v0.8.7

• Various bug fixes, additional logs and improvements

What's Changed

• dd1e897 Bump github/codeql-action from 3.26.7 to 3.26.8 (#2143)
• a5463f9 Bump google.golang.org/api from 0.192.0 to 0.198.0 (#2144)
• 0e9506b add logs to determine when certifier starts and ends (#2149)
• a0e6631 bump github.com/99designs/gqlgen from 0.17.49 to 0.17.54 (#2148)
• 3284ed3 bump github.com/aws/aws-sdk-go-v2 from 1.30.5 to 1.31.0 (#2146)
• 28515aa bump github.com/google/osv-scanner from 1.8.4 to 1.8.5 (#2145)
• 821e685 bump github.com/nats-io/nats-server/v2 from 2.10.18 to 2.10.20 (#2147)
• ce75d1f fix bugs that causes panic on query vuln on sbom uri search (#2140)

v0.8.6

• bug fixes

What's Changed

• 9dbf407 drop discovered_license from required index as it is covered by the discovered_license_hash (#2139)

Also includes all the changes from v0.8.5

• Searching for hasSBOMs via Artifacts in Vuln cli
• CDX parser captures version as an artifact for images
• ClearlyDefined certifier to the postgres/demo compose file
• Various bug fixes and improvements

v0.8.5

• Searching for hasSBOMs via Artifacts in Vuln cli
• CDX parser captures version as an artifact for images
• ClearlyDefined certifier to the postgres/demo compose file
• Various bug fixes and improvements

Contributors

• @pxp928
• @nathannaveen
• @funnelfiasco

What's Changed

• c22cf02 Add the ClearlyDefined certifier to the demo compose file (#2129)
• d4abef2 Also add the ClearlyDefined certifier to the postgres compose file (#2130)
• de3897f Bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#2132)
• 2752e40 Bump github/codeql-action from 3.26.6 to 3.26.7 (#2131)
• 477b1d7 CDX parser captures version as an artifact for images (#2126)
• 430b768 Fix guacEmpty being added into the ENT DB causing errors (#2136)
• c7501e8 Searching for hasSBOMs via Artifacts in Vuln cli (#1965)
• 8c9cc5b Update CD certifier to ignore LicenseRef licenses (#2134)
• f5e60a9 create isoccur for top level package when artifact is found (#2137)

v0.8.4

• Fix SPDX SBOM ingestion with multiple purls in externalRefs array
• Add connection timeout for ENT
• Retry on network error for certifiers
• Fix Deps.dev rate limiting
• Various bug fixes and improvements

Contributors

• @pxp928
• @mrizzi
• @nathannaveen

What's Changed

• 9c7f881 [Fix] GRPC rate limit and add exponential backoff for CD (#2125)

Also includes (from v0.8.3):

• e6f20c3 Bump actions/create-github-app-token from 1.10.3 to 1.10.4 (#2116)
• 61da705 Bump actions/setup-python from 5.1.1 to 5.2.0 (#2106)
• 9768dc0 Bump docker/login-action from 2 to 3 (#2107)
• db47d0a Bump getkin/kin-openapi from v0.123.0 to v0.127.0 (#2112)
• 0c72777 Bump github.com/aws/aws-sdk-go-v2 from 1.30.4 to 1.30.5 (#2121)
• ad1f0c2 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.31 (#2102)
• 7004fc4 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.59.0 to 1.61.2 (#2119)
• a37fef2 Bump github.com/fsouza/fake-gcs-server from 1.49.2 to 1.49.3 (#2104)
• 7d1e437 Bump github/codeql-action from 3.26.5 to 3.26.6 (#2105)
• fcda7d9 Bump gocloud.dev from 0.38.0 to 0.39.0 (#2118)
• 04f8655 Bump gocloud.dev/pubsub/rabbitpubsub from 0.38.0 to 0.39.0 (#2120)
• 8b7b9e2 Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#2103)
• 8fd7914 Bump google.golang.org/grpc from 1.66.0 to 1.66.1 (#2117)
• 5e29c5d Bumping cdevents/sdk-go from 0.3.2 to 0.4.1 (#2108)
• c9c6acc Fix SPDX SBOM ingestion with multiple purls in externalRefs array (#2101)
• 4c0b9a8 Include documentRef in hasSBOM client operations (#2111)
• 2508663 add connection timeout for ENT (#2115)
• 2f63622 change atlas migration to take into account ent auto migration index names (#2114)
• 2b018e2 retry on network error for certifiers (#2122)

v0.8.3

Changelog

• e6f20c3 Bump actions/create-github-app-token from 1.10.3 to 1.10.4 (#2116)
• 61da705 Bump actions/setup-python from 5.1.1 to 5.2.0 (#2106)
• 9768dc0 Bump docker/login-action from 2 to 3 (#2107)
• db47d0a Bump getkin/kin-openapi from v0.123.0 to v0.127.0 (#2112)
• 0c72777 Bump github.com/aws/aws-sdk-go-v2 from 1.30.4 to 1.30.5 (#2121)
• ad1f0c2 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.31 (#2102)
• 7004fc4 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.59.0 to 1.61.2 (#2119)
• a37fef2 Bump github.com/fsouza/fake-gcs-server from 1.49.2 to 1.49.3 (#2104)
• 7d1e437 Bump github/codeql-action from 3.26.5 to 3.26.6 (#2105)
• fcda7d9 Bump gocloud.dev from 0.38.0 to 0.39.0 (#2118)
• 04f8655 Bump gocloud.dev/pubsub/rabbitpubsub from 0.38.0 to 0.39.0 (#2120)
• 8b7b9e2 Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#2103)
• 8fd7914 Bump google.golang.org/grpc from 1.66.0 to 1.66.1 (#2117)
• 5e29c5d Bumping cdevents/sdk-go from 0.3.2 to 0.4.1 (#2108)
• c9c6acc Fix SPDX SBOM ingestion with multiple purls in externalRefs array (#2101)
• 4c0b9a8 Include documentRef in hasSBOM client operations (#2111)
• 2508663 add connection timeout for ENT (#2115)
• 2f63622 change atlas migration to take into account ent auto migration index names (#2114)
• 2b018e2 retry on network error for certifiers (#2122)

v0.8.2

• Batch query support for clearly defined to improve performance
• Atlas Migration image creation with each release for each of migrate the ENT database
• Rate limit added for external services: deps.dev, OSV and clearly defined
• Various bug fixes and improvements

Contributors

• @pxp928
• @nathannaveen

What's Changed

• 0f694a3 Add batch querying for clearly defined to reduce ingestion time (#2088)
• 9b6c7ae Atlas migration image (#2086)
• 5e11532 Bump actions/checkout from 3 to 4 (#2094)
• 00a46f3 Bump anchore/sbom-action from 0.17.0 to 0.17.1 (#2084)
• ce446ae Bump anchore/sbom-action from 0.17.1 to 0.17.2 (#2093)
• 4acfd67 Bump docker/build-push-action from 5 to 6 (#2095)
• 7f0feef Bump docker/setup-buildx-action from 2 to 3 (#2096)
• ac3ddef Bump entgo.io/contrib from 0.5.0 to 0.6.0 (#2092)
• 80a973f Bump github.com/aws/aws-sdk-go-v2/config from 1.27.23 to 1.27.28 (#2081)
• 8e92b01 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.58.2 to 1.59.0 (#2083)
• eb4ec8f Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.34.3 to 1.34.5 (#2091)
• f6f0594 Bump github.com/google/osv-scanner from 1.8.2 to 1.8.4 (#2090)
• 2072dff Bump github/codeql-action from 3.26.0 to 3.26.3 (#2085)
• efa4ffb Bump github/codeql-action from 3.26.3 to 3.26.5 (#2097)
• 7fe8848 Rate limiting outgoing requests (#2053)
• 81e4eb1 add missing search_path, and change workflow to publish only on tag release (#2087)

v0.8.1

• Remove unused daysSinceLastScan for certifiers
• Return hasSBOM and hasSLSA IDs from the assembler
• Various bug fixes and improvements

What's Changed

• e0253d4 Bump cloud.google.com/go/storage from 1.42.0 to 1.43.0 (#2071)
• a576388 Bump docker/login-action from 3.2.0 to 3.3.0 (#2044)
• 5e25e14 Bump github.com/99designs/gqlgen from 0.17.48 to 0.17.49 (#2040)
• e584a1f Bump github.com/aws/aws-sdk-go from 1.55.0 to 1.55.5 (#2070)
• b9dc127 Bump github.com/aws/aws-sdk-go-v2/service/sqs from 1.31.4 to 1.34.3 (#2067)
• ef728ea Bump github.com/docker/docker (#2059)
• 49280fa Bump github.com/regclient/regclient from 0.7.0 to 0.7.1 (#2063)
• e87aa0b Bump github.com/sigstore/sigstore from 1.8.7 to 1.8.8 (#2073)
• 4c61333 Bump github/codeql-action from 3.25.13 to 3.25.15 (#2050)
• e2a257a Bump github/codeql-action from 3.25.15 to 3.26.0 (#2074)
• 31a2687 Bump gocloud.dev/pubsub/rabbitpubsub from 0.37.0 to 0.38.0 (#2065)
• 755f020 Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (#2068)
• d00dda3 Bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#2051)
• 47dd237 Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#2075)
• e487e96 Clarify GUAC's place in the OpenSSF (#2056)
• 3161b7a Fixed incorrect depsdev getProject (#2009)
• 98ee416 Move the contributor ladder to the website (#2052)
• e4357e5 Return hasSBOM and hasSLSA IDs from the assembler (#2069)
• c6b16de [fix] cdx parser empty purl identifier and deduplication (#2079)
• 054c076 ensure cdx parser does not error on v1.5 or below license parsing (#2062)
• d996ab2 expose hasSBOM and hasSLSA IDs (#2076)
• a3a7525 remove daysSinceLastScan as it is redundant with certifier interval (#2080)
• c4b6a42 update dependency schema to make dependent_package_version_id required (#2060)
• 6aff459 update ent and regen code to fix atlas diff issue (#2061)

v0.8.0

• Clearly Defined Certifier! (Experimental)
• Parse CycloneDX Legal information (#1985)
• Add vulnerability scanning on ingestion
• [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982).
  Keyvalue PR already created (#2033)
• Update slsa parser in-toto attestation library (#1988)
• Update slsa parser to use ResourceDescriptor (#1988)
• [ENT] Fix node , improve package qualifiers query and add missing indexes to speed up query performance (#1989, #1999, #2020 and #2032)
• Include e2e tests for guaccollect, guacingest, and ent (#1998)
• Change isDependency to be only at the pkgVersion
• Fix make all and make build (#2014)

Contributors

• @Yaxhveer
• @nchelluri
• @nathannaveen
• @mlieberman85
• @cberman
• @pxp928
• @mrizzi
• @funnelfiasco
• @mdeicas
• @lumjjb

What's Changed

• 8e8bf52 #1996 Improve package's qualifiers query (#1997)
• d55629f Add default SECURITY.md policy (#2004)
• bf65123 Adds vulnerability scanning on ingestion (#1963)
• e1465d9 Bump actions/checkout from 4.1.6 to 4.1.7 (#1972)
• 681d3b7 Bump actions/create-github-app-token from 1.10.1 to 1.10.3 (#1995)
• 968c0cc Bump actions/setup-go from 5.0.1 to 5.0.2 (#2025)
• 3cacb78 Bump actions/setup-python from 5.1.0 to 5.1.1 (#2024)
• 5b9e79d Bump anchore/sbom-action from 0.16.0 to 0.17.0 (#2023)
• c2983b5 Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 (#1958)
• 250ecb8 Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#1977)
• a0c0b73 Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#2026)
• f0d7607 Bump cloud.google.com/go/storage from 1.41.0 to 1.42.0 (#1979)
• 07cea77 Bump entgo.io/ent from 0.13.0 to 0.13.1 (#2005)
• 57a219f Bump github.com/99designs/gqlgen from 0.17.45 to 0.17.48 (#1961)
• d81762c Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#1962)
• 153f94e Bump github.com/CycloneDX/cyclonedx-go from 0.8.0 to 0.9.0 (#2007)
• dad65eb Bump github.com/aws/aws-sdk-go from 1.53.1 to 1.54.3 (#1968)
• 8ca724a Bump github.com/aws/aws-sdk-go from 1.54.3 to 1.54.6 (#1978)
• 9052a82 Bump github.com/aws/aws-sdk-go from 1.54.6 to 1.55.0 (#2043)
• 809acec Bump github.com/aws/aws-sdk-go-v2 from 1.30.1 to 1.30.3 (#2030)
• e0a7c6b Bump github.com/aws/aws-sdk-go-v2/config from 1.27.16 to 1.27.19 (#1970)
• 6139d24 Bump github.com/aws/aws-sdk-go-v2/config from 1.27.19 to 1.27.23 (#1993)
• c903f1b Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.55.1 to 1.58.2 (#2027)
• 3c0319a Bump github.com/fsouza/fake-gcs-server from 1.48.0 to 1.49.2 (#1955)
• 5114c80 Bump github.com/google/osv-scanner from 1.7.2 to 1.7.4 (#1960)
• fb3d62a Bump github.com/google/osv-scanner from 1.7.4 to 1.8.2 (#2013)
• f39ad2e Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#1981)
• 5d0a9bf Bump github.com/nats-io/nats-server/v2 from 2.10.16 to 2.10.17 (#2029)
• c1ddb48 Bump github.com/nats-io/nats-server/v2 from 2.10.17 to 2.10.18 (#2041)
• 4fe606f Bump github.com/nats-io/nats.go from 1.34.1 to 1.36.0 (#1971)
• 221a7d3 Bump github.com/pitabwire/natspubsub from 0.1.3 to 0.1.7 (#1990)
• 9e41590 Bump github.com/redis/go-redis/v9 from 9.5.1 to 9.5.3 (#1954)
• 5c09ea6 Bump github.com/regclient/regclient from 0.6.1 to 0.7.0 (#2042)
• cdfebf3 Bump github.com/sigstore/sigstore from 1.8.3 to 1.8.4 (#1980)
• 9e41523 Bump github.com/sigstore/sigstore from 1.8.4 to 1.8.6 (#1991)
• b18df2d Bump github.com/sigstore/sigstore from 1.8.6 to 1.8.7 (#2028)
• 3ac1beb Bump github.com/vektah/gqlparser/v2 from 2.5.12 to 2.5.14 (#1966)
• 1b1ccc5 Bump github.com/vektah/gqlparser/v2 from 2.5.14 to 2.5.16 (#1992)
• ecf9206 Bump github/codeql-action from 3.25.10 to 3.25.11 (#1994)
• b12ce21 Bump github/codeql-action from 3.25.11 to 3.25.12 (#2022)
• 693a21c Bump github/codeql-action from 3.25.12 to 3.25.13 (#2045)
• f18ba93 Bump github/codeql-action from 3.25.7 to 3.25.8 (#1957)
• 21e503c Bump github/codeql-action from 3.25.8 to 3.25.10 (#1973)
• 8a987bd Bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#2012)
• 546a17e Bump goreleaser/goreleaser-action from 5 to 6 (#1959)
• a0762a6 Clearly defined certifier (#2035)
• ff4c8af Expose certifier and deps.dev batch size and add optional latency (defaults to none) (#1967)
• 7306193 Fix Google Container Registry URL typo (#1986)
• 6443db6 Fix make all and make build (#2014)
• 41970b6 Fix guacrest docker compose healthchecks (#2001)
• 82e3f80 Fix the e2e (#2010)
• ee17427 Fix the shebang on the e2e script by (#2017)
• 9a20f1e Fixed Guacone Query Vuln When Keyvalue is Used (#2000)
• 05de293 Implememnt the proposal in guacsec/governance#8 (#1935)
• 53a63ab Include e2e tests for guaccollect, guacingest, and ent (#1998)
• 71dbe34 Move to OpenSSF mail server (#1975)
• 9d51e44 Parse CycloneDX Legal information (#1985)
• 8c54ef5 Remove isDependency to pkgName (#2021)
• 0675b67 Speed up common CertifyVuln ent queries by adding indexes (#1999)
• 2845fad Speed up isDependency query when spec depPkg has pkgID (#2020)
• 2d87d8d Update slsa parser to remove deprecated structs (#1988)
• bc9361d Updated query known and slsa parser (#2018)
• 6a63c22 [ENT] Implement deletion for certifyVuln, hasSBOM and hasSLSA (#1982)
• 0b17411 [ENT] add indexes for common queries on ENT (#2032)
• b6754cf [ENT] add missing nodes from the node query (#1989)
• a4c36b1 add check for paginated queries for nil values in ent (#2031)
• 7eccfa9 add missing csub-tls flags for guaccollect (#1951)
• 0c6dc86 move timestamp up such that it is not skipped (#2046)
• 0c70002 remove GetMatchFlagsFromPkgInput helper as it was not needed for isDependency (#1933)
• e2486e1 support direct connections to ent from the rest api (#1932)
• 621b66f update to skip type guac purls in deps.dev (#2039)

v0.7.2

• Fixes for OSV/Scorecard flag initialization via guacCollect

Contributors

• @pxp928

What's Changed

• 42599e4 fix flag initialization and naming (#1950)

v0.7.1

• Fixes for OSV certifier via guacCollect

Contributors

• @pxp928

What's Changed

• bb96252 Add nil checks for pkgConn and PackagesList (#1948)
• 4204cb0 updates to osv collector to fix issues (#1949)