Chapter 3. Bug fixes
In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. We also describe previously known issues found in earlier versions that are fixed in this release.
Fixed a potential exploit for CVE-2024-21536
With this release, we updated the http-proxy-middleware component in RHTPA to a version that mitigates the vulnerability tracked as CVE-2024-21536.
The v11y-walker job fails when ingesting CVEs
The v11y-walker job would generate an error when the prefix configuration for ingesting Common Vulnerabilities and Exposures (CVE) records was not applied properly. The prefix configuration determines the range of CVEs to ingest, so the wrong range caused RHTPA to ingest unwanted CVEs. With this release, we fixed the CVE ingestion process to match only CVEs that use the supplied prefix configuration.
Fixed a potential exploit for CVE-2024-21538
With this release, we updated the cross-spawn component in RHTPA to a version that mitigates the vulnerability tracked as CVE-2024-21538.
A timeout error occurs when doing an SBOM bulk upload
A bulk upload of software bill of materials (SBOM) files caused the SBOM dashboard to fail to load with a connection timeout error. With this release, we fixed the livenessProbe to use curl to connect to the appropriate endpoint.
The initialDelaySeconds property for livenessProbe and readinessProbe is configurable
Before this update, the initialDelaySeconds property for livenessProbe and readinessProbe was hard-coded to 2 seconds. With this release, you can configure the initialDelaySeconds property in the RHTPA Helm values file.
A partially ingested SBOM gives an error on the Vulnerabilities tab
Uploading a software bill of materials (SBOM) file involves many steps during the ingestion process. Until this ingestion process finishes, the SBOM vulnerability information is inconsistent, and the page could display an error message when no real error occurred. With this release, we removed this error message and now return an empty page on the Vulnerabilities tab.
The guac-collectsub-pod-service pod is caught in an infinite restart loop
Deploying RHTPA on Red Hat Enterprise Linux by using the Ansible Playbook would cause the health check to fail on the guac-collectsub-pod-service pod. This caused the pod to enter an infinite restart loop. With this release, we fixed the livenessProbe by enabling the correct API endpoint.
Fixed a timeout issue when ingesting SBOMs for the dashboard charts
When ingesting a software bill of materials (SBOM) file that has a large number of packages, and those packages have many associated vulnerabilities, the API call that retrieves the data for the dashboard charts would time out. With this release, we improved the API calls that supply data to the dashboard charts, so the charts now populate properly and in a timely manner.
Missing CVSS scores for some CVEs
Some Common Vulnerabilities and Exposures (CVE) records have elements in the metrics array but no corresponding Common Vulnerability Scoring System (CVSS) score. A missing CVSS score limits the ability to query for data on those CVEs. With this release, we check each element in the metrics array for a valid CVSS score, and properly display the CVE's CVSS score.
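The metrics-array check described above, as an added example that is not RHTPA's own code: it assumes the ingested records use the CVE JSON 5.x layout (containers.cna.metrics, optionally containers.adp[].metrics), walks every element looking for a CVSS block with a usable baseScore, and returns None instead of failing when elements exist but none carries a score.

```python
import json

# Keys a metrics element may carry in a CVE JSON 5.x record, newest first
# (assumption: the ingested feed uses this layout; this is an added example,
# not RHTPA's v11y code).
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def extract_cvss(record):
    """Return (version, baseScore, vectorString) from the first metrics element
    that carries a usable CVSS block, or None when no element has one.
    Looks at the CNA container first, then any ADP containers."""
    containers = record.get("containers", {})
    sources = [containers.get("cna", {})] + list(containers.get("adp", []))
    for source in sources:
        for entry in source.get("metrics", []):
            for key in CVSS_KEYS:
                block = entry.get(key)
                if not isinstance(block, dict):
                    continue  # e.g. an "other"-only element such as an SSVC decision
                score = block.get("baseScore")
                is_number = isinstance(score, (int, float)) and not isinstance(score, bool)
                if is_number and 0.0 <= score <= 10.0:
                    return block.get("version"), float(score), block.get("vectorString")
    return None


def cvss_from_json(text):
    """Parse a CVE record from its JSON text and extract its CVSS score."""
    return extract_cvss(json.loads(text))


# Constructed sample records (placeholder CVE IDs, not real advisories).
WITH_SCORE = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00001"},
    "containers": {"cna": {"metrics": [
        {"other": {"type": "ssvc", "content": {"options": []}}},
        {"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
    ]}},
})
# Elements are present in the metrics array, but none of them carries a score.
WITHOUT_SCORE = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00002"},
    "containers": {"cna": {"metrics": [
        {"other": {"type": "ssvc", "content": {"options": []}}},
        {"cvssV3_1": {"version": "3.1",
                      "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"}},
    ]}},
})

if __name__ == "__main__":
    print(cvss_from_json(WITH_SCORE))     # ('3.1', 7.5, 'CVSS:3.1/AV:N/...')
    print(cvss_from_json(WITHOUT_SCORE))  # None
```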
Nested packages within a CycloneDX SBOM are not ingested
We fixed a bug where only the main package was ingested and the nested packages were not. With this release, RHTPA correctly traverses a CycloneDX software bill of materials (SBOM) manifest file and includes those nested packages in the database.
Large SBOM manifest files generate an error when uploading
When uploading a large software bill of materials (SBOM) manifest file to RHTPA, the index updated properly, but the database did not. We consider a large SBOM manifest file to be 90 MB in size, containing 70,000 packages. With this release, we fixed the issue with the database update.