0.1.0-nightly.a562397c
Pre-release
Pre-release
·
1414 commits
to main
since this release
Changelog
Unreleased (2023-10-11)
Features
- add some filters
(2392b76) - add severity field
(4b2b201) - add predicates/field for severity
(7d742f4) - add cve index
(720c528) - add v11y indexer
(b2ca425) - first attempt at searching CVEs
(9a18950) - working version of the donut poc
(a9200ac) - add donut experiment
(736b486) - implement CVSS indicator from sketches
(66be959) - add cli command for uploading
(e8c1868) - add feature flag for running acceptance tests only
(38866f5) - propagate s3 events to indexed queue
(5346fb4) - enable guac in app-sre
(255b43d) - enable guac in openshift template
(b70ce49) - use the upstream logo
(2d8f90a) - add production branch
(1ab72f5) - support different reindexing modes
(a48704e)
Fixes
- inconsistent page state
(3a466c4) - swap around
(8dcb50c) - add "test"
(a05d43c) - add v11y indexer
(ef15b30) - add v11y s3 credentials
(1effd63) - use correct vexination url
(df683c3) - using wrong data type
(7c1a5da) - fixup for --devmode
(dc3d655) - update to s3 collector with fixes
(115c48b) - commit to trigger build
(7d05f3c) - try with regenerated version
(ead8bdd) - try to inline trunk builder on UI containerfile
(49544a4) - try older version of trunk base
(5947e60) - add note on running in production
(d44b195) - task name
(3ae48a8) - point to bundle with sha
(2093dc9) - remove git sha from build
(1b07f0a) - bump buildah memory limits
(d131c0a) - update openshift dashboards
(b9518ad) - combine dashboards
(1dbc384) - update SLO dashboard
(3c6308a) - update dependencies
(b23ff62) - introduce CRDA_URL template param
(d51c52a) - fix the walker upload
(c9bf5a2) - handle delete markers as delete events
(141afe4) - improve handling of new type of VEX without advisory description
(4a4ac62) - unignore empty vex tests
(f1c6991) - remove dummy env var
(dfc1f38) - remove merge queue
(1a5a923) - different job name for each run
(b3fada8) - set driver env to dummy value
(441d50d) - try updating integration test template
(ca2b3b3) - use recreate strategy for v11y
(f295e31) - guac image
(9762002) - reset value attribute after loading
(96f5a0a) - enable collector
(f8c317d) - use correct topic
(89b8bae) - set missing s3 host and port
(b65cd47) - use correct arguments to new collector
(2f38c54) - return error if upload failed
(b66b44a) - disable unreliable test
(158bea6),
closes #618 - make log level configurable in helm values
(83c2c5a) - remove debug and parameterize namespace
(17a7450) - remove with-services feature to avoid breaking CI
(45d0f1c) - make correlated doc id's truly unique
(c4ce3be) - clippy
(7732198) - always reindex in app-sre because its convenient and we keep few docs anyway
(65ca705) - put secret name in correct location
(6dffda9) - enable snyk and nvd
(003305c) - convert walkers to cron jobs
(b756c71) - confirm index entry delete in log
(9e635ed) - make walker interval adjustable
(85379fb) - update to csaf-walker 0.5
(dab8676) - fix UI issue with unknown content
(8d0c068) - actually evaluate the fix flag
(e266541) - align the usage of --sink for the bombastic walker
(f3e60b2) - add read:document scope to walker client
(ed8d20e),
closes #0
#0
#0 - use the test context teardown fn to delete fixtures
(180e9eb),
closes #587 - release flow syntax
(e79a238) - remove nightly workflow
(db348f9) - add id qualifier to default fields
(a7fe584) - fix license in test data
(a6345e7),
closes #589 - use gpg v3 signatures
(480971b) - remove walker scripts
(71e7d8d) - use the new cyclonedx-bom crate
(8e935bb) - configure nats address explicitly
(5020d2a) - commit correct file
(8073400) - exhort reencrypt route
(2e7e449) - walkers urls and auth
(68d3555) - port bindings
(054478b) - add missing parts
(3cd1861) - use default the way clippy recommends
(c8f3dbc) - impl default and use in test
(607bdeb) - clippy
(e725fef) - reuse single client instance
(6f90dc7) - add oidc params to vex walker
(3d29d1d),
closes #547 - don't log access tokens
(fc9deaf) - fix broken s3 paths on s3
(f9cb8b3)
v0.1.0-nightly.faf47378 (2023-09-20)
Features
- allow getting by ID
(9ef59da) - add TLS support to most of the clients
(eacdac8) - add Http endpoint builder, and migrate Bombastic to it
(8c36365) - add readiness probe for API search availability
(d8ca663),
closes #532 - add real health checks
(9a29169) - allow setting a base path for the database
(832002b) - Add NVD collector
(6f49312) - allow searching advisory and cve dates separately
(f6bc29f),
closes #519 - implement default values for radio groups
(e9fd0c0) - allow using javascript snippets to generate search terms
(d7d735f) - add radio button support
(10be1e6) - Enable async guac ingest and adapt config
(ea9b60f) - providing support for getting encoded objects from the storage
(53ffbc4) - add --devmode to collector osv
(bbfa135) - bring --devmode to oidc client config
(8c0263e) - add oidc token providers to clients
(d5cd3e3) - add token provider to v11y client
(8f788bd) - add a simpler way to use no-op tokens
(1516ff6) - add welcome hint for scanner
(6dcfe05) - add "SBOM by dependency" tab
(d9d6fad) - upgrade to tantivy 0.20
(70afb82),
closes #283 - add markdown parser to CSAF notes
(aadc133) - allow searching without fetching document summaries
(0d52589),
closes #450 - make more things configurable
(519a990) - allow adding scopes to the backend info
(48a949f) - expand vexination API to allow deletion of VEX docs
(d43d76f),
closes #438 - allow adding additional scopes based on OIDC client config
(3e60f0f) - minor naming tweaks and docs for integs
(3e925cb),
closes #401
#424 - add container with integration test binaries
(317a13a) - allow building tests without building all of trustification
(dcbdfdd) - point the integs at a remote trustification server
(918c159),
closes #401 - add indexing timestamp
(86e0567) - add get related packages query
(a9085f7) - add get dependents for a package
(5ba652c) - add get dependencies logic
(ad2825e) - make each integ test run use a unique identifier
(dab3864) - factor event waiting logic into a more useful helper fn
(d9ea1d9),
closes #363 - make index size configurable
(9cd37df) - support using s3 directly as index backing store
(fe2d820),
closes #333 - allow configuring reindex at startup
(c572eb2) - add reindexing support
(71cd5ea),
closes #379
#9 - allow disabling authorization
(8c72dd9),
closes #372 - implement sorting for search indexes
(d6f6351),
closes #247 - add vuln-counters
(14e7720) - show support URL
(79b3215) - enable custom scoring for vexination
(29662a0),
closes #348 - add CVE severity count to document summaries
(d43d342) - add the "clear all" button
(0adc2dd) - add pre-defined query for "products"
(1caab7b) - provide a unified search experience
(16d956b) - exhort analysis delegates to collectorist fanout
(290d5b4) - modify response structure to include vurl's for each purl
(25b69a2) - plumb the collectorist api for triggering fan-out
(839d9b0) - listen for the SIGINT and SIGTERM signal
(04722c0) - allow injecting the access token into URL queries
(5dc63cb) - re-add correlated advisories directly related
(abf4ba0) - add a warning that authentication is turned off
(88b6f3b) - deploy a walker client
(c28390b) - allow setting OIDC client argument via env-vars
(3e99a3e) - add oidc client auth to the bombastic walker
(dce7150) - render CRDA report in SPOG UI
(dc87dc6) - add CRDA integration
(84ee4ba) - add CRDA integration
(8b0f01a) - add CRDA integration
(4550093) - configure OIDC with --devmode
(3d1b7d3) - allow setting auth config by env-vars
(e634448) - pass access_tokens to be backend
(453b3ed) - add OIDC authentication to the spog api
(20e9217) - add OIDC support to parts of the backend
(82e9bee) - add logout
(1e654f9) - add dark mode switch, drop gravatar
(ea44b97) - add oidc login to the frontend
(7b201bd) - allow overriding the landing page content
(7bd40f1) - add a way to add dividers to filter groups
(fed3030) - show remediations
(e87de6d) - search version by default
(836d833) - make the index document available as metadata
(012284c) - cleanup dynamic configuration, use it for advisories
(ddda15d) - add a schema for the config file
(0b8e421) - allow dynamic search configs
(3bf46b9) - allow configuring search
(0a5c66c) - add predefined product filters for SBOMs
(2f825ac) - add a "not found" page
(4735e2f) - add vex exporter
(40e64b3) - add placeholder animation while loading
(027079f) - store the pagination state in the history alongside the search
(b74d6d3) - increase concurrency of VEX walker
(bc71b07) - add infrastructure to exporter
(b559712) - add ocp3 to the predefined list
(a580b28) - upgrade guac image and compose file
(e567406) - enable test harness to provide either bombastic or vexination
(4c36757) - make the advisory search a bit more like the product search
(c7dac24) - expose the aggregated severity
(06cbe34) - work towards "catalog" view for advisories
(8d6ae86) - use exact match for ids
(3e79ada) - add metrics from HTTP APIs
(18af99e) - add support for providing bombastic api key
(c89eca3) - add basic authentication support for write APIs
(4893a64) - trigger download dialog, when downloading
(e12f94b) - highlight filter in package list
(5c17f03) - aggregate some packages
(ab552a6) - add a basic help popover for search
(b6659e7) - avoid port conflicts when running concurrent integs
(20d3453) - tune relevance of some fields
(4f47599) - allow searching with OR AND NOT and ()
(ef78ae8) - add infrastructure to walkers
(d7fab78) - add prometheus metrics integration
(35f2170) - get catalog view more ready
(5e51bb1) - parse search
(79f4995) - list external refs on main package
(8c792c0) - extend the SBOM viewer, allowing to drill into packages
(1333b38) - work towards catalog view
(14ca0cd) - use string matching for supplier
(26039ca),
closes #177 - add support for search qualifiers by key=value
(a4a693d) - add option to explain why a document matched
(e8f37dc) - use more flexible matching for string fields
(6a146e0) - add version information
(74af3a3) - provide links to bombastic and vexination openapi
(ebc0a10) - add openapi to vexination API
(40d8540) - improve bombastic API description
(5da2e99) - add triggering of staging workflow
(338a46d) - reduce default set of searched fields
(b3dd29a) - add script for pruning nightlies
(0f04654) - add workflow for releasing
(d84aaaa) - add integration tests
(3018d65) - add trust-docs container and manifests
(3bd015a) - improve bombastic search experience
(92db1c3) - add subdomains for APIs
(c2ac757) - use multivalues instead of multiple documents
(cd53564),
closes #150 - order index by dates
(d7a6b23) - make the accept-encodings less hard-codey
(9742861) - refactor to facilitate non-json SBOM's
(c617fba) - add advisory summary to use in frontend
(02ad1e6) - show latest published VEX and SBOM in search by default
(dee34ed),
closes #121 - add same CVSS score coloring as for advisories component
(4620043) - enable consolidated configs for exporter
(90dbcb1) - add openapi definitions to spog
(a451688) - add exporter to docker compose
(d7001b4) - don't notify on export
(e6f8ed0) - Implement guac exporter
(6b7b0b2) - add package details pane with download
(08fbe00) - refactor spog to use vexination HTTP API
(ca3ab39) - make it easier to work with local image
(1cd8e10) - add bombastic-search and use in spog
(129c953) - accept bzip2 encoded payloads to avoid decoding on upload
(1eb913a) - accept bzip2 (or zstd) encoded SBOM's
(fc1fa0b),
closes #115 - introduce actix Compress middleware
(59fac6d) - add fn to return encoded stream
(5e33821) - use multivalue values for affected and fixed packages
(43d50b0) - add download of VEX
(8182925) - separate page for vulnerabilities
(b9fca22) - compress objects while writing to S3, uncompress while reading
(f656e48) - add vanity url
(a21d8ba) - deploy spog ui
(606678e) - deploy spog api
(071229f) - add k8s resources for vexination and bombastic
(1edc623) - move compose files from root
(918017f) - add guac docker compose
(f5ea0a2) - remove annotations from the storage api
(d1f9d9b) - stream SBOM's and replace Object w/S3 metadata
(da1dc5f) - replace sqlite index with search index in bombastic
(011b3fc) - add basic search in the UI
(768e41b) - add range and date queries
(e0b5a77) - update to "next" card implementation
(004a684) - use sikula derive
(4b16d82) - generate tantivy query tree from sikula
(9e9a1c8) - add more fields to vexination index
(faef021) - first stop of implementing search
(d97a65e) - one binary to rule them all
(150f818) - add compose file
(ceee431) - do batch commits to event bus to speed up processing
(a69addf) - search index for vexination
(3f16ad6) - build containers for all services
(03171a7) - add walker options for controlling validation
(5e0054c) - ingest data to vexination
(3197e10) - add build matrix for container build and publish
(cf273c3) - initial import of vexination
(664b9b9) - make storage independent of bombastic
(fc8cbad) - import bommer
(fc2b213) - add default values for index and events arguments
(9289f44) - allow overriding the purl when uploading an SBOM
(a7ab833)
Fixes
- use correct name for spog api metrics
(faf4737) - CLI fails to start due to conflicting short argument
-s
(9aa5736) - antora requires git in context
(bb00ad0) - vex walker publishes to api url instead of directly to storage
(b16586e),
closes #547 - don't panic on empty response
(3e4662c) - recreate stream from last page on object retrieval errors
(b28a2be) - improve reliability of Guac integration test
(04f0f9c) - choose a different way to handle drop
(afb1af3) - integration test compilation
(10be3c9) - introduce transient and critical error categories for event bus
(b695ba6) - work around an IPv6 issue
(de031cc) - work around clap-rs/clap#5127
(d572403) - fix use of optional dependency
(a9b7027) - retry objects that fail fetching to avoid failing retrieval process early
(e3e382d) - rename
(89b7f27) - retries for reindexing
(68e9ddf) - tekton pipeline migration
(9e85fcc) - a bug in the reset mechanism didnt set the next state correctly
(0fb43ff) - move buttons outside of card
(d9d2b86) - check permission first
(4107fcb) - reindex starting from an empty index
(484c95f) - remove workspaces
(460fdfc) - remote async ingestor
(35da46b) - hide internal errors in API responses
(d0b0c17) - when analytics is disabled, don't ask for consent
(13f8603) - change order of components to support the context requirements
(11d61c0) - add missing ignore
(75fd974) - update nightly compose version
(eb5bb44) - remove inaccurate comment
(8a8aa58) - remove coarse grained index lock
(81414c6) - reduce API latencies by removing unneeded storage lock
(7a383d4) - align env var and cli arg name
(6fc5fa2) - allow configuring sqs via deterministic env vars
(7129a4c) - sorting by severity requires a different fast field reader
(fc81c6d) - keep sorting config for empty queries
(9eb5c86) - don't show all advisories in case there's no identifier
(5535e99) - limit length of columns and truncate version when necessary
(aa5b5f1) - ensure that directory state is not changed if sync failed
(246d4c2) - speed up by using Rcs to handle SBOMs
(7dba8f2) - clippy
(aab82c2) - ensure index is reloaded only if digest has changed
(0cdede5) - race condition reading from s3
(8ba64ff),
closes #447
#353
#343 - prevent panic if limit is zero
(2dccd85),
closes #455 - move a few forks over to the trustification org
(f265ee9),
closes #458 - duplicate target name warning
(1707a65) - integration tests
(6328513) - remove package dependency list from summary
(8acbdd0) - update integration test
(ac9fd9a) - update to sikula version that does scoping correctly
(b0cfa4e),
closes #436
#436 - trim CPE suffix wildcards
(cfc8c50) - deduplicate fixed and affected packages
(36ba01d) - allow overriding ISSUER_URL for tests via env
(860e9d0) - delete sbom/vex docs created by spog integration tests
(182ce9b) - delete sbom's created by integration tests
(863bf4a) - don't limit concurrency arbitrarily, especially on CI
(b78355d) - compose connection between spog api and guac
(725fa46) - doc links
(e0e1f66) - use repo token for protoc action
(142f561) - add wait for keycloak in compose-trustification
(f2d37a6) - add Z option to volume mount as an env var
(0355f68) - rename tekton pipeline for frontend
(98654e7) - ensure keys are sent to indexed topic after snapshot is published
(3bf9858),
closes #393 - auth for guac services
(16fffc8) - affirm indexer parse error emits a failed event
(adc7bfa),
closes #363 - affirm indexer sees delete event in search test
(e68f6f3) - ensure data path is removed from reindexed key
(ad8d9c2) - snapshot during reindexing
(9cf3c0d) - point to openapi spec for details
(1b56a8e) - ensure command channel is not closed
(2cf6462) - enable repo token to prevent rate limiting
(88fd354) - use separate ids for integration tests
(5122cd6) - disable authorizer using authentication-disabled
(0416c18),
closes #387 - add field, not replace object
(2916678) - allow overriding the client id for the nginx UI instance
(aba358a) - describe auth and cli setup
(beddd7e) - improve API error reporting
(40016bf),
closes #360 - propagate disabled flag for authentication config
(d415d53) - add OIDC/OAuth2 information into the swagger ui
(e38abed) - unit test
(0a36ba8) - use scoring of advisory severity and enable sorting
(8928a9b) - add missing files
(808f768) - clippy
(e01ca8c) - satisfy clippy
(55c2afa) - also consider actual product for listing, not only references
(e8c2e86),
closes #311 - make the swagger ui and the openapi spec public
(1be7cc3) - clippy errors
(2ab57d1) - flatten the fanned responses
(2cae542) - only return purls with vulnerabilities
(fdb1146) - upgrade sikula to fix issue with OR terms
(fde8859) - ensure index is garbage collected when snapshot is taken
(87b5a3c) - use pinned kafka image
(bb468fc) - inject access code before trigger document download
(921ed8e) - differentiate between backend and frontend URLs
(2ccb946) - add id provider setup after realm creation
(21afd30) - fix layout issue with overlapping switch component
(059e214) - restart failing services
(575476b) - terminate processes (like exporter) on sigterm
(14c8599) - avoid noisy 500 errors by only polling when purls are present
(c925a71) - wrap the backdrop viewer with the oauth2 context
(06be3bf),
closes #329 - remove primary for some bombastic fields
(972f270) - disable correlation search temporarily
(0901f30) - ensure test retries allowing vex index to sync
(5fff1e0) - cargo fmt
(98ec741) - query associated advisories using cpe OR purl
(678dd7f) - use older keycloak version with working healthcheck
(dcd9d62) - allow overriding the issuer URL in case of the compose deployment
(f65189c) - add missing env vars required for kafka image
(e216f24) - remove unnecessary guac services
(b0ec222) - allow setting the issuer url in the startup script
(26b44b5) - ensure protoc is installed prior to running integ tests
(c380e67) - allow to start guac and ingest data
(741a3a3) - show alert when product id is invalid
(f846fd1) - populate components when navigating back
(4efcc04) - clean up the search model for package as well
(95b6944) - remove workaround for table expand issue
(dfb8a26) - use "or" correctly
(73c3282) - refactor pagination, handle corner cases better, fix some issues
(39bfd51),
closes #278 - integs when buckets are pre-populated
(4de058b) - don't show an empty tooltip
(35936de) - use correct image location
(f0ed810) - escape terms in simple mode
(5cfa308) - make TRUST_VERSION mandatory
(25a7c2e) - add instruction on where to find UI
(8fce4fc) - fully qualified nats image name
(c0353da) - split walkers into a separate compose file
(1ddf3be) - vexination-walker should wait on minio service
(b9ca1a9) - update compose file
(b2f46a3) - group categories
(60bd32a) - don't double OR
(5fca29d) - fix up or-grouping
(e6a9ded) - don't search AND, but OR
(7e41d78) - search by text
(4c509d3) - support partial matches of packages
(0468b32),
closes #235 - search for aggregated severity
(1d9a82f),
closes #235 - remove Pet refs to fix swagger-ui error
(631a2db) - add body param to swagger-ui for uploads
(a25aa80),
closes #232
#233 - avoid 404 adding double slash to API
(fa9b25d) - download prodsec key to workdir
(e6d8a29) - set secret from env
(e70b646) - integration tests
(67224c5) - add delete integs
(c037a54) - correct docs re S3 delete behavior
(c4886c3) - try to be clear about tests sharing a bucket
(f54a1f5) - add positive term for not queries
(76e2f27),
closes #215 - don't fail with omitted search string
(091ecc8),
closes #223 - don't aggregate search scopes
(dd0fd64) - use the correct button style for PF5
(aa6324d) - we need NoStore instead of NoCache
(d2895a9) - prevent duplicates in index
(a81ea3c),
closes #201 - use the id as name when the name is empty
(7c11f0c) - add a separate index field for the SBOM name
(973b8a7) - wrong key used to lookup CPE in spdx
(de60405) - keep performance up when having bigger SBOMs
(08584e5) - change date queries to match on day instead of millisecond
(25500b2),
closes #176 - inject bombastic and vexination urls
(a1cf166) - tune indexing options
(29d14e7) - clippy
(ae8a268) - metadata can now be attached to large, multipart SBOM's
(60ff54f),
closes #161 - revert accidental commit
(8edf918) - try more robust way of passing digest
(7518259) - dont use matrix for publish job
(e5b4e36) - add missing write permissions on release
(a915b5e) - attempt to fix names
(08befde) - put permissions in the right place
(5579506) - specify signing permissions
(f1a5893) - Bad link to DEVELOPING.md
(a15aee6) - typo in var name
(bd58f8a) - only care about linux for now
(518c9d0) - parameterize container uploaded name
(e9fae00) - add inputs for defaults
(75ac5dd) - run only as part of CI
(12ffb83) - use default-members instead of a feature
(1789529) - remove unneeded exclude
(c458ad4) - copy nginx config from the right place
(aefe9c7) - docs build
(e0432f2) - lookup related packages in index
(e5897db) - remove highest score column
(398d48a) - bow before lord clippy
(8480cac) - graphql health port
(7f71d14) - take into account the number of collapsed
(b57c70a) - k8s manifests update after configuration changes
(78a35fb) - hide X icon when there is no text
(a7f11cd),
closes #120 - remove 'Organization: ' prefix from supplier
(308cda7) - handle multipart object created events
(e7b4308) - cargo fmt
(d830e83) - expose service on standard HTTP port
(6ddba1d) - clean up docs around uploading SBOM's
(1ac97da) - unit test
(42662d5) - cargo fmt
(ee3666b) - add rustfmt for nightly
(901a79d) - update k8s deployments after refactor
(ae7bd32) - use content-type and content-encoding correctly
(397bc56) - more format
(e3993cf) - cargo fmt
(cb8da7d) - stream vex download
(c32fcbd) - dont block executor if infra is not enabled
(687140b) - add bind address
(6dca848) - add /health scope to health endpoints
(5551a2f) - load index from storage at startup
(6605dbc) - missing pieces k8s
(1608d9a) - improve docker compose depends on functionality
(114d8b9) - unify handling of storage events from minio and s3
(c576b86) - remove cvss from default fields for the moment
(e5634b1) - remove fileextension for index file
(231e94c) - container image publishing
(bb8b401) - be strict requiring valid signatures
(b1a086d) - only apply schema in indexer
(4ca0daf) - formatting
(51de95c) - raise default body limit to 10 MiB
(73864bd) - report 404 if an object could not be found
(6be5170) - allowing parsing SBOMs with missing purls/digests
(3e23a08) - make sbom parsing less strict
(d52cfb7) - change keycloak port to not conflict with api default
(4e2dff8) - add spdx-formatted sbom test data
(c3f8002)