Releases: quay/claircore

v1.5.23 Release

19 Feb 20:01
v1.5.23

v1.5.23 - 2024-02-19

Nothing interesting happened this release.

v1.5.22 Release

16 Feb 23:26
v1.5.22

v1.5.22 - 2024-02-16

Nothing interesting happened this release.

v1.5.21 Release

01 Feb 18:41
v1.5.21

v1.5.21 - 2024-02-01

  • rhcc, rhel: support compression of sideband data

    If a Clair instance is using local files for the data needed for the `rhel` and `rhcc` indexers, this data may now be compressed. This should allow for the files to fit within a Kubernetes ConfigMap, making some deployments easier to wrangle.
  • datastore: add "delta" update interface

    This change should allow for updaters to use fewer resources and consume API-based data sources in the future. As of this change, no in-tree updaters have been converted to this interface.
  • java: size buffers correctly before use

    This should reduce memory consumption for indexing layers that have deeply nested Java archives.
  • postgres: remove internal timeouts

    Database queries now take as long as needed to execute. This shouldn't negatively affect any working uses, and should make some slower or less-optimized queries possible on larger instances.
  • integration: make PGVERSION a pattern

    The setup of the embedded PostgreSQL used in integration tests has changed. The relevant environment variable (`PGVERSION`) is now a pattern instead of a literal version string. Note that a version string is a pattern that matches itself, so that format continues to work.

    Additionally, the version used is now read from the distributed
    manifest, rather than hard-coded versions. Other than occasional network
    calls to fetch this manifest, users shouldn't notice any difference.

  • alpine: add edge support

    Alpine's `edge` version should now be supported for reporting.
  • rpm: support PGP V4 signatures

    Rpm has apparently started using "current"/V4 PGP signatures, which claircore was not handling. This adds support for these signatures.
  • jsonblob: add a disk buffering step

    This improves "offline" operation by eagerly buffering output to disk instead of creating a large in-memory data structure first.

    This makes the API trickier but given that there's a single (known and
    intended) user, this should be fine.

  • tarfs: check a potential integer overflow

    This change fixes a potential integer overflow in tar handling code.

    The possibility of exploiting this is effectively 0, as it would require
    more bytes to represent a sufficiently large integer than is available
    in the tar header.

    See also: https://github.com/quay/claircore/security/code-scanning/5

  • gobin: take into account package replacements

    Previously, there was a bug where package replacements were not considered for go binaries.
  • all: purge http.DefaultClient usage

    Some packages with less churn (`photon`, `oracle`, `aws`) were using older ways of getting an `*http.Client` or using `http.DefaultClient`.

    This change breaks some API in exchange for unifying the *http.Client
    handling. The practical upshot is that it's much easier to control the
    network contact surface.

  • all: share single FS implementation

    Claircore components that deal with `Layer` objects now share a single backing File and a single `fs.FS` implementation when using the `FS` method. There should be no noticeable changes for users, but out-of-tree implementations may want to move over to using the new FS method.

    This change should improve memory usage.
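
The `all: purge http.DefaultClient usage` entry above says that unified `*http.Client` handling makes the network contact surface easier to control. As an added illustration (not claircore code; `allowlistTransport`, `newRestrictedClient`, `fetchStatus`, the stub transport and the `example.test` hosts are hypothetical), a single injected client can enforce an egress allowlist for every component that receives it:

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// allowlistTransport rejects requests to hosts that are not allowed before they reach the network.
type allowlistTransport struct {
	allowed map[string]bool
	next    http.RoundTripper
}

func (t *allowlistTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if host := req.URL.Hostname(); !t.allowed[host] {
		return nil, fmt.Errorf("egress to %q blocked by allowlist", host)
	}
	return t.next.RoundTrip(req)
}

// stubTransport is a constructed stand-in for a real transport so the example runs offline.
type stubTransport struct{}

func (stubTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	body := io.NopCloser(strings.NewReader("constructed feed"))
	return &http.Response{StatusCode: http.StatusOK, Body: body, Request: req}, nil
}

// newRestrictedClient builds the one client that is handed to every component.
func newRestrictedClient(next http.RoundTripper, allowed map[string]bool) *http.Client {
	return &http.Client{Transport: &allowlistTransport{allowed: allowed, next: next}}
}

// fetchStatus is a hypothetical updater step that only ever uses the injected client.
func fetchStatus(c *http.Client, url string) (int, error) {
	res, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer res.Body.Close()
	return res.StatusCode, nil
}

func main() {
	c := newRestrictedClient(stubTransport{}, map[string]bool{"feeds.example.test": true})
	fmt.Println(fetchStatus(c, "https://other.example.test/v1"))
}
```

Because `http.Client` sends every redirect hop through the same `RoundTripper`, a redirect to a host outside the allowlist is refused as well; code that falls back to `http.DefaultClient` would bypass the check entirely.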

v1.5.20 Release

12 Oct 22:27
v1.5.20

v1.5.20 - 2023-10-12

  • libindex: move to O_TMPFILE fetcher
    This release uses a new fetcher (the component responsible for pulling layers locally) that makes use of the O_TMPFILE flag to open(2). This ensures that layer files will be cleaned up even in the event of an unclean shutdown, including being sent a KILL signal.

v1.5.19 Release

03 Oct 19:35
v1.5.19

v1.5.19 - 2023-10-03

  • chore: update toolkit to latest version v1.1.1
    v1.5.17 (toolkit/v1.1.0) introduced a bug where claircore could not handle empty strings when trying to Scan() a value into a cpe.WFN. toolkit/v1.1.1 mitigates this bug.

v1.5.18 Release

03 Oct 16:47
v1.5.18

v1.5.18 - 2023-10-03

Nothing interesting happened this release.

v1.5.17 Release

28 Sep 21:16
v1.5.17

v1.5.17 - 2023-09-28

  • crda: remove crda support
    The CRDA API has been decommissioned and the functionality has been superseded by OSV support.

v1.5.16 Release

14 Aug 18:37
v1.5.16

v1.5.16 - 2023-08-14

Nothing interesting happened this release.

v1.5.15 Release

08 Aug 21:27
v1.5.15

v1.5.15 - 2023-08-08

Nothing interesting happened this release.

v1.5.14 Release

07 Aug 18:06
v1.5.14

v1.5.14 - 2023-08-07

  • rhel: Include cve defs when parsing through rhel oval feeds
    There was a condition that excluded CVE definition types when converting OVAL definitions to vulns. Currently, for rhel8 unpatched feeds, the definitions are either oval:com.redhat.cve:def:... or oval:com.redhat.unaffected:def:.... This change adds a condition to only continue to ignore these CVE definitions if the config explicitly says to do so. Note: Once these vulns are in the DB they will be surfaced, and updating the config won't delete them; they will be queried until the next update cycle.