-perms
061af86 Revert "Add storage.objectViewer role to GCP_READ_IAM_ROLES"
33dacc8 Merge branch 'dev' into release-2.19.1
5ff38bf Merge pull request #2826 from marmolejo/fix-svc-perms
ca13a46 Update package version
b556ea1 Merge pull request #3084 from kevensen/notifier-type-error-fix
bc75d42 Fix string to bytes issue
b54faf6 Merge pull request #3077 from kevensen/inventory-type-error-fix
cb791b3 Update inventory notifier to accept Python 3 strings
042787e + Add try except block for CAI export (#3066)
1428b6f Removed slash to follow style guide (#3033)
7cb09d9 Update Forseti version (#3047)
ff035d6 Use storage.legacyBucketReader role instead of roles/storage.objectViewer
77af416 Add storage.objectViewer role to GCP_READ_IAM_ROLES


joecheuk released this Aug 13, 2019

Summary

Inventory

  • Added better handling of CAI exported resources.
  • Updated to retrieve Kubernetes Cluster resource from CAI instead of GCP API.

Infrastructure

  • Updated the Python base image to slim-stretch.

Scanner

  • Updated ke_rules to scan KE versions for the following vulnerabilities:
    • CVE-2019-11477
    • CVE-2019-11478
    • CVE-2019-11479
  • Updated iam_rules to accept dataset as resource type.
  • Added support in IAM scanner to detect allUsers in BigQuery.

Thanks to our contributors!

All Changes

1bf6425 Update python base image to slim-stretch (#3074)
19f6bb9 Add try except block for CAI export (#3064)
6eac33c Update ke rules to use >= on the latest minor for version 1.11 and 1.12. (#2963)
91ac736 Uncommented iter_container_clusters method in cai_gcp_client.py. (#2958)
3943e8c Update ke_rules.yaml to scan for the added KE versions (#2953)
ce15e9c Add missing dash in resource_rules.yaml (#2950)
673924f Remove useless True and in while loop. (#2801)
d8fa63b Updates to docker_entrypoint.sh to assist with testing (#2943)
2e19304 Do not validate storage-component api (#2912)
afeb548 Added metricWriter role to installer script. (#2944)
481a85a Align forseti_conf_server.yaml.sample with forseti_conf_server.yaml.in (#2941)
a471ee3 Allow iam scanner rule to accept dataset as resource type (#2921)
2c62f00 GKE Container Updates (#2885)


hshin-g released this Aug 10, 2019

Summary

Inventory

  • Added better handling of CAI exported resources.
  • Added feature to allow users to exclude resources during the inventory phase.
  • Added error handling when root resource is not configured properly.
  • Fixed missing group members in Inventory.
  • Muted 501 Not Implemented for listing AppEngine Instances.

CSCC

  • Muted CSCC API exceptions.

Firewall Enforcer

  • Normalized network name in FirewallRules when a short network name is supplied.

Infrastructure

  • Added ability to specify server endpoint on CLI.
  • Fixed Docker base image.
  • Replaced mariadb version in Dockerfile.

Notifier

  • Added root resources to the Inventory Summary.

Terraform

  • Starting from v2.19.0, Forseti on Google Kubernetes Engine (GKE) is available on the Forseti Terraform module and as a Helm Chart.
    • This product is currently in ALPHA. Please reach out to us if you would like to work with us on making Forseti on GKE accessible for your organization.

Misc

  • Changed to WatchedFileHandler to better handle log rotation of forseti.log.

Thanks to our contributors!

All Changes

cbebc4a Add try except block for CAI export (#3064)
ee59008 Add Error Handling When Root Resource Is Not Configured Properly (#3008)
5751c9a Fix Missing Group Members in Inventory (#3002)
b61f134 Mute 501 Not Implemented for Listing AppEngine Instances (#3014)
3e48905 Allow users to exclude resources during the inventory phase. (#2997)
5c447f2 Update export_assets method to take support different outputs. (#3013)
8dfc89a Add Root Resources to the Inventory Summary (#3007)
15e851a Add Deprecation Message to Python Installer (#2985)
246174b CSCC API exceptions are now muted (#2987)
d3cc101 Add ability to specify server endpoint on CLI (#2999)
fa0ace0 Use WatchedFileHandler to better handle log rotation of forseti.log (#2994)
47802a8 Normalize network name in FirewallRules when a short network name is supplied (#2979)
dc5baaf Fixing base image (#2983)
7e4ad1b Replace mariadb version in Dockerfile (#2980)


hshin-g released this Aug 10, 2019

Summary

Installer

  • Used the get-ancestors method instead of gcloud describe to get the org id.

Inventory

  • Added better handling of CAI exported resources.
  • Skipped logging error messages for delete pending projects during Inventory creation.
  • Added CAI data for Kubernetes resources:
    • Namespace
    • Node
    • Pod
    • ClusterRole
    • ClusterRoleBinding
    • Role
    • RoleBinding

CSCC

  • Updated state of outdated findings to inactive.

Notifier

  • Added in traceback if there is an error during notification.

Scanner

  • Added in traceback if there is an error during scanner run.

Infrastructure

  • Added Stackdriver monitoring agent.

Thanks to our contributors!

All Changes

87478c8 Add try except block for CAI export (#3064)
792b7dc Update state of outdated findings to inactive (#2915)
12b22b9 Update violation_data from config validator scanner from str to dict (#2913)
cac7593 Add config-validator user agent suffix (#2910)
47d889b (origin/added-k8-resources) Updated config validator binary to the latest version (#2899)
7617d67 Installer to use get-ancestors method instead of gcloud describe to get org id (#2892)
162e230 Add Stackdriver monitoring agent (#2882)
f30d3e5 Clarified in the config file to use project number / folder number / organization number when specifying the root resource id. (#2879)
e7cc057 Merge release 2.16.0 into dev (#2877)
09f34f2 Skip logging error messages for delete pending projects during Inventory creation (#2878)
edbe92c Add in traceback if there is an error during notification (#2875)
c706c21 Add in traceback if there is an error during scanner run (#2876)


joecheuk released this May 30, 2019 · 4 commits to release-2.16.0 since this release

Summary

Python 3 Migration

The Forseti application has been updated to run on Python 3, as Python 2 is no longer supported.

All changes

0b33385 (tag: v2.16.0) Decode content to string before attaching to an email. (#2866)
aaac3c5 Removed unnecessary call to site.main(). (#2863)
436f8f3 Incremented version to 2.16.0
5f78b6a Fixed blacklist scanner to decode the request content and updated model handle to use hex instead of str. (#2859)
b6baa7d Updated config validator binary to the latest version. (#2855)
78150d7 updated to use python3 -m to locate pip3. (#2854)
6a151af Updated ModelManager to make sure model builds properly (#2853)
2f1d895 Downgraded pip to 9.0.3. (#2851)
a9a820f Python 3 migration (#2850)
87f9b2c Cherry pick #2798 to dev (#2840)
74e5392 Suppressed inventory warning messages in inventory list command. (#2838) (#2841)
b261a51 Merge release 2.15.0 into dev (#2821)


joecheuk released this May 21, 2019

Summary

Inventory

  • Skip storing the 404 response when a Service Account is not found (see #2798).
  • Hide inventory warning messages when running the forseti inventory list command, to improve the user experience.