
v5.2.0

@github-actions github-actions released this 05 Sep 14:01
fa72cd4

Changelog

  • Add a visual indicator in hierarchy views when an object on the far left or far right
    also belongs to, or has, its own hierarchy (relationship tree). #70
  • Add search and pagination on the Product Inventory tab. #3 #112
  • Fix an issue displaying the "Delete" button in the "Edit Product Relationship"
    modal form. #128
  • Add support for PURL(s) in the "Add Package" modal.
    If the PURL type is supported by the packageurl_python library, a download URL
    will be generated for creating the package and submitting a scan. #131
  • Leverage PurlDB during the "Add Package" process.
    DejaCode looks up the PURL in PurlDB and fetches all available data to
    create the package. #131
  • Populate the Package notice_text using "NOTICE" file content from Scan "key files". #136
  • Added 2 new license related fields on the Component and Package models:
    • declared_license_expression
    • other_license_expression
      #63
  • Added 2 properties on the Component and Package models:
    • declared_license_expression_spdx (computed from declared_license_expression)
    • other_license_expression_spdx (computed from other_license_expression)
      #63
  • Removed 2 fields: Package.declared_license and Component.concluded_license #63
  • The new license fields are automatically populated from the Package scan
    ("Update packages automatically from scan").
    The new license fields are pre-filled in the Package form when using
    "Add Package" from a PurlDB entry.
    The new license fields are pre-filled in the Component form when using
    "Add Component from Package data".
    The license expression values provided in the form for the new fields are now
    properly validated, and a validation error is returned when they are incorrect. #63
  • Use the declared_license_expression_spdx value in SPDX outputs. #63
  • Add new ProductDependency model to support relating Packages in the context of a
    Product. #138
  • Add a task scheduler service to the Docker Compose stack.
    This service runs a dedicated setupcron management command to create the
    application's scheduled cron jobs.
    The scheduler is configured to run the daily vulnerabilities update task. #94
  • Add a new Vulnerability model and all the code logic to fetch and create
    Vulnerability records and assign them to Package/Component through ManyToMany
    relationships.
    A fetchvulnerabilities management command is available to fetch all the relevant
    data from VulnerableCode for a given Dataspace.
    The latest vulnerability data refresh date is displayed in the Admin dashboard in a
    new "Data updates" section in the bottom right corner.
    It is also available in the "Integration Status" page.
    The Package/Component views that display vulnerability information (icon or tab)
    now use the data from the Vulnerability model instead of calling the
    VulnerableCode API on each request. This results in much better performance,
    since rendering a DejaCode view no longer depends on the VulnerableCode service
    being reachable. It also makes Vulnerability data available in the Reporting system.
    The vulnerability icon is displayed next to the Package/Component identifier in the
    Product views: "Inventory", "Hierarchy", "Dependencies" tabs.
    The vulnerability data is available in Reporting either through the is_vulnerable
    property on Package/Component column template or going through the full
    affected_by_vulnerabilities m2m field.
    This is available in both Query and ColumnTemplate.
    The vulnerabilities are fetched each time a Package is created/modified
    (note that a purl is required on the package for the lookup).
    Also, all the Packages of a Product are updated with latest vulnerabilities from
    the VulnerableCode service following importing data in Product using:
    • Import data from Scan
    • Load Packages from SBOMs
    • Import Packages from manifests
    • Pull ScanCode.io Project data #94
  • Add a new Vulnerabilities list available from the "Tools" menu when
    enable_vulnerablecodedb_access is enabled on a Dataspace.
    This implementation focuses on ranking/sorting: Vulnerabilities can be sorted and
    filtered by severity score.
    It's also possible to sort by the count of affected packages to help prioritize. #94
  • Display warning when a "download_url" could not be determined from a PURL in
    "Add Package". #163
  • Add a Vulnerabilities tab in the Product details view. #95
  • Add an "Improve Packages from PurlDB" action in the Product details view. #45
  • Add the ability to download the CycloneDX VEX-only and SBOM+VEX combined outputs. #108
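The vulnerability items above (PURL-keyed lookup, packages without a PURL being skipped, sorting by severity score or by affected-package count, and the CycloneDX VEX output) can be illustrated with the following added example. It is not DejaCode code: the package inventory and the vulnerability records are constructed inline, the record shape only approximates a VulnerableCode package lookup, and `lookup_vulnerabilities` stands in for the HTTP call the fetchvulnerabilities command would make.

```python
"""Added example (not DejaCode's own code): index vulnerability records by PURL,
rank them for prioritization, and emit a minimal CycloneDX VEX document."""

# Constructed inventory, as a Product's packages might look. The third entry has
# no purl on purpose: without a purl there is nothing to look up.
PACKAGES = [
    {"name": "jinja2", "version": "3.1.2", "purl": "pkg:pypi/jinja2@3.1.2"},
    {"name": "requests", "version": "2.30.0", "purl": "pkg:pypi/requests@2.30.0"},
    {"name": "internal-lib", "version": "1.0", "purl": ""},
]

# Constructed records approximating a VulnerableCode lookup; the IDs and scores
# are invented for the example and are not real advisories.
VULNERABILITY_RECORDS = {
    "pkg:pypi/jinja2@3.1.2": [
        {"vulnerability_id": "EXAMPLE-0001",
         "severities": [{"scoring_system": "cvssv3.1", "value": "8.8"}]},
        {"vulnerability_id": "EXAMPLE-0002",
         "severities": [{"scoring_system": "cvssv3.1", "value": "5.4"}]},
    ],
    "pkg:pypi/requests@2.30.0": [
        {"vulnerability_id": "EXAMPLE-0002",
         "severities": [{"scoring_system": "cvssv3.1", "value": "5.4"}]},
        {"vulnerability_id": "EXAMPLE-0003", "severities": []},  # no score published yet
    ],
}


def lookup_vulnerabilities(purl):
    """Offline stand-in for querying VulnerableCode by package URL (assumption)."""
    return VULNERABILITY_RECORDS.get(purl, [])


def max_score(record):
    """Highest numeric severity in a record, or None when nothing is scored."""
    scores = [float(s["value"]) for s in record.get("severities", []) if s.get("value")]
    return max(scores) if scores else None


def build_vulnerability_index(packages, lookup=lookup_vulnerabilities):
    """Return ({vulnerability_id: entry}, [names of packages skipped for lacking a purl]).

    Each entry carries the highest score seen across records and the set of
    affected purls, which is the data the m2m relationship and the list views need.
    """
    vulns, skipped = {}, []
    for pkg in packages:
        purl = pkg.get("purl")
        if not purl:
            skipped.append(pkg["name"])
            continue
        for record in lookup(purl):
            vid = record["vulnerability_id"]
            entry = vulns.setdefault(vid, {"id": vid, "max_score": None, "affected": set()})
            score = max_score(record)
            if score is not None and (entry["max_score"] is None or score > entry["max_score"]):
                entry["max_score"] = score
            entry["affected"].add(purl)
    return vulns, skipped


def is_vulnerable(package, vulns):
    """Equivalent of an is_vulnerable property: any indexed vulnerability affects this purl."""
    purl = package.get("purl")
    return bool(purl) and any(purl in v["affected"] for v in vulns.values())


def rank(vulns, by="score"):
    """Sort for prioritization: by severity (unscored last) or by affected-package count."""
    def key(v):
        unscored = v["max_score"] is None
        score = -(v["max_score"] or 0.0)
        count = -len(v["affected"])
        if by == "affected":
            return (count, unscored, score, v["id"])
        return (unscored, score, count, v["id"])
    return sorted(vulns.values(), key=key)


def to_cyclonedx_vex(vulns):
    """Minimal CycloneDX 1.5 VEX-only document; the purl is used as the bom-ref (assumption)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [
            {
                "id": v["id"],
                "ratings": ([{"score": v["max_score"], "method": "CVSSv31"}]
                            if v["max_score"] is not None else []),
                "affects": [{"ref": purl} for purl in sorted(v["affected"])],
            }
            for v in rank(vulns)
        ],
    }
```

Unscored vulnerabilities deliberately sort last rather than as score 0, so a missing rating is never mistaken for a harmless one; the skipped-package list is worth surfacing in the UI for the same reason, since a package without a PURL silently gets no vulnerability data at all.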

What's Changed

  • Add visual indicator when an object also has a tree in hierarchy view #70 by @tdruez in #126
  • Implement pagination in tab_inventory #3 by @tdruez in #24
  • Set the proper permission for the "Inventory" tab #128 by @tdruez in #134
  • Add support for PURLs in create_package_from_url #131 by @tdruez in #133
  • Populate the Package notice_text from Scan "key files" #136 by @tdruez in #137
  • Store additional license fields #63 by @tdruez in #130
  • Use the declared_license_expression_spdx value in SPDX output #63 by @tdruez in #140
  • Refactor BaseService to take a dataspace in place of user #94 by @tdruez in #142
  • Refine the action triggering the test CI by @tdruez in #143
  • Replace all linter and validation libraries by ruff by @tdruez in #150
  • Put the virtualenv into a .venv directory instead of the project root by @tdruez in #151
  • Upgrade packageurl-python to latest 0.15.6 by @tdruez in #154
  • Add Dependency model and view #138 by @tdruez in #147
  • Update .dockerignore with latest venv changes by @tdruez in #159
  • Enhance the Package search logic #160 by @tdruez in #161
  • Base implementation of a Vulnerability models #94 by @tdruez in #148
  • Migrate repository URL references to aboutcode-org by @tdruez in #169
  • Display warning when a "download_url" could not be determined from a … by @tdruez in #170
  • Add global Vulnerability list #95 by @tdruez in #171
  • Fix an issue with vulnerability m2m when copying a package/component … by @tdruez in #172
  • Add a Vulnerabilities tab in the Product details view #95 by @tdruez in #173
  • 45 improve from purldb by @tdruez in #135
  • Add the ability to download the VEX output #108 by @tdruez in #174
  • Move the vulnerabilities related code to its own module #95 by @tdruez in #177
  • Release 5.2.0 by @tdruez in #178

Full Changelog: v5.1.0...v5.2.0