Skip to content

v4.8.0 Release

Latest
Compare
Choose a tag to compare
@github-actions github-actions released this 09 Oct 20:19
· 25 commits to main since this release
v4.8.0

Unreleased

v4.8.0 - 2024-10-09

NOTE

This release deprecates the updaters that rely on the Red Hat OVAL v2 security data in favor of the Red Hat VEX data. This change includes a database migration to delete all the vulnerabilities that originated from the OVAL v2 feeds, meaning there could be a time in production environments before the VEX updater completes for the first time when no Red Hat vulnerabilities exist. This release also contains a clairctl admin command to clean up the deprecated vulnerabilities outside of the migration workflow which allows an operator to pre-run the migration:

clairctl -D admin pre v4.8.0

Claircore

  • rhel: move IgnoreUnpatched config key from updater to matcher

    Previously the IgnoreUnpatched config key was a part of the RHEL updater and would dictate whether or not the updater would ingest unpatched vulnerabilities. This change moves that key to the RHEL matcher and dictates whether the matcher should check for a fixed_in_version when querying potential vulnerabilities. This makes the config option more usable at the expense of DB size.
  • rhel: add csaf/vex updater

    Replace the RHEL OVAL updater with a CSAF/VEX updater for Red Hat security data. Update the matching logic to deal with CPE patterns coming from the VEX files. Remove RHEL updater and add a migration to delete Red Hat OVAL data from the database.
  • datastore: add vuln and enrich stream updates

    In an effort to reduce memory consumption during updating the vulnerability database, add support for iterators. Extend Updater interface with `UpdateVulnerabilitiesIter` method that performs the same operation as `UpdateVulnerabilities` but accepts an iterator function instead of a slice. Also, extend the `EnrichmentUpdater` interface with `UpdateEnrichmentsIter` in the same way.
  • cpe: add match expression support

    This adds support for NIST IR 7696, aka CPE2.3 Name Matching. It's anticipated to be used in upcoming CSAF/VEX support. See https://doi.org/10.6028/NIST.IR.7696 for the specification.

'Chore

Admin

  • d3467bad: add pre v4.8.0 admin command to delete OVAL vulns
  • d53780b6: add a check for compatible migration version
  • 87c24a9c: add command to update go packages with norm_version
  • 02e6c925: add pre v4.7.3 admin command to create index

All

Amqp

  • 8fcd294c: migrate to maintained package
  • #1793### Auto
  • 07b0ea7b: improve log messages
  • #2092### Build(Deps)
  • 5092198b: bump golang.org/x/time from 0.6.0 to 0.7.0
  • e7b6deac: bump golang.org/x/net from 0.29.0 to 0.30.0
  • 55fb7735: bump github.com/klauspost/compress from 1.17.9 to 1.17.10
  • 7a2e7186: bump github.com/prometheus/client_golang
  • 698d9170: bump github.com/rogpeppe/go-internal from 1.12.0 to 1.13.1
  • 7ec7e04f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 96ee336f: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 5fb41ed8: bump golang.org/x/net from 0.28.0 to 0.29.0
  • 2a13e7b7: bump peter-evans/create-pull-request from 6 to 7
  • 061b1e09: bump github.com/prometheus/client_golang
  • a2c920f4: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • bbaece4e: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 24aff4e4: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • b203913a: bump github.com/prometheus/client_golang
  • 96937294: bump github.com/grafana/pyroscope-go/godeltaprof
  • 01b57db6: bump github.com/google/go-containerregistry
  • 7ceeaaa2: bump github.com/go-stomp/stomp/v3 from 3.1.1 to 3.1.2
  • c3ce1982: bump github.com/urfave/cli/v2 from 2.27.2 to 2.27.3
  • 95f5a5f2: bump github.com/google/go-containerregistry
  • 1a5f342c: bump github.com/go-stomp/stomp/v3 from 3.1.0 to 3.1.1
  • 5821a5bf: bump golang.org/x/net from 0.26.0 to 0.27.0
  • 08587861: bump github.com/google/go-containerregistry
  • 74914938: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 67bdbbbe: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • dd9d6760: bump go.opentelemetry.io/otel from 1.27.0 to 1.28.0
  • fcee4364: bump github.com/klauspost/compress from 1.17.8 to 1.17.9
  • 3f229e99: bump github.com/google/go-containerregistry
  • c5ae5021: bump docker/build-push-action from 5 to 6
  • 7400db24: bump golang.org/x/net from 0.25.0 to 0.26.0
  • 74b377b8: bump github.com/rs/zerolog from 1.32.0 to 1.33.0
  • 1fff0726: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • f2533fbf: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 5376a756: bump github.com/rabbitmq/amqp091-go from 1.9.0 to 1.10.0
  • d82ab343: bump golang.org/x/net from 0.24.0 to 0.25.0
  • 453d2c60: bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
  • 5323fa31: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 3e1f5c15: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 71078832: bump go.opentelemetry.io/otel from 1.25.0 to 1.26.0
  • 1006287a: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 43f3a3e4: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 343515af: bump github.com/klauspost/compress from 1.17.7 to 1.17.8
  • c3db2e4d: bump github.com/quay/claircore from 1.5.25 to 1.5.26
  • 4cf0febf: bump golang.org/x/sync from 0.6.0 to 0.7.0
  • 36d21edd: bump golang.org/x/net from 0.22.0 to 0.24.0
  • 93a70b35: bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.25.0
  • da30be8b: bump github.com/google/go-containerregistry
  • 5a5e1776: bump golang.org/x/net from 0.21.0 to 0.22.0
  • d4ceeea2: bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3
  • d64064ce: bump github.com/prometheus/client_golang
  • 06c9ddab: bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3
  • e4d79110: bump github.com/go-stomp/stomp/v3 from 3.0.6 to 3.1.0
  • d7c5821f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 523ebf7f: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 0803380f: bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2
  • a3e0786c: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 684c3ac3: bump peter-evans/create-pull-request from 6.0.0 to 6.0.1
  • 3fb2c921: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 51981290: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 115cbb22: bump github.com/go-stomp/stomp/v3 from 3.0.5 to 3.0.6
  • 43b164e7: bump golang.org/x/net from 0.20.0 to 0.21.0
  • acf2cdf6: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 0c7fe4dd: bump go.opentelemetry.io/otel/sdk from 1.22.0 to 1.23.1
  • 16a1504a: bump go.opentelemetry.io/otel from 1.22.0 to 1.23.1
  • 1f98abe7: bump peter-evans/create-pull-request from 5.0.2 to 6.0.0
  • fb5efb51: bump github.com/klauspost/compress from 1.17.5 to 1.17.6
  • 8dbacd3c: bump github.com/rs/zerolog from 1.31.0 to 1.32.0
  • 96d34f64: bump github.com/google/go-containerregistry
  • 3bcf9aac: bump github.com/klauspost/compress from 1.17.4 to 1.17.5
  • 19afbbbe: bump github.com/evanphx/json-patch/v5 from 5.8.0 to 5.9.0
  • 50eb4b52: bump github.com/google/uuid from 1.5.0 to 1.6.0
  • 4ed100ec: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 1d338051: bump actions/cache from 3 to 4
  • a0e1ba8b: bump github.com/grafana/pyroscope-go/godeltaprof
  • 1ab0557b: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • fcf0ccdd: bump go.opentelemetry.io/otel/sdk from 1.21.0 to 1.22.0
  • 6fe56438: bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.0
  • 6ef2554e: bump golang.org/x/net from 0.19.0 to 0.20.0
  • 7b48e897: bump golang.org/x/sync from 0.5.0 to 0.6.0
  • c25d841a: bump github.com/quay/zlog from 1.1.7 to 1.1.8
  • 94b57fa0: bump github.com/prometheus/client_golang
  • ad2c872c: bump github.com/urfave/cli/v2 from 2.26.0 to 2.27.1
  • 2159bfb5: bump github.com/google/uuid from 1.4.0 to 1.5.0
  • aaa335b3: bump golang.org/x/crypto from 0.16.0 to 0.17.0
  • 9c588cf5: bump github.com/google/go-containerregistry
  • cbc166d6: bump actions/upload-artifact from 3 to 4
  • 355cab98: bump actions/download-artifact from 3 to 4
  • 7b7ff298: bump github.com/ugorji/go/codec from 1.2.11 to 1.2.12
  • 45625c51: bump github.com/urfave/cli/v2 from 2.25.7 to 2.26.0
  • b6b39706: bump actions/setup-go from 4 to 5
  • 913a5114: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 71c66638: bump github.com/klauspost/compress from 1.17.2 to 1.17.4
  • 825dddc1: bump golang.org/x/net from 0.17.0 to 0.19.0
  • e7314325: bump actions/stale from 8 to 9
  • 99291347: bump github.com/quay/zlog from 1.1.5 to 1.1.7
  • d75c2c40: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 83a935dd: bump go.opentelemetry.io/otel/sdk from 1.20.0 to 1.21.0
  • 4db3b77e: bump github.com/go-jose/go-jose/v3
  • 1b2248b9: update opentelemetry modules
  • #1909 - #1911 - #1912 - #1913- 4a84b949: bump github.com/google/uuid from 1.3.1 to 1.4.0
  • efc1ab07: bump golang.org/x/time from 0.3.0 to 0.4.0
  • 61aa3ebd: bump golang.org/x/sync from 0.4.0 to 0.5.0
  • 54eb2e85: bump github.com/google/go-cmp from 0.5.9 to 0.6.0
  • b0497e58: bump github.com/klauspost/compress from 1.17.0 to 1.17.2
  • a90ecc45: bump go.opentelemetry.io/otel/sdk from 1.17.0 to 1.19.0
  • 55dc551f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 5a8c21a0: bump github.com/google/go-cmp in /config
  • f3072d19: bump go.opentelemetry.io/otel from 1.18.0 to 1.19.0
  • 8468d861: bump golang.org/x/net from 0.16.0 to 0.17.0
  • afafe835: bump golang.org/x/net from 0.15.0 to 0.16.0
  • f162e1ce: bump github.com/rs/zerolog from 1.30.0 to 1.31.0
  • e6f72bc4: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • c0eef84b: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 7129bacf: bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0
  • 6969e003: bump docker/setup-buildx-action from 2 to 3
  • 606c5c9b: bump docker/login-action from 2 to 3
  • 24eb3f71: bump docker/build-push-action from 4 to 5
  • dbaebb58: bump docker/setup-qemu-action from 2 to 3
  • a31be2e2: bump actions/checkout from 3 to 4
  • 480996b1: bump go.opentelemetry.io/otel/exporters/jaeger
  • bc21afa0: bump github.com/google/uuid from 1.3.0 to 1.3.1
  • 5ae4f0fa: bump github.com/google/go-containerregistry
  • 56cd1851: bump github.com/rs/zerolog from 1.29.1 to 1.30.0
  • 67b92e71: bump golang.org/x/net from 0.12.0 to 0.15.0
  • a478ce91: bump github.com/pyroscope-io/godeltaprof

Chore

  • 05680a2b: v4.8.0 changelog bump
  • 94113d95: update claircore to v1.5.32
  • e77deb98: update config module to v1.4.1
  • e5fca953: update references to rhel updater to rhel-vex updater
  • 64b66ff9: update go version to specific patch
  • 89ebd521: update go version to 1.22
  • 9333770e: update claircore to v1.5.31
  • 93fa883d: update claircore to v1.5.30
  • 1209772d: update claircore to v1.5.29
  • 3c623553: run the go formatting over the repo
  • 7703b4a2: fix some comments
  • 7d3f12e3: use the merge-multiple directive when downloading binaries
  • b5a0d8a6: update claircore to v1.5.28
  • ac255112: Add merge step when creating release binaries
  • 5dc73b16: update go version for release
  • ea990567: update claircore to v1.5.27
  • 0bf9286e: update production manifest with new tmp dir
  • 6a3ce17f: update go version
  • 3e5740e0: remove repetitive word
  • 222f2273: update claircore to v1.5.25
  • 7ac4609b: update claircore to v1.5.24
  • bad8abe5: update claircore to v1.5.23
  • c81b3b9a: update claircore to v1.5.22
  • a9b5e91d: update claircore to v1.5.21
  • 6de0d807: Add Go 1.22 support via moved godeltaprof dependancy bump
  • b65445ce: clean up sample config
  • a359eb01: migrate go-jose to maintained version
  • 5cf5fb8d: update claircore to v1.5.20
  • 180fa4f4: bump claircore to v1.5.16
  • 696b266e: bump claircore to v1.5.15
  • 2829eacf: bump claircore to v1.5.14

Cicd

  • dbcfe30d: tweak login behavior
  • 6861b804: remove second go-caching action
  • c42bee62: improve nightly script output
  • 08581d82: tweaks to the set-image-expiration action
  • 3b650c56: fix nightly build
  • 6884969b: add /var/tmp mount to make sure it's on a real filesystem
  • 139aed21: reorganize the docker test so that it's less error-prone
  • b48682a4: remove comment that the linter complained about
  • bf7005f0: add /fast-forward command
  • d11a2602: add container version skew check
  • fd153765: update testing workflow
  • 23a8c33d: don't upload workspace on failure
  • 6f3b1347: update actions/cache version
  • 0604f1e6: change version specifiers to be major-version only
  • 718ef948: make nightly script shellcheck-clean

Clair

  • ba6fc371: add platform-specific signals
  • 76a5d50b: break cancellation chain for request contexts
  • b0086d80: redo shutdown structure
  • #1946### Clairctl
  • 13acc582: warn when range requests are not honored

Cmd

Compress

  • c90a55fd: update compression middleware

Config

  • 33a77438: update minimum TLS version for server
  • e0a1f235: Update comment to describe currently supported updaters
  • 36210370: add Sentry config
  • 33cc3e5c: add OTLP configuration types
  • f503d670: fix typo

Contrib

  • 74974320: correct position of startupProbe spec
  • 5ad0d6be: update build_and_deploy.sh script
  • accee22f: account for different container engine clients
  • 1160febe: update build script to use podman
  • f19b59bd: remove rms that were needed for previous fetcher
  • b60d8266: update dashboard regex
  • 4405fdad: simplify openshift/pr_check.sh
  • 16bd3666: add grafana dashboards for deletion metrics

Contrib/Openshfit

  • 89af3db1: only start buildkitd container if needed

Contrib/Openshift

  • ab6e9e07: login shenanigans
  • 002df72b: avoid patching when using upstream images

Doc

Dockerfile

Docs

  • 038966e2: add building and Makefile usage sections
  • 137b6c50: add mention of disk space path and usage
  • 1e78f45a: add OTLP configuration to prose documentation
  • eb54b889: add dropins to prose documentation
  • #1783### Documentation
  • 80482345: add more information on how to test and get started

Documentation

  • 38b72352: correct stale configuration options

Httptransport

  • 20582315: fix test flake
  • df348dc9: GET vuln report returns 404 when indexing in-progress
  • e84883f7: change api error handling to panic internally
  • c7920962: add metrics test
  • 15732398: add unauthenticated "/robots.txt" endpoint
  • 201ed2be: add "robots.txt" endpoint
  • 5262f773: add client-close detection
  • e97f6b3c: use compression middleware
  • 0d2bf7e6: lints
  • d4b9d30f: rework constructor
  • 067bf861: update DiscoveryHandler to new style
  • 7a1186e3: re-instrument handlers with new primitives
  • bddbc57b: exit goroutine in error helper

Httputil

Initialize

  • 4686fb46: use defaults for NewRemoteFetcher

Introspection

Makefile

Openshift

  • 6bb55a21: add backstop cron manifest
  • 3615748d: handle multiple Dockerfiles in build script
  • 5f36fc12: have the pr_check script "dry run" a build
  • 3d3c03ce: add "dry run" flag
  • 135af0e0: make build_and_deploy script shellcheck-clean

Quaybackstop

README

Stomp

Webhook