0.3.2

What's Changed

• chore(config): remove cliff.toml since it is unused by @rphillips in #110
• chore(Dockerfile): bump dockerfile to use golang 1.21 by @rphillips in #111
• chore(images): add openshift dockerfile by @rphillips in #112
• add label by @rphillips in #113
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.6 to 6.4.7 by @dependabot in #114
• Add podman so that we can run the check in the container by @liangxia in #116
• config.toml: add exception for rukpak by @kolyshkin in #117
• exclude a statically-compiled utility for OLM by @stevekuznetsov in #118
• add Java / JDK image scan option by @tchughesiv in #115
• internal/podman: add retry by @kolyshkin in #121
• config: exclude ovnkube-trace for 4.14 by @kolyshkin in #122
• dockerfile: bump base to rhel 9 by @rphillips in #124
• dummy commit to rebuild images by @rphillips in #125
• OCPBUGS-22678: bump builder to rhel9 by @rphillips in #126
• chore(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.18 by @dependabot in #127
• chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible by @dependabot in #128
• chore(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 by @dependabot in #129
• chore(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.5 by @dependabot in #131
• chore(deps): bump k8s.io/klog/v2 from 2.100.1 to 2.110.1 by @dependabot in #132
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.7 to 6.4.9 by @dependabot in #133
• Add opm so that we can run the operator index image check in the container by @xiaojiey in #135
• README minor fix by @ashwindasr in #136
• add oc to image by @rphillips in #137
• add runc to image by @rphillips in #138
• chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #134
• Add jq to image by @xiaojiey in #139
• OCPBUGS-24612: check for goexperimental >= 1.18 by @rphillips in #143
• chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #144
• chore(deps): bump github.com/deckarep/golang-set/v2 from 2.3.1 to 2.6.0 by @dependabot in #145
• chore(deps): bump k8s.io/klog/v2 from 2.110.1 to 2.120.0 by @dependabot in #148
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to 6.5.3 by @dependabot in #149
• x_cgo: check for _cgo_topofstack by @rphillips in #152
• Add a "local" scan sub-command avoids podman mount by @bentito in #154
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to 6.5.4 by @dependabot in #153
• chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in #155
• chore(deps): bump k8s.io/klog/v2 from 2.120.0 to 2.120.1 by @dependabot in #151
• Adding /usr/bin/tini-static back to the ignore list by @FilipB in #157
• add 4.15 and 4.16 config files by @rphillips in #158
• update for 4.16 by @rphillips in #159
• fallback to bigendian to check for golang magic number by @rphillips in #164
• add Lance Bragstad to owners by @rphillips in #160
• Add exception for bond cni RHEL 8 binary in RHEL 9 base by @mrunalp in #168
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.4 to 6.5.8 by @dependabot in #169
• update 4.15 ignores by @ashwindasr in #170
• Update docs to reference correct bundle directory by @rhmdnd in #172
• chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 by @dependabot in #173
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #162
• Add exceptions for OpenShift Virtualisation by @dominikholler in #174
• volsync-container exception for diskrsync binary by @tesshuflower in #177
• chore(deps): bump google.golang.org/protobuf from 1.28.1 to 1.33.0 by @dependabot in #161
• Update excludes by @ashwindasr in #176
• Setup 4.17 config.toml by @ashwindasr in #180
• Update 4.11 exclude by @ashwindasr in #181
• [4.15] exclude sriov-cni-container ErrLibcryptoSoMissing by @ashwindasr in #182
• Fix braces by @dominikholler in #183
• chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to 6.5.9 by @dependabot in #179
• Update excludes by @ashwindasr in #186
• add Ashwin to config approvers by @rphillips in #187
• add rukpak and lifecycle manager to 4.17 by @ashwindasr in #188
• Add skopeo and umoci to CI image by @swghosh in #189
• chore(deps): bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0 by @dependabot in #190
• int/types: rm NewDefaultConfig by @kolyshkin in #191
• update rukpak and lifecycle manager excludes by @ashwindasr in #192
• CMP-2633: Update check to support golang 1.22 symbols by @rhmdnd in #196
• Fix golang 1.22 symbols check by @karelyatin in #197
• exclude operator-lifecycle-manager-container by @ashwindasr in #200
• chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #194
• chore(deps): bump k8s.io/klog/v2 from 2.120.1 to 2.130.1 by @dependabot in #198
• Implement an operating system check for FIPS certified distributions by @rhmdnd in #175
• Fix OS scan when -V is not set by @rphillips in #202
• [OSSM-6411] Ignore rhel9 binary in rhel8 istio-cni image by @asmigala in #203
• bump deps by @rphillips in #204
• CMP-2639: Exclude binary libcrypto check using golang 1.22 by @rhmdnd in #205
• Pass component information to scan local check by @rhmdnd in #206
• config: exclude runc by @kolyshkin in #207
• add invalid tag ignore for runc by @rphillips in #208
• add ose-operator-framework-tools-container to 4.16 exclude by @ashwindasr in #209
• MCO: ignore additional binaries for 4.14/4.15 by @yuqi-zhang in #210
• add 4.18 config.toml by @ashwindasr in #211
• OCPBUGS-37846: rpm.runc ignore ErrLibcryptoMissing by @sdodson in #212
• openshift-enterprise-operator-sdk-container update exclude by @ashwindasr in #213
• openshift-enterprise-operator-sdk-container update exclude by @ashwindasr in #214
• Add RHEL 9.4 to certified distributions by @sdodson in #220
• Update checks to support golang 1.21.13 symbols by @olliewalsh in #221
• [ART-11064] create 4.19 config file by @ashwindasr...

0.3.1

Features

• Config de-duplication (moved some rules into the main config.toml)
• Improve config validation for [[ignores]] sections
• Add 4.14 configuration.
• Add semver sort of stored config versions
• Add --walk-scan flag to node scan. If set, the scan is using the same
  algorithm as scan payload (walk the directory tree and scan all files).
  Note that per-payload and per-tag configuration entries are still ignored
  because neither tag nor component is set.
• Add --rpm-scan flag to payload and image scan. If set, the scan is using
  the same algorithm and rules as scan node (only scan files belonging to RPM
  packages, and ignore per-payload and per-tag configuration entries).

Bug fixes

• Fix error text in message when logging scan node failure/warning
• Fix checking for duplicates in config validation logic

0.3.0

[0.3.0] - 2023-08-01

This is a major release, which allows more fine-grained exceptions
configuration. Instead of merely excluding some files from being checked,
it is now possible to ignore specific well known errors for some specific
files or directories in a specific RPM packages, or components, or tags.

In addition, per-rpm configuration rules ([rpm.xxx], previously known as
[node.xxx]) are now applicable to payload and image scans, alleviating the need
to duplicate the exclusions.

The exceptions printing (-p) now prints exceptions in the new format (per-error,
also per-rpm, if possible, or per-component, or per-tag), making it easier to
maintain configurations.

Another notable feature is that a versioned configuration is not merged into
the main one, rather that replacing it, allowing to specify exclusions common
to multiple OpenShift versions to a main configuration file.

The configurations were rewritten mostly using the new rules. Due to this,
some previously added exceptions might be lost and need to be re-added.

Some validations of configuration were added, and invalid configurations might
be rejected now (or warned about, depening on the severity). An example of such
bad configuration is a non-canonical (non-clean or not absolute) file name.

A bunch of performance optimizations has been made, and the tool no longer
requires "file" and "go" binaries to be present on the system.

Features

• Ensure the configuration is fully parsed
• Remove dependency on go binary
• Rename node ignores to rpm ignores in configs
• Use rpm name only (not name-version-release.arch) in configs
• Report rpm name in image/payload scan results
• Use per-rpm config filters in image/payload scans
• Add tag and rpm support to displayExceptions
• Show component, tag, rpm in log
• Unify node and payload/image reports
• Add known errors
• Add ability to ignore specific known errors for specific files/dirs
• Display exceptions in the new per-error format
• Major config facelift using (mostly) per-error exclusions
• Make the versioned config (e.g. -V 4.12) added to the main one,
  implement config merging with duplicate checks
• Add configuration validation (absolute/clean URLs, etc)

Bug fixes

• Node scan: use dbpath in all rpm calls for node
• Add warning where there are no build tags in Golang binary
• Fix "Successful run" message when there are warnings
• Log the entire configuration, not a part of it
• Check for and report errors from isGoExecutable
• node scan: report warnings as such
• Hide "found operator" messages under increased verbosity level
• Do not ignore rpm -qa errors from node scan
• Add/use getTag, getImage, getComponent to avoid potential nil dereferences
• Report, do not lose error from filepath.WalkDir
• Log inner path in node scan
• scan payload: require either --url or -- file

Performance

• Store semver in baton
• Instantiate go semver constraint only once
• Instantiate go tag mapsets only once
• Optimize validateGoVersion, add a benchmark
• Improve regexp use in validateGoTags, add a benchmark
• validateGoTags: simplify and speedup
• validateStringsOpenssl: simplify and speedup
• ReadTable: do not build a map
• Skip all files with no x bit set
• Use debug/elf (rather than spawning file tool) to detect static binaries

Code cleanups

• Removal unused code and variables
• Unify loop in scanBinary
• ExpectedSyms: document, refactor, return bool
• Simplify displayExceptions
• Remove tag argument from validation functions
• Move rpm-related functionality to a separate package
• Simplify file mode check in RunNodeScan
• Simplify returns from validateTag
• Simplify return from RunOperatorScan
• Remove tag and component arguments from ScanBinary

Miscellaneous

• Add OWNERS file
• CI: add golangci-lint timeout
• GH: add dependabot configuration
• GH: add ok-to-test label to dependabot
• Add vendor directory
• CI: add make test
• CI: test that embedded configs are sane
• CI: tests for config merge

0.2.19

[0.2.19] - 2023-07-11

Bug Fixes

• Fix remove container create/rm step
• Remove obsoleted requirements
• Use RPM name in node scan
• perf: validaetGoSymbols and skip early
• perf: compile regexes only once
• perf: isGoExecutable do not use regexp

Features

• Add node ignores
• Add 4.9, 4.10, 4.11, 4.12, 4.13 config files
• Add warning support and ---fail-on-warnings

0.2.17

[0.2.17] - 2023-06-30

Bug fixes

• Fixes to -p output

Features

• Add support for per-tag ignores
• Add config file for 4.12

0.2.16

[0.2.16] - 2023-06-30

Bug fixes

• Cleanup Go symbols error message
• Fix PIE executables detection
• GHA-related fixes to CI
• Add LICENSE

Features

• Add support for per-payload image ignores
• Add exception printer (-p) option
• Configuration: add more exceptions

Documentation

• CHANGELOG: cleanup
• README: add prereqiusites