2.29.0

What's Changed

• ROX-12238: Add node analysis package by @jvdm in #911
• Do not analyze language vulns unless the feature is enabled by @jvdm in #924
• Refactor common detection function to its own package by @jvdm in #926
• Update style checks by @RTann in #902
• Statically build scanner by @connorgorman in #918
• CI: Continue even with GitHub comment error by @RTann in #933
• Copy over stackrox/stackrox#3032 by @RTann in #931
• ROX-12226: Fetch RHELv2 unpatched CVE components resolution status and store them in scanner db by @daynewlee in #935
• Minor updates for #911 by @RTann in #936
• Bump google.golang.org/api from 0.95.0 to 0.96.0 by @dependabot in #938
• Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 by @dependabot in #932
• Fix local deployment by @RTann in #942
• RHBA-2022:5747 CVSSv3 update by @RTann in #939
• Update docker-entrypoint.sh to match latest version by @RTann in #940
• Update go.mods to 1.18 by @RTann in #944
• ROX-12556: Always initialize from scratch by @RTann in #941
• ROX-12735: add automation to enter new community PRs to OSS Triage board automatically by @tommartensen in #946
• update .editorconfig for protobufs by @RTann in #945
• Bump cloud.google.com/go/storage from 1.26.0 to 1.27.0 by @dependabot in #948
• Bump google.golang.org/api from 0.96.0 to 0.98.0 by @dependabot in #949
• Bump github.com/quay/goval-parser from 0.8.7 to 0.8.8 by @dependabot in #950
• Update stackrox/stackrox dependency by @RTann in #947
• fix resolution state for packages with modules by @RTann in #937
• fix tag used for hourly CI runs by @RTann in #954
• Use http consts for HTTP methods by @dhaus67 in #958
• Update stackrox dependency by @RTann in #959
• Use ROX_SCANNER_DB_INIT env var in ScannerDB initContainer by @RTann in #960
• Bump github.com/containers/image/v5 from 5.20.0 to 5.23.0 by @dependabot in #962
• Update osrelease and redhatrelease detectors to detect Rocky Linux as… by @msierks in #745
• Pass correct arguments to tar when creating db bundle by @vladbologa in #964
• CI: Fix missing CLUSTER_NAME by @gavin-stackrox in #972
• Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by @dependabot in #969
• Bump github.com/opencontainers/image-spec from 1.1.0-rc1 to 1.1.0-rc2 by @dependabot in #970
• Bump google.golang.org/grpc from 1.49.0 to 1.50.0 by @dependabot in #971
• Update github.com/knqyf263/go-rpm-version dependency by @RTann in #976
• Bump google.golang.org/api from 0.98.0 to 0.99.0 by @dependabot in #978
• ROX-12577 Scanner: load Istio dump by @daynewlee in #955
• e2e: Update (asp|dot)net fixedby version by @RTann in #982
• ROX-12350: Detect CVE-2022-22978 by @RTann in #930
• CI: gate "upload-db-dump" for tag by @RTann in #979
• CI: Cleanup dangling processes by @RTann in #980
• Bump hashstructure to v2 by @RTann in #977
• Deprecate RHELv2PackageInfo by @RTann in #928
• Bump google.golang.org/grpc from 1.50.0 to 1.50.1 by @dependabot in #985
• Bump google.golang.org/api from 0.99.0 to 0.100.0 by @dependabot in #986
• Make gRPC service structs forward-compatible by embedding Unimplemented.. types by @misberner in #987
• Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 by @dependabot in #990
• Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 by @dependabot in #988
• ROX-10613: Use ubi-minimal for scanner-db by @janisz in #956
• Bump google.golang.org/api from 0.100.0 to 0.101.0 by @dependabot in #989
• fix E2E tests based on vuln updates by @RTann in #991
• Replace uses of *zip.ReadCloser with *zip.Reader when Close is not used by @RTann in #992
• Bump GKE provisioning timeout by @RTann in #995
• e2e: Test openssl vulns in RHEL 9 by @RTann in #998
• manually add CVE-2022-3602 and CVE-2022-3786 for ubuntu:22.04 by @RTann in #997
• ROX-13136: Added suport for ubuntu 22.10 by @ksurabhi91 in #996
• CI: Switch to containerd for k8s v1.23 support by @RTann in #1002
• Replace CVE-2022-3602 and CVE-2022-3786 with RHSA-2022:7288 for RHEL 9 and rescore CVE-2022-3602 by @RTann in #1001
• manually add CVE-2022-3602 and CVE-2022-3786 for ubuntu:22.10 by @RTann in #1000
• ROX-13348: Update offline dump source by @RTann in #1005
• Bump google.golang.org/api from 0.101.0 to 0.103.0 by @dependabot in #1007
• Bump github.com/ckaznocha/protoc-gen-lint from 0.2.4 to 0.3.0 by @dependabot in #1009
• Bump cloud.google.com/go/storage from 1.27.0 to 1.28.0 by @dependabot in #1008
• Bump ubi8-minimal from 8.6 to 8.7 by @janisz in #1010
• ROX-13435: fix RHELv2 updates by @RTann in #1012
• e2e: update fixedBy version for freetype in RHEL 8 by @RTann in #1011
• Add Istio request handler and business logics for fetching Istio CVEs by @daynewlee in #984
• Remove TODO in ubuntu:22.04 E2E test by @RTann in #1003
• Minor update for Istio scanning by @daynewlee in #1013
• ROX-12784: fix unpatched OpenShift 4 vulnerability detection by @RTann in #1006
• Generate new genesis dump by @RTann in #1015
• Bump github.com/prometheus/client_golang from 1.13.0 to 1.14.0 by @dependabot in #1018
• Bump github.com/containers/image/v5 from 5.23.0 to 5.23.1 by @dependabot in #1016
• fix release tagging by @RTann in #1020
• e2e: CVE-2022-30945 rescore by @RTann in #1019
• Support following absolute symlinks for node analysis by @RTann in #1014
• e2e: update jenkins-2-plugins fixedby version by @RTann in #1021
• remove user from slack notification by @RTann in #1022
• Bump google.golang.org/grpc from 1.50.1 to 1.51.0 by @dependabot in #1023
• Bump cloud.google.com/go/storage from 1.28.0 to 1.28.1 by @dependabot in #1030
• Update Scanner/ScannerDB certs by @RTann in #1031
• test updated repository-to-cpe.json format by @RTann in #1034
• remove env isolator by @RTann in #1035
• remove timeutil package by @RTann in #1036
• Bump google.golang.org/api from 0.103.0 to 0.105.0 by @dependabot in #1037
• ROX-14082: Create test files and symlinks from code by @msugakov in #1039
• ROX-12967: Fix RHCOS detection and namespace generation by @Maddosaurus in #1026
• fix apple silicon local scanner build by @dcaravel in #1038
• Bump github.com/go-git/go-billy/v5 from 5.3.1 to 5.4.0 by @dependabot in #1041
• ROX-13627: Extend GetNodeVulnerabilities API by supporting Node Inventory by @vikin91 in #1004
• ROX-14035: only read file if within given root by @RTann in #1042
• update binaries used in Makefile by @RTann in #1044
• Improve e2e testcase for RHCOS by @vikin91 in #1045
• Bump google.golang.org/grpc from 1.51.0 to 1.52.0 by @dependabot in #1048
• Bump google.golang.org/api from 0.105.0 to 0.106.0 by @dependabot in #1047
• Bump golang.org/x/sys from 0.3.0 to 0.4.0 by @dependabot in #1049
• e2e: update jenkins-2-plugins fixed by by @RTann in #1046
• e2e: update FixedBy version of dotnet-runtime rpm packages by @RTann in #1052
• Fix E2E: remove CVE-2022-30945 from qa:ose-jenkins by @jvdm in #1056
• ROX-13794: Add content sets to Components proto by @jvdm in #1053
• update github.com/go-git/go-git/v5 version by @RTann in #1057
• Bump google.golang.org/api from 0.106.0 to 0.107.0 by @dependabot in #1058
• ROX-12966: disable node scanning for non RHCOS nodes by @daynewlee in #1054
• ROX-13794: Make node analyzer return content sets, not cpes by @jvdm in #1055
• CI: remove Circle CI by @gavin-stackrox in #1060
• Support RHEL content sets in a call to GetNodeVulnerabilities by @vikin91 in #1059
• Bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 by @dependabot in #1061
• Bump google.golang.org/grpc from 1.52.0 to 1.52.1 by @dependabot in #1063
• Bump github.com/containers/image/v5 from 5.23.1 to 5.24.0 by @dependabot in #1062
• ROX-14459: Alpine 3.17 Support by @dcaravel in #1064
• Add usr/share/buildinfo to node scan by @jvdm in #1066
• ROX-13107: Hardcode content sets in RHCOS 4.7 to 4.9 by @jvdm in #1068
• Refactor e2e RHCOS tests by @vikin91 in #1050
• Bump google.golang.org/grpc from 1.52.1 to 1.52.3 by @dependabot in #1072
• Added fix for ROX-12979- Vulnerability scan doesn't include dependency libs by @ksurabhi91 in #1033
• Bump google.golang.org/api from 0.107.0 to 0.109.0 by @dependabot in #1070
• Update max known OpenShift version to 4.13 by @RTann in #1077
• ROX-14288: Ensure Linux Kernel related packages are not skipped in RHCOS node scanning by @jvdm in #1078
• Update Genesis Dump by @RTann in #1076
• ROX-13107: Add missing content sets to the hard coded list for RHCOS 4.7, 4.8 and 4.9. by @jvdm in #1074
• ROX-14592: Ensure that RHCOS Node scan is not skipped by Scanner by @vikin91 in #1065
• ROX-13796: benchmark node analyze by @daynewlee in #1073
• Test_getFullRHELv2Features compare slices with assert.ElementsMatchf by @RTann in #1082
• Update to go1.19.4 by @RTann in #1083
• Disable safe directory checks in git on CI by @jvdm in #1090
• Bump google.golang.org/grpc from 1.52.3 to 1.53.0 by @dependabot in #1088
• Bump golang.org/x/sys from 0.4.0 to 0.5.0 by @dependabot in #1089
• Bump github.com/golangci/golangci-lint from 1.47.3 to 1.51.1 in /tools/linters by @dependabot in #1085
• Remove lru cache by @janisz in #1080
• fix: Update E2E test after changes in vulnerability data by @jvdm in #1092
• Reduce race condition likelihood, remove redundant diff download by @dcaravel in #1084
• Bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1 by @dependabot in #1087
• Added new readme file by @daynewlee in #1081
• Bump github.com/containers/image/v5 from 5.24.0 to 5.24.1 by @dependabot in #1095
• Bump honnef.co/go/tools from 0.4.0 to 0.4.1 in /tools/linters by @dependabot in #1094
• Bump google.golang.org/api from 0.109.0 to 0.110.0 by @dependabot in #1096
• ROX-15044: Bump nvtools to fix NVD CPE version padded with zeros by @jvdm in #1093
• Bump github.com/containers/image/v5 from 5.24.1 to 5.24.2 by @dependabot in #1101
• Bump golang.org/x/net from 0.6.0 to 0.7.0 by @dependabot in #1102
• Bump honnef.co/go/tools from 0.4.1 to 0.4.2 in /tools/linters by @dependabot in #1099
• Bump github.com/PuerkitoBio/goquery from 1.8.0 to 1.8.1 by @dependabot in #1100
• Bump github.com/golangci/golangci-lint from 1.51.1 to 1.51.2 in /tools/linters by @dependabot in #1098
• e2e: update jenkins-2-plugins FixedBy by @RTann in #1103
• support OpenShift 4 on RHEL 9 CPEs by @RTann in #1079
• e2e: RHSA-2022:7089 updated CVSSv3 score by @RTann in #1105
• Bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.0 by @dependabot in #1108
• Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 by @dependabot in #1107
• Update FixedBy for UBI9 OpenSSL / VIM by @dcaravel in #1112
• Bump google.golang.org/api from 0.110.0 to 0.111.0 by @dependabot in #1109
• ROX-15421: Remove envisolator & update StackRox dep by @Maddosaurus in #1110
• account for OpenShift 4.x on RHEL 7 by @RTann in #1104
• Ignore "Red Hat Enterprise Linux must be installed" criterion in RHELv1 by @RTann in #1106
• Update FixedBy for microsoft.netcore.app by @dcaravel in #1113
• update scanner defs notification by @RTann in #1115
• update comment by @RTann in #1114
• Bump golang.org/x/sys from 0.5.0 to 0.6.0 by @dependabot in #1117
• Fix 4.7 known fixed vulns and max patch by @jvdm in #1119
• Bump google.golang.org/api from 0.111.0 to 0.112.0 by @dependabot in #1121
• Bump github.com/golang/protobuf from 1.5.2 to 1.5.3 by @dependabot in #1120
• ROX-13934: Scanner running in Node Inventory mode by @fredrb in #1116
• remove warning when content sets aren't detected by @RTann in #1122
• ROX-15834: Add context to nodes.Analyze to allow quitting early by @vikin91 in #1118
• ROX-13835: Define user experience when CPEs not found by @jschnath in #1123
• Add context.Background() to Analyze() in inventorizer by @jvdm in #1129
• Bump go.uber.org/goleak from 1.2.0 to 1.2.1 by @dependabot in #1126
• Bump honnef.co/go/tools from 0.4.2 to 0.4.3 in /tools/linters by @dependabot in #1124
• Set the OS from the scanned namespace by @jvdm in #1131
• ROX-15904: migrate caching node scanner by @Maddosaurus in #1130
• Bump github.com/go-git/go-git/v5 from 5.6.0 to 5.6.1 by @dependabot in #1127
• Bump google.golang.org/api from 0.112.0 to 0.114.0 by @dependabot in #1128
• Bump github.com/golangci/golangci-lint from 1.51.2 to 1.52.1 in /tools/linters by @dependabot in #1125
• dependabot update actions by @RTann in #1132
• remove unused import from node_inventory_service.proto by @RTann in #1133
• Bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 by @dependabot in #1139
• Bump actions/add-to-project from 0.3.0 to 0.4.1 by @dependabot in #1135
• ROX-16095: Migrate DurationSetting by @Maddosaurus in #1134
• Bump google.golang.org/grpc from 1.53.0 to 1.54.0 by @dependabot in #1137
• Bump github.com/golangci/golangci-lint from 1.52.1 to 1.52.2 in /tools/linters by @dependabot in #1136
• ROX-13935: Enable RHCOS FF by @vikin91 in #1145
• remove grpc-middleware direct dependency by @RTann in #1141
• ROX-14358: Ensure RHCOS logging is informative by @vikin91 in #1146
• Bump github.com/docker/docker from 20.10.23+incompatible to 20.10.24+incompatible by @dependabot in #1148
• Bump actions/add-to-project from 0.4.1 to 0.5.0 by @dependabot in #1150
• Bump google.golang.org/api from 0.114.0 to 0.115.0 by @dependabot in #1151
• Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #1152
• update genesis manifest by @RTann in #1149
• Bump golang.org/x/sys from 0.6.0 to 0.7.0 by @dependabot in #1153
• ROX-16310 - Fix GetImageComponents ManifestList Not Found by @dcaravel in #1142

New Contributors

• @tommartensen made their first contribution in #946
• @dhaus67 made their first contribution in #958
• @msierks made their first contribution in #745
• @ksurabhi91 made their first contribution in #996
• @Maddosaurus made their first contribution in #1026
• @dcaravel made their first contribution in #1038
• @jschnath made their first contribution in #1123

Full Changelog: 2.26...2.29.0