- We updated package-url models, WARNING: in next major version of vulnerablecode i.e v35.0.0 qualifiers will be of type
stringand notdict. - We added changelog and dates on packages and vulnerabilities.
- We fixed table borders in Vulnerability details UI #1356 (#1358)
- We added robots.txt in views.
- We fixed import runner's process_inferences (#1360)
- We fixed debian OVAL importer (#1361)
- We added graph model diagrams #977(#1350)
- We added endpoint for purl lookup (#1359)
- We fixed swagger API docs generation (#1366)
- Fix issues nexB#1385, nexB#1387
- We updated package-url models, WARNING: in next major version of vulnerablecode i.e v35.0.0 qualifiers will be of type
stringand notdict. - We added changelog and dates on packages and vulnerabilities.
- We fixed table borders in Vulnerability details UI #1356 (#1358)
- We added robots.txt in views.
- We fixed import runner's process_inferences (#1360)
- We fixed debian OVAL importer (#1361)
- We added graph model diagrams #977(#1350)
- We added endpoint for purl lookup (#1359)
- We fixed swagger API docs generation (#1366)
- We added /var/www/html as volume in nginx Docker compose (#1373).
- We added /var/www/html as volume in Docker compose (#1371).
- We updated RTD build configuration.
- We added importer for OSS-Fuzz.
- We removed vulnerabilities with empty aliases.
- We fixed search encoding issue nexB#1336.
- We added middleware to ban "bytedance" user-agent.
- We added note about CSRF_TRUSTED_ORIGINS.
- We added proper acknowledgements for NGI projects.
- We added throttling for anonymous users.
- We added pagination to valid versions improver.
- We added support to write packages and vulnerabilities at the time of import.
- We fixed a text-overflow issue in the Essentials tab of the Vulnerability details template.
- We added clickable links to the Essentials tab of the Vulnerability details template that enable the user to navigate to the Fixed by packages tab and the Affected packages tab.
- We fixed severity range issue for handling unknown scores.
- We added importer specific improvers and removed default improver additionally improve recent advisories first.
- We filtered out the weakness that are not presented in the cwe2.database before passing them into the vulnerability details view.
- We fixed NVD importer to import the latest data by adding weakness in unique content ID for advisories.
- We have paginated the default improver and added keyboard interrupt support for import and improve processes.
- We bumped PyYaml to 6.0.1 and saneyaml to 0.6.0 and dropped docker-compose.
- We have dropped
unresolved_vulnerabilitiesfrom /api/package endpoint API response. - We have added missing quotes for href values in template.
- We have fixed merge functionality of AffectedPackage.
- Clean imported data after import process.
- We fixed Apache HTTPD and Apache Kafka importer.
- We removed excessive network calls from Redhat importer.
- Add documentation for version 32.0.0.
- We added loading of env for GitHub datasource in vulntotal.
- We fixed import process in github importer in vulnerablecode reported here nexB#1142.
- We added an improver to get all package versions of all ecosystems for a range of affected packages.
- We added documentation for configuring throttling rate for API endpoints.
- We fixed kbmsr2019 importer.
- We added support for conan advisories through gitlab importer.
- Add aliases to package endpoint.
- We added Apache HTTPD improver.
- We removed redundant API tests.
- We added fireye vulnerabilities advisories importer.
- We added support for public instance of vulnerablecode in vulntotal.
- We re-enabled support for the Apache Kafka vulnerabilities advisories importer.
- We re-enabled support for the xen vulnerabilities advisories importer.
- We re-enabled support for the istio vulnerabilities advisories importer.
- We re-enabled support for the Ubuntu usn vulnerabilities advisories importer.
- We added migration for adding apache tomcat option in severity scoring.
- We re-enabled support for the mozilla vulnerabilities advisories importer.
- We re-enabled support for the gentoo vulnerabilities advisories importer.
- We re-enabled support for the istio vulnerabilities advisories importer.
- We re-enabled support for the kbmsr2019 vulnerabilities advisories importer.
- We re-enabled support for the suse score advisories importer.
- We re-enabled support for the elixir security advisories importer.
- We re-enabled support for the apache tomcat security advisories importer.
- We added support for CWE.
- We added migrations to remove corrupted advisories nexB#1086.
- We re-enabled support for the Apache HTTPD security advisories importer.
- We now support incomplete versions for a valid purl in search. For example, you can now search for
pkg:nginx/nginx@1and get all versions of nginx starting with1.
- We re-enabled support for the NPM vulnerabilities advisories importer.
- We re-enabled support for the Retiredotnet vulnerabilities advisories importer.
- We are now handling purl fragments in package search. For example: you can now serch using queries in the UI like this :
cherrypy@2.1.1,cherrypyorpkg:pypi. - We are now ingesting npm advisories data through GitHub API.
- We added a new Vulntotal command line tool that can compare the vulnerabilities between multiple vulnerability databases.
- We refactored how we handle CVSS scores. We are no longer storing a CVSS score separately from a CVSS vector. Instead the vector is stored in the scoring_elements field.
- We re-enabled support for the PostgreSQL securities advisories importer.
- We fixed the API key request form UI and made it consistent with rest of UI.
- We made bulk search faster by pre-computing package_url and plain_package_url in Package model. And provided two options in package bulk search
purl_onlyoption to get only vulnerable purls without any extra details,plain_purloption to filter purls without qualifiers and subpath and also return them without qualifiers and subpath. The names used are provisional and may be updated in a future release.
This is a minor bug fix release.
- We enabled proper CSRF configuration for deployments
This is a feature update release including minor bug fixes and the introduction of API keys and API throttling.
- We enabled API throttling for a basic user and for a staff user they can have unlimited access on API.
- We added throttle rate for each API endpoint and it can be configured from the settings #991 nexB#991
- We improved how we import NVD data
- We refactored and made the purl2cpe script work to dump purl to CPE mappings
Internally:
- We aligned key names internally with the names used in the UI and API (such as affected and fixed)
- We now use querysets as model managers and have streamlined view code
- We refactored and fixed the LaunchPad API code.
- We now ignore qualifiers and subpath from PURL search lookups.
- We fixed severity table column spillover.
This is a critical bug fix release including features updates.
- We fixed critical performance issues that made the web UI unusable. This include removing some less interesting redundant details displayed in the web UI for vulnerabilities.
- We made minor documentation updates.
- We re-enabled support for Arch linux, Debian, and Ubuntu security advisories importers
- We added a new improver for Oval data sources
- We improved Alpine linux and Gitlab security advisories importers
The summary of performance improvements include these fixes:
- Cascade queries from exact to approximate searches to avoid full table scans in all cases. This is a band-aid for now. The proper solution will likely require using full text search instead.
- Avoid iceberg queries with "prefetch related" to limit the number of queries that are needed in the UI
- Do not recreate querysets from scratch but instead allow these to be chained for simpler and correct code.
- Remove extra details from the vulnerability pacge: each package was further listing its related vulnerabilities creating an iceberg query.
- Enable the django-debug-toolbar with a setting to easily profile queries on demand by setting both VULNERABLECODE_DEBUG and VULNERABLECODE_DEBUG_TOOLBAR enviroment variables.
- We added a new web UI link to explain how to obtain an API for the publicly hosted VulnerableCode
- We added a new "/packages/all" API endpoint to get all Package URLs know to be vulnerable.
This is a major version that is not backward compatible.
We refactored the core processing with Importers that import data and Improvers that transform imported data and convert that in Vulnerabilities and Packages. Improvers can also improve and refine imported and existing data as well as enrich data using external data sources. The migration to this new architecture is under way and not all importers are available.
Because of these extensive changes, it is not possible to migrate existing imported data to the new schema. You will need instead to restart imports from an empty database or access the new public.vulnerablecode.io live instance. We also provide a database dump.
- You can track the progress of this refactoring in this issue: nexB#597
- We added new data sources including PYSEC, GitHub and GitLab.
- We improved the documentation including adding development examples for importers and improvers.
- We removed the ability to edit relationships from the UI. The UI is now read-only.
- We replaced the web UI with a brand new UI based on the same overall look and feel as ScanCode.io.
- We added support for NixOS as a Linux deployment target.
- The aliases of a vulnerabily are reported in the API vulnerabilities/ endpoint
- There are breaking Changes at API level with changes in the data structure:
- in the /api/vulnerabilities/ endpoint:
- Rename resolved_packages to fixed_packages
- Rename unresolved_packages to affected_packages
- Rename url to reference_url in the reference list
- Add is_vulnerable property in fixed and affected_packages.
- in the /api/packages/ endpoint:
- Rename unresolved_vulnerabilities to affected_by_vulnerabilities
- Rename resolved_vulnerabilities to fixing_vulnerabilities
- Rename url to reference_url in the reference list
- Add new attribute is_resolved
- Add namespace filter
- in the /api/vulnerabilities/ endpoint:
- We have provided backward compatibility for url and unresolved_vulnerabilities for now. These will be removed in the next major version and should be considered as deprecated.
- There is a new experimental cpe/ API endpoint to lookup for vulnerabilities by CPE and another aliases/ endpoint to lookup for vulnerabilities by aliases. These two endpoints will be replaced by query parameters on the main vulnerabilities/ endpoint when stabilized.
- We added filters for vulnerabilities endpoint to get fixed packages in accordance to the details given in filters: For example, when you call the endpoint this way
/api/vulnerabilities?type=pypi&namespace=foo&name=bar, you will receive only fixed versioned purls of the typepypi, namespacefooand namebar. - Package endpoint will give fixed packages of only those that matches type, name, namespace, subpath and qualifiers of the package queried.
- Paginated initial listings to display a small number of records and provided page per size with a maximum limit of 100 records per page.
- Add fixed packages in vulnerabilities details in packages endpoint.
- Add bulk search support for CPEs.
- Add authentication for REST API endpoint. The autentication is disabled by default and can be enabled using the VULNERABLECODEIO_REQUIRE_AUTHENTICATION settings. When enabled, users have to authenticate using their API Key in the REST API. Users can be created using the Django "createsuperuser" management command.
- The data license is now CC-BY-SA-4.0 as this is the highest common denominator license among all the data sources we collect and aggregate.
Other:
- We dropped calver to use a plain semver.
- We adopted vers and the new univers library to handle version ranges.
This release comes with the new calver versioning scheme and an initial data dump.