Releases: guacsec/guac
v0.8.0
- Clearly Defined Certifier! (Experimental)
- Parse CycloneDX Legal information (#1985)
- Add vulnerability scanning on ingestion
- [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982). Keyvalue PR already created (#2033)
- Update slsa parser in-toto attestation library (#1988)
- Update slsa parser to use ResourceDescriptor (#1988)
- [ENT] Fix node, improve package qualifiers query and add missing indexes to speed up query performance (#1989, #1999, #2020 and #2032)
- Include e2e tests for guaccollect, guacingest, and ent (#1998)
- Change isDependency to be only at the pkgVersion
- Fix make all and make build (#2014)
Contributors
- @Yaxhveer
- @nchelluri
- @nathannaveen
- @mlieberman85
- @cberman
- @pxp928
- @mrizzi
- @funnelfiasco
- @mdeicas
- @lumjjb
What's Changed
- 8e8bf52 #1996 Improve package's qualifiers query (#1997)
- d55629f Add default SECURITY.md policy (#2004)
- bf65123 Adds vulnerability scanning on ingestion (#1963)
- e1465d9 Bump actions/checkout from 4.1.6 to 4.1.7 (#1972)
- 681d3b7 Bump actions/create-github-app-token from 1.10.1 to 1.10.3 (#1995)
- 968c0cc Bump actions/setup-go from 5.0.1 to 5.0.2 (#2025)
- 3cacb78 Bump actions/setup-python from 5.1.0 to 5.1.1 (#2024)
- 5b9e79d Bump anchore/sbom-action from 0.16.0 to 0.17.0 (#2023)
- c2983b5 Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 (#1958)
- 250ecb8 Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#1977)
- a0c0b73 Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#2026)
- f0d7607 Bump cloud.google.com/go/storage from 1.41.0 to 1.42.0 (#1979)
- 07cea77 Bump entgo.io/ent from 0.13.0 to 0.13.1 (#2005)
- 57a219f Bump github.com/99designs/gqlgen from 0.17.45 to 0.17.48 (#1961)
- d81762c Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#1962)
- 153f94e Bump github.com/CycloneDX/cyclonedx-go from 0.8.0 to 0.9.0 (#2007)
- dad65eb Bump github.com/aws/aws-sdk-go from 1.53.1 to 1.54.3 (#1968)
- 8ca724a Bump github.com/aws/aws-sdk-go from 1.54.3 to 1.54.6 (#1978)
- 9052a82 Bump github.com/aws/aws-sdk-go from 1.54.6 to 1.55.0 (#2043)
- 809acec Bump github.com/aws/aws-sdk-go-v2 from 1.30.1 to 1.30.3 (#2030)
- e0a7c6b Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.19 (#1970)
- 6139d24 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.19 to 1.27.23 (#1993)
- c903f1b Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.55.1 to 1.58.2 (#2027)
- 3c0319a Bump github.com/fsouza/fake-gcs-server from 1.48.0 to 1.49.2 (#1955)
- 5114c80 Bump github.com/google/osv-scanner from 1.7.2 to 1.7.4 (#1960)
- fb3d62a Bump github.com/google/osv-scanner from 1.7.4 to 1.8.2 (#2013)
- f39ad2e Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#1981)
- 5d0a9bf Bump github.com/nats-io/nats-server/v2 from 2.10.16 to 2.10.17 (#2029)
- c1ddb48 Bump github.com/nats-io/nats-server/v2 from 2.10.17 to 2.10.18 (#2041)
- 4fe606f Bump github.com/nats-io/nats.go from 1.34.1 to 1.36.0 (#1971)
- 221a7d3 Bump github.com/pitabwire/natspubsub from 0.1.3 to 0.1.7 (#1990)
- 9e41590 Bump github.com/redis/go-redis/v9 from 9.5.1 to 9.5.3 (#1954)
- 5c09ea6 Bump github.com/regclient/regclient from 0.6.1 to 0.7.0 (#2042)
- cdfebf3 Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 (#1980)
- 9e41523 Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 (#1991)
- b18df2d Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 (#2028)
- 3ac1beb Bump github.com/vektah/gqlparser/v2 from 2.5.12 to 2.5.14 (#1966)
- 1b1ccc5 Bump github.com/vektah/gqlparser/v2 from 2.5.14 to 2.5.16 (#1992)
- ecf9206 Bump github/codeql-action from 3.25.10 to 3.25.11 (#1994)
- b12ce21 Bump github/codeql-action from 3.25.11 to 3.25.12 (#2022)
- 693a21c Bump github/codeql-action from 3.25.12 to 3.25.13 (#2045)
- f18ba93 Bump github/codeql-action from 3.25.7 to 3.25.8 (#1957)
- 21e503c Bump github/codeql-action from 3.25.8 to 3.25.10 (#1973)
- 8a987bd Bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#2012)
- 546a17e Bump goreleaser/goreleaser-action from 5 to 6 (#1959)
- a0762a6 Clearly defined certifier (#2035)
- ff4c8af Expose certifier and deps.dev batch size and add optional latency (defaults to none) (#1967)
- 7306193 Fix Google Container Registry URL typo (#1986)
- 6443db6 Fix make all and make build (#2014)
- 41970b6 Fix guacrest docker compose healthchecks (#2001)
- 82e3f80 Fix the e2e (#2010)
- ee17427 Fix the shebang on the e2e script by (#2017)
- 9a20f1e Fixed Guacone Query Vuln When Keyvalue is Used (#2000)
- 05de293 Implement the proposal in guacsec/governance#8 (#1935)
- 53a63ab Include e2e tests for guaccollect, guacingest, and ent (#1998)
- 71dbe34 Move to OpenSSF mail server (#1975)
- 9d51e44 Parse CycloneDX Legal information (#1985)
- 8c54ef5 Remove isDependency to pkgName (#2021)
- 0675b67 Speed up common CertifyVuln ent queries by adding indexes (#1999)
- 2845fad Speed up isDependency query when spec depPkg has pkgID (#2020)
- 2d87d8d Update slsa parser to remove deprecated structs (#1988)
- bc9361d Updated query known and slsa parser (#2018)
- 6a63c22 [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982)
- 0b17411 [ENT] add indexes for common queries on ENT (#2032)
- b6754cf [ENT] add missing nodes from the node query (#1989)
- a4c36b1 add check for paginated queries for nil values in ent (#2031)
- 7eccfa9 add missing csub-tls flags for guaccollect (#1951)
- 0c6dc86 move timestamp up such that it is not skipped (#2046)
- 0c70002 remove GetMatchFlagsFromPkgInput helper as it was not needed for isDependency (#1933)
- e2486e1 support direct connections to ent from the rest api (#1932)
- 621b66f update to skip type guac purls in deps.dev (#2039)
v0.7.2
v0.7.1
v0.7.0
- Include Pagination for KeyValue
- Added annotate-metadata command via guacone CLI (Experimental)
- WIP for Get Next Actionable Critical Dependencies (Experimental - REST API)
- Improved CDX parsing for transitive dependencies
- GraphQL - Expose all client queries (paginated and non-paginated)
- [ENT] Controlled and automated schema version migration via Atlas
- Update certifiers to use paginated query for package and source
- Update S3 collector to support collecting from a directory within the bucket
Contributors
What's Changed
- 8e929e7 --- (#1917)
- 5402c79 --- (#1918)
- 79bb957 --- (#1919)
- 1f57e79 --- (#1920)
- febf594 --- (#1923)
- b74c853 Added annotate-metadata command (#1906)
- efa328a Attach hasSBOM nodes to artifacts instead of packages (#1883)
- de5da06 Bump actions/checkout from 4.1.4 to 4.1.5 (#1899)
- 3ad5153 Bump actions/create-github-app-token from 1.10.0 to 1.10.1 (#1946)
- 5f2c476 Bump actions/create-github-app-token from 1.9.3 to 1.10.0 (#1900)
- 098c57a Bump actions/setup-go from 5.0.0 to 5.0.1 (#1898)
- e72f98e Bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 (#1912)
- e166680 Bump aquasecurity/trivy-action from 0.20.0 to 0.21.0 (#1928)
- 2ff113d Bump docker/login-action from 3.1.0 to 3.2.0 (#1944)
- 286c0f8 Bump entgo.io/contrib from 0.4.5 to 0.5.0 (#1894)
- a6471c3 Bump github.com/aws/aws-sdk-go from 1.51.12 to 1.53.1 (#1909)
- 2530c26 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.7 to 1.27.16 (#1929)
- 4485169 Bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to 6.5.9 (#1907)
- 19b6d7b Bump github.com/nats-io/nats-server/v2 from 2.10.12 to 2.10.14 (#1895)
- dfbf8fd Bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 (#1943)
- 0faef0a Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 (#1896)
- 64e4b0e Bump github.com/spf13/viper from 1.18.2 to 1.19.0 (#1942)
- 6ae6785 Bump github/codeql-action from 3.25.6 to 3.25.7 (#1945)
- 44e16c9 Bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#1908)
- b588f97 Bump golangci/golangci-lint-action from 5.1.0 to 5.3.0 (#1897)
- 9da7480 Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#1911)
- 7daab4a Bump google.golang.org/api from 0.176.0 to 0.177.0 (#1893)
- f126a70 Bump google.golang.org/api from 0.177.0 to 0.180.0 (#1910)
- 0c83f5d Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#1930)
- 6a9639b Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#1913)
- d2717a4 Document that the Equals predicates equate only two nouns (#1886)
- 14cd291 Get Next Actionable Critical Dependencies Part 1 (#1705)
- 089496d GraphQL - Expose client queries (#1941)
- 8b702d0 Improved cdx parsing (#1903)
- 761d672 Include Aggregated Json Logs (#1905)
- 0970c35 Include Pagination for KeyValue (#1904)
- 73108d1 Update S3 collector to support collecting from a directory within the bucket (#1871)
- 51d3218 [ENT] Versioned Migration via Atlas (#1887)
- f478bf0 [ENT] add bulk ingest for hasSBOM nodes (#1915)
- 66e066b publishToQueue feature flag and add certifiers to guaccollect pipeline (#1914)
- c27e7c6 add issues/1885 reviewer/owners (#1902)
- 4dc7c94 add missing atlas to post merge CI (#1891)
- c81838c add releases process (#1733)
- b1b9a02 expose certifyVuln and hasSLSA query and pagination query on client side (#1936)
- a35a679 expose hasSBOM pagination query on client side (#1916)
- 7ee25d1 expose vulnerability pagination query on client side (#1925)
- e3e0f93 fix generate code for linter and static checks (#1940)
- 1253f28 fix novuln check for ent query (#1939)
- 529e33b fix: close file (#1924)
- c8b8ff3 update certifier to use paginated query for package and source (#1872)
- 0921628 use deps.dev v3 API (#1890)
- ccad6b3 use underscore instead of colon for blob store key (#1937)
v0.6.0
Highlights
- PostgreSQL/Ent is complete, optimized, and supported!
- REST API endpoints are starting to appear
- CLI commands now allow specifying arbitrary http headers
- Ingestor logs now include document references
- Document references are attached to nodes as part of source information
Changelog
- c0e35bf Add GUAC Version to Logs (#1856)
- 3bb8b21 Add a transitive dependencies endpoint to the REST API (#1867)
- 136ad62 Add guaccollect files option to set origin to blob path (#1811)
- ae3c1aa Add missing dev tools to nix shell (#1819)
- 90d95a5 Add standalone postgres compose (#1868)
- d95860c Add the ability to specify HTTP headers for CLI commands (to support Auth proxies) (#1845)
- c6aaf87 Bump actions/checkout from 4.1.2 to 4.1.3 (#1861)
- e2e4121 Bump actions/checkout from 4.1.3 to 4.1.4 (#1875)
- 3e827b8 Bump actions/create-github-app-token from 1.9.1 to 1.9.2 (#1802)
- eca2727 Bump actions/create-github-app-token from 1.9.2 to 1.9.3 (#1823)
- 5a048cd Bump actions/setup-python from 5.0.0 to 5.1.0 (#1801)
- 1984c68 Bump anchore/sbom-action from 0.15.10 to 0.15.11 (#1877)
- ae9966c Bump anchore/sbom-action from 0.15.9 to 0.15.10 (#1803)
- 2dc06e2 Bump aquasecurity/trivy-action from 0.18.0 to 0.19.0 (#1804)
- 17e8bd7 Bump cloud.google.com/go/storage from 1.39.1 to 1.40.0 (#1799)
- eed71a5 Bump github.com/99designs/gqlgen from 0.17.44 to 0.17.45 (#1857)
- 36f1133 Bump github.com/arangodb/go-driver from 1.6.1 to 1.6.2 (#1826)
- 70babbd Bump github.com/aws/aws-sdk-go from 1.51.7 to 1.51.12 (#1798)
- 9c1eb23 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.53.0 to 1.53.1 (#1840)
- f0e44fd Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.31.2 to 1.31.4 (#1825)
- fd69617 Bump github.com/fsouza/fake-gcs-server from 1.47.8 to 1.48.0 (#1881)
- 19506b6 Bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 (#1827)
- 60d8dc8 Bump github.com/google/osv-scanner from 1.7.0 to 1.7.1 (#1824)
- 21b65fb Bump github.com/klauspost/compress from 1.17.7 to 1.17.8 (#1882)
- 1857403 Bump github.com/nats-io/nats.go from 1.33.1 to 1.34.0 (#1800)
- a586a92 Bump github.com/nats-io/nats.go from 1.34.0 to 1.34.1 (#1879)
- 282ea21 Bump github.com/pitabwire/natspubsub from 0.1.2 to 0.1.3 (#1843)
- 6a164f5 Bump github.com/redis/go-redis/v9 from 9.5.0 to 9.5.1 (#1841)
- af5d83e Bump github.com/regclient/regclient from 0.5.7 to 0.6.0 (#1797)
- 1ea2819 Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#1860)
- bb6b63d Bump gocloud.dev/pubsub/rabbitpubsub from 0.36.0 to 0.37.0 (#1842)
- 9317e44 Bump golang.org/x/net from 0.22.0 to 0.23.0 (#1853)
- 80d7d0d Bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 (#1876)
- 9445fc0 Bump google.golang.org/api from 0.169.0 to 0.172.0 (#1796)
- a2c1206 Bump google.golang.org/api from 0.172.0 to 0.176.0 (#1858)
- e8e4c30 Bump google.golang.org/grpc from 1.62.1 to 1.63.2 (#1859)
- d3f8704 Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#1839)
- e69c19f Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 (#1878)
- 71c5547 Fix GitHub collector to accept explicit tag in urls (#1818)
- 1381c07 Fix goreleaser flag deprecation warnings (#1814)
- db16cdc Fix the Overview Diagram (#1836)
- 46e8893 Fixes to HTTP Header functionality for CLI commands (#1852)
- 56ed851 Go generate (#1869)
- 4741c1c Handle null SPDX relationship values without panicking (#1822)
- 358205b Include a more descriptive debugger for the collector and processor (#1830)
- 6100427 Make the CSub GetCollectEntries() RPC response streaming (#1865)
- 3577d4d Populate SourceInformation.DocumentRef in collectors (#1847)
- 3f124e3 Remove unused variable (#1851)
- ef4658e Run the guacgql HTTP server on only one port (#1805)
- d0c51f5 Update error handling on ingestion (#1832)
- 6638a53 Update gql, parser and backends to add new documentRef field (#1844)
- a0a0a82 Update graphQL schema to add documentRef field to all verbs (#1834)
- d861241 Update graphQL, resolvers and add backend stubs for pagination (#1862)
- c2477fa Update readme with supported backends. (#1873)
- 8189495 [ENT] Complete ent pagination and update backend tests (#1870)
- 2ec6bc9 [ENT] fix issue with index on artifact (#1835)
- 5ff8e90 [ENT] fix trie output for package, source and vulnerability (#1863)
- 2180123 [Ent] Add missing neighbor, node and path query (#1815)
- a5d1d12 [FIX] Ingestor should not ack message on failure (#1874)
- d908792 [FIX] implement fixes based on parsing and querying errors for CDX (#1855)
- 3d6f3c0 [fix] OSV unit test update and replaced deprecated types.Descriptor (#1807)
- 3dba718 add new re-designed overview diagram for GUAC (#1831)
- 5b2e267 added github release identifier string type (#1820)
- b5e2b39 feat: switch golang/mock to uber-go/mock (#1866)
- 573a8d8 fix queue to deliver message directly (#1837)
- 0550c31 remove built in query noder as it was not properly returning the fields in the queried nodes (#1829)
v0.5.2
Highlights
- Fix ENT queries
- Add missing collectors to guaccollect
- Support image references by digest in the OCI collector
- Add guacrest to docker-compose
- Various bug fixes and improvements
What's Changed
- c6a5159 Bump actions/cache from 4.0.1 to 4.0.2 (#1782)
- a1b49c5 Bump actions/checkout from 4.1.1 to 4.1.2 (#1776)
- 0620ad5 Bump actions/create-github-app-token from 1.9.0 to 1.9.1 (#1781)
- 996f777 Bump anchore/sbom-action from 0.15.8 to 0.15.9 (#1767)
- bac5b6d Bump cloud.google.com/go/storage from 1.39.0 to 1.39.1 (#1763)
- b87ea96 Bump docker/login-action from 3.0.0 to 3.1.0 (#1775)
- ade9c9e Bump github.com/Khan/genqlient from 0.6.0 to 0.7.0 (#1773)
- f93a552 Bump github.com/aws/aws-sdk-go from 1.50.36 to 1.51.7 (#1787)
- 488b99e Bump github.com/aws/aws-sdk-go-v2 from 1.25.3 to 1.26.0 (#1772)
- 5c5973f Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.4 (#1760)
- 5c56383 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.4 to 1.53.0 (#1786)
- a895253 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.29.7 to 1.31.2 (#1766)
- b6608f6 Bump github.com/docker/docker (#1778)
- e283206 Bump github.com/go-chi/chi from 1.5.5 to 4.1.2+incompatible (#1761)
- fe4faee Bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 (#1788)
- 90fc632 Bump github.com/google/osv-scanner from 1.6.1 to 1.7.0 (#1755)
- 59897f2 Bump github.com/nats-io/nats-server/v2 from 2.10.11 to 2.10.12 (#1774)
- cc5f59f Bump github.com/pitabwire/natspubsub from 0.1.1 to 0.1.2 (#1764)
- b69464a Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#1785)
- 3100b05 Bump go.uber.org/zap from 1.26.0 to 1.27.0 (#1762)
- 5cccd5e Bump gocloud.dev from 0.36.0 to 0.37.0 (#1770)
- dcf7cef Bump gocloud.dev/pubsub/kafkapubsub from 0.36.0 to 0.37.0 (#1784)
- 3b007a2 Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#1771)
- c85eb0e Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#1758)
- 1357a7c Bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 (#1783)
- 755a8e8 Check DependencyType values in isDependency ingestion and queries (#1780)
- ac4c273 Include missing collectors (#1759)
- f8286dd Included Query for Scorecard (#1791)
- 638ba85 Included a README for guacrest (#1719)
- 693be1a Support image references by digest in the OCI collector (#1779)
- d41d633 [ENT] Fix all broken queries from the backend test suite (#1790)
- 6055128 add guacrest to docker and go releaser (#1792)
- ef1c2c9 fix health check for rest api (#1793)
v0.5.1
Highlights
- Add GitHub release/artifact collector to guacone: guacone collect github.
- Fix a validation issue in guac-demo-compose.yaml
Changelog
- 2b196f5 Add Pagination to the Rest API (#1720)
- c3efd23 Bump github.com/cloudevents/sdk-go/v2 from 2.15.1 to 2.15.2 (#1754)
- 4428d22 Fixed flaky test (#1752)
- 652c333 Fixed typos (#1751)
- 249a6f5 Included Guacone Collect Github (#1677)
- d4a9a96 Included Polling for Github Collect (#1678)
- 67e4664 README for the Github Collector (#1731)
- 1f9eb7c Remove empty depends_on that fails validation. (#1757)
- d490212 adds helper function to check for an arango collection index (#1750)
- 6985a57 move message acknowledgment for pubsub to be done after the ingestion has occurred (#1753)
v0.5.0
Highlights
- Various updates to the graphQL API
- Updates to the ENT backend to make ingestion quicker
- Addition of the REST API features and build out
- Metrics via Prometheus
- Various bug fixes and improvements
What's Changed
- ede754a Add Deps.dev collector to guacone (#1661)
- 89019ad Add a demo level docker compose yaml (#1747)
- 42f945e Bump actions/cache from 3.3.3 to 4.0.0 (#1653)
- 642a10c Bump actions/cache from 4.0.0 to 4.0.1 (#1740)
- 9686503 Bump actions/create-github-app-token from 1.6.3 to 1.6.4 (#1651)
- 9c3b5d0 Bump actions/create-github-app-token from 1.6.4 to 1.7.0 (#1667)
- 9e3cd9d Bump actions/create-github-app-token from 1.7.0 to 1.8.0 (#1704)
- ceb3192 Bump actions/create-github-app-token from 1.8.0 to 1.8.1 (#1724)
- 93887c6 Bump actions/create-github-app-token from 1.8.1 to 1.9.0 (#1741)
- 45356ea Bump anchore/sbom-action from 0.15.3 to 0.15.5 (#1652)
- c350930 Bump anchore/sbom-action from 0.15.5 to 0.15.6 (#1668)
- 3844bcf Bump anchore/sbom-action from 0.15.6 to 0.15.8 (#1691)
- a3c3690 Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 (#1703)
- 1b58cd4 Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#1742)
- a1fd412 Bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 (#1687)
- 1770712 Bump cloud.google.com/go/storage from 1.37.0 to 1.38.0 (#1716)
- 033f281 Bump cloud.google.com/go/storage from 1.38.0 to 1.39.0 (#1744)
- d597f9e Bump entgo.io/ent v0.13.0 (#1707)
- 9e5d83d Bump github.com/99designs/gqlgen from 0.17.43 to 0.17.44 (#1715)
- 60210aa Bump github.com/aws/aws-sdk-go from 1.49.17 to 1.50.6 (#1672)
- f7bdab8 Bump github.com/aws/aws-sdk-go from 1.50.6 to 1.50.11 (#1689)
- 68230c5 Bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#1725)
- b1c67c9 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#1662)
- 590df02 Bump github.com/cloudevents/sdk-go/v2 from 2.10.1 to 2.15.0 (#1669)
- ce741a7 Bump github.com/cloudevents/sdk-go/v2 from 2.15.0 to 2.15.1 (#1728)
- 5b8d7a9 Bump github.com/deepmap/oapi-codegen/v2 from 2.0.1-0.20240123090344-d326c01d279a to 2.1.0 (#1713)
- 0919d31 Bump github.com/fsouza/fake-gcs-server from 1.47.7 to 1.47.8 (#1743)
- 13b5121 Bump github.com/getkin/kin-openapi from 0.122.0 to 0.123.0 (#1727)
- a6c67d3 Bump github.com/google/osv-scanner from 1.4.3 to 1.6.1 (#1657)
- b7e84b9 Bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to 6.5.4 (#1673)
- 755c47e Bump github.com/klauspost/compress from 1.17.4 to 1.17.5 (#1671)
- efd46f3 Bump github.com/klauspost/compress from 1.17.5 to 1.17.6 (#1701)
- 6c45c18 Bump github.com/moby/buildkit from 0.12.2 to 0.12.5 (#1679)
- e1d3451 Bump github.com/nats-io/nats-server/v2 from 2.10.9 to 2.10.10 (#1686)
- 32169e5 Bump github.com/nats-io/nats.go from 1.32.0 to 1.33.1 (#1726)
- 8eaa7ed Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 (#1745)
- cf9ccd3 Bump github.com/redis/go-redis/v9 from 9.4.0 to 9.5.0 (#1714)
- 75a5ae7 Bump github.com/regclient/regclient from 0.5.5 to 0.5.6 (#1688)
- 644b493 Bump github.com/regclient/regclient from 0.5.6 to 0.5.7 (#1700)
- 91a9be2 Bump github.com/segmentio/kafka-go from 0.4.46 to 0.4.47 (#1655)
- 315dfef Bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 (#1654)
- ec85ecd Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1746)
- 4adbf13 Bump github.com/swaggo/swag from 1.16.2 to 1.16.3 (#1698)
- 694a8f2 Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#1702)
- 6e88dab Bump google.golang.org/api from 0.154.0 to 0.157.0 (#1656)
- 9db9b6a Bump google.golang.org/api from 0.157.0 to 0.160.0 (#1670)
- abd5a73 Bump google.golang.org/grpc from 1.60.1 to 1.61.0 (#1685)
- e023b46 Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#1690)
- d5feab1 ENT - bulk ingestion and update to use IDorInputSpec (#1732)
- 237ff8c Encoding guesser (#1472)
- f750549 Error and exit when initialization fails (#1674)
- e9e3551 Fix License node ingestion when no LicenseListVersion provided. (#1738)
- 431a286 Fix the incorrect callingFuncName in the getNeighborIDFromCursor (#1730)
- 52a55e4 Github Collector Enhancements (#1566)
- dbf92ad Gqlschemafix (#1683)
- 5fbba0d Id or inputspec (#1708)
- 645dcbc Implemented key value search (#1711)
- e8ff763 Improve guac query vuln error message (#1695)
- e2c8157 Included http middleware to measure the graphql response times using prometheus. (#1675)
- de3cd11 Included prometheus server for guacql (#1635)
- c628147 Move all arango tests to common integration test suite. (#1660)
- 2169376 Update CONTRIBUTING.md about DCO and CLA. (#1723)
- b0969e3 Update default blob-addr to use filesystem (for docker-compose and k8s) (#1666)
- f6e9f46 Use filename as qualifier for SBOM file references (#1546)
- f393612 Use graphql.HasOperationContext in arangodb assembler (#1659)
- db84270 Utilize gocloud and blob store to work around pubsub message size (#1630)
- 2b3b18e [Rest API] Adds the initial API Spec and guacrest cli. (#1665)
- eee82ba abstract pubsub service via gocloud (#1664)
- 3f2ef06 add purl helper to convert from allPkgTree fragment (#1681)
- 99a4d54 attempt to fix golangci-lint issues (#1735)
- 8c27a44 feature: Verify the DSSE envelope if the verifier-key-path and verifier-key-id are provided. Fail the provenance ingestion if the document is not verified. (#1712)
- 1e337e3 fix: s3 collector (#1658)
- f1703bd fix[update-arango-graph] - creates a missing collection in already pr… (#1649)
- db6cfcc removing MAX_CONCURRENT_JOBS (#1682)
- ef4c295 save qualifiers from golang loop semantics (#1684)
- 753e57b separate software IDs into packages and artifacts for hasSBOM ingestion (#1718)
- c3464f8 update dsse processor to not guess unpacked payload (#1647)
- 277c791 update hasSBOM ingestion for large SBOMs and increase batch size for bulk ingestion (#1748)
v0.4.0
Highlights
- Addition of a new KeyValue backend (Redis and TiKV)
- Update and improve guacone CLI
- Add new graphQL Custom Directives contains and startswith
- Various updates to arangoDB and ENT backend
- REST API initial implementation
- Various bug fixes and improvements
What's Changed
- 8336525 1434-docker-compose - backend selection on startup (#1435)
- c197a9d 1550 Ent: hasSBOM 'included' implementation (#1583)
- 8daf872 Add Guacone collect files json.bz2 capability (#1395)
- 1fb5ee9 Add Redis and TiKV kv stores (#1502)
- bb36eab Add benchmark for TiKV (#1579)
- ab37eb4 Add comment for id field on PkgSpec (#1631)
- df88a40 Add comment on Edge schema to note that edges are bidirectional (#1632)
- 7176dec Add concurrency to arango hasSBOM query (#1609)
- c45498b Add log level configuration (#1422)
- cb92e23 Add performance test for redis. (#1562)
- a4faf80 Add support for OCI referrers (#1278)
- 2304b5e Bump actions/cache from 3.3.2 to 3.3.3 (#1642)
- cabf7f9 Bump actions/checkout from 3.4.0 to 4.1.1 (#1489)
- aa334f6 Bump actions/checkout from 4.1.0 to 4.1.1 (#1423)
- 47f9756 Bump actions/create-github-app-token from 1.5.0 to 1.5.1 (#1467)
- 4c9a54f Bump actions/create-github-app-token from 1.5.1 to 1.6.0 (#1516)
- 1c55d0b Bump actions/create-github-app-token from 1.6.0 to 1.6.1 (#1551)
- 2bfe69a Bump actions/create-github-app-token from 1.6.1 to 1.6.2 (#1570)
- 48efadb Bump actions/create-github-app-token from 1.6.2 to 1.6.3 (#1641)
- 54fe233 Bump actions/download-artifact from 3 to 4 (#1591)
- 7e4740c Bump actions/github-script from 6.4.1 to 7.0.0 (#1494)
- 5c32cb5 Bump actions/github-script from 7.0.0 to 7.0.1 (#1515)
- 67ce224 Bump actions/setup-go from 4.0.1 to 4.1.0 (#1493)
- c4c8ca3 Bump actions/setup-go from 4.1.0 to 5.0.0 (#1568)
- 7bbde8f Bump actions/setup-python from 4.7.1 to 5.0.0 (#1569)
- 1395ebf Bump actions/upload-artifact from 3 to 4 (#1640)
- 880b129 Bump anchore/sbom-action from 0.14.3 to 0.15.0 (#1518)
- 4553605 Bump anchore/sbom-action from 0.15.0 to 0.15.1 (#1552)
- 65da979 Bump anchore/sbom-action from 0.15.1 to 0.15.3 (#1626)
- bfd70a6 Bump aquasecurity/trivy-action from 0.12.0 to 0.13.0 (#1443)
- 552cf9b Bump aquasecurity/trivy-action from 0.13.0 to 0.13.1 (#1468)
- 79ffb2f Bump aquasecurity/trivy-action from 0.13.1 to 0.14.0 (#1490)
- 3e8b997 Bump aquasecurity/trivy-action from 0.14.0 to 0.16.0 (#1571)
- 5692dc6 Bump aquasecurity/trivy-action from 0.16.0 to 0.16.1 (#1625)
- f0c6c23 Bump cloud.google.com/go/storage from 1.33.0 to 1.34.1 (#1462)
- a3301cb Bump cloud.google.com/go/storage from 1.34.1 to 1.35.1 (#1492)
- 68c22cc Bump entgo.io/ent from 0.12.4 to 0.12.5 (#1522)
- 9fd1846 Bump github.com/99designs/gqlgen from 0.17.37 to 0.17.39 (#1411)
- f48cf42 Bump github.com/99designs/gqlgen from 0.17.39 to 0.17.41 (#1553)
- 645533d Bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#1573)
- d9609a3 Bump github.com/arangodb/go-driver from 1.6.0 to 1.6.1 (#1523)
- 64d2c5b Bump github.com/aws/aws-sdk-go from 1.45.24 to 1.45.26 (#1412)
- 5cf6cbc Bump github.com/aws/aws-sdk-go from 1.45.26 to 1.46.2 (#1425)
- f92473b Bump github.com/aws/aws-sdk-go from 1.46.2 to 1.48.0 (#1521)
- 4a67771 Bump github.com/aws/aws-sdk-go from 1.48.0 to 1.49.13 (#1613)
- c078576 Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.49.17 (#1622)
- c13e040 Bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.2 (#1447)
- d3611c3 Bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.23.5 (#1556)
- 6d501cc Bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 (#1621)
- 4e83d90 Bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.19.1 (#1446)
- 21abc32 Bump github.com/aws/aws-sdk-go-v2/config from 1.19.1 to 1.26.1 (#1576)
- 5a12fd2 Bump github.com/aws/aws-sdk-go-v2/config from 1.26.1 to 1.26.2 (#1612)
- 25250e2 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.40.2 (#1445)
- 14c40cb Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.2 to 1.42.1 (#1487)
- b6246e5 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.24.1 to 1.26.0 (#1466)
- a95b0bf Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.24.1 to 1.29.6 (#1614)
- f1e2b24 Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#1619)
- 0ce585b Bump github.com/docker/docker (#1442)
- b6f77f3 Bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 (#1486)
- 604d475 Bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 (#1531)
- 8ba3f39 Bump github.com/fsouza/fake-gcs-server from 1.47.5 to 1.47.6 (#1428)
- 1416c0f Bump github.com/fsouza/fake-gcs-server from 1.47.6 to 1.47.7 (#1639)
- 97cd84f Bump github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1 (#1532)
- ed19b9b Bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#1588)
- 1d48ca9 Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1409)
- 00d978b Bump github.com/google/osv-scanner from 1.4.1 to 1.4.2 (#1444)
- d0e7461 Bump github.com/google/osv-scanner from 1.4.2 to 1.4.3 (#1488)
- 63ebfe7 Bump github.com/jedib0t/go-pretty/v6 from 6.4.7 to 6.4.8 (#1429)
- f4c68bc Bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to 6.5.3 (#1638)
- cb78b8d Bump github.com/klauspost/compress from 1.17.2 to 1.17.3 (#1534)
- e08c31e Bump github.com/klauspost/compress from 1.17.3 to 1.17.4 (#1557)
- 1e4157b Bump github.com/nats-io/nats-server/v2 from 2.10.1 to 2.10.2 (#1418)
- 778f2c6 Bump github.com/nats-io/nats-server/v2 from 2.10.2 to 2.10.3 (#1427)
- 02152b2 Bump github.com/nats-io/nats-server/v2 from 2.10.3 to 2.10.4 (#1454)
- 45e8941 Bump github.com/nats-io/nats-server/v2 from 2.10.4 to 2.10.5 (#1495)
- bac74b5 Bump github.com/nats-io/nats.go from 1.30.1 to 1.31.0 (#1408)
- 0689514 Bump github.com/nats-io/nkeys from 0.4.5 to 0.4.6 (#1455)
- a49449a Bump github.com/ossf/scorecard/v4 from 4.13.0 to 4.13.1 (#1464)
- a591214 Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 (#1637)
- c91c538 Bump github.com/redis/go-redis/v9 from 9.3.0 to 9.3.1 (#1600)
- 7857ed7 Bump github.com/redis/go-redis/v9 from 9.3.1 to 9.4.0 (#1623)
- 0b7c030 Bump github.com/regclient/regclient from 0.5.1 to 0.5.3 (#1410)
- 056ca7a Bump github.com/regclient/regclient from 0.5.3 to 0.5.4 (#1519)
- 79ef3f1 Bump github.com/regclient/regclient from 0.5.4 to 0.5.5 (#1554)
- 770cf2e Bump github.com/segmentio/kafka-go from 0.4.42 to 0.4.44 (#1463)
- 6d2150d Bump github.com/segmentio/kafka-go from 0.4.44 to 0.4.46 (#1572)
- d619162 Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4 (#1426)
- 596c9f9 Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5 (#1533)
- 7ae8af7 Bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#1587)
- 9407c75 Bump github.com/sigstore/sigstore from 1.7.6 to 1.8.0 (#1602)
- 974f14b Bump github.com/spf13/viper from 1.16.0 to 1.17.0 (#1520)
- 76e2661 Bump github.com/spf13/viper from 1.17.0 to 1.18.2 (#1589)
- c86d904 Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1592)
- bfa5624 Bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 (#1555)
- c0eaaeb Bump google.golang.org/api from 0.148.0 to 0.149.0 (#1465)
- 56cb4f9 Bump google.golang.org/api from 0.150.0 to 0.152.0 (#1535)
- e9ee86b Bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#1620)
- fe10b55 Bump goreleaser/goreleaser-action from 4 to 5 (#1517)
- e2b35ad Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#1424)
- 2b32a09 Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#1491)
- ba1eb78 Bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#1567)
- c308c54 CSAF Parser: fixed branches' names collision (#1528)
- 18ad0d0 Change Keys method in kv interface to Scan (#1558)
- 030cf7f Convert default backend from "inmem" to "keyvalue" (#1475)
- c5d84b6 Create a single backend acceptance test suite. (#1597)
- fb58ab3 Define edges within software tries related nodes (#1450)
- f2198ad Enable query on benchmark, fix some Scan() issues in keyvalue (#1585)
- 2a9a787 Ent - HasMetadata: applied concurrent approach (#1458)
- b178fcd Ent - PackageVersion: added index for improving IsDependency ingestion (#1439)
- da929fc Ent - Restore IngestPackages concurrently (#1586)
- 72e03ee Ent - Vulnerability endpoints: applied concurrent approach (#1459)
- 1b4e681 Ent - VulnerabilityMetadata endpoints (#1416)
- 7a05b7e Ent: IngestArtifacts optimized using concurrently (#1596)
- f6a0a24 Ent: IngestBuilders, IngestCertifyBads, IngestCertifyGoods, IngestCertifyLegals refactored concurrently (#1599)
- 68210cf Ent: IngestOccurrences optimized with concurrently (#1593)
- a599888 Ent: IngestSources optimized with concurrently (#1595)
- a20dbc7 Ent: Package,IsDependency concurrent bulk ingestions (#1440)
- 5521770 Ent: error management when closing Ent client during tests (#1478)
- 545e294 Ent: fixed lint issue on 'main' (#1598)
- 7a4373b Feature/arango neighbors nouns query (#1419)
- 2ad8e2b Feature/arango neighbors verbs with tests (#1420)
- 09b3c74 Feature/update arango hasSBOM adding includes (#1564)
- ab00d12 Fix single target build and remove unused function from test (#1543)
- e560250 Fix some error returns without unlocks. (#1581)
- 0b8fc18 Fix some logic errors on IsDependency (#1627)
- 565483d Fixed Error in Scorecard Certifier (#1501)
- 9faa6de Fixed docker-compose down (#1451)
- 14a79d9 Fixed the incorrect tests for deps_dev (#1400)
- c298eea Implemented prometheus (#1500)
- 1e5a333 Implemented the REST API (#1452)
- 2af1cc4 Included option to run integration tests locally (#1361)
- c72e762 Included a faster fmt (#1507)
- 165897d Issue 966: Extend HasSBOM to include references to included software … (#1367)
- 686ce43 Iterating Over all IDs in QueryVulnsViaVulnNodeNeighbors (#1509)
- c5c346c OCI purl: fix repository URL management (#1485)
- 92bd33e Query filter support for nested keys (#1618)
- cb550ee Remove extra read locking that will cause deadlock. (#1580)
- 83b892c S3 collector implementation (#1308)
- 7144c45 Update ent and arango source model generation. (#1594)
- 2b1e1ae Update key methods...
v0.3.0
Highlights
- Add timestamp fields to certifyBad, certifyGood, and hasSBOM
- Ingest SPDX CPEs from externalRefs
- Fix the issue with OSV certifier failing to ingest vulnerabilities while polling
- Fix noVuln not showing on query known CLI
What's Changed
- 2c19f25 Add License and CertifyLegal to Arango backend. (#1349)
- b7ff00e Add SECURITY-INSIGHTS (#1353)
- ffadd34 Add a developer readme to the cli commands. (#1324)
- caebd0c Bump actions/create-github-app-token from 1.2.2 to 1.5.0 (#1372)
- baae9ca Bump entgo.io/ent from 0.12.4-0.20230918073025-797534a0d1ca to 0.12.4 (#1377)
- 583c478 Bump github.com/aws/aws-sdk-go from 1.45.20 to 1.45.24 (#1375)
- 1db53ed Bump github.com/fsouza/fake-gcs-server from 1.47.4 to 1.47.5 (#1376)
- 686fcad Bump github.com/nats-io/nats-server (#1352)
- 2f87865 Bump github.com/ossf/scorecard/v4 from 4.12.0 to 4.13.0 (#1374)
- ff8bcb9 Bump golang.org/x/net from 0.15.0 to 0.17.0 (#1389)
- 457ace8 Bump golang.org/x/sync from 0.3.0 to 0.4.0 (#1373)
- dc8d75a Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1371)
- 7c3b1b9 Certifier OSV: fixed emit func when polling (#1396)
- c923aa6 Ent - HasMetadata (#1365)
- 64850de Ent - HasMetadata: fix ingesting same twice (#1392)
- d18327b Ent - PointOfContact (#1391)
- 9e65098 Feature/arango node query with updates to inmem unit tests (#1369)
- 24dc68f Fix lint errors and increase golangci-lint timeout (#1351)
- d681a8d Include Timestamps for Verbs (#1338)
- 542f03f SPDX Parser: ingest CPE from externalRefs (#1347)
- b540d46 Support TLS for csub server and clients (#1390)
- 4652364 Support TLS for graphql server (#1380)
- a3299ca Update packages for slices import (#1356)
- 3b4bc8e Update query used in docs with new vuln structure. (#1385)
- e48e534 Wait for guac server to start before running tests (#1383)
- a9dc7af [feature] Unionize parsing for cdx SBOM and VEX data (#1247)
- c225a8e add flag to toggle getting deps.dev dependencies (#1382)
- 9254f32 change package version list to a map and add tests (#1332)
- 9caebd6 edit arangosearch view to exclude subpath search results (#1397)
- 5ecc2be fix contributor.md broken links to docs (#1393)
- d7daa07 fix noVuln type not showing up when querying for known (#1394)
- 23cdc26 fix: typo (#1379)
- 09c5879 process PACKAGE_OF relationship in SPDX files (#1337)
- 51e8fc6 refactor(depversion): avoid unnecessary byte/string conversion (#1384)
- 70a6fe2 remove gql-test-data as it's no longer needed to test the backends (#1355)