- Chore: remove cliff.toml configuration
- Chore: rebuild images
- Config de-duplication (moved some rules into the main config.toml)
- Improve config validation for [[ignores]] sections
- Add 4.14 configuration.
- Add semver sort of stored config versions
- Add `--walk-scan` flag to node scan. If set, the scan uses the same algorithm as `scan payload` (walk the directory tree and scan all files). Note that per-payload and per-tag configuration entries are still ignored because neither tag nor component is set.
- Add `--rpm-scan` flag to payload and image scan. If set, the scan uses the same algorithm and rules as `scan node` (only scan files belonging to RPM packages, and ignore per-payload and per-tag configuration entries).
- Fix error text in message when logging scan node failure/warning
- Fix checking for duplicates in config validation logic
This is a major release, which allows more fine-grained exceptions configuration. Instead of merely excluding some files from being checked, it is now possible to ignore specific well-known errors for specific files or directories in specific RPM packages, components, or tags.
In addition, per-rpm configuration rules ([rpm.xxx], previously known as [node.xxx]) are now applicable to payload and image scans, alleviating the need to duplicate the exclusions.
The exceptions printing (`-p`) now prints exceptions in the new format (per-error, also per-rpm if possible, or per-component, or per-tag), making it easier to maintain configurations.
Another notable feature is that a versioned configuration is now merged into the main one, rather than replacing it, allowing exclusions common to multiple OpenShift versions to be specified in the main configuration file.
The configurations were rewritten mostly using the new rules. Due to this, some previously added exceptions might be lost and need to be re-added.
Some validations of the configuration were added, and invalid configurations might now be rejected (or warned about, depending on the severity). An example of such a bad configuration is a non-canonical (non-clean or not absolute) file name.
A number of performance optimizations have been made, and the tool no longer requires the "file" and "go" binaries to be present on the system.
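The two configuration behaviours described above, rejecting non-canonical file names and merging a versioned configuration into the main one with duplicate checks, can be shown with a small Go program. This is an added example, not code from the project; the `IgnoreEntry`/`Config` types, the `ValidatePath` and `Merge` functions, and the sample paths and error names are all constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// IgnoreEntry is a hypothetical, simplified stand-in for one ignore rule:
// a file path plus the known error that file is allowed to produce.
type IgnoreEntry struct {
	Path  string
	Error string
}

// Config holds the ignore entries from one configuration file
// (either the main one or a versioned one).
type Config struct {
	Ignores []IgnoreEntry
}

// ValidatePath rejects a non-canonical file name: the path must be
// absolute and already clean (no "..", "./", doubled or trailing slashes),
// so that it compares reliably against paths found during a scan.
func ValidatePath(p string) error {
	if !filepath.IsAbs(p) {
		return fmt.Errorf("path %q is not absolute", p)
	}
	if clean := filepath.Clean(p); clean != p {
		return fmt.Errorf("path %q is not clean (canonical form is %q)", p, clean)
	}
	return nil
}

// key identifies an entry for duplicate detection.
func key(e IgnoreEntry) string {
	return e.Path + "\x00" + e.Error
}

// Validate checks every entry and collects all problems instead of
// stopping at the first one, so a bad configuration is reported completely.
func (c Config) Validate() []error {
	var errs []error
	seen := map[string]bool{}
	for _, e := range c.Ignores {
		if err := ValidatePath(e.Path); err != nil {
			errs = append(errs, err)
		}
		if seen[key(e)] {
			errs = append(errs, fmt.Errorf("duplicate ignore for %q / %q", e.Path, e.Error))
		}
		seen[key(e)] = true
	}
	return errs
}

// Merge adds the versioned configuration's entries to the base (main) one.
// Both inputs are validated first. An entry already present in the base
// configuration is reported as a duplicate rather than silently accepted,
// since it usually means the exception belongs in the main file only.
func Merge(base, versioned Config) (Config, []error) {
	errs := append(base.Validate(), versioned.Validate()...)
	seen := map[string]bool{}
	for _, e := range base.Ignores {
		seen[key(e)] = true
	}
	merged := Config{Ignores: append([]IgnoreEntry(nil), base.Ignores...)}
	for _, e := range versioned.Ignores {
		if seen[key(e)] {
			errs = append(errs, fmt.Errorf("entry %q / %q duplicates the main config", e.Path, e.Error))
			continue
		}
		seen[key(e)] = true
		merged.Ignores = append(merged.Ignores, e)
	}
	return merged, errs
}

func main() {
	// Constructed sample data: one entry shared by both files, one bad path.
	base := Config{Ignores: []IgnoreEntry{{"/usr/bin/example-a", "example-error-1"}}}
	versioned := Config{Ignores: []IgnoreEntry{
		{"/usr/bin/example-a", "example-error-1"}, // duplicate of the main config
		{"usr/lib/example-b", "example-error-2"},  // relative path: rejected
	}}
	merged, errs := Merge(base, versioned)
	for _, err := range errs {
		fmt.Println("config error:", err)
	}
	fmt.Printf("%d ignore entries after merge\n", len(merged.Ignores))
}
```

The duplicate check is keyed on path plus error name, so the same file may legitimately carry two different known errors; only an exact repeat is flagged.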
- Ensure the configuration is fully parsed
- Remove dependency on go binary
- Rename node ignores to rpm ignores in configs
- Use rpm name only (not name-version-release.arch) in configs
- Report rpm name in image/payload scan results
- Use per-rpm config filters in image/payload scans
- Add tag and rpm support to displayExceptions
- Show component, tag, rpm in log
- Unify node and payload/image reports
- Add known errors
- Add ability to ignore specific known errors for specific files/dirs
- Display exceptions in the new per-error format
- Major config facelift using (mostly) per-error exclusions
- Make the versioned config (e.g. -V 4.12) added to the main one, implement config merging with duplicate checks
- Add configuration validation (absolute/clean URLs, etc)
- Node scan: use dbpath in all rpm calls for node
- Add warning where there are no build tags in Golang binary
- Fix "Successful run" message when there are warnings
- Log the entire configuration, not a part of it
- Check for and report errors from isGoExecutable
- node scan: report warnings as such
- Hide "found operator" messages under increased verbosity level
- Do not ignore rpm -qa errors from node scan
- Add/use getTag, getImage, getComponent to avoid potential nil dereferences
- Report, do not lose error from filepath.WalkDir
- Log inner path in node scan
- scan payload: require either --url or -- file
- Store semver in baton
- Instantiate go semver constraint only once
- Instantiate go tag mapsets only once
- Optimize validateGoVersion, add a benchmark
- Improve regexp use in validateGoTags, add a benchmark
- validateGoTags: simplify and speedup
- validateStringsOpenssl: simplify and speedup
- ReadTable: do not build a map
- Skip all files with no x bit set
- Use debug/elf (rather than spawning file tool) to detect static binaries
- Remove unused code and variables
- Unify loop in scanBinary
- ExpectedSyms: document, refactor, return bool
- Simplify displayExceptions
- Remove tag argument from validation functions
- Move rpm-related functionality to a separate package
- Simplify file mode check in RunNodeScan
- Simplify returns from validateTag
- Simplify return from RunOperatorScan
- Remove tag and component arguments from ScanBinary
- Add OWNERS file
- CI: add golangci-lint timeout
- GH: add dependabot configuration
- GH: add ok-to-test label to dependabot
- Add vendor directory
- CI: add make test
- CI: test that embedded configs are sane
- CI: tests for config merge
- Fix remove container create/rm step
- Remove obsoleted requirements
- Use RPM name in node scan
- perf: validateGoSymbols and skip early
- perf: compile regexes only once
- perf: isGoExecutable do not use regexp
- Add node ignores
- Add 4.9, 4.10, 4.11, 4.12, 4.13 config files
- Add warning support and `--fail-on-warnings`
- Embed per-version config files, allow to choose one using the `-V`, `--config-for-version` option (for example: `scan -V 4.12 payload ...`)
- Fixes to -p output
- Add support for per-tag ignores
- Add config file for 4.12
- Cleanup Go symbols error message
- Fix PIE executables detection
- GHA-related fixes to CI
- Add LICENSE
- Add support for per-payload image ignores
- Add exception printer (-p) option
- Configuration: add more exceptions
- CHANGELOG: cleanup
- README: add prerequisites
- Add rhel9 fips symbol
- Add `sysroot` to filtered directories list
- Use file open instead of strings
- Add `/usr/src/multus-cni/rhel7/bin/multus` to filter list
- Check for `fips_mode`
- Add more binaries to filter list: `/usr/local/bin/catatonit`
- Use rootfs
- Fix openssl detection
- Support specifying pull secret for oc adm release info
- Add more binaries to filter list: `grpc_health_probe`
- Podman: cleanup container
- Improve memory usage for `node_scan`
- Use backup entrypoint /bin/sh
- Allow for alternate entrypoints
- Add CPU profiling
- ScanBinary: check for ELF binary first
- ValidateGoLinux: remove
- Remove mime type check
- Make logging less verbose by default for `node_scan`
- Add more binaries to filter list: `glibc_post_upgrade`, `ldconfig`, `sln`
- Cleanup and print operator components
- If there is no crypto then skip openssl test
- Add `dumb-init` to the filter list
- Fix missing header column
- Remove scanner and use buffer directly to prevent 'token too long' errors
- Fix readme
- Fix `--verbose` option
- Fix parsing `--config`
- Fix bogus "found too many crypto libraries"
- Add `-u` and `-f` short commands
- Wire the klog flags
- Simplify logging
- Make logging less verbose by default
- Podman: simplify logging
- Fix libcrypto regex
- Split filter-paths into dirs and files
- Scan for dependent openssl library within container
- Go mod tidy
- runNodeScan: Faster symlink detection
- scanBinary: Less repetitions
- scanBinary: pass topDir and innerPath
- Update readme
- Add cobra commandline control
- Should use 777 permissions
- Document filter for node scan
- Document pinns
- Add insecure pull option
- Add embedded ignore list and config file
- Ignore removed file from node scan
- Update readme
- Add multierror to capture all dependent binaries
- Add operator detection
- Add build-locale-archive to the ignore list
- Check for `_cgo_init` (fixes 4.10)
- Ignore `CGO_ENABLED` for golang <= 1.17 (fixes 4.10)
- Add latest to changelog generation
- Add release information blurb
- Use upstream golang image and remove port
- Disable cgo... allows for slightly smaller binary
- first gitlab pipeline release
- Use git describe for version info
- Add release and changelog
- Skip `CGO_ENABLED` check on go versions < 1.17
- Ignore `tini-static`
- Add golang tags validation
- Add Makefile
- Fix markdown lint