Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[4.6.0] - 2024-12-02

Added

Update field updated_dt on queryset update (OSIDB-3573)
Introduce purl to Affect (OSIDB-3409)
Implement field embargoed for advanced search (OSIDB-3549)
Implement no-week-ending SLA policy support (OSIDB-3500)
Implement complex logic in workflow state requirements (OSIDB-3524)
Validate and set ps_component from purl (OSIDB-3410)
Set Jira Severity and maintain the transition from CVE Severity (OSIDB-3697)

Changed

Add history to several other models: AffectCVSS, FlawAcknowledgment, FlawComment, FlawCVSS, FlawReference, Snippet and Tracker. (OSIDB-3466)
Moved metadata creation during tests to root level conftest and automatically set envs during VCR recording (OSIDB-3492)
Exclude component and version from Jira tracker updates (OSIDB-3677)
Allow moving a flaw to state DONE if it has no trackers but impact is moderate or low (OSIDB-3524)
Set hard limit of paginated results (OSIDB-643)
Add all references as links when creating Jira trackers (OSIDB-3733)
Set security level together with embargo status (OSIDB-3598)

Removed

Remove UBI handler special treatment (OSIDB-3728)

[4.5.6] - 2024-11-08

Fixed

Properly save updated flaw in NVD collector (OSIDB-3661)

[4.5.5] - 2024-11-07

Changed

Publish internal flaws only when the triage is completed (OSIDB-3669)
Adjust the NIST flag instead of removing on NIST score deletion and relieve the NIST flag validation to account for it (OSIDB-3672)
Adjust flaw impact if NIST CVSS is changed (OSIDB-3661)

[4.5.4] - 2024-11-06

Changed

Moved envs monkeypatches to root conftest for reusability (OSIDB-3491)

Fixed

Fix conversion of CVSS severity to impact (OSIDB-3661)
Ignore invalid CVSS from OSV collector (OSIDB-3663)

[4.5.3] - 2024-11-05

Added

Implement resolution steps for duplicate tracker validation (OSIDB-3588)

Changed

Add upstream references to Jira trackers on creation (OSIDB-3148)
Change ACL mixin serializer to support internal ACLs (OSIDB-3578)
Make product definitions collector atomic (OSIDB-3590)
Validate that the CVSSv3 score is zero for flaws with impact "None" (OSIDB-3581)

[4.5.2] - 2024-10-24

Changed

Reduced count of requests to Jira for task management

[4.5.1] - 2024-10-23

Added

Implement validation of PS module and PS update stream correspondance (OSIDB-3584)

Changed

Avoid tracker creation conflicts by async tracker sync (OSIDB-3593)
Skip flaws with CVE ID in OSV collector (OSIDB-3351)

Fixed

Fix Bugzilla flaw summary exceeding (OSIDB-3551)

[4.5.0] - 2024-10-22

Added

Add new flaw reference type "UPSTREAM"

Changed

Check title for keywords in CVEorg collector (OSIDB-3545)
Update delegated resolution mapping so low impact won't fix changes to fix deferred (OSIDB-3575)

Fixed

ValidationError constraint “unique_external_system_id” during tracker filing (OSIDB-3589)

[4.4.1] - 2024-10-17

Added

Auto-reset CVSS validation flag on NVD CVSS removal (OSIDB-3407)

Changed

Restrict tracker file offer by ProdSec support instead of general one (OSIDB-3559)

Fixed

Do not add private tracker CC to flaws (OSIDB-3558)

[4.4.0] - 2024-10-11

Added

Introduce moderate tracker streams pre-selection (OSIDB-3346)
Introduce minor and 0-day incident types (OSIDB-3390)
Collect CVSSv4 in OSV collector (OSIDB-3487)
Set Impact for collector flaws based on CVSS severity (OSIDB-3487)

Changed

Disable flaw drafts creation for NVD collector (OSIDB-3256)
Select most relevant CVE, CVSS, CWE, Source for Vulnerability trackers (OSIDB-3348)
Tracker validations show affect's module/component (OSIDB-3439)

Fixed

Rework and complete the tracker stream pre-selection module to fix it
Exclude unsupported PS modules from tracker file offer (OSIDB-3498)
Update flaw timestamp after updating NIST CVSS
Deprecate field "order" in the "comments" endpoint (OSIDB-3547)

[4.3.4] - 2024-10-03

Added

Create custom DjangoQL lookup field for Flaw.components (OSIDB-3479)
Collect NIST CVSSv4 in NVD collector (OSIDB-2300)

Changed

Record last impact increase in trackers (OSIDB-3448)

Fixed

Remove duplicate results from advanced search (OSIDB-3482)
Collect Jira field metadata for only one issuetype for each project (OSIDB-3485)
parent_uuid field in Alert had wrong type in OpenAPI schema (OSIDB-3451)
Fix Jira Tracker collector to account for Vulnerability issue type (OSIDB-3489)
IntegrityError duplicate key during tracker filing (OSIDB-3433)

[4.3.3] - 2024-09-30

Added

Update Vulnerability trackers on components change (OSIDB-3323)
Enable CVEorg collector in production

Changed

Alert users when Bugzilla sync failed (OSIDB-3252)

Fixed

Remove infinite recursion when SYNC_FLAWS_TO_BZ is disabled (OSIDB-3430)

[4.3.2] - 2024-09-19

Changed

Update the release documentation (OSIDB-3384)

[4.3.1] - 2024-09-11

Added

Create new API endpoints for DjangoQL (OSIDB-3338)
Implement Jira collector sync managers (OSIDB-3177)

Fixed

Unable to unembargo flaws with trackers (OSIDB-3398)

Removed

Remove obsoleted contract priority support (OSIDB-3399)
Remove obsoleted comliance priority support (OSIDB-3335)

[4.3.0] - 2024-09-04

Added

Add CVEorg collector (OSIDB-2234)
Allow trackers to have manually set SLAs (OSIDB-3374)

Changed

Handle frequent Taskman, Trackers and Collectors exceptions instead of internal server error 500 (OSIDB-3280)
Sync trackers on impact decrease (OSIDB-3350)

Fixed

Tracker validations skipping (OSIDB-3336)

[4.2.0] - 2024-08-30

Added

Implement DjangoQL for Flaw filtering (OSIDB-3337)
Support Vulnerability issuetype for Trackers (OSIDB-2980)
Set requires_cve_description to REQUESTED when unset and the flaw has cve_description (OSIDB-3349)

Changed

Extend CVSS vector length (OSIDB-3362)

Fixed

Taskman throwing away logs upon JSON decode error (OSIDB-3296)
Wrong due date when filing new Jira tracker (OSIDB-3376)
Fix date format error (OSIDB-3364)

[4.1.7] - 2024-08-22

Added

Command for manual syncing Jira metadata (OSIDB-3219)

Changed

Saving models only triggers validations once (OSIDB-3108)
Update ACLs of linked objects to match collector flaw (OSIDB-3253)
Allow start dates to come from multiple sources in SLA (OSIDB-3221)
Update public date for collector flaws (OSIDB-3212)
Tracker collector ignores up-to-date entries (OSIDB-3244)
Adjust BBSync to work in one-way mode (OSIDB-3251)
Show only official collectors at the collector status endpoint
Use OSIDB Bugzilla service account API key for majority of bzsync instead of user ones (OSIDB-3261)
Adjust synchronous bzsync to only work one-way
Move DEFER from historical to current possible affect resolution (OSIDB-3281)

Fixed

Cannot modify CVE of existing flaws (OSIDB-3102)
Jira metadata collector is not deleting metadata on failure (OSIDB-3219)
Avoid deadlocks by not triggering nested validations in m2m relationships (OSIDB-3244)
Manually run validation avoiding duplicated trackers (OSIDB-3234)
Add delay between Jira metadata fetch calls to prevent rate limiting (OSIDB-3298)

Removed

Stop syncing Bugzilla SRT notes to Bugzilla flaw bugs

[4.1.6] - 2024-08-02

Fixed

Cannot fill trackers concurrently (OSIDB-3230)

[4.1.5] - 2024-08-01

Removed

Remove message throttling in the API

[4.1.4] - 2024-07-31

Added

Implement message throttling in the API (OSIDB-894)
Added contract priority description in trackers (OSIDB-3165)

Changed

special_handling_flaw_missing_cve_description Alert to special_consideration_flaw_missing_cve_description (OSIDB-2955)
special_handling_flaw_missing_statement Alert to special_consideration_flaw_missing_statement (OSIDB-2955)
Allow setting empty impact value on flaw (OSIDB-3128)
Temporarily move has trackers workflow requirement (OSIDB-3098)
Handle Bugzilla errors in API request as 422 instead of 500 internal server error (OSIDB-3126)
Handle DB deadlock errors triggered by concurrent API requests as 409 instead of 500 internal server error (OSIDB-3048)
Propagate Jira errors to the user (OSIDB-3184)

Fixed

Fix duplicate comment issue leading in internal server error (OSIDB-3086)
Handle flaw comments with&without bzimport or bifurcated history (OSIDB-3030)
Alerts constrained unique so that bzimport doesn't block user requests (OSIDB-3048)
Duplicate Alerts created concurrently in multiple threads handled correctly (OSIDB-3048)
Make task collector ignore outdated issues (OSIDB-3085)
Allow Flaw API to properly unassign owner in Jira (OSIDB-3145)
Remove sync from Bugzilla from the async sync to Bugzilla (OSIDB-3199)
Do not save to backend systems in JiraTaskSaver (OSIDB-3087)

[4.1.3] - 2024-07-25

Changed

UnackedHandler only recommends active unacked streams (OSIDB-3160)

[4.1.2] - 2024-07-03

Added

Extend flaw-task linking to primarily use the CVE ID

Fixed

Fix Jira task collector (OSIDB-3064)
Fix OSIDB-Bugzilla mid-air collision issues (OSIDB-3083)
Null version of PsUpdateStream is not sent to Jira when creating a tracker (OSIDB-3078)

[4.1.1] - 2024-06-28

Added

Prefetch Alerts related models for each API endpoint (OSIDB-3053)

Fixed

Keep vulnerability-draft BZ component when rejecting flaw draft (OSIDB-3023)
Fix external sync order in serializers (OSIDB-3029)
Make Taskman service validate Jira token (OSIDB-2203)

[4.1.0] - 2024-06-25

Added

Implement a way to switch off each collector (OSIDB-2884)
Generate Jira tracker "components" field (OSIDB-2988)
Rudimentary API request logging (OSIDB-2514)
Add query param to force creation of Jira task for old flaws on update (OSIDB-2882)
Add collector for Jira tasks manually edited (OSIDB-1930)

Changed

Update the SLA policy

Fixed

Workflow state of flaws without task automatically changes to 'NEW' (OSIDB-2989)
Fixed Flaw CC list builder to generate CCs in Bugzilla format for both Bugzilla and Jira tracked PS modules (OSIDB-2985)
Flaw comments create action respects is_private (OSIDB-3003)

[4.0.0] - 2024-06-17

Added

Add new OSV option into FlawSource
Allow searching by CVE similarity (OSIDB-2482)
Add CC lists to Jira trackers and to Bugzilla trackers (OSIDB-2191)
Enable flaw draft creation in BZ (OSIDB-2261)
Add support for UAT (OSIDB-2447)
Added API for Alerts (OSIDB-325)
Add bulk PUT for Affects (OSIDB-2407)
Add Bugzilla token to promote API (OSIDB-2262)
Enable creation of Jira tasks for collector flaws (OSIDB-2649)
Add temporary JIRA stage http forwarder passing in params and headers (OSIDB-2734)
Add link between trackers to flaws without CVE (OSIDB-2848)
Support Bugzilla tracker creation/linking for non-Bugzilla flaws (OSIDB-2845)
Add bulk-enabling parameter "sync_to_bz" to POST for Trackers (OSIDB-2609)
Add bulk POST, DELETE for Affects (OSIDB-2722)
Add audit history to Flaws and Affects (OSIDB-2269)
Implement search on emptiness for several fields (OSIDB-2815)
Add major_incident_start_dt field (OSIDB-2728)
Add empty value to workflow_state (OSIDB-2881)

Changed

Make workflows API RESTful (OSIDB-1716)
Collect errata not linked to any flaws (OSIDB-1527)
Minor change to enable perf tests to run in CI (OSIDB-2447)
Allow editing flaws without affects in NEW state (OSIDB-2452)
Fixed read replica to perform HTTP requests as atomic transactions (OSIDB-2585)
Fixed Bugzilla sync not working when Jira task sync is enabled (OSIDB-2628)
Ignore SLA if update stream specifies it's not applicable (OSIDB-2612)
Allow filtering by empty or null CVE IDs (OSIDB-2625)
Redesign of flaw comments to make them independent of Bugzilla (OSIDB-2760)
Allow filling trackers for flaws without bz_id (OSIDB-2819)
Split BBSync enablement switch into flaw and tracker ones (OSIDB-2820)
Set "Target Release" field in Jira trackers (OSIDB-2727)
Tracker resolution is now readonly (OSIDB-2746)
Enable tracker suggestions for affects with new affectedness (OSIDB-2843)
Correct endpoint for tracker filing schema (OSIDB-2847)
Renamed Flaw "description" to "comment_zero" and "summary" to "cve_description" (OSIDB-2740)
Update the workflow check of filed trackers (OSIDB-2799)
Improve affect validation error messages (OSIDB-2893)

Fixed

Fix incorrect ACLs for flaw drafts (OSIDB-2263)
Fix workflow rejection endpoint (OSIDB-2456)
Fix FlawReference article count validation (OSIDB-2651)
Fix not being able to set CVE ID to an empty string through the API (OSIDB-2702)
Comments not properly updating when syncing from Bugzilla (OSIDB-1385)
Account for empty string in target release of PS update stream (OSIDB-2909)
CVSS "comment" field accepts null (OSIDB-2907)

Removed

Remove "type" field from Affect (OSIDB-2743)
Remove "type" field from Flaw (OSIDB-2735)
Remove "state" field from Flaw (OSIDB-2736)
Remove "resolution" field from Flaw (OSIDB-2737)
Remove several cvss fields from Flaw (OSIDB-2749)
Remove several cvss fields from Affect (OSIDB-2749)
Remove "type" field from FlawComment (OSIDB-2745)
Remove FlawMeta (OSIDB-2744)
Remove "is_major_incident" field from Flaw (OSIDB-2741)
Remove "meta_attr" field from FlawReference (OSIDB-2854)
Remove "meta_attr" field from FlawAcknowledgment (OSIDB-2854)
Remove "component" field from Flaw (OSIDB-2839)
Remove "meta_attr" field from FlawComment (OSIDB-2747)

[3.7.3] - 2024-05-28

Fixed

Fix erratum-tracker linking (OSIDB-2752)

[3.7.2] - 2024-05-17

Fixed

Fix JiraTrackerConvertor linking of multi-CVE flaws (OSIDB-2708)

[3.7.1] - 2024-05-16

Changed

Move flaw-affect-tracker linking to the tracker sync (OSIDB-1012, OSIDB-2587)

[3.7.0] - 2024-04-17

Added

Implement flaw unembargo mechanism (OSIDB-1177)
Make ps_product property available in affect API
Add Fedramp stream preselection handler (OSIDB-1876)
Introduce CVSS v4 (OSIDB-528)
Change tests to have default urls strings where it can't be blank (OSIDB-1679)
Add label compliance-priority to jira trackers based on ps-constants compliance_priority.yml (OSIDB-2062)
Expose alerts on API for every model alert supported model, mainly Flaw, Affect, Tracker (OSIDB-2065)
Add support for additional_fields in Jira BTS (OSIDB-696)
Add scripts/restore_pg.sh script for restoring sql dump

Changed

Ignore hosts on VCR recording (OSIDB-1678)
Included workflow fields in OpenAPI document for filtering (OSIDB-2083)
Set migrated/duplicated delegated resolution to be ignored (OSIDB-1406)
Update valid affectedness-resolution combinations (OSIDB-2143)
Change Flaw API filter to allow a list of workflow_state (OSIDB-2208)
SLA for compliance priority brought to parity with SFM2 (OSIDB-2257)
Migrate data with outdated workflow_state values to the current ones (OSIDB-1718)
Flaw CVSS score and Affect CVSS score are now readonly (OSIDB-2347)

Fixed

Fix Jira sync when bugzilla token is present (OSIDB-2171)
Fix Bugzilla summary for first flaw creation (OSIDB-2190)
Fix Jira tracker security level not being set based on embargo (OSIDB-2082)
Removed writing operations in workflows when READ_ONLY is enabled (OSIDB-2336)
Fix Flaw API allowing to sort by all fields (OSIDB-2367)
Fix FlawCVSS and AffectCVSS "cvss_version" on API to show version enum

[3.6.2] - 2024-02-02

Fixed

Fix issue with tracker updates through Affect objects (OSIDB-2059)
Ensure invalid fields passed to include_fields filter are ignored (OSIDB-2048)

[3.6.1] - 2024-02-01

Fixed

Fix issue with Flaw updates through collector (OSIDB-2050)

[3.6.0] - 2024-01-31

Added

Implement writable tracker API (OSIDB-1180)
Command for manual sync of Flaws now also accepts CVEs (OSIDB-1544)
Add new SOURCE option into FlawReferenceType (OSIDB-1556)
Add new NVD option into FlawSource
Implement SLA definition parsing and timestamp computation (OSIDB-1428)
Implement tracker SLA start date setting (OSIDB-1393)
Implement tracker SLA end date setting (OSIDB-96)
Properly link Jira trackers to flaws on creation and update (OSIDB-1426)
Add OSV collector (OSIDB-677)
Added GIN indexes for Row Based Security performance on models
Added MAX_CONNS to django db conf to enable better concurrency
Workflow fields added into Flaw endpoints (OSIDB-1819)
Implement after-flaw-update tracker update mechanism (OSIDB-97)
Add label verification-requested to jira trackers with NEW affects (OSIDB-1185)
Implement after-affect-update tracker update mechanism (OSIDB-97)
Keep jira tracker labels added by people or other tools (OSIDB-1440)
Add label contract-priority to jira trackers based on ps-constants contract_priority.yml (OSIDB-1709)

Fixed

Fix incorrect type bool of is_up2date field in /collectors/api/v1/status endpoint
fix schema to reflect Erratum shipped_dt to be nullable
Ensured serializer db calls are read_only
Expose git commit id via OPENSHIFT_BUILD_COMMIT env var
Fix Jira metadata collector to get all pages from a query (OSIDB-1124)

Changed

Renamed OSIM module to Workflows (OSIDB-1395)
Change settings to allow regex in CORS policy in stage environment (OSIDB-1737)
Enhanced prefetches on Flaw, Affect, and Tracker api querysets
Change default pg configs
Adjust CONN_MAX_AGE and CONN_MAX_CONNS to maintain a minimal pool of idle db conns (OSIDB-1620)
Tracker status field is read-only (OSIDB-1780)
Change Bugzilla collector and Flaw model to allow multiple components in bz_summary (OSIDB-1420)

Removed

Remove daily monitoring email for failed tasks / collectors (OSIDB-1215)
Remove not used taskman APIs and services that has been intregated in OSIM (OSIDB-1321)

[3.5.2] - 2023-12-06

Added

Limit Celery worker to maximum amount of tasks (OSIDB-1540)
Add Celery worker concurrency
Maximum Bugzilla and Jira connection age (OSIDB-1592, OSIDB-1593)

Fixed

Made Querier objects independent on Collector objects (OSIDB-1592, OSIDB-1593)

[3.5.1] - 2023-10-23

Fixed

fix PS contact model (OSIDB-1445)
Improve EPSS collector memory consumption

[3.5.0] - 2023-10-09

Added

Implement collector for ps-constants project (OSIDB-1199)
Validate summary and requires_summary (OSIDB-1164)
Validate impact and summary (OSIDB-1164)
Implement tracker description generation (OSIDB-1173)
Implement endpoint for suggesting trackers to file (OSIDB-90)
Add shipped date to erratum model (OSIDB-1197)
Flaw creation and update triggers a Jira task sync (OSIDB-861)
Config gunicorn access log file depending on environment (OSIDB-879)
Link tracker to flaw(s) on create/update (OSIDB-1182)
Implement FlawCVSS and AffectCVSS APIs with filters (OSIDB-1105)
Implement package_versions API (OSIDB-1066)
is_up2date to collector status API (OSIDB-1328)
Implement flaw filtering based on erratum id in API (OSIDB-1330)
Implement filters for flaw references in API (OSIDB-1368)
Reactivate OSIM module unit tests (OSIDB-1320)

Changed

Deprecate various cvss fields in Flaw and Affect APIs (OSIDB-1105)
Update CORS policy to allow bugzilla-api-key request header (OSIDB-1425)
Change workflows to reflect current IR workflow (OSIDB-1319)

Fixed

Fix schema wrongly showing status code for DELETE methods being 204 whereas the actual returned status code is 200

Removed

Remove the Django admin interface (OSIDB-1188)

[3.4.2] - 2023-08-31

Changed

Reduce the total amount of records per page when querying Bugzilla (OSIDB-1232)
Set AFFECTED as highest precedence resolution when calculating Affect.delegated_resolution (OSIDB-1230)

[3.4.1] - 2023-08-21

Changed

Fix FlawCollector to account for an empty acknowledgment affiliation (OSIDB-1195)

[3.4.0] - 2023-08-14

Added

Implement major_incident_state in Flaw API (OSIDB-266)
Implement a new FlawAcknowledgment API (OSIDB-1002)
Implement requires_summary in Flaw API (OSIDB-1005)
Implement ps_update_stream in Tracker API (OSIDB-1064)
Implement daily monitoring email for failed tasks / collectors
Implement nist_cvss_validation in Flaw API (OSIDB-1006)
Implement additional tracker validations (OSIDB-787)
Validate NIST RH CVSS feedback loop (OSIDB-334)
Validate nist_cvss_validation and cvss_scores (OSIDB-1165)
Implement tracker summary generation (OSIDB-1172)

Changed

Change article link validation to be blocking (OSIDB-1060)
Deprecate the "is_major_incident" field in Flaw (OSIDB-1103)
Change CORS policy to allow credentials (OSIDB-1115)
Validate MI and CISA MI separately (OSIDB-1104)
Fix auto-timestamp issues (OSIDB-1171)

[3.3.0] - 2023-06-28

Added

Implement a new FlawReference API (OSIDB-71)
Implement adding new flaw comments (OSIDB-81)
Erratum advisory name to flaw filter (OSIDB-922)
CORS allow-list functionality (OSIDB-967, OSIDB-965)
Raw bugzilla summary to Flaw.meta_attr (OSIDB-1016)

Changed

Set Jira trackers as public instead of embargoed when private (OSIDB-1013)

[3.2.2] - 2023-06-19

Changed

Account for TRIAGE in the title/summary (OSIDB-999)

[3.2.1] - 2023-06-12

Changed

Fix creation of references on flaw ingestion from Bugzilla

[3.2.0] - 2023-06-05

Added

Introduce flaw ownership through task management system (OSIDB-69)
Implement task rejection in Taskman (OSIDB-74)
Implement article validation for Major Incident flaw (OSIDB-655)
Implement mitigation validation for Major Incident flaw (OSIDB-656)
Implement statement validation for Major Incident flaw (OSIDB-657)
Introduce new module for creating trackers in Jira (OSIDB-93)
Introduce aditional metadata in tasks generated from Taskman (OSIDB-861)

Changed

Integrate Jira tracker collector with collector framework (OSIDB-576)
Make CVSSv3 score mandatory no more (OSIDB-901)
Make Bugzilla collector aware of migration of old style acks to SRT notes (OSIDB-904)
Fix BBSync flaw summary composition (OSIDB-902, OSIDB-909)
Fix Bugzilla import not reflecting some attribute removals (OSIDB-910)
Make flaw Bugzilla children entities respect flaw visibility (OSIDB-914)

[3.1.4] - 2023-05-22

Changed

Git revision information on each request is fault-tolerant

[3.1.3] - 2023-05-08

Added

Retry mechanism for bzimport collector

[3.1.2] - 2023-04-27

Changed

General performance improvements

[3.1.1] - 2023-04-17

Changed

Fix Jira tracker collection bug (OSIDB-848)

[3.1.0] - 2023-04-12

Added

Introduce mitigation field into Flaw and update SRT notes generator (OSIDB-584)
Introduce flaw component attribute
Implement validation for allowed flaw sources (OSIDB-73)
Implement task management module (Taskman) to keep and update task workflow in Jira (OSIDB-228, OSIDB-684, OSIDB-685, OSIDB-754)
Expose task management module (Taskman) REST API (OSIDB-811)
More granular filtering for Flaw, Affect and Tracker API endpoints (OSIDB-667)
Ordering (ascending/descending) for Flaw, Affect and Tracker API endpoints (OSIDB-668)
Implement proper NVD CVSS score collector (OSIDB-632)

Changed

Rework the mapping from Bugzilla sumary to OSIDB title and vice versa (OSIDB-694)
Allow updates of flaws with multiple CVE IDs in Bugzilla (OSIDB-382)
Deprecate "state" and "resolution" in Flaw (OSIDB-73)
Increase the maximum length of "cwe_id" field in Flaw to 255 (OSIDB-73)
Make API requests transactional (OSIDB-232)
Rename REQUIRES_DOC_TEXT to REQUIRES_SUMMARY in FlawMeta (OSIDB-73)
Minimize mid-air collisions (OSIDB-765)
API delete methods now returns HTTP 200 status instead of 204 upon succesful delete

Removed

Remove "state" and "resolution" from FlawHistory (OSIDB-73)

[3.0.0] - 2023-03-21

Added

Implement Bugzilla SRT notes builder in Bugzilla Backwards Sync (OSIDB-384)
Implement validation for flaw without affect (OSIDB-353)
Implement validation for changes in flaws with high criticicity with open tracker (OSIDB-347)
Implement validation for components affected by flaws closed as NOTABUG (OSIDB-363)
Implement validation for invalid components in software collection (OSIDB-356)
Implement Bugzilla metadata collector
Implement validation for services related products with WONTREPORT resolution (OSIDB-362)
Implement validation for combinations of affectedness and resolution (OSIDB-360)
Implement a new API for getting a list of all supported products (PSINSIGHTS-593)
Implement CC list builder in Bugzilla backwards sync (OSIDB-386)
Implement validation for affects with exceptional combination of affectedness and resolution (OSIDB-361)
Implement validation for affects marked as WONTFIX or NOTAFFECTED with open trackers (OSIDB-364)
Implement validation for affected special handled modules without summary or statement (OSIDB-328)
Implement validation for flaws with private source without ACK (OSIDB-339)
Implement validation for unknown component (OSIDB-355)
Implement temporary NVD collector (OSIDB-632)
Implement Exploits report data API endpoint (PSINSIGHTS-764)
Implement ACL validations (OSIDB-691)
Implement non-empty impact validation (OSIDB-758)
Integrate Bugzilla backwards sync into the flaw and affect save (OSIDB-240)
Introduce Bugzilla API key as a serializer attribute (OSIDB-368)
Implement non-empty source validation (OSIDB-759)
Local development instance is now able to switch between stage and production easily via env variables

Changed

Change logging of celery and django to filesystem (OSIDB-418)
Implement validation for CWE ID chain in a Flaw (OSIDB-357)
Implement validation for embargoed flaws not be able to have public trackers (OSIDB-350)
Fix Jira tracker created and updated timestamps (OSIDB-14)
Fix errata created and updated timestamps (OSIDB-453)
Restrict write operations on placeholder flaws (OSIDB-388)
Avoid recreating flaws on CVE ID changes whenever possible (OSIDB-392)
Remove unsused data prestage_eligible_date from schemas (OSIDB-695)
Revise the allowed API view HTTP methods on models restricting flaw deletion and all tracker write methods (OSIDB-748)
Bugzilla API key is send via Bugzilla-Api-Key HTTP header

Removed

Remove deprecated mitigated_by field (OSIDB-753)

[2.3.4] - 2022-12-15

Changed

Make sure the unacked PS update stream is always linked to PS module (OSIDB-637)

[2.3.3] - 2022-12-13

Changed

Link unacked PS update stream to PS module on product definitions sync (OSIDB-629)
Increase PS component name length from 100 to 255 characters (OSIDB-635)

[2.3.2] - 2022-11-28

Changed

Catch tracker sync exceptions individually (OSIDB-580)

Added

Implement complete Bugzilla groups handling in Bugzilla Backwards Sync (OSIDB-387)
Support (CISA) Major Incident label in tracker description (OSIDB-579)

[2.3.1] - 2022-10-25

Changed

Fix Errata collector saving to handle advisory name change (OSIDB-565)

[2.3.O] - 2022-10-24

Changed

Fix Errata collector design to periodically refresh data (OSIDB-433)
Flaw mitigated_by field is now deprecated and will be completely removed in the next major release (OSIDB-126)
Fix component matching from tracker description (OSIDB-464)
Store FlawMeta alerts on FlawMeta instead of on Flaw
Prevent pgtrigger recreating triggers (OSIDB-429)

Added

Helper for manual flaw synchronization (OSIDB-389)
Usage of django-deprecate-fields package for model field deprecation (OSIDB-126)

[2.2.2] - 2022-09-20

Changed

Fix an issue with FlawSource validation for sources that can be both public and private (OSIDB-450)

[2.2.1] - 2022-09-07

Changed

Fix an issue with CVSSv3 validation that was preventing some flaws from being synchronized in OSIDB (OSIDB-426, OSIDB-427)

[2.2.0] - 2022-09-05

Changed

Authentication is no longer compulsory for read-only requests against the main OSIDB endpoints such as /flaws, /affects and /trackers (OSIDB-313)
Fix an issue in which the Jiraffe collector was calling Tracker.affect instead of Tracker.affects (ManyToMany field) which resulted in some failed JIRA tracker synchronizations.
Treat collector failures due to already running collectors or due to waiting for dependencies as celery Retry exceptions.
OSIDB now uses publicly available images from docker.io (OSIDB-170)
fix bug that Major Incident can be unset by unrelated BZ flag (OSIDB-416)
CISA collector to run hourly rather than daily (PSINSIGHTS-635)

Added

support for CVE-less flaws (OSIDB-25)
unified logging across the whole OSIDB
validate hightouch and hightouch-lite flag value combinations (OSIDB-329)
validate differences between Red Hat and NVD CVSS score and severity (OSIDB-333)
validate that embargoed flaws do not have public sources (OSIDB-337)
validate that flaws from public sources don't contain ack FlawMetas (OSIDB-338)
AlertMixin for the creation of easily-serializable alerts on a per-record basis for any model that inherits from said mixin (OSIDB-324)
validate that an Affect's ps_module exists in product definitions (OSIDB-342)
EPSS data API for Red Hat vulnerabilities (PSINSIGHTS-636)

[2.1.0] - 2022-08-02

Changed

disable krb5 log redirection in stage and production playbooks.
disable opportunistic_auth when contacting Errata Tool and removed the authentication call from the constants file which meant that ET authentication would happen every time the code was loaded, generating a lot of auth calls and logs.
change the way that data is synchronized to be more fault-tolerant, things like tracker fetching will no longer make the entire flaw sync fail.
fix a bug where only certain metadata were being correctly synchronized between BZ and OSIDB which resulted in things like typos in acknowledgments persisting in OSIDB despite being removed from BZ.
fix a bug in which the scheme in next/previous links in paginated responses was http:// and not https://.
fix a bug with the way that the collector framework parsed crontab strings.
fix various bugs with the collector framework instantiation process.
fix a bug with the way that collector dependencies were being handled.
fix a bug in which FlawMeta were not being updated correctly due to an ACL issue.
update product exclusion lists.
fix a bug in which the exploit collectors were not working properly due to an ACL issue.
fix an issue with duplicate affects generating database errors.

Added

add various Dockerfile optimizations.
add API for exploit report processing.
add a mechanism to reflect CVE changes and/or removals.

Removed

remove audit mechanisms and tables from main models.
remove obsoleted bzload.py script.
remove outdated service schema.
remove obsoleted funcspec.
remove prodsec lib dependency.

[2.0.3] - 2022-06-16

Changed

fix an issue with existing FlawMeta objects not being updated if the parent Flaw was itself updated, meaning that FlawMeta could be kept as embargoed if the Flaw was unembargoed.

[2.0.2] - 2022-06-14

Changed

fix a change that broke backwards compatibility with IRD, this fix reverts the changes to the empty value of enumerations from "" back to "NONE", only IRD clients should be affected.

[2.0.1] - 2022-06-03

Changed

fix an issue with objects not being saved to the database due to a bad interaction between FlawSaver and TrackerBugConvertor (OSIDB-142)

[2.0.0] - 2022-06-01

Added

add tracker timestamps (OSIDB-62)
provide erratum ID on API together with advisory ID (OSIDB-128)
create flaw draft (OSIDB-68)
API for Insights Vulnerability application (PSINSIGHTS-608)

Changed

start using the "Keep a Changelog" format for the CHANGELOG.md
reviewed and unified the database fields accross all the models (OSIDB-16)
fix and unify creation and modification timestamps handling (OSIDB-62, OSIDB-82)
major Bugzilla collection reliability rework (OSIDB-17, OSIDB-130)
ignore and remove testing Bugzilla bugs (OSIDB-111)
reflect related entity removal on flaw sync (OSIDB-78)
improve flaw source handling (OSIDB-61)

Removed

remove Flawzilla testing app (OSIDB-18)
remove old collector APIs (OSIDB-20)

[1.2.1] - 2022-05-23

Changed

ensure API ordering is reproducible - fixes pagination issue (OSIDB-133)

[1.2.0] - 2022-05-02

Added

add /osidb/whoami endpoint to expose currently logged in user information
add /affects, /trackers endpoints and allow CRUD operations
add collector for Errata Tool IDs and expose "errata that fix this tracker"
track OSIDB users' bugzilla and jira usernames

Changed

unify metadata across all api responses
fix Bugzilla flag syncing causing Major Incident update issues (PSDEVOPS-3406)
fix collector ACLs causing unembargo staleness (PSDEVOPS-3449)
fix flaw source typos causing minor sync issues (PSDEVOPS-3373)

Removed

remove status metadata from responses

[1.1.2] - 2022-04-06

Added

add CPaaS pipeline credential mapping (PSDEVOPS-2569)

Changed

update version to 1.1.2
apply correct update/create dates to flaws, affects, and trackers (PSDEVOPS-3365)
move DEVELOP.md and TUTORIAL.md to docs directory

[1.1.1] - 2022-03-29

Changed

update version to 1.1.1
do not pass uuid as groups to set_user_acls

[1.1.0] - 2022-03-28

Added

add update schema step to OSIDB release docs
add schema extension for custom auth class
add exploit collectors (PSINSIGHTS-538, PSINSIGHTS-541)
implement more granular LDAP control groups (PSDEVOPS-2664)
implement Product Definitions collector
add tracker QE owner attribute (PSDEVOPS-3219)
implement read-only mode and enable for prod (PSDEVOPS-3203)

Changed

raise OSIDB version to 1.1.0
update documentation regarding LDAP groups
increase osidb-service route timeout from 30s to 300s
update django version to fix known vulnerabilities
validate peer cert chain and hostname for LDAP connections
allow bzimport to import testing embargoed data to stage
provide redis credentials and certificates for osidb-service

[1.0.0] - 2022-02-23

Added

implement kerberos authentication via SPNEGO protocol
document OSIDB versioning
add sections about more advanced Flaw queries in tutorial
implement collector framework API
implement example collector
implement collector framework

Changed

update version to 1.0.0
enable krb5_auth in stage
fix CVSS string storing
migrate from DRF tokens to JWT for auth (PSDEVOPS-3140)
load Bugzilla dates as timezone aware
use osidb-service image for flower instead of dockerhub image
secure redis instance by enabling TLS (PSDEVOPS-3128)
secure redis instance with basic authentication (PSDEVOPS-3128)
enable TLS endpoint verification in ansible playbooks (PSDEVOPS-3110)
improve flaws endpoint performance for cve_id and change_after params (PSDEVOPS-3209)
refactor URLs and the landing page
fix changed_after and changed_before filters
fix or refactor attribute validations
fix schema definition
accommodate flawdb->osidb rename in openshift
fix OSIDB name on the main page
modify tracker_ids query param to filter out non relevant affects
update query parameters description in API schema
update LDAP groups docs

Removed

turn off CWE validation as it is too simple
deprecate Basic and Session auth for API endpoints (PSDEVOPS-3126)

[0.0.2] - 2022-01-21

Changed

update version to 0.0.2
enable service accounts in prod

[0.0.1] - 2022-01-21

Added

this is the initial OSIDB version
see git repo for the older changes

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Changelog

[4.6.0] - 2024-12-02

Added

Changed

Removed

[4.5.6] - 2024-11-08

Fixed

[4.5.5] - 2024-11-07

Changed

[4.5.4] - 2024-11-06

Changed

Fixed

[4.5.3] - 2024-11-05

Added

Changed

[4.5.2] - 2024-10-24

Changed

[4.5.1] - 2024-10-23

Added

Changed

Fixed

[4.5.0] - 2024-10-22

Added

Changed

Fixed

[4.4.1] - 2024-10-17

Added

Changed

Fixed

[4.4.0] - 2024-10-11

Added

Changed

Fixed

[4.3.4] - 2024-10-03

Added

Changed

Fixed

[4.3.3] - 2024-09-30

Added

Changed

Fixed

[4.3.2] - 2024-09-19

Changed

[4.3.1] - 2024-09-11

Added

Fixed

Removed

[4.3.0] - 2024-09-04

Added

Changed

Fixed

[4.2.0] - 2024-08-30

Added

Changed

Fixed

[4.1.7] - 2024-08-22

Added

Changed

Fixed

Removed

[4.1.6] - 2024-08-02

Fixed

[4.1.5] - 2024-08-01

Removed

[4.1.4] - 2024-07-31

Added

Changed

Fixed

[4.1.3] - 2024-07-25

Changed

[4.1.2] - 2024-07-03

Added

Fixed

[4.1.1] - 2024-06-28