Chapter 3. Bug fixes


In this release of Red Hat Trusted Profile Analyzer (RHTPA), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.

The bombastic-collector does not handle special characters in the id field

Before this update, a software bill of materials (SBOM) file that contained special characters in the id field failed to ingest properly when running RHTPA on Amazon Web Services (AWS) infrastructure. This caused missing data on the vulnerabilities page. With this release, you can use special characters in the id field before uploading the SBOM.

The collector-osv fails to ingest vulnerabilities with a CVSS_V4 severity

Before this update, ingesting vulnerability data from the OpenSource Vulnerability (OSV) service failed to associate vulnerabilities that have a CVSS_V4 score with the packages that they impact. Because of this, fewer vulnerabilities might be associated with the packages and software bills of materials (SBOMs) that have been ingested into RHTPA. With this release, this issue has been fixed.

Fixed a potential exploit for CVE-2024-21536

With this release, we updated the http-proxy-middleware component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21536.

The v11y-walker job fails when ingesting CVEs

The v11y-walker job would generate an error when the prefix configuration to ingest Common Vulnerabilities and Exposures (CVE) was not applied properly. The prefix configuration determines the range of CVEs to ingest. The wrong range caused RHTPA to ingest unwanted CVEs. With this release, we fixed the CVE ingestion process to only match CVEs that use the supplied prefix configuration.

Fixed a potential exploit for CVE-2024-21538

With this release, we updated the cross-spawn component in RHTPA to a version that mitigates the vulnerability for CVE-2024-21538.

A timeout error occurs when doing an SBOM bulk upload

Doing a software bill of materials (SBOM) bulk upload caused the SBOM dashboard to fail when loading, giving a connection timeout error. With this release, we fixed the livenessProbe to use curl to connect to the appropriate endpoint.

The initialDelaySeconds property for livenessProbe and readinessProbe is configurable

Before this update, we had a hard-coded value of 2 seconds set on the initialDelaySeconds property for livenessProbe and readinessProbe. With this release, you can configure the initialDelaySeconds property in the RHTPA Helm values file.

A partially ingested SBOM gives an error on the Vulnerabilities tab

Uploading a software bill of materials (SBOM) file has many steps to complete during the ingestion process. Until this ingestion process finishes, viewing SBOM vulnerability information is inconsistent, and the page could display an error message when no real error occurred. With this release, we removed this error message, and return an empty page on the Vulnerabilities tab.

The guac-collectsub-pod-service pod is caught in an infinite restart loop

Deploying RHTPA on Red Hat Enterprise Linux by using the Ansible Playbook would cause the health check to fail on the guac-collectsub-pod-service pod. This caused the pod to enter an infinite restart loop. With this release, we fixed the livenessProbe by enabling the correct API endpoint.

Fixed a timeout issue when ingesting SBOMs for the dashboard charts

When ingesting a software bill of materials (SBOM) file that has a large number of packages, and if those packages have many associated vulnerabilities, the API call to retrieve the data for the dashboard charts would time out. With this release, we made improvements to the API calls that give data to the dashboard charts, so that the dashboard charts populate properly and in a timely manner.

Missing CVSS scores for some CVEs

Some Common Vulnerabilities and Exposures (CVE) have elements in the metrics array, but have no corresponding Common Vulnerability Scoring System (CVSS) score. Not having the CVSS score limits the ability to query for data on CVEs. With this release, we do a check for a valid CVSS score within the elements in the metrics array, and properly display the CVE’s CVSS score.
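The kind of check described above, as an added example (not RHTPA's own code). It assumes the metrics array follows the CVE Record Format 5.x, where an element can carry a `cvssV4_0`, `cvssV3_1`, `cvssV3_0`, or `cvssV2_0` object or only an `other` entry; the record IDs and the newest-first preference are constructed for illustration.

```python
# CVSS keys a metrics element can carry in CVE Record Format 5.x, newest first.
# Preferring the newest version is this example's choice, not documented RHTPA behavior.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")

# Constructed records (placeholder IDs); each has a non-empty metrics array.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "metrics": [
        {"other": {"type": "ssvc", "content": {"id": "CVE-0000-0001"}}}]},
    {"id": "CVE-0000-0002", "metrics": [
        {"other": {"type": "ssvc", "content": {}}},
        {"cvssV3_1": {"version": "3.1", "vectorString":
                      "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}},  # no baseScore
        {"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "vectorString":
                      "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]},
    {"id": "CVE-0000-0003", "metrics": [
        {"cvssV3_1": {"version": "3.1", "baseScore": "high"}}]},  # not a number
]

def valid_score(cvss):
    """Return baseScore as a float if it is a number in 0.0-10.0, else None."""
    score = cvss.get("baseScore") if isinstance(cvss, dict) else None
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None
    return float(score) if 0.0 <= score <= 10.0 else None

def best_cvss(metrics):
    """First valid (key, score, vector) across all elements, by version preference."""
    for key in CVSS_KEYS:
        for element in metrics or []:
            if isinstance(element, dict):
                score = valid_score(element.get(key))
                if score is not None:
                    return key, score, element[key].get("vectorString")
    return None

def records_without_cvss(records):
    """IDs of records whose metrics array is non-empty but yields no valid score."""
    return [r["id"] for r in records
            if r.get("metrics") and best_cvss(r["metrics"]) is None]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], best_cvss(rec["metrics"]))
    print("metrics but no CVSS:", records_without_cvss(SAMPLE_RECORDS))
```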

Nested packages within a CycloneDX SBOM are not ingested

We fixed a bug where only the main package was ingested, but the nested packages were not. With this release, RHTPA correctly traverses a CycloneDX software bill of materials (SBOM) manifest file, and includes those nested packages in the database.
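To check an ingest against its source file, the added example below (not RHTPA's own code) walks a CycloneDX document and lists every package, including those held in a component's nested `components` array. The sample SBOM is constructed, and reading "main package" as a top-level component is an assumption.

```python
import json

# Constructed CycloneDX fragment (not from the page): two levels of nesting.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "outer", "version": "2.0.0",
     "purl": "pkg:npm/outer@2.0.0",
     "components": [
       {"type": "library", "name": "inner-a", "version": "0.1.0",
        "purl": "pkg:npm/inner-a@0.1.0",
        "components": [
          {"type": "library", "name": "deep", "version": "3.2.1",
           "purl": "pkg:npm/deep@3.2.1"}
        ]},
       {"type": "library", "name": "inner-b", "version": "0.2.0"}
     ]},
    {"type": "library", "name": "flat", "version": "1.1.0",
     "purl": "pkg:npm/flat@1.1.0"}
  ]
}
""")

def walk_components(components):
    """Yield (depth, component) for each component, descending into nested ones."""
    # Explicit stack instead of recursion, so deep nesting cannot hit the
    # interpreter's recursion limit.
    stack = [(0, c) for c in reversed(components or [])]
    while stack:
        depth, comp = stack.pop()
        yield depth, comp
        stack.extend((depth + 1, c) for c in reversed(comp.get("components") or []))

def package_ids(sbom, nested=True):
    """Identify each package by purl, falling back to name@version."""
    top = sbom.get("components") or []
    items = walk_components(top) if nested else ((0, c) for c in top)
    return [c.get("purl") or f"{c.get('name')}@{c.get('version')}" for _, c in items]

def missed_by_flat_read(sbom):
    """Packages absent when only the top-level components array is read."""
    seen = set(package_ids(sbom, nested=False))
    return [p for p in package_ids(sbom) if p not in seen]

if __name__ == "__main__":
    print(len(package_ids(SAMPLE_SBOM)), "packages;", missed_by_flat_read(SAMPLE_SBOM))
```

Comparing the length of `package_ids(sbom)` with the package count shown for the SBOM after upload gives a quick signal that nested packages were ingested.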

Large SBOM manifest files generate an error when uploading

When uploading a large software bill of materials (SBOM) manifest file to RHTPA, the index updates properly, but the database does not. We consider a large SBOM manifest file to be 90 MB in size, containing 70,000 packages. With this release, we fixed the issue with the database update.


© 2026 Red Hat