All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Implement Bugzilla SRT notes builder in Bugzilla Backwards Sync (OSIDB-384)
- Implement validation for flaw without affect (OSIDB-353)
- Change logging of celery and django to filesystem (OSIDB-418)
- Implement validation for CWE ID chain in a Flaw (OSIDB-357)
- Implement validation that embargoed flaws cannot have public trackers (OSIDB-350)
- Fix Jira tracker created and updated timestamps (OSIDB-14)
- Fix errata created and updated timestamps (OSIDB-453)
- Restrict write operations on placeholder flaws (OSIDB-388)
- Make sure the unacked PS update stream is always linked to PS module (OSIDB-637)
- Link unacked PS update stream to PS module on product definitions sync (OSIDB-629)
- Increase PS component name length from 100 to 255 characters (OSIDB-635)
- Catch tracker sync exceptions individually (OSIDB-580)
- Implement complete Bugzilla groups handling in Bugzilla Backwards Sync (OSIDB-387)
- Support (CISA) Major Incident label in tracker description (OSIDB-579)
- Fix Errata collector saving to handle advisory name change (OSIDB-565)
- Fix Errata collector design to periodically refresh data (OSIDB-433)
- Flaw mitigated_by field is now deprecated and will be completely removed in the next major release (OSIDB-126)
- Fix component matching from tracker description (OSIDB-464)
- Store FlawMeta alerts on FlawMeta instead of on Flaw
- Prevent pgtrigger recreating triggers (OSIDB-429)
- Helper for manual flaw synchronization (OSIDB-389)
- Usage of django-deprecate-fields package for model field deprecation (OSIDB-126)
- Fix an issue with FlawSource validation for sources that can be both public and private (OSIDB-450)
- Fix an issue with CVSSv3 validation that was preventing some flaws from being synchronized in OSIDB (OSIDB-426, OSIDB-427)
- Authentication is no longer compulsory for read-only requests against the main OSIDB endpoints such as /flaws, /affects and /trackers (OSIDB-313)
- Fix an issue in which the Jiraffe collector was calling Tracker.affect instead of Tracker.affects (a ManyToMany field), which resulted in some failed JIRA tracker synchronizations.
- Treat collector failures due to already running collectors or due to waiting for dependencies as celery Retry exceptions.
- OSIDB now uses publicly available images from docker.io (OSIDB-170)
- fix a bug where Major Incident could be unset by an unrelated BZ flag (OSIDB-416)
- CISA collector to run hourly rather than daily (PSINSIGHTS-635)
- support for CVE-less flaws (OSIDB-25)
- unified logging across the whole OSIDB
- validate hightouch and hightouch-lite flag value combinations (OSIDB-329)
- validate differences between Red Hat and NVD CVSS score and severity (OSIDB-333)
- validate that embargoed flaws do not have public sources (OSIDB-337)
- validate that flaws from public sources don't contain ack FlawMetas (OSIDB-338)
- AlertMixin for the creation of easily-serializable alerts on a per-record basis for any model that inherits from said mixin (OSIDB-324)
- validate that an Affect's ps_module exists in product definitions (OSIDB-342)
- EPSS data API for Red Hat vulnerabilities (PSINSIGHTS-636)
- disable krb5 log redirection in stage and production playbooks.
- disable opportunistic_auth when contacting Errata Tool and remove the authentication call from the constants file, which meant that ET authentication happened every time the code was loaded, generating a lot of auth calls and logs.
- change the way that data is synchronized to be more fault-tolerant; failures in things like tracker fetching will no longer make the entire flaw sync fail.
- fix a bug where only certain metadata were being correctly synchronized between BZ and OSIDB which resulted in things like typos in acknowledgments persisting in OSIDB despite being removed from BZ.
- fix a bug in which the scheme in next/previous links in paginated responses was http:// and not https://.
- fix a bug with the way that the collector framework parsed crontab strings.
- fix various bugs with the collector framework instantiation process.
- fix a bug with the way that collector dependencies were being handled.
- fix a bug in which FlawMeta were not being updated correctly due to an ACL issue.
- update product exclusion lists.
- fix a bug in which the exploit collectors were not working properly due to an ACL issue.
- fix an issue with duplicate affects generating database errors.
- add various Dockerfile optimizations.
- add API for exploit report processing.
- add a mechanism to reflect CVE changes and/or removals.
- remove audit mechanisms and tables from main models.
- remove obsoleted bzload.py script.
- remove outdated service schema.
- remove obsoleted funcspec.
- remove prodsec lib dependency.
- fix an issue with existing FlawMeta objects not being updated if the parent Flaw was itself updated, meaning that FlawMeta could be kept as embargoed if the Flaw was unembargoed.
- fix a change that broke backwards compatibility with IRD; this fix reverts the empty value of enumerations from "" back to "NONE", and only IRD clients should be affected.
- fix an issue with objects not being saved to the database due to a bad interaction between FlawSaver and TrackerBugConvertor (OSIDB-142)
- add tracker timestamps (OSIDB-62)
- provide erratum ID on API together with advisory ID (OSIDB-128)
- create flaw draft (OSIDB-68)
- API for Insights Vulnerability application (PSINSIGHTS-608)
- start using the "Keep a Changelog" format for the CHANGELOG.md
- reviewed and unified the database fields across all the models (OSIDB-16)
- fix and unify creation and modification timestamps handling (OSIDB-62, OSIDB-82)
- major Bugzilla collection reliability rework (OSIDB-17, OSIDB-130)
- ignore and remove testing Bugzilla bugs (OSIDB-111)
- reflect related entity removal on flaw sync (OSIDB-78)
- improve flaw source handling (OSIDB-61)
- remove Flawzilla testing app (OSIDB-18)
- remove old collector APIs (OSIDB-20)
- ensure API ordering is reproducible - fixes pagination issue (OSIDB-133)
- add /osidb/whoami endpoint to expose currently logged in user information
- add /affects, /trackers endpoints and allow CRUD operations
- add collector for Errata Tool IDs and expose "errata that fix this tracker"
- track OSIDB users' bugzilla and jira usernames
- unify metadata across all api responses
- fix Bugzilla flag syncing causing Major Incident update issues (PSDEVOPS-3406)
- fix collector ACLs causing unembargo staleness (PSDEVOPS-3449)
- fix flaw source typos causing minor sync issues (PSDEVOPS-3373)
- remove status metadata from responses
- add CPaaS pipeline credential mapping (PSDEVOPS-2569)
- update version to 1.1.2
- apply correct update/create dates to flaws, affects, and trackers (PSDEVOPS-3365)
- move DEVELOP.md and TUTORIAL.md to docs directory
- update version to 1.1.1
- do not pass uuid as groups to set_user_acls
- add update schema step to OSIDB release docs
- add schema extension for custom auth class
- add exploit collectors (PSINSIGHTS-538, PSINSIGHTS-541)
- implement more granular LDAP control groups (PSDEVOPS-2664)
- implement Product Definitions collector
- add tracker QE owner attribute (PSDEVOPS-3219)
- implement read-only mode and enable for prod (PSDEVOPS-3203)
- raise OSIDB version to 1.1.0
- update documentation regarding LDAP groups
- increase osidb-service route timeout from 30s to 300s
- update django version to fix known vulnerabilities
- validate peer cert chain and hostname for LDAP connections
- allow bzimport to import testing embargoed data to stage
- provide redis credentials and certificates for osidb-service
- implement kerberos authentication via SPNEGO protocol
- document OSIDB versioning
- add sections about more advanced Flaw queries in tutorial
- implement collector framework API
- implement example collector
- implement collector framework
- update version to 1.0.0
- enable krb5_auth in stage
- fix CVSS string storing
- migrate from DRF tokens to JWT for auth (PSDEVOPS-3140)
- load Bugzilla dates as timezone aware
- use osidb-service image for flower instead of dockerhub image
- secure redis instance by enabling TLS (PSDEVOPS-3128)
- secure redis instance with basic authentication (PSDEVOPS-3128)
- enable TLS endpoint verification in ansible playbooks (PSDEVOPS-3110)
- improve flaws endpoint performance for cve_id and change_after params (PSDEVOPS-3209)
- refactor URLs and the landing page
- fix changed_after and changed_before filters
- fix or refactor attribute validations
- fix schema definition
- accommodate flawdb->osidb rename in openshift
- fix OSIDB name on the main page
- modify tracker_ids query param to filter out non-relevant affects
- update query parameters description in API schema
- update LDAP groups docs
- turn off CWE validation as it is too simple
- deprecate Basic and Session auth for API endpoints (PSDEVOPS-3126)
- update version to 0.0.2
- enable service accounts in prod
- this is the initial OSIDB version
- see git repo for the older changes