Clair Versions

Vulnerability Static Analysis for Containers

v4.7.3

1 month ago

Highlights:

  • The minimum TLS version is now 1.2. Previously, servers also allowed 1.1 connections.
  • Claircore is updated to v1.5.25:
    • rhcc, rhel: support compression of sideband data

      If a Clair instance is using local files for the data needed for the `rhel` and `rhcc` indexers, this data may now be compressed. This should allow for the files to fit within a Kubernetes ConfigMap, making some deployments easier to wrangle.
    • datastore: add "delta" update interface

      This change should allow for updaters to use fewer resources and consume API-based data sources in the future. As of this change, no in-tree updaters have been converted to this interface.
    • java: size buffers correctly before use

      This should reduce memory consumption for indexing layers that have deeply nested Java archives.
    • postgres: remove internal timeouts

      Database queries now take as long as needed to execute. This shouldn't negatively affect any working uses, and should make some slower or less-optimized queries possible on larger instances.
    • integration: make PGVERSION a pattern

      The behavior of the setup of an embedded PostgreSQL in integration tests has changed. The relevant environment variable (`PGVERSION`) is now a pattern instead of a literal version string. Note that a version string is a pattern that matches itself, so that format continues to work.

      Additionally, the version used is now read from the distributed manifest, rather than hard-coded versions. Other than occasional network calls to fetch this manifest, users shouldn't notice any difference.

    • alpine: add edge support

      Alpine's `edge` version should now be supported for reporting.
    • rpm: support PGP V4 signatures

      Rpm has apparently started using "current"/V4 PGP signatures, which claircore was not handling. This adds support for these signatures.
    • jsonblob: add a disk buffering step

      This improves "offline" operation by eagerly buffering output to disk instead of creating a large in-memory data structure first.

      This makes the API trickier but given that there's a single (known and intended) user, this should be fine.

    • tarfs: check a potential integer overflow

      This change fixes a potential integer overflow in tar handling code.

      The possibility of exploiting this is effectively 0, as it would require more bytes to represent a sufficiently large integer than is available in the tar header.

      See also: https://github.com/quay/claircore/security/code-scanning/5

    • gobin: take into account package replacements

      Previously, there was a bug where package replacements were not considered for go binaries.
    • all: purge http.DefaultClient usage

      Some packages with less churn (`photon`, `oracle`, `aws`) were using older ways of getting an `*http.Client` or using `http.DefaultClient`.

      This change breaks some API in exchange for unifying the `*http.Client` handling. The practical upshot is that it's much easier to control the network contact surface.

    • all: share single FS implementation

      Claircore components that deal with `Layer` objects now share a single backing File and a single `fs.FS` implementation when using the `FS` method. There should be no noticeable changes for users, but out-of-tree implementations may want to move over to using the new FS method.

      This change should improve memory usage.

    • libindex: move to O_TMPFILE fetcher

      This release uses a new fetcher (the component responsible for pulling layers locally) that makes use of the O_TMPFILE flag to open(2). This ensures that layer files will be cleaned up even in the event of an unclean shutdown, including being sent a KILL signal.

v4.7.3 - 2024-02-26

Admin

  • 9517c7be: add a check for compatible migration version See Also: #1915

Chore

Config

  • 6ba32131: update minimum TLS version for server See Also: #1945
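To see what the raised minimum TLS version changes in practice, the following Go program is an added example (not Clair's own server code) that builds two `crypto/tls` server configurations, one with the old 1.1 floor and one with the 1.2 floor, and runs handshakes over an in-memory pipe against a client capped at TLS 1.1 and against a modern client. The self-signed certificate and the `serverConfig`, `handshake` and `legacyClientAccepted` helpers are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate so the demo needs
// no files on disk. (Constructed for this example; not a Clair artifact.)
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-floor-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig returns a server config with the given protocol floor. Session
// tickets are disabled only so the in-memory pipe sees no post-handshake traffic.
func serverConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             minVersion,
		SessionTicketsDisabled: true,
	}
}

// handshake runs one client/server handshake over net.Pipe and returns the
// negotiated protocol version, or the error that ended the handshake.
func handshake(srv, cli *tls.Config) (uint16, error) {
	sEnd, cEnd := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		err := tls.Server(sEnd, srv).Handshake()
		srvErr <- err
		sEnd.Close() // raw close: no close_notify, so nothing can block
	}()
	c := tls.Client(cEnd, cli)
	err := c.Handshake()
	cEnd.Close()
	if serr := <-srvErr; err == nil && serr != nil {
		err = serr
	}
	if err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

// legacyClientAccepted reports whether a client that speaks at most TLS 1.1
// (the kind of peer the old floor still admitted) can complete a handshake.
func legacyClientAccepted(srv *tls.Config) bool {
	cli := &tls.Config{
		InsecureSkipVerify: true, // self-signed demo certificate
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS11,
	}
	_, err := handshake(srv, cli)
	return err == nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	old := serverConfig(cert, tls.VersionTLS11) // pre-4.7.3 floor
	now := serverConfig(cert, tls.VersionTLS12) // 4.7.3 floor
	fmt.Println("TLS 1.1 client accepted with old floor:", legacyClientAccepted(old))
	fmt.Println("TLS 1.1 client accepted with new floor:", legacyClientAccepted(now))
	v, err := handshake(now, &tls.Config{InsecureSkipVerify: true})
	fmt.Printf("modern client negotiated 0x%04x (err=%v)\n", v, err)
}
```

With the 1.2 floor the server answers the TLS 1.1 ClientHello with a protocol_version alert and the client sees a "remote error", while a default client still negotiates 1.3; checking that a deployment behaves this way is a reasonable post-upgrade test for an externally reachable Clair endpoint.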

v4.7.2

6 months ago

Unreleased

v4.7.2 - 2023-10-09

Claircore

  • chore: update claircore to v1.5.19
  • crda: remove crda support
    The CRDA API has been decommissioned and the functionality has been superseded by OSV support.
  • chore: update toolkit to latest version v1.1.1
    v1.5.17 (toolkit/v1.1.0) introduced a bug where claircore could not handle empty strings when trying to Scan() a value into a cpe.WFN. toolkit/v1.1.1 mitigates this bug.

Clair

v4.7.1

8 months ago

Unreleased

v4.7.1 - 2023-08-10

Build(Deps)

  • bd4bdbf6: bump github.com/pyroscope-io/godeltaprof

Chore

v4.7.0

8 months ago

Unreleased

v4.7.0 - 2023-07-27

Auto

  • 1e574c25: enable mutex, blocking profiles by default

Build(Deps)

  • adee21df: bump golang.org/x/net from 0.11.0 to 0.12.0
  • 32c9ae2e: bump github.com/klauspost/compress from 1.16.6 to 1.16.7

Chore

  • 1bfbfa1b: bump claircore to v1.5.13
  • 31cf5570: Bump claircore to v1.5.12
  • 2d2d16a1: Bump claircore to v1.5.11
  • 048ad2f1: Bump claircore to v1.5.10
  • 5550b27a: bump Claircore to v1.5.9
  • 7df2b863: add pyroscope to compose setup
  • c28648e5: Update outdated docs and comment with default update period.
  • a02a0f2f: remove refs to deprecated io/ioutil
  • 44638edf: Remove dogstatsd variable and references

Clairctl

  • bccabff1: Add post 4.7 admin command to delete pyupio vulns
  • d2b3d826: Scan the pointer to the pointer of the bool
  • 05bd8fa0: Add log line signifying admin is done
  • c636e207: Remove DSN logging
  • 89cae779: admin subcommand

Cmd

Contrib

  • 70d878eb: Add manifest for a Job to run DB jobs

Docs

  • 394efe15: Fix up debug tools table
  • a4ec17f6: Add description of debugging services available during local-dev

Httptransport

  • 86f7a86a: add request ID to profiler labels

Introspection

v4.7.0-rc.1

9 months ago

Unreleased

v4.7.0-rc.1 - 2023-06-26

Airgap

  • 94757c7d: Remove libindex Airgap option

All

Build(Deps)

  • 00a4279d: bump github.com/prometheus/client_golang
  • f4f22e33: bump golang.org/x/net from 0.10.0 to 0.11.0
  • 36a7c88c: bump github.com/klauspost/compress from 1.16.5 to 1.16.6
  • 17cdc922: bump peter-evans/create-pull-request from 5.0.1 to 5.0.2
  • b95be229: bump github.com/streadway/amqp from 1.0.0 to 1.1.0
  • 45f808da: bump github.com/urfave/cli/v2 from 2.25.5 to 2.25.7
  • b75a00c3: bump github.com/urfave/cli/v2 from 2.25.3 to 2.25.5
  • 22a75603: bump github.com/google/go-containerregistry
  • 300b1374: bump go.opentelemetry.io/otel/exporters/jaeger
  • b2d7a091: bump github.com/urfave/cli/v2 from 2.3.0 to 2.25.3
  • a21fb21d: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • b188cba7: bump github.com/quay/claircore from 1.5.2 to 1.5.3
  • eb9d1225: bump golang.org/x/sync from 0.1.0 to 0.2.0
  • f35c832f: bump golang.org/x/net from 0.9.0 to 0.10.0
  • 3dbbaf7b: bump github.com/rs/zerolog from 1.29.0 to 1.29.1
  • 1ee7cb8a: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • dcb7a05a: bump go.opentelemetry.io/otel/exporters/jaeger
  • fca257d7: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 933cc5c7: bump github.com/ugorji/go/codec from 1.2.9 to 1.2.11
  • 4f39b319: bump github.com/klauspost/compress from 1.16.4 to 1.16.5
  • 3643f9d2: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • c13eaecc: bump go.opentelemetry.io/otel/trace from 1.11.0 to 1.15.1
  • 43e3daea: bump github.com/jackc/pgx/v4 from 4.18.0 to 4.18.1
  • 2180bc40: bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
  • f669244a: bump peter-evans/create-pull-request from 5.0.0 to 5.0.1
  • 74bc404f: bump peter-evans/create-pull-request from 4.2.4 to 5.0.0
  • 912c6e47: bump actions/stale from 7 to 8
  • ddec3b43: bump peter-evans/create-pull-request from 4.2.3 to 4.2.4
  • f35a3611: bump actions/setup-go from 3 to 4
  • d3655eef: bump golang.org/x/net from 0.5.0 to 0.7.0
  • 854a2fbf: bump docker/build-push-action from 3 to 4

Chore

  • 9d58dba8: v4.7.0-rc.1 changelog bump
  • 31823df2: bump Claircore to v1.5.8
  • 836c0579: bump Claircore to v1.5.7
  • e688e88b: bump Claircore to v1.5.6
  • 3d61485d: bump Claircore to v1.5.5
  • ddc4cc24: bump Claircore to v1.5.4
  • 76686650: Add the osv updater to the local-dev config
  • 56e63e8b: Update opentelemetry to v1.16.0
  • 5df81b19: bump Claircore to v1.5.2
  • cc0d9df4: bump Claircore to v1.5.1
  • 35971dc9: produce nightly for ppc64le
  • 471da4ee: Only ask dependabot to care about direct dependencies
  • 62119209: updated nightly for s390x support
  • 57774bd9: added s390x support
  • 248a4733: move emulator tests to a nightly run
  • bd0488ee: add gomod ecosystems to dependabot
  • 8174e950: Remove 1.19
  • efe27892: Bump Claircore to v1.4.22
  • 1b857d13: Update go version in go.mod
  • 5faf0fc9: Bump Claircore to v1.4.21
  • a433c93c: Bump Claircore to v1.4.20
  • d565775c: Add back GIT_HASH as needed for image name
  • 12f38e45: Update go-image version in docker-compose manifest
  • 02f311d5: Use our dedicated metric for the go version
  • 896b2dfb: Update go version in Dockerfile
  • d10c06e0: Bump claircore to v1.4.18

Cicd

  • 58c26f4a: don't checkout source on clairctl builds
  • 2eb10895: use common workflow in main module CI
  • 83d9b2f5: use common workflow in config module CI
  • e2f264f4: fix nightly connection strings
  • 1ea95d83: rename yamllint config
  • 7e2ae8fc: fix nightly-ci error
  • 1267335e: use rabbitmq as STOMP broker in nightly CI
  • 2edb4915: use rabbitmq as STOMP broker in tests
  • 74c34c0c: update nightly job to work
  • 30a98697: update go versions

Clair

Clairctl

Cmd

Config

  • cee776b3: add newtype for Durations
  • 1ebbbf24: add some omitempty tags
  • 3b6047ca: update module to remove x/sys dependency

Contrib

  • bb3a4be5: Better versioning when building the service image
  • 8566c525: Add a dashboard panel to surface running versions

Docker-Compose

  • bb777399: use rabbitmq instead of activemq

Dockerfile

Docs

Httptransport

Httputil

Stomp

  • 5b876935: override default behavior for "host" header
  • 643bd1c9: rework tests
  • f84e3491: plumb Context into Dialer
  • 7d476ebd: remove apparent ActiveMQ-ism
  • aa441b3c: switch to module release for stomp client See Also: #1739

Updater

  • 95970e28: Extend default updater time to 6 hours

v4.6.1

1 year ago

Unreleased

v4.6.1 - 2023-04-13

Airgap

  • e02aba27: Remove libindex Airgap option

Chore

Go.Mod

Httptransport

Httputil

v4.6.0

1 year ago

Unreleased

v4.6.0 - 2023-01-20

All

  • 577a55d4: use httputil to construct requests

Auto

  • 1f1010fe: add automatic memory limit discovery

Build(Deps)

  • ef896eb6: bump actions/stale from 6 to 7
  • 5a212ffe: bump peter-evans/create-pull-request from 4.1.4 to 4.2.3
  • b883bc2b: bump gsactions/commit-message-checker from 1 to 2

Chore

Cicd

Client

Cmd

  • 8b899803: use git-archive for version information

Documentation

Httptransport

  • 25ac033f: use new signer scheme in test
  • a9228d40: add a request_id to logs See Also: #1547

Httputil

  • e746ff05: rework request signing and request restriction

Service

Webhook

  • d99f7005: add explicit signer argument

v4.5.1

1 year ago

Unreleased

v4.5.1 - 2022-11-09

Chore

v4.5.0

1 year ago

Unreleased

v4.5.0 - 2022-11-03

Build(Deps)

  • df77d75a: bump peter-evans/create-pull-request from 4.1.3 to 4.1.4

Chore

Clairctl

Cmd

v4.5.0-rc.0

1 year ago

Unreleased

v4.5.0-rc.0 - 2022-10-10

All

  • 1a1d5662: remove Quay keyserver support

Build(Deps)

  • 224d0698: bump actions/stale from 5 to 6
  • 180b887c: bump peter-evans/create-pull-request from 4.1.2 to 4.1.3
  • 0537bbc0: bump peter-evans/create-pull-request from 4.1.1 to 4.1.2
  • 47a9c1cb: bump peter-evans/create-pull-request from 4.0.4 to 4.1.1
  • 3cad3319: bump peter-evans/create-pull-request from 4.0.3 to 4.0.4
  • c5975257: bump peter-evans/create-pull-request from 4.0.2 to 4.0.3
  • 57dc2378: bump docker/setup-qemu-action from 1 to 2
  • c4e2031b: bump docker/login-action from 1 to 2
  • a9823a91: bump docker/setup-buildx-action from 1 to 2
  • 7c8bafbe: bump docker/build-push-action from 2 to 3
  • 4408b1bb: bump actions/download-artifact from 2 to 3
  • 4c91a714: bump actions/setup-go from 2 to 3
  • 64389db0: bump actions/upload-artifact from 2 to 3
  • 1db22a62: bump peter-evans/create-pull-request from 4.0.1 to 4.0.2
  • c0953e6f: bump actions/stale from 4 to 5
  • 53e944f9: bump peter-evans/create-pull-request from 3.14.0 to 4.0.1
  • c76efaee: bump actions/cache from 2 to 3

CRDA

  • 4bb2d332: replace API key request form URL

Chore

  • aae2d839: v4.5.0-rc.0 changelog bump
  • 95073d0b: Bump claircore to v1.4.7
  • 415b2a17: Add back Publish Binaries to upload clairctl versions
  • c9041efa: bump Claircore to v1.4.6
  • 039d2073: bump Claircore to v1.4.5
  • 4e44f7ef: bump claircore v1.4.2 -> v1.4.3
  • e2b8e101: Bump claircore v1.4.1 -> 1.4.2
  • 3273a969: bump claircore to v1.3.2

Ci

  • 45443c8e: fix prerelease conditional
  • eea6fea1: fix config tidy check
  • 4180d787: update workflows and machinery for go1.18

Clair

  • b8882f9d: better argument error messages See Also: #1605

Clairctl

  • f0d6a357: fix error reporting for streaming responses

Config

Contrib

  • 9612ee67: remove rpmscanner files on startup
  • a6609638: First wipe anything that might be left before starting clair indexers
  • 6a6fd901: fix DB connection charts
  • 6b60eef6: Only count index report creation latency for successful requests
  • 17862ae3: Add DB connections to Grafana dashboard
  • 37ca1ab0: Add dedicated serviceAccount
  • 1d89c032: Wipe all the temporary files in the process of being fetched
  • 187764a3: Wipe all the contents of /tmp on container start
  • ae7675af: Use the readyz endpoint in startup probes Fixes #1488

Docker-Compose

  • dfd68db8: remove -mod=vendor flag

Dockerfile

  • e689241b: strip binaries to reduce size
  • 2af2a7f6: fix build with newer ubi8/ubi-minimal image
  • f2e209c6: update for 1.18, add trimpath

Docs

  • 369319cd: note tested docker-compose version

Documentation

Go.Mod

Httptransport

Indexer

  • 8e5d76d3: Return 4XX status code when Index() returns tarfs.ErrBadFormat

Introspection

  • f4db2610: allow custom health function

Logging

  • 5c5a1ab4: log when request is rate-limited

Matcher

  • e5cb6a91: Update matcher client to match server definition

Metrics

  • e1664659: Spread clair_http_indexerv1_request_duration buckets

Prometheus

Services

Webhook