github AlexGustafsson/cupdate v0.20.0-beta.1

Pre-release

Thanks to everyone who created feature requests, bug reports and tested fixes. Your help is instrumental to continue to improve Cupdate!

Features

Attestations

Cupdate now supports identifying, storing and presenting attestations. Attestations are documents that provide valuable information from the build process of container images. Projects making use of attestations store and ship them within the container image. See: https://docs.docker.com/build/metadata/attestations/attestation-storage/.

There are mainly two types of attestations, both of which are now supported by Cupdate.

Provenance

Provenance attestations include facts about the build process of a container image. They include details such as build timestamps, build parameters and version control metadata. They can also include the actual Dockerfile used to build the image.

More information: https://docs.docker.com/build/metadata/attestations/slsa-provenance/
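To make the storage model described above concrete, here is an added example in Go (not Cupdate's own code) that walks an OCI image index the way the linked attestation-storage document lays it out: it picks out the manifests annotated as attestation manifests, reads their in-toto layers and groups the statements by the platform image they refer to. The index, the blobs and the digests are constructed placeholders, and the `SampleFetch` helper stands in for a registry client. The walker also refuses a layer whose `in-toto.io/predicate-type` annotation disagrees with the statement body, since the annotation is only a hint while the statement body is the attestation itself.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
}

// Statement is the in-toto envelope every attestation layer carries.
type Statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// fetchJSON fetches a blob by digest and decodes it into v.
func fetchJSON(fetch func(string) ([]byte, error), digest string, v any) error {
	raw, err := fetch(digest)
	if err != nil {
		return fmt.Errorf("fetch %s: %w", digest, err)
	}
	return json.Unmarshal(raw, v)
}

// FindAttestations walks an OCI image index and returns, per platform-manifest digest,
// the in-toto statements attached to it. fetch returns the raw blob for a digest.
func FindAttestations(indexJSON []byte, fetch func(string) ([]byte, error)) (map[string][]Statement, error) {
	var index struct {
		Manifests []Descriptor `json:"manifests"`
	}
	if err := json.Unmarshal(indexJSON, &index); err != nil {
		return nil, fmt.Errorf("parse index: %w", err)
	}
	found := map[string][]Statement{}
	for _, desc := range index.Manifests {
		// Attestation manifests are ordinary image manifests flagged only by annotation.
		if desc.Annotations["vnd.docker.reference.type"] != "attestation-manifest" {
			continue
		}
		subject := desc.Annotations["vnd.docker.reference.digest"]
		var manifest struct {
			Layers []Descriptor `json:"layers"`
		}
		if err := fetchJSON(fetch, desc.Digest, &manifest); err != nil {
			return nil, err
		}
		for _, layer := range manifest.Layers {
			if layer.MediaType != "application/vnd.in-toto+json" {
				continue
			}
			var stmt Statement
			if err := fetchJSON(fetch, layer.Digest, &stmt); err != nil {
				return nil, err
			}
			// The layer annotation is only a hint: trust the statement body, refuse disagreement.
			if hint := layer.Annotations["in-toto.io/predicate-type"]; hint != "" && hint != stmt.PredicateType {
				return nil, fmt.Errorf("layer %s: annotation %q but statement %q", layer.Digest, hint, stmt.PredicateType)
			}
			found[subject] = append(found[subject], stmt)
		}
	}
	return found, nil
}

// Constructed sample: one platform image plus its attestation manifest. Digests are placeholders.
const SampleIndex = `{"manifests":[
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:image0001","platform":{"os":"linux","architecture":"amd64"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:attest0001",
  "annotations":{"vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":"sha256:image0001"}}]}`
var SampleBlobs = map[string]string{
	"sha256:attest0001": `{"layers":[
 {"mediaType":"application/vnd.in-toto+json","digest":"sha256:prov0001","annotations":{"in-toto.io/predicate-type":"https://slsa.dev/provenance/v0.2"}},
 {"mediaType":"application/vnd.in-toto+json","digest":"sha256:sbom0001","annotations":{"in-toto.io/predicate-type":"https://spdx.dev/Document"}}]}`,
	"sha256:prov0001": `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"example-builder"}}}`,
	"sha256:sbom0001": `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","predicate":{"spdxVersion":"SPDX-2.3"}}`,
}

// SampleFetch serves the constructed blobs from memory in place of a registry client.
func SampleFetch(digest string) ([]byte, error) {
	if blob, ok := SampleBlobs[digest]; ok {
		return []byte(blob), nil
	}
	return nil, fmt.Errorf("unknown blob %s", digest)
}

func main() {
	found, err := FindAttestations([]byte(SampleIndex), SampleFetch)
	if err != nil {
		panic(err)
	}
	for subject, stmts := range found {
		for _, s := range stmts {
			fmt.Println(subject, s.PredicateType)
		}
	}
}
```

Finding a statement this way only establishes that the registry holds it, not that it is trustworthy; signature verification of the statement is a separate step, which is why the release notes point at the signed provenance for Cupdate's own images.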

SBOMs and vulnerability scanning

Software Bill of Materials (SBOM) attestations describe the software contained in a container image. They include metadata such as package names, versions, authors and licenses. This metadata can be used to further understand which building blocks make up the program packaged within the container image.

Cupdate now not only identifies and stores these SBOMs, it also uses them to scan for known vulnerabilities. This enables more thorough scanning than was previously possible.

The existing sources of vulnerabilities (such as Docker Scout) are still used and have been reworked to ensure that all vulnerabilities are identifiable, so that they integrate well with vulnerabilities found through SBOMs. As part of this change, the API for vulnerabilities has changed. Cupdate now serves vulnerabilities on a separate API path rather than including the data with the image data. Additionally, to promote open standards, the OSV format is now used.
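As an added example (not Cupdate's implementation), the following Go program shows the pipeline the paragraphs above describe: packages are read from the SPDX predicate of an SBOM attestation through their purl references, matched against advisories in the OSV format, and reported keyed by OSV id so that the same vulnerability reported by two sources collapses into one entry. The SBOM, the advisories, the package names and the advisory ids are constructed placeholders; the purl-to-ecosystem table is a deliberately partial assumption, and only OSV's explicit `versions` lists are matched, not `ranges`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Package is one SBOM component keyed the way OSV names packages.
type Package struct{ Ecosystem, Name, Version string }

// OSV is the subset of the OSV schema needed for exact-version matching;
// encoding/json maps "ecosystem"/"name" onto Package's fields case-insensitively.
type OSV struct {
	ID       string `json:"id"`
	Affected []struct {
		Package  Package  `json:"package"`
		Versions []string `json:"versions"`
	} `json:"affected"`
}

// purlEcosystems maps purl types to OSV ecosystem names (assumed, partial table).
var purlEcosystems = map[string]string{"npm": "npm", "pypi": "PyPI"}

// parsePurl turns "pkg:type/name@version?qualifiers" into a Package, rejecting
// purls without a version since nothing could be matched for them.
func parsePurl(purl string) (Package, bool) {
	path, version, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:"), "@")
	version, _, _ = strings.Cut(version, "?")
	typ, name, hasName := strings.Cut(path, "/")
	eco, known := purlEcosystems[typ]
	if !strings.HasPrefix(purl, "pkg:") || !hasName || !known || version == "" {
		return Package{}, false
	}
	return Package{eco, name, version}, true
}

// PackagesFromSBOM reads the SPDX predicate of an SBOM attestation and returns
// every package that carries a purl external reference.
func PackagesFromSBOM(predicate []byte) ([]Package, error) {
	var doc struct {
		Packages []struct {
			ExternalRefs []struct {
				ReferenceType    string `json:"referenceType"`
				ReferenceLocator string `json:"referenceLocator"`
			} `json:"externalRefs"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(predicate, &doc); err != nil {
		return nil, fmt.Errorf("parse SPDX: %w", err)
	}
	var pkgs []Package
	for _, p := range doc.Packages {
		for _, ref := range p.ExternalRefs {
			if pkg, ok := parsePurl(ref.ReferenceLocator); ref.ReferenceType == "purl" && ok {
				pkgs = append(pkgs, pkg)
			}
		}
	}
	return pkgs, nil
}

// Match maps each advisory id to the SBOM packages its explicit version list names.
// Keying by id means one vulnerability seen by two sources lands under one entry.
// OSV "ranges" are not handled: they need a per-ecosystem version comparator.
func Match(pkgs []Package, advisories []OSV) map[string][]Package {
	out := map[string][]Package{}
	for _, adv := range advisories {
		for _, aff := range adv.Affected {
			for _, pkg := range pkgs {
				if aff.Package.Ecosystem == pkg.Ecosystem && aff.Package.Name == pkg.Name && slices.Contains(aff.Versions, pkg.Version) {
					out[adv.ID] = append(out[adv.ID], pkg)
				}
			}
		}
	}
	return out
}

// Constructed sample data: package names and advisory ids are placeholders.
const SampleSBOM = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"example-lib","versionInfo":"1.4.0","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:npm/example-lib@1.4.0"}]},
 {"name":"example-pkg","versionInfo":"2.0.0","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:pypi/example-pkg@2.0.0"}]}]}`
const SampleAdvisories = `[
 {"id":"EXAMPLE-2024-0001","affected":[{"package":{"ecosystem":"npm","name":"example-lib"},"versions":["1.3.0","1.4.0"]}]},
 {"id":"EXAMPLE-2024-0002","affected":[{"package":{"ecosystem":"PyPI","name":"example-pkg"},"versions":["1.9.0"]}]}]`

// Scan runs the pipeline on the constructed input.
func Scan() (map[string][]Package, error) {
	pkgs, err := PackagesFromSBOM([]byte(SampleSBOM))
	if err != nil {
		return nil, err
	}
	var advisories []OSV
	err = json.Unmarshal([]byte(SampleAdvisories), &advisories)
	return Match(pkgs, advisories), err
}

func main() {
	findings, err := Scan()
	fmt.Printf("%+v (err=%v)\n", findings, err)
}
```

Matching only explicit versions keeps the example honest: OSV `ranges` (SEMVER, ECOSYSTEM, GIT) require the ecosystem's own version ordering, and getting that ordering wrong produces both missed and spurious findings.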

Cupdate publishes provenance attestations and an SBOM attestation for itself. Provenance attestations are signed and can be verified here: https://github.com/AlexGustafsson/cupdate/attestations.

UI improvements

A lot of changes have been made to improve the UI and UX of the web app, as well as its accessibility.

All cards are now minimizable. The state of each card is persisted in local storage.

Links have been moved to their own card, allowing Cupdate to show a description for known URL types.

Graph rendering has been reworked to better render graphs with many nodes. The controls have been reworked to be clearer and in line with the rest of the UI.

Tags have been reworked to better convey their meaning and urgency. Tags are now sorted by importance and urgency. For example, a tag showing that an image is vulnerable is shown before one showing that it belongs to a specific namespace, and a tag showing that an image is outdated is shown before its "bump" tag. Additionally, colors have been chosen to better depict the urgency of tags, making it easier to quickly identify the state of an image. To further improve the context of tags like bumps, more tags are now namespaced.

On small screens, the grid view will now show two columns.

Other changes:

  • The entire app can now be used with the keyboard, making the UI more accessible
  • Graphs now re-center automatically when the screen size changes
  • Dialogs, toasts and tooltips are animated
  • Reference names such as ghcr.io/alexgustafsson/cupdate now word-break on slashes
  • The "schedule processing" button has moved to the workflow card
  • Scroll position is reset on page change

Status clarifications

Cupdate runs a lot of checks for every image to identify as much useful information as possible. Not all checks succeed all of the time, depending on whether the data is available at all, or is locked behind authentication. Cupdate will now show the status of images more clearly, splitting the "failed" status into "failed" and "incomplete".

  • Failed: images are considered failed if the information required to identify the latest version could not be retrieved
  • Incomplete: images are considered incomplete if one or more parts of the workflow that provide additional information failed to run

Towards 1.0.0

A lot of features and improvements have been added to Cupdate over the past minor releases, taking steps towards a first stable release (in the semantic versioning sense). In order to get there, and to make it possible to develop improvements and fixes with confidence that they don't break existing features or installations, a lot of effort has gone into writing additional comprehensive test suites for Cupdate, targeting wide test coverage through unit and integration tests.

Improvements and fixes

  • Add hosts / nodes to dependency graph
  • Fix vulnerabilities not being upserted correctly
  • Delete potentially outdated data
  • Cache immutable web assets, making page load faster
  • Serve web content with gzip, making page load faster
  • Fix incorrect use of Docker config's auth field
  • Don't send traceresponse when not tracing
  • Include all known tags in UI dropdown
  • Support an "or" operator in tag filters - not yet exposed in UI
  • Improve web server error handling
  • Fix web server returning wrong status code in edge case
  • Set image description from annotations if no other means are found
  • Fix constant trace id shown in the UI

Breaking changes

  • The vulnerabilities field of the image document now only includes the number of identified vulnerabilities
  • Vulnerabilities are now served on a separate API path (/image/vulnerabilities), using the OSV format

Refer to the API documentation for more details.

Full Changelog: v0.19.0...v0.20.0-beta.1
