v0.2.0
Highlights
- Major redesign of the Vulnerability GraphQL schema/API.
- Vulnerability types are no longer hard-coded.
- Vulnerability metadata nodes include scores.
- IsDependency can now point to package versions.
- GraphQL ingest mutations now return only the ID of the ingested node instead of the whole object.
- OpenVEX parser.
- Many fixes and smaller improvements.
- Large progress on the Arango and Ent backends, though neither is complete yet.
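The OpenVEX parser in this release lands VEX statements in the graph, and a not_affected statement is the one that can suppress a vulnerability finding for a package, so a consumer should verify a document before trusting it. The program below is an added example and not GUAC's parser (the project's parser is built on the go-vex library, see the PRs below): it uses only the Go standard library to parse a constructed OpenVEX v0.2.0 document and rejects statements that are malformed or that claim not_affected without the justification or impact_statement the OpenVEX specification requires. The document, the CVE-style names and the purl are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample OpenVEX document (v0.2.0 shape); the CVE-style names and
// the purl are placeholders, not real identifiers.
const sampleOpenVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-001",
  "author": "Constructed Security Team",
  "timestamp": "2023-09-01T12:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "pkg:golang/example.invalid/lib@1.2.3"}], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:golang/example.invalid/lib@1.2.3"}], "status": "affected", "action_statement": "upgrade to 1.2.4"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "pkg:golang/example.invalid/lib@1.2.3"}], "status": "not_affected"}
  ]
}`

// Statement keeps only the fields this example needs; json.Unmarshal ignores the rest.
type Statement struct {
	Vulnerability   struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products        []struct{ ID string `json:"@id"` }   `json:"products"`
	Status          string                              `json:"status"`
	Justification   string                              `json:"justification"`
	ImpactStatement string                              `json:"impact_statement"`
}

type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Statements []Statement `json:"statements"`
}

// Record is one (product, vulnerability, status) row, the unit a consumer would attach to a package node.
type Record struct{ Product, Vulnerability, Status, Justification string }
var validStatus = map[string]bool{"not_affected": true, "affected": true, "fixed": true, "under_investigation": true}

// The five justification labels defined by the OpenVEX specification.
var validJustification = map[string]bool{
	"component_not_present": true, "vulnerable_code_not_present": true, "vulnerable_code_not_in_execute_path": true,
	"vulnerable_code_cannot_be_controlled_by_adversary": true, "inline_mitigations_already_exist": true,
}

// ParseOpenVEX decodes the JSON and checks the required document-level fields.
func ParseOpenVEX(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decode OpenVEX: %w", err)
	}
	if doc.Context == "" || doc.ID == "" || doc.Author == "" {
		return nil, errors.New("OpenVEX document is missing @context, @id or author")
	}
	return &doc, nil
}

// ValidateStatement checks for a known status and justification label and, for
// not_affected (the status that suppresses a finding), a justification or impact_statement.
func ValidateStatement(s Statement) error {
	name := s.Vulnerability.Name
	if name == "" || !validStatus[s.Status] {
		return fmt.Errorf("vulnerability %q: missing name or unknown status %q", name, s.Status)
	}
	if s.Justification != "" && !validJustification[s.Justification] {
		return fmt.Errorf("%s: unknown justification %q", name, s.Justification)
	}
	if s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "" {
		return fmt.Errorf("%s: not_affected without justification or impact_statement", name)
	}
	return nil
}

// Records flattens valid statements into rows and returns one error per rejected statement.
func Records(doc *Document) ([]Record, []error) {
	var out []Record
	var errs []error
	for i, s := range doc.Statements {
		if err := ValidateStatement(s); err != nil {
			errs = append(errs, fmt.Errorf("statement %d: %w", i, err))
			continue
		}
		for _, p := range s.Products {
			out = append(out, Record{p.ID, s.Vulnerability.Name, s.Status, s.Justification})
		}
	}
	return out, errs
}

func main() {
	doc, err := ParseOpenVEX([]byte(sampleOpenVEX))
	if err != nil {
		panic(err)
	}
	rows, errs := Records(doc)
	fmt.Println(len(rows), "rows accepted;", len(errs), "rejected:", errs)
}
```

Run with `go run`: the first two statements become rows, the third is rejected because it asserts not_affected with neither a justification nor an impact statement. Rejected statements are reported individually rather than failing the whole document, which matches the "log and continue" behaviour this release adopts for bulk ingestion errors.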
What's Changed
- update vulnerability api by @pxp928 in #1147
- Feature/arango certify vuln implementation by @pxp928 in #1161
- Implement new IsDependency graphql to point to versions by @lumjjb in #1125
- Fix XML format validation by @mlieberman85 in #1164
- Fixed a Potential Stack Overflow Error in findProductRef by @nathannaveen in #1146
- Feature/add novuln bool to vulnerability filter by @pxp928 in #1165
- Fix check for docker buildx by @s-spindler in #1159
- Bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in #1171
- Bump google.golang.org/api from 0.136.0 to 0.138.0 by @dependabot in #1172
- Bump github.com/aws/aws-sdk-go from 1.44.323 to 1.44.328 by @dependabot in #1174
- Bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in #1173
- Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in #1175
- Feature/add vuln metadata schema by @pxp928 in #1170
- Add check for docker compose by @s-spindler in #1176
- Fixed Part of SemVer Issue by @nathannaveen in #1157
- Minor fixes to error messages patch.go by @rmetzman in #1145
- Feature/add vuln metadata backend [inmem] by @pxp928 in #1180
- remove parallel assembler as no longer needed by @pxp928 in #1183
- Bump slsa-framework/slsa-github-generator from 1.8.0 to 1.9.0 by @dependabot in #1191
- Bump github.com/aws/aws-sdk-go from 1.44.328 to 1.44.333 by @dependabot in #1189
- Bump github.com/jedib0t/go-pretty/v6 from 6.4.6 to 6.4.7 by @dependabot in #1187
- Bump github.com/CycloneDX/cyclonedx-go from 0.7.1 to 0.7.2 by @dependabot in #1188
- Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1190
- changing mutationAPI to only return IDs instead of whole struct to fi… by @arorasoham9 in #1169
- Updated CollectedPypiWheelAxle by @mrizzi in #1192
- CertifyBad: refactor validation checks by @mrizzi in #1185
- Fixed a Potential Stack Overflow Error in findPurl 2 by @nathannaveen in #1194
- Implement RDMS backend (postgres/mysql/sqlite) by @ivanvanderbyl in #910
- Tag ent tests by @jeffmendoza in #1200
- [Feature] add ingestion (including bulk) and query for VEX in Arango and inmem by @pxp928 in #1184
- IngestVEXStatement resolver: fix err management by @mrizzi in #1203
- Add 'integration' tag to golangci-lint by @mrizzi in #1202
- add regen via make generate and add missing bulk ingest vex by @pxp928 in #1204
- update readme to include backends and update supported types by @lumjjb in #1205
- [feature] Adds a parser for CycloneDX Vex data by @stevemenezes in #1181
- prevent checking for dependency version in test so changes in this do… by @m-brophy in #1209
- Move validation checks into resolvers by @mrizzi in #1210
- Add Legal information schema and inmem backend. by @jeffmendoza in #1207
- Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #1214
- Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 by @dependabot in #1215
- Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 by @dependabot in #1216
- Bump github.com/aws/aws-sdk-go from 1.44.333 to 1.45.2 by @dependabot in #1217
- Bump github.com/regclient/regclient from 0.4.8 to 0.5.1 by @dependabot in #1218
- Bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 by @dependabot in #1219
- Bump github.com/sigstore/sigstore from 1.6.5 to 1.7.3 by @dependabot in #1221
- Feature/ Add arango unit tests by @pxp928 in #1213
- Ent - Vulnerabilities management by @mrizzi in #1212
- Feature/vuln metadata implementation on arango by @pxp928 in #1223
- Disable ent on 32 bit by @jeffmendoza in #1226
- Included docstrings for parser_csaf by @nathannaveen in #1186
- Refactor ingestor code by @dejanb in #1195
- Feature/vuln equal bulk ingestion and arango updates by @pxp928 in #1227
- Ent - Dependency management by @mrizzi in #1232
- update SPDX parser to skip empty and 0 hashes by @lumjjb in #1228
- fix: increase grpc max message size by @dejanb in #1230
- Fix inmem unit test. by @jeffmendoza in #1235
- Bump github.com/DATA-DOG/go-txdb from 0.1.6 to 0.1.7 by @dependabot in #1220
- remove helper as unused code from old pre-release assembler by @pxp928 in #1236
- Ent - CertifyVuln: fixed noVuln management by @mrizzi in #1240
- Feature/pkg equals bulk ingestion and arango updates by @pxp928 in #1239
- Ent - IngestVulnEquals with tests by @mrizzi in #1238
- Add support for sending encoded documents by @dejanb in #1222
- Ent - IngestPkgEquals with tests by @mrizzi in #1243
- Fix/add missing unit tests arango by @pxp928 in #1246
- Ent - IngestSLSAs implementation with tests by @mrizzi in #1248
- Improved Runtime of Function Process in process.go by @neilnaveen in #1245
- Bump github.com/aws/aws-sdk-go from 1.45.2 to 1.45.7 by @dependabot in #1254
- Bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in #1252
- Bump github.com/vektah/gqlparser/v2 from 2.5.8 to 2.5.9 by @dependabot in #1253
- Bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in #1255
- Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #1256
- Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1257
- Bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in #1258
- Bump github.com/99designs/gqlgen from 0.17.36 to 0.17.37 by @dependabot in #1251
- Ent - IngestBuilders with tests by @mrizzi in #1260
- Feature/has metadata bulk ingestion and arango updates by @pxp928 in #1262
- Ent - IngestHasSBOMs implementation with tests by @mrizzi in #1265
- inmem - PkgEqual: Subpath query filtering by @mrizzi in #1249
- guacone - managing totalSuccess by @mrizzi in #1267
- Ingestor/Assembler and SPDX Parser for Legal information. by @jeffmendoza in #1244
- Feature/pointofcontact bulk arango by @pxp928 in #1268
- Update resolvers for legal nodes and add tests. by @jeffmendoza in #1269
- Fixed CSAF GetIdentifiers by @nathannaveen in #1264
- Log and continue on ingest errors with bulk assembler. by @jeffmendoza in #1275
- add nightly release by @sunnyyip in #1273
- Ent - IngestScorecards implementation with tests by @mrizzi in #1271
- Ent - Bump v0.12.4-0.20230918073025-797534a0d1ca by @mrizzi in #1283
- Changed JSON encoder from encoding/json to json-iterator/go by @neilnaveen in #1250
- Feature/ hasSourceAt bulk inmem and arango implementation by @pxp928 in #1281
- Changed make fmt to ignore .git files by @neilnaveen in #1280
- use officially released go-vex dependency v0.2.1 by @m-brophy in #1284
- Performance improvements for depsdev API by @naveensrinivasan in #1263
- Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 by @dependabot in #1291
- Bump github.com/aws/aws-sdk-go from 1.45.7 to 1.45.12 by @dependabot in #1289
- Bump google.golang.org/api from 0.138.0 to 0.141.0 by @dependabot in #1287
- Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1286
- Bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in #1288
- use github app token to trigger nightly release by @sunnyyip in #1294
- Ent - IngestCertifyGoods and IngestCertifyBads by @mrizzi in #1295
- Implemented OpenVEX by @nathannaveen in #1241
- Feature/arango node query by @pxp928 in #1301
- fix bug in hasSLSA for arango by @pxp928 in #1303
- Ent - upsertPackageIDDoNothing vs upsertPackageIDIgnore by @mrizzi in #1270
- Ent - IngestHasSourceAts implementation by @mrizzi in #1299
- update docker manifest name in nightly releases by @mdeicas in #1302
- Confusing name of field in IsDependency GraphQL by @desmax74 in #1305
- Ent - IngestHashEquals implementation by @mrizzi in #1304
- Fixed breaking change by bumping openVex to new release by @nathannaveen in #1306
- fix/openvex by @pxp928 in #1307
- pseudopause nightly release for now by @lumjjb in #1311
- Ent - License management endpoints by @mrizzi in #1312
- Bump github.com/aws/aws-sdk-go from 1.45.12 to 1.45.16 by @dependabot in #1317
- Clarify vote needed for Reviewer promotion. by @jeffmendoza in #1323
- update maintainers (-rgreinho) by @lumjjb in #1325
- Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.9.0 by @dependabot in #1314
- Bump github.com/nats-io/nats.go from 1.28.0 to 1.30.1 by @dependabot in #1316
- Bump google.golang.org/grpc from 1.57.0 to 1.58.2 by @dependabot in #1318
- Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1319
- Reviewers list - mrizzi by @mrizzi in #1327
- add NoVuln node to ingestion when a package isn't affected by @m-brophy in #1274
- Ent - IngestOccurrences implementation by @mrizzi in #1328
- OSV certifier: bulk ingest by @mrizzi in #1309
- Ent - CertifyLegal endpoints implementation by @mrizzi in #1321
- Remove version name from compose tarball. by @jeffmendoza in #1322
- Ent - Packages: subpath query issue by @mrizzi in #1330
- Add support for additional checksums and lower tolerance for tests by @naveensrinivasan in #1297
- Bump actions/create-github-app-token from 1.2.1 to 1.2.2 by @dependabot in #1339
- Bump actions/setup-python from 4.7.0 to 4.7.1 by @dependabot in #1340
- Bump github.com/CycloneDX/cyclonedx-go from 0.7.1 to 0.7.2 by @dependabot in #1341
- Bump github.com/vektah/gqlparser/v2 from 2.5.9 to 2.5.10 by @dependabot in #1342
- Bump github.com/aws/aws-sdk-go from 1.45.16 to 1.45.20 by @dependabot in #1344
- Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in #1343
- Ent - CertifyVex implementation by @mrizzi in #1334
- Fixed Race Condition in ingestor/verifier Test by @neilnaveen in #1345
- update go version by @mdeicas in #1333
New Contributors
- @s-spindler made their first contribution in #1159
- @ivanvanderbyl made their first contribution in #910
- @m-brophy made their first contribution in #1209
- @mdeicas made their first contribution in #1302
- @desmax74 made their first contribution in #1305
Full Changelog: v0.1.2...v0.2.0