github quay/clair v4.9.0
v4.9.0 Release

Unreleased

v4.9.0 - 2025-12-10

Claircore

  • enrichment: don't consider vulnerability.Description for enrichments

    Descriptions often mention other CVEs, or several CVEs, besides the one actually associated with the vulnerability, which led to the wrong scores being attached. Only the Name and Links fields are now considered when looking up enrichment data.
  • postgres: better GetEnrichments query

    The new query is in "normal" `JOIN`-and-`WHERE` form and does not use the `latest_update_operations` view. In testing, this was much quicker to execute.
  • rpm: fix use of unique.Handle pinning fs.FS

    The previous code kept the pinned fs.FS alive through the unique.Handle, so its memory could never be reclaimed; this could lead to excessive memory consumption by the indexer in claircore v1.5.40.
  • vex: account for new VEX RPM module logic

    The Red Hat security data team is changing how modules are represented in VEX files; this change accounts for that update. Specifically, module relationships are no longer expressed through formal VEX relationships but as PURL qualifiers.
  • cvss: switch to NVD 2.0 JSON feeds

    NVD deprecated its 1.1 JSON feeds, which claircore relied on for CVSS enrichment data. This change moves the CVSS enricher updater to the 2.0 feeds.
  • chore: upgrade from pgx v4 to v5

    pgx v4 reaches end of life in July 2025. This change moves claircore to v5.
  • vex: allow timeout to pull down VEX archive to be configurable

    As part of the RHEL VEX update process, claircore first downloads an archive of all CVEs, not only those affecting Red Hat products, so the file is large even when compressed. The download timeout was previously fixed at 2 minutes. That value remains the default, but it can now be changed with updaters.config.rhel-vex.compressed_file_timeout.
  • rpm: add function to determine if packages are installed from RPMs

    This change allows language detectors to discard packages that were determined to have been installed from an RPM. Only the RPM package is then matched against advisories, which reduces false positives where the distribution has patched a language package but its own metadata was not (or cannot be) updated to reflect the fix.
  • sbom: add encoder to encode index reports as SPDX documents

    This change adds the ability in claircore to convert an index report into an SPDX-2.3 document.
  • rhel: deprecate updater in favor of VEX updater

    Vulnerability information about containers can be extracted from the VEX data, which removes the need to look for it in the cvemap.xml file. This change modifies the VEX updater to ingest vulnerabilities in a form that can be matched by the RHCC matcher.
  • suse: dynamic distribution discovery

    Previously, SUSE distributions were static/predefined in the code, and the lack of updates to those definitions had allowed SUSE support to lapse. This change adds dynamic discovery for two SUSE distro flavors: suse.linux.enterprise.server and opensuse.leap.
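The two enrichment entries above (ignoring vulnerability.Description, and reading CVSS from the NVD 2.0 feeds) fit together: the enricher must build a CVE-to-score table from the new feed layout, then look up only the CVE IDs that appear in a vulnerability's Name and Links. The following Go program is an added example, not claircore's own code. It parses the subset of the public NVD 2.0 JSON feed schema needed for scoring, keeps the "Primary" (NVD-sourced) metric over a CNA "Secondary" one, prefers CVSS v3.1 over v3.0 over v2, and extracts keys from Name and Links only. The Vulnerability struct mirrors the three claircore field names discussed in the note; the helper names and the two-entry sample feed are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// nvdFeed is the subset of the NVD 2.0 JSON feed schema (nvdcve-2.0-<year>.json,
// same shape as a /rest/json/cves/2.0 response) needed for CVSS enrichment.
type nvdFeed struct {
	Vulnerabilities []struct {
		CVE struct {
			ID      string `json:"id"`
			Metrics struct {
				V31 []cvssMetric `json:"cvssMetricV31"`
				V30 []cvssMetric `json:"cvssMetricV30"`
				V2  []cvssMetric `json:"cvssMetricV2"`
			} `json:"metrics"`
		} `json:"cve"`
	} `json:"vulnerabilities"`
}

// cvssMetric is one scored entry. In the 2.0 schema, v3.x carries baseSeverity inside
// cvssData while v2 carries it as a sibling of cvssData, so both locations are read.
type cvssMetric struct {
	Source       string `json:"source"`
	Type         string `json:"type"` // "Primary" (NVD) or "Secondary" (CNA)
	BaseSeverity string `json:"baseSeverity"`
	CVSSData     struct {
		Version      string  `json:"version"`
		VectorString string  `json:"vectorString"`
		BaseScore    float64 `json:"baseScore"`
		BaseSeverity string  `json:"baseSeverity"`
	} `json:"cvssData"`
}

// Score is the per-CVE enrichment record (hypothetical shape for this example).
type Score struct {
	Version, Vector, Severity string
	Base                      float64
}

// pickPrimary prefers the NVD "Primary" metric; if none exists, the first entry is used.
func pickPrimary(ms []cvssMetric) (cvssMetric, bool) {
	if len(ms) == 0 {
		return cvssMetric{}, false
	}
	for _, m := range ms {
		if m.Type == "Primary" {
			return m, true
		}
	}
	return ms[0], true
}

// ParseNVD2 builds a CVE-ID -> Score table from a 2.0 feed, preferring v3.1, then v3.0, then v2.
func ParseNVD2(data []byte) (map[string]Score, error) {
	var feed nvdFeed
	if err := json.Unmarshal(data, &feed); err != nil {
		return nil, err
	}
	out := make(map[string]Score, len(feed.Vulnerabilities))
	for _, v := range feed.Vulnerabilities {
		for _, ms := range [][]cvssMetric{v.CVE.Metrics.V31, v.CVE.Metrics.V30, v.CVE.Metrics.V2} {
			m, ok := pickPrimary(ms)
			if !ok {
				continue
			}
			sev := m.CVSSData.BaseSeverity
			if sev == "" {
				sev = m.BaseSeverity // v2 layout
			}
			out[strings.ToUpper(v.CVE.ID)] = Score{
				Version: m.CVSSData.Version, Vector: m.CVSSData.VectorString,
				Severity: sev, Base: m.CVSSData.BaseScore,
			}
			break
		}
	}
	return out, nil
}

// Vulnerability carries the three vulnerability fields discussed in the release note.
// claircore stores Links as a single space-separated string.
type Vulnerability struct {
	Name, Links, Description string
}

var cveRE = regexp.MustCompile(`(?i)\bCVE-\d{4}-\d{4,}\b`)

// EnrichmentKeys extracts CVE IDs from Name and Links only. Description is deliberately
// not consulted: it often cites other CVEs and would pull in the wrong scores.
func EnrichmentKeys(v Vulnerability) []string {
	seen := map[string]bool{}
	var keys []string
	for _, id := range cveRE.FindAllString(v.Name+" "+v.Links, -1) {
		id = strings.ToUpper(id)
		if !seen[id] {
			seen[id] = true
			keys = append(keys, id)
		}
	}
	return keys
}

// Enrich returns the scores for every CVE referenced by the vulnerability's Name or Links.
func Enrich(v Vulnerability, table map[string]Score) []Score {
	var out []Score
	for _, id := range EnrichmentKeys(v) {
		if s, ok := table[id]; ok {
			out = append(out, s)
		}
	}
	return out
}

// sampleFeed is a constructed two-entry feed in the 2.0 layout; it is not real NVD data.
const sampleFeed = `{"vulnerabilities":[
 {"cve":{"id":"CVE-2024-0001","metrics":{"cvssMetricV31":[
   {"source":"cna@example.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}},
   {"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}]}}},
 {"cve":{"id":"CVE-2024-0002","metrics":{"cvssMetricV2":[
   {"source":"nvd@nist.gov","type":"Primary","baseSeverity":"MEDIUM","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5.0}}]}}}
]}`

func main() {
	table, err := ParseNVD2([]byte(sampleFeed))
	if err != nil {
		panic(err)
	}
	v := Vulnerability{
		Name:        "CVE-2024-0001",
		Links:       "https://nvd.nist.gov/vuln/detail/CVE-2024-0001",
		Description: "Incomplete fix for CVE-2024-0002; see also CVE-2023-9999.",
	}
	fmt.Println(EnrichmentKeys(v)) // [CVE-2024-0001]: the CVEs named in Description are not keys
	for _, s := range Enrich(v, table) {
		fmt.Printf("CVSS %s %.1f %s %s\n", s.Version, s.Base, s.Severity, s.Vector)
	}
}
```

With Description in play, this record would also have picked up CVE-2024-0002's score; with Name and Links only, it gets exactly the 8.8 Primary v3.1 score for CVE-2024-0001, and the CNA's 9.8 Secondary entry is ignored. A real updater should also treat a feed entry with no metrics at all as "unscored" rather than defaulting to zero.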
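The rpm entry above (discarding language packages that came from an RPM) is easiest to see with the false positive it prevents. The program below is an added example, not claircore's own code: it builds a path-to-owner table from a constructed RPM file listing, drops language packages whose metadata file an RPM owns, and runs a constructed "requests below 2.31.0" Python advisory over the detected packages before and after the filter. The listing format, the LangPackage type, the advisory and the dotted-version comparison are all assumptions made for illustration; the real indexer reads the RPM database directly and real matchers use ecosystem-specific version parsers.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strconv"
	"strings"
)

// rpmFileList is a constructed stand-in for RPM database file ownership: one
// "<nevra>\t<path>" pair per line. The last line is malformed on purpose.
var rpmFileList = strings.Join([]string{
	"python3-requests-2.28.1-1.el9.noarch\t/usr/lib/python3.9/site-packages/requests/__init__.py",
	"python3-requests-2.28.1-1.el9.noarch\t/usr/lib/python3.9/site-packages/requests-2.28.1.dist-info/METADATA",
	"nodejs-npm-8.19.2-1.el9.x86_64\t/usr/lib/node_modules/npm/package.json",
	"garbage line without a tab",
}, "\n")

// RPMOwnership maps an absolute, cleaned path to the NEVRA of the RPM that owns it.
type RPMOwnership map[string]string

// ParseRPMFileList parses "<nevra>\t<path>" lines; lines without a tab or a
// non-absolute path are skipped rather than treated as ownership.
func ParseRPMFileList(s string) RPMOwnership {
	own := RPMOwnership{}
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		nevra, p, ok := strings.Cut(sc.Text(), "\t")
		if !ok || !strings.HasPrefix(p, "/") {
			continue
		}
		own[path.Clean(p)] = nevra
	}
	return own
}

// LangPackage is what a language detector reports: the package and the metadata
// file (dist-info METADATA, package.json, ...) it was detected from.
type LangPackage struct {
	Ecosystem, Name, Version, MetadataFile string
}

// InstalledFromRPM reports whether the metadata file the package was found in belongs to an RPM.
func (o RPMOwnership) InstalledFromRPM(p LangPackage) (nevra string, ok bool) {
	nevra, ok = o[path.Clean(p.MetadataFile)]
	return nevra, ok
}

// FilterRPMOwned splits detected packages into those the language matcher should keep
// and those to drop because an RPM owns them (the RPM record is matched instead).
func FilterRPMOwned(o RPMOwnership, pkgs []LangPackage) (keep, drop []LangPackage) {
	for _, p := range pkgs {
		if _, ok := o.InstalledFromRPM(p); ok {
			drop = append(drop, p)
		} else {
			keep = append(keep, p)
		}
	}
	return keep, drop
}

// versionLess is a minimal dotted-numeric comparison, enough for the constructed data.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// pythonAdvisory is a constructed advisory: Name is vulnerable below FixedIn.
type pythonAdvisory struct{ Name, FixedIn string }

// MatchPython returns "name@version" for every Python package the advisory would flag.
func MatchPython(pkgs []LangPackage, adv pythonAdvisory) []string {
	var hits []string
	for _, p := range pkgs {
		if p.Ecosystem == "python" && p.Name == adv.Name && versionLess(p.Version, adv.FixedIn) {
			hits = append(hits, p.Name+"@"+p.Version)
		}
	}
	return hits
}

func main() {
	own := ParseRPMFileList(rpmFileList)
	detected := []LangPackage{
		{"python", "requests", "2.28.1", "/usr/lib/python3.9/site-packages/requests-2.28.1.dist-info/METADATA"},
		{"python", "urllib3", "1.26.0", "/usr/local/lib/python3.9/site-packages/urllib3-1.26.0.dist-info/METADATA"},
		{"npm", "npm", "8.19.2", "/usr/lib/node_modules/npm/package.json"},
	}
	adv := pythonAdvisory{Name: "requests", FixedIn: "2.31.0"}
	fmt.Println("unfiltered:", MatchPython(detected, adv)) // flags requests@2.28.1
	keep, drop := FilterRPMOwned(own, detected)
	for _, p := range drop {
		nevra, _ := own.InstalledFromRPM(p)
		fmt.Printf("dropped %s %s (owned by %s)\n", p.Name, p.Version, nevra)
	}
	fmt.Println("filtered:", MatchPython(keep, adv)) // nothing: the RPM matcher judges python3-requests
}
```

The dist-info still says 2.28.1 after the distribution backports a fix into python3-requests-2.28.1-1.el9, so the unfiltered run flags it; once the package is attributed to its RPM, only the RPM record (with its distribution advisory data) is matched, while the pip-installed urllib3 under /usr/local stays with the Python matcher.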

All

Build(Deps)

  • e4feca46: bump golang.org/x/time from 0.7.0 to 0.8.0
  • f54011b5: bump golang.org/x/sync from 0.8.0 to 0.9.0
  • ee5524b8: bump go.opentelemetry.io/otel/sdk from 1.31.0 to 1.32.0
  • 757b649c: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 20c0040f: bump github.com/go-stomp/stomp/v3 from 3.1.2 to 3.1.3
  • 1607766c: bump github.com/prometheus/client_golang
  • 0a3a4611: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 12ea7bf9: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 146d4a67: bump github.com/urfave/cli/v2 from 2.27.3 to 2.27.5
  • 50003694: bump github.com/klauspost/compress from 1.17.10 to 1.17.11
  • 6069bb24: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace

Chore

  • f6a412cc: v4.9.0 changelog bump
  • cbfd97b6: fix typos in config.yaml.sample
  • 7c9c079b: update claircore to v1.5.48
  • 8e9a6d46: update claircore to v1.5.47
  • 804ef6a4: update claircore to v1.5.46
  • a50727a3: add DVO ignore annotations
  • 8d991938: update claircore to v1.5.45
  • ff2059cf: update claircore to v1.5.44
  • db51ed82: update claircore to v1.5.42
  • c2dc1766: update claircore to v1.5.41
  • 8aa9e1e2: update claircore to v1.5.40
  • eca299b7: update go references to go1.24
  • 1660b66b: upgrade from pgx v4 to v5
  • 68d03bae: remove reviews from dependabot config
  • 0c5292e7: upgrade config module to v1.4.2
  • e5d4c19c: update minimum go version to 1.23
  • e45fbf0e: update claircore to v1.5.35
  • 708bf2f5: update local-dev tracing configs to fix errors
  • 216ca2f1: update claircore to v1.5.34
  • dde57fc1: update openAPI spec to remove SourcePackage
  • e5149fd3: group some dependencies to avoid excessive PRs
  • 60ebea73: update claircore to v1.5.33

Chore(Deps)

  • f598d3ec: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • a952e3c6: bump the otel group with 11 updates
  • 878fbceb: bump github.com/google/go-containerregistry
  • 468e409c: bump actions/upload-artifact from 4 to 5
  • c87bc8f0: bump github.com/klauspost/compress from 1.18.1 to 1.18.2
  • 2a5c11fd: bump actions/checkout from 5 to 6
  • b12439f4: bump golang.org/x/crypto from 0.44.0 to 0.45.0
  • e169a50a: bump google.golang.org/grpc from 1.76.0 to 1.77.0
  • 3e778f2c: bump golang.org/x/net in the golang-x group
  • 4563ccbd: bump github.com/go-stomp/stomp/v3 from 3.1.3 to 3.1.5
  • 195cdb06: bump golang.org/x/sync in the golang-x group
  • b50044f4: bump actions/download-artifact from 5 to 6
  • 1b429595: bump github.com/klauspost/compress from 1.18.0 to 1.18.1
  • e439e4df: bump the golang-x group with 2 updates
  • fe37c68b: bump google.golang.org/grpc from 1.75.1 to 1.76.0
  • ee6ea1c8: bump github.com/quay/claircore from 1.5.42 to 1.5.43
  • afcfd7f0: bump google.golang.org/grpc from 1.75.0 to 1.75.1
  • 6a4937e4: bump the golang-x group across 1 directory with 3 updates
  • 53cf68e9: bump github.com/jackc/pgx/v5 from 5.7.5 to 5.7.6
  • e9850949: bump github.com/prometheus/client_golang
  • 290969cd: bump actions/stale from 9 to 10
  • 5b5519b5: bump actions/github-script from 7 to 8
  • b78c76b1: bump actions/setup-go from 5 to 6
  • b1f4716b: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 93174450: bump github.com/grafana/pyroscope-go/godeltaprof
  • 0f1fde39: bump the otel group with 11 updates
  • 8dbb0f48: bump golang.org/x/net in the golang-x group
  • a35a1281: bump github.com/ulikunitz/xz from 0.5.11 to 0.5.14
  • 1fa9a753: bump actions/checkout from 4 to 5
  • f0b0949c: bump actions/download-artifact from 4 to 5
  • 890f4a1b: bump github.com/prometheus/client_golang
  • 80add42b: bump google.golang.org/grpc from 1.73.0 to 1.75.0
  • e4746794: bump github.com/jackc/pgx/v5 from 5.7.4 to 5.7.5
  • ba6fe31c: bump go.opentelemetry.io/otel/exporters/prometheus
  • 40b0402e: bump the golang-x group with 2 updates
  • f9635886: bump github.com/quay/zlog from 1.1.8 to 1.1.9
  • 4415106e: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • b7325ada: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 78b92595: bump the otel group with 11 updates
  • 62956271: bump github.com/urfave/cli/v2 from 2.27.6 to 2.27.7
  • 440eee8e: bump github.com/google/go-containerregistry
  • e75e2e2b: bump the golang-x group with 3 updates
  • cf20adbd: bump google.golang.org/grpc from 1.72.2 to 1.73.0
  • d9c211b4: bump github.com/quay/claircore from 1.5.37 to 1.5.38
  • 6338de8b: bump github.com/ugorji/go/codec from 1.2.12 to 1.2.14
  • 566271a1: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 3e3a2d33: bump github.com/google/go-containerregistry
  • 81b725ba: bump google.golang.org/grpc from 1.72.1 to 1.72.2
  • faad36e2: bump the otel group with 11 updates
  • 7979e036: bump google.golang.org/grpc from 1.72.0 to 1.72.1
  • 99ab2c1a: bump the golang-x group with 2 updates
  • a166f610: bump github.com/quay/claircore from 1.5.36 to 1.5.37
  • d8e9dcf4: bump google.golang.org/grpc from 1.71.1 to 1.72.0
  • bfa8f11d: bump github.com/quay/claircore from 1.5.35 to 1.5.36
  • f8a41628: bump github.com/prometheus/client_golang
  • 7ce22abe: bump google.golang.org/grpc from 1.71.0 to 1.71.1
  • c53cf2ba: bump the golang-x group with 2 updates
  • a5833a44: bump golang.org/x/net in the golang-x group
  • cc6fb14a: bump github.com/rs/zerolog from 1.33.0 to 1.34.0
  • 851e4a36: bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6
  • e9997624: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • a73e832b: bump github.com/prometheus/client_golang
  • 35110e9e: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 0a9866e3: bump the golang-x group with 3 updates
  • 1ce14606: bump the otel group with 11 updates
  • 919d5287: bump github.com/google/go-cmp in /config
  • 2673e4f4: bump github.com/rogpeppe/go-internal from 1.13.1 to 1.14.1
  • cf7af98a: bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4
  • 6c9fae1e: bump github.com/google/go-cmp from 0.6.0 to 0.7.0
  • 707d8049: bump github.com/prometheus/client_golang
  • 136a618f: bump github.com/klauspost/compress from 1.17.11 to 1.18.0
  • 3e7c6e74: bump the golang-x group with 3 updates
  • 73db520d: bump github.com/evanphx/json-patch/v5 from 5.9.10 to 5.9.11
  • a3a60f10: bump google.golang.org/grpc from 1.69.4 to 1.70.0
  • cc29705c: bump github.com/evanphx/json-patch/v5 from 5.9.0 to 5.9.10
  • d05b4049: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 8b99d320: bump the otel group with 11 updates
  • b2c66991: bump google.golang.org/grpc from 1.69.2 to 1.69.4
  • ef4a1f11: bump the golang-x group with 2 updates
  • 38b77499: bump golang.org/x/net in the golang-x group
  • 80c0381a: bump the otel group across 1 directory with 2 updates
  • 3eff1ef1: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • 5bf85313: bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  • 9ebb61d9: bump golang.org/x/crypto from 0.30.0 to 0.31.0
  • 0881e079: bump the golang-x group with 2 updates
  • f556ef16: bump go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  • bf8737a1: bump golang.org/x/net in the golang-x group
  • f1d9aae4: bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace

Ci

  • a0a35fd7: Allow go test to access un-vendored dependencies

Cicd

  • ab791a2e: run multiarch tests without a full container
  • 935a61f3: vendor modules into nightly source

Dev

  • 503215f5: rename dashboard.json file to clair.json
  • 65cd4244: add a grafana dashboard for postgres stats

Docker

  • 10485679: remove version line from docker-compose.yaml

Enrichments

  • 6527a9ec: disable enrichers if config option is set

Introspection

  • 797c2f45: implement OTLP support for metrics and traces

Misc

  • 5891f64b: remove API doc make target, CI check

Notifier

  • a9a68e18: increase default durations to be more reasonable

Types/V1

  • 50d0164b: add JSON API v1 types and schemas

Reverts

  • cicd: exclude darwin/arm64
