Unreleased
v4.8.0 - 2024-10-09
NOTE
This release deprecates the updaters that rely on the Red Hat OVAL v2 security data in favor of the Red Hat VEX data. This change includes a database migration to delete all the vulnerabilities that originated from the OVAL v2 feeds, meaning there could be a time in production environments before the VEX updater completes for the first time when no Red Hat vulnerabilities exist. This release also contains a clairctl
admin command to clean up the deprecated vulnerabilities outside of the migration workflow which allows an operator to pre-run the migration:
clairctl -D admin pre v4.8.0
Claircore
-
rhel: move IgnoreUnpatched config key from updater to matcher
Previously the IgnoreUnpatched config key was a part of the RHEL updater and would dictate whether or not the updater would ingest unpatched vulnerabilities. This change moves that key to the RHEL matcher and dictates whether the matcher should check for a fixed_in_version when querying potential vulnerabilities. This makes the config option more usable at the expense of DB size. -
rhel: add csaf/vex updater
Replace the RHEL OVAL updater with a CSAF/VEX updater for Red Hat security data. Update the matching logic to deal with CPE patterns coming from the VEX files. Remove RHEL updater and add a migration to delete Red Hat OVAL data from the database. -
datastore: add vuln and enrich stream updates
In an effort to reduce memory consumption during updating the vulnerability database, add support for iterators. Extend Updater interface with `UpdateVulnerabilitiesIter` method that performs the same operation as `UpdateVulnerabilities` but accepts an iterator function instead of a slice. Also, extend the `EnrichmentUpdater` interface with `UpdateEnrichmentsIter` in the same way. -
cpe: add match expression support
This adds support for NIST IR 7696, aka CPE2.3 Name Matching. It's anticipated to be used in upcoming CSAF/VEX support. See https://doi.org/10.6028/NIST.IR.7696 for the specification.
'Chore
- ab3a754e: update claircore to v1.5.19
- f783b356: update claircore to v1.5.18
- 9286ab86: update claircore to v1.5.17
Admin
- d3467bad: add pre v4.8.0 admin command to delete OVAL vulns
- d53780b6: add a check for compatible migration version
- 87c24a9c: add command to update go packages with norm_version
- 02e6c925: add pre v4.7.3 admin command to create index
All
Amqp
- 8fcd294c: migrate to maintained package
- #1793### Auto
- 07b0ea7b: improve log messages
- #2092### Build(Deps)
- 5092198b: bump golang.org/x/time from 0.6.0 to 0.7.0
- e7b6deac: bump golang.org/x/net from 0.29.0 to 0.30.0
- 55fb7735: bump github.com/klauspost/compress from 1.17.9 to 1.17.10
- 7a2e7186: bump github.com/prometheus/client_golang
- 698d9170: bump github.com/rogpeppe/go-internal from 1.12.0 to 1.13.1
- 7ec7e04f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 96ee336f: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 5fb41ed8: bump golang.org/x/net from 0.28.0 to 0.29.0
- 2a13e7b7: bump peter-evans/create-pull-request from 6 to 7
- 061b1e09: bump github.com/prometheus/client_golang
- a2c920f4: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- bbaece4e: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 24aff4e4: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- b203913a: bump github.com/prometheus/client_golang
- 96937294: bump github.com/grafana/pyroscope-go/godeltaprof
- 01b57db6: bump github.com/google/go-containerregistry
- 7ceeaaa2: bump github.com/go-stomp/stomp/v3 from 3.1.1 to 3.1.2
- c3ce1982: bump github.com/urfave/cli/v2 from 2.27.2 to 2.27.3
- 95f5a5f2: bump github.com/google/go-containerregistry
- 1a5f342c: bump github.com/go-stomp/stomp/v3 from 3.1.0 to 3.1.1
- 5821a5bf: bump golang.org/x/net from 0.26.0 to 0.27.0
- 08587861: bump github.com/google/go-containerregistry
- 74914938: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 67bdbbbe: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- dd9d6760: bump go.opentelemetry.io/otel from 1.27.0 to 1.28.0
- fcee4364: bump github.com/klauspost/compress from 1.17.8 to 1.17.9
- 3f229e99: bump github.com/google/go-containerregistry
- c5ae5021: bump docker/build-push-action from 5 to 6
- 7400db24: bump golang.org/x/net from 0.25.0 to 0.26.0
- 74b377b8: bump github.com/rs/zerolog from 1.32.0 to 1.33.0
- 1fff0726: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- f2533fbf: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 5376a756: bump github.com/rabbitmq/amqp091-go from 1.9.0 to 1.10.0
- d82ab343: bump golang.org/x/net from 0.24.0 to 0.25.0
- 453d2c60: bump github.com/urfave/cli/v2 from 2.27.1 to 2.27.2
- 5323fa31: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 3e1f5c15: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 71078832: bump go.opentelemetry.io/otel from 1.25.0 to 1.26.0
- 1006287a: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 43f3a3e4: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 343515af: bump github.com/klauspost/compress from 1.17.7 to 1.17.8
- c3db2e4d: bump github.com/quay/claircore from 1.5.25 to 1.5.26
- 4cf0febf: bump golang.org/x/sync from 0.6.0 to 0.7.0
- 36d21edd: bump golang.org/x/net from 0.22.0 to 0.24.0
- 93a70b35: bump go.opentelemetry.io/otel/sdk from 1.24.0 to 1.25.0
- da30be8b: bump github.com/google/go-containerregistry
- 5a5e1776: bump golang.org/x/net from 0.21.0 to 0.22.0
- d4ceeea2: bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3
- d64064ce: bump github.com/prometheus/client_golang
- 06c9ddab: bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.3
- e4d79110: bump github.com/go-stomp/stomp/v3 from 3.0.6 to 3.1.0
- d7c5821f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 523ebf7f: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- 0803380f: bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2
- a3e0786c: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 684c3ac3: bump peter-evans/create-pull-request from 6.0.0 to 6.0.1
- 3fb2c921: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 51981290: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 115cbb22: bump github.com/go-stomp/stomp/v3 from 3.0.5 to 3.0.6
- 43b164e7: bump golang.org/x/net from 0.20.0 to 0.21.0
- acf2cdf6: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- 0c7fe4dd: bump go.opentelemetry.io/otel/sdk from 1.22.0 to 1.23.1
- 16a1504a: bump go.opentelemetry.io/otel from 1.22.0 to 1.23.1
- 1f98abe7: bump peter-evans/create-pull-request from 5.0.2 to 6.0.0
- fb5efb51: bump github.com/klauspost/compress from 1.17.5 to 1.17.6
- 8dbacd3c: bump github.com/rs/zerolog from 1.31.0 to 1.32.0
- 96d34f64: bump github.com/google/go-containerregistry
- 3bcf9aac: bump github.com/klauspost/compress from 1.17.4 to 1.17.5
- 19afbbbe: bump github.com/evanphx/json-patch/v5 from 5.8.0 to 5.9.0
- 50eb4b52: bump github.com/google/uuid from 1.5.0 to 1.6.0
- 4ed100ec: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 1d338051: bump actions/cache from 3 to 4
- a0e1ba8b: bump github.com/grafana/pyroscope-go/godeltaprof
- 1ab0557b: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- fcf0ccdd: bump go.opentelemetry.io/otel/sdk from 1.21.0 to 1.22.0
- 6fe56438: bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.0
- 6ef2554e: bump golang.org/x/net from 0.19.0 to 0.20.0
- 7b48e897: bump golang.org/x/sync from 0.5.0 to 0.6.0
- c25d841a: bump github.com/quay/zlog from 1.1.7 to 1.1.8
- 94b57fa0: bump github.com/prometheus/client_golang
- ad2c872c: bump github.com/urfave/cli/v2 from 2.26.0 to 2.27.1
- 2159bfb5: bump github.com/google/uuid from 1.4.0 to 1.5.0
- aaa335b3: bump golang.org/x/crypto from 0.16.0 to 0.17.0
- 9c588cf5: bump github.com/google/go-containerregistry
- cbc166d6: bump actions/upload-artifact from 3 to 4
- 355cab98: bump actions/download-artifact from 3 to 4
- 7b7ff298: bump github.com/ugorji/go/codec from 1.2.11 to 1.2.12
- 45625c51: bump github.com/urfave/cli/v2 from 2.25.7 to 2.26.0
- b6b39706: bump actions/setup-go from 4 to 5
- 913a5114: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 71c66638: bump github.com/klauspost/compress from 1.17.2 to 1.17.4
- 825dddc1: bump golang.org/x/net from 0.17.0 to 0.19.0
- e7314325: bump actions/stale from 8 to 9
- 99291347: bump github.com/quay/zlog from 1.1.5 to 1.1.7
- d75c2c40: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 83a935dd: bump go.opentelemetry.io/otel/sdk from 1.20.0 to 1.21.0
- 4db3b77e: bump github.com/go-jose/go-jose/v3
- 1b2248b9: update opentelemetry modules
- #1909 - #1911 - #1912 - #1913- 4a84b949: bump github.com/google/uuid from 1.3.1 to 1.4.0
- efc1ab07: bump golang.org/x/time from 0.3.0 to 0.4.0
- 61aa3ebd: bump golang.org/x/sync from 0.4.0 to 0.5.0
- 54eb2e85: bump github.com/google/go-cmp from 0.5.9 to 0.6.0
- b0497e58: bump github.com/klauspost/compress from 1.17.0 to 1.17.2
- a90ecc45: bump go.opentelemetry.io/otel/sdk from 1.17.0 to 1.19.0
- 55dc551f: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
- 5a8c21a0: bump github.com/google/go-cmp in /config
- f3072d19: bump go.opentelemetry.io/otel from 1.18.0 to 1.19.0
- 8468d861: bump golang.org/x/net from 0.16.0 to 0.17.0
- afafe835: bump golang.org/x/net from 0.15.0 to 0.16.0
- f162e1ce: bump github.com/rs/zerolog from 1.30.0 to 1.31.0
- e6f72bc4: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
- c0eef84b: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
- 7129bacf: bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0
- 6969e003: bump docker/setup-buildx-action from 2 to 3
- 606c5c9b: bump docker/login-action from 2 to 3
- 24eb3f71: bump docker/build-push-action from 4 to 5
- dbaebb58: bump docker/setup-qemu-action from 2 to 3
- a31be2e2: bump actions/checkout from 3 to 4
- 480996b1: bump go.opentelemetry.io/otel/exporters/jaeger
- bc21afa0: bump github.com/google/uuid from 1.3.0 to 1.3.1
- 5ae4f0fa: bump github.com/google/go-containerregistry
- 56cd1851: bump github.com/rs/zerolog from 1.29.1 to 1.30.0
- 67b92e71: bump golang.org/x/net from 0.12.0 to 0.15.0
- a478ce91: bump github.com/pyroscope-io/godeltaprof
Chore
- 05680a2b: v4.8.0 changelog bump
- 94113d95: update claircore to v1.5.32
- e77deb98: update config module to v1.4.1
- e5fca953: update references to rhel updater to rhel-vex updater
- 64b66ff9: update go version to specific patch
- 89ebd521: update go version to 1.22
- 9333770e: update claircore to v1.5.31
- 93fa883d: update claircore to v1.5.30
- 1209772d: update claircore to v1.5.29
- 3c623553: run the go formatting over the repo
- 7703b4a2: fix some comments
- 7d3f12e3: use the merge-multiple directive when downloading binaries
- b5a0d8a6: update claircore to v1.5.28
- ac255112: Add merge step when creating release binaries
- 5dc73b16: update go version for release
- ea990567: update claircore to v1.5.27
- 0bf9286e: update production manifest with new tmp dir
- 6a3ce17f: update go version
- 3e5740e0: remove repetitive word
- 222f2273: update claircore to v1.5.25
- 7ac4609b: update claircore to v1.5.24
- bad8abe5: update claircore to v1.5.23
- c81b3b9a: update claircore to v1.5.22
- a9b5e91d: update claircore to v1.5.21
- 6de0d807: Add Go 1.22 support via moved godeltaprof dependancy bump
- b65445ce: clean up sample config
- a359eb01: migrate go-jose to maintained version
- 5cf5fb8d: update claircore to v1.5.20
- 180fa4f4: bump claircore to v1.5.16
- 696b266e: bump claircore to v1.5.15
- 2829eacf: bump claircore to v1.5.14
Cicd
- dbcfe30d: tweak login behavior
- 6861b804: remove second go-caching action
- c42bee62: improve nightly script output
- 08581d82: tweaks to the set-image-expiration action
- 3b650c56: fix nightly build
- 6884969b: add /var/tmp mount to make sure it's on a real filesystem
- 139aed21: reorganize the docker test so that it's less error-prone
- b48682a4: remove comment that the linter complained about
- bf7005f0: add
/fast-forward
command - d11a2602: add container version skew check
- fd153765: update testing workflow
- 23a8c33d: don't upload workspace on failure
- 6f3b1347: update actions/cache version
- 0604f1e6: change version specifiers to be major-version only
- 718ef948: make nightly script shellcheck-clean
Clair
- ba6fc371: add platform-specific signals
- 76a5d50b: break cancellation chain for request contexts
- b0086d80: redo shutdown structure
- #1946### Clairctl
- 13acc582: warn when range requests are not honored
Cmd
Compress
- c90a55fd: update compression middleware
Config
- 33a77438: update minimum TLS version for server
- e0a1f235: Update comment to describe currently supported updaters
- 36210370: add Sentry config
- 33cc3e5c: add OTLP configuration types
- f503d670: fix typo
Contrib
- 74974320: correct position of startupProbe spec
- 5ad0d6be: update
build_and_deploy.sh
script - accee22f: account for different container engine clients
- 1160febe: update build script to use podman
- f19b59bd: remove rms that were needed for previous fetcher
- b60d8266: update dashboard regex
- 4405fdad: simplify openshift/pr_check.sh
- 16bd3666: add grafana dashboards for deletion metrics
Contrib/Openshfit
- 89af3db1: only start buildkitd container if needed
Contrib/Openshift
Doc
- 244183ee: fix typo
Dockerfile
- f7abfe50: update with new syntax and features
- e2fbf199: add
GOTOOLCHAIN
- e871998f: tweak ignores
- d78d3beb: remove sh loop
Docs
- 038966e2: add building and Makefile usage sections
- 137b6c50: add mention of disk space path and usage
- 1e78f45a: add OTLP configuration to prose documentation
- eb54b889: add dropins to prose documentation
- #1783### Documentation
- 80482345: add more information on how to test and get started
Documentation
- 38b72352: correct stale configuration options
Httptransport
- 20582315: fix test flake
- df348dc9: GET vuln report returns 404 when indexing in-progress
- e84883f7: change api error handling to panic internally
- c7920962: add metrics test
- 15732398: add unauthenticated "/robots.txt" endpoint
- 201ed2be: add "robots.txt" endpoint
- 5262f773: add client-close detection
- e97f6b3c: use compression middleware
- 0d2bf7e6: lints
- d4b9d30f: rework constructor
- 067bf861: update DiscoveryHandler to new style
- 7a1186e3: re-instrument handlers with new primitives
- bddbc57b: exit goroutine in error helper
Httputil
Initialize
- 4686fb46: use defaults for NewRemoteFetcher
Introspection
Makefile
- 95a765f4: fix direct
go
command - a9a8ec98: make
buildctl
usage more convenient - 2c093d9c: force line endings for
git archive
- f7bfacf1: rebuild the make setup
- 7cc2107b: updates
Openshift
- 6bb55a21: add backstop cron manifest
- 3615748d: handle multiple Dockerfiles in build script
- 5f36fc12: have the pr_check script "dry run" a build
- 3d3c03ce: add "dry run" flag
- 135af0e0: make build_and_deploy script shellcheck-clean
Quaybackstop
- e5e7ba5a: add backstop GC command
README
- abd13784: format nit
Stomp
- 3de24d71: guard against race in test
Webhook
- 41cda1fb: move+update debug server