Releases: gcve-eu/cpe-editor
Releases · gcve-eu/cpe-editor
Release list
CPE Editor v1.1.0 released with many improvements in UI, APIs, performance
Release notes
CPE Editor v1.1.0
CPE Editor v1.1.0 is a substantial feature and operations release focused on making curated CPE data easier to explore, review, publish, and run in production. It expands the public contribution workflow, adds richer APIs and feeds, improves dataset portability, and delivers major performance and reliability improvements for larger catalogs.
Highlights
- Richer public contribution workflows: contributors can now propose CPE changes, entity notes, vendor/product metadata, relationship updates, vulnerability references, and product aliases through more focused forms and review flows.
- Approved-change transparency: accepted changes are visible through public change pages, scoped vendor/product/CPE feeds, RSS/Atom feeds, and API endpoints, making downstream synchronization and audit trails easier.
- Better CPE intelligence: product pages now surface aliases, duplicate-detection signals, PURL mappings, vulnerability references, GCVE/db.gcve.eu lookup links, and combined views for related products.
- Expanded API coverage: the read-only OpenAPI interface now includes approved changes, vulnerability references, product aliases, statistics, PURL search filters, and BCP-10-friendly change bundle output.
- Portable curated datasets: dataset export/import now preserves relationships, metadata, aliases, vulnerability references, and PURL mappings, with JSON, NDJSON, and git-friendly export tooling for larger instances.
- Production-ready deployment: a dedicated WSGI entry point and hardened Gunicorn start script provide safer defaults for concurrency, request handling, logging, IPv4/IPv6 binding, and proxy-aware access logs.
- Large-catalog performance: search, prefix filtering, pagination, statistics, and export paths were optimized with better indexes, lower memory use, Valkey-backed statistics caching, and more selective expensive lookups.
- Polished user experience: the UI received improved navigation, layout, dark mode, clearer GCVE collaboration messaging, JSON download affordances, refreshed imagery, and more consistent page actions.
New and improved features
Contribution and moderation
- Added dedicated note, metadata, relationship, vulnerability-reference, and product-alias proposal workflows.
- Added admin review improvements, metadata creation/editing screens, alias management, duplicate detection, false-positive dismissal, proposal source user-agent tracking, and bulk spam deletion.
- Added public approved-change list/detail pages and linked approved changes back to affected vendors, products, CPE records, aliases, and newly created entities.
APIs, feeds, and integrations
- Added a broader OpenAPI-documented read-only API, including endpoints for vendors, products, CPEs, approved changes, vulnerability references, aliases, statistics, and scoped search filters.
- Added RSS and Atom feeds for all approved changes and for individual vendor, product, and CPE scopes.
- Added BCP-10-compatible deterministic UUID handling and optional change bundle output for integration workflows.
- Added import support for NVD CPE Match data, PURL-to-CPE mappings, and GCVE enriched CVE dumps.
Dataset portability
- Added portable dataset export/import coverage for curated entities and relationships.
- Added JSON entity downloads, streaming NDJSON export, and git-friendly export tooling that can update an existing dataset repository in place.
- Improved import robustness for UUID conflicts, orphaned PURL mappings, cvelistv5 payloads, and single-object admin JSON recovery.
Performance and reliability
- Added SQLite production safeguards such as WAL/busy-timeout support, schema alteration helpers, reindexing, and planner analysis support.
- Optimized vendor, product, CPE, PURL, and prefix searches with better query shapes and indexes.
- Reduced unnecessary counts and expensive lookups on large result sets.
- Added Valkey-backed statistics caching and fixed cached vendor name rendering.
- Reduced memory usage for dataset export.
Deployment and operations
- Added
wsgi.pyfor production app loading without debug mode. - Added
start.pyas a production Gunicorn launcher with sensible worker, thread, timeout, backlog, recycle, logging, and IPv4/IPv6 defaults. - Documented production startup, GCVE enriched CVE imports, dataset export tooling, and the current API/test workflow.
Fixes and polish
- Improved search form behavior, vendor pagination, product lookup tables, relationship proposal defaults, CPE API pagination counts, dark-mode link readability, and header/footer branding.
- Fixed several importer, export/import, template, and admin review edge cases.
- Added API and workflow regression tests plus GitHub Actions coverage.
Upgrade notes
- Run the database migration helper before serving an existing instance:
python -m flask --app run init-db --alter. - Rebuild indexes after upgrading large SQLite-backed deployments:
python -m flask --app run reindex-db. - For production deployments, prefer
./start.pyor another WSGI server targetingwsgi:apprather than the Flask development server.
cpe-editor v1.0.0: Establishing the Foundation for Collaborative CPE & PURL Mapping
cpe-editor v1.0.0 (2026-06-14)
We are thrilled to announce the official first release (v1.0.0) of cpe-editor, the platform powering cpe.gcve.eu. This initial release establishes a collaborative environment for managing Common Platform Enumerations (CPE) and Package URL (PURL) mappings, aligned carefully with the GCVE BCP-10 deterministic identity guidance.
Key Highlights
- GCVE BCP-10 Alignment: Implemented deterministic UUIDv5 generation utilizing a vendor-scoped product namespace to guarantee data identity consistency.
- PURL ⇄ CPE Mapping Workflow: Comprehensive support for importing, exporting, browsing, and proposing PURL-to-CPE mappings across vendor, product, and CPE scopes.
- Intelligent Admin Tools: Added advanced duplicate detection routines (exact and partial name matches) alongside experimental metadata creation interfaces.
- Dark Mode Support: A fully integrated dark mode toggle with system preference defaults and optimized color contrast.
Features & New Capabilities
Collaborative Proposal System
- Introduced dedicated submission pipelines for Note Proposals, Product Alias Proposals, and Relationship Proposals (including mixed vendor/product bounds).
- Added user-agent and source-IP tracking for proposals to empower admins with bulk-deletion capabilities for spam mitigation.
- Improved the proposal form UI to default fields to optional for a smoother user experience.
UI, Navigation & Aesthetics
- Theme Toggle: Added native Dark Mode support with local storage persistence and automated fallback to system preferences.
- Enhanced Tables & Views: Added a combined product listing view onto vendor details, collapsible controls for lengthy lists, and explicit anchor-link styling.
- Information & Branding: Refreshed the homepage visual layout, integrated the GCVE logo seamlessly into headers/footers, and added an initiative overview details page.
- Pagination Controls: Added clear pagination handlers to main search routes, vendor directories, top-vendor statistics, and proposal queries.
Comprehensive Statistics & Feeds
- Implemented a public Statistics Page tracking contribution inputs and CPE part distribution metrics.
- Added support for scoped RSS and Atom Change Feeds to tracking approved adjustments publicly.
API & Integration Layers
- Read-Only OpenAPI Endpoint: Exposed major data buckets via a paginated API (including approved changes, statistics, and PURL query filters).
- Vulnerability Enriched Lookups: Embedded external vulnerability lookups directly into product and version UI pages, leveraging
db.gcve.eu/vulnerability.circl.luendpoints and supporting thecvelistv5payload format. - Streaming Importer/Exporter: Rewrote data dumping workflows to utilize a streaming NDJSON exporter, radically dropping memory consumption during dataset replication.
Security & Performance Fixes
- Security Baseline: Enforced global Anti-CSRF (Cross-Site Request Forgery) protections.
- Database Scaling: Added explicit
ALTER TABLEhandling on dynamic schema alterations and unblocked concurrent file access loops on SQLite deployments. - Query Speeds: Optimized complex prefix filtering lookups on PURL data blocks via targeted index structures.
- Data Integrity: Resolved critical
NameErrorfaults impacting URI construction blocks and vendor detail views; added automated deduplication skips inside the CLI importer.