
Releases: EdgewareRoad/TrivySummary

Release 3.0.3

07 Jun 09:44

Release 3.0.3:

Fixed a bug caused by the EPSS API changing its response format; new fields are now ignored.
Better diagnostics in exception conditions (a separate message for files not found, and an
error trace when the EPSS API call throws an exception).

Release 3.0:

Massive update...

Simple EPSS/CVSS thresholds now replaced with a configurable priority model. Each
CVE is now prioritised based on one of three models:

  1. SEVERITYONLY
    As in previous versions, priority is simply the stated vendor severity.
  2. RECTANGULAR
    Each of the CRITICAL, HIGH and MEDIUM priorities is set by minimum CVSS and EPSS values.
    Shown as colour bands on the graph view.
  3. ELLIPTICAL
    Similar to RECTANGULAR but based on an ellipse bounded by the stated CVSS / EPSS
    thresholds, giving a much more elegant view of distance from the top right hand
    corner of the graph.

Now defaults to querying for EPSS scores based on the scan date.
Supports --useTodayForEPSSQuery attribute to override this and force loading EPSS
scores for the report date.

BREAKING CHANGE: --failSeverityThreshold parameter now renamed --failPriorityThreshold
to reflect the change from a severity-only world to the new priority models.

BREAKING CHANGE: --minimumCVSSToPrioritise and --minimumEPSSToPrioritise now removed,
replaced by the --priorityModel parameter
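The three priority models described above, worked through in Python as an added example that is not TrivySummary's own code (the project itself ships as a Maven package, so its real implementation is Java). The band thresholds (CRITICAL at CVSS 9.0 / EPSS 0.5, HIGH at 7.0 / 0.1, MEDIUM at 4.0 / 0.01), the reading of ELLIPTICAL as a quarter-ellipse centred on the top-right corner (CVSS 10, EPSS 1) whose semi-axes reach exactly to a band's minima, and the names Priority, Band, prioritise and should_fail are all assumptions; the 2.0-era single CVSS/EPSS threshold corresponds to a one-band RECTANGULAR model. The sample findings use placeholder CVE ids and made-up scores.

```python
"""CVE priority models: SEVERITYONLY, RECTANGULAR and ELLIPTICAL.

Added example, not TrivySummary's own code. The band thresholds, the
quarter-ellipse geometry and every name below are assumptions made for
illustration; only the model names and the CVSS/EPSS axes come from the
release notes.
"""
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class Band:
    """A priority band is entered only when BOTH minima are met."""
    priority: Priority
    min_cvss: float  # 0.0 .. 10.0
    min_epss: float  # 0.0 .. 1.0


# Assumed thresholds, checked from the most severe band downwards.
DEFAULT_BANDS = (
    Band(Priority.CRITICAL, 9.0, 0.50),
    Band(Priority.HIGH, 7.0, 0.10),
    Band(Priority.MEDIUM, 4.0, 0.01),
)

CVSS_MAX, EPSS_MAX = 10.0, 1.0  # top-right corner of the CVSS-vs-EPSS graph


def severity_only(vendor_severity, cvss, epss, bands=DEFAULT_BANDS):
    """Model 1: priority is simply the vendor's stated severity."""
    return Priority[vendor_severity.upper()]


def rectangular(vendor_severity, cvss, epss, bands=DEFAULT_BANDS):
    """Model 2: each band is the rectangle cvss >= min_cvss AND epss >= min_epss."""
    for band in sorted(bands, key=lambda b: b.priority, reverse=True):
        if cvss >= band.min_cvss and epss >= band.min_epss:
            return band.priority
    return Priority.LOW


def _scaled_sq(distance, semi_axis):
    """(distance / semi_axis)^2, treating a zero-length axis as 'corner only'."""
    if semi_axis <= 0:
        return 0.0 if distance == 0 else float("inf")
    return (distance / semi_axis) ** 2


def elliptical(vendor_severity, cvss, epss, bands=DEFAULT_BANDS):
    """Model 3 (assumed geometry): each band is the quarter-ellipse centred on
    the top-right corner (CVSS_MAX, EPSS_MAX) whose semi-axes reach exactly to
    the band's minima. The rectangle of model 2 is that ellipse's bounding box,
    so the ellipse is the stricter test: a CVE that just clears one threshold
    but sits far from the other falls outside the band.
    """
    dx = max(CVSS_MAX - cvss, 0.0)  # horizontal distance from the corner
    dy = max(EPSS_MAX - epss, 0.0)  # vertical distance from the corner
    for band in sorted(bands, key=lambda b: b.priority, reverse=True):
        a = CVSS_MAX - band.min_cvss
        b = EPSS_MAX - band.min_epss
        if _scaled_sq(dx, a) + _scaled_sq(dy, b) <= 1.0:
            return band.priority
    return Priority.LOW


MODELS = {
    "SEVERITYONLY": severity_only,
    "RECTANGULAR": rectangular,
    "ELLIPTICAL": elliptical,
}


def prioritise(model_name, findings, bands=DEFAULT_BANDS):
    """Return {cve_id: Priority} for a list of (cve_id, severity, cvss, epss)."""
    model = MODELS[model_name.upper()]
    return {cve: model(sev, cvss, epss, bands) for cve, sev, cvss, epss in findings}


def should_fail(priorities, fail_threshold):
    """Exit-code rule: fail when any CVE reaches the --failPriorityThreshold."""
    return any(p >= fail_threshold for p in priorities.values())


# Constructed sample findings: placeholder CVE ids and made-up scores.
SAMPLE_FINDINGS = [
    ("CVE-1999-0001", "HIGH", 9.8, 0.97),
    ("CVE-1999-0002", "CRITICAL", 9.1, 0.02),
    ("CVE-1999-0003", "MEDIUM", 7.5, 0.30),
    ("CVE-1999-0004", "LOW", 3.0, 0.0005),
]

if __name__ == "__main__":
    import sys
    for name in MODELS:
        result = prioritise(name, SAMPLE_FINDINGS)
        print(name, {cve: p.name for cve, p in result.items()})
    # Mirror the CI behaviour: non-zero exit when a CVE reaches the threshold.
    sys.exit(1 if should_fail(prioritise("ELLIPTICAL", SAMPLE_FINDINGS), Priority.HIGH) else 0)
```

Running the script shows why the models disagree: CVE-1999-0002 (CVSS 9.1, EPSS 0.02) is CRITICAL by vendor severity, MEDIUM under RECTANGULAR (it clears the MEDIUM minima on both axes) and LOW under ELLIPTICAL, because a high CVSS with negligible EPSS lies outside even the MEDIUM ellipse. The script exits 1 on the sample data since CVE-1999-0001 reaches HIGH.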

Release 3.0.2

28 May 12:02

Release 3.0.2:

If the scan date is today, TrivySummary now omits the date from the EPSS query, as
supplying an explicit date of today can sometimes cause issues (assumed to be due to
time zones: calling this in the morning from the UK before the daily stats are generated).

Default output file is now, for a single input file, the same name and folder but with
a .pdf suffix. For the scenario where two input files are used, the default output
file path is the same as the input file but with name output.pdf.

If not in offline mode and there are errors experienced in calling the EPSS API, the
operation will simply fail with an error message, rather than creating a report.
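An added example, not TrivySummary's own code, covering the two EPSS-related behaviours in these notes: the 3.0.2 rule that the explicit date is dropped from the query when the scan date is today (or when today's scores are asked for explicitly, the --useTodayForEPSSQuery behaviour), and the 3.0.3 fix that makes the response parser ignore fields it does not know, failing with an error rather than producing a report when the data is unusable. It assumes the FIRST EPSS API shape (GET https://api.first.org/data/v1/epss?cve=...&date=YYYY-MM-DD returning a JSON body with a "data" list of records carrying "cve", "epss" and "percentile"); the function names, the placeholder CVE ids and the sample response are constructed.

```python
"""EPSS lookup helpers: query construction and a response parser that
ignores fields it does not know.

Added example, not TrivySummary's own code. It assumes the FIRST EPSS API
shape (GET https://api.first.org/data/v1/epss?cve=...&date=YYYY-MM-DD, JSON
body with a "data" list of records carrying "cve", "epss" and "percentile");
the function names and the sample response below are constructed.
"""
import datetime as dt
import json
from urllib.parse import urlencode

EPSS_ENDPOINT = "https://api.first.org/data/v1/epss"


class EpssError(Exception):
    """The EPSS data is unusable; callers abort instead of producing a report."""


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (scan dates arrive as text)."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def epss_query_params(cves, scan_date, today=None, use_today=False):
    """Build the query-string parameters for an EPSS lookup.

    The explicit date is dropped when the scan happened today (or later, to
    tolerate clock skew) or when today's scores were requested explicitly:
    asking for 'today' by date can fail before that day's EPSS figures have
    been published, so the dateless form (latest scores) is used instead.
    """
    scan_date = _as_date(scan_date)
    today = _as_date(today) if today is not None else dt.date.today()
    params = {"cve": ",".join(sorted(set(cves)))}
    if not use_today and scan_date < today:
        params["date"] = scan_date.isoformat()
    return params


def epss_query_url(cves, scan_date, today=None, use_today=False):
    """Full request URL; commas between CVE ids are left unescaped."""
    query = urlencode(epss_query_params(cves, scan_date, today, use_today), safe=",")
    return f"{EPSS_ENDPOINT}?{query}"


def parse_epss_response(body):
    """Return {cve: (epss, percentile)} from an EPSS JSON body.

    Only the three fields needed are read from each record; anything else is
    ignored, so a new field in the API response does not break parsing. A
    missing or malformed required field, or a non-OK status, raises EpssError
    so the caller fails loudly rather than reporting bad scores.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise EpssError(f"EPSS response is not JSON: {exc}") from exc
    if doc.get("status") != "OK":
        raise EpssError(f"EPSS API returned status {doc.get('status')!r}")
    scores = {}
    for record in doc.get("data", []):
        try:
            scores[record["cve"]] = (float(record["epss"]), float(record["percentile"]))
        except (KeyError, TypeError, ValueError) as exc:
            raise EpssError(f"malformed EPSS record: {record!r}") from exc
    return scores


# Constructed sample body: placeholder CVE ids, made-up scores, plus fields a
# newer API revision might add ("model_version", "note") that must be ignored.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "total": 2,
    "data": [
        {"cve": "CVE-1999-0001", "epss": "0.97200", "percentile": "0.99900",
         "date": "2024-05-20", "model_version": "v2023.03.01"},
        {"cve": "CVE-1999-0002", "epss": "0.00042", "percentile": "0.12000",
         "date": "2024-05-20", "note": "added in a later API revision"},
    ],
})

if __name__ == "__main__":
    ids = ["CVE-1999-0001", "CVE-1999-0002"]
    print(epss_query_url(ids, "2024-05-20", today="2024-05-28"))  # dated query
    print(epss_query_url(ids, "2024-05-28", today="2024-05-28"))  # date omitted
    print(parse_epss_response(SAMPLE_RESPONSE))
```

The parser deliberately does not validate the whole document against a schema: it reads the fields it needs and treats everything else as opaque, which is what makes the 3.0.3 fix robust to further additions, while still refusing to continue when a required field is absent or the status is not OK.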


Release 3.0.1

08 May 19:59

Release 3.0.1:

Bug fixes


Release 2.0.3

19 Apr 19:02

Release 2.0.3:

Fixed null pointer exception in the happy case that you have no vulnerabilities in your code.


Release 2.0.2

19 Apr 11:05

Release 2.0.2:

Fixed generated POM file in published Maven package


Release 2.0.1

19 Apr 09:53

Release 2.0.1:

Fixed offline mode


Release 2.0.0

17 Apr 12:51

Release 2.0:

Massive update...

TrivySummary will now attempt to download EPSS scores for each CVE and graph each CVE,
CVSS (severity) against EPSS (exploitability), unless asked to operate in offline mode.

TrivySummary can be given minimum CVSS and EPSS thresholds above which CVEs should be
marked as high priority for remediation.

TrivySummary will now show applicable NVD and RedHat links for each CVE, aiding
assessment.

BREAKING CHANGE: --failThreshold parameter now renamed --failSeverityThreshold and the
default is no longer to fail on any severity. In return, if this isn't set and
prioritisation is in effect (as above), then any high priority CVEs would return an
error code.

Release 1.2.1

27 Mar 16:04

Release 1.2 - Formatting improvements.

Now will hyphenate very long words intelligently (new in 1.2.1), avoiding table overflow
Tries to avoid wrapping of the CVE title where possible (but will wrap for very long IDs we've not seen yet)
Closed vulnerabilities now in a much compressed format as there's no need to list the affected packages. Can save a huge amount of space.

Release 1.2.0

27 Mar 12:05

Formatting improvements.

Now will hyphenate very long words properly, avoiding table overflow
Tries to avoid wrapping of the CVE title where possible (but will wrap for very long IDs we've not seen yet)
Closed vulnerabilities now in a much compressed format as there's no need to list the affected packages. Can save a huge amount of space.

Release 1.1.3

21 Mar 11:48

Improved the appearance of comparing two Trivy scans of the same exact artefact