Skip to content

Releases: guacsec/guac

v0.8.6

19 Sep 15:24
9dbf407
Compare
Choose a tag to compare
  • bug fixes

What's Changed

  • 9dbf407 drop discovered_license from required index as it is covered by the discovered_license_hash (#2139)

Also includes all the changes from v0.8.5

  • Searching for hasSBOMs via Artifacts in Vuln cli
  • CDX parser captures version as an artifact for images
  • ClearlyDefined certifier to the postgres/demo compose file
  • Various bug fixes and improvements

v0.8.5

19 Sep 11:00
f5e60a9
Compare
Choose a tag to compare
  • Searching for hasSBOMs via Artifacts in Vuln cli
  • CDX parser captures version as an artifact for images
  • ClearlyDefined certifier to the postgres/demo compose file
  • Various bug fixes and improvements

Contributors

What's Changed

  • c22cf02 Add the ClearlyDefined certifier to the demo compose file (#2129)
  • d4abef2 Also add the ClearlyDefined certifier to the postgres compose file (#2130)
  • de3897f Bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#2132)
  • 2752e40 Bump github/codeql-action from 3.26.6 to 3.26.7 (#2131)
  • 477b1d7 CDX parser captures version as an artifact for images (#2126)
  • 430b768 Fix guacEmpty being added into the ENT DB causing errors (#2136)
  • c7501e8 Searching for hasSBOMs via Artifacts in Vuln cli (#1965)
  • 8c9cc5b Update CD certifier to ignore LicenseRef licenses (#2134)
  • f5e60a9 create isoccur for top level package when artifact is found (#2137)

v0.8.4

11 Sep 19:19
9c7f881
Compare
Choose a tag to compare
  • Fix SPDX SBOM ingestion with multiple purls in externalRefs array
  • Add connection timeout for ENT
  • Retry on network error for certifiers
  • Fix Deps.dev rate limiting
  • Various bug fixes and improvements

Contributors

What's Changed

  • 9c7f881 [Fix] GRPC rate limit and add exponential backoff for CD (#2125)

Also includes (from v0.8.3):

  • e6f20c3 Bump actions/create-github-app-token from 1.10.3 to 1.10.4 (#2116)
  • 61da705 Bump actions/setup-python from 5.1.1 to 5.2.0 (#2106)
  • 9768dc0 Bump docker/login-action from 2 to 3 (#2107)
  • db47d0a Bump getkin/kin-openapi from v0.123.0 to v0.127.0 (#2112)
  • 0c72777 Bump github.com/aws/aws-sdk-go-v2 from 1.30.4 to 1.30.5 (#2121)
  • ad1f0c2 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.31 (#2102)
  • 7004fc4 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.59.0 to 1.61.2 (#2119)
  • a37fef2 Bump github.com/fsouza/fake-gcs-server from 1.49.2 to 1.49.3 (#2104)
  • 7d1e437 Bump github/codeql-action from 3.26.5 to 3.26.6 (#2105)
  • fcda7d9 Bump gocloud.dev from 0.38.0 to 0.39.0 (#2118)
  • 04f8655 Bump gocloud.dev/pubsub/rabbitpubsub from 0.38.0 to 0.39.0 (#2120)
  • 8b7b9e2 Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#2103)
  • 8fd7914 Bump google.golang.org/grpc from 1.66.0 to 1.66.1 (#2117)
  • 5e29c5d Bumping cdevents/sdk-go from 0.3.2 to 0.4.1 (#2108)
  • c9c6acc Fix SPDX SBOM ingestion with multiple purls in externalRefs array (#2101)
  • 4c0b9a8 Include documentRef in hasSBOM client operations (#2111)
  • 2508663 add connection timeout for ENT (#2115)
  • 2f63622 change atlas migration to take into account ent auto migration index names (#2114)
  • 2b018e2 retry on network error for certifiers (#2122)

v0.8.3

10 Sep 16:12
2b018e2
Compare
Choose a tag to compare

Changelog

  • e6f20c3 Bump actions/create-github-app-token from 1.10.3 to 1.10.4 (#2116)
  • 61da705 Bump actions/setup-python from 5.1.1 to 5.2.0 (#2106)
  • 9768dc0 Bump docker/login-action from 2 to 3 (#2107)
  • db47d0a Bump getkin/kin-openapi from v0.123.0 to v0.127.0 (#2112)
  • 0c72777 Bump github.com/aws/aws-sdk-go-v2 from 1.30.4 to 1.30.5 (#2121)
  • ad1f0c2 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.31 (#2102)
  • 7004fc4 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.59.0 to 1.61.2 (#2119)
  • a37fef2 Bump github.com/fsouza/fake-gcs-server from 1.49.2 to 1.49.3 (#2104)
  • 7d1e437 Bump github/codeql-action from 3.26.5 to 3.26.6 (#2105)
  • fcda7d9 Bump gocloud.dev from 0.38.0 to 0.39.0 (#2118)
  • 04f8655 Bump gocloud.dev/pubsub/rabbitpubsub from 0.38.0 to 0.39.0 (#2120)
  • 8b7b9e2 Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#2103)
  • 8fd7914 Bump google.golang.org/grpc from 1.66.0 to 1.66.1 (#2117)
  • 5e29c5d Bumping cdevents/sdk-go from 0.3.2 to 0.4.1 (#2108)
  • c9c6acc Fix SPDX SBOM ingestion with multiple purls in externalRefs array (#2101)
  • 4c0b9a8 Include documentRef in hasSBOM client operations (#2111)
  • 2508663 add connection timeout for ENT (#2115)
  • 2f63622 change atlas migration to take into account ent auto migration index names (#2114)
  • 2b018e2 retry on network error for certifiers (#2122)

v0.8.2

30 Aug 15:50
0f694a3
Compare
Choose a tag to compare
  • Batch query support for clearly defined to improve performance
  • Atlas Migration image creation with each release for each of migrate the ENT database
  • Rate limit added for external services: deps.dev, OSV and clearly defined
  • Various bug fixes and improvements

Contributors

What's Changed

  • 0f694a3 Add batch querying for clearly defined to reduce ingestion time (#2088)
  • 9b6c7ae Atlas migration image (#2086)
  • 5e11532 Bump actions/checkout from 3 to 4 (#2094)
  • 00a46f3 Bump anchore/sbom-action from 0.17.0 to 0.17.1 (#2084)
  • ce446ae Bump anchore/sbom-action from 0.17.1 to 0.17.2 (#2093)
  • 4acfd67 Bump docker/build-push-action from 5 to 6 (#2095)
  • 7f0feef Bump docker/setup-buildx-action from 2 to 3 (#2096)
  • ac3ddef Bump entgo.io/contrib from 0.5.0 to 0.6.0 (#2092)
  • 80a973f Bump github.com/aws/aws-sdk-go-v2/config from 1.27.23 to 1.27.28 (#2081)
  • 8e92b01 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.58.2 to 1.59.0 (#2083)
  • eb4ec8f Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.34.3 to 1.34.5 (#2091)
  • f6f0594 Bump github.com/google/osv-scanner from 1.8.2 to 1.8.4 (#2090)
  • 2072dff Bump github/codeql-action from 3.26.0 to 3.26.3 (#2085)
  • efa4ffb Bump github/codeql-action from 3.26.3 to 3.26.5 (#2097)
  • 7fe8848 Rate limiting outgoing requests (#2053)
  • 81e4eb1 add missing search_path, and change workflow to publish only on tag release (#2087)

v0.8.1

18 Aug 19:36
a3a7525
Compare
Choose a tag to compare
  • Remove unused daysSinceLastScan for certifiers
  • Return hasSBOM and hasSLSA IDs from the assembler
  • Various bug fixes and improvements

What's Changed

  • e0253d4 Bump cloud.google.com/go/storage from 1.42.0 to 1.43.0 (#2071)
  • a576388 Bump docker/login-action from 3.2.0 to 3.3.0 (#2044)
  • 5e25e14 Bump github.com/99designs/gqlgen from 0.17.48 to 0.17.49 (#2040)
  • e584a1f Bump github.com/aws/aws-sdk-go from 1.55.0 to 1.55.5 (#2070)
  • b9dc127 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.31.4 to 1.34.3 (#2067)
  • ef728ea Bump github.com/docker/docker (#2059)
  • 49280fa Bump github.com/regclient/regclient from 0.7.0 to 0.7.1 (#2063)
  • e87aa0b Bump github.com/sigstore/sigstore from 1.8.7 to 1.8.8 (#2073)
  • 4c61333 Bump github/codeql-action from 3.25.13 to 3.25.15 (#2050)
  • e2a257a Bump github/codeql-action from 3.25.15 to 3.26.0 (#2074)
  • 31a2687 Bump gocloud.dev/pubsub/rabbitpubsub from 0.37.0 to 0.38.0 (#2065)
  • 755f020 Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (#2068)
  • d00dda3 Bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#2051)
  • 47dd237 Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#2075)
  • e487e96 Clarify GUAC's place in the OpenSSF (#2056)
  • 3161b7a Fixed incorrect depsdev getProject (#2009)
  • 98ee416 Move the contributor ladder to the website (#2052)
  • e4357e5 Return hasSBOM and hasSLSA IDs from the assembler (#2069)
  • c6b16de [fix] cdx parser empty purl identifier and deduplication (#2079)
  • 054c076 ensure cdx parser does not error on v1.5 or below license parsing (#2062)
  • d996ab2 expose hasSBOM and hasSLSA IDs (#2076)
  • a3a7525 remove daysSinceLastScan as it is redundant with certifier interval (#2080)
  • c4b6a42 update dependency schema to make dependent_package_version_id required (#2060)
  • 6aff459 update ent and regen code to fix atlas diff issue (#2061)

v0.8.0

25 Jul 18:11
0c6dc86
Compare
Choose a tag to compare
  • Clearly Defined Certifier! (Experimental)
  • Parse CycloneDX Legal information (#1985)
  • Add vulnerability scanning on ingestion
  • [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982).
    Keyvalue PR already created (#2033)
  • Update slsa parser in-toto attestation library (#1988)
  • Update slsa parser to use ResourceDescriptor (#1988)
  • [ENT] Fix node , improve package qualifiers query and add missing indexes to speed up query performance (#1989, #1999, #2020 and #2032)
  • Include e2e tests for guaccollect, guacingest, and ent (#1998)
  • Change isDependency to be only at the pkgVersion
  • Fix make all and make build (#2014)

Contributors

What's Changed

  • 8e8bf52 #1996 Improve package's qualifiers query (#1997)
  • d55629f Add default SECURITY.md policy (#2004)
  • bf65123 Adds vulnerability scanning on ingestion (#1963)
  • e1465d9 Bump actions/checkout from 4.1.6 to 4.1.7 (#1972)
  • 681d3b7 Bump actions/create-github-app-token from 1.10.1 to 1.10.3 (#1995)
  • 968c0cc Bump actions/setup-go from 5.0.1 to 5.0.2 (#2025)
  • 3cacb78 Bump actions/setup-python from 5.1.0 to 5.1.1 (#2024)
  • 5b9e79d Bump anchore/sbom-action from 0.16.0 to 0.17.0 (#2023)
  • c2983b5 Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 (#1958)
  • 250ecb8 Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#1977)
  • a0c0b73 Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#2026)
  • f0d7607 Bump cloud.google.com/go/storage from 1.41.0 to 1.42.0 (#1979)
  • 07cea77 Bump entgo.io/ent from 0.13.0 to 0.13.1 (#2005)
  • 57a219f Bump github.com/99designs/gqlgen from 0.17.45 to 0.17.48 (#1961)
  • d81762c Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#1962)
  • 153f94e Bump github.com/CycloneDX/cyclonedx-go from 0.8.0 to 0.9.0 (#2007)
  • dad65eb Bump github.com/aws/aws-sdk-go from 1.53.1 to 1.54.3 (#1968)
  • 8ca724a Bump github.com/aws/aws-sdk-go from 1.54.3 to 1.54.6 (#1978)
  • 9052a82 Bump github.com/aws/aws-sdk-go from 1.54.6 to 1.55.0 (#2043)
  • 809acec Bump github.com/aws/aws-sdk-go-v2 from 1.30.1 to 1.30.3 (#2030)
  • e0a7c6b Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.19 (#1970)
  • 6139d24 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.19 to 1.27.23 (#1993)
  • c903f1b Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.55.1 to 1.58.2 (#2027)
  • 3c0319a Bump github.com/fsouza/fake-gcs-server from 1.48.0 to 1.49.2 (#1955)
  • 5114c80 Bump github.com/google/osv-scanner from 1.7.2 to 1.7.4 (#1960)
  • fb3d62a Bump github.com/google/osv-scanner from 1.7.4 to 1.8.2 (#2013)
  • f39ad2e Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#1981)
  • 5d0a9bf Bump github.com/nats-io/nats-server/v2 from 2.10.16 to 2.10.17 (#2029)
  • c1ddb48 Bump github.com/nats-io/nats-server/v2 from 2.10.17 to 2.10.18 (#2041)
  • 4fe606f Bump github.com/nats-io/nats.go from 1.34.1 to 1.36.0 (#1971)
  • 221a7d3 Bump github.com/pitabwire/natspubsub from 0.1.3 to 0.1.7 (#1990)
  • 9e41590 Bump github.com/redis/go-redis/v9 from 9.5.1 to 9.5.3 (#1954)
  • 5c09ea6 Bump github.com/regclient/regclient from 0.6.1 to 0.7.0 (#2042)
  • cdfebf3 Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 (#1980)
  • 9e41523 Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 (#1991)
  • b18df2d Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 (#2028)
  • 3ac1beb Bump github.com/vektah/gqlparser/v2 from 2.5.12 to 2.5.14 (#1966)
  • 1b1ccc5 Bump github.com/vektah/gqlparser/v2 from 2.5.14 to 2.5.16 (#1992)
  • ecf9206 Bump github/codeql-action from 3.25.10 to 3.25.11 (#1994)
  • b12ce21 Bump github/codeql-action from 3.25.11 to 3.25.12 (#2022)
  • 693a21c Bump github/codeql-action from 3.25.12 to 3.25.13 (#2045)
  • f18ba93 Bump github/codeql-action from 3.25.7 to 3.25.8 (#1957)
  • 21e503c Bump github/codeql-action from 3.25.8 to 3.25.10 (#1973)
  • 8a987bd Bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#2012)
  • 546a17e Bump goreleaser/goreleaser-action from 5 to 6 (#1959)
  • a0762a6 Clearly defined certifier (#2035)
  • ff4c8af Expose certifier and deps.dev batch size and add optional latency (defaults to none) (#1967)
  • 7306193 Fix Google Container Registry URL typo (#1986)
  • 6443db6 Fix make all and make build (#2014)
  • 41970b6 Fix guacrest docker compose healthchecks (#2001)
  • 82e3f80 Fix the e2e (#2010)
  • ee17427 Fix the shebang on the e2e script by (#2017)
  • 9a20f1e Fixed Guacone Query Vuln When Keyvalue is Used (#2000)
  • 05de293 Implememnt the proposal in guacsec/governance#8 (#1935)
  • 53a63ab Include e2e tests for guaccollect, guacingest, and ent (#1998)
  • 71dbe34 Move to OpenSSF mail server (#1975)
  • 9d51e44 Parse CycloneDX Legal information (#1985)
  • 8c54ef5 Remove isDependency to pkgName (#2021)
  • 0675b67 Speed up common CertifyVuln ent queries by adding indexes (#1999)
  • 2845fad Speed up isDependency query when spec depPkg has pkgID (#2020)
  • 2d87d8d Update slsa parser to remove deprecated structs (#1988)
  • bc9361d Updated query known and slsa parser (#2018)
  • 6a63c22 [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982)
  • 0b17411 [ENT] add indexes for common queries on ENT (#2032)
  • b6754cf [ENT] add missing nodes from the node query (#1989)
  • a4c36b1 add check for paginated queries for nil values in ent (#2031)
  • 7eccfa9 add missing csub-tls flags for guaccollect (#1951)
  • 0c6dc86 move timestamp up such that it is not skipped (#2046)
  • 0c70002 remove GetMatchFlagsFromPkgInput helper as it was not needed for isDependency (#1933)
  • e2486e1 support direct connections to ent from the rest api (#1932)
  • 621b66f update to skip type guac purls in deps.dev (#2039)

v0.7.2

06 Jun 19:42
42599e4
Compare
Choose a tag to compare
  • Fixes for OSV/Scorecard flag initialization via guacCollect

Contributors

What's Changed

v0.7.1

06 Jun 16:26
4204cb0
Compare
Choose a tag to compare
  • Fixes for OSV certifier via guacCollect

Contributors

What's Changed

v0.7.0

04 Jun 15:34
64e4b0e
Compare
Choose a tag to compare
  • Include Pagination for KeyValue
  • Added annotate-metadata command via guacone CLI (Experimental)
  • WIP for Get Next Actionable Critical Dependencies (Experimental - REST API)
  • Improved CDX parsing for transitive dependencies
  • GraphQL - Expose all client queries (paginated and non-paginated)
  • [ENT] Controlled and automated schema version migration via Atlas
  • Update certifiers to use paginated query for package and source
  • Update S3 collector to support collecting from a directory within the bucket

Contributors

What's Changed