rel-37

What's Changed

• Implement help in Makefile by @gliptak in #1019
• Bump the loader-minor-updates group in /function/loader with 1 update by @dependabot[bot] in #1025
• Update the K8S deb repo to the community repo. by @calebbrown in #1026
• Bump the parsing-minor-updates group in /internal/staticanalysis/parsing with 2 updates by @dependabot[bot] in #1024
• Bump the gomod-minor-updates group with 8 updates by @dependabot[bot] in #1023
• Bump the actions-minor-updates group with 2 updates by @dependabot[bot] in #1020
• Bump GVisor to the latest release 20240212. by @calebbrown in #1027
• Refactor docker/* targets in Makefile by @gliptak in #1028
• Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @dependabot[bot] in #1031
• Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /function/loader by @dependabot[bot] in #1030
• Rename ExtractTarGzFile to ExtractArchiveFile by @gliptak in #1033
• Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #1022
• Bump the gomod-minor-updates group with 6 updates by @dependabot[bot] in #1036
• Bump actions/dependency-review-action from 3.1.4 to 4.2.5 by @dependabot[bot] in #1040
• upgrade golang.org/x/net package to remediate vulnerability by @maxfisher-g in #1042
• golangci-lint: disable deprecated linters by @thepwagner in #1054
• Bump the actions-minor-updates group across 1 directory with 7 updates by @dependabot[bot] in #1062
• Bump the parsing-minor-updates group across 1 directory with 2 updates by @dependabot[bot] in #1060
• Bump cloud.google.com/go/bigquery from 1.59.1 to 1.62.0 in /function/loader in the loader-minor-updates group by @dependabot[bot] in #1059
• Update the perms to allow OSV scanning to work. by @calebbrown in #1064
• fix: word in queries.md by @Yao-Wen-Chang in #1049
• Bump Go to v1.23.1 by @calebbrown in #1065
• Bump the actions-minor-updates group across 1 directory with 4 updates by @dependabot[bot] in #1073
• Bump golangci/golangci-lint-action from 4.0.0 to 6.1.1 by @dependabot[bot] in #1070
• Bump github/codeql-action from 2.13.4 to 3.26.12 by @dependabot[bot] in #1071
• Bump the gomod-minor-updates group across 1 directory with 9 updates by @dependabot[bot] in #1074
• Bump the parsing-minor-updates group in /internal/staticanalysis/parsing with 2 updates by @dependabot[bot] in #1079
• Bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot[bot] in #1085
• Bump golang.org/x/crypto from 0.25.0 to 0.31.0 in /function/loader by @dependabot[bot] in #1086
• Rename deadline to the correct timeout so linting completes. by @calebbrown in #1089
• Bump Go dependencies to the latest versions. by @calebbrown in #1090
• Bump the gomod-minor-updates group across 1 directory with 3 updates by @dependabot[bot] in #1095
• Bump the actions-minor-updates group across 1 directory with 7 updates by @dependabot[bot] in #1096
• Bump the parsing-minor-updates group across 1 directory with 2 updates by @dependabot[bot] in #1097
• Update deps for the Cloud Run Function loader. by @calebbrown in #1098
• Use .removesuffix of .rstrip when trying to import Python files. by @calebbrown in #1099
• Update README to use correct Makefile target name. by @mathew-horner in #1080
• Bump the version of gvisor used so it runs on newer kernels. by @calebbrown in #1126
• Bump docker base image versions. by @calebbrown in #1127

New Contributors

• @gliptak made their first contribution in #1019
• @thepwagner made their first contribution in #1054
• @Yao-Wen-Chang made their first contribution in #1049
• @mathew-horner made their first contribution in #1080

Full Changelog: rel-36...rel-37

rel-36

What's Changed

• enable code execution feature by default by @maxfisher-g in #958
• Add environment variable baits by @elainechien in #948
• cmd/analyze: use exit status 1 and 2 for errors, improve error messages for invalid cli arguments by @maxfisher-g in #967
• python dynamic analysis: support async and generator function execution by @maxfisher-g in #968
• update babel parser to match babel traverse version by @maxfisher-g in #969
• strace parsing: fix regex issue when unlink syscall does not have path by @maxfisher-g in #970
• add python3-dev package to dynamic analysis dockerfile by @maxfisher-g in #974
• cmd/analyze: add resolved package version to logging context by @maxfisher-g in #975
• Add archive checksum by @h0x0er in #978
• Fix compose path by @lukehinds in #983
• move DynamicAnalysisRecord struct to public API by @maxfisher-g in #986
• sandboxes/README.md: fix some sentences by @maxfisher-g in #992
• pkg/api/analysisrun refactoring by @maxfisher-g in #995
• static analysis: collect basic information about archive file by @maxfisher-g in #993
• Move images using load/save instead of docker daemon. by @calebbrown in #998
• Switch to osv-scanner-action repo, pin action version by @another-rex in #1006
• Shard dynamic analysis data loading across ecosystems and simplify implementation. by @calebbrown in #1007
• Add option to force cloud logging for BigQuery loading in cloudbuild. by @calebbrown in #1008
• Set the entrypoint explicitly to /bin/bash in the BQ Loader cloudbuild.yaml by @calebbrown in #1009
• Fix a bug where the RESULT_BUCKET env var wasn't used correctly. by @calebbrown in #1010
• Add headless flag to BQ command to improve output. by @calebbrown in #1011
• Add option to BigQuery SQL to remove expiration from "like" table. by @calebbrown in #1012
• Add support to build sample python package with docker by @elainechien in #1002
• Disable the currently failing crates.io test until it is fixed. by @calebbrown in #1016
• Point the new dynamic analysis loader at the real table. by @calebbrown in #1017
• Add user-agents to http requests sent by Package Analysis by @calebbrown in #1018

New Contributors

• @h0x0er made their first contribution in #978
• @lukehinds made their first contribution in #983

Full Changelog: rel-35...rel-36

rel-35

What's Changed

• Add script for kubernetes deployment by @maxfisher-g in #939
• fix issues with deploy script and move it to the scripts/ folder by @maxfisher-g in #941
• update static analysis json schema for bigquery ingestion by @maxfisher-g in #942
• add BigQuery loader function for static analysis by @maxfisher-g in #943
• update dynamic analysis Load function by @maxfisher-g in #947
• enable code execution feature in worker by @maxfisher-g in #946
• Add OSV-Scanner github action by @maxfisher-g in #949
• add execute phase to dynamic analysis JSON schema and update loader deployment commands by @maxfisher-g in #953
• add osv-scanner.toml by @maxfisher-g in #951
• add separate result bucket for execution log by @maxfisher-g in #950
• add explicit go setup step for CodeQL analysis by @maxfisher-g in #954
• add alias of scanned vulnerability by @maxfisher-g in #955

Full Changelog: rel-34...rel-35

rel-34

What's Changed

• Use os.Create to truncate the results file if a previous one exists. by @calebbrown in #940

Full Changelog: rel-33...rel-34

rel-33

What's Changed

• worker: run dynamic and static analysis unconditionally by @maxfisher-g in #921
• static analysis: rename "description" field to "detected_type" by @maxfisher-g in #923
• make token.IdentifierType into an integer enum by @maxfisher-g in #922
• Inline single-key JSON structs in static analysis formatter script by @maxfisher-g in #925
• Make public API struct for static analysis data by @maxfisher-g in #920
• omit null JS and valuecounts data from staticanalysis result struct by @maxfisher-g in #924
• Update CONTRIBUTING.md with style guide note by @calebbrown in #931
• Add execute phase to dynamic analysis by @maxfisher-g in #926
• disable strace debug logging in worker, add feature flag to enable separate logging in analysis image by @maxfisher-g in #932
• Add ssh key pair bait to sandbox by @elainechien in #916
• write static analysis results to v1 bucket by @maxfisher-g in #908
• update docs for static analysis data schema by @maxfisher-g in #936
• add Makefile recipe to build test images for e2e test by @maxfisher-g in #937

Full Changelog: rel-32...rel-33

rel-32

What's Changed

• Enable package saving. by @calebbrown in #882
• Add dnsutils to dynamic analysis image + remove extra update/upgrades by @calebbrown in #890
• dependabot: group all minor and patch updates by @maxfisher-g in #891
• Fix dockerfile to match best practices by @calebbrown in #892
• Remove result_bucket_override support. by @calebbrown in #895
• Default "on" SaveAnalyzedPackages now it is enabled in prod. by @calebbrown in #896
• Add test credential access functionality and package structure refactor by @elainechien in #856
• add doc for results data format by @maxfisher-g in #898
• bring static analysis schema JSON into line with actual data format by @maxfisher-g in #899
• Update go version in README.md by @maxfisher-g in #900
• create /root/.ssh directory in dynamic analysis Dockerfile by @maxfisher-g in #901

Full Changelog: rel-31...rel-32

rel-31

What's Changed

• Handle missing PyPI packages properly as well. by @calebbrown in #881

Full Changelog: rel-30...rel-31

rel-30

What's Changed

• remove email address from static analysis schema by @maxfisher-g in #879
• Fix Packagist JSON parsing to correctly parse dist fields. by @calebbrown in #880

Full Changelog: rel-29...rel-30

rel-29

What's Changed

• static analysis minor bugfixes by @maxfisher-g in #877
• don't upload static analysis results when there is no data by @maxfisher-g in #878

Full Changelog: rel-28...rel-29

rel-28

Main changes:

• Static analysis data schema updates
• Migrate logging to log/slog
• Bug fix to allow package saving to work

What's Changed

• Migrate the analyze cmd to slog. Remove unused log funcs. by @calebbrown in #846
• static analysis: rename FileType to Description, fix some json names by @maxfisher-g in #847
• loader: add static analysis schema, rename dynamic analysis schema to match by @maxfisher-g in #848
• Use node v18 instead of v12 (the default for Ubuntu 22.04) by @calebbrown in #849
• Replace more logging calls with slog and context. by @calebbrown in #850
• Fix bugs in static analysis schema by @maxfisher-g in #855
• JS parsing: Improve handling of string templates by @maxfisher-g in #854
• Move more logs over to slog. by @calebbrown in #851
• Move the sandbox code over to slog and propogate context everywhere. by @calebbrown in #857
• Add xxd to dynamic analysis sandbox. by @calebbrown in #858
• Make explicit top-level structs for serialised analysis results by @maxfisher-g in #859
• Turn the result dest into a result store instance. by @calebbrown in #860
• move created field to top level in static analysis schema by @maxfisher-g in #861
• fix null values in static analysis parsing results by @maxfisher-g in #863
• Rename obfuscation package to signals by @maxfisher-g in #866
• Add env var support to sandboxes so LOGGING_ENV can be passed to static analysis. by @calebbrown in #864
• Add parsed string value to EscapedStrings struct by @maxfisher-g in #867
• move key fields to top level in static analysis schema by @maxfisher-g in #868
• Static analysis: unify result struct into single array of file data (second try) by @maxfisher-g in #872
• Migrate to slog in static analysis, and remove now-dead logging code. by @calebbrown in #871
• clean up dependabot config and check for GH actions updates weekly by @maxfisher-g in #873
• Complete the slogging changes. by @calebbrown in #874
• add constant for static analysis schema version by @maxfisher-g in #875
• remove email address detection in string literals by @maxfisher-g in #876

Full Changelog: rel-27...rel-28