Chapter 3. Bug fixes


In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. We also describe previously known issues from earlier versions that this release fixes.

Fixed a potential exploit for CVE-2024-21536

With this release, we updated the http-proxy-middleware component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21536.

The v11y-walker job fails when ingesting CVEs

The v11y-walker job would generate an error when the prefix configuration for ingesting Common Vulnerabilities and Exposures (CVE) records was not applied properly. The prefix configuration determines the range of CVEs to ingest. Because the range was wrong, RHTPA ingested unwanted CVEs. With this release, we fixed the CVE ingestion process to match only CVEs that use the supplied prefix configuration.
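The following is an added example, not code from RHTPA or the v11y-walker job, showing what "applying the prefix configuration properly" means in practice: the configured prefix setting is parsed and validated before use, an empty or malformed setting is rejected rather than silently matching everything, and candidate IDs are kept only when they are well-formed CVE IDs that start with one of the configured prefixes. The setting format (a comma-separated list of prefixes), the sample CVE IDs and the `select_cves_loose` function, which illustrates how a loosely applied filter admits unrelated records, are all constructed assumptions for this illustration.

```python
import re

# Constructed sample of identifiers as a walker might read them from a feed.
# They are illustrative IDs only, not references to specific advisories.
SAMPLE_CVE_IDS = [
    "CVE-2024-0001",
    "CVE-2024-1234",
    "cve-2024-9999",          # lower case: should still be recognised
    "CVE-2023-4567",
    "CVE-2023-10001",
    "CVE-2022-2024",          # "2024" appears as the sequence number, not the year
    "GHSA-xxxx-yyyy-zzzz",    # not a CVE ID at all; must never be ingested here
]

# A full CVE ID: CVE-<year>-<4 or more digits>
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# An acceptable prefix: "CVE-", "CVE-2024", "CVE-2024-", "CVE-2024-1", ...
PREFIX_RE = re.compile(r"^CVE-(\d{1,4}(-\d*)?)?$")


def parse_prefixes(raw):
    """Normalise a comma-separated prefix setting (assumed format) into a list.

    Raises ValueError instead of returning an empty list, because an empty
    prefix list would otherwise select every record in the feed.
    """
    prefixes = []
    for part in raw.split(","):
        prefix = part.strip().upper()
        if not prefix:
            continue
        if not PREFIX_RE.match(prefix):
            raise ValueError(f"invalid CVE prefix: {part!r}")
        prefixes.append(prefix)
    if not prefixes:
        raise ValueError("no usable CVE prefix configured; refusing to ingest everything")
    return prefixes


def select_cves(cve_ids, prefixes):
    """Return the well-formed CVE IDs that begin with one of the configured prefixes."""
    if isinstance(prefixes, str):
        prefixes = parse_prefixes(prefixes)
    selected = []
    for raw_id in cve_ids:
        cve_id = raw_id.strip().upper()
        if not CVE_ID_RE.match(cve_id):
            continue                      # drop non-CVE identifiers outright
        if any(cve_id.startswith(p) for p in prefixes):
            selected.append(cve_id)
    return selected


def select_cves_loose(cve_ids, fragment):
    """Constructed contrast: a substring match, which admits IDs outside the
    intended range (e.g. a fragment of '2024' also matches CVE-2022-2024)."""
    return [c for c in cve_ids if fragment in c.upper()]


if __name__ == "__main__":
    print(select_cves(SAMPLE_CVE_IDS, "CVE-2024-, cve-2023-1"))
    print(select_cves_loose(SAMPLE_CVE_IDS, "2024"))
```

`select_cves` anchors the match at the start of a normalised ID, so a prefix such as `CVE-2024-1` selects the 1000-1999 and 10000-19999 sequence ranges for that year and nothing else; the loose variant is only there to show the kind of over-selection a prefix filter is meant to prevent.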

Fixed a potential exploit for CVE-2024-21538

With this release, we updated the cross-spawn component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21538.

A timeout error occurs when doing an SBOM bulk upload

During a software bill of materials (SBOM) bulk upload, the SBOM dashboard failed to load and reported a connection timeout error. With this release, we fixed the livenessProbe to use curl to connect to the appropriate endpoint.

The initialDelaySeconds property for livenessProbe and readinessProbe is configurable

Before this update, we had a hard-coded value of 2 seconds set on the initialDelaySeconds property for livenessProbe and readinessProbe. With this release, you can configure the initialDelaySeconds property in the RHTPA Helm values file.

A partially ingested SBOM gives an error on the Vulnerabilities tab

Uploading a software bill of materials (SBOM) file involves many steps during the ingestion process. Until ingestion finishes, the SBOM vulnerability information is inconsistent, and the page could display an error message even though no real error had occurred. With this release, we removed this error message, and the Vulnerabilities tab shows an empty page instead.

The guac-collectsub-pod-service pod is caught in an infinite restart loop

Deploying RHTPA on Red Hat Enterprise Linux by using the Ansible Playbook would cause the health check to fail on the guac-collectsub-pod-service pod. This caused the pod to enter an infinite restart loop. With this release, we fixed the livenessProbe by enabling the correct API endpoint.

Fixed a timeout issue when ingesting SBOMs for the dashboard charts

When ingesting a software bill of materials (SBOM) file that has a large number of packages, and those packages have many associated vulnerabilities, the API call that retrieves the data for the dashboard charts would time out. With this release, we improved the API calls that supply data to the dashboard charts, so the charts populate properly and in a timely manner.

Missing CVSS scores for some CVEs

Some Common Vulnerabilities and Exposures (CVE) records have elements in the metrics array but no corresponding Common Vulnerability Scoring System (CVSS) score. Not having the CVSS score limits the ability to query for data on CVEs. With this release, we check for a valid CVSS score within the elements of the metrics array, and properly display the CVE's CVSS score.
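As an added example that is not RHTPA's own code, the function below shows the kind of check the fix describes: walk every element of a record's metrics array, accept only entries that carry a numeric baseScore in the valid 0 to 10 range together with a vector string, and prefer the newest CVSS version found. The record layout is modelled on the CVE JSON 5 shape (`containers.cna.metrics`), but the three records and their values are constructed for this illustration and do not describe real advisories.

```python
# Newest CVSS version first; the first valid one wins.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")

# Constructed records in a CVE JSON 5-like layout (illustrative values only).
SAMPLE_RECORDS = {
    # Metrics array is populated, but only with a non-CVSS element.
    "CVE-EXAMPLE-0001": {"containers": {"cna": {"metrics": [
        {"other": {"type": "ssvc", "content": {"Exploitation": "none"}}},
    ]}}},
    # A non-CVSS element followed by a valid CVSS v3.1 entry.
    "CVE-EXAMPLE-0002": {"containers": {"cna": {"metrics": [
        {"other": {"type": "ssvc", "content": {"Exploitation": "poc"}}},
        {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
    ]}}},
    # A v3.1 entry missing its baseScore, then a complete v3.0 entry.
    "CVE-EXAMPLE-0003": {"containers": {"cna": {"metrics": [
        {"cvssV3_1": {"version": "3.1",
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
        {"cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH",
                      "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
    ]}}},
}


def _valid_cvss(key, entry):
    """Return (score, vector) if the entry is a usable CVSS object, else None."""
    if not isinstance(entry, dict):
        return None
    score = entry.get("baseScore")
    vector = entry.get("vectorString")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None
    if not 0.0 <= score <= 10.0:
        return None
    if not isinstance(vector, str) or not vector:
        return None
    # v3.x and v4.0 vectors are self-describing; v2 vectors carry no prefix.
    if key != "cvssV2_0" and not vector.startswith("CVSS:"):
        return None
    return float(score), vector


def best_cvss(record):
    """Pick the newest valid CVSS score in the metrics array, or None if there is none."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    if not isinstance(metrics, list):
        return None
    found = {}
    for element in metrics:
        if not isinstance(element, dict):
            continue
        for key in CVSS_KEYS:
            if key not in found:
                valid = _valid_cvss(key, element.get(key))
                if valid is not None:
                    found[key] = valid
    for key in CVSS_KEYS:
        if key in found:
            score, vector = found[key]
            return key, score, vector
    return None


def summarize_scores(records):
    """Map each CVE ID to its displayable base score, or None when no valid CVSS exists."""
    return {cve_id: (res[1] if (res := best_cvss(rec)) else None)
            for cve_id, rec in records.items()}


if __name__ == "__main__":
    for cve_id, score in summarize_scores(SAMPLE_RECORDS).items():
        print(cve_id, score if score is not None else "no CVSS score")
```

Returning `None` rather than a default such as 0.0 matters for a queryable store: a CVE with no score should be distinguishable from one scored as informational, and the third record shows why the check has to be per-element rather than "does the array contain a cvss key".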

Nested packages within a CycloneDX SBOM are not ingested

Before this update, only the main package was ingested and the nested packages were not. With this release, RHTPA correctly traverses a CycloneDX software bill of materials (SBOM) manifest file and includes those nested packages in the database.
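The following added example (not RHTPA's ingestion code) shows the difference between reading only the top-level components of a CycloneDX manifest and traversing the tree. In CycloneDX JSON, a component may itself carry a `components` array of the packages it bundles, to any depth, and the `metadata.component` entry describes the product the SBOM is for. The BOM below is constructed for this illustration; its package names and purls are placeholders.

```python
import json

# Constructed CycloneDX 1.5-style manifest with two levels of nesting under lib-a.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app",
                               "purl": "pkg:maven/com.example/example-app@1.0.0"}},
    "components": [
        {"type": "library", "name": "lib-a", "purl": "pkg:maven/com.example/lib-a@2.0.0",
         "components": [
             {"type": "library", "name": "lib-a-core",
              "purl": "pkg:maven/com.example/lib-a-core@2.0.0",
              "components": [
                  {"type": "library", "name": "lib-a-util",
                   "purl": "pkg:maven/com.example/lib-a-util@2.0.0"},
              ]},
         ]},
        {"type": "library", "name": "lib-b", "purl": "pkg:npm/lib-b@1.2.3"},
    ],
})

MAX_DEPTH = 64  # defensive bound so a malformed manifest cannot recurse without limit


def top_level_components(bom):
    """The pre-fix behaviour: only the outermost components array is read."""
    return [c for c in bom.get("components", []) if isinstance(c, dict)]


def walk_components(components, depth=0):
    """Depth-first traversal yielding every component, including nested ones."""
    if depth > MAX_DEPTH:
        raise ValueError("component nesting exceeds MAX_DEPTH; refusing manifest")
    for component in components or []:
        if not isinstance(component, dict):
            continue
        yield component
        yield from walk_components(component.get("components"), depth + 1)


def collect_purls(bom, include_root=True):
    """Unique purls of the described product (optionally) and all components, in document order."""
    seen, purls = set(), []
    root = bom.get("metadata", {}).get("component")
    sources = []
    if include_root and isinstance(root, dict):
        sources.append(root)
    sources.extend(walk_components(bom.get("components")))
    for component in sources:
        purl = component.get("purl")
        if isinstance(purl, str) and purl and purl not in seen:
            seen.add(purl)
            purls.append(purl)
    return purls


def ingest(bom_json):
    """Parse a CycloneDX JSON document and return the purls that should be stored."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX manifest")
    return collect_purls(bom)


if __name__ == "__main__":
    bom = json.loads(SAMPLE_BOM_JSON)
    print("top level only:", [c["name"] for c in top_level_components(bom)])
    print("full traversal:", ingest(SAMPLE_BOM_JSON))
```

Stopping at the top level leaves the bundled `lib-a-core` and `lib-a-util` packages out of the database entirely, so a vulnerability lookup keyed on their purls finds nothing; the traversal records them alongside their parents.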

Large SBOM manifest files generate an error when uploading

When uploading a large software bill of materials (SBOM) manifest file to RHTPA, the index updates properly, but the database does not. We consider a large SBOM manifest file to be 90 MB in size, containing 70,000 packages. With this release, we fixed the issue with the database update.

© 2024 Red Hat, Inc.