Release Notes
Release notes for Red Hat Trusted Profile Analyzer 1.2.2
Abstract
Chapter 1. Introduction
Red Hat’s Trusted Profile Analyzer (RHTPA) is a proactive service that assists in risk management of Open Source Software (OSS) packages and dependencies. The Trusted Profile Analyzer service brings awareness to and remediation of OSS vulnerabilities discovered within the software supply chain.
The Red Hat Trusted Profile Analyzer documentation is available here.
Items added to the RHTPA 1.2.2 Release Notes:
Chapter 2. New features and enhancements
A list of all major enhancements and new features introduced in this release of Red Hat Trusted Profile Analyzer (RHTPA).
The features and enhancements added by this release are:
Trusted Profile Analyzer on Red Hat Enterprise Linux
With this release, as a Technical Preview, you can deploy RHTPA on Red Hat Enterprise Linux 9 by using an Ansible Playbook. You can customize this deployment solution by using your own PostgreSQL database, OpenID Connect (OIDC) provider, Simple Storage Service (S3), and Simple Queue Service (SQS) services. You can find more information in the RHTPA Deployment Guide.
Redesign of the Trusted Profile Analyzer console, and a new CVE impact panel
With this release, we designed a new Dashboard homepage that is more intuitive and gives users more pertinent data at a glance. The Dashboard shows the Common Vulnerabilities and Exposures (CVE) impact on the last 10 software bills of materials (SBOMs) uploaded. Along with the impact data, you can also see the date and time, and the number of documents, such as Common Security Advisory Framework (CSAF) advisories, SBOMs, and CVEs, recently uploaded.
New version of the component registry
With this release, we updated the Graph for Understanding Artifact Composition (GUAC) component registry to version 0.7.2. This newer GUAC version is easier to support and is more reliable than earlier versions. Currently, there is no upgrade path from RHTPA 1.1 to 1.2. You must do a fresh installation of RHTPA 1.2 and re-upload your documents to use the new features of GUAC 0.7.2.
Support for CycloneDX 1.5 and SPDX 2.3
With this release, we now support software bill of materials (SBOM) documents formatted in CycloneDX version 1.5, and SPDX version 2.3.
Chapter 3. Bug fixes
In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.
The bombastic-collector does not handle special characters in the id field
Before this update, uploading a software bill of materials (SBOM) file that contains special characters in the id field failed to ingest properly when running RHTPA on Amazon Web Services (AWS) infrastructure, causing missing data on the Vulnerabilities page. With this release, you can use special characters in the id field of an SBOM before uploading it.
The collector-osv fails to ingest vulnerabilities with a CVSS_V4 severity
Before this update, vulnerability data from the OpenSource Vulnerability (OSV) service that carried a CVSS_V4 score failed to be associated with the packages that it impacts. Because of this, fewer vulnerabilities might have been associated with packages and software bills of materials (SBOMs) ingested into RHTPA. With this release, this issue has been fixed.
Fixed a potential exploit for CVE-2024-21536
With this release, we updated the http-proxy-middleware component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21536.
The v11y-walker job fails when ingesting CVEs
The v11y-walker job would generate an error when the prefix configuration to ingest Common Vulnerabilities and Exposures (CVE) was not applied properly. The prefix configuration determines the range of CVEs to ingest. Because of the wrong range, RHTPA ingested unwanted CVEs. With this release, we fixed the CVE ingestion process to only match CVEs that use the supplied prefix configuration.
Fixed a potential exploit for CVE-2024-21538
With this release, we updated the cross-spawn component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21538.
A timeout error occurs when doing an SBOM bulk upload
Doing a software bill of materials (SBOM) bulk upload caused the SBOM dashboard to fail when loading, giving a connection timeout error. With this release, we fixed the livenessProbe to use curl to connect to the appropriate endpoint.
The initialDelaySeconds property for livenessProbe and readinessProbe is configurable
Before this update, we had a hard-coded value of 2 seconds set on the initialDelaySeconds property for livenessProbe and readinessProbe. With this release, you can configure the initialDelaySeconds property in the RHTPA Helm values file.
A partially ingested SBOM gives an error on the Vulnerabilities tab
Uploading a software bill of materials (SBOM) file has many steps to complete during the ingestion process. Until this ingestion process finishes, viewing SBOM vulnerability information is inconsistent, and the page could display an error message when no real error occurred. With this release, we removed this error message and instead return an empty page on the Vulnerabilities tab.
The guac-collectsub-pod-service pod is caught in an infinite restart loop
Deploying RHTPA on Red Hat Enterprise Linux by using the Ansible Playbook would cause the health check to fail on the guac-collectsub-pod-service pod. This caused the pod to enter an infinite restart loop. With this release, we fixed the livenessProbe by enabling the correct API endpoint.
Fixed a timeout issue when ingesting SBOMs for the dashboard charts
When ingesting a software bill of materials (SBOM) file that has a large number of packages, and if those packages have many associated vulnerabilities, the API call that retrieves the data for the dashboard charts would time out. With this release, we improved the API calls that supply data to the dashboard charts, so the charts populate properly and in a timely manner.
Missing CVSS scores for some CVEs
Some Common Vulnerabilities and Exposures (CVE) records have elements in the metrics array but no corresponding Common Vulnerability Scoring System (CVSS) score. Not having the CVSS score limits the ability to query for data on CVEs. With this release, we check for a valid CVSS score within the elements of the metrics array, and properly display the CVE’s CVSS score.
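The collector-osv CVSS_V4 fix and the metrics-array CVSS check above come down to the same parsing discipline: read a CVSS value only where one is actually present, and skip feed elements that carry none instead of failing the whole record. The following is an added example of that discipline, not RHTPA or GUAC code; it assumes OSV records in the public OSV schema (`severity[].type` and `score`) and CVE records in the CVE Record 5.x format (`containers.cna.metrics[]`), and the sample records are constructed.

```python
"""Defensive CVSS extraction from OSV ``severity`` entries and CVE JSON 5.x
``metrics`` entries.  Added example, not RHTPA/GUAC code; field names follow
the public OSV and CVE Record 5.x schemas, sample records are constructed."""
from typing import Optional

# OSV severity types, ranked so the newest CVSS version wins; CVSS_V4 is the
# tag the earlier collector-osv did not recognise.
OSV_RANK = {"CVSS_V2": 2, "CVSS_V3": 3, "CVSS_V4": 4}
# CVE 5.x metrics keys, newest first.  An element may also hold only ``other``
# (for example an SSVC block), which carries no CVSS score at all.
CVE_CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def cvss_from_osv(severity: Optional[list]) -> Optional[dict]:
    """Pick the highest-ranked CVSS entry from an OSV ``severity`` array.
    Unknown types (distro-specific labels, future CVSS tags) are skipped
    rather than aborting the whole record."""
    best = None
    for entry in severity or []:
        kind, vector = entry.get("type"), entry.get("score")
        if kind in OSV_RANK and isinstance(vector, str) and vector.startswith("CVSS:"):
            if best is None or OSV_RANK[kind] > OSV_RANK[best["version"]]:
                best = {"version": kind, "vector": vector}
    return best


def cvss_from_cve5(metrics: Optional[list]) -> Optional[dict]:
    """Return the first metrics element holding a CVSS object with a numeric
    baseScore.  Elements without a CVSS object, or with a malformed one, are
    skipped; None means the record genuinely has no CVSS score."""
    for element in metrics or []:
        for key in CVE_CVSS_KEYS:
            cvss = element.get(key)
            if isinstance(cvss, dict) and isinstance(cvss.get("baseScore"), (int, float)):
                return {"version": key, "score": float(cvss["baseScore"]),
                        "vector": cvss.get("vectorString")}
    return None


# Constructed sample records (not real advisories).
OSV_SAMPLE = [
    {"type": "Ubuntu", "score": "Medium"},  # unrecognised type: skipped
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
]
CVE5_SAMPLE = [
    {"other": {"type": "ssvc", "content": {"version": "2.0.3"}}},  # no CVSS here
    {"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
]
```

`cvss_from_osv(OSV_SAMPLE)` returns the CVSS_V4 entry, and `cvss_from_cve5(CVE5_SAMPLE)` returns the 9.8 score from the second element while the SSVC-only element is passed over rather than reported as a missing score.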
Nested packages within a CycloneDX SBOM are not ingested
Before this update, only the main package was ingested and the nested packages were not. With this release, RHTPA correctly traverses a CycloneDX software bill of materials (SBOM) manifest file and includes those nested packages in the database.
Large SBOM manifest files generate an error when uploading
When uploading a large software bill of materials (SBOM) manifest file to RHTPA, the index updates properly, but the database does not. We consider a large SBOM manifest file to be 90 MB in size, containing 70,000 packages. With this release, we fixed the issue with the database update.
Chapter 4. Known issues
Resolved known issues for this release of Red Hat Trusted Profile Analyzer (RHTPA):
A list of known issues found in this release:
The spog-ui-pod-service pod restarts when launching the Trusted Profile Analyzer console in a web browser
When running Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux (RHEL), the spog-ui-pod-service pod restarts when first launching the Trusted Profile Analyzer console in a web browser, causing the application to be unresponsive. To work around this issue, you can try refreshing the web page, or closing the browser tab and reopening the RHTPA console in a new tab. Doing this loads the RHTPA console successfully.
The Dependency Analytics report gives a storage error when uploading an SBOM file
When uploading a software bill of materials (SBOM) file, 200 MB or larger, the Dependency Analytics report shows an error message about reaching a size limitation. The Dependency Analytics server has a file size limitation for uploaded SBOMs. Currently, there is no workaround for this issue.
The collector-osv gives a GraphQL error
When the collector-osv sends data to the Graph for Understanding Artifact Composition (GUAC) API without complying with the GUAC GraphQL schema, the default values are not applied for some optional fields, for example a namespace for a package. GUAC returns the following error message: "pq: insert or update on table package_versions violates foreign key constraint package_versions_package_names_versions". This causes the ingestion of OpenSource Vulnerability (OSV) data to fail, and as a consequence some packages could have fewer vulnerabilities reported than expected. Currently, there is no workaround for this issue.
Package version mismatch between the API response and the HTML report for Red Hat Dependency Analytics
Opening a manifest file for analysis in Visual Studio Code or IntelliJ can give you a different package version number between the Red Hat Dependency Analytics (RHDA) HTML report and an API client response. Before analyzing the manifest file, the API client compares package versions in the manifest file to the installed package versions within the client’s environment. When there is a difference in package version, you receive an error message containing the first package version mismatch. To work around this issue, you can disable the Match Manifest Versions option of the RHDA extension in your integrated development environment (IDE).
Inconsistencies between the total number of CVEs displayed on the dashboard and the CVE tab
The total number of Common Vulnerabilities and Exposures (CVE) uses different filters between the RHTPA home page dashboard and the CVE tab on the search results page, causing the discrepancy between the two values. Currently, there is no workaround for this known issue.
Data migration fails when upgrading from Trusted Profile Analyzer 1.1.2 to 1.2
The bombastic and vexation collector pods crash when there is no space left on the persistent volume claim (PVC) for the PostgreSQL instance. To work around this potential issue, increase the size of the PVC by 10 GB.
SBOM data does not load properly when uploading a large SBOM
When uploading a large software bill of materials (SBOM) document, for example an SBOM that includes 50,000 packages, the RHTPA dashboard does not load properly. This happens because Keycloak’s access token expires before the SBOM can finish uploading its data. To work around this issue, you can increase the lifespan of Keycloak’s access token and then redeploy Keycloak:
- Log in to the OpenShift cluster from the command-line interface.
- Find Keycloak’s URL string:
  echo https://$(oc get route keycloak -n keycloak-system | tail -n 1 | awk '{print $2}')/auth
- Copy and paste the URL string from the earlier step into a web browser, and go to the authentication page.
- Log in to the Keycloak Administration Console.
  Note: You can find the user credentials in the OpenShift web console by expanding the Workloads menu, clicking Secrets, and clicking your Keycloak instance name.
- On the home page, click Realm Settings, and select the Tokens tab.
- Change the Access Token Lifespan value from the default of 5 minutes to 60 minutes, and save the change.
- Redeploy Keycloak:
  oc scale deployment/keycloak-postgresql --replicas=0
  oc scale deployment/rhsso-operator --replicas=0
  oc scale deployment/keycloak-postgresql --replicas=1
  oc scale deployment/rhsso-operator --replicas=1
- Try uploading your SBOM again.
An API error on the package details page
In the RHTPA console, when navigating from the Vulnerabilities page to the package details page, clicking the affected dependencies link gives you the following error message:
API error: Error contacting GUAC (Guac) - Client error: Cannot find an SBOM for PackageUrl
Currently, there is no workaround for this known issue.