Release Notes


Red Hat Trusted Profile Analyzer 1.3

Release notes for Red Hat Trusted Profile Analyzer 1.3.1

Red Hat Trusted Documentation Team

Abstract

Welcome to Red Hat Trusted Profile Analyzer's official release notes for version 1.3.1!
The release notes describe the new features, enhancements, known issues, bug fixes, and removed functionality in the Red Hat Trusted Profile Analyzer 1.3.1 software release.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright's message.

Chapter 1. Introduction

Red Hat’s Trusted Profile Analyzer (RHTPA) is a proactive service that assists in risk management of Open Source Software (OSS) packages and dependencies. The Trusted Profile Analyzer service brings awareness to and remediation of OSS vulnerabilities discovered within the software supply chain.

The Red Hat Trusted Profile Analyzer documentation is available here.

Chapter 2. New features and enhancements

A list of all major enhancements and new features introduced in this release of Red Hat Trusted Profile Analyzer (RHTPA).

The features and enhancements added by this release are:

Download license data from an SBOM

With this release, you can download license data from Software Bill of Materials (SBOM) documents in either the CycloneDX or the Software Package Data Exchange (SPDX) format. This new feature can help identify potential license compliance issues early in the development cycle, and can help organizations mitigate legal risk and meet their open source licensing obligations.
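As an added example, not RHTPA's own code, the following Python script reads the license data that this feature exposes from the standard license fields of a CycloneDX JSON or SPDX JSON document and runs a simple policy check over it. Both SBOM documents embedded in it are constructed for the example, and the license_findings check with its denied-license set is an assumption about how a consumer might use the downloaded data, not part of the product.

```python
# Added example (not RHTPA code): read license data from CycloneDX / SPDX JSON
# and run a simple policy over it. Both SBOM documents here are constructed.
from __future__ import annotations

import json
import re
from typing import Any

# Constructed CycloneDX 1.4 document: an SPDX id, a compound expression, a
# named (non-SPDX) license, and a component with no license data at all.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "licenses": [{"expression": "Apache-2.0 OR OpenSSL"}]},
        {"type": "library", "name": "internal-lib", "version": "1.0",
         "licenses": [{"license": {"name": "ACME Proprietary"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})

# Constructed SPDX 2.3 document with the same packages in SPDX's field layout.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-1", "name": "log4j-core", "versionInfo": "2.17.1",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-2", "name": "openssl", "versionInfo": "3.0.7",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0 OR OpenSSL"},
        {"SPDXID": "SPDXRef-3", "name": "left-pad", "versionInfo": "1.3.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NONE"},
    ],
})

_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR)\s+")
_SPDX_NO_DATA = {"NOASSERTION", "NONE", ""}


def license_ids(expression: str) -> list[str]:
    """Split an SPDX license expression into its license terms, e.g.
    'Apache-2.0 OR (MIT AND BSD-3-Clause)' -> ['Apache-2.0', 'MIT', 'BSD-3-Clause'].
    A 'WITH' exception stays attached to its license; it is not a license itself."""
    flat = expression.replace("(", " ").replace(")", " ")
    return [term.strip() for term in _EXPR_SPLIT.split(flat) if term.strip()]


def _licenses_cyclonedx(component: dict[str, Any]) -> list[str]:
    # Each entry is {"license": {"id"|"name": ...}} or {"expression": "..."}.
    found: list[str] = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.extend(license_ids(entry["expression"]))
        elif "license" in entry:
            found.append(entry["license"].get("id") or entry["license"].get("name") or "UNKNOWN")
    return found


def _licenses_spdx(package: dict[str, Any]) -> list[str]:
    # Prefer licenseConcluded (what the SBOM author verified), then fall back
    # to licenseDeclared; NOASSERTION and NONE carry no license data.
    for field in ("licenseConcluded", "licenseDeclared"):
        value = package.get(field, "")
        if value not in _SPDX_NO_DATA:
            return license_ids(value)
    return []


def extract_licenses(sbom_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (name, version, licenses) for every package in a CycloneDX or SPDX SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return [(c.get("name", ""), c.get("version", ""), _licenses_cyclonedx(c))
                for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [(p.get("name", ""), p.get("versionInfo", ""), _licenses_spdx(p))
                for p in doc.get("packages", [])]
    raise ValueError("not a CycloneDX or SPDX JSON document")


def license_findings(sbom_text: str, denied: set[str]) -> list[tuple[str, str, str]]:
    """Flag denied licenses and, just as importantly, packages with no license data."""
    findings: list[tuple[str, str, str]] = []
    for name, version, licenses in extract_licenses(sbom_text):
        if not licenses:
            findings.append((name, version, "no license data in SBOM"))
        findings.extend((name, version, f"denied license {lic}") for lic in licenses if lic in denied)
    return findings
```

The check reports packages with no license data alongside denied licenses on purpose: an SBOM entry with no license at all is the case most likely to slip through a compliance review, and for SPDX documents NOASSERTION and NONE are treated as absent data rather than as a license name.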

Chapter 3. Bug fixes

In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. In addition to these fixes, we list previously known issues from earlier versions that are now fixed.

Fixed an inconsistency when a CVE has many CVSS scores

Before this update, vulnerabilities that have more than one Common Vulnerability Scoring System (CVSS) score were displayed inconsistently when applying a filter. The first CVSS score ordered the initial list of vulnerabilities, but the second score reordered the same list when a filter was applied, so the filtered list did not follow the order of the unfiltered list. With this release, the list of vulnerabilities is always ordered by the highest CVSS score, whether or not a filter is applied, which keeps the vulnerability list consistent.
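The following Python snippet, an added example rather than RHTPA code, reproduces the ordering problem described above on a constructed vulnerability list and shows the check that the fixed behaviour satisfies: a filtered list must keep the relative order of the unfiltered list. The two score sources per CVE (for example a NIST NVD score and a vendor score) and the severity label used as the filter key are assumptions made for the example.

```python
# Added example (not RHTPA code): the CVSS ordering bug and the consistency
# check that the fix satisfies. Vulnerability records are constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Vulnerability:
    cve: str
    scores: list[float]   # one CVSS base score per source, in ingestion order (assumed)
    severity: str         # label used as the filter key (assumed)


# Constructed sample: the first source ranks CVE-C above CVE-B, the second
# source ranks CVE-B above CVE-C, which is all it takes to trigger the bug.
SAMPLE = [
    Vulnerability("CVE-A", [9.8, 9.1], "critical"),
    Vulnerability("CVE-B", [7.5, 8.8], "high"),
    Vulnerability("CVE-C", [8.1, 7.2], "high"),
    Vulnerability("CVE-D", [5.3, 6.5], "medium"),
]


def order_before_fix(vulns: list[Vulnerability], severity: str | None = None) -> list[str]:
    """Pre-fix behaviour: the full list sorts on the first score, but the
    filtered view sorts on the second score."""
    if severity is None:
        return [v.cve for v in sorted(vulns, key=lambda v: v.scores[0], reverse=True)]
    filtered = [v for v in vulns if v.severity == severity]
    return [v.cve for v in sorted(filtered, key=lambda v: v.scores[1], reverse=True)]


def order_after_fix(vulns: list[Vulnerability], severity: str | None = None) -> list[str]:
    """Post-fix behaviour: always sort on the highest score, filtered or not."""
    if severity is not None:
        vulns = [v for v in vulns if v.severity == severity]
    return [v.cve for v in sorted(vulns, key=lambda v: max(v.scores), reverse=True)]


def is_consistent(full: list[str], filtered: list[str]) -> bool:
    """True when the filtered list keeps the relative order of the full list,
    that is, when it is a subsequence of it."""
    remaining = iter(full)
    return all(cve in remaining for cve in filtered)


if __name__ == "__main__":
    for label, order in (("before fix", order_before_fix), ("after fix", order_after_fix)):
        full, high = order(SAMPLE), order(SAMPLE, "high")
        print(f"{label}: full={full} high={high} consistent={is_consistent(full, high)}")
```

Running the block shows the filtered "high" view as CVE-B, CVE-C under both orderings, but only the post-fix full list places CVE-B before CVE-C; the subsequence check is the regression test to keep for any view that sorts and filters the same data.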

Changed the strategy type for deploying the spog-api and the collectorist-api in OpenShift

Before this update, the default strategy type for deploying the spog-api and the collectorist-api in OpenShift was a rolling update strategy. These two APIs mount a volume with the ReadWriteOnce access mode, which can be attached to only one node at a time. A rolling strategy does not scale down the existing pods before starting the replacement pods, so the replacement pods could not mount the volume still in use by the existing pods, and redeploying the RHTPA application failed. With this release, we changed the default strategy type from rolling to recreate for the spog-api and the collectorist-api pods.
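As an added example, not part of RHTPA or its Operator, the following Python check flags the combination this fix removes, a RollingUpdate Deployment mounting a ReadWriteOnce claim, in exported Deployment and PersistentVolumeClaim manifests. The manifests, claim names, and the third Deployment name embedded in it are constructed for the example, not the real RHTPA resources.

```python
# Added example (not RHTPA or Operator code): flag Deployments that pair a
# RollingUpdate strategy with a ReadWriteOnce claim. A ReadWriteOnce volume
# attaches to one node at a time; RollingUpdate starts the replacement pod
# while the old pod still holds the volume, so on a multi-node cluster the
# new pod cannot attach it, while Recreate terminates the old pod first.
# Manifests below are constructed in the shape of `oc get ... -o json` items.
from __future__ import annotations

from typing import Any

PVCS: dict[str, dict[str, Any]] = {
    "api-data": {"spec": {"accessModes": ["ReadWriteOnce"]}},
    "shared-cache": {"spec": {"accessModes": ["ReadWriteMany"]}},
}


def _deployment(name: str, claim: str, strategy: str | None) -> dict[str, Any]:
    """Build a minimal Deployment manifest for the constructed sample."""
    spec: dict[str, Any] = {
        "template": {"spec": {"volumes": [
            {"name": "data", "persistentVolumeClaim": {"claimName": claim}},
        ]}},
    }
    if strategy is not None:
        spec["strategy"] = {"type": strategy}
    return {"metadata": {"name": name}, "spec": spec}


DEPLOYMENTS = [
    _deployment("spog-api", "api-data", "RollingUpdate"),     # the pre-fix shape
    _deployment("collectorist-api", "api-data", "Recreate"),  # the post-fix shape
    _deployment("spog-ui", "shared-cache", None),             # RWX claim: rolling is fine
]


def strategy_type(deployment: dict[str, Any]) -> str:
    # Kubernetes defaults an omitted .spec.strategy to RollingUpdate.
    return deployment.get("spec", {}).get("strategy", {}).get("type", "RollingUpdate")


def rwo_claims(deployment: dict[str, Any], pvcs: dict[str, dict[str, Any]]) -> list[str]:
    """Names of PVCs mounted by the pod template that allow only ReadWriteOnce."""
    claims: list[str] = []
    for volume in deployment["spec"]["template"]["spec"].get("volumes", []):
        claim = volume.get("persistentVolumeClaim", {}).get("claimName")
        if claim is None:
            continue
        modes = pvcs.get(claim, {}).get("spec", {}).get("accessModes", [])
        if "ReadWriteOnce" in modes and "ReadWriteMany" not in modes:
            claims.append(claim)
    return claims


def find_conflicts(deployments: list[dict[str, Any]],
                   pvcs: dict[str, dict[str, Any]]) -> list[tuple[str, str]]:
    """(deployment, claim) pairs that will wedge on redeploy."""
    return [(d["metadata"]["name"], claim)
            for d in deployments if strategy_type(d) == "RollingUpdate"
            for claim in rwo_claims(d, pvcs)]


if __name__ == "__main__":
    for name, claim in find_conflicts(DEPLOYMENTS, PVCS):
        print(f"{name}: RollingUpdate with ReadWriteOnce claim {claim}; set strategy.type=Recreate")
```

On a live cluster, feed the check the items of oc get deployments -o json and oc get pvc -o json from the RHTPA namespace. To apply the same change by hand to an existing Deployment, a JSON merge patch of the form {"spec":{"strategy":{"type":"Recreate","rollingUpdate":null}}} via oc patch --type=merge switches it to Recreate; the rollingUpdate field has to be cleared because the API rejects it alongside type Recreate.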

Vulnerability count mismatch

Before this update, there was a vulnerability count mismatch between the Common Vulnerabilities and Exposures (CVE) panel and the Software Bill of Materials (SBOM) dashboard. With this release, the CVE panel and the SBOM dashboard report the same vulnerability count.

Duplicate SBOMs displayed in the RHTPA console

We fixed a bug when retrieving data from the Graph for Understanding Artifact Composition (GUAC) engine by properly identifying packages that are referenced by a hash within software bill of materials (SBOM) documents. With this fix, the RHTPA console no longer shows duplicate entries for the same SBOM.

Errors with cyclical dependencies within SBOM documents

Some software bill of materials (SBOM) documents contain cyclical package dependencies, which caused errors when retrieving the expected data. We fixed a bug in the Graph for Understanding Artifact Composition (GUAC) engine so that the graph is properly traversed from a package to the product it belongs to. With this update, the package details page reports the correct product association.

SBOM data does not load properly when uploading a large SBOM

Before this update, when uploading a large software bill of materials (SBOM) document, for example an SBOM that includes 50,000 packages, the RHTPA dashboard did not load properly. The cause was Keycloak's access token expiring before the SBOM data finished uploading. With this release, we fixed this issue: uploading a large SBOM document works as expected, and the data displays properly in the RHTPA dashboard.

Chapter 4. Known issues

A list of known issues found in this release of Red Hat Trusted Profile Analyzer (RHTPA):

Value inconsistencies between the SBOM bar chart and the pie chart

The Software Bill of Materials (SBOM) documents listed on the bar chart have different values from the pie chart on the RHTPA home page. There is currently no workaround for this issue; it will be fixed in a later release.

The spog-ui-pod-service pod restarts when launching the Trusted Profile Analyzer console in a web browser

When running Red Hat Trusted Profile Analyzer (RHTPA) on Red Hat Enterprise Linux (RHEL), the spog-ui-pod-service pod restarts when you first launch the Trusted Profile Analyzer console in a web browser, causing the application to be unresponsive. To work around this issue, refresh the web page, or close the browser tab and reopen the RHTPA console in a new tab. Doing this loads the RHTPA console successfully.

The collector-osv gives a GraphQL error

When the collector-osv sends data to the Graph for Understanding Artifact Composition (GUAC) API that does not comply with the GUAC GraphQL schema, the default values are not applied for some optional fields, for example the namespace of a package. GUAC returns the following error message:

pq: insert or update on table package_versions violates foreign key constraint package_versions_package_names_versions

This causes the ingestion of Open Source Vulnerabilities (OSV) data to fail, and as a consequence some packages can have fewer vulnerabilities reported than expected. Currently, there is no workaround for this issue.

Inconsistencies between the total number of CVEs displayed on the dashboard and the CVE tab

The total number of Common Vulnerabilities and Exposures (CVE) is computed with different filters on the RHTPA home page dashboard and on the CVE tab of the search results page, causing the discrepancy between the two values. Currently, there is no workaround for this known issue.

Data migration fails when upgrading from Trusted Profile Analyzer 1.1.2 to 1.2

The bombastic and vexation collector pods crash when there is no space left on the persistent volume claim (PVC) for the PostgreSQL instance. To work around this potential issue, increase the size of the PVC by 10 GB.

An API error on the package details page

In the RHTPA console, when navigating from the Vulnerabilities page to the package details page, clicking the affected dependencies link gives you the following error message:

API error: Error contacting GUAC (Guac) - Client error: Cannot find an SBOM for PackageUrl

Currently, there is no workaround for this known issue.

Package version mismatch between the API response and the HTML report for Red Hat Dependency Analytics

Opening a manifest file for analysis in Visual Studio Code or IntelliJ can give you a different package version number in the Red Hat Dependency Analytics (RHDA) HTML report than in an API client response. Before analyzing the manifest file, the API client compares the package versions in the manifest file to the package versions installed in the client's environment. When a package version differs, you receive an error message naming the first package version mismatch. To work around this issue, disable the Match Manifest Versions option of the RHDA extension in your integrated development environment (IDE).

Chapter 5. Removed functionality

An overview of removed and deprecated functionality in all supported releases up to this release of Red Hat Trusted Profile Analyzer (RHTPA).

Removed the Dependency Analytics report from Red Hat Trusted Profile Analyzer

With this release, we removed the Dependency Analytics report functionality from Red Hat’s Trusted Profile Analyzer product.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.