Chapter 3. Bug fixes
In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.
- After deleting an SBOM, the dashboard shows errors

  Before this update, if an SBOM referenced in user preferences was removed, an `unable to connect` error occurred, and the corresponding SBOM's vulnerability doughnut chart was replaced with an alert icon. With this release, the application proactively handles deleted SBOMs, and the affected part of the dashboard resets to its default state. Users can select a different SBOM to track.
- Querying the `latest` API endpoint omitted `ancestors`

  Before this update, the query system for the `latest` endpoint had inconsistent implementations between filling the cache and collecting nodes from it. Depending on the cache state, this inconsistency sometimes prevented the return of items that matched the query filter. With this release, the implementation of cache filling and node collection is consistent, so all expected nodes are now retrieved.
- Missing results returned by API endpoint

  Before this update, the `analysis/latest/component` API calls returned incomplete result sets, so some components were missing from the API response. With this release, we fixed the `analysis/latest/component` API so that, for every component returned by the `analysis/component` endpoint, a single, latest version is returned by the `analysis/latest/component` API when using the same search criteria. As a result, both endpoints now work consistently, and the `analysis/latest/component` API's response includes one version of every component returned by the `analysis/component` endpoint.
- Metrics not matching the correct API calls

  Before this update, the `/recommend` and `/analyze` endpoints were registered in an order that caused OpenTelemetry to match `/v2/purl/{key}` instead of `/v2/purl/recommend`. Consequently, OpenTelemetry reported no requests to the `/analyze` and `/recommend` endpoints; those requests were attributed to the `/purl/{key}` and `/vulnerability/{key}` endpoints instead. With this release, the `/purl/recommend` and `/vulnerability/analyze` endpoints have been moved before the conflicting endpoints. As a result, metrics are now reported for all endpoints.
- Improved the handling of circular references in SBOM documents

  With this update, a Software Bill of Materials (SBOM) with circular links in its package or component structure is now processed. Before this update, such SBOMs, including their non-circular parts, were ignored or missing from the result set. With this release, the system tracks visited nodes and halts processing when a node is re-visited, returning all discovered items but adding a warning field on the re-discovered node. As a result, more SBOMs participate in the processing of the analysis endpoint. Only when an actual loop is encountered is information omitted to prevent infinite recursion, and a warning is added.
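The following is an added illustration of the traversal strategy described in this item; it is not RHTPA's own code. It walks a constructed package graph, keeps the set of nodes on the current path, and when it meets a node already on that path it emits the node once more as a stub carrying a warning instead of descending into it again, so a loop can never recurse without bound. Tracking the current path rather than all nodes ever visited is a design choice assumed here: a shared dependency reached by two different routes (a diamond) is not a loop and gets no warning. The `Discovered` type, the `warning` field and the sample graph are all assumptions for this example.

```rust
use std::collections::{HashMap, HashSet};

/// One item returned by the walk (constructed type, not RHTPA's data model).
#[derive(Debug, Clone, PartialEq)]
pub struct Discovered {
    pub id: String,
    /// Set only when this node was reached again along the current path,
    /// i.e. an actual loop was encountered.
    pub warning: Option<String>,
}

/// Walk the dependency graph from `root` and return every node reached,
/// in discovery order. Nodes closing a loop are returned as warning stubs
/// and their children are not expanded again.
pub fn collect(graph: &HashMap<&str, Vec<&str>>, root: &str) -> Vec<Discovered> {
    let mut out = Vec::new();
    let mut on_path = HashSet::new();
    walk(graph, root, &mut on_path, &mut out);
    out
}

fn walk(
    graph: &HashMap<&str, Vec<&str>>,
    node: &str,
    on_path: &mut HashSet<String>,
    out: &mut Vec<Discovered>,
) {
    // Re-visiting a node that is still on the current path means a loop:
    // record it with a warning and stop descending.
    if on_path.contains(node) {
        out.push(Discovered {
            id: node.to_string(),
            warning: Some(format!("circular reference: {node} already visited on this path")),
        });
        return;
    }
    on_path.insert(node.to_string());
    out.push(Discovered { id: node.to_string(), warning: None });
    for child in graph.get(node).into_iter().flatten() {
        walk(graph, child, on_path, out);
    }
    // Leaving the node makes it reachable again via a different route
    // (a diamond is not a loop).
    on_path.remove(node);
}

/// Constructed sample: app -> libA -> libC -> libA is a loop; libB also
/// depends on libC, so libC is legitimately reached twice.
pub fn sample_graph() -> HashMap<&'static str, Vec<&'static str>> {
    let mut g = HashMap::new();
    g.insert("app", vec!["libA", "libB"]);
    g.insert("libA", vec!["libC"]);
    g.insert("libB", vec!["libC"]);
    g.insert("libC", vec!["libA"]);
    g
}

fn main() {
    for item in collect(&sample_graph(), "app") {
        println!("{item:?}");
    }
}
```

Running it prints eight items: the loop is reported twice (once from each route into it), each time on the node that closes it, while every non-circular part of the graph is still returned.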
- CVE importer error for vulnerabilities that use schema 5.2.0

  A new Common Vulnerabilities and Exposures (CVE) schema, version 5.2.0, was implemented recently. The CVE list project, along with the Trusted Profile Analyzer's CVE data importer, uses this schema for formatting vulnerability information. Before this update, vulnerabilities that use the new schema loaded with the following error message: `data did not match any variant of untagged enum`. With this update, we fixed this bug.
- Downloads fail for Zstandard-compressed files uploaded before RHTPA 2.2

  Upgrading to RHTPA 2.2 made it impossible to download existing Software Bill of Materials (SBOM) documents and advisory files that were uploaded with storage compression set to Zstandard (`storage.compression=zstd`). This was due to an incompatibility between the older Zstandard (Zstd) compression used in RHTPA 2.1.1 and earlier and the newer Zstd library introduced in version 2.2. This incompatibility was fixed by ensuring that output streams are properly shut down after writing all buffered data.
- Poor performance when retrieving vulnerabilities for an SBOM

  Retrieving large numbers of vulnerabilities for packages from a Software Bill of Materials (SBOM) document caused poor performance, taking several minutes to load the data into RHTPA. With this release, we optimized the query, so thousands of vulnerabilities now load in seconds instead of minutes.
- The default value for `spec.image` prevents the RHTPA Operator from upgrading

  The default value for `spec.image` in the custom resource (CR) template contains a hard-coded image version for the RHTPA service container. Any user-created CR configuration that uses this value is not upgraded automatically, which prevents the RHTPA Operator from upgrading. With this release, we removed this value from the CR template. To resolve this issue for existing CRs, remove the `image` key from `spec`. For example, running the following command patches the CR template:

  $ oc patch rhtpa/trustedprofileanalyzer-sample --type=json -p '[{"op":"remove", "path":"/spec/image"}]'
- Improved performance when deleting SBOM documents

  With this update, the RHTPA API call that deletes Software Bill of Materials (SBOM) documents operates more efficiently because the Garbage Collector was removed from its execution path. Before this update, the Garbage Collector was triggered with each API call, causing extended completion times for the deletion call. The Garbage Collector tries to identify and delete all orphaned packages, rather than deleting only the packages referenced by a specific SBOM document. For this release, we decoupled the Garbage Collector from the SBOM deletion API call, which significantly improves the API's responsiveness.
- The `rhtpa-operator-controller-manager` pod in a reconciliation loop

  With this update, we modified the RHTPA Operator Controller Manager to trigger reconciliation every minute instead of every second. This change reduces the frequency of operator-generated changes to RHTPA deployments, resulting in fewer events and log entries. This reduction makes manual configuration changes less prone to collisions, and the longer window for applying changes is more conducive to manual adjustments.
- Importer pod stays in a pending state

  When starting the importer pod, if OpenShift has no default storage class set for Persistent Volume Claims (PVC), the PVC goes into a pending state. We fixed this issue by adding the `modules.importer.storageClassName` and `storage.storageClassName` fields. You can configure these fields before or after deploying RHTPA on Red Hat OpenShift. This allows the PVC to become active as expected.
- An error occurs when an image tag expires while importing images from Quay

  Changes to container images within the Quay registry during the execution of the RHTPA Quay importer could previously result in images expiring or being deleted, causing Quay importer failures. With this release, we fixed the importer to proactively manage potential image or image tag issues, enabling it to complete without interruption and report issues with individual images in its comprehensive log report.
- Removing orphaned documents

  With this update, the document storage no longer lags behind the database, eradicating orphaned documents and thus optimizing storage usage. Previously, unnecessary storage was consumed due to the inconsistency between document storage and the database.