Releases: gocsaf/csaf

v3.0.0

14 Dec 16:43
6c8b375

Highlights

  • Require only Go 1.20 (was Go 1.21) to support broader library usage.
  • Fixed time filtering when downloading advisories.
  • Added support for legacy security.txt location.
  • Added function to find product identification (Thanks to @juan131)
  • Smaller improvements in the documentation.

PRs

  • #519 Advisories: Time filter download by 'updated' field in ROLIE entries.
  • #516 Go 1.20 compat: Remove usage of slices in enum generator.
  • #514 Support Go 1.20
  • #513 Older version
  • #512 Downloader: Add tlp label to path if no custom directory is configured. Refactor accordingly
  • #510 Add GH Action execution on PRs
  • #506 PMD: Support legacy security.txt location as fallback.
  • #505 feat: Add function to find product identification helpers inspecting the tree
  • #502 docs: underline that we are not offering an API yet
  • #501 docs: move link to final CSAF 2.0 in README

v3.0.0 RC1

08 Nov 09:55
65fae93

Highlights

  • Breaking: All command line and configuration file options are now unified to use snake_case notation.
    You may need to update your configuration files or calling shell scripts.
  • Add a model to serialize/deserialize advisories.
  • Add an example of how to use this to find PURLs by product IDs.
  • Use our own fork of the JSONPath library as upstream patches are still pending.
  • Improve the docs.
  • Add community support for building the tools on macOS (thanks to @fjd-anh).

PRs

  • #502: docs: underline that we are not offering an API yet
  • #501: docs: move link to final CSAF 2.0 in README
  • #499: API examples: Improved wording in examples/README.md
  • #498: Convert a lot of command line arguments to snake case
  • #497: API: Fix pattern matching of purls and document categories in advisory model
  • #496: Dependencies: Update 3rd-party dependencies
  • #495: Docs: Fix link to development doc page.
  • #493: Docs: Add Development.md
  • #492: Checker: Fix doc of TOML config of validator
  • #490: Use Intevation's JSONPath fork
  • #489: API examples: move csaf_searcher to a lower prio place
  • #483: Time ranges: Accept days, months and years
  • #482: docs: improve timerange documentation
  • #481: Fix: improve logging for downloader and aggregator
  • #476: Add build for macOS
  • #475: Schema validation: Add AssertFormat flag to schema compiler
  • #473: Adding advisory model

v3.0.0 - Beta 2

12 Oct 13:16
666913e

Highlights

  • This is mainly a bug fix release with no new features.
  • The documentation was slightly improved.
  • The unit test coverage for the new parts of the downloader was extended.
  • The used third party libraries were brought up to date.

PRs

  • #470: Downloader: unit test forwarder
  • #475: Schema validation: Add AssertFormat flag to schema compiler
  • #472: Checker: Fix year folder check
  • #469: docs: update main README
  • #468: Update 3rd-party dependencies

v3.0.0 - Beta 1

27 Sep 15:32
7a8cdb6

Highlights

  • All tools are now able to store their configurations in .toml files.
  • Breaking change: Support for .ini files in the uploader is dropped.
  • The checker, downloader and aggregator are now able to filter down the fetched advisories by time ranges and regular expressions of their URLs.
  • Breaking change: The legacy -years flag is removed from the checker.
  • The downloader now uses structured logging to make it easier to process the resulting logs.
  • The downloader is now able to use a configurable folder to download into.
  • Breaking change: The -verbose flag was removed. The level of detail is now handled by the configurable log level.
  • The downloader is now able to forward the downloaded advisories to a configurable endpoint.
  • Breaking change: To compile the tools at least Go 1.21 is needed.

To reflect the breaking changes we bumped the major version from v2 to v3.

PRs

  • #467: Lift distribution from v2 to v3
  • #466: Integration Tests: Remove verbose flag from downloader
  • #465: Downloader: Document the implemented forward API
  • #464: Downloader: Remove verbose flag
  • #463: Downloader: unit tests for stats
  • #461: Change release action to use elder Ubuntu runner
  • #460: Unit tests of internal packages
  • #458: feat: log redirects
  • #450: downloader: Drop time precision below seconds in log output.
  • #447: downloader: Fix logging docs and some comments
  • #445: Improve code comment
  • #444: downloader: improve code comments
  • #443: Downloader: Add structured logging, fails storing and statistics
  • #442: Downloader: Add forwarding to HTTP endpoint
  • #441: Checker: Fix checking of missing files
  • #440: aggregator: Look for config files in similar places like the other tools
  • #439: uploader: use the TOML config file infrastructure, too.
  • #436: Update dependencies
  • #435: Document potential security issue with plain PEM passwords.
  • #443: Document regular expression syntax used for filtering URLs.
  • #442: Aggregator: Add time range filtering
  • #431: No longer set timestamp of version as part of go version in prepareUbuntuInstanceForITests
  • #430: Checker: remove years flag
  • #429: Error to explaining warning when loading lpmd messages in checker
  • #424: Aggregator: Add support for client certificates and extra header
  • #423: Downloader: Add support for client certificates
  • #422: Checker: Add time range to report
  • #421: Aggregator: ignore advisories by given patterns
  • #420: Checker: ignore advisories by given patterns
  • #419: Downloader: ignore advisories by given patterns
  • #418: Add option to specify download folder
  • #416: Fix version config and make aggregator use new command line parser.
  • #414: Checker: Make time range configurable to check advisories from
  • #413: Downloader: Make time range configurable to download advisories from
  • #412: Add TOML config to checker
  • #409: Make rolie or directory listing mandatory
  • #406: Track whether files could not be accessed and report it when reporting about accessibility of TLP:WHITE advisories
  • #405: Use TOML as config file format in downloader
  • #404: Add support for config files in downloader.

Release 2.2.0

14 Jul 09:16
de27a66

Highlights

  • Role based reporting in the checker.
  • Improved output in error cases and in the checker report.
  • The downloader is now able to fetch more than one advisory at once.
  • Needs at least Go 1.20 to build the tools.
  • Various bug fixes.

PRs

  • #391: Complete requirement 4 (ROLIE)
  • #401: Add info for Req 8-10 if direct url was given and as such no checks were performed.
  • #400: Allow http redirects
  • #393: Don't use string comparison to rank labels.
  • #390: Check for advisoryLabel instead of feedlabel.
  • #388: Use Set type
  • #389: Update third party libraries
  • #382: Improve error message if filename does not match document/tracking/id and let it be reported by the proper reporter
  • #357: Empty rolie
  • #373: Role requirements 11-14 or 15-17
  • #378: Burn v2 version into binaries.
  • #370: Fix pmd crash
  • #369: Simplified requirement 15
  • #372: We need at least Go 1.20
  • #371: Fix go.mod and internal dependencies for major version v2
  • #366: Prepare infrastructure for role based reporting
  • #365: Check that filename matches /document/tracking/id
  • #361: Be more verbose in case of signature check failures
  • #363: Add concurrent downloads to downloader.
  • #362: Update 3rd party libraries.
  • #364: doc: improve rate default documentation
  • #355: Add revive action to workflows
  • #328: Enforce application/json when uploading advisories to provider.

2.1.0

28 Feb 16:48

For changes see milestone "Release 2.1.0"

2.0.0

26 Sep 16:13
1189d53
  • BREAKING CHANGE: code can now only be compiled with Go versions newer than 1.19.1
  • add a .gitignore

First stable release

31 Aug 14:57

This is considered the first stable version as it has passed the internal testing. :-)

v0.9.6

26 Aug 15:11
70b4e18
  • Interim mode of aggregator should work now.
  • Publishers are now listed in aggregator.json correctly.
  • Columns in changes.csv are now always written in double quotes.
  • Various bug fixes.

v0.9.5

01 Aug 13:41
892a0b9
Compare
Choose a tag to compare

More bug fixes.