
Releases: trustification/trustify

0.3.5

16 Jul 13:45

Changelog

v0.3.5 (2025-07-16)

Fixes

  • nested external sboms in cdx (bd00b8b)

0.3.4

15 Jul 14:38

Changelog

v0.3.4 (2025-07-15)

Features

  • add scores and severities to response (a9dd813)

Fixes

  • storage: ensure an empty string is "none" compression (31076b2)
  • fundamental: change response of analyse purl endpoint (730ca5d)

0.3.3

11 Jul 14:16

Changelog

v0.3.3 (2025-07-11)

Features

  • query field names may include any character except \ (291b64d), closes
    #1849

Fixes

  • storage: clean up the returned content encoding [Backport release/0.3.z]
    (#1861) (d73755a), closes #1861 #1850

0.3.2

04 Jul 13:43

Changelog

v0.3.2 (2025-07-04)

Fixes

0.3.1

30 Jun 16:26

Changelog

v0.3.1 (2025-06-30)

Fixes

  • add indexes to sbom_node_checksum (239f019)

0.3.0

24 Jun 10:28

Changelog

v0.3.0 (2025-06-24)

⚠ BREAKING-CHANGE

  • The /vulnerabilities search parameters are changed from 'average_severity' and 'average_score' to 'base_severity' and 'base_score'

  • The upgraded parser aligns with RFC 9535, and no longer supports the $.[] notation. It must be converted into $[].
    This is important for the group extraction with OIDC, specifically
    with AWS Cognito.

Features

  • analysis: reduce memory consumption by ~15% (#1781) (a5dc0b8), closes
    #1781
  • analysis: provide for status details (19c275f)
  • analysis: ensure parallel loads await each other (7782757)
  • start extracting vulnerability scores from cvss v4 and v2 (7f07450)
  • analysis: log graph cache size during startup (01816cf)
  • import SBOM attachments from Quay repositories (d16f0a2)
  • track number and size of evictions [Backport release/0.3.z] (#1730)
    (32c87ef), closes #1730
  • implement validation of labels (6ff25c9), closes #1708
  • implement PURL extraction endpoint (1b53d51), closes #1665
  • Setting compression to None will remove the header (745191b), closes #1682
  • allow using path style for S3 (1672635), closes #1678
  • parse and store cvss3 scores for cve files (474f82e)
  • allow string arrays to be queried in the q= syntax (42f99b9), closes #1558
  • refactored license type management in CSV license export (#10) (3cf0d1a),
    closes #10
  • analysis: log cache eviction note on info level (895a360)
  • allow control populating the cache after ingestion (cc8d4ff)
  • allow providing the format type during the upload (advisory) (4c2ab4c)
  • allow providing the format type during the upload (99fbae2)
  • filter SBOMs and Advisories by labels (7bcb993), closes #491
  • now supporting json objects for in-memory queries (16f6a57)
  • support unlimited multi-part field names for json columns (513bcdc)
  • support nested fields within in-memory query contexts (c4d3661)
  • query json objects with ':' to delimit column name and key (ad808aa), closes
    #491
  • return a list of valid fields in a query error message (6978eb1)
  • add api/v2/analyis/latest/component (a61b511)
  • allow upload gzip compressed files (16d6066)
  • a new dataset containing a few sboms and osv advisories that had issues in
    correlation (8f150ce)
  • collect and report SBOM supplier information (26c0bf2)
  • add analyze endpoint for purl-based vulnerability scan (0709de3)
  • add score to response (6718869), closes #1473
  • add pg_stats to the compose database (9a2efbc)

Fixes

  • set RUSTFLAGS for Windows binary build (a5a382a)
  • remove 'runs-on' from 'backport' CI job (7cf7712)
  • ensure latest cpe query returns latest roots [Backport release/0.3.z]
    (#1788) (691823f), closes #1788
  • mark advisory average scores and severities deprecated (31248e4)
  • prevent dumping massive amounts of log info (4403387)
  • don't force ansi colors, respect NO_COLOR, default on (#1760) (69afce8),
    closes #1760
  • analysis: don't load all SBOMs when checking by name (84da372)
  • timeout the DB ping and return "false" (ef8dd57)
  • storage: urlencode bucket name (89a0c3e)
  • align the embedded postgres version with the CI (f1ba554), closes #1674
  • set vulnerability score from cve advisory (c21c65b)
  • delete advisory performance (a605ad6)
  • add sorting and pagination to importer report endpoint (5f1a927), closes
    #1636
  • return 404 when /weakness has no results (a00a709)
  • use correct env variable (29feec1)
  • remove duplicate UNION in gc_purls SELECT (9297a06)
  • properly evaluate the UpdateSbom permission (a0cee9f)
  • show null severity in vuln when it's null in advisory (e542e2b), closes
    #1374
  • support custom trust anchors, fix a "not found" issue (34274f3)
  • remove advisory_vulnerability gist index (ac0c728)
  • don't queue work on the worker queue if there is none (57146a1)
  • fully-qualify table names in json filters (6f419f5)
  • when deleting an entity, delete also a source document (and scores for the
    advisory) (4cb8ceb)
  • prevent panic when handling non YAML content (d6d37cb)
  • ensure that container build aligns with deployment architecture (6316078)
  • Python versions PLSQL comparator (TC-2469) (ffce45d)
  • ensure that an invalid CVSS does not panic (a5eceda), closes #1547
  • scale test references the PR number commented (76e2d7d)
  • scale test references the PR number (583d39b)
  • return 400 instead of 500 in case of validation errors (a0d052c)
  • correct documentation of API (1584c6a)
  • prevent deadlock when inserting in parallel (0a75ac4), closes #1531
  • reap crashed jobs so they don't appear "stuck" in the UI (d418222), closes
    #1499
  • pythonver_cmp function to properly handle local versions (12fb17e)
  • cvss scores with I:N and A:N score properly now (f5fe0c5), closes #1519
  • mavenver_cmp add logic to compare builds (6992b4e)
  • mavenver_cmp function fails to compare versions with build numbers properly
    (df0afbe)
  • add a migration to fix null values for suppliers (8b0d1fe)
  • ensure load order does not impact analysis graph dependency queries
    (55bb20d)
  • TC-2388 OSV range with last_affected (564ec89)
  • allow setting devmode with container keycloak (3fb1032)
  • get_purl now deals with missing ns properly (9209645), closes #1456
  • set title for vulnerabilities with non typical description language code
    (a0de6e1)
  • use patched version of spdx-rs until the fix is merged and released
    (8f1cab6), closes #1492
  • /sbom/by-package api can now sort results by name (0099fb3), closes #1476
  • add vulnerability details in purl details for product statuses (0f1f780)
  • purl components now properly encoded in Display impl (1997349)

0.3.0-rc.3

13 Jun 09:26
Pre-release

Changelog

v0.3.0-rc.3 (2025-06-13)

⚠ BREAKING-CHANGE

  • The /vulnerabilities search parameters are changed from 'average_severity' and 'average_score' to 'base_severity' and 'base_score'

  • The upgraded parser aligns with RFC 9535, and no longer supports the $.[] notation. It must be converted into $[].
    This is important for the group extraction with OIDC, specifically
    with AWS Cognito.

Features

  • analysis: ensure parallel loads await each other (7782757)
  • start extracting vulnerability scores from cvss v4 and v2 (7f07450)
  • analysis: log graph cache size during startup (01816cf)
  • import SBOM attachments from Quay repositories (d16f0a2)
  • track number and size of evictions [Backport release/0.3.z] (#1730)
    (32c87ef), closes #1730
  • implement validation of labels (6ff25c9), closes #1708
  • implement PURL extraction endpoint (1b53d51), closes #1665
  • Setting compression to None will remove the header (745191b), closes #1682
  • allow using path style for S3 (1672635), closes #1678
  • parse and store cvss3 scores for cve files (474f82e)
  • allow string arrays to be queried in the q= syntax (42f99b9), closes #1558
  • refactored license type management in CSV license export (#10) (3cf0d1a),
    closes #10
  • analysis: log cache eviction note on info level (895a360)
  • allow control populating the cache after ingestion (cc8d4ff)
  • allow providing the format type during the upload (advisory) (4c2ab4c)
  • allow providing the format type during the upload (99fbae2)
  • filter SBOMs and Advisories by labels (7bcb993), closes #491
  • now supporting json objects for in-memory queries (16f6a57)
  • support unlimited multi-part field names for json columns (513bcdc)
  • support nested fields within in-memory query contexts (c4d3661)
  • query json objects with ':' to delimit column name and key (ad808aa), closes
    #491
  • return a list of valid fields in a query error message (6978eb1)
  • add api/v2/analyis/latest/component (a61b511)
  • allow upload gzip compressed files (16d6066)
  • a new dataset containing a few sboms and osv advisories that had issues in
    correlation (8f150ce)
  • collect and report SBOM supplier information (26c0bf2)
  • add analyze endpoint for purl-based vulnerability scan (0709de3)
  • add score to response (6718869), closes #1473
  • add pg_stats to the compose database (9a2efbc)

Fixes

  • timeout the DB ping and return "false" (ef8dd57)
  • storage: urlencode bucket name (89a0c3e)
  • align the embedded postgres version with the CI (f1ba554), closes #1674
  • set vulnerability score from cve advisory (c21c65b)
  • delete advisory performance (a605ad6)
  • add sorting and pagination to importer report endpoint (5f1a927), closes
    #1636
  • return 404 when /weakness has no results (a00a709)
  • use correct env variable (29feec1)
  • remove duplicate UNION in gc_purls SELECT (9297a06)
  • properly evaluate the UpdateSbom permission (a0cee9f)
  • show null severity in vuln when it's null in advisory (e542e2b), closes
    #1374
  • support custom trust anchors, fix a "not found" issue (34274f3)
  • remove advisory_vulnerability gist index (ac0c728)
  • don't queue work on the worker queue if there is none (57146a1)
  • fully-qualify table names in json filters (6f419f5)
  • when deleting an entity, delete also a source document (and scores for the
    advisory) (4cb8ceb)
  • prevent panic when handling non YAML content (d6d37cb)
  • ensure that container build aligns with deployment architecture (6316078)
  • Python versions PLSQL comparator (TC-2469) (ffce45d)
  • ensure that an invalid CVSS does not panic (a5eceda), closes #1547
  • scale test references the PR number commented (76e2d7d)
  • scale test references the PR number (583d39b)
  • return 400 instead of 500 in case of validation errors (a0d052c)
  • correct documentation of API (1584c6a)
  • prevent deadlock when inserting in parallel (0a75ac4), closes #1531
  • reap crashed jobs so they don't appear "stuck" in the UI (d418222), closes
    #1499
  • pythonver_cmp function to properly handle local versions (12fb17e)
  • cvss scores with I:N and A:N score properly now (f5fe0c5), closes #1519
  • mavenver_cmp add logic to compare builds (6992b4e)
  • mavenver_cmp function fails to compare versions with build numbers properly
    (df0afbe)
  • add a migration to fix null values for suppliers (8b0d1fe)
  • ensure load order does not impact analysis graph dependency queries
    (55bb20d)
  • TC-2388 OSV range with last_affected (564ec89)
  • allow setting devmode with container keycloak (3fb1032)
  • get_purl now deals with missing ns properly (9209645), closes #1456
  • set title for vulnerabilities with non typical description language code
    (a0de6e1)
  • use patched version of spdx-rs until the fix is merged and released
    (8f1cab6), closes #1492
  • /sbom/by-package api can now sort results by name (0099fb3), closes #1476
  • add vulnerability details in purl details for product statuses (0f1f780)
  • purl components now properly encoded in Display impl (1997349)

0.3.0-rc.2

06 Jun 14:25
Pre-release

Changelog

v0.3.0-rc.2 (2025-06-06)

⚠ BREAKING-CHANGE

  • The /vulnerabilities search parameters are changed from 'average_severity' and 'average_score' to 'base_severity' and 'base_score'

  • The upgraded parser aligns with RFC 9535, and no longer supports the $.[] notation. It must be converted into $[].
    This is important for the group extraction with OIDC, specifically
    with AWS Cognito.

Features

  • implement validation of labels (6ff25c9), closes #1708
  • implement PURL extraction endpoint (1b53d51), closes #1665
  • Setting compression to None will remove the header (745191b), closes #1682
  • allow using path style for S3 (1672635), closes #1678
  • parse and store cvss3 scores for cve files (474f82e)
  • allow string arrays to be queried in the q= syntax (42f99b9), closes #1558
  • refactored license type management in CSV license export (#10) (3cf0d1a),
    closes #10
  • analysis: log cache eviction note on info level (895a360)
  • allow control populating the cache after ingestion (cc8d4ff)
  • allow providing the format type during the upload (advisory) (4c2ab4c)
  • allow providing the format type during the upload (99fbae2)
  • filter SBOMs and Advisories by labels (7bcb993), closes #491
  • now supporting json objects for in-memory queries (16f6a57)
  • support unlimited multi-part field names for json columns (513bcdc)
  • support nested fields within in-memory query contexts (c4d3661)
  • query json objects with ':' to delimit column name and key (ad808aa), closes
    #491
  • return a list of valid fields in a query error message (6978eb1)
  • add api/v2/analyis/latest/component (a61b511)
  • allow upload gzip compressed files (16d6066)
  • a new dataset containing a few sboms and osv advisories that had issues in
    correlation (8f150ce)
  • collect and report SBOM supplier information (26c0bf2)
  • add analyze endpoint for purl-based vulnerability scan (0709de3)
  • add score to response (6718869), closes #1473
  • add pg_stats to the compose database (9a2efbc)

Fixes

  • storage: urlencode bucket name (89a0c3e)
  • align the embedded postgres version with the CI (f1ba554), closes #1674
  • set vulnerability score from cve advisory (c21c65b)
  • delete advisory performance (a605ad6)
  • add sorting and pagination to importer report endpoint (5f1a927), closes
    #1636
  • return 404 when /weakness has no results (a00a709)
  • use correct env variable (29feec1)
  • remove duplicate UNION in gc_purls SELECT (9297a06)
  • properly evaluate the UpdateSbom permission (a0cee9f)
  • show null severity in vuln when it's null in advisory (e542e2b), closes
    #1374
  • support custom trust anchors, fix a "not found" issue (34274f3)
  • remove advisory_vulnerability gist index (ac0c728)
  • don't queue work on the worker queue if there is none (57146a1)
  • fully-qualify table names in json filters (6f419f5)
  • when deleting an entity, delete also a source document (and scores for the
    advisory) (4cb8ceb)
  • prevent panic when handling non YAML content (d6d37cb)
  • ensure that container build aligns with deployment architecture (6316078)
  • Python versions PLSQL comparator (TC-2469) (ffce45d)
  • ensure that an invalid CVSS does not panic (a5eceda), closes #1547
  • scale test references the PR number commented (76e2d7d)
  • scale test references the PR number (583d39b)
  • return 400 instead of 500 in case of validation errors (a0d052c)
  • correct documentation of API (1584c6a)
  • prevent deadlock when inserting in parallel (0a75ac4), closes #1531
  • reap crashed jobs so they don't appear "stuck" in the UI (d418222), closes
    #1499
  • pythonver_cmp function to properly handle local versions (12fb17e)
  • cvss scores with I:N and A:N score properly now (f5fe0c5), closes #1519
  • mavenver_cmp add logic to compare builds (6992b4e)
  • mavenver_cmp function fails to compare versions with build numbers properly
    (df0afbe)
  • add a migration to fix null values for suppliers (8b0d1fe)
  • ensure load order does not impact analysis graph dependency queries
    (55bb20d)
  • TC-2388 OSV range with last_affected (564ec89)
  • allow setting devmode with container keycloak (3fb1032)
  • get_purl now deals with missing ns properly (9209645), closes #1456
  • set title for vulnerabilities with non typical description language code
    (a0de6e1)
  • use patched version of spdx-rs until the fix is merged and released
    (8f1cab6), closes #1492
  • /sbom/by-package api can now sort results by name (0099fb3), closes #1476
  • add vulnerability details in purl details for product statuses (0f1f780)
  • purl components now properly encoded in Display impl (1997349)

0.3.0-rc.1

03 Jun 14:51
Pre-release

Changelog

v0.3.0-rc.1 (2025-06-03)

⚠ BREAKING-CHANGE

  • The /vulnerabilities search parameters are changed from 'average_severity' and 'average_score' to 'base_severity' and 'base_score'

  • The upgraded parser aligns with RFC 9535, and no longer supports the $.[] notation. It must be converted into $[].
    This is important for the group extraction with OIDC, specifically
    with AWS Cognito.

Features

  • implement PURL extraction endpoint (1b53d51), closes #1665
  • Setting compression to None will remove the header (745191b), closes #1682
  • allow using path style for S3 (1672635), closes #1678
  • parse and store cvss3 scores for cve files (474f82e)
  • allow string arrays to be queried in the q= syntax (42f99b9), closes #1558
  • refactored license type management in CSV license export (#10) (3cf0d1a),
    closes #10
  • analysis: log cache eviction note on info level (895a360)
  • allow control populating the cache after ingestion (cc8d4ff)
  • allow providing the format type during the upload (advisory) (4c2ab4c)
  • allow providing the format type during the upload (99fbae2)
  • filter SBOMs and Advisories by labels (7bcb993), closes #491
  • now supporting json objects for in-memory queries (16f6a57)
  • support unlimited multi-part field names for json columns (513bcdc)
  • support nested fields within in-memory query contexts (c4d3661)
  • query json objects with ':' to delimit column name and key (ad808aa), closes
    #491
  • return a list of valid fields in a query error message (6978eb1)
  • add api/v2/analyis/latest/component (a61b511)
  • allow upload gzip compressed files (16d6066)
  • a new dataset containing a few sboms and osv advisories that had issues in
    correlation (8f150ce)
  • collect and report SBOM supplier information (26c0bf2)
  • add analyze endpoint for purl-based vulnerability scan (0709de3)
  • add score to response (6718869), closes #1473
  • add pg_stats to the compose database (9a2efbc)

Fixes

  • set vulnerability score from cve advisory (c21c65b)
  • delete advisory performance (a605ad6)
  • add sorting and pagination to importer report endpoint (5f1a927), closes
    #1636
  • return 404 when /weakness has no results (a00a709)
  • use correct env variable (29feec1)
  • remove duplicate UNION in gc_purls SELECT (9297a06)
  • properly evaluate the UpdateSbom permission (a0cee9f)
  • show null severity in vuln when it's null in advisory (e542e2b), closes
    #1374
  • support custom trust anchors, fix a "not found" issue (34274f3)
  • remove advisory_vulnerability gist index (ac0c728)
  • don't queue work on the worker queue if there is none (57146a1)
  • fully-qualify table names in json filters (6f419f5)
  • when deleting an entity, delete also a source document (and scores for the
    advisory) (4cb8ceb)
  • prevent panic when handling non YAML content (d6d37cb)
  • ensure that container build aligns with deployment architecture (6316078)
  • Python versions PLSQL comparator (TC-2469) (ffce45d)
  • ensure that an invalid CVSS does not panic (a5eceda), closes #1547
  • scale test references the PR number commented (76e2d7d)
  • scale test references the PR number (583d39b)
  • return 400 instead of 500 in case of validation errors (a0d052c)
  • correct documentation of API (1584c6a)
  • prevent deadlock when inserting in parallel (0a75ac4), closes #1531
  • reap crashed jobs so they don't appear "stuck" in the UI (d418222), closes
    #1499
  • pythonver_cmp function to properly handle local versions (12fb17e)
  • cvss scores with I:N and A:N score properly now (f5fe0c5), closes #1519
  • mavenver_cmp add logic to compare builds (6992b4e)
  • mavenver_cmp function fails to compare versions with build numbers properly
    (df0afbe)
  • add a migration to fix null values for suppliers (8b0d1fe)
  • ensure load order does not impact analysis graph dependency queries
    (55bb20d)
  • TC-2388 OSV range with last_affected (564ec89)
  • allow setting devmode with container keycloak (3fb1032)
  • get_purl now deals with missing ns properly (9209645), closes #1456
  • set title for vulnerabilities with non typical description language code
    (a0de6e1)
  • use patched version of spdx-rs until the fix is merged and released
    (8f1cab6), closes #1492
  • /sbom/by-package api can now sort results by name (0099fb3), closes #1476
  • add vulnerability details in purl details for product statuses (0f1f780)
  • purl components now properly encoded in Display impl (1997349)

0.2.19

12 May 12:39

Changelog