Vunnel Release Notes
Version v0.40.0
Added Features
- Add support for annotated openvex with observed fix dates [#885 @wagoodman]
Bug Fixes
- Remove old CSAF archives when downloading new ones [#883 @wagoodman]
Version v0.39.2
Bug Fixes
- Update RHEL parser to account for missing module in CSAF product tree [#882 @wagoodman]
Version v0.39.1
Bug Fixes
- Use context managers for provider and parser resource cleanup [#881 @wagoodman]
Version v0.39.0
Added Features
- add vex as valid vulnerability format [#847 @CrosleyZack]
- Track first observed fix dates on each run [#880 @wagoodman]
Bug Fixes
- Apply fix dates and overrides together [#879 @wagoodman]
Version v0.38.3
Bug Fixes
- Process all NVD records to ensure a fix date is associated [#878 @wagoodman]
Version v0.38.2
Bug Fixes
- Wire ecosystem normalization [#877 @wagoodman]
Additional Changes
- Add nocase statements to schema (remove from queries) [#876 @wagoodman]
Version v0.38.1
Bug Fixes
- Ensure fetching entries from the fixdates db is case insensitive [#873 @wagoodman]
Version v0.38.0
Added Features
- Include fix dates by default [#869 @wagoodman]
- Track published/modified date for debian data [#732 #840 @wagoodman]
Bug Fixes
- Incorrectly interpreting debian vulns marked end of life [#848 #850 @joshbressers]
Additional Changes
- Normalize names during fixdate lookup [#868 @wagoodman]
- Add fix date processing for rocky and bitnami [#858 @wagoodman]
Version v0.37.0
Added Features
- add mapping for upcoming 25.10 release (Questing Quokka) [#844 @westonsteimel]
- add future mappings for debian 14 and 15 [#843 @westonsteimel]
Additional Changes
- bump match labels [#838 @willmurphyscode]
Version v0.36.0
Added Features
- Add configuration to bypass RHEL hydra API failures [#819 @wagoodman]
Bug Fixes
- account for new rpmmod purl shape [#836 @westonsteimel]
Version v0.35.1
Bug Fixes
- Fix JSON output [#831 @wagoodman]
Version v0.35.0
Added Features
- add --json flag to status command for structured output [#825 @jamestexas]
- Add support for RedHat EUS data [#796 @willmurphyscode]
- [alpine,wolfi,chainguard]: prefer specific vulnerability reference urls [#828 @westonsteimel]
Version v0.34.2
Bug Fixes
- 0.32.0 broke Python 3.13 build [#809 #823 @chenrui333]
Version v0.34.1
Additional Changes
- Revert “chore: remove redundant release check (#820)” [#821 @willmurphyscode]
Version v0.32.0
Added Features
- Support the github actions ecosystem within the GitHub provider [#807 @wagoodman]
- enable skipping downloads in RHEL provider [#804 @willmurphyscode]
- add skip download CLI option [#802 @willmurphyscode]
- rocky linux OSV provider [#794 @willmurphyscode]
Bug Fixes
- Fix v6 archive extension [#779 @wagoodman]
Additional Changes
- switch to uv dependabot ecosystem [#801 @willmurphyscode]
Version v0.31.0
Added Features
- Add known exploited & EPSS data for CVEs [#632 #634 @nurmi #774 @wagoodman]
Version v0.30.0
Added Features
- Switch RedHat vulnerability provider from OVAL to CSAF [#323 #772 @willmurphyscode]
Additional Changes
- Add date information to OS schema [#760 @wagoodman]
- update upload-artifact to v4 [#745 @kzantow]
Version v0.29.0
Added Features
- Wire up retry count config to NVD provider [#738 @wagoodman]
- Add processor to workspace state [#730 @wagoodman]
Version v0.28.0
Added Features
- add Azure Linux 3 vulnerability feed [#569 @willmurphyscode]
Additional Changes
Version v0.27.0
Added Features
- Upstream SUSE OVAL archives and CVSS data is changing [#571 #625 @westonsteimel]
Bug Fixes
- Potential missing CVE/package associations in database for SLES [#655 #650 @BenoitGui]
Additional Changes
- pretty-print JSON in snapshots [#647 @willmurphyscode]
- CODE_OF_CONDUCT.md [#631 @popey]
Version v0.26.2
Bug Fixes
- hack: move debian priority ignore to account for legacy records [#624 @westonsteimel]
Version v0.26.1
Bug Fixes
- hack: prevent more debian package-specific priorities from overriding upstream severity [#622 @joshbressers]
Version v0.26.0
Added Features
- Add support for reading result DBs for Debian provider [#613 @wagoodman]
Version v0.25.0
Added Features
- treat needs-triage as vulnerable until determination made [#597 @westonsteimel]
- add ubuntu 24.10 codename to version mapping [#601 @westonsteimel]
Version v0.24.0
Added Features
- add version range to mariner provider [#585 @willmurphyscode]
Version v0.22.2
Bug Fixes
- Allow for missing ALAS files in Amazon provider [#564 @wagoodman]
Version v0.22.1
Bug Fixes
- Keep original import timestamp on results archive import [#560 @wagoodman]
Version v0.22.0
Added Features
- add mapping for ubuntu 24.04 [#536 @westonsteimel]
Version v0.21.2
Bug Fixes
- os.rename -> shutil.move [#534 @westonsteimel]
Version v0.21.1
Bug Fixes
- Input sqlite db should follow lowercase identifier convention [#526 @willmurphyscode]
Version v0.21.0
Added Features
- add ability to download cached workspace [#520 @willmurphyscode]
Version v0.20.0
Added Features
- Allows overriding CPE configurations on NVD records [#502 @westonsteimel]
Version v0.19.0
Added Features
Bug Fixes
- remove sha256 verification for oval parser [#505 @spiffcs]
- Bump orjson from 3.9.13 to 3.9.14 [#483 @dependabot]
Additional Changes
- Use https for submodule [#501 @wagoodman]
- commit lint fix of poetry.lock [#499 @willmurphyscode]
- drop python-future [#492 @westonsteimel]
Version v0.18.5
Bug Fixes
- improve the ubuntu provider to emit vuln rows for out of support entries [#477 @westonsteimel]
Version v0.18.4
Bug Fixes
- Check download digest of rhel oval files [#462 @wagoodman]
Additional Changes
- change dependabot to auto-approve only [#458 @willmurphyscode]
Version v0.18.3
Additional Changes
- disable auto merging of dependabot PRs [#456 @westonsteimel]
- Bump urllib3 from 2.0.5 to 2.0.7 (#454)
- Bump jinja2 from 3.1.2 to 3.1.3 (#455)
Version v0.18.2
Bug Fixes
- update vulnerability urls [#451 @westonsteimel]
Additional Changes
- hard-code severity for debian CVE-2023-44487 to inherit NVD severity [#448 @willmurphyscode]
Version v0.18.1
Bug Fixes
- Redhat package_name with / do not always reference modules [#443 #444 @westonsteimel]
Version v0.18.0
Added Features
- extract description from Oracle Security Advisories [#437 @westonsteimel]
Bug Fixes
- Alleviate RHEL provider CVE-list race condition [#438 @wagoodman]
Additional Changes
- Load all schema url refs for offline validation [#436 @wagoodman]
- Check PR author login, instead of actor [#434 @willmurphyscode]
- Update dependabot-auto-merge to cancel itself on human push [#432 @willmurphyscode]
Version v0.17.12
Bug Fixes
- update vulnerability reference links [#426 @westonsteimel]
- update vulnerability reference links [#425 @westonsteimel]
- improve parsing severity from priority [#419 @westonsteimel]
Version v0.17.11
Bug Fixes
- http.get does not support exponential backoff on retries [#415 #418 @willmurphyscode]
Version v0.17.10
Bug Fixes
- improve oval v2 parsing to prevent unnecessary exceptions [#410 @westonsteimel]
Version v0.17.9
Bug Fixes
- Disallow all bare try-except clauses [#310]
Additional Changes
- new http wrapper in rhel provider [#392 @willmurphyscode]
- improved handling CVSS V3 parsing [#404 @westonsteimel]
- replace usage of json with orjson [#407 @westonsteimel]
Version v0.17.8
Bug Fixes
- remove filtering on vuln ids for wolfi and chainguard [#399 @westonsteimel]
Version v0.17.7
Bug Fixes
- NVD api key should not be required [#397 @westonsteimel]
Version v0.17.6
Additional Changes
- bump dockerfile to python 3.11 [#391 @westonsteimel]
Version v0.17.5
Bug Fixes
- respect GitHub rate limiting [#377 @willmurphyscode]
Additional Changes
- introduce http get wrapper; use it in mariner provider [#376 @willmurphyscode]
- Move nightly quality gate to be roughly after the latest DB build [#381 @wagoodman]
- Only ask for release on quality gate step [#378 @wagoodman]
Version v0.17.4
Additional Changes
- remove remaining blanket noqas [#375 @willmurphyscode]
- remove file noqa from utils fdb [#373 @willmurphyscode]
- remove file scoped noqa for ubuntu parser [#372 @willmurphyscode]
- bump yardstick [#374 @willmurphyscode]
Version v0.17.3
Additional Changes
- Make troubleshooting quality gate failures easier [#360 #364 @wagoodman]
- remove file scoped noqa in RHEL parser [#369 @willmurphyscode]
- remove file noqa on SLES parser [#367 @willmurphyscode]
- remove file noqa for utils oval parser [#366 @willmurphyscode]
- remove file noqa ubuntu git provider [#365 @willmurphyscode]
- remove file noqa from rhel oval parser [#361 @willmurphyscode]
- ignore trailing slash in GH CVSS strings [#357 @willmurphyscode]
- remove file-scoped noqa from NVD [#355 @willmurphyscode]
- Remove file noqa on alpine parser [#353 @willmurphyscode]
- Remove bare “except:” clauses except those that re-raise [#351 @willmurphyscode]
- remove file noqa from utils OVAL V2 parser [#368 @willmurphyscode]
- Remove incorrect quality gate configuration [#354 @wagoodman]
Version v0.17.2
Bug Fixes
- align retry timeout for NVD requests with the rate limit rolling window [#321 @westonsteimel]
Additional Changes
- test chainguard provider via snapshots [#339 @willmurphyscode]
- fix “make build-grype” [#338 @willmurphyscode]
- test alpine provider via snapshots [#336 @willmurphyscode]
- Add snapshot tests to debian provider [#318 @willmurphyscode]
- Fix nightly quality gate notification [#324 @wagoodman]
- Update vunnel list output in README.md [#316 @andrew]
- improve unit tests in debian provider [#311 @willmurphyscode]
Version v0.17.1
Bug Fixes
- Revert #284 + fix namespace resolution for quality gate testing [#307 @wagoodman]
Additional Changes
- Bump chronicle to v0.8.0 [#312 @wagoodman]
Version v0.17.0 (2023-09-27)
Added Features
- Add GitHub Security Advisory data for Swift [Issue #293] [PR #302] [westonsteimel]
- Add GitHub Security Advisory data for Dart packages [Issue #294] [PR #302] [westonsteimel]
Version v0.16.0 (2023-09-20)
Added Features
Version v0.15.3 (2023-08-29)
Bug Fixes
- rhel: never filter out-of-support rhel entries [PR #270] [westonsteimel]
- rhel: handle cases where a vulnerability transitions to not-affected [Issue #252] [PR #253] [westonsteimel]
Version v0.15.2 (2023-07-27)
Bug Fixes
- grype showing disputed CVE in Mariner 2.0 [Issue #246]
Version v0.15.1 (2023-07-18)
Bug Fixes
- fix: add retry on alpine and mariner url fetches [PR #236] [westonsteimel]
- fix: bump PyYAML to 6.0.1 to address cython compatibility issue [PR #242] [juanjsebgarcia]
Version v0.15.0 (2023-07-11)
Added Features
- feat: preserve prior results longer with sqlite writer [PR #232] [westonsteimel]
Version v0.12.2 (2023-06-29)
Bug Fixes
- fix: detect updated ubuntu eol labels [PR #222] [westonsteimel]
Version v0.12.1
Full Changelog: https://github.com/anchore/vunnel/compare/v0.12.0...v0.12.1
Bug Fixes
- fix: handle more ubuntu git repo errors by @westonsteimel in https://github.com/anchore/vunnel/pull/214
Version v0.11.0 (2023-05-24)
Added Features
- Include CVSS in GitHub Advisory data [Issue #75] [PR #187] [westonsteimel]
Version v0.9.0 (2023-04-27)
Added Features
- feat: support SQLAlchemy 2.x [PR #150] [westonsteimel]
Bug Fixes
- fix: avoid ubuntu git repo check exception on missing directory [PR #160] [westonsteimel]
Version v0.8.1 (2023-03-28)
Features
Additional Changes
- Fix grype-db install within quality gate [PR #135] [wagoodman]
- feat: expose function for provider->version map [PR #136] [westonsteimel]
Version v0.8.0 (2023-03-28)
Bug Fixes
Additional Changes
Version v0.7.0 (2023-03-21)
Added Features
Version v0.6.0 (2023-03-14)
Additional Changes
- chore: bump vuln match quality label dataset [PR #112] [westonsteimel]
Version v0.5.0 (2023-03-13)
Added Features
Version v0.4.0 (2023-03-10)
Added Features
- feat: support Amazon Linux 2023 advisories [PR #107] [westonsteimel]
Bug Fixes
Additional Changes
Version v0.3.4 (2023-02-06)
Bug Fixes
- fix: use correct CVEFile type [PR #58] [westonsteimel]
Version v0.3.3 (2023-01-31)
Bug Fixes
- fix: don’t pass skip_if_exists to centos parser from rhel [PR #54] [westonsteimel]
Additional Changes
- chore: update to poetry >= 1.3 to enable use with dependabot [PR #50] [westonsteimel]
Version v0.3.2 (2023-01-30)
Bug Fixes
- fix: remove flawed skip_if_exists logic [PR #53] [westonsteimel]
Version v0.3.1 (2023-01-30)
Bug Fixes
- fix: ensure git reset before pull in ubuntu provider [PR #52] [westonsteimel]
Version v0.3.0 (2023-01-30)
Added Features
- ubuntu provider git url should be configurable [Issue #48]
Bug Fixes
- vunnel config command should not show python types [PR #45] [wagoodman]
- fix: consider non-exact renames as modifications [PR #46] [westonsteimel]
- fix: make compatible with python 3.9 [PR #47] [westonsteimel]
Version v0.2.0 (2023-01-17)
Added Features
- Status command does not read records from DB [PR #42] [wagoodman]
- feat: refactor ubuntu driver to eliminate git follow [PR #44] [westonsteimel]
Bug Fixes
- fix: only use --follow for non-active CVEs in ubuntu provider [PR #41] [westonsteimel]
- vunnel config command should not show python types [PR #45] [wagoodman]
Version v0.1.3 (2023-01-12)
Bug Fixes
- Fix NVD provider to not wipe out existing results on incremental update [PR #38] [wagoodman]
- fix: re-enable --follow on ubuntu provider [PR #40] [westonsteimel]
Version v0.1.2 (2023-01-11)
Bug Fixes
- fix: adds missing oval modularity parsing [PR #36] [westonsteimel]