Releases: quay/claircore
v1.5.3 Release
v1.5.2 Release
v1.5.1 Release
v1.5.0 Release
v1.5.0 - 2023-05-15
- updater: Extend default updater period to 6 hours
Given the expense of updating and the lack of value in such a high frequency, this change extends the default update period from 30 mins to 6 hours.
- whiteout: Add the ability to reason about whiteout files in layers
This change gives the indexing process a mechanism to discover whiteout files and use them to inform the final index report. A Resolver step is added to the end of the indexing process to allow for logic to be injected after the various indexers' results have been compiled. Indexers are expected to add a filepath to the packages they discover, denoting that the deletion of that filepath signifies the package is deleted.
- debian: use JSON security tracker data
Previously, claircore used the OVAL database provided by the Debian project. However, the translation from the native format used upstream lost the severity information. Now, claircore consumes the upstream format and thus can report severity information.
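The whiteout resolution described in the v1.5.0 notes above, sketched as an added example (not claircore's code): each package carries the file whose removal means it is gone, and a final pass drops packages hidden by a later layer's whiteout entries. The `Package`, `Layer`, `hidden` and `Resolve` names and the sample paths are assumptions; the `.wh.` and `.wh..wh..opq` markers are the OCI image layer whiteout conventions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical stand-ins: a Package records the file whose deletion means the
// package is gone; a Layer lists its file names and the packages found in it.
type Package struct{ Name, Filepath string }
type Layer struct {
	Files    []string
	Packages []Package
}

// hidden reports whether one of a layer's whiteout entries covers target.
func hidden(files []string, target string) bool {
	for _, f := range files {
		dir, base := path.Split(f)
		opaque := base == ".wh..wh..opq" && strings.HasPrefix(target, dir) // hides all of dir
		gone := dir + strings.TrimPrefix(base, ".wh.")                     // path a plain whiteout deletes
		single := strings.HasPrefix(base, ".wh.") && (target == gone || strings.HasPrefix(target, gone+"/"))
		if opaque || single {
			return true
		}
	}
	return false
}

// Resolve walks layers base-first and returns the packages still visible.
func Resolve(layers []Layer) []Package {
	var live []Package
	for _, l := range layers {
		kept := live[:0]
		for _, p := range live {
			if !hidden(l.Files, p.Filepath) {
				kept = append(kept, p)
			}
		}
		live = append(kept, l.Packages...)
	}
	return live
}

func main() { // constructed input: the top layer deletes app/node_modules
	base := Layer{Packages: []Package{{"left-pad", "app/node_modules/left-pad/package.json"}}}
	fmt.Println(Resolve([]Layer{base, {Files: []string{"app/.wh.node_modules"}}}))
}
```

A whiteout only affects packages from lower layers, so packages found in the same layer as the marker are kept.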
v1.4.22 Release
v1.4.22 - 2023-04-14
- libindex: Change location of layerScanner construction
Change the construction of layerScanner to be during libindex instantiation so the lifespan of the objects it creates are tied to the process as opposed to the request.
v1.4.21 Release
v1.4.20 Release
v1.4.19 Release
v1.4.19 - 2023-03-20
- Better jar names
The heuristic for extracting package names from jars has been improved and may yield different results.
- URLs are now included in the prose documentation
Previously, changes to URLs needed to be copied into the prose documentation; this meant the documentation was almost always out of sync. There's now a tool to process comment directives and slipstream the URLs into the documentation in the build step. Contributors should see the `docs/injecturls.go` file for information on how to use the system in code.
- Dpkg indexing honors the "Status" field
Previously, a dpkg-installed package that kept around dpkg-tracked files after removal would be reported as installed.
- Improved indexing of python packages
The python package indexer now detects some package managers and omits indexing the parts of the filesystem where those package managers would place python packages.
- Handling of "pep440" versions has changed
Previously, versions of type "pep440" were inadvertently handled by two different packages: one was used for validation, another for comparisons. Claircore now uses a single package. There should be no noticeable change in the behavior of python indexing or matching, so please file bugs if there are regressions.
- Update required go version to 1.20
This is needed to fix [go issue 33121](https://go.dev/issue/33121), which was indirectly triggered by the `gobin` indexer.
- Distroless container support
Claircore's `dpkg` indexer now supports the "distroless" scheme, where the `dpkg` status database is split across multiple files.
- RPM is removed as a dependency
Claircore no longer requires `rpm`. Previously, `rpm` was executed as a subprocess to examine rpm's BerkeleyDB-based databases. This required extra disk space, extra dependencies, and had the potential to leak resources. Now, claircore implements just enough knowledge of the BerkeleyDB hash database format to be able to extract headers that it already had the means to interpret. Users of claircore should also be able to run without zombie handling, as claircore no longer spawns subprocesses.
- The python indexer consults INSTALLER metadata
The indexer now ignores installers that it knows beforehand are handled elsewhere.
- rpm: extract a minimal file set for bdb-based databases
This should reduce runtime and disk resources when the `rpm` indexer decides that it needs to invoke `rpm` to analyze packages installed in a layer.
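An added example (not claircore's code) of why the dpkg "Status" field in the v1.4.19 notes above matters: a removed package can leave its stanza in the status database, so only stanzas whose state is `installed` should be reported. The `Installed` function and the sample database are constructed for illustration, and treating only the `installed` state as present is this example's assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// statusDB is a constructed dpkg status database: zlib1g is installed, while
// nginx was removed but left its configuration files (and its stanza) behind.
const statusDB = `Package: zlib1g
Status: install ok installed
Version: 1:1.2.13.dfsg-1

Package: nginx
Status: deinstall ok config-files
Version: 1.22.1-9
`

// Installed returns "name version" for each stanza whose Status field's third
// word (the package state) is "installed". Hypothetical helper, not an API.
func Installed(db string) []string {
	var out []string
	fields := map[string]string{}
	flush := func() {
		st := strings.Fields(fields["Status"])
		if len(st) == 3 && st[2] == "installed" {
			out = append(out, fields["Package"]+" "+fields["Version"])
		}
		fields = map[string]string{}
	}
	sc := bufio.NewScanner(strings.NewReader(db))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" { // a blank line ends a stanza
			flush()
		} else if k, v, ok := strings.Cut(line, ":"); ok && line[0] != ' ' && line[0] != '\t' {
			fields[k] = strings.TrimSpace(v) // continuation lines are skipped
		}
	}
	flush() // the last stanza may not be followed by a blank line
	return out
}

func main() {
	fmt.Println(Installed(statusDB))
}
```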
v1.4.18 Release
v1.4.14 Release
v1.4.14 - 2023-01-13
- Add golang binary indexer.
There's now a component for recognizing and pulling the dependencies out of arbitrary go binaries. Binaries built without modules are not supported. The plan is to use OSV data in the matcher component.
- Remove airgapped logic from the core
This change removes the code that disables RPC scanners when airgap is true in the config, allowing hybrid implementations to be configured with local resources. It assumes that the client passed will be airgap aware and will restrict network access if requested.
- Check that after casting to mappingFile we have a usable mapper
Previously it was possible that if the `repo2cpe_mapping_url` or the `repo2cpe_mapping_file` (or indeed if the endpoint is down) that we would panic as the mappingFile will cast to a nil. Now we check for a nil mapper before it gets accessed and error out. This was also an issue for `name2repos_mapping_url` and `name2repos_mapping_file` used by the RHCC scanner.
- The sqlite dependency is now supported on `ppc64le`.
This means that claircore should build and behave correctly on `ppc64le`. Please open issues if this is not the case.
- Fixed some database metrics.
The metrics `distributionbylayer_total` and `distributionbylayer_duration_seconds` were previously counted under different metrics. They're now counted under the correct metrics.