Releases · guacsec/guac

30 Apr 21:38

github-actions

v0.6.0

a5d1d12

v0.6.0 Latest

Latest

Highlights

PostgreSQL/Ent is complete, optimized, and supported!
REST API endpoints are starting to appear
CLI commands now allow specifying arbitrary http headers
Ingestor logs now include document references
Document references are attached to nodes as part of source information

Changelog

c0e35bf Add GUAC Version to Logs (#1856)
3bb8b21 Add a transitive dependencies endpoint to the REST API (#1867)
136ad62 Add guaccollect files option to set origin to blob path (#1811)
ae3c1aa Add missing dev tools to nix shell (#1819)
90d95a5 Add standalone postgres compose (#1868)
d95860c Add the ability to specify HTTP headers for CLI commands (to support Auth proxies) (#1845)
c6aaf87 Bump actions/checkout from 4.1.2 to 4.1.3 (#1861)
e2e4121 Bump actions/checkout from 4.1.3 to 4.1.4 (#1875)
3e827b8 Bump actions/create-github-app-token from 1.9.1 to 1.9.2 (#1802)
eca2727 Bump actions/create-github-app-token from 1.9.2 to 1.9.3 (#1823)
5a048cd Bump actions/setup-python from 5.0.0 to 5.1.0 (#1801)
1984c68 Bump anchore/sbom-action from 0.15.10 to 0.15.11 (#1877)
ae9966c Bump anchore/sbom-action from 0.15.9 to 0.15.10 (#1803)
2dc06e2 Bump aquasecurity/trivy-action from 0.18.0 to 0.19.0 (#1804)
17e8bd7 Bump cloud.google.com/go/storage from 1.39.1 to 1.40.0 (#1799)
eed71a5 Bump github.com/99designs/gqlgen from 0.17.44 to 0.17.45 (#1857)
36f1133 Bump github.com/arangodb/go-driver from 1.6.1 to 1.6.2 (#1826)
70babbd Bump github.com/aws/aws-sdk-go from 1.51.7 to 1.51.12 (#1798)
9c1eb23 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.53.0 to 1.53.1 (#1840)
f0e44fd Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.31.2 to 1.31.4 (#1825)
fd69617 Bump github.com/fsouza/fake-gcs-server from 1.47.8 to 1.48.0 (#1881)
19506b6 Bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 (#1827)
60d8dc8 Bump github.com/google/osv-scanner from 1.7.0 to 1.7.1 (#1824)
21b65fb Bump github.com/klauspost/compress from 1.17.7 to 1.17.8 (#1882)
1857403 Bump github.com/nats-io/nats.go from 1.33.1 to 1.34.0 (#1800)
a586a92 Bump github.com/nats-io/nats.go from 1.34.0 to 1.34.1 (#1879)
282ea21 Bump github.com/pitabwire/natspubsub from 0.1.2 to 0.1.3 (#1843)
6a164f5 Bump github.com/redis/go-redis/v9 from 9.5.0 to 9.5.1 (#1841)
af5d83e Bump github.com/regclient/regclient from 0.5.7 to 0.6.0 (#1797)
1ea2819 Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#1860)
bb6b63d Bump gocloud.dev/pubsub/rabbitpubsub from 0.36.0 to 0.37.0 (#1842)
9317e44 Bump golang.org/x/net from 0.22.0 to 0.23.0 (#1853)
80d7d0d Bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 (#1876)
9445fc0 Bump google.golang.org/api from 0.169.0 to 0.172.0 (#1796)
a2c1206 Bump google.golang.org/api from 0.172.0 to 0.176.0 (#1858)
e8e4c30 Bump google.golang.org/grpc from 1.62.1 to 1.63.2 (#1859)
d3f8704 Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#1839)
e69c19f Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 (#1878)
71c5547 Fix GitHub collector to accept explicit tag in urls (#1818)
1381c07 Fix goreleaser flag deprecation warnings (#1814)
db16cdc Fix the Overview Diagram (#1836)
46e8893 Fixes to HTTP Header functionality for CLI commands (#1852)
56ed851 Go generate (#1869)
4741c1c Handle null SPDX relationship values without panicking (#1822)
358205b Include a more descriptive debugger for the collector and processor (#1830)
6100427 Make the CSub GetCollectEntries() RPC response streaming (#1865)
3577d4d Populate SourceInformation.DocumentRef in collectors (#1847)
3f124e3 Remove unused variable (#1851)
ef4658e Run the guacgql HTTP server on only one port (#1805)
d0c51f5 Update error handling on ingestion (#1832)
6638a53 Update gql, parser and backends to add new documentRef field (#1844)
a0a0a82 Update graphQL schema to add documentRef field to all verbs (#1834)
d861241 Update graphQL, resolvers and add backend stubs for pagination (#1862)
c2477fa Update readme with supported backends. (#1873)
8189495 [ENT] Complete ent pagination and update backend tests (#1870)
2ec6bc9 [ENT] fix issue with index on artifact (#1835)
5ff8e90 [ENT] fix trie output for package, source and vulnerability (#1863)
2180123 [Ent] Add missing neighbor, node and path query (#1815)
a5d1d12 [FIX] Ingestor should not ack message on failure (#1874)
d908792 [FIX] implement fixes based on parsing and querying errors for CDX (#1855)
3d6f3c0 [fix] OSV unit test update and replaced deprecated types.Descriptor (#1807)
3dba718 add new re-designed overview diagram for GUAC (#1831)
5b2e267 added github release identifier string type (#1820)
b5e2b39 feat: switch golang/mock to uber-go/mock (#1866)
573a8d8 fix queue to deliver message directly (#1837)
0550c31 remove built in query noder as it was not properly returning the fields in the queried nodes (#1829)

Assets 71

guac-compose.tar.gz

2.97 KB 2024-04-30T21:40:38Z
guac-demo-compose.yaml

1.89 KB 2024-04-30T21:40:39Z
guac-postgres-compose.yaml

3.51 KB 2024-04-30T21:40:39Z
guaccollect-darwin-amd64

148 MB 2024-04-30T21:38:29Z
guaccollect-linux-amd64

73.7 MB 2024-04-30T21:38:23Z
guaccollect-linux-amd64.spdx.sbom.json

208 KB 2024-04-30T21:38:43Z
guaccollect-linux-arm

67.7 MB 2024-04-30T21:38:35Z
guaccollect-linux-arm.spdx.sbom.json

207 KB 2024-04-30T21:38:46Z
guaccollect-linux-arm64

71.2 MB 2024-04-30T21:38:21Z
guaccollect-linux-arm64.spdx.sbom.json

208 KB 2024-04-30T21:38:43Z
Source code (zip)

2024-04-30T21:03:00Z
Source code (tar.gz)

2024-04-30T21:03:00Z

27 Mar 19:50

github-actions

v0.5.2

ef1c2c9

v0.5.2

Highlights

Fix ENT queries
Add missing collectors to guaccollect
Support image references by digest in the OCI collector
Add guacrest to docker-compose
Various bug fixes and improvements

What's Changed

c6a5159 Bump actions/cache from 4.0.1 to 4.0.2 (#1782)
a1b49c5 Bump actions/checkout from 4.1.1 to 4.1.2 (#1776)
0620ad5 Bump actions/create-github-app-token from 1.9.0 to 1.9.1 (#1781)
996f777 Bump anchore/sbom-action from 0.15.8 to 0.15.9 (#1767)
bac5b6d Bump cloud.google.com/go/storage from 1.39.0 to 1.39.1 (#1763)
b87ea96 Bump docker/login-action from 3.0.0 to 3.1.0 (#1775)
ade9c9e Bump github.com/Khan/genqlient from 0.6.0 to 0.7.0 (#1773)
f93a552 Bump github.com/aws/aws-sdk-go from 1.50.36 to 1.51.7 (#1787)
488b99e Bump github.com/aws/aws-sdk-go-v2 from 1.25.3 to 1.26.0 (#1772)
5c5973f Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.4 (#1760)
5c56383 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.4 to 1.53.0 (#1786)
a895253 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.29.7 to 1.31.2 (#1766)
b6608f6 Bump github.com/docker/docker (#1778)
e283206 Bump github.com/go-chi/chi from 1.5.5 to 4.1.2+incompatible (#1761)
fe4faee Bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 (#1788)
90fc632 Bump github.com/google/osv-scanner from 1.6.1 to 1.7.0 (#1755)
59897f2 Bump github.com/nats-io/nats-server/v2 from 2.10.11 to 2.10.12 (#1774)
cc5f59f Bump github.com/pitabwire/natspubsub from 0.1.1 to 0.1.2 (#1764)
b69464a Bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#1785)
3100b05 Bump go.uber.org/zap from 1.26.0 to 1.27.0 (#1762)
5cccd5e Bump gocloud.dev from 0.36.0 to 0.37.0 (#1770)
dcf7cef Bump gocloud.dev/pubsub/kafkapubsub from 0.36.0 to 0.37.0 (#1784)
3b007a2 Bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#1771)
c85eb0e Bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#1758)
1357a7c Bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 (#1783)
755a8e8 Check DependencyType values in isDependency ingestion and queries (#1780)
ac4c273 Include missing collectors (#1759)
f8286dd Included Query for Scorecard (#1791)
638ba85 Included a README for guacrest (#1719)
693be1a Support image references by digest in the OCI collector (#1779)
d41d633 [ENT] Fix all broken queries from the backend test suite (#1790)
6055128 add guacrest to docker and go releaser (#1792)
ef1c2c9 fix health check for rest api (#1793)

Assets 70

07 Mar 21:08

github-actions

v0.5.1

1f9eb7c

v0.5.1

Highlights

Add GitHub release/artifact collector to guacone: guacone collect github.
Fix a validation issue in guac-demo-compose.yaml

Changelog

2b196f5 Add Pagination to the Rest API (#1720)
c3efd23 Bump github.com/cloudevents/sdk-go/v2 from 2.15.1 to 2.15.2 (#1754)
4428d22 Fixed flaky test (#1752)
652c333 Fixed typos (#1751)
249a6f5 Included Guacone Collect Github (#1677)
d4a9a96 Included Polling for Github Collect (#1678)
67e4664 README for the Github Collector (#1731)
1f9eb7c Remove empty depends_on that fails validation. (#1757)
d490212 adds helper function to check for an arango collection index (#1750)
6985a57 move message acknowledgment for pubsub to be done after the ingestion has occured (#1753)

Assets 70

05 Mar 18:45

github-actions

v0.5.0

89019ad

v0.5.0

Highlights

Various updates to the graphQL API
Updated to the ENT backend to make ingestion quicker
Addition of the REST API features and build out
Metrics via Prometheus
Various bug fixes and improvements

What's Changed

ede754a Add Deps.dev collector to guacone (#1661)
89019ad Add a demo level docker compose yaml (#1747)
42f945e Bump actions/cache from 3.3.3 to 4.0.0 (#1653)
642a10c Bump actions/cache from 4.0.0 to 4.0.1 (#1740)
9686503 Bump actions/create-github-app-token from 1.6.3 to 1.6.4 (#1651)
9c3b5d0 Bump actions/create-github-app-token from 1.6.4 to 1.7.0 (#1667)
9e3cd9d Bump actions/create-github-app-token from 1.7.0 to 1.8.0 (#1704)
ceb3192 Bump actions/create-github-app-token from 1.8.0 to 1.8.1 (#1724)
93887c6 Bump actions/create-github-app-token from 1.8.1 to 1.9.0 (#1741)
45356ea Bump anchore/sbom-action from 0.15.3 to 0.15.5 (#1652)
c350930 Bump anchore/sbom-action from 0.15.5 to 0.15.6 (#1668)
3844bcf Bump anchore/sbom-action from 0.15.6 to 0.15.8 (#1691)
a3c3690 Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 (#1703)
1b58cd4 Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#1742)
a1fd412 Bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 (#1687)
1770712 Bump cloud.google.com/go/storage from 1.37.0 to 1.38.0 (#1716)
033f281 Bump cloud.google.com/go/storage from 1.38.0 to 1.39.0 (#1744)
d597f9e Bump entgo.io/ent v0.13.0 (#1707)
9e5d83d Bump github.com/99designs/gqlgen from 0.17.43 to 0.17.44 (#1715)
60210aa Bump github.com/aws/aws-sdk-go from 1.49.17 to 1.50.6 (#1672)
f7bdab8 Bump github.com/aws/aws-sdk-go from 1.50.6 to 1.50.11 (#1689)
68230c5 Bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#1725)
b1c67c9 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#1662)
590df02 Bump github.com/cloudevents/sdk-go/v2 from 2.10.1 to 2.15.0 (#1669)
ce741a7 Bump github.com/cloudevents/sdk-go/v2 from 2.15.0 to 2.15.1 (#1728)
5b8d7a9 Bump github.com/deepmap/oapi-codegen/v2 from 2.0.1-0.20240123090344-d326c01d279a to 2.1.0 (#1713)
0919d31 Bump github.com/fsouza/fake-gcs-server from 1.47.7 to 1.47.8 (#1743)
13b5121 Bump github.com/getkin/kin-openapi from 0.122.0 to 0.123.0 (#1727)
a6c67d3 Bump github.com/google/osv-scanner from 1.4.3 to 1.6.1 (#1657)
b7e84b9 Bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to 6.5.4 (#1673)
755c47e Bump github.com/klauspost/compress from 1.17.4 to 1.17.5 (#1671)
efd46f3 Bump github.com/klauspost/compress from 1.17.5 to 1.17.6 (#1701)
6c45c18 Bump github.com/moby/buildkit from 0.12.2 to 0.12.5 (#1679)
e1d3451 Bump github.com/nats-io/nats-server/v2 from 2.10.9 to 2.10.10 (#1686)
32169e5 Bump github.com/nats-io/nats.go from 1.32.0 to 1.33.1 (#1726)
8eaa7ed Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 (#1745)
cf9ccd3 Bump github.com/redis/go-redis/v9 from 9.4.0 to 9.5.0 (#1714)
75a5ae7 Bump github.com/regclient/regclient from 0.5.5 to 0.5.6 (#1688)
644b493 Bump github.com/regclient/regclient from 0.5.6 to 0.5.7 (#1700)
91a9be2 Bump github.com/segmentio/kafka-go from 0.4.46 to 0.4.47 (#1655)
315dfef Bump github.com/sigstore/sigstore from 1.8.0 to 1.8.1 (#1654)
ec85ecd Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1746)
4adbf13 Bump github.com/swaggo/swag from 1.16.2 to 1.16.3 (#1698)
694a8f2 Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#1702)
6e88dab Bump google.golang.org/api from 0.154.0 to 0.157.0 (#1656)
9db9b6a Bump google.golang.org/api from 0.157.0 to 0.160.0 (#1670)
abd5a73 Bump google.golang.org/grpc from 1.60.1 to 1.61.0 (#1685)
e023b46 Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#1690)
d5feab1 ENT - bulk ingestion and update to use IDorInputSpec (#1732)
237ff8c Encoding guesser (#1472)
f750549 Error and exit when initialization fails (#1674)
e9e3551 Fix License node ingestion when no LicenseListVersion provided. (#1738)
431a286 Fix the incorrect callingFuncName in the getNeighborIDFromCursor (#1730)
52a55e4 Github Collector Enhancements (#1566)
dbf92ad Gqlschemafix (#1683)
5fbba0d Id or inputspec (#1708)
645dcbc Implemented key value search (#1711)
e8ff763 Improve guac query vuln error message (#1695)
e2c8157 Included http middleware to measure the graphql response times using prometheus. (#1675)
de3cd11 Included prometheus server for guacql (#1635)
c628147 Move all arango tests to common integration test suite. (#1660)
2169376 Update CONTRIBUTING.md about DCO and CLA. (#1723)
b0969e3 Update default blob-addr to use filesystem (for docker-compose and k8s) (#1666)
f6e9f46 Use filename as qualifier for SBOM file references (#1546)
f393612 Use graphql.HasOperationContext in arangodb assembler (#1659)
db84270 Utilize gocloud and blob store to work around pubsub message size (#1630)
2b3b18e [Rest API] Adds the initial API Spec and guacrest cli. (#1665)
eee82ba abstract pubsub service via gocloud (#1664)
3f2ef06 add purl helper to convert from allPkgTree fragment (#1681)
99a4d54 attempt to fix golangci-lint issues (#1735)
8c27a44 feature: Verify the DSSE envelope if the verifier-key-path and verifier-key-id are provided. Fail the provenance ingestion if the document is not verified. (#1712)
1e337e3 fix: s3 collector (#1658)
f1703bd fix[update-arango-graph] - creates a missing collection in already pr… (#1649)
db6cfcc removing MAX_CONCURRENT_JOBS (#1682)
ef4c295 save qualifiers from golang loop semantics (#1684)
753e57b separate software IDs into packages and artifacts for hasSBOM ingestion (#1718)
c3464f8 update dsse processor to not guess unpacked payload (#1647)
277c791 update hasSBOM ingestion for large SBOMs and increase batch size for bulk ingestion (#1748)

Assets 70

18 Jan 03:36

github-actions

v0.4.0

c3cdc5a

v0.4.0

Highlights

Addition of a new KeyValue backend (Redis and TiKV)
Update and improve guacone CLI
Add new graphQL Custom Directives contains and startswith
Various updates to arangoDB and ENT backend
REST API initial implementation
Various bug fixes and improvements

What's Changed

8336525 1434-docker-compose - backend selection on startup (#1435)
c197a9d 1550 Ent: hasSBOM 'included' implementation (#1583)
8daf872 Add Guacone collect files json.bz2 capability (#1395)
1fb5ee9 Add Redis and TiKV kv stores (#1502)
bb36eab Add benchmark for TiKV (#1579)
ab37eb4 Add comment for id field on PkgSpec (#1631)
df88a40 Add comment on Edge schema to note that edges are bidirectional (#1632)
7176dec Add concurrency to arango hasSBOM query (#1609)
c45498b Add log level configuration (#1422)
cb92e23 Add performance test for redis. (#1562)
a4faf80 Add support for OCI referrers (#1278)
2304b5e Bump actions/cache from 3.3.2 to 3.3.3 (#1642)
cabf7f9 Bump actions/checkout from 3.4.0 to 4.1.1 (#1489)
aa334f6 Bump actions/checkout from 4.1.0 to 4.1.1 (#1423)
47f9756 Bump actions/create-github-app-token from 1.5.0 to 1.5.1 (#1467)
4c9a54f Bump actions/create-github-app-token from 1.5.1 to 1.6.0 (#1516)
1c55d0b Bump actions/create-github-app-token from 1.6.0 to 1.6.1 (#1551)
2bfe69a Bump actions/create-github-app-token from 1.6.1 to 1.6.2 (#1570)
48efadb Bump actions/create-github-app-token from 1.6.2 to 1.6.3 (#1641)
54fe233 Bump actions/download-artifact from 3 to 4 (#1591)
7e4740c Bump actions/github-script from 6.4.1 to 7.0.0 (#1494)
5c32cb5 Bump actions/github-script from 7.0.0 to 7.0.1 (#1515)
67ce224 Bump actions/setup-go from 4.0.1 to 4.1.0 (#1493)
c4c8ca3 Bump actions/setup-go from 4.1.0 to 5.0.0 (#1568)
7bbde8f Bump actions/setup-python from 4.7.1 to 5.0.0 (#1569)
1395ebf Bump actions/upload-artifact from 3 to 4 (#1640)
880b129 Bump anchore/sbom-action from 0.14.3 to 0.15.0 (#1518)
4553605 Bump anchore/sbom-action from 0.15.0 to 0.15.1 (#1552)
65da979 Bump anchore/sbom-action from 0.15.1 to 0.15.3 (#1626)
bfd70a6 Bump aquasecurity/trivy-action from 0.12.0 to 0.13.0 (#1443)
552cf9b Bump aquasecurity/trivy-action from 0.13.0 to 0.13.1 (#1468)
79ffb2f Bump aquasecurity/trivy-action from 0.13.1 to 0.14.0 (#1490)
3e8b997 Bump aquasecurity/trivy-action from 0.14.0 to 0.16.0 (#1571)
5692dc6 Bump aquasecurity/trivy-action from 0.16.0 to 0.16.1 (#1625)
f0c6c23 Bump cloud.google.com/go/storage from 1.33.0 to 1.34.1 (#1462)
a3301cb Bump cloud.google.com/go/storage from 1.34.1 to 1.35.1 (#1492)
68c22cc Bump entgo.io/ent from 0.12.4 to 0.12.5 (#1522)
9fd1846 Bump github.com/99designs/gqlgen from 0.17.37 to 0.17.39 (#1411)
f48cf42 Bump github.com/99designs/gqlgen from 0.17.39 to 0.17.41 (#1553)
645533d Bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#1573)
d9609a3 Bump github.com/arangodb/go-driver from 1.6.0 to 1.6.1 (#1523)
64d2c5b Bump github.com/aws/aws-sdk-go from 1.45.24 to 1.45.26 (#1412)
5cf6cbc Bump github.com/aws/aws-sdk-go from 1.45.26 to 1.46.2 (#1425)
f92473b Bump github.com/aws/aws-sdk-go from 1.46.2 to 1.48.0 (#1521)
4a67771 Bump github.com/aws/aws-sdk-go from 1.48.0 to 1.49.13 (#1613)
c078576 Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.49.17 (#1622)
c13e040 Bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.2 (#1447)
d3611c3 Bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.23.5 (#1556)
6d501cc Bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 (#1621)
4e83d90 Bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.19.1 (#1446)
21abc32 Bump github.com/aws/aws-sdk-go-v2/config from 1.19.1 to 1.26.1 (#1576)
5a12fd2 Bump github.com/aws/aws-sdk-go-v2/config from 1.26.1 to 1.26.2 (#1612)
25250e2 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.40.2 (#1445)
14c40cb Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.2 to 1.42.1 (#1487)
b6246e5 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.24.1 to 1.26.0 (#1466)
a95b0bf Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.24.1 to 1.29.6 (#1614)
f1e2b24 Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#1619)
0ce585b Bump github.com/docker/docker (#1442)
b6f77f3 Bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 (#1486)
604d475 Bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 (#1531)
8ba3f39 Bump github.com/fsouza/fake-gcs-server from 1.47.5 to 1.47.6 (#1428)
1416c0f Bump github.com/fsouza/fake-gcs-server from 1.47.6 to 1.47.7 (#1639)
97cd84f Bump github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1 (#1532)
ed19b9b Bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#1588)
1d48ca9 Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1409)
00d978b Bump github.com/google/osv-scanner from 1.4.1 to 1.4.2 (#1444)
d0e7461 Bump github.com/google/osv-scanner from 1.4.2 to 1.4.3 (#1488)
63ebfe7 Bump github.com/jedib0t/go-pretty/v6 from 6.4.7 to 6.4.8 (#1429)
f4c68bc Bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to 6.5.3 (#1638)
cb78b8d Bump github.com/klauspost/compress from 1.17.2 to 1.17.3 (#1534)
e08c31e Bump github.com/klauspost/compress from 1.17.3 to 1.17.4 (#1557)
1e4157b Bump github.com/nats-io/nats-server/v2 from 2.10.1 to 2.10.2 (#1418)
778f2c6 Bump github.com/nats-io/nats-server/v2 from 2.10.2 to 2.10.3 (#1427)
02152b2 Bump github.com/nats-io/nats-server/v2 from 2.10.3 to 2.10.4 (#1454)
45e8941 Bump github.com/nats-io/nats-server/v2 from 2.10.4 to 2.10.5 (#1495)
bac74b5 Bump github.com/nats-io/nats.go from 1.30.1 to 1.31.0 (#1408)
0689514 Bump github.com/nats-io/nkeys from 0.4.5 to 0.4.6 (#1455)
a49449a Bump github.com/ossf/scorecard/v4 from 4.13.0 to 4.13.1 (#1464)
a591214 Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 (#1637)
c91c538 Bump github.com/redis/go-redis/v9 from 9.3.0 to 9.3.1 (#1600)
7857ed7 Bump github.com/redis/go-redis/v9 from 9.3.1 to 9.4.0 (#1623)
0b7c030 Bump github.com/regclient/regclient from 0.5.1 to 0.5.3 (#1410)
056ca7a Bump github.com/regclient/regclient from 0.5.3 to 0.5.4 (#1519)
79ef3f1 Bump github.com/regclient/regclient from 0.5.4 to 0.5.5 (#1554)
770cf2e Bump github.com/segmentio/kafka-go from 0.4.42 to 0.4.44 (#1463)
6d2150d Bump github.com/segmentio/kafka-go from 0.4.44 to 0.4.46 (#1572)
d619162 Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4 (#1426)
596c9f9 Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5 (#1533)
7ae8af7 Bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#1587)
9407c75 Bump github.com/sigstore/sigstore from 1.7.6 to 1.8.0 (#1602)
974f14b Bump github.com/spf13/viper from 1.16.0 to 1.17.0 (#1520)
76e2661 Bump github.com/spf13/viper from 1.17.0 to 1.18.2 (#1589)
c86d904 Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1592)
bfa5624 Bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 (#1555)
c0eaaeb Bump google.golang.org/api from 0.148.0 to 0.149.0 (#1465)
56cb4f9 Bump google.golang.org/api from 0.150.0 to 0.152.0 (#1535)
e9ee86b Bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#1620)
fe10b55 Bump goreleaser/goreleaser-action from 4 to 5 (#1517)
e2b35ad Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#1424)
2b32a09 Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#1491)
ba1eb78 Bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#1567)
c308c54 CSAF Parser: fixed branches' names collision (#1528)
18ad0d0 Change Keys method in kv interface to Scan (#1558)
030cf7f Convert default backend from "inmem" to "keyvalue" (#1475)
c5d84b6 Create a single backend acceptance test suite. (#1597)
fb58ab3 Define edges within software tries related nodes (#1450)
f2198ad Enable query on benchmark, fix some Scan() issues in keyvalue (#1585)
2a9a787 Ent - HasMetadata: applied concurrent approach (#1458)
b178fcd Ent - PackageVersion: added index for improving IsDependency ingestion (#1439)
da929fc Ent - Restore IngestPackages concurrently (#1586)
72e03ee Ent - Vulnerability endpoints: applied concurrent approach (#1459)
1b4e681 Ent - VulnerabilityMetadata endpoints (#1416)
7a05b7e Ent: IngestArtifacts optimized using concurrently (#1596)
f6a0a24 Ent: IngestBuilders, IngestCertifyBads, IngestCertifyGoods, IngestCertifyLegals refactored concurrently (#1599)
68210cf Ent: IngestOccurrences optimized with concurrently (#1593)
a599888 Ent: IngestSources optimized with concurrently (#1595)
a20dbc7 Ent: Package,IsDependency concurrent bulk ingestions (#1440)
5521770 Ent: error management when closing Ent client during tests (#1478)
545e294 Ent: fixed lint issue on 'main' (#1598)
7a4373b Feature/arango neighbors nouns query (#1419)
2ad8e2b Feature/arango neighbors verbs with tests (#1420)
09b3c74 Feature/update arango hasSBOM adding includes (#1564)
ab00d12 Fix single target build and remove unused function from test (#1543)
e560250 Fix some error returns without unlocks. (#1581)
0b8fc18 Fix some logic errors on IsDependency (#1627)
565483d Fixed Error in Scorecard Certifier (#1501)
9faa6de Fixed docker-compose down (#1451)
14a79d9 Fixed the incorrect tests for deps_dev (#1400)
c298eea Implemented prometheus (#1500)
1e5a333 Implemented the REST API (#1452)
2af1cc4 Included option to run integration tests locally (#1361)
c72e762 Inlcuded a faster fmt (#1507)
165897d Issue 966: Extend HasSBOM to include references to included software … (#1367)
686ce43 Iterating Over all IDs in QueryVulnsViaVulnNodeNeighbors (#1509)
c5c346c OCI purl: fix repository URL management (#1485)
92bd33e Query fIlter support for nested keys (#1618)
cb550ee Remove extra read locking that will cause deadlock. (#1580)
83b892c S3 collector implementation (#1308)
7144c45 Update ent and arango source model generation. (#1594)
2b1e1ae Update key methods...

Assets 69

13 Oct 20:35

github-actions

v0.3.0

7c3b1b9

v0.3.0

Highlights

Add timestamp fields to certifyBad, certifyGood, and hasSBOM
Ingest SPDX CPEs from externalRefs
Fix the issue with OSV certifier failing to ingest vulnerabilities while polling
Fix noVuln not showing on query known CLI

What's Changed

2c19f25 Add License and CertifyLegal to Arango backend. (#1349)
b7ff00e Add SECURITY-INSIGHTS (#1353)
ffadd34 Add a developer readme to the cli commands. (#1324)
caebd0c Bump actions/create-github-app-token from 1.2.2 to 1.5.0 (#1372)
baae9ca Bump entgo.io/ent from 0.12.4-0.20230918073025-797534a0d1ca to 0.12.4 (#1377)
583c478 Bump github.com/aws/aws-sdk-go from 1.45.20 to 1.45.24 (#1375)
1db53ed Bump github.com/fsouza/fake-gcs-server from 1.47.4 to 1.47.5 (#1376)
686fcad Bump github.com/nats-io/nats-server (#1352)
2f87865 Bump github.com/ossf/scorecard/v4 from 4.12.0 to 4.13.0 (#1374)
ff8bcb9 Bump golang.org/x/net from 0.15.0 to 0.17.0 (#1389)
457ace8 Bump golang.org/x/sync from 0.3.0 to 0.4.0 (#1373)
dc8d75a Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1371)
7c3b1b9 Certifier OSV: fixed emit func when polling (#1396)
c923aa6 Ent - HasMetadata (#1365)
64850de Ent - HasMetadata: fix ingesting same twice (#1392)
d18327b Ent - PointOfContact (#1391)
9e65098 Feature/arango node query with updates to inmem unit tests (#1369)
24dc68f Fix lint errors and increase golangci-lint timeout (#1351)
d681a8d Include Timestamps for Verbs (#1338)
542f03f SPDX Parser: ingest CPE from externalRefs (#1347)
b540d46 Support TLS for csub server and clients (#1390)
4652364 Support TLS for graphql server (#1380)
a3299ca Update packages for slices import (#1356)
3b4bc8e Update query used in docs with new vuln structure. (#1385)
e48e534 Wait for guac server to start before running tests (#1383)
a9dc7af [feature] Unionize parsing for cdx SBOM and VEX data (#1247)
c225a8e add flag to toggle getting deps.dev dependencies (#1382)
9254f32 change package version list to a map and add tests (#1332)
9caebd6 edit arangosearch view to exclude subpath search results (#1397)
5ecc2be fix contributor.md broken links to docs (#1393)
d7daa07 fix noVuln type not showing up when querying for known (#1394)
23cdc26 fix: typo (#1379)
09c5879 process PACKAGE_OF relationship in SPDX files (#1337)
51e8fc6 refactor(depversion): avoid unnecessary byte/string conversion (#1384)
70a6fe2 remove gql-test-data as its no longer needed to test the backends (#1355)

Assets 57

04 Oct 17:27

github-actions

v0.2.0

7e52b35

v0.2.0

Highlights

Major redesign to Vulnerability GraphQL Schema/API.
- Vulnerability types are no longer hard-coded
- Vulnerability metadata nodes include scores
IsDependency can now point to Package Versions.
GraphQL ingest mutations only return ID now.
OpenVEX Parser
Many fixes and smaller improvements.
Large progress on Arango and Ent, though not fully complete yet.

What's Changed

update vulnerability api by @pxp928 in #1147
Feature/arango certify vuln implementation by @pxp928 in #1161
Implement new IsDependency graphql to point to versions by @lumjjb in #1125
Fix XML format validation by @mlieberman85 in #1164
Fixed a Potential Stack Overflow Error in findProductRef by @nathannaveen in #1146
Feature/add novuln bool to vulnerability filter by @pxp928 in #1165
Fix check for docker buildx by @s-spindler in #1159
Bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in #1171
Bump google.golang.org/api from 0.136.0 to 0.138.0 by @dependabot in #1172
Bump github.com/aws/aws-sdk-go from 1.44.323 to 1.44.328 by @dependabot in #1174
Bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in #1173
Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in #1175
Feature/add vuln metadata schema by @pxp928 in #1170
Add check for docker compose by @s-spindler in #1176
Fixed Part of SemVer Issue by @nathannaveen in #1157
Minor fixes to error messages patch.go by @rmetzman in #1145
Feature/add vuln metadata backend [inmem] by @pxp928 in #1180
remove parallel assembler as no longer needed by @pxp928 in #1183
Bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0 by @dependabot in #1191
Bump github.com/aws/aws-sdk-go from 1.44.328 to 1.44.333 by @dependabot in #1189
Bump github.com/jedib0t/go-pretty/v6 from 6.4.6 to 6.4.7 by @dependabot in #1187
Bump github.com/CycloneDX/cyclonedx-go from 0.7.1 to 0.7.2 by @dependabot in #1188
Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1190
changing mutationAPI to only return IDs instead of whole struct to fi… by @arorasoham9 in #1169
Updated CollectedPypiWheelAxle by @mrizzi in #1192
CertifyBad: refactor validation checks by @mrizzi in #1185
Fixed a Potential Stack Overflow Error in findPurl 2 by @nathannaveen in #1194
Implement RDMS backend (postgres/mysql/sqlite) by @ivanvanderbyl in #910
Tag ent tests by @jeffmendoza in #1200
[Feature] add ingestion (including bulk) and query for VEX in Arango and inmem by @pxp928 in #1184
IngestVEXStatement resolver: fix err management by @mrizzi in #1203
Add 'integration' tag to golangci-lint by @mrizzi in #1202
add regen via make generate and add missing bulk ingest vex by @pxp928 in #1204
update readme to include backends and update supported types by @lumjjb in #1205
[feature] Adds a parser for CycloneDX Vex data by @stevemenezes in #1181
prevent checking for dependency version in test so changes in this do… by @m-brophy in #1209
Move validation checks into resolvers by @mrizzi in #1210
Add Legal information schema and inmem backend. by @jeffmendoza in #1207
Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #1214
Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 by @dependabot in #1215
Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 by @dependabot in #1216
Bump github.com/aws/aws-sdk-go from 1.44.333 to 1.45.2 by @dependabot in #1217
Bump github.com/regclient/regclient from 0.4.8 to 0.5.1 by @dependabot in #1218
Bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 by @dependabot in #1219
Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.3 by @dependabot in #1221
Feature/ Add arango unit tests by @pxp928 in #1213
Ent - Vulnerabilities management by @mrizzi in #1212
Feature/vuln metadata implementation on arango by @pxp928 in #1223
Disable ent on 32 bit by @jeffmendoza in #1226
Included docstrings for parser_csaf by @nathannaveen in #1186
Refactor ingestor code by @dejanb in #1195
Feature/vuln equal bulk ingestion and arango updates by @pxp928 in #1227
Ent - Dependency management by @mrizzi in #1232
update SPDX parser to skip empty and 0 hashes by @lumjjb in #1228
fix: increase gprc max message size by @dejanb in #1230
Fix inmem unit test. by @jeffmendoza in #1235
Bump github.com/DATA-DOG/go-txdb from 0.1.6 to 0.1.7 by @dependabot in #1220
remove helper as unused code from old pre-release assembler by @pxp928 in #1236
Ent - CertifyVuln: fixed noVuln management by @mrizzi in #1240
Feature/pkg equals bulk ingestion and arango updates by @pxp928 in #1239
Ent - IngestVulnEquals with tests by @mrizzi in #1238
Add support for sending encoded documents by @dejanb in #1222
Ent - IngestPkgEquals with tests by @mrizzi in #1243
Fix/add missing unit tests arango by @pxp928 in #1246
Ent - IngestSLSAs implementation with tests by @mrizzi in #1248
Improved Runtime of Function Process in process.go by @neilnaveen in #1245
Bump github.com/aws/aws-sdk-go from 1.45.2 to 1.45.7 by @dependabot in #1254
Bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in #1252
Bump github.com/vektah/gqlparser/v2 from 2.5.8 to 2.5.9 by @dependabot in #1253
Bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in #1255
Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #1256
Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1257
Bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in #1258
Bump github.com/99designs/gqlgen from 0.17.36 to 0.17.37 by @dependabot in #1251
Ent - IngestBuilders with tests by @mrizzi in #1260
Feature/has metadata bulk ingestion and arango updates by @pxp928 in #1262
Ent - IngestHasSBOMs implementation with tests by @mrizzi in #1265
inmem - PkgEqual: Subpath query filtering by @mrizzi in #1249
guacone - managing totalSuccess by @mrizzi in #1267
Ingestor/Assembler and SPDX Parser for Legal information. by @jeffmendoza in #1244
Feature/pointofcontact bulk arango by @pxp928 in #1268
Update resolvers for legal nodes and add tests. by @jeffmendoza in #1269
Fixed CSAF GetIdentifiers by @nathannaveen in #1264
Log and continue on ingest errors with bulk assemler. by @jeffmendoza in #1275
add nightly release by @sunnyyip in #1273
Ent - IngestScorecards implementation with tests by @mrizzi in #1271
Ent - Bump v0.12.4-0.20230918073025-797534a0d1ca by @mrizzi in #1283
Changed JSON encoder from encoding/json to json-iterator/go by @neilnaveen in #1250
Feature/ hasSourceAt bulk inmem and arango implementation by @pxp928 in #1281
Changed make fmt to ignore .git files by @neilnaveen in https://g...

Contributors

ivanvanderbyl, desmax74, and 17 other contributors

Assets 57

23 Sep 04:48

github-actions

v0-nightly

51100b7

v0-nightly Pre-release

Pre-release

Changelog

b7c8690 Ent - IngestPkgEquals with tests (#1243)
3f96625 Add 'integration' tag to golangci-lint (#1202)
68e0455 Add Legal information schema and inmem backend. (#1207)
2290eb0 Add check for docker compose (#1176)
204016c Add support for sending encoded documents (#1222)
37c6a0d Bump actions/cache from 3.3.1 to 3.3.2 (#1256)
b8b130d Bump actions/checkout from 3.5.3 to 3.6.0 (#1190)
9aeea26 Bump actions/checkout from 3.6.0 to 4.0.0 (#1214)
9cd716f Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#1257)
a86c104 Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#1215)
f594c3a Bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 (#1171)
3ed7b5d Bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 (#1252)
ee18335 Bump docker/login-action from 2.2.0 to 3.0.0 (#1286)
349527b Bump github.com/99designs/gqlgen from 0.17.36 to 0.17.37 (#1251)
a27452a Bump github.com/CycloneDX/cyclonedx-go from 0.7.1 to 0.7.2 (#1188)
a311a3d Bump github.com/DATA-DOG/go-txdb from 0.1.6 to 0.1.7 (#1220)
e9877b0 Bump github.com/aws/aws-sdk-go from 1.44.323 to 1.44.328 (#1174)
cda8855 Bump github.com/aws/aws-sdk-go from 1.44.328 to 1.44.333 (#1189)
e508715 Bump github.com/aws/aws-sdk-go from 1.44.333 to 1.45.2 (#1217)
987935c Bump github.com/aws/aws-sdk-go from 1.45.2 to 1.45.7 (#1254)
b0e92e1 Bump github.com/aws/aws-sdk-go from 1.45.7 to 1.45.12 (#1289)
c2286f4 Bump github.com/jedib0t/go-pretty/v6 from 6.4.6 to 6.4.7 (#1187)
4730899 Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#1291)
4bf6212 Bump github.com/regclient/regclient from 0.4.8 to 0.5.1 (#1218)
623d7a1 Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.3 (#1221)
ff57642 Bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 (#1219)
e3d8893 Bump github.com/vektah/gqlparser/v2 from 2.5.8 to 2.5.9 (#1253)
6d70867 Bump go.uber.org/zap from 1.24.0 to 1.25.0 (#1173)
970af6a Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#1288)
1f4c35b Bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 (#1255)
9280233 Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#1175)
e3135b5 Bump google.golang.org/api from 0.136.0 to 0.138.0 (#1172)
9b74bde Bump google.golang.org/api from 0.138.0 to 0.141.0 (#1287)
1c104d0 Bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (#1258)
51e8026 Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 (#1216)
72d3825 Bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0 (#1191)
31c9dbc CertifyBad: refactor validation checks (#1185)
a79ec2e Changed encoding/json to json-iterator/go for perf (#1250)
33af200 Changed make fmt to ignore .git files (#1280)
c46528b Confusing name of field in IsDependency GraphQL (#1305)
4dfaf8b Disable ent on 32 bit (#1226)
58d623e Ent - Bump v0.12.4-0.20230918073025-797534a0d1ca (#1283)
4f2c49e Ent - CertifyVuln: fixed noVuln management (#1240)
ceefb94 Ent - Dependency management (#1232)
80eab75 Ent - IngestBuilders with tests (#1260)
dc2f4d2 Ent - IngestCertifyGoods and IngestCertifyBads (#1295)
b28dce1 Ent - IngestHasSBOMs implementation with tests (#1265)
ebb6442 Ent - IngestHasSourceAts implementation (#1299)
6b9617c Ent - IngestHashEquals implementation (#1304)
40d3454 Ent - IngestSLSAs implementation with tests (#1248)
37fecf4 Ent - IngestScorecards implementation with tests (#1271)
810b0a9 Ent - IngestVulnEquals with tests (#1238)
dfa6537 Ent - Vulnerabilities management (#1212)
5ebbc66 Ent - upsertPackageIDDoNothing vs upsertPackageIDIgnore (#1270)
fce5de8 Feature/ Add arango unit tests (#1213)
e8816e2 Feature/ hasSourceAt bulk inmem and arango implementation (#1281)
4d685e2 Feature/add novuln bool to vulnerability filter (#1165)
3128475 Feature/add vuln metadata backend [inmem] (#1180)
48998db Feature/add vuln metadata schema (#1170)
e55fa24 Feature/arango certify vuln implementation (#1161)
f8b701e Feature/arango node query (#1301)
88dfb7e Feature/has metadata bulk ingestion and arango updates (#1262)
70774ce Feature/pkg equals bulk ingestion and arango updates (#1239)
6dfd549 Feature/pointofcontact bulk arango (#1268)
9fdc9a2 Feature/vuln equal bulk ingestion and arango updates (#1227)
30e2a71 Fix XML format validation (#1164)
967a46a Fix check for docker buildx (#1159)
c035663 Fix inmem unit test. (#1235)
4589fbf Fix/add missing unit tests arango (#1246)
dfab82e Fixed CSAF GetIdentifiers (#1264)
655342e Fixed Part of SemVer Issue (#1157)
be3da8d Fixed a Potential Stack Overflow Error in findProductRef (#1146)
1bba6a4 Fixed a Potential Stack Overflow Error in findPurl 2 (#1194)
8eb43c3 Fixed breaking change by bumping openVex to new release (#1306)
1c0a63f Implement RDMS backend (postgres/mysql/sqlite) (#910)
5f19f1c Implement new IsDependency graphql to point to versions (#1125)
861288d Implemented OpenVEX (#1241)
0268d1a Improved Runtime of Function Process in process.go (#1245)
567895e Included docstrings for parser_csaf (#1186)
c1413ad IngestVEXStatement: fix err management (#1203)
ebd91bb Ingestor/Assembler and SPDX Parser for Legal information. (#1244)
20fca4d Log and continue on ingest errors with bulk assemler. (#1275)
0423c59 Minor fixes to error messages patch.go (#1145)
a72cbbc Move validation checks into resolvers (#1210)
249fdd6 Performance improvements for depsdev API (#1263)
e59bbf4 Refactor ingestor code (#1195)
1e83043 Tag ent tests (#1200)
5fe78f7 Update resolvers for legal nodes and add tests. (#1269)
0e3ad1c Updated CollectedPypiWheelAxle (#1192)
7835a82 [Feature] add ingestion (including bulk) and query for VEX in Arango and inmem (#1184)
8634dd5 [feature] Adds a parser for CycloneDX Vex data (#1181)
69586ae add nightly release (#1273)
f5346dd add regen via make generate and add missing bulk ingest vex (#1204)
51100b7 add register for guesser, processor and parser. fix unknown status and justification (#1307)
8fbe560 add vuln metadata to arangodb with unit tests (#1223)
9c793a9 changing mutationAPI to only return IDs instead of whole struct to fi… (#1169)
fa78489 fix bug in hasSLSA for arango (#1303)
00fe9fa fix: increase gprc max message size (#1230)
2b44e51 guacone - managing totalSuccess (#1267)
3e496d1 inmem - PkgEqual: Subpath query filtering (#1249)
86b2099 prevent checking for dependency version in test so changes in this don't break the test (#1209)
c0efbbf remove helper as unused code (#1236)
0428adc remove parallel assembler as no longer needed (#1183)
5756e69 update SPDX parser to skip empty and 0 hashes (#1228)
3b1e4e0 update docker manifest name in nightly releases (#1302)
b2c9ce8 update readme to include backends and update supported types (#1205)
a085423 update vulnerability api (#1147)
0e5aa36 use github app token to trigger nightly release (#1294)
82d666d use officially released go-vex dependency (#1284)

Assets 57

16 Aug 18:36

github-actions

v0.1.2

463b800

v0.1.2

This GUAC release is done to capture the current state of the graphQL API (before changes to the vulnerability, isDependency, and input spec schema). This will allow for the demos/documentation to function normally until these updates are released and the demo/documents are updated.

Additionally, a guac-compose tarball is attached that is pre-configured to point to the published container for this release, ghcr.io/guacsec/guac:v0.1.2.

Changelog

463b800 📖 Included comments for the bfs on patchPlanning (#1130)
64dfda6 Add @jeffmendoza as Maintainer. (#1144)
9368f3a Add PointOfContact predicate to PatchPlanning (#1088)
61f54cd Added non-nil dereferencing to SLSA parser (#1127)
542de58 Bump actions/setup-go from 4.0.1 to 4.1.0 (#1149)
be6f554 Bump github.com/99designs/gqlgen from 0.17.35 to 0.17.36 (#1111)
93f9ec8 Bump github.com/aws/aws-sdk-go from 1.44.284 to 1.44.318 (#1134)
c88d885 Bump github.com/aws/aws-sdk-go from 1.44.318 to 1.44.323 (#1155)
cd0816e Bump github.com/fsouza/fake-gcs-server from 1.45.2 to 1.46.0 (#1108)
dff7644 Bump github.com/fsouza/fake-gcs-server from 1.46.0 to 1.47.4 (#1136)
bc9970c Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#1090)
83cd681 Bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#1109)
d01bc9c Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#1089)
c8fd1a8 Bump github.com/grpc-ecosystem/go-grpc-middleware from 1.3.0 to 1.4.0 (#1137)
c618ce8 Bump github.com/nats-io/nats-server/v2 from 2.9.20 to 2.9.21 (#1152)
acc26ce Bump github.com/nats-io/nats.go from 1.27.1 to 1.28.0 (#1092)
6fb18da Bump github.com/ossf/scorecard/v4 from 4.11.0 to 4.12.0 (#1153)
33755da Bump github.com/regclient/regclient from 0.5.0 to 0.5.1 (#1138)
6b4d7a4 Bump github.com/sigstore/sigstore from 1.7.1 to 1.7.2 (#1151)
4c6e169 Bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 (#1110)
ec385a9 Bump golang.org/x/oauth2 from 0.10.0 to 0.11.0 (#1135)
605a5fa Bump google.golang.org/api from 0.130.0 to 0.133.0 (#1091)
191faac Bump google.golang.org/api from 0.134.0 to 0.136.0 (#1154)
3b3cb50 Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#1150)
50f97f7 Bump slsa-framework/slsa-github-generator from 1.7.0 to 1.8.0 (#1139)
093d702 Fix Logging in Collectsub Server (#995)
1bd9fef Mandatory queries filtering specs (#1114)
069edcb Parse SPDX: manage relations with top level package (#1103)
021655e Refactored and Included Tests for TopoSortFromBfsNodeMap (#1133)
a0b4370 Remove UI Opts, add queries used by viz under packages (#1122)
a0ac552 Workaround depversion handling. (#1113)
7d1960b [PatchPlanning] Add CLI cmd for patch planning (#1129)
00e931f [PatchPlanning] Rename dependencies to dependents in search (#1142)
90cb0b7 [PatchPlanning] Toposort / frontiers (#1101)
a8e7ad3 [fix] Removed Empty String Parents for Root Nodes (#1131)
c3fe7c4 [patchPlanning] Make Parent field in BfsNode into a list (#1095)
c0614ec add certifyBad query, certifyGood ingestion and query, update bulk assembler (#1123)
3f93cd4 add query for IsOccurrence, isDependency and HasSBOM for Arango backend (#1096)
7724bda arango: query hashEqual, bulk ingest hasSBOM and hashEqual, filter on builtFrom on hasSLSA (#1100)
bc5c042 connects guac with a given aws neptune cluster endpoint (#1126)
606f5da fix to add type filter for dependent package (#1156)
9f1ccf2 fix ui opts and examples for visualizer code gen (#1121)
febfb54 issue-1105 inmem HasSBOM: manage no hasSBOMSpec sent (#1106)
bdd1b0c specify the version of the nats helm chart (#1119)
15ad9f9 update API for bulk ingestion for CertifyBad/CertifyGood, add missing unit tests, update collections on arango (#1115)

Contributors

jeffmendoza

Assets 57

24 Jul 18:18

github-actions

v0.1.1

73359ad

v0.1.1

This GUAC release is mostly incremental changes from the last few months. This includes bug fixes, small features, and performance improvements.

Releases now include compiled binaries with sboms, signed checksums, and intoto attestations. Additionally a guac-compose tarball is attached that is pre-configured to point to the published container for this release, ghcr.io/guacsec/guac:v0.1.1.

Changelog

7510cab Add Compose Tarball to Release Workflow (#1076)
ddabdf6 Add HasMetadata operations and inmem implementation (#1023)
08bfd91 Add PkgEqual and HashEqual predictaes -- testing + code planning (#1069)
778091b Add PointOfContact predicate ingest (#1075)
9cc17ad Add ability to add ingestPredicates documents for ingestion (#1051)
3587e04 Add initial nodes for arangoDB backend implementation (#911)
3885c0e Add packages to shell.nix (#1025)
d29cbb8 Add search gql (#998)
290c1c3 Add support for ingesting VEX documents in the CSAF format (#729)
73359ad Adding check for docker builx toolkit in Makefile to fix#1057 (#1083)
06fec9c Bump actions/checkout from 3.5.2 to 3.5.3 (#951)
bd619a7 Bump actions/setup-python from 4.6.0 to 4.6.1 (#890)
e92f4ff Bump actions/setup-python from 4.6.1 to 4.7.0 (#1061)
4692cde Bump anchore/sbom-action from 0.14.2 to 0.14.3 (#981)
4bb77e7 Bump anchore/sbom-action from 0.7.0 to 0.14.2 (#933)
f58d03b Bump aquasecurity/trivy-action from 0.10.0 to 0.11.0 (#912)
6fdf14c Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#952)
e1b0475 Bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 (#1040)
92b5a2e Bump docker/login-action from 2.1.0 to 2.2.0 (#932)
2629e6c Bump github.com/99designs/gqlgen from 0.17.32 to 0.17.33 (#953)
7c9bf1e Bump github.com/99designs/gqlgen from 0.17.33 to 0.17.34 (#984)
74cc02e Bump github.com/99designs/gqlgen from 0.17.34 to 0.17.35 (#1066)
484051c Bump github.com/fsouza/fake-gcs-server from 1.45.1 to 1.45.2 (#938)
7a87726 Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#893)
8a37528 Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 (#936)
bf5c0d9 Bump github.com/google/osv-scanner from 1.3.4 to 1.3.5 (#1064)
6eb39e9 Bump github.com/nats-io/nats-server/v2 from 2.9.17 to 2.9.18 (#956)
a415378 Bump github.com/nats-io/nats-server/v2 from 2.9.18 to 2.9.19 (#1009)
be194ab Bump github.com/nats-io/nats-server/v2 from 2.9.19 to 2.9.20 (#1062)
5a4182b Bump github.com/nats-io/nats.go from 1.25.0 to 1.26.0 (#892)
d49e868 Bump github.com/nats-io/nats.go from 1.26.0 to 1.27.0 (#934)
09c6148 Bump github.com/nats-io/nats.go from 1.27.0 to 1.27.1 (#987)
1401f7c Bump github.com/ossf/scorecard/v4 from 4.10.5 to 4.11.0 (#1012)
9bfd464 Bump github.com/package-url/packageurl-go (#988)
01f8b31 Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#1038)
fd1fcf5 Bump github.com/regclient/regclient from 0.4.8 to 0.5.0 (#1010)
618f779 Bump github.com/secure-systems-lab/go-securesystemslib (#1065)
c90a50a Bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 (#916)
bf738cb Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.1 (#1011)
bbe27f7 Bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#917)
ef94059 Bump github.com/vektah/gqlparser/v2 from 2.5.4 to 2.5.6 (#1008)
529dadf Bump github/codeql-action from 2.3.3 to 2.3.5 (#889)
4dec012 Bump github/codeql-action from 2.3.5 to 2.3.6 (#914)
f25d7f4 Bump github/codeql-action from 2.3.6 to 2.13.4 (#931)
6db34f6 Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 (#985)
045fe10 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#1041)
4e84729 Bump golang.org/x/sync from 0.2.0 to 0.3.0 (#957)
366a649 Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#913)
e0898dd Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#950)
d4b73fd Bump google.golang.org/api from 0.123.0 to 0.124.0 (#891)
d182921 Bump google.golang.org/api from 0.124.0 to 0.125.0 (#915)
6598766 Bump google.golang.org/api from 0.125.0 to 0.128.0 (#954)
a998793 Bump google.golang.org/api from 0.128.0 to 0.130.0 (#1039)
4f965f1 Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#955)
d635768 Bump google.golang.org/grpc from 1.56.0 to 1.56.2 (#1042)
5bac0b1 Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#986)
b439054 Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#929)
309c675 Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#983)
218b613 Bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#982)
314d6fd Bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#1013)
b912fa2 Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#930)
8a03729 Changed build tag to separate scorecardRunner_test.go to run only on Merge (#927)
37971bd Cleanup arango backend and add source ingestion and query for arango (#1034)
0d557cb DoesRangeInclude function (#886)
41d4ee8 Enable tracing of GraphQL requests (#940)
08bbd69 Fix parallel ingest when guacgql is in docker. (#900)
8f639ae Fix typo (#1084)
e1c36ff Fixed Stackoverflow for simpledoc (#958)
131eeab Fixed issue with Github client tests timing out (#906)
a3d96a8 Fixed: Stackoverflow in internal/testing/dochelper (#946)
2046ab7 Implement FIndSoftware for Arango backend (#1032)
3cc7cde Implement HasSLSA predicate case + tests (patchPlanning search method) (#1046)
dc2035a Implement batch ingestion for packages, artifacts, isDependency and isOccurrences (#999)
952bdac Implement search dependent packages + testing (updated) (#969)
8b799ed Included Unit Test for Subscribe (#1056)
2360f60 Included tests and handled stack overflow error for parser (#907)
3a24c08 Ingest and Query vulnerabilities for arango backend (#1052)
d1267d1 Involve since_time for collect-sub entry getting. (#1049)
e9063d4 Make ingestion from guacone parallel (#884)
dad342b Remove DoesRangeInclude error testing (#926)
32c2b3c Remove SBOM annotations (#1027)
5a2dc45 Remove annotations from hasSBOM gql example (#1037)
f79b2c9 Reorg graphQL to ingest nouns and verbs separately (#942)
a2d5192 Update spdx and osv libraries. (#908)
30321c7 [fix] ingests nouns before verbs for test data (#1003)
f3cbf4c add GUAC use cases (#978)
7d625e7 add docker context for snapshot and release build (#960)
fb5b129 add docker-compose for arango (#1031)
25a5c72 add generic metadata gql (#1002)
d988552 add guac friends md (#1080)
1e89b83 add guac links to past presentations (#885)
3feba2c add ingestion and query of hasSLSA for Arango, remove IngestMaterials (#1081)
4e6f922 add missing hasMetadata for arango (#1028)
1bf5d5e add support for 'githubactions' package types (#924)
0fec13b add support for using Tilt for local development (#1021)
48b2234 add vex info to VULN cli (#1086)
165ec24 added error if CycloneDX sboms are missing top level metadata fields (#992)
1f147b7 arango ingest/query scorecard and bulk ingestion (#1070)
7247869 build with goreleaser (#918)
2b9306d cleanup arango backend, add ingestion of builder, add support for source ingestion for Occurrences, return IDs during ingestion and query (#1048)
5f261e9 feat(collector): expose Google Cloud Storage collector from guacone CLI (#989)
4afe4f6 feat: add environment file for configuring docker compose (#901)
d438521 feat: allow filtering of CertifyVuln query results based on whether they have vulnerabilities (#1073)
39bff2a fix PURL NPE and add OCI heuristic (#1060)
97bb3d4 fix allow for go git to be parsed for VcsToSrc (#1047)
e784f0e fix deps.dev unit test (#928)
dcbfc56 fix docker build and check for goreleaser (#947)
b18d6c7 fix lint err around annotations (#1029)
d46cbbd fix time equal check bug in certifyVuln and ensure that other match in the inmem database (#923)
6adc09e fix: logging typo (#961)
de956fc fixing typo to fix #1078 (#1079)
7164de2 getTopLevelPackage will now check DESCRIBES and DESCRIBED_BY relationships to populate the pUrl. It will fall back to the original method of generating pUrl if neither are available. Added test cases for both of these options. (#979)
4181c17 hasSourceAt predicate for patch planning search (#1058)
ccc795c implement PointOfContact in inmem backend (#1033)
8282449 moved vcs.go and vcs_test.go to misc (#962)
fcedbd0 parse current docker context from ls output (#994)
c00ff53 proposed PointOfContact schema (#1026)
1bb597c remove unused old nodes (pre 0.1) (#1035)
21273d4 set guacone collect files to ingest doc in parallel with bulk assembler (#1043)
b0defd6 special case for arch x86_64 should be converted to amd64 for GOARCH consistency (#968)
e49ce9e update client GQL fragments to public usable by go (#1085)
7b3c00b update gqlgen and gqlparser (#939)
9b8c4ca update spdx parsing and check for spdxIdentifier==DOCUMENT (#997)
2dff95e use POSIX compliant way to redirect file descriptor (#919)
a67b116 use current docker context of host for buildx (#959)
81e180b use docker compose healthcheck (#944)
48579aa use goreleaser for local builds (#945)

Assets 57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Highlights

Changelog

Highlights

What's Changed

Highlights

Changelog

Highlights

What's Changed

Highlights

What's Changed

Highlights

What's Changed

Highlights

What's Changed

Contributors

Changelog

Changelog

Contributors

Changelog

Releases: guacsec/guac

v0.6.0

Highlights

Changelog

v0.5.2

Highlights

What's Changed

v0.5.1

Highlights

Changelog

v0.5.0

Highlights

What's Changed

v0.4.0

Highlights

What's Changed

v0.3.0

Highlights

What's Changed

v0.2.0

Highlights

What's Changed

Contributors

v0-nightly

Changelog

v0.1.2

Changelog

Contributors

v0.1.1

Changelog