Releases: gocsaf/csaf
v3.1.0
Release 3.1.0
- The repository has been moved to github.com/gocsaf/csaf and thus uses a new go module path.
- Uses a custom HTTP user-agent header by default.
- Avoids a race condition when downloading in parallel (#546).
- Turns missing an OpenPGP fingerprint into a warning (#555).
- Checking several domains in one command line call works better (#523).
- Utilizes currently maintained go version 1.22 (#573).
- Switched licenses of original content from MIT to Apache2.0.
- 13 Issues were closed.
- 28 PRs were merged.
v3.0.0
Highlights
- Require only Go 1.20 (was Go 1.21) to support broader library usage.
- Fixed time filtering when downloading advisories.
- Added support for legacy security.txt location.
- Added function to find product identification (Thanks to @juan131)
- Smaller improvements in the documentation.
PRs
- #519 Advisories: Time filter download by 'updated' field in ROLIE entries.
- #516 Go 1.20 compat: Remove usage of slices in enum generator.
- #514 Support Go 1.20
- #513 Older version
- #512 Downloader: Add tlp label to path if no custom directory is configured. Refactor accordingly
- #510 Add GH Action execution on PRs
- #506 PMD: Support legacy security.txt location as fallback.
- #505 feat: Add function to find product identification helpers inspecting the tree
- #502 docs: underline that we are not offering an API yet
- #501 docs: move link to final CSAF 2.0 in README
v3.0.0 RC1
Highlights
- Breaking: All command line and configuration file options are now unified to use snake_case notation. You may need to update your configuration files or calling shell scripts.
- Add a model to serialize/deserialize advisories.
- Add an example how to use this to find PURLs by product IDs.
- Use our own fork of the JSONPath library as upstream patches are still pending.
- Improve the docs.
- Add community support for building the tools on macOS (thanks to @fjd-anh).
PRs
- #502: docs: underline that we are not offering an API yet
- #501: docs: move link to final CSAF 2.0 in README
- #499: API examples: Improved wording in examples/README.md
- #498: Convert a lot of command line arguments to snake case
- #497: API: Fix pattern matching of purls and document categories in advisory model
- #496: Dependencies: Update 3rd-party dependencies
- #495: Docs: Fix link to development doc page.
- #493: Docs: Add Development.md
- #492: Checker: Fix doc of TOML config of validator
- #490: Use Intevation's JSONPath fork
- #489: API examples: move csaf_searcher to a lower prio place
- #483: Time ranges: Accept days, months and years
- #482: docs: improve timerange documentation
- #481: Fix: improve logging for downloader and aggregator
- #476: Add build for macOS
- #475: Schema validation: Add AssertFormat flag to schema compiler
- #473: Adding advisory model
v3.0.0 - Beta 2
Highlights
- This is mainly a bug fix release with no new features.
- The documentation was slightly improved.
- The unit test coverage for the new parts of the downloader was extended.
- The used third party libraries were brought up to date.
PRs
v3.0.0 - Beta 1
Highlights
- All tools are now able to store their configurations in .toml files.
- Breaking change: Support for .ini files in the uploader is dropped.
- The checker, downloader and aggregator are now able to filter down the fetched advisories by time ranges and regular expressions of their URLs.
- Breaking change: The legacy -years flag is removed from the checker.
- The downloader now uses structured logging to make it easier to process the resulting logs.
- The downloader is now able to use a configurable folder to download into.
- Breaking change: The -verbose flag was removed. The level of detail is now handled by the configurable log level.
- The downloader is now able to forward the downloaded advisories to a configurable endpoint.
- Breaking change: To compile the tools at least Go 1.21 is needed.
To reflect the breaking changes we bumped the major version from v2 to v3.
PRs
- #467: Lift distribution from v2 to v3
- #466: Integration Tests: Remove verbose flag from downloader
- #465: Downloader: Document the implemented forward API
- #464: Downloader: Remove verbose flag
- #463: Downloader: unit tests for stats
- #461: Change release action to use elder Ubuntu runner
- #460: Unit tests of internal packages
- #458: feat: log redirects
- #450: downloader: Drop time precision below seconds in log output.
- #447: downloader: Fix logging docs and some comments
- #445: Improve code comment
- #444: downloader: improve code comments
- #443: Downloader: Add structured logging, fails storing and statistics
- #442: Downloader: Add forwarding to HTTP endpoint
- #441: Checker: Fix checking of missing files
- #440: aggregator: Look for config files in similar places like the other tools
- #439: uploader: use the TOML config file infrastructure, too.
- #436: Update dependencies
- #435: Document potential security issue with plain PEM passwords.
- #443: Document regular expression syntax used for filtering URLs.
- #442: Aggregator: Add time range filtering
- #431: No longer set timestamp of version as part of go version in prepareUbuntuInstanceForITests
- #430: Checker: remove years flag
- #429: Error to explaining warning when loading lpmd messages in checker
- #424: Aggregator: Add support for client certificates and extra header
- #423: Downloader: Add support for client certificates
- #422: Checker: Add time range to report
- #421: Aggregator: ignore advisories by given patterns
- #420: Checker: ignore advisories by given patterns
- #419: Downloader: ignore advisories by given patterns
- #418: Add option to specify download folder
- #416: Fix version config and make aggregator use new command line parser.
- #414: Checker: Make time range configurable to check advisories from
- #413: Downloader: Make time range configurable to download advisories from
- #412: Add TOML config to checker
- #409: Make rolie or directory listing mandatory
- #406: Track whether files could not be accessed and report it when reporting about accessibility of TLP:WHITE advisories
- #405: Use TOML as config file format in downloader
- #404: Add support for config files in downloader.
Release 2.2.0
Highlights
- Role based reporting in the checker.
- Improved output in error cases and in the checker report.
- The downloader is now able to fetch more than one advisory at once.
- Needs at least Go 1.20 to build the tools.
- Various bug fixes.
PRs
- #391: Complete requirement 4 (ROLIE)
- #401: Add info for Req 8-10 if direct url was given and as such no checks were performed.
- #400: Allow http redirects
- #393: Don't use string comparison to rank labels.
- #390: Check for advisoryLabel instead of feedlabel.
- #388: Use Set type
- #389: Update third party libraries
- #382: Improve error message if filename does not match document/tracking/id and let it be reported by the proper reporter
- #357: Empty rolie
- #373: Role requirements 11-14 or 15-17
- #378: Burn v2 version into binaries.
- #370: Fix pmd crash
- #369: Simplified requirement 15
- #372: We need at least Go 1.20
- #371: Fix go.mod and internal dependencies for major version v2
- #366: Prepare infrastructure for role based reporting
- #365: Check that filename matches /document/tracking/id
- #361: Be more verbose in case of signature check failures
- #363: Add concurrent downloads to downloader.
- #362: Update 3rd party libraries.
- #364: doc: improve rate default documentation
- #355: Add revive action to workflows
- #328: Enforce application/json when uploading advisories to provider.
2.1.0
For changes see milestone "Release 2.1.0"
2.0.0
- BREAKING CHANGE: code can now only be compiled with Go versions newer than 1.19.1
- add a .gitignore
First stable release
This is considered the first stable version as it has passed the internal testings. :-)
v0.9.6
- Interim mode of aggregator should work now.
- Publishers are now listed in aggregator.json correctly.
- Columns in changes.csv are now always written in double quotes.
- Various bug fixes.