Releases: guacsec/guac
v0.12.3
- updated deps.dev collector to use new depsdevclient
- add new deps.dev scanner on ingestion
- fix bug that caused guac.yaml not to be read during initialization of the backends
What's Changed
- update depsdev collector to use depsdevclient by @lumjjb in #2383
- fix issue where guac.yaml was not being read for backend configuration by @pxp928 in #2388
- add depsdev scanner implementation by @lumjjb in #2385
Full Changelog: v0.12.2...v0.12.3
v0.12.2
- Various bug fixes and improvements
What's Changed
- Add check for empty CertifyBad nodes in query bad by @robert-cronin in #2365
- Bump arigaio/atlas from cc6aec9 to f171955 in /pkg/assembler/backends/ent/migrate by @dependabot in #2368
- Bump arigaio/atlas from 7a2cd6a to cc6aec9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2367
- Bump arigaio/atlas from f171955 to cdb29ba in /pkg/assembler/backends/ent/migrate by @dependabot in #2381
- Bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in #2379
- Bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #2378
- Bump github.com/go-chi/chi/v5 from 5.1.0 to 5.2.0 by @dependabot in #2372
- Bump google.golang.org/api from 0.210.0 to 0.212.0 by @dependabot in #2374
- Bump github.com/CycloneDX/cyclonedx-go from 0.9.1 to 0.9.2 by @dependabot in #2376
- Bump github.com/secure-systems-lab/go-securesystemslib from 0.8.0 to 0.9.0 by @dependabot in #2375
- Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in #2377
- Bump anchore/sbom-action from 0.17.8 to 0.17.9 by @dependabot in #2380
- Bump github.com/99designs/gqlgen from 0.17.59 to 0.17.60 by @dependabot in #2373
- Bump arigaio/atlas from cdb29ba to b0fd3a2 in /pkg/assembler/backends/ent/migrate by @dependabot in #2384
- [FIX] Update batch query vulns to return all values, including novulns by @pxp928 in #2370
- Bump arigaio/atlas from b0fd3a2 to d61e11c in /pkg/assembler/backends/ent/migrate by @dependabot in #2386
- [FIX] CDX vulnerability parsing and update ENT VEX index by @pxp928 in #2371
Full Changelog: v0.12.1...v0.12.2
v0.12.1
- Incremental release to ensure release of a proper SBOM via the GitHub workflow
Changelog
- fc2976b Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2359)
- 68bb630 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2363)
- 01d52be Bump github.com/99designs/gqlgen from 0.17.56 to 0.17.59 (#2358)
- 2cd0ed9 Bump golang.org/x/crypto from 0.29.0 to 0.31.0 (#2364)
- 68610a4 Grant write permissions to the sbom generation (#2360)
What's Changed
- Bump github.com/99designs/gqlgen from 0.17.56 to 0.17.59 by @dependabot in #2358
- Bump arigaio/atlas from 0bb766d to 07bc256 in /pkg/assembler/backends/ent/migrate by @dependabot in #2359
- Bump arigaio/atlas from 07bc256 to 7a2cd6a in /pkg/assembler/backends/ent/migrate by @dependabot in #2363
- Grant write permissions to the sbom generation by @funnelfiasco in #2360
- Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #2364
Full Changelog: v0.12.0...v0.12.1
v0.12.0
- endoflife collector
- Collect additional metadata for vulnerabilities from OSV
- OCI registry collector updates
- Add CertifyLegal to query known package
- Fix: jsonl files are rejected
- plumbing to enable deps.dev on ingest
- Export getGraphqlServer and accept initialized backend
- Fix PURL to Coord conversion for Go
- Update workflow permissions
- Decouple backend specific config from guacgql cmd
- Various bug fixes and improvements
Contributors
- @robert-cronin
- @ANIRUDH-333 made their first contribution in #2307
- @hown3d made their first contribution in #2219
- @semmet95
- @pxp928
- @jeffmendoza
- @nathannaveen
- @lumjjb
What's Changed
- Feat/endoflife collector by @robert-cronin in #2215
- Feat/oci registry collector by @robert-cronin in #2185
- Bump arigaio/atlas from 5eac9e3 to a3b29b4 in /pkg/assembler/backends/ent/migrate by @dependabot in #2259
- Bump google.golang.org/api from 0.203.0 to 0.204.0 by @dependabot in #2255
- Bump anchore/sbom-action from 0.17.5 to 0.17.6 by @dependabot in #2260
- Bump cloud.google.com/go/storage from 1.45.0 to 1.46.0 by @dependabot in #2256
- Bump github.com/go-chi/chi/v5 from 5.0.12 to 5.1.0 by @dependabot in #2257
- Bump gocloud.dev/pubsub/kafkapubsub from 0.37.0 to 0.40.0 by @dependabot in #2258
- Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #2261
- Add CertifyLegal to query known package by @robert-cronin in #2254
- Fix: jsonl files are rejected by @robert-cronin in #2266
- Bump arigaio/atlas from a3b29b4 to 9e0d9f9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2263
- Updated GraphQL Testing by @nathannaveen in #2216
- plumbing to enable deps.dev on ingest by @lumjjb in #2265
- Bump arigaio/atlas from 9e0d9f9 to e6b4461 in /pkg/assembler/backends/ent/migrate by @dependabot in #2283
- Bump google.golang.org/grpc from 1.67.1 to 1.68.0 by @dependabot in #2287
- Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 by @dependabot in #2281
- Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #2282
- Bump github.com/nats-io/nats-server/v2 from 2.10.20 to 2.10.22 by @dependabot in #2284
- Bump github.com/regclient/regclient from 0.7.1 to 0.7.2 by @dependabot in #2285
- Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 by @dependabot in #2286
- Bump anchore/sbom-action from 0.17.6 to 0.17.7 by @dependabot in #2280
- Attempt to fix tilt-ci flakiness by @lumjjb in #2279
- Bump arigaio/atlas from e6b4461 to abe7313 in /pkg/assembler/backends/ent/migrate by @dependabot in #2289
- skip clearly defined tests for now because of flake by @lumjjb in #2291
- Bump arigaio/atlas from abe7313 to 062cd81 in /pkg/assembler/backends/ent/migrate by @dependabot in #2292
- Bump arigaio/atlas from 062cd81 to 404e6b4 in /pkg/assembler/backends/ent/migrate by @dependabot in #2293
- Export getGraphqlServer and accept initialized backend by @robert-cronin in #2243
- Bump arigaio/atlas from 404e6b4 to f672115 in /pkg/assembler/backends/ent/migrate by @dependabot in #2295
- Fix zizmor audits by @funnelfiasco in #2276
- Don't persist credentials in actions/checkout by @funnelfiasco in #2268
- Add depsdev guac client as a stepping stone to split up depsdev functionality by @lumjjb in #2278
- skip scanner cd test due to service timeout by @pxp928 in #2297
- Bump arigaio/atlas from f672115 to 0cabbd9 in /pkg/assembler/backends/ent/migrate by @dependabot in #2303
- Bump arigaio/atlas from 0cabbd9 to eaa219c in /pkg/assembler/backends/ent/migrate by @dependabot in #2304
- Feat/registry collector cli additions by @robert-cronin in #2241
- Fix/overwrite collector registration by @robert-cronin in #2288
- Bump arigaio/atlas from eaa219c to 66caa34 in /pkg/assembler/backends/ent/migrate by @dependabot in #2308
- bugfix: fixes service-poll env variable bug in s3 by @ANIRUDH-333 in #2307
- Bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #2298
- Bump github.com/google/osv-scanner from 1.9.0 to 1.9.1 by @dependabot in #2300
- Bump github.com/99designs/gqlgen from 0.17.55 to 0.17.56 by @dependabot in #2302
- Bump arigaio/atlas from 66caa34 to da62231 in /pkg/assembler/backends/ent/migrate by @dependabot in #2311
- Bump arigaio/atlas from da62231 to 4295312 in /pkg/assembler/backends/ent/migrate by @dependabot in #2312
- Address Flakiness in ClearlyDefined API by @robert-cronin in #2306
- Fix PURL to Coord conversion for Go by @jeffmendoza in #2305
- Collect additional metadata for vulnerabilities from OSV by @hown3d in #2219
- Improve test output formatting by @robert-cronin in #2310
- clearly defined url encode/add hyphen for namespace by @pxp928 in #2262
- Decouple backend specific config from guacgql cmd by @robert-cronin in #2247
- Bump github.com/sigstore/sigstore from 1.8.9 to 1.8.10 by @dependabot in #2301
- Bump entgo.io/ent from 0.14.0 to 0.14.1 by @dependabot in #2233
- Bump arigaio/atlas from 4295312 to 1a13b85 in /pkg/assembler/backends/ent/migrate by @dependabot in #2322
- Bump github.com/oapi-codegen/oapi-codegen/v2 from 2.3.1-0.20240823215434-d232e9efa9f5 to 2.4.1 by @dependabot in #2299
- Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #2321
- Bump github.com/aws/aws-sdk-go-v2 from 1.32.2 to 1.32.5 by @dependabot in #2318
- Bump golang.org/x/time from 0.7.0 to 0.8.0 by @dependabot in #2316
- Bump anchore/sbom-action from 0.17.7 to 0.17.8 by @dependabot in #2320
- Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #2319
- Bump github.com/aws/aws-sdk-go-v2/config from 1.27.39 to 1.28.5 by @dependabot in #2317
- Bump arigaio/atlas from 1a13b85 to d448aab in /pkg/assembler/backends/ent/migrate by @dependabot in #2323
- Bump arigaio/atlas from d448aab to 5c465fd in /pkg/assembler/backends/ent/migrate by @dependabot in #2324
- Bump arigaio/atlas from 5c465fd to a0d43a6 in /pkg/assembler/backends/ent/migrate by @dependabot in #2325
- Bump arigaio/atlas from a0d43a6 to 96753ab in /pkg/assembler/backends/ent/migrate by @dependabot in #2327
- Bump google.golang.org/api from 0.204.0 to 0.209.0 by @dependabot in #2336
- Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 by @dependabot in #2333
- Bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #2331
- Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.63.3 to 1.70.0 by @dependabot in #2332
- Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 by @dependabot in #2335
- Bump arigaio/atlas from 96753ab to dc46240 in /pkg/assembler/backends/ent/migrate by @dependabot in #2337
- Adjust workflow permissions for signing and publishing by @funnelfiasco in #2338
- Bump arigaio/atlas from dc46240 to 73374c5 in /pkg/assembler/backends/ent/migrate by @dependabot in #2340
- Bump arigaio/atlas from 73374c5 to 2ac9ef1 in /pkg/assembler/backends/ent/migrate by @dependabot in #2342
- fix: handles the case where empty pkgIDs slice is passed by @semmet95 in #2339
- Really fix the permissions this time by @funnelfiasco in #2341
- Reduce scorecard workflow permissions scope by @robert-cronin in #2326
...
v0.11.2
v0.11.1
- Improve batch query to only return latest timestamped values for CertVuln and CertLegal
What's Changed
- f97320f Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2239)
- 1d632d4 Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2242)
- 898894e Bump arigaio/atlas in /pkg/assembler/backends/ent/migrate (#2245)
- 094a31a Bump github.com/fsouza/fake-gcs-server from 1.50.0 to 1.50.2 (#2236)
- 48b1993 Bump github.com/getkin/kin-openapi from 0.127.0 to 0.128.0 (#2235)
- 35fd61c Bump github.com/klauspost/compress from 1.17.9 to 1.17.11 (#2237)
- 814bd26 Bump github/codeql-action from 3.26.13 to 3.27.0 (#2234)
- 68dfc47 Bump gocloud.dev/pubsub/rabbitpubsub from 0.39.0 to 0.40.0 (#2238)
- c571087 SPDX 'GENERATED_FROM' and 'GENERATES' management (#2249)
- 6fa0562 improve batch query (#2246)
v0.11.0
- Add batch querying for isDependency, CertifyVuln and CertifyLegal via Package Version ID
What's Changed
- 10b6b4d Add IsDependency batch querying (#2221)
- 6642687 Add vulnerability and License batch querying (#2218)
- c5d0a1f Bump actions/cache from 4.1.1 to 4.1.2 (#2228)
- 1756f10 Bump actions/checkout from 4.1.7 to 4.2.2 (#2227)
- bf89fc8 Bump actions/setup-go from 5.0.2 to 5.1.0 (#2224)
- c12ece6 Bump actions/setup-python from 5.2.0 to 5.3.0 (#2226)
- fdc22cc Bump actions/upload-artifact from 4.1.0 to 4.4.3 (#2225)
- d9bed92 Bump github.com/aws/aws-sdk-go-v2 from 1.32.1 to 1.32.2 (#2232)
- b09eca2 Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.5 (#2230)
- cd11a04 Bump golang.org/x/time from 0.6.0 to 0.7.0 (#2231)
- d0bc03a Bump google.golang.org/api from 0.199.0 to 0.203.0 (#2229)
- 265ce1d [StepSecurity] Apply security best practices (#2223)
v0.10.2
- Change hasSBOMList to add filter based on client usage
- add http handler to display version string
- update vuln attestation to (opinionatedly) follow intoto/vulns v0.1 spec
What's Changed
- 1a04f13 Bump actions/cache from 4.1.0 to 4.1.1 (#2196)
- 26663ea Bump anchore/sbom-action from 0.17.3 to 0.17.5 (#2208)
- 0e5cbe0 Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#2209)
- 7bebe65 Bump cloud.google.com/go/storage from 1.43.0 to 1.45.0 (#2211)
- 706f6d7 Bump github.com/99designs/gqlgen from 0.17.54 to 0.17.55 (#2213)
- 30e28d4 Bump github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.1 (#2214)
- 0b30860 Bump github.com/google/osv-scanner from 1.8.5 to 1.9.0 (#2210)
- 516bbda Bump github.com/vektah/gqlparser/v2 from 2.5.16 to 2.5.18 (#2212)
- 95ebb06 add vulnerability ID index on certifyVuln (#2203)
- 8e84bbe change hasSBOMList to add filter based on client usage (#2205)
- 0b6f4a9 fix #2206 add http handler to display version string (#2207)
- ff4744b update vuln attestation to (opinionatedly) follow intoto/vulns v0.1 spec (#2194)
v0.10.1
- Improve ENT query performance via Index
- Add ClearlyDefined to e2e test
- Fix bug for license scan on ingest
What's Changed
- 7ee10f0 Add ClearlyDefined to e2e test (#2168)
- fa21e35 Bump anchore/sbom-action from 0.17.2 to 0.17.3 (#2199)
- 55f1c26 Bump aquasecurity/trivy-action from 0.25.0 to 0.27.0 (#2198)
- f45eb33 Bump github/codeql-action from 3.26.12 to 3.26.13 (#2197)
- cff089f update batch size on clearly defined and fix bug that when ingesting licenses (#2200)
- ac93fb2 update query to ensure index is hit for certifyLegal, occurrence and hasSBOM (#2201)
v0.10.0
- Fix issues with certifier querying running into postgres parameter limit
- Fix: missing null check in certifyLegal blobstore backend
- Fix ite6 vuln attestation to use the right predicatetype
- Fix Flaky E2e Test