v32.0.0rc4

This is the fourth release candidate for version 32.
The highlights are:

• We re-enabled support for the mozilla, gentoo, istio, kbmsr2019, suse score, elixir, apache tomcat, xen, istio, ubuntu usn, apache httpd, fireye, apache kafka security advisories importers.
• We added support for CWE.
• We added migrations to remove corrupted advisories as described in #1086.
• We added aliases at package level in the API.
• We added support for conan related vulnerabilities.
• We added valid versions improver to get all versions in a vulnerable range for all ecosystems that we support in vulnerablecode.

What's Changed

• Migrate mozilla importer by @TG1999 in #1043
• Migrate gentoo importer #1055 by @TG1999 in #1056
• Migrate istio importer #1059 by @TG1999 in #1058
• Migrate projectkbmsr2019 importer by @TG1999 in #1066
• Migrate suse scoring importer #1052 by @TG1999 in #1050
• Migrate elixir security importer #1060 by @TG1999 in #1061
• Migrate apache tomcat importer by @johnmhoran in #1057
• Add support for CWE by @ziadhany in #782
• Add migrations to remove corrupted advisories #1086 by @TG1999 in #1087
• Prepare for release v32.0.0rc1 by @TG1999 in #1096
• Add migration for adding apache tomcat option in severity scoring by @TG1999 in #1097
• Prepare for release v32.0.0rc2 by @TG1999 in #1098
• Drop safetydb importer by @TG1999 in #1099
• Migrate xen importer by @TG1999 in #1044
• Use for_purl instead of for_package_url in package detail view by @TG1999 in #1101
• Add istio improver by @TG1999 in #1103
• Migrate ubuntu usn importer #1051 by @TG1999 in #1049
• Bump certifi from 2021.10.8 to 2022.12.7 by @dependabot in #1035
• Bump gitpython from 3.1.27 to 3.1.30 by @dependabot in #1070
• Add apache_httpd improver by @TG1999 in #1102
• Remove redundant API tests #1005 by @TG1999 in #1091
• Add fireeye vulnerabilities #487 by @ziadhany in #795
• use public VulnerableCode instance in VulnTotal by @keshav-space in #1075
• Add vulnerability aliases at package level in API by @TG1999 in #1104
• Modify apache_kafka.py and related tests for migration by @johnmhoran in #1042
• Prepare for release v32.0.0rc3 by @TG1999 in #1123
• minor fix: load env for GitHub DataSource by @keshav-space in #1118
• Fix github importer by @TG1999 in #1149
• Add valid version improver by @TG1999 in #1138
• Add env variables for throttling by @TG1999 in #1140
• Fix kbmsr2019 importer by @TG1999 in #1158
• Add support for conan advisories by @TG1999 in #1155
• Prepare for release of v32.0.0rc4 by @TG1999 in #1159

Full Changelog: v31.1.1...v32.0.0rc4

v32.0.0rc3

This is the third release candidate for version 32.
The highlights are:

• We re-enabled support for the mozilla, gentoo, istio, kbmsr2019, suse score, elixir, apache tomcat, xen, istio, ubuntu usn, apache httpd, fireye, apache kafka security advisories importers.
• We added support for CWE.
• We added migrations to remove corrupted advisories as described in #1086.
• We added aliases at package level in the API.

What's Changed

• Migrate mozilla importer by @TG1999 in #1043
• Migrate gentoo importer #1055 by @TG1999 in #1056
• Migrate istio importer #1059 by @TG1999 in #1058
• Migrate projectkbmsr2019 importer by @TG1999 in #1066
• Migrate suse scoring importer #1052 by @TG1999 in #1050
• Migrate elixir security importer #1060 by @TG1999 in #1061
• Migrate apache tomcat importer by @johnmhoran in #1057
• Add support for CWE by @ziadhany in #782
• Add migrations to remove corrupted advisories #1086 by @TG1999 in #1087
• Prepare for release v32.0.0rc1 by @TG1999 in #1096
• Add migration for adding apache tomcat option in severity scoring by @TG1999 in #1097
• Prepare for release v32.0.0rc2 by @TG1999 in #1098
• Drop safetydb importer by @TG1999 in #1099
• Migrate xen importer by @TG1999 in #1044
• Use for_purl instead of for_package_url in package detail view by @TG1999 in #1101
• Add istio improver by @TG1999 in #1103
• Migrate ubuntu usn importer #1051 by @TG1999 in #1049
• Bump certifi from 2021.10.8 to 2022.12.7 by @dependabot in #1035
• Bump gitpython from 3.1.27 to 3.1.30 by @dependabot in #1070
• Add apache_httpd improver by @TG1999 in #1102
• Remove redundant API tests #1005 by @TG1999 in #1091
• Add fireeye vulnerabilities #487 by @ziadhany in #795
• use public VulnerableCode instance in VulnTotal by @keshav-space in #1075
• Add vulnerability aliases at package level in API by @TG1999 in #1104
• Modify apache_kafka.py and related tests for migration by @johnmhoran in #1042
• Prepare for release v32.0.0rc3 by @TG1999 in #1123

Full Changelog: v31.1.1...v32.0.0rc3second

v32.0.0rc2

This is the second release candidate for version 32.
The highlights are:

• We re-enabled support for the mozilla, gentoo, istio, kbmsr2019, suse score, elixir, apache tomcat security advisories importers.
• We added support for CWE.
• We added migrations to remove corrupted advisories as described in #1086.

What's Changed

• Migrate mozilla importer by @TG1999 in #1043
• Migrate gentoo importer #1055 by @TG1999 in #1056
• Migrate istio importer #1059 by @TG1999 in #1058
• Migrate projectkbmsr2019 importer by @TG1999 in #1066
• Migrate suse scoring importer #1052 by @TG1999 in #1050
• Migrate elixir security importer #1060 by @TG1999 in #1061
• Migrate apache tomcat importer by @johnmhoran in #1057
• Add support for CWE by @ziadhany in #782
• Add migrations to remove corrupted advisories #1086 by @TG1999 in #1087
• Prepare for release v32.0.0rc1 by @TG1999 in #1096
• Add migration for adding apache tomcat option in severity scoring by @TG1999 in #1097
• Prepare for release v32.0.0rc2 by @TG1999 in #1098

Full Changelog: v31.1.1...v32.0.0rc2

v32.0.0rc1

This is the first release candidate for version 32.
The highlights are:

• We re-enabled support for the mozilla, gentoo, istio, kbmsr2019, suse score, elixir, apache tomcat security advisories importers.
• We added support for CWE.
• We added migrations to remove corrupted advisories as described in #1086.

What's Changed

• Migrate mozilla importer by @TG1999 in #1043
• Migrate gentoo importer #1055 by @TG1999 in #1056
• Migrate istio importer #1059 by @TG1999 in #1058
• Migrate projectkbmsr2019 importer by @TG1999 in #1066
• Migrate suse scoring importer #1052 by @TG1999 in #1050
• Migrate elixir security importer #1060 by @TG1999 in #1061
• Migrate apache tomcat importer by @johnmhoran in #1057
• Add support for CWE by @ziadhany in #782
• Add migrations to remove corrupted advisories #1086 by @TG1999 in #1087
• Prepare for release v32.0.0rc1 by @TG1999 in #1096

Full Changelog: v31.1.1...v32.0.0rc1

v31.1.1

What's Changed

• Migrate apache httpd importer#971 by @johnmhoran in #1014
• Support incomplete versions for a valid purl in search by @TG1999 in #1065
• Prepare for release v31.1.1 by @TG1999 in #1073

Full Changelog: v31.1.0...v31.1.1

v31.1.0

What's Changed

• Migrate npm importer by @TG1999 in #960
• Migrate retiredotnet importer by @TG1999 in #1041
• Link sanity by @Hritik14 in #1048
• Handle purl fragments in package search #1032 by @TG1999 in #1033
• Ingest npm data through github api #1025 by @TG1999 in #1027
• Prepare for release v31.1.0 by @TG1999 in #1062

Full Changelog: v31.0.0...v31.1.0

v31.0.0

This is a major new release with data changes that are API breaking: The way we store CVSS scores has changed.
There is a major new feature with Vulntotal which is like https://www.virustotal.com/ for comparing vulnerability databases. We also re-enabled PostgreSQL advisory imports.

What's Changed

• Add initial config for vulntotal by @keshav-space in #777
• Add support for calculating CVSS score from the CVSS vector by @ziadhany in #747
• Add Vulntotal CLI by @keshav-space in #801
• Add GitHubDataSource by @keshav-space in #804
• Add OSS-Index DataSource by @keshav-space in #829
• Add Gitlab datasource by @keshav-space in #883
• Register available datasources by @keshav-space in #901
• Add Vulntotal by @pombredanne in #1009
• Migrate postgresql.py by @johnmhoran in #985
• Fix the API key request form UI and make it consistent with rest of UI by @TG1999 in #1004
• Explicitly state app name in TestMigration by @JonoYang in #1012
• Make bulk search fast by @TG1999 in #1017

New Contributors

• @JonoYang made their first contribution in #1012

Full Changelog: v30.3.1...v31.0.0

v30.3.1

This is a minor bug fix release.

• We enabled proper CSRF configuration for deployments
• We improved the content of API key request emails

What's Changed

• Fix csrf by @pombredanne in #998

Full Changelog: v30.3.0...v30.3.1

v30.3.0

This is a feature update release including minor bug fixes and the introduction of API keys and API throttling.

What's Changed

• Enable throttling by @TG1999 in #988
• Override throttle rate for each endpoint by @TG1999 in #993
• Add API authentication, key request and documentation by @pombredanne in #987
• Improve NVD handling and more by @pombredanne in #997

Full Changelog: v30.2.1...v30.3.0

v30.2.0

This is a critical bug fix release including features updates.

• We fixed critical performance issues that made the web UI unusable. This include
  removing some less interesting redundant details displayed in the web UI for
  vulnerabilities.
• We made minor documentation updates.
• We re-enabled support for Arch linux, Debian, and Ubuntu security advisories importers
• We added a new improver for Oval data sources
• We improved Alpine linux and Gitlab security advisories importers

The summary of performance improvements include these fixes:

• Cascade queries from exact to approximate searches to avoid full table scans
  in all cases. This is a band-aid for now. The proper solution will likely
  require using full text search instead.
• Avoid iceberg queries with "prefetch related" to limit the number of queries
  that are needed in the UI
• Do not recreate querysets from scratch but instead allow these to be chained
  for simpler and correct code.
• Remove extra details from the vulnerability pacge: each package was further
  listing its related vulnerabilities creating an iceberg query.
• Enable the django-debug-toolbar with a setting to easily profile queries on demand
  by setting both VULNERABLECODE_DEBUG and VULNERABLECODE_DEBUG_TOOLBAR enviroment
  variables.

What's Changed

• Refactor Gitimporter using fetchcode by @ziadhany in #817
• test redhat importer performance by profiling by @ziadhany in #843
• Migrate archlinux importer by @johnmhoran in #935
• Fix gitlab importer by @TG1999 in #959
• Migrate debian-oval and ubuntu importer by @TG1999 in #740
• Make search for vulnerabilities faster by @pombredanne in #955
• Update RTD overview by @johnmhoran in #964
• Prepare release 30.2.0 by @pombredanne in #968

Full Changelog: v30.1.1...v30.2.0