Releases: ossf/package-analysis
rel-36
What's Changed
- enable code execution feature by default by @maxfisher-g in #958
- Add environment variable baits by @elainechien in #948
- cmd/analyze: use exit status 1 and 2 for errors, improve error messages for invalid cli arguments by @maxfisher-g in #967
- python dynamic analysis: support async and generator function execution by @maxfisher-g in #968
- update babel parser to match babel traverse version by @maxfisher-g in #969
- strace parsing: fix regex issue when unlink syscall does not have path by @maxfisher-g in #970
- add python3-dev package to dynamic analysis dockerfile by @maxfisher-g in #974
- cmd/analyze: add resolved package version to logging context by @maxfisher-g in #975
- Add archive checksum by @h0x0er in #978
- Fix compose path by @lukehinds in #983
- move DynamicAnalysisRecord struct to public API by @maxfisher-g in #986
- sandboxes/README.md: fix some sentences by @maxfisher-g in #992
- pkg/api/analysisrun refactoring by @maxfisher-g in #995
- static analysis: collect basic information about archive file by @maxfisher-g in #993
- Move images using load/save instead of docker daemon. by @calebbrown in #998
- Switch to osv-scanner-action repo, pin action version by @another-rex in #1006
- Shard dynamic analysis data loading across ecosystems and simplify implementation. by @calebbrown in #1007
- Add option to force cloud logging for BigQuery loading in cloudbuild. by @calebbrown in #1008
- Set the entrypoint explicitly to /bin/bash in the BQ Loader cloudbuild.yaml by @calebbrown in #1009
- Fix a bug where the RESULT_BUCKET env var wasn't used correctly. by @calebbrown in #1010
- Add headless flag to BQ command to improve output. by @calebbrown in #1011
- Add option to BigQuery SQL to remove expiration from "like" table. by @calebbrown in #1012
- Add support to build sample python package with docker by @elainechien in #1002
- Disable the currently failing crates.io test until it is fixed. by @calebbrown in #1016
- Point the new dynamic analysis loader at the real table. by @calebbrown in #1017
- Add user-agents to http requests sent by Package Analysis by @calebbrown in #1018
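The strace parsing fix in #970 concerns a classic edge case: a regex that assumes every unlink call carries a quoted path silently drops lines where strace could only print a raw pointer (for example when the argument memory was not readable). The following Go snippet is an added illustration of that failure mode and is not code from the package-analysis repository: the strace lines, the UnlinkEvent type, the ParseUnlink/ParseAll functions and the pattern itself are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample strace output (not captured from the project). It covers
// the normal quoted-path case, a raw-pointer argument where strace could not
// decode the string, the unlinkat variant, and an unrelated syscall that must
// not match.
var sampleLines = []string{
	`unlink("/tmp/payload.sh") = 0`,
	`unlink(0x7ffd3c2a1e90) = -1 EFAULT (Bad address)`,
	`unlinkat(AT_FDCWD, "/tmp/cache.db", 0) = 0`,
	`openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3`,
}

// UnlinkEvent is the parsed form of one unlink/unlinkat syscall.
type UnlinkEvent struct {
	Syscall string // "unlink" or "unlinkat"
	Path    string // decoded path, or "" when strace printed only a pointer
	Result  string // return value exactly as strace printed it
}

// unlinkRe makes the quoted path one alternative of a group that also accepts
// a bare hex pointer, so a line without a decodable path still yields an event
// (with an empty Path) instead of being skipped. The optional AT_FDCWD prefix
// and trailing flags handle unlinkat.
var unlinkRe = regexp.MustCompile(
	`^(unlink|unlinkat)\((?:AT_FDCWD, )?(?:"([^"]*)"|0x[0-9a-f]+)(?:, \d+)?\) = (.+)$`)

// ParseUnlink returns the event for one strace line and whether it matched.
func ParseUnlink(line string) (UnlinkEvent, bool) {
	m := unlinkRe.FindStringSubmatch(line)
	if m == nil {
		return UnlinkEvent{}, false
	}
	// m[2] is "" when the pointer alternative matched; that is the case the
	// original path-only regex would have missed entirely.
	return UnlinkEvent{Syscall: m[1], Path: m[2], Result: m[3]}, true
}

// ParseAll keeps every unlink-family event and ignores other syscalls.
func ParseAll(lines []string) []UnlinkEvent {
	var events []UnlinkEvent
	for _, l := range lines {
		if ev, ok := ParseUnlink(l); ok {
			events = append(events, ev)
		}
	}
	return events
}

func main() {
	for _, ev := range ParseAll(sampleLines) {
		path := ev.Path
		if path == "" {
			path = "<undecoded pointer>"
		}
		fmt.Printf("%-8s path=%-24s result=%s\n", ev.Syscall, path, ev.Result)
	}
}
```

The point for a sandbox that records file deletions as a behavioural signal is that the pointer-only line is still evidence of an attempted unlink; an analysis pipeline should record it (flagging the missing path) rather than let a strict regex discard it.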
New Contributors
- @h0x0er made their first contribution in #978
- @lukehinds made their first contribution in #983
Full Changelog: rel-35...rel-36
rel-35
What's Changed
- Add script for kubernetes deployment by @maxfisher-g in #939
- fix issues with deploy script and move it to the scripts/ folder by @maxfisher-g in #941
- update static analysis json schema for bigquery ingestion by @maxfisher-g in #942
- add BigQuery loader function for static analysis by @maxfisher-g in #943
- update dynamic analysis Load function by @maxfisher-g in #947
- enable code execution feature in worker by @maxfisher-g in #946
- Add OSV-Scanner github action by @maxfisher-g in #949
- add execute phase to dynamic analysis JSON schema and update loader deployment commands by @maxfisher-g in #953
- add osv-scanner.toml by @maxfisher-g in #951
- add separate result bucket for execution log by @maxfisher-g in #950
- add explicit go setup step for CodeQL analysis by @maxfisher-g in #954
- add alias of scanned vulnerability by @maxfisher-g in #955
Full Changelog: rel-34...rel-35
rel-34
What's Changed
- Use os.Create to truncate the results file if a previous one exists. by @calebbrown in #940
Full Changelog: rel-33...rel-34
rel-33
What's Changed
- worker: run dynamic and static analysis unconditionally by @maxfisher-g in #921
- static analysis: rename "description" field to "detected_type" by @maxfisher-g in #923
- make token.IdentifierType into an integer enum by @maxfisher-g in #922
- Inline single-key JSON structs in static analysis formatter script by @maxfisher-g in #925
- Make public API struct for static analysis data by @maxfisher-g in #920
- omit null JS and valuecounts data from staticanalysis result struct by @maxfisher-g in #924
- Update CONTRIBUTING.md with style guide note by @calebbrown in #931
- Add execute phase to dynamic analysis by @maxfisher-g in #926
- disable strace debug logging in worker, add feature flag to enable separate logging in analysis image by @maxfisher-g in #932
- Add ssh key pair bait to sandbox by @elainechien in #916
- write static analysis results to v1 bucket by @maxfisher-g in #908
- update docs for static analysis data schema by @maxfisher-g in #936
- add Makefile recipe to build test images for e2e test by @maxfisher-g in #937
Full Changelog: rel-32...rel-33
rel-32
What's Changed
- Enable package saving. by @calebbrown in #882
- Add dnsutils to dynamic analysis image + remove extra update/upgrades by @calebbrown in #890
- dependabot: group all minor and patch updates by @maxfisher-g in #891
- Fix dockerfile to match best practices by @calebbrown in #892
- Remove result_bucket_override support. by @calebbrown in #895
- Default "on" SaveAnalyzedPackages now it is enabled in prod. by @calebbrown in #896
- Add test credential access functionality and package structure refactor by @elainechien in #856
- add doc for results data format by @maxfisher-g in #898
- bring static analysis schema JSON into line with actual data format by @maxfisher-g in #899
- Update go version in README.md by @maxfisher-g in #900
- create /root/.ssh directory in dynamic analysis Dockerfile by @maxfisher-g in #901
Full Changelog: rel-31...rel-32
rel-31
What's Changed
- Handle missing PyPI packages properly as well. by @calebbrown in #881
Full Changelog: rel-30...rel-31
rel-30
What's Changed
- remove email address from static analysis schema by @maxfisher-g in #879
- Fix Packagist JSON parsing to correctly parse dist fields. by @calebbrown in #880
Full Changelog: rel-29...rel-30
rel-29
What's Changed
- static analysis minor bugfixes by @maxfisher-g in #877
- don't upload static analysis results when there is no data by @maxfisher-g in #878
Full Changelog: rel-28...rel-29
rel-28
Main changes:
- Static analysis data schema updates
- Migrate logging to log/slog
- Bug fix to allow package saving to work
What's Changed
- Migrate the analyze cmd to slog. Remove unused log funcs. by @calebbrown in #846
- static analysis: rename FileType to Description, fix some json names by @maxfisher-g in #847
- loader: add static analysis schema, rename dynamic analysis schema to match by @maxfisher-g in #848
- Use node v18 instead of v12 (the default for Ubuntu 22.04) by @calebbrown in #849
- Replace more logging calls with slog and context. by @calebbrown in #850
- Fix bugs in static analysis schema by @maxfisher-g in #855
- JS parsing: Improve handling of string templates by @maxfisher-g in #854
- Move more logs over to slog. by @calebbrown in #851
- Move the sandbox code over to slog and propagate context everywhere. by @calebbrown in #857
- Add xxd to dynamic analysis sandbox. by @calebbrown in #858
- Make explicit top-level structs for serialised analysis results by @maxfisher-g in #859
- Turn the result dest into a result store instance. by @calebbrown in #860
- move created field to top level in static analysis schema by @maxfisher-g in #861
- fix null values in static analysis parsing results by @maxfisher-g in #863
- Rename obfuscation package to signals by @maxfisher-g in #866
- Add env var support to sandboxes so LOGGING_ENV can be passed to static analysis. by @calebbrown in #864
- Add parsed string value to EscapedStrings struct by @maxfisher-g in #867
- move key fields to top level in static analysis schema by @maxfisher-g in #868
- Static analysis: unify result struct into single array of file data (second try) by @maxfisher-g in #872
- Migrate to slog in static analysis, and remove now-dead logging code. by @calebbrown in #871
- clean up dependabot config and check for GH actions updates weekly by @maxfisher-g in #873
- Complete the slogging changes. by @calebbrown in #874
- add constant for static analysis schema version by @maxfisher-g in #875
- remove email address detection in string literals by @maxfisher-g in #876
Full Changelog: rel-27...rel-28
rel-27
What's Changed
- explicitly use --require-hashes in pip install command by @maxfisher-g in #791
- More GCP PubSub tests and enable lazy nacks by @calebbrown in #792
- pass logger instance to strace parsing functions by @maxfisher-g in #802
- Improve archive download code by @maxfisher-g in #805
- Add option to print feature flags in analyze script by @maxfisher-g in #820
- Create sample python package by @elainechien in #801
- Minor static analysis refactoring by @maxfisher-g in #817
- add URL, IP and email address detection in strings by @maxfisher-g in #818
- print static analysis errors using logger by @maxfisher-g in #823
- Rework of bucket path handling in resultstore.go by @maxfisher-g in #825
- Static analysis result structure rework by @maxfisher-g in #838
- Remove entropy summaries and record string literal and identifier entropy as part of parsing phase by @maxfisher-g in #839
- update go to v1.21 by @maxfisher-g in #842
- Improve static analysis unit tests and do cleanups by @maxfisher-g in #843
- Enable log/slog from Go v1.21 and migrate scheduler. by @calebbrown in #845
Full Changelog: rel-26...rel-27