Release Notes


Red Hat Trusted Profile Analyzer 2.1

Release notes for Red Hat Trusted Profile Analyzer 2.1

Red Hat Trusted Documentation Team

Abstract

Welcome to Red Hat Trusted Profile Analyzer's official release notes for version 2.1!
The release notes describe the new features, enhancements, known issues, bug fixes, and deprecated functionality in the Red Hat Trusted Profile Analyzer 2.1 software release.

Chapter 1. Introduction

Red Hat’s Trusted Profile Analyzer (RHTPA) is a proactive service that assists in risk management of Open Source Software (OSS) packages and dependencies. The Trusted Profile Analyzer service brings awareness to and remediation of OSS vulnerabilities discovered within the software supply chain.

The Trusted Profile Analyzer software Release Notes document new features and enhancements, bug fixes, and known issues for the latest version, 2.1. We add the newest items to the top of each chapter, as we build upon the official release notes over the lifecycle of the major and minor releases.

New for this release
  • Installing the RHTPA operator for Red Hat’s OpenShift Container Platform is a Technology Preview feature.
  • Added Quay as a data importer for Software Bill of Materials (SBOM) documents.
  • The ability to add labels to SBOM documents and advisories.
  • Collection of metric and tracing data for enhanced observability and troubleshooting.

Chapter 2. New features and enhancements

A list of all major enhancements and new features introduced in this release of Red Hat Trusted Profile Analyzer (RHTPA).

The features and enhancements added by this release are:

Red Hat Trusted Profile Analyzer operator for OpenShift Container Platform is available

With this release, you can deploy the Trusted Profile Analyzer service on Red Hat’s OpenShift Container Platform (RHOCP) by installing the RHTPA operator provided by Red Hat’s Marketplace on the OperatorHub. Installing the RHTPA operator is a Technology Preview feature and is not recommended for running production workloads.

Important

Deploying the RHTPA operator is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the support scope for Red Hat Technology Preview features for more details.

Improvements for handling CVSS scores

With this release, we improved how RHTPA handles Common Vulnerability Scoring System (CVSS) scores for vulnerabilities. To take advantage of these improvements, you must remove the Common Vulnerabilities and Exposures (CVE) importer and then add it again.

Using the RHTPA API endpoints, do the following steps:

  1. Remove the existing CVE importer:

     http DELETE <RHTPA_BASE_URL>/api/v2/importer/cve

  2. Add the CVE importer back:

     http POST <RHTPA_BASE_URL>/api/v2/importer/cve cve[source]=https://github.com/CVEProject/cvelistV5 cve[disabled]:=false cve[period]=30s cve[description]="CVE List V5"
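The same two steps as one script that uses curl instead of httpie, with the request body written out as the JSON that the httpie command builds (httpie's `:=` fields are raw JSON values, its `=` fields are strings). The script checks the HTTP status of each call, treats a 404 on the DELETE as "nothing to remove", and stops before re-adding the importer if the removal failed. This is an added example, not part of the RHTPA documentation or product code; the RHTPA_BASE_URL and RHTPA_TOKEN variable names and the bearer-token Authorization header are assumptions, because the page does not specify how requests are authenticated.

```shell
#!/bin/sh
# Added example (not RHTPA documentation or product code): remove and re-add the
# CVE importer with curl. RHTPA_BASE_URL and RHTPA_TOKEN (bearer token, sent only
# when set) are assumed names, not documented ones.
set -eu

# JSON body equivalent to the documented httpie command:
#   cve[source]=... cve[disabled]:=false cve[period]=30s cve[description]="CVE List V5"
# (httpie's := produces a raw JSON boolean, = produces a JSON string)
cve_importer_payload() {
  cat <<'EOF'
{"cve":{"source":"https://github.com/CVEProject/cvelistV5","disabled":false,"period":"30s","description":"CVE List V5"}}
EOF
}

# Send one request to the v2 API and print only the HTTP status code.
rhtpa_request() {
  method="$1"; path="$2"; body="${3:-}"
  set -- -sS -o /dev/null -w '%{http_code}' -X "$method"
  if [ -n "${RHTPA_TOKEN:-}" ]; then
    set -- "$@" -H "Authorization: Bearer ${RHTPA_TOKEN}"
  fi
  if [ -n "$body" ]; then
    set -- "$@" -H 'Content-Type: application/json' --data "$body"
  fi
  curl "$@" "${RHTPA_BASE_URL}/api/v2${path}"
}

# Any 2xx status is a success.
status_ok() {
  case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# For the DELETE step a 404 is also acceptable: there was no importer to remove.
delete_accepted() {
  status_ok "$1" || [ "$1" = "404" ]
}

recreate_cve_importer() {
  del=$(rhtpa_request DELETE /importer/cve)
  if ! delete_accepted "$del"; then
    echo "DELETE /api/v2/importer/cve failed with HTTP $del" >&2
    return 1
  fi
  add=$(rhtpa_request POST /importer/cve "$(cve_importer_payload)")
  if ! status_ok "$add"; then
    echo "POST /api/v2/importer/cve failed with HTTP $add" >&2
    return 1
  fi
  echo "CVE importer re-created (DELETE=$del, POST=$add)"
}

# Run only when invoked as:  RHTPA_BASE_URL=https://rhtpa.example sh recreate-cve-importer.sh run
if [ "${1:-}" = "run" ]; then
  recreate_cve_importer
fi
```

Sourcing the file without the `run` argument only defines the functions, which is convenient for checking the generated payload before pointing it at a live instance.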

Aggregated severity value removed from RHTPA console

With this release, we removed the Aggregated severity value from the RHTPA console. This value was calculated as an average of the vulnerability and advisory scores, but that information is not useful to know.

Collecting metrics and tracing data

With this release, we added the ability to stream metrics and tracing data to the OpenTelemetry collector over the OpenTelemetry protocol (OTLP). This helps with observability and with troubleshooting problems as they occur. You can enable metrics and tracing by setting the following options in the Helm chart or in the Ansible Playbook.

Helm chart

metrics.enabled=true
tracing.enabled=true
collector.endpoint="<OPENTELEMETRY_COLLECTOR_URL_ENDPOINT>"

Ansible Playbook

TPA_OTEL_METRICS_ENABLED=true
TPA_OTEL_TRACING_ENABLED=true
TPA_OTEL_COLLECTOR_ENDPOINT=<OPENTELEMETRY_COLLECTOR_URL_ENDPOINT>

Chapter 3. Bug fixes

In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.

Search queries with special characters do not work as expected

When searching by text for Software Bill of Materials (SBOM) documents, you can use some special characters to affect the meaning of a search query. But in some cases an SBOM document name can itself contain a special character, resulting in an HTTP error response, because the API interprets the special character as a structured filter. With this release, we fixed this issue by automatically escaping special characters before sending the search query.

SBOM uploads start at 100%

We fixed an issue where uploading multiple files from the Upload page within the RHTPA console erroneously showed 100% completed. The upload percentage for the SBOM documents is now accurately represented.

Long SBOM names display outside the pie chart boundaries

When a Software Bill of Materials (SBOM) has a long name, the name can exceed the pie chart boundaries. With this release, we fixed this issue.

Importer pod stays in a pending state

When the importer pod starts on an OpenShift cluster that has no default storage class set for persistent volume claims (PVC), the PVC goes into a pending state. We fixed this issue by adding the modules.importer.storageClassName and storage.storageClassName fields. You can configure these fields before or after deploying RHTPA on OpenShift. This allows the PVC to become active as expected.

Chapter 4. Known issues

A list of unresolved known issues found in this release:

License information does not comply with SPDX specification standards

The embedded license information within a package or component of a Software Bill of Materials (SBOM) does not comply with the SPDX specification standards. Because of this issue, RHTPA marks the package URL license details as NOASSERTION. Currently, there is no workaround for this issue.

A custom Quay source with a self-signed certificate does not import data

When you set a custom Quay source with a self-signed certificate, the data is not imported into RHTPA. This is because the trust anchor for data importers is missing. Currently, there is no workaround for this issue.

An IncompleteBody error when using OpenShift Data Foundation

Red Hat’s OpenShift Data Foundation does not support the compression logic that uses the aws-sdk Rust client. When using OpenShift Data Foundation as an object store for RHTPA, you can get a 409 response code, along with an IncompleteBody error message. This issue resides within the OpenShift Data Foundation code base. To work around this issue, we removed the compression logic capability from RHTPA’s source code when using OpenShift Data Foundation. With this workaround, Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) documents upload without errors.

The rhtpa-operator-controller-manager pod in a reconciliation loop

The rhtpa-operator-controller-manager pod keeps going into a reconciliation loop each time after updating the server or a resource. This makes manual changes impossible because they conflict with the configuration updates automatically done during reconciliation. This also causes the logs to fill up with a line every second for each new reconciliation trigger event. Currently, there is no workaround for this issue.

Large number of vulnerabilities reported

The logic that correlates vulnerability data between advisories and large Software Bill of Materials (SBOM) documents can cause pages to load slowly and display a large number of vulnerabilities. Currently, there is no workaround for this issue.

Searching by SBOM version gives inconsistent results

When using Software Bill of Materials (SBOM) version numbers as search criteria, you can get inconsistent results. In some cases, the search engine finds SBOM documents that have the version number in the file name or in the document_id field. In other cases, the search engine finds no matching SBOM versions, even with a valid SBOM version number. There is currently no workaround for this issue.

Remote server connection drops on bulk uploads that use the API

When uploading a compressed SBOM document by using the RHTPA API, for example, a 350 MB compressed file, the connection to the remote RHTPA service can drop. This causes a partial upload of the files. To work around this issue, split the larger SBOM document into smaller sizes, for example, compressed files roughly 10-20 MB in size. This allows the upload to finish successfully.

Vulnerability information cannot be deleted by using the API

Using the RHTPA API to delete vulnerabilities and Common Vulnerabilities and Exposures (CVE) information gives a foreign key constraints error message. With this release, we added a Not implemented message in the return code. In a future release, we are going to deprecate this delete function.

No support for CPE version 2.3

Common Platform Enumeration (CPE) version 2.3 identifiers, and Software Bill of Materials (SBOM) documents formatted with CPE string bindings, do not render properly in the RHTPA console or when exporting license information. There is currently no workaround for this issue.

Trusted Profile Analyzer 2.0 requires Helm version 3.17 or later

To install RHTPA 2.0 and later, you must use Helm version 3.17 or later to deploy the Trusted Profile Analyzer service on the Red Hat OpenShift Container Platform.

No support for CVSS v4 scores

Currently, there is no support for Common Vulnerability Scoring System (CVSS) version 4 scores in RHTPA.

Advisories with an environmental or temporal score fail to upload

A Common Security Advisory Framework (CSAF) document with a Common Vulnerability Scoring System (CVSS) vector that has an environmental or temporal score can fail when uploading it to RHTPA. Because of this upload failure, you cannot see the advisory within the RHTPA console. Currently, there is no workaround for this issue.

Chapter 5. Deprecated functionality

An overview of deprecated functionality in all supported releases up to this release of Red Hat Trusted Profile Analyzer (RHTPA).

Vulnerability information cannot be deleted by using the API

Using the RHTPA API to delete vulnerabilities and Common Vulnerabilities and Exposures (CVE) information gives a foreign key constraints error message. With this release, we added a Not implemented message in the return code, and deprecated this delete function.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.