github quay/clair v4.7.3
v4.7.3 Release


Highlights:

  • The minimum TLS version is now 1.2.
    Previously, servers also allowed 1.1 connections.

  • Claircore is updated to v1.5.25:

    • rhcc, rhel: support compression of sideband data

      If a Clair instance is using local files for the data needed for the `rhel` and `rhcc` indexers, this data may now be compressed. This should allow for the files to fit within a Kubernetes ConfigMap, making some deployments easier to wrangle.
    • datastore: add "delta" update interface

      This change should allow for updaters to use fewer resources and consume API-based data sources in the future. As of this change, no in-tree updaters have been converted to this interface.
    • java: size buffers correctly before use

      This should reduce memory consumption for indexing layers that have deeply nested Java archives.
    • postgres: remove internal timeouts

      Database queries now take as long as needed to execute. This shouldn't negatively affect any working uses, and should make some slower or less-optimized queries possible on larger instances.
    • integration: make PGVERSION a pattern

      The behavior of the setup of an embedded PostgreSQL in integration tests has changed. The relevant environment variable (`PGVERSION`) is now a pattern instead of a literal version string. Note that a version string is a pattern that matches itself, so that format continues to work.

      Additionally, the version used is now read from the distributed manifest, rather than hard-coded versions. Other than occasional network calls to fetch this manifest, users shouldn't notice any difference.

    • alpine: add edge support

      Alpine's `edge` version should now be supported for reporting.
    • rpm: support PGP V4 signatures

      Rpm has apparently started using "current"/V4 PGP signatures, which claircore was not handling. This adds support for these signatures.
    • jsonblob: add a disk buffering step

      This improves "offline" operation by eagerly buffering output to disk instead of creating a large in-memory data structure first.

      This makes the API trickier but given that there's a single (known and intended) user, this should be fine.

    • tarfs: check a potential integer overflow

      This change fixes a potential integer overflow in tar handling code.

      The possibility of exploiting this is effectively 0, as it would require more bytes to represent a sufficiently large integer than are available in the tar header.

      See also: https://github.com/quay/claircore/security/code-scanning/5

    • gobin: take into account package replacements

      Previously, there was a bug where package replacements were not considered for go binaries.
    • all: purge http.DefaultClient usage

      Some packages with less churn (`photon`, `oracle`, `aws`) were using older ways of getting an `*http.Client` or using `http.DefaultClient`.

      This change breaks some API in exchange for unifying the `*http.Client` handling. The practical upshot is that it's much easier to control the network contact surface.

    • all: share single FS implementation

      Claircore components that deal with `Layer` objects now share a single backing File and a single `fs.FS` implementation when using the `FS` method. There should be no noticeable changes for users, but out-of-tree implementations may want to move over to using the new FS method.

      This change should improve memory usage.

    • libindex: move to O_TMPFILE fetcher

      This release uses a new fetcher (the component responsible for pulling layers locally) that makes use of the O_TMPFILE flag to open(2). This ensures that layer files will be cleaned up even in the event of an unclean shutdown, including being sent a KILL signal.
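
The O_TMPFILE property described above, as an added Go example that is not claircore's fetcher code: `OpenAnonymous` opens a file under a directory with `O_TMPFILE`, so no directory entry ever exists and the kernel reclaims the data when the last descriptor closes, whatever way the process dies. The flag values are assumed from the Linux kernel headers for the listed architectures (they are not exported by the standard `syscall` package), and when the flag is unavailable or the filesystem refuses it the helper falls back to create-then-unlink, which is the portable way to get the same cleanup guarantee. `StageLayer` and the layer bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"runtime"
)

// oTmpFile returns Linux's O_TMPFILE for the architectures this example knows
// about (__O_TMPFILE | O_DIRECTORY; the O_DIRECTORY bit differs per arch) and 0
// elsewhere, meaning "use the fallback". Values assumed from kernel headers.
func oTmpFile() int {
	if runtime.GOOS != "linux" {
		return 0
	}
	switch runtime.GOARCH {
	case "amd64", "386":
		return 0x410000
	case "arm64", "arm", "riscv64":
		return 0x404000
	}
	return 0
}

// OpenAnonymous opens an unnamed file inside dir. With O_TMPFILE no directory
// entry is ever created and the kernel frees the data when the last descriptor
// closes, so an unclean shutdown (including SIGKILL) cannot leave a file behind.
// If O_TMPFILE is unavailable (non-Linux, an old kernel, or a filesystem that
// rejects it, typically with EOPNOTSUPP or EISDIR) it falls back to
// create-then-unlink, which gives the same guarantee after a brief window in
// which a name exists. The second result reports which path was taken.
func OpenAnonymous(dir string) (*os.File, string, error) {
	if flag := oTmpFile(); flag != 0 {
		if f, err := os.OpenFile(dir, os.O_RDWR|flag, 0o600); err == nil {
			return f, "O_TMPFILE", nil
		}
	}
	f, err := os.CreateTemp(dir, "layer-*")
	if err != nil {
		return nil, "", err
	}
	if err := os.Remove(f.Name()); err != nil {
		f.Close()
		return nil, "", err
	}
	return f, "unlink", nil
}

// StageLayer writes blob into an anonymous file under dir, counts the directory
// entries visible while the file is open, and reads the data back. A read-back
// mismatch is reported as an error.
func StageLayer(dir string, blob []byte) (mode string, visible int, err error) {
	f, mode, err := OpenAnonymous(dir)
	if err != nil {
		return "", 0, err
	}
	defer f.Close()
	if _, err := f.Write(blob); err != nil {
		return mode, 0, err
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return mode, 0, err
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return mode, 0, err
	}
	got, err := io.ReadAll(f)
	if err != nil {
		return mode, 0, err
	}
	if !bytes.Equal(got, blob) {
		return mode, len(entries), fmt.Errorf("read back %d bytes, wrote %d", len(got), len(blob))
	}
	return mode, len(entries), nil
}

func main() {
	dir, err := os.MkdirTemp("", "layers-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed stand-in for layer bytes.
	mode, visible, err := StageLayer(dir, []byte("constructed layer bytes"))
	fmt.Printf("mode=%s entries visible while open=%d err=%v\n", mode, visible, err)
}
```

On a host that supports it, `mode` is `O_TMPFILE` and the directory stays empty for the whole lifetime of the file; on the fallback path the name exists only between `CreateTemp` and `Remove`, which is the window a crash could still leave a stray file in.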

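The raised TLS floor from the first highlight, as an added Go example that is not Clair's server code: `ServerConfig` builds the 4.7.3 setting (`MinVersion: tls.VersionTLS12`) beside the previous one that still admitted TLS 1.1, and `Handshake` runs a client pinned to one protocol version against each over an in-memory pipe, so you can see which versions each configuration accepts without opening a socket. The self-signed certificate, the `clair.example` name and both helper functions are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-memory
// handshakes below. Constructed for this example; not Clair's key material.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "clair.example"},
		DNSNames:     []string{"clair.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerConfig returns server-side TLS settings. legacy=true reproduces the
// pre-4.7.3 floor (TLS 1.1 still accepted); legacy=false is the 4.7.3 floor.
// Setting MinVersion explicitly keeps the floor independent of Go's defaults.
func ServerConfig(cert tls.Certificate, legacy bool) *tls.Config {
	minVersion := uint16(tls.VersionTLS12)
	if legacy {
		minVersion = tls.VersionTLS11
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	}
}

// Handshake performs one TLS handshake over an in-memory pipe with a client
// pinned to exactly clientVersion. It returns the negotiated protocol version,
// or an error when the server refuses that version.
func Handshake(server *tls.Config, clientVersion uint16) (uint16, error) {
	cpipe, spipe := net.Pipe()
	defer cpipe.Close()
	defer spipe.Close()
	deadline := time.Now().Add(5 * time.Second)
	cpipe.SetDeadline(deadline)
	spipe.SetDeadline(deadline)

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(spipe, server).Handshake() }()

	cli := tls.Client(cpipe, &tls.Config{
		ServerName:         "clair.example",
		InsecureSkipVerify: true, // self-signed demo cert; not for production use
		MinVersion:         clientVersion,
		MaxVersion:         clientVersion,
	})
	if err := cli.Handshake(); err != nil {
		cpipe.Close() // unblock the server side, then collect its result
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for _, legacy := range []bool{true, false} {
		for _, v := range []uint16{tls.VersionTLS11, tls.VersionTLS12} {
			got, err := Handshake(ServerConfig(cert, legacy), v)
			fmt.Printf("legacy=%-5v client=%#x negotiated=%#x err=%v\n", legacy, v, got, err)
		}
	}
}
```

Against the 4.7.3 configuration the TLS 1.1 client fails with a protocol-version alert while the TLS 1.2 client negotiates 1.2; against the legacy configuration both succeed. The same check against a running instance is `openssl s_client -tls1_1 -connect host:port`, which should fail to complete the handshake after this upgrade.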
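The "network contact surface" point from the `http.DefaultClient` purge, as an added Go example that is not claircore's code: once every component receives an injected `*http.Client` instead of reaching for the process-wide default, a single constructor can wrap the transport with an allowlist so that a request to any host not declared up front is refused before DNS or a dial ever happens. `NewRestrictedClient`, `allowlistTransport` and the local test server standing in for a data source are constructed for this illustration; the allowlist idea is mine, not an API of claircore.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrHostNotAllowed marks a request stopped before any connection attempt
// because its host is outside the allowlist.
var ErrHostNotAllowed = errors.New("host not in allowlist")

// allowlistTransport wraps a RoundTripper and refuses requests to hosts that
// were not explicitly permitted. When every *http.Client in the program comes
// from NewRestrictedClient, the set of network peers is known in advance.
type allowlistTransport struct {
	next  http.RoundTripper
	hosts map[string]bool // hostname without port -> allowed
}

func (t *allowlistTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	host := req.URL.Hostname()
	if !t.hosts[host] {
		return nil, fmt.Errorf("%w: %q", ErrHostNotAllowed, host)
	}
	return t.next.RoundTrip(req)
}

// NewRestrictedClient returns an *http.Client that only talks to the given
// hosts, with an overall timeout so a slow data source cannot hang a caller.
// Redirects go through the same transport, so they are allowlisted too.
func NewRestrictedClient(hosts ...string) *http.Client {
	allowed := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		allowed[h] = true
	}
	return &http.Client{
		Transport: &allowlistTransport{
			next:  http.DefaultTransport.(*http.Transport).Clone(),
			hosts: allowed,
		},
		Timeout: 30 * time.Second,
	}
}

// Fetch performs a GET with the supplied client (never http.DefaultClient)
// and returns the status code.
func Fetch(c *http.Client, rawURL string) (int, error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// RunDemo starts a local test server standing in for a permitted data source,
// then issues one permitted and one forbidden request. It returns the status
// of the permitted request and the error from the forbidden one.
func RunDemo() (allowedStatus int, blockedErr error, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	defer srv.Close()

	// srv.URL is http://127.0.0.1:<port>; only that host is permitted.
	client := NewRestrictedClient("127.0.0.1")
	allowedStatus, err = Fetch(client, srv.URL+"/data")
	if err != nil {
		return 0, nil, err
	}
	// .invalid is a reserved TLD, and the request is refused before any DNS
	// lookup or dial, so this stays offline.
	_, blockedErr = Fetch(client, "http://updates.example.invalid/data")
	return allowedStatus, blockedErr, nil
}

func main() {
	status, blocked, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("permitted host status:", status)
	fmt.Println("forbidden host error:", blocked)
	fmt.Println("classified as allowlist block:", errors.Is(blocked, ErrHostNotAllowed))
}
```

`http.Client` wraps transport errors in a `*url.Error`, which unwraps, so callers can still classify the refusal with `errors.Is(err, ErrHostNotAllowed)` and log it as a policy block rather than a network failure.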
v4.7.3 - 2024-02-26

Admin

  • 9517c7be: add a check for compatible migration version
    See Also: #1915

Chore

Config

  • 6ba32131: update minimum TLS version for server
    See Also: #1945
