Releases: guacsec/guac

v0.12.3

19 Dec 16:23
148d0a6
  • updated deps.dev collector to use new depsdevclient
  • add new deps.dev scanner on ingestion
  • fix bug that caused guac.yaml not to be read during initialization of the backends

What's Changed

  • update depsdev collector to use depsdevclient by @lumjjb in #2383
  • fix issue where guac.yaml was not being read for backend configuration by @pxp928 in #2388
  • add depsdev scanner implementation by @lumjjb in #2385

Full Changelog: v0.12.2...v0.12.3

v0.12.2

18 Dec 21:48
c277250
  • Various bug fixes and improvements

What's Changed

  • Add check for empty CertifyBad nodes in query bad by @robert-cronin in #2365
  • Bump arigaio/atlas from 7a2cd6a to cc6aec9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2367
  • Bump arigaio/atlas from cc6aec9 to f171955 in /pkg/assembler/backends/ent/migrate by @dependabot in #2368
  • Bump arigaio/atlas from f171955 to cdb29ba in /pkg/assembler/backends/ent/migrate by @dependabot in #2381
  • Bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in #2379
  • Bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #2378
  • Bump github.com/go-chi/chi/v5 from 5.1.0 to 5.2.0 by @dependabot in #2372
  • Bump google.golang.org/api from 0.210.0 to 0.212.0 by @dependabot in #2374
  • Bump github.com/CycloneDX/cyclonedx-go from 0.9.1 to 0.9.2 by @dependabot in #2376
  • Bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @dependabot in #2375
  • Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in #2377
  • Bump anchore/sbom-action from 0.17.8 to 0.17.9 by @dependabot in #2380
  • Bump github.com/99designs/gqlgen from 0.17.59 to 0.17.60 by @dependabot in #2373
  • Bump arigaio/atlas from cdb29ba to b0fd3a2 in /pkg/assembler/backends/ent/migrate by @dependabot in #2384
  • [FIX] Update batch query vulns to return all values, including novulns by @pxp928 in #2370
  • Bump arigaio/atlas from b0fd3a2 to d61e11c in /pkg/assembler/backends/ent/migrate by @dependabot in #2386
  • [FIX] CDX vulnerability parsing and update ENT VEX index by @pxp928 in #2371

Full Changelog: v0.12.1...v0.12.2

v0.12.1

12 Dec 19:09
2cd0ed9
  • Incremental release to ensure release of proper SBOM via the github workflow

Changelog

  • fc2976b Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2359)
  • 68bb630 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2363)
  • 01d52be Bump github.com/99designs/gqlgen from 0.17.56 to 0.17.59 (#2358)
  • 2cd0ed9 Bump golang.org/x/crypto from 0.29.0 to 0.31.0 (#2364)
  • 68610a4 Grant write permissions to the sbom generation (#2360)

What's Changed

  • Bump github.com/99designs/gqlgen from 0.17.56 to 0.17.59 by @dependabot in #2358
  • Bump arigaio/atlas from 0bb766d to 07bc256 in /pkg/assembler/backends/ent/migrate by @dependabot in #2359
  • Bump arigaio/atlas from 07bc256 to 7a2cd6a in /pkg/assembler/backends/ent/migrate by @dependabot in #2363
  • Grant write permissions to the sbom generation by @funnelfiasco in #2360
  • Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #2364

Full Changelog: v0.12.0...v0.12.1

v0.12.0

10 Dec 20:27
a944fc4
  • endoflife collector
  • Collect additional metadata for vulnerabilities from OSV
  • OCI registry collector updates
  • Add CertifyLegal to query known package
  • Fix: jsonl files are rejected
  • plumbing to enable deps.dev on ingest
  • Export getGraphqlServer and accept initialized backend
  • Fix PURL to Coord conversion for Go
  • Update workflow permissions
  • Decouple backend specific config from guacgql cmd
  • Various bug fixes and improvements

What's Changed

  • Feat/endoflife collector by @robert-cronin in #2215
  • Feat/oci registry collector by @robert-cronin in #2185
  • Bump arigaio/atlas from 5eac9e3 to a3b29b4 in /pkg/assembler/backends/ent/migrate by @dependabot in #2259
  • Bump google.golang.org/api from 0.203.0 to 0.204.0 by @dependabot in #2255
  • Bump anchore/sbom-action from 0.17.5 to 0.17.6 by @dependabot in #2260
  • Bump cloud.google.com/go/storage from 1.45.0 to 1.46.0 by @dependabot in #2256
  • Bump github.com/go-chi/chi/v5 from 5.0.12 to 5.1.0 by @dependabot in #2257
  • Bump gocloud.dev/pubsub/kafkapubsub from 0.37.0 to 0.40.0 by @dependabot in #2258
  • Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #2261
  • Add CertifyLegal to query known package by @robert-cronin in #2254
  • Fix: jsonl files are rejected by @robert-cronin in #2266
  • Bump arigaio/atlas from a3b29b4 to 9e0d9f9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2263
  • Updated GraphQL Testing by @nathannaveen in #2216
  • plumbing to enable deps.dev on ingest by @lumjjb in #2265
  • Bump arigaio/atlas from 9e0d9f9 to e6b4461 in /pkg/assembler/backends/ent/migrate by @dependabot in #2283
  • Bump google.golang.org/grpc from 1.67.1 to 1.68.0 by @dependabot in #2287
  • Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 by @dependabot in #2281
  • Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #2282
  • Bump github.com/nats-io/nats-server/v2 from 2.10.20 to 2.10.22 by @dependabot in #2284
  • Bump github.com/regclient/regclient from 0.7.1 to 0.7.2 by @dependabot in #2285
  • Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 by @dependabot in #2286
  • Bump anchore/sbom-action from 0.17.6 to 0.17.7 by @dependabot in #2280
  • Attempt to fix tilt-ci flakiness by @lumjjb in #2279
  • Bump arigaio/atlas from e6b4461 to abe7313 in /pkg/assembler/backends/ent/migrate by @dependabot in #2289
  • skip clearly defined tests for now because of flake by @lumjjb in #2291
  • Bump arigaio/atlas from abe7313 to 062cd81 in /pkg/assembler/backends/ent/migrate by @dependabot in #2292
  • Bump arigaio/atlas from 062cd81 to 404e6b4 in /pkg/assembler/backends/ent/migrate by @dependabot in #2293
  • Export getGraphqlServer and accept initialized backend by @robert-cronin in #2243
  • Bump arigaio/atlas from 404e6b4 to f672115 in /pkg/assembler/backends/ent/migrate by @dependabot in #2295
  • Fix zizmor audits by @funnelfiasco in #2276
  • Don't persist credentials in actions/checkout by @funnelfiasco in #2268
  • Add depsdev guac client as a stepping stone to split up depsdev functionality by @lumjjb in #2278
  • skip scanner cd test due to service timeout by @pxp928 in #2297
  • Bump arigaio/atlas from f672115 to 0cabbd9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2303
  • Bump arigaio/atlas from 0cabbd9 to eaa219c in /pkg/assembler/backends/ent/migrate by @dependabot in #2304
  • Feat/registry collector cli additions by @robert-cronin in #2241
  • Fix/overwrite collector registration by @robert-cronin in #2288
  • Bump arigaio/atlas from eaa219c to 66caa34 in /pkg/assembler/backends/ent/migrate by @dependabot in #2308
  • bugfix: fixes service-poll env variable bug in s3 by @ANIRUDH-333 in #2307
  • Bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #2298
  • Bump github.com/google/osv-scanner from 1.9.0 to 1.9.1 by @dependabot in #2300
  • Bump github.com/99designs/gqlgen from 0.17.55 to 0.17.56 by @dependabot in #2302
  • Bump arigaio/atlas from 66caa34 to da62231 in /pkg/assembler/backends/ent/migrate by @dependabot in #2311
  • Bump arigaio/atlas from da62231 to 4295312 in /pkg/assembler/backends/ent/migrate by @dependabot in #2312
  • Address Flakiness in ClearlyDefined API by @robert-cronin in #2306
  • Fix PURL to Coord conversion for Go by @jeffmendoza in #2305
  • Collect additional metadata for vulnerabilities from OSV by @hown3d in #2219
  • Improve test output formatting by @robert-cronin in #2310
  • clearly defined url encode/add hyphen for namespace by @pxp928 in #2262
  • Decouple backend specific config from guacgql cmd by @robert-cronin in #2247
  • Bump github.com/sigstore/sigstore from 1.8.9 to 1.8.10 by @dependabot in #2301
  • Bump entgo.io/ent from 0.14.0 to 0.14.1 by @dependabot in #2233
  • Bump arigaio/atlas from 4295312 to 1a13b85 in /pkg/assembler/backends/ent/migrate by @dependabot in #2322
  • Bump github.com/oapi-codegen/oapi-codegen/v2 from 2.3.1-0.20240823215434-d232e9efa9f5 to 2.4.1 by @dependabot in #2299
  • Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #2321
  • Bump github.com/aws/aws-sdk-go-v2 from 1.32.2 to 1.32.5 by @dependabot in #2318
  • Bump golang.org/x/time from 0.7.0 to 0.8.0 by @dependabot in #2316
  • Bump anchore/sbom-action from 0.17.7 to 0.17.8 by @dependabot in #2320
  • Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #2319
  • Bump github.com/aws/aws-sdk-go-v2/config from 1.27.39 to 1.28.5 by @dependabot in #2317
  • Bump arigaio/atlas from 1a13b85 to d448aab in /pkg/assembler/backends/ent/migrate by @dependabot in #2323
  • Bump arigaio/atlas from d448aab to 5c465fd in /pkg/assembler/backends/ent/migrate by @dependabot in #2324
  • Bump arigaio/atlas from 5c465fd to a0d43a6 in /pkg/assembler/backends/ent/migrate by @dependabot in #2325
  • Bump arigaio/atlas from a0d43a6 to 96753ab in /pkg/assembler/backends/ent/migrate by @dependabot in #2327
  • Bump google.golang.org/api from 0.204.0 to 0.209.0 by @dependabot in #2336
  • Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 by @dependabot in #2333
  • Bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #2331
  • Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.63.3 to 1.70.0 by @dependabot in #2332
  • Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 by @dependabot in #2335
  • Bump arigaio/atlas from 96753ab to dc46240 in /pkg/assembler/backends/ent/migrate by @dependabot in #2337
  • Adjust workflow permissions for signing and publishing by @funnelfiasco in #2338
  • Bump arigaio/atlas from dc46240 to 73374c5 in /pkg/assembler/backends/ent/migrate by @dependabot in #2340
  • Bump arigaio/atlas from 73374c5 to 2ac9ef1 in /pkg/assembler/backends/ent/migrate by @dependabot in #2342
  • fix: handles the case where empty pkgIDs slice is passed by @semmet95 in #2339
  • Really fix the permissions this time by @funnelfiasco in #2341
  • Reduce scorecard workflow permissions scope by @robert-cronin in #2326
    ...

v0.11.2

04 Nov 14:25
a5fe089
  • fix batch query where a nil query would return all values in the DB

What's Changed

  • a018777 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2250)
  • fad3dd5 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2251)
  • a5fe089 check if batch query is empty, otherwise skip (#2252)

v0.11.1

31 Oct 16:16
6fa0562
  • Improve batch query to only return latest timestamped values for CertVuln and CertLegal

What's Changed

  • f97320f Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2239)
  • 1d632d4 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2242)
  • 898894e Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2245)
  • 094a31a Bump github.com/fsouza/fake-gcs-server from 1.50.0 to 1.50.2 (#2236)
  • 48b1993 Bump github.com/getkin/kin-openapi from 0.127.0 to 0.128.0 (#2235)
  • 35fd61c Bump github.com/klauspost/compress from 1.17.9 to 1.17.11 (#2237)
  • 814bd26 Bump github/codeql-action from 3.26.13 to 3.27.0 (#2234)
  • 68dfc47 Bump gocloud.dev/pubsub/rabbitpubsub from 0.39.0 to 0.40.0 (#2238)
  • c571087 SPDX 'GENERATED_FROM' and 'GENERATES' management (#2249)
  • 6fa0562 improve batch query (#2246)

v0.11.0

28 Oct 20:11
b09eca2
  • Add batch querying for isDependency, CertifyVuln and CertifyLegal via Package Version ID

What's Changed

  • 10b6b4d Add IsDependency batch querying (#2221)
  • 6642687 Add vulnerability and License batch querying (#2218)
  • c5d0a1f Bump actions/cache from 4.1.1 to 4.1.2 (#2228)
  • 1756f10 Bump actions/checkout from 4.1.7 to 4.2.2 (#2227)
  • bf89fc8 Bump actions/setup-go from 5.0.2 to 5.1.0 (#2224)
  • c12ece6 Bump actions/setup-python from 5.2.0 to 5.3.0 (#2226)
  • fdc22cc Bump actions/upload-artifact from 4.1.0 to 4.4.3 (#2225)
  • d9bed92 Bump github.com/aws/aws-sdk-go-v2 from 1.32.1 to 1.32.2 (#2232)
  • b09eca2 Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.5 (#2230)
  • cd11a04 Bump golang.org/x/time from 0.6.0 to 0.7.0 (#2231)
  • d0bc03a Bump google.golang.org/api from 0.199.0 to 0.203.0 (#2229)
  • 265ce1d [StepSecurity] Apply security best practices (#2223)

v0.10.2

22 Oct 18:06
706f6d7
  • Change hasSBOMList to add filter based on client usage
  • add http handler to display version string
  • update vuln attestation to (opinionatedly) follow intoto/vulns v0.1 spec

What's Changed

  • 1a04f13 Bump actions/cache from 4.1.0 to 4.1.1 (#2196)
  • 26663ea Bump anchore/sbom-action from 0.17.3 to 0.17.5 (#2208)
  • 0e5cbe0 Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#2209)
  • 7bebe65 Bump cloud.google.com/go/storage from 1.43.0 to 1.45.0 (#2211)
  • 706f6d7 Bump github.com/99designs/gqlgen from 0.17.54 to 0.17.55 (#2213)
  • 30e28d4 Bump github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.1 (#2214)
  • 0b30860 Bump github.com/google/osv-scanner from 1.8.5 to 1.9.0 (#2210)
  • 516bbda Bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.18 (#2212)
  • 95ebb06 add vulnerability ID index on certifyVuln (#2203)
  • 8e84bbe change hasSBOMList to add filter based on client usage (#2205)
  • 0b6f4a9 fix #2206 add http handler to display version string (#2207)
  • ff4744b update vuln attestation to (opinionatedly) follow intoto/vulns v0.1 spec (#2194)

v0.10.1

16 Oct 22:30
ac93fb2
  • Improve ENT query performance via Index
  • Add ClearlyDefined to e2e test
  • Fix bug for license scan on ingest

What's Changed

  • 7ee10f0 Add ClearlyDefined to e2e test (#2168)
  • fa21e35 Bump anchore/sbom-action from 0.17.2 to 0.17.3 (#2199)
  • 55f1c26 Bump aquasecurity/trivy-action from 0.25.0 to 0.27.0 (#2198)
  • f45eb33 Bump github/codeql-action from 3.26.12 to 3.26.13 (#2197)
  • cff089f update batch size on clearly defined and fix bug that when ingesting licenses (#2200)
  • ac93fb2 update query to ensure index is hit for certifyLegal, occurrence and hasSBOM (#2201)

v0.10.0

11 Oct 13:00
9cfc2b7
  • Fix issues with certifier querying running into postgres parameter limit
  • Fix: missing null check in certifyLegal blobstore backend
  • Fix ite6 vuln attestation to use the right predicatetype
  • Fix Flaky E2e Test

What's Changed

  • 9cfc2b7 Fix Flaky E2e Test (#2189)
  • 0efa268 Fix: missing null check in certifyLegal blobstore backend (#2193)
  • c639eca fix issues with certifier querying running into postgres parameter limit (#2184)
  • 6940fb0 fix ite6 vuln attestation to use the right predicatetype (#2191)