
Releases: quay/claircore

v1.5.34 Release

06 Jan 22:54

v1.5.34 - 2025-01-06

  • rhel: deprecate updater in favor of VEX updater
    We can extract vulnerability information about containers from the VEX data. This negates the need to look for it in the cvemap.xml file. This change modifies the VEX updater to allow for ingesting vulnerabilities in a way that can be matched by the RHCC matcher.

v1.5.33 Release

08 Nov 19:59

v1.5.33 - 2024-11-08

  • suse: dynamic distribution discovery
    Previously, SUSE distributions were static/predefined in the code, and the lack of updates to those definitions had allowed SUSE support to lapse. This change adds dynamic support for two SUSE distro flavors: suse.linux.enterprise.server and opensuse.leap.

v1.5.32 Release

04 Oct 17:25

v1.5.32 - 2024-10-04

Nothing interesting happened this release.

v1.5.31 Release

16 Sep 15:39

v1.5.31 - 2024-09-16

Nothing interesting happened this release.

v1.5.30 Release

06 Sep 16:03

v1.5.30 - 2024-09-06

Nothing interesting happened this release.

v1.5.29 Release

21 Aug 17:32

v1.5.29 - 2024-08-21

  • rhel: move IgnoreUnpatched config key from updater to matcher

    Previously, the IgnoreUnpatched config key was part of the RHEL updater and dictated whether or not the updater would ingest unpatched vulnerabilities. This change moves that key to the RHEL matcher, where it dictates whether the matcher should check for a fixed_in_version when querying potential vulnerabilities. This makes the config option more usable at the expense of DB size.
  • rhel: add csaf/vex updater

    Replace the RHEL OVAL updater with a CSAF/VEX updater for Red Hat security data. Update the matching logic to deal with CPE patterns coming from the VEX files. Remove RHEL updater and add a migration to delete Red Hat OVAL data from the database.

v1.5.28 Release

13 May 20:22

v1.5.28 - 2024-05-13

  • datastore: add vuln and enrich stream updates

    In an effort to reduce memory consumption while updating the vulnerability database, add support for iterators. Extend the Updater interface with an `UpdateVulnerabilitiesIter` method that performs the same operation as `UpdateVulnerabilities` but accepts an iterator function instead of a slice. Also, extend the `EnrichmentUpdater` interface with `UpdateEnrichmentsIter` in the same way.
  • cpe: add match expression support

    This adds support for NIST IR 7696, aka CPE2.3 Name Matching. It's anticipated to be used in upcoming CSAF/VEX support. See https://doi.org/10.6028/NIST.IR.7696 for the specification.
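As an added illustration of the name-matching rules referred to above (example code written for these notes, not claircore's own implementation), here is a minimal Go version of NIST IR 7696 matching: per-attribute ANY/NA logic plus leading/trailing `*` wildcards in the source, with every attribute required to be EQUAL or SUPERSET. The names `attrMatches` and `Match` are chosen for this example, and it assumes no escaped colons or `?` wildcards in the input.

```go
package main

import (
	"fmt"
	"strings"
)

// attrMatches reports whether a source attribute is EQUAL to or a SUPERSET of a
// target attribute (NIST IR 7696 sec. 6.1): "*" is ANY, "-" is NA, and a source
// value may carry a leading or trailing "*" wildcard.
func attrMatches(src, tgt string) bool {
	switch {
	case src == tgt || src == "*": // EQUAL, or ANY is a SUPERSET of anything
		return true
	case tgt == "*" || src == "-" || tgt == "-": // SUBSET or DISJOINT
		return false
	}
	core := strings.Trim(src, "*")
	pre, suf := strings.HasPrefix(src, "*"), strings.HasSuffix(src, "*")
	return (pre || suf) && strings.Contains(tgt, core) &&
		(pre || strings.HasPrefix(tgt, core)) && (suf || strings.HasSuffix(tgt, core))
}

// Match reports whether the source CPE 2.3 formatted string matches the target:
// every one of the 11 attributes must be EQUAL or SUPERSET (sec. 7.2), and a
// wildcard in the target is an error. Assumes no escaped colons in the input.
func Match(source, target string) (bool, error) {
	src, tgt := strings.Split(source, ":"), strings.Split(target, ":")
	if len(src) != 13 || len(tgt) != 13 || src[1] != "2.3" || tgt[1] != "2.3" {
		return false, fmt.Errorf("cpe: malformed formatted string")
	}
	for i := 2; i < 13; i++ {
		if tgt[i] != "*" && strings.ContainsAny(tgt[i], "*?") {
			return false, fmt.Errorf("cpe: wildcard in target attribute %q", tgt[i])
		}
		if !attrMatches(src[i], tgt[i]) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample: a vendor-wide pattern against a concrete product name.
	ok, err := Match("cpe:2.3:a:redhat:*:*:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:enterprise_linux:9:*:*:*:*:*:*:*")
	fmt.Println(ok, err)
}
```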

v1.5.27 Release

25 Apr 19:56

v1.5.27 - 2024-04-25

  • tarfs: follow hardlinks in ReadFile
    This makes `fs.ReadFile` work as expected when opening hardlinks.

v1.5.26 Release

02 Apr 17:34

v1.5.26 - 2024-04-02

  • debian: update how "source" packages are handled

    Previously, the Updater parsed metadata from the repository to try to record only "binary" packages. This was inaccurate and, with the new dpkg handling, now unneeded. The new approach should be more accurate.
  • dpkg: improve Source handling

    The dpkg handling machinery now correctly records source packages and versions. Previously, the recorded source version was wrong whenever a source package and its resulting binary package(s) did not share an identical version.
  • libindex: add O_TMPFILE fallback logic

    After discovering that some common deployment methods are incompatible with using the `O_TMPFILE` `open(2)` flag, a fallback path has been added. The changes also move the default location to which temporary files are downloaded, to better align with the layout recommended by systemd.

    Please see the documentation for specifics.

  • osv: parse database_specific severity when no CVSS severity is defined

    Occasionally, OSV advisories don't include any severity information in the `.severity` object but do contain a severity in the `.database_specific` object. This change attempts to parse that severity if we don't get a severity from the native `.severity` object.

v1.5.25 Release

26 Feb 17:28

v1.5.25 - 2024-02-26

Nothing interesting happened this release.