Clair Versions Save

Vulnerability Static Analysis for Containers

v4.7.4

2 weeks ago

Unreleased

v4.7.4 - 2024-05-01

NOTE

The default layer download location has changed

Claircore

  • tarfs: follow hardlinks in ReadFile

    This makes `fs.ReadFile` work as expected when opening hardlinks.
  • debian: update how "source" packages are handled

    Previously, the Updater parsed metadata from the repository to try to record only "binary" packages. This was inaccurate and, with the new dpkg handling, now unneeded. The new approach should be more accurate.
  • dpkg: improve Source handling

    The dpkg handling machinery now correctly records source packages and versions. Previously, version differences between a source package and the resulting binary package(s) were incorrect if the versions were not identical.
  • libindex: add O_TMPFILE fallback logic

    After discovering that some common deployment methods are incompatible with using the `O_TMPFILE` `open(2)` flag, a fallback path has been added. The changes also move the default location to which temporary files are downloaded, to better align with the layout recommended by systemd.

    Please see the documentation for specifics.

  • osv: parse database_specific severity when no CVSS severity is defined

    Occasionally there are OSV advisories that don't include any severity information in the `.severity` object but they do contain a severity in the `.database_specific` object. This change attempts to parse that severity if we don't get a severity from the native `.severity` object.
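The `.severity` / `.database_specific` fallback described in the osv entry above, as an added Go example (not claircore's code): the native OSV `severity` array is consulted first, and only when it yields nothing is a top-level `severity` string inside `database_specific` used. The `database_specific.severity` key is an assumption (that object is free-form in the OSV schema), the sample records are constructed, and the raw score string is returned rather than normalized to a severity bucket.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// osvAdvisory maps the two places an OSV record may carry severity: the schema's
// .severity array of {type, score}, and the free-form .database_specific object,
// which is kept raw and inspected only for an assumed top-level "severity" string.
type osvAdvisory struct {
	Severity []struct {
		Type  string `json:"type"`
		Score string `json:"score"`
	} `json:"severity"`
	DatabaseSpecific map[string]json.RawMessage `json:"database_specific"`
}

// severityOf returns the first usable score and which object supplied it:
// "severity" (native), "database_specific" (fallback) or "none". A
// database_specific.severity that is not a string is skipped, not an error.
func severityOf(raw []byte) (score, source string, err error) {
	var adv osvAdvisory
	if err := json.Unmarshal(raw, &adv); err != nil {
		return "", "", err
	}
	for _, s := range adv.Severity {
		if s.Score != "" {
			return s.Score, "severity", nil
		}
	}
	var s string
	if v, ok := adv.DatabaseSpecific["severity"]; ok && json.Unmarshal(v, &s) == nil && s != "" {
		return s, "database_specific", nil
	}
	return "", "none", nil
}

// Constructed sample records, not real advisories.
const (
	advNative = `{"id":"EXAMPLE-2024-0001","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}`
	advDBOnly = `{"id":"EXAMPLE-2024-0002","severity":[],"database_specific":{"severity":"HIGH"}}`
	advNoSev  = `{"id":"EXAMPLE-2024-0003","database_specific":{"severity":{"level":3}}}`
)

func main() {
	for _, adv := range []string{advNative, advDBOnly, advNoSev} {
		fmt.Println(severityOf([]byte(adv)))
	}
}
```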

Build(Deps)

  • 3ebd889c: bump peter-evans/create-pull-request from 6.0.0 to 6.0.1
  • b7566a0f: bump peter-evans/create-pull-request from 5.0.2 to 6.0.0
  • 4db2f09b: bump actions/cache from 3 to 4
  • 6cef8311: bump actions/upload-artifact from 3 to 4
  • 5ed80215: bump actions/download-artifact from 3 to 4
  • c9e1f56b: bump actions/setup-go from 4 to 5
  • 3ab3de55: bump actions/stale from 8 to 9
  • 591188f0: bump docker/setup-buildx-action from 2 to 3
  • 7ef6ef6b: bump docker/login-action from 2 to 3
  • 5597e7cc: bump docker/build-push-action from 4 to 5
  • 14d7f2b4: bump docker/setup-qemu-action from 2 to 3
  • 1204db98: bump actions/checkout from 3 to 4

Chore

Cicd

  • e6378d03: add container version skew check
  • 2ba3ecc0: update testing workflow
  • ae135c49: don't upload workspace on failure
  • 7222dc88: change version specifiers to be major-version only

Clairctl

  • 2a2ba37f: warn when range requests are not honored

Dockerfile

Docs

  • 3753415b: add mention of disk space path and usage

Httptransport

  • c6df986f: GET vuln report returns 404 when indexing in-progress

Initialize

  • 9828576a: use defaults for NewRemoteFetcher

v4.7.3

2 months ago

Highlights:

  • The minimum TLS version is now 1.2. Previously, servers also allowed 1.1 connections.
  • Claircore is updated to v1.5.25:
    • rhcc, rhel: support compression of sideband data

      If a Clair instance is using local files for the data needed for the `rhel` and `rhcc` indexers, this data may now be compressed. This should allow for the files to fit within a Kubernetes ConfigMap, making some deployments easier to wrangle.
    • datastore: add "delta" update interface

      This change should allow for updaters to use fewer resources and consume API-based data sources in the future. As of this change, no in-tree updaters have been converted to this interface.
    • java: size buffers correctly before use

      This should reduce memory consumption for indexing layers that have deeply nested Java archives.
    • postgres: remove internal timeouts

      Database queries now take as long as needed to execute. This shouldn't negatively affect any working uses, and should make some slower or less-optimized queries possible on larger instances.
    • integration: make PGVERSION a pattern

      The behavior of the setup of an embedded PostgreSQL in integration tests has changed. The relevant environment variable (`PGVERSION`) is now a pattern instead of a literal version string. Note that a version string would be a pattern that matches itself, so that format continues to work.

      Additionally, the version used is now read from the distributed manifest, rather than hard-coded versions. Other than occasional network calls to fetch this manifest, users shouldn't notice any difference.

    • alpine: add edge support

      Alpine's `edge` version should now be supported for reporting.
    • rpm: support PGP V4 signatures

      Rpm has apparently started using "current"/V4 PGP signatures, which claircore was not handling. This adds support for these signatures.
    • jsonblob: add a disk buffering step

      This improves "offline" operation by eagerly buffering output to disk instead of creating a large in-memory data structure first.

      This makes the API trickier but given that there's a single (known and intended) user, this should be fine.

    • tarfs: check a potential integer overflow

      This change fixes a potential integer overflow in tar handling code.

      The possibility of exploiting this is effectively 0, as it would require more bytes to represent a sufficiently large integer than is available in the tar header.

      See also: https://github.com/quay/claircore/security/code-scanning/5

    • gobin: take into account package replacements

      Previously, there was a bug where package replacements were not considered for go binaries.
    • all: purge http.DefaultClient usage

      Some packages with less churn (`photon`, `oracle`, `aws`) were using older ways of getting an `*http.Client` or using `http.DefaultClient`.

      This change breaks some API in exchange for unifying the `*http.Client` handling. The practical upshot is that it's much easier to control the network contact surface.

    • all: share single FS implementation

      Claircore components that deal with `Layer` objects now share a single backing File and a single `fs.FS` implementation when using the `FS` method. There should be no noticeable changes for users, but out-of-tree implementations may want to move over to using the new FS method.

      This change should improve memory usage.

    • libindex: move to O_TMPFILE fetcher

      This release uses a new fetcher (the component responsible for pulling layers locally) that makes use of the O_TMPFILE flag to open(2). This ensures that layer files will be cleaned up even in the event of an unclean shutdown, including being sent a KILL signal.

v4.7.3 - 2024-02-26

Admin

  • 9517c7be: add a check for compatible migration version

    See Also: #1915

Chore

Config

  • 6ba32131: update minimum TLS version for server

    See Also: #1945

v4.7.2

7 months ago

Unreleased

v4.7.2 - 2023-10-09

Claircore

  • chore: update claircore to v1.5.19
  • crda: remove crda support
    The CRDA API has been decommissioned and the functionality has been superseded by OSV support.
  • chore: update toolkit to latest version v1.1.1
    v1.5.17 (toolkit/v1.1.0) introduced a bug where claircore could not handle empty strings when trying to Scan() a value into a cpe.WFN. toolkit/v1.1.1 mitigates this bug.

Clair

v4.7.1

9 months ago

Unreleased

v4.7.1 - 2023-08-10

Build(Deps)

  • bd4bdbf6: bump github.com/pyroscope-io/godeltaprof

Chore

v4.7.0

9 months ago

Unreleased

v4.7.0 - 2023-07-27

Auto

  • 1e574c25: enable mutex, blocking profiles by default

Build(Deps)

  • adee21df: bump golang.org/x/net from 0.11.0 to 0.12.0
  • 32c9ae2e: bump github.com/klauspost/compress from 1.16.6 to 1.16.7

Chore

  • 1bfbfa1b: bump claircore to v1.5.13
  • 31cf5570: Bump claircore to v1.5.12
  • 2d2d16a1: Bump claircore to v1.5.11
  • 048ad2f1: Bump claircore to v1.5.10
  • 5550b27a: bump Claircore to v1.5.9
  • 7df2b863: add pyroscope to compose setup
  • c28648e5: Update outdated docs and comment with default update period.
  • a02a0f2f: remove refs to deprecated io/ioutil
  • 44638edf: Remove dogstatsd variable and references

Clairctl

  • bccabff1: Add post 4.7 admin command to delete pyupio vulns
  • d2b3d826: Scan the pointer to the pointer of the bool
  • 05bd8fa0: Add log line signifying admin is done
  • c636e207: Remove DSN logging
  • 89cae779: admin subcommand

Cmd

Contrib

  • 70d878eb: Add manifest for a Job to run DB jobs

Docs

  • 394efe15: Fix up debug tools table
  • a4ec17f6: Add description of debugging services available during local-dev

Httptransport

  • 86f7a86a: add request ID to profiler labels

Introspection

v4.7.0-rc.1

10 months ago

Unreleased

v4.7.0-rc.1 - 2023-06-26

Airgap

  • 94757c7d: Remove libindex Airgap option

All

Build(Deps)

  • 00a4279d: bump github.com/prometheus/client_golang
  • f4f22e33: bump golang.org/x/net from 0.10.0 to 0.11.0
  • 36a7c88c: bump github.com/klauspost/compress from 1.16.5 to 1.16.6
  • 17cdc922: bump peter-evans/create-pull-request from 5.0.1 to 5.0.2
  • b95be229: bump github.com/streadway/amqp from 1.0.0 to 1.1.0
  • 45f808da: bump github.com/urfave/cli/v2 from 2.25.5 to 2.25.7
  • b75a00c3: bump github.com/urfave/cli/v2 from 2.25.3 to 2.25.5
  • 22a75603: bump github.com/google/go-containerregistry
  • 300b1374: bump go.opentelemetry.io/otel/exporters/jaeger
  • b2d7a091: bump github.com/urfave/cli/v2 from 2.3.0 to 2.25.3
  • a21fb21d: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • b188cba7: bump github.com/quay/claircore from 1.5.2 to 1.5.3
  • eb9d1225: bump golang.org/x/sync from 0.1.0 to 0.2.0
  • f35c832f: bump golang.org/x/net from 0.9.0 to 0.10.0
  • 3dbbaf7b: bump github.com/rs/zerolog from 1.29.0 to 1.29.1
  • 1ee7cb8a: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • dcb7a05a: bump go.opentelemetry.io/otel/exporters/jaeger
  • fca257d7: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  • 933cc5c7: bump github.com/ugorji/go/codec from 1.2.9 to 1.2.11
  • 4f39b319: bump github.com/klauspost/compress from 1.16.4 to 1.16.5
  • 3643f9d2: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • c13eaecc: bump go.opentelemetry.io/otel/trace from 1.11.0 to 1.15.1
  • 43e3daea: bump github.com/jackc/pgx/v4 from 4.18.0 to 4.18.1
  • 2180bc40: bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
  • f669244a: bump peter-evans/create-pull-request from 5.0.0 to 5.0.1
  • 74bc404f: bump peter-evans/create-pull-request from 4.2.4 to 5.0.0
  • 912c6e47: bump actions/stale from 7 to 8
  • ddec3b43: bump peter-evans/create-pull-request from 4.2.3 to 4.2.4
  • f35a3611: bump actions/setup-go from 3 to 4
  • d3655eef: bump golang.org/x/net from 0.5.0 to 0.7.0
  • 854a2fbf: bump docker/build-push-action from 3 to 4

Chore

  • 9d58dba8: v4.7.0-rc.1 changelog bump
  • 31823df2: bump Claircore to v1.5.8
  • 836c0579: bump Claircore to v1.5.7
  • e688e88b: bump Claircore to v1.5.6
  • 3d61485d: bump Claircore to v1.5.5
  • ddc4cc24: bump Claircore to v1.5.4
  • 76686650: Add the osv updater to the local-dev config
  • 56e63e8b: Update opentelemetry to v1.16.0
  • 5df81b19: bump Claircore to v1.5.2
  • cc0d9df4: bump Claircore to v1.5.1
  • 35971dc9: produce nightly for ppc64le
  • 471da4ee: Only ask dependabot to care about direct dependencies
  • 62119209: updated nightly for s390x support
  • 57774bd9: added s390x support
  • 248a4733: move emulator tests to a nightly run
  • bd0488ee: add gomod ecosystems to dependabot
  • 8174e950: Remove 1.19
  • efe27892: Bump Claircore to v1.4.22
  • 1b857d13: Update go version in go.mod
  • 5faf0fc9: Bump Claircore to v1.4.21
  • a433c93c: Bump Claircore to v1.4.20
  • d565775c: Add back GIT_HASH as needed for image name
  • 12f38e45: Update go-image version in docker-compose manifest
  • 02f311d5: Use our dedicated metric for the go version
  • 896b2dfb: Update go version in Dockerfile
  • d10c06e0: Bump claircore to v1.4.18

Cicd

  • 58c26f4a: don't checkout source on clairctl builds
  • 2eb10895: use common workflow in main module CI
  • 83d9b2f5: use common workflow in config module CI
  • e2f264f4: fix nightly connection strings
  • 1ea95d83: rename yamllint config
  • 7e2ae8fc: fix nightly-ci error
  • 1267335e: use rabbitmq as STOMP broker in nightly CI
  • 2edb4915: use rabbitmq as STOMP broker in tests
  • 74c34c0c: update nightly job to work
  • 30a98697: update go versions

Clair

Clairctl

Cmd

Config

  • cee776b3: add newtype for Durations
  • 1ebbbf24: add some omitempty tags
  • 3b6047ca: update module to remove x/sys dependency

Contrib

  • bb3a4be5: Better versioning when building the service image
  • 8566c525: Add a dashboard panel to surface running versions

Docker-Compose

  • bb777399: use rabbitmq instead of activemq

Dockerfile

Docs

Httptransport

Httputil

Stomp

  • 5b876935: override default behavior for "host" header
  • 643bd1c9: rework tests
  • f84e3491: plumb Context into Dialer
  • 7d476ebd: remove apparent ActiveMQ-ism
  • aa441b3c: switch to module release for stomp client

    See Also: #1739

Updater

  • 95970e28: Extend default updater time to 6 hours

v4.6.1

1 year ago

Unreleased

v4.6.1 - 2023-04-13

Airgap

  • e02aba27: Remove libindex Airgap option

Chore

Go.Mod

Httptransport

Httputil

v4.6.0

1 year ago

Unreleased

v4.6.0 - 2023-01-20

All

  • 577a55d4: use httputil to construct requests

Auto

  • 1f1010fe: add automatic memory limit discovery

Build(Deps)

  • ef896eb6: bump actions/stale from 6 to 7
  • 5a212ffe: bump peter-evans/create-pull-request from 4.1.4 to 4.2.3
  • b883bc2b: bump gsactions/commit-message-checker from 1 to 2

Chore

Cicd

Client

Cmd

  • 8b899803: use git-archive for version information

Documentation

Httptransport

  • 25ac033f: use new signer scheme in test
  • a9228d40: add a request_id to logs

    See Also: #1547

Httputil

  • e746ff05: rework request signing and request restriction

Service

Webhook

  • d99f7005: add explicit signer argument

v4.5.1

1 year ago

Unreleased

v4.5.1 - 2022-11-09

Chore

v4.5.0

1 year ago

Unreleased

v4.5.0 - 2022-11-03

Build(Deps)

  • df77d75a: bump peter-evans/create-pull-request from 4.1.3 to 4.1.4

Chore

Clairctl

Cmd