-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathChangelog.txt
More file actions
8672 lines (4701 loc) · 256 KB
/
Copy pathChangelog.txt
File metadata and controls
8672 lines (4701 loc) · 256 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Changelog
## v6.0.0 (2025-12-09)
### Fix
* Add expected configuration files to gitignore. [Esa Jokinen]
* Update dump_last.py HTML output to current CVE format. [Esa Jokinen]
Update the HTML report generator to handle optional fields
(vulnerable configurations, products, references) in CVE data.
* Add exception handling on empty fulltext index. [Esa Jokinen]
* Update cve-search project url. [Esa Jokinen]
* Fulltext processing; auto-download NLTK, optimize. [Esa Jokinen]
- Added safe_nltk_download() to ensure required NLTK corpora are
available and prevent LookupError at runtime.
- Added omw-1.4 resource to improve WordNet lemmatization coverage.
- Updated WordNetLemmatizer import to the supported modern style.
- Cached English stopwords in a set to avoid repeated lookups in
the loop, improving performance.
* Update cve-search project url. [Esa Jokinen]
* Update NIST NVD URLs. [Esa Jokinen]
### Other
* Merge pull request #1194 from oh2fih/release-6-0-0. [Alexandre Dulaunoy]
Release v6.0.0
* Release v6.0.0. [Esa Jokinen]
* Changelog: add missing entry for v5.2.0. [Esa Jokinen]
Contents copied from the GitHub release description.
* Update web/VERSION 5.2.0.dev122. [GitHub Action]
* Merge pull request #1197 from cve-search/dependabot/pip/werkzeug-3.1.4. [Alexandre Dulaunoy]
build(deps): bump werkzeug from 3.0.6 to 3.1.4
* Build(deps): bump werkzeug from 3.0.6 to 3.1.4. [dependabot[bot]]
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.6 to 3.1.4.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/3.0.6...3.1.4)
---
updated-dependencies:
- dependency-name: werkzeug
dependency-version: 3.1.4
dependency-type: direct:production
...
* Merge pull request #1193 from oh2fih/cleanup. [PT]
* Cleanup: remove unused .schema_version. [Esa Jokinen]
This has been handled via CveXplore library for quite some time.
* Cleanup: remove unused setting ListLoginRequired. [Esa Jokinen]
* Cleanup: remove unused imports. [Esa Jokinen]
* Merge pull request #1192 from oh2fih/web-admin-select-configured-feeds. [PT]
* Web(admin): hide password form when login is not required. [Esa Jokinen]
The password change form was only hidden if OIDC was enabled. It is now
also hidden when login is not required, preventing a runtime error
since no authenticator exists without a logged-in user, and there is no
internal password to change.
* Web(admin): render database stats table dynamically. [Esa Jokinen]
Refactor the admin template to generate database statistics rows in a
loop instead of hardcoding each one. This reduces duplication and makes
the table easier to maintain when adding or removing data sources.
* Web(admin): render update source checkboxes dynamically. [Esa Jokinen]
Refactor the admin template to generate source checkboxes in a loop
instead of hardcoding each one. Checkboxes are now automatically
selected if their source is enabled in the configuration, so the UI
defaults match the configured update sources.
* Merge pull request #1191 from oh2fih/cleanup-flask-plugins. [PT]
* Docs: mark Webgui Plugin feature as retired. [Esa Jokinen]
* Web(admin): new, more responsive 3-column layout. [Esa Jokinen]
- Changed admin page layout from 3-3-6 to 4-4-4 for better balance
after removing the Plugin feature management.
- Adjusted column widths and table styles to prevent database table
overflow, improving Bootstrap-based responsiveness.
* Bump Jinja2 3.1.6, flask-menu 0.7.3, Flask-restx 1.3.0 & nltk 3.9.1. [Esa Jokinen]
* Retire the Plugin Feature (Flask-Plugins) [Esa Jokinen]
* Update dependencies: CveXplore, Gunicorn, Werkzeug etc. (#1189) [Esa Jokinen]
* Merge pull request #1188 from oh2fih/simplify-db-updater. [PT]
* Cleanup(db): only include source 'cpeother' if configured. [Esa Jokinen]
There is no need to add the source only to skip it later.
* Cleanup(db): reorder code to be more readable. [Esa Jokinen]
Move additional sources population closer to where it is processed.
* Cleanup(db): remove redundant db_updater.py -m. [Esa Jokinen]
The flag -m / --minimal was nothing but the opposite of -c / --cache.
We don't need two flags for toggling the exactly same feature.
* Cleanup(db): remove dummy flag. [Esa Jokinen]
The dummy flag -v is not required anymore for admin UI compatibility,
as the usage of it was removed in PR #1176 commit e958732.
* Merge pull request #1187 from oh2fih/fix-search-limit. [PT]
* Cleanup(search): remove documentation of removed flag. [Esa Jokinen]
* Cleanup(search): unused import. [Esa Jokinen]
* Fix(search): output limit in search.py. [Esa Jokinen]
Pass -i limit to lib.DatabaseLayer functions that supports it.
* Merge pull request #1186 from oh2fih/update-testdata. [PT]
* Test: update test_search_cveid_desc assertion. [Esa Jokinen]
The test data now includes microseconds like the real data, so
the assertion must account for this increased time precision.
* Test: update mock CVE and CPE data to current schema. [Esa Jokinen]
Refresh test CVE entries to match the current schema while keeping
the same IDs. Long lists truncated where mongosh indicated extra
items; two CPEs replaced as they no longer exist. Ensures tests
reflect current data and uncover hidden issues.
* Merge pull request #1185 from oh2fih/fix-dump-last-html. [PT]
* Test: update dump_last.py tests to match full mock dataset. [Esa Jokinen]
Adjust -l values and assertions to use all 9 CVEs in the test database,
ensuring that all output formats (Atom, RSS1, RSS2, HTML) are tested
against more variable data.
* Test: re-enable dump_last.py tests after fixing HTML output. [Esa Jokinen]
These tests now pass again since the HTML report generator was fixed
to handle the current CVE schema.
* Merge pull request #1184 from oh2fih/separate-fulltext-indexing. [PT]
* Db(update): separate fulltext indexing from database updates. [Esa Jokinen]
The fulltext indexing feature in db_updater.py previously relied on
being able to read the number of updated CVEs during the process. With
the CveXplore backend, this information is no longer available, making
the update operation effectively a no-op. This commit removes indexing
from the script and the admin UI, leaving a hint on the current usage.
* Merge pull request #1183 from oh2fih/minor-fixes. [PT]
* Merge pull request #1182 from oh2fih/cleanup-legacy-scripts. [PT]
* Cleanup(api): remove unused auth API and JWT token logic. [Esa Jokinen]
The authentication API for the retired whitelist/blacklist feature is
no longer required; none of the current endpoints use authentication.
Additionally, the /api/logout endpoint could not properly blacklist
tokens, and the use of Redis DB 8 for token tracking was undocumented.
This commit removes the partially implemented feature from 2020,
reducing complexity and external dependencies.
* Cleanup: remove CVE Reference DB feature (cve_refs.py) [Esa Jokinen]
This script was intended to fetch NIST CVE References from Redis DB 12.
However, the database has never been populated, and most of the
listed `ref_urls` are non-working.
Remove all code related to the Redis "RefDB" from the repository.
This was likely a planned feature from 9 years ago that was never
fully implemented. Also remove completely unsed Redis DB 9.
* Cleanup: remove obsolete cve_doc.py script. [Esa Jokinen]
The /api/cve endpoint is incompatible with the public cve.circl.lu API.
While the script still works with the current local API, it relies on
an Asciidoc template that is unlikely to be maintained in sync with
future changes to the CVE collection schema. Removed the inactive tests
related to this script, as well as the igetcve() function from
lib.Query, since the script was its only consumer.
* Merge pull request #1181 from oh2fih/fix-ranking. [PT]
* Fix(db): modernize ranking functions for PyMongo 4.x. [Esa Jokinen]
Replace deprecated update() and remove() with update_one() and
delete_one(), and fix findRanking() to return actual results,
including regex support. Restores intended ranking feature behavior.
* Merge pull request #1179 from oh2fih/fix-create-index-script. [PT]
* Fix(db): index creation script integration. [Esa Jokinen]
DatabaseIndexer expects a .dbclient attribute, but getMongoConnection()
returns a raw Database object. Add a wrapper so indexes are created in
the correct database instead of under a phantom 'dbclient.*'.
* Merge pull request #1178 from oh2fih/fix-create-index-script. [PT]
* Fix(db): index creation script compatibility. [Esa Jokinen]
Update db_mgmt_create_index.py to work with the current CveXplore API.
* Merge pull request #1177 from oh2fih/manual-updates. [PT]
web(admin): prevent <defunct> processes in /updatedb
* Web(admin): remove unused imports. [Esa Jokinen]
* Web(admin): prevent <defunct> processes in /updatedb. [Esa Jokinen]
Child processes spawned by the /updatedb endpoint could become zombies
if not properly reaped. This change runs them in a daemon thread that
waits for completion, ensuring the process table stays clean while
forwarding logs and keeping the endpoint non-blocking.
* Merge pull request #1176 from oh2fih/manual-updates. [PT]
* Update web/VERSION 5.2.0.dev69. [Esa Jokinen]
Manually update the VERSION file as the workflow is still broken.
* Db(update): auto-remove stale locks in any_lock_active() [Esa Jokinen]
- Remove stale locks before checking for active ones.
- Use timezone-aware UTC datetimes instead of deprecated utcnow().
* Db(update): fix global repopulation locking. [Esa Jokinen]
- Acquire locks for all CveXplore sources during full repopulation.
- Prevents smaller updates from bypassing the global lock.
- Ensure all acquired locks are properly released even on failure.
* Web(admin): add selectable database update sources. [Esa Jokinen]
- Allow manual selection of sources to update in admin UI:
CPE, CVE, CWE, CAPEC, VIA4, and EPSS.
- Pass selected sources as query params to backend.
- Whitelist sources on backend to prevent arbitrary input execution.
* Db(update): log no-op fulltext indexing for debug. [Esa Jokinen]
* Web(admin): add cache/index options to DB update. [Esa Jokinen]
- Add checkboxes in admin UI for Redis cache and fulltext index.
- Pass selected options to backend as query params.
- Map params to updater flags (-c, -i).
- Remove legacy no-op flag (-v).
* Web(admin): add UI and API to clear updater locks. [Esa Jokinen]
- Add /clear_updater_locks endpoint to remove all active updater locks.
- Return list of removed locks in API response for clarity.
- Add "Forcibly Clear Locks" button to admin UI with AJAX call.
- Show feedback in UI when locks are cleared or none exist.
* Web(admin): warn if database update is running. [Esa Jokinen]
- Prevent manual updates from starting if another update is running.
- Return a 409 with a clear message when the updater is locked.
- Display a warning (not error) in the front-end for locked updates.
- Preserve normal error handling and status updates for other failures.
* Db(update): add locking to prevent concurrent updates. [Esa Jokinen]
- Add a global lock to prevent simultaneous inits or repopulations.
- Apply per-source locks to updates, caching and the fulltext indexer.
- Include consistent logging for failures and skipped updates.
- Ensure all locks are released properly even on exceptions.
* Db(update): provide helpers for per-source locking. [Esa Jokinen]
Introduce acquire, release, and check functions backed by a MongoDB
collection. These helpers enable coordination of updates and prevent
concurrent runs for the same source. Stale locks are automatically
removed based on the configured maximum lock duration.
* Web(admin): do not discard logs from manual updates. [Esa Jokinen]
Manual updates no longer redirect stdout/stderr to unused pipes,
preventing errors and status messages from being hidden.
* Merge pull request #1171 from oh2fih/admin-listmanagement. [PT]
* Retire whitelist/blacklist feature. [Esa Jokinen]
Remove the whitelist/blacklist feature entirely. While it could have
been partially recovered, it suffered from severe performance issues,
ambiguity, and unreliability.
* Lib(db): restore whitelist/blacklist functionality. [Esa Jokinen]
Reintroduces the whitelist and blacklist helper functions removed during
the NIST NVD API refactor in commit 8d4c6d4, restoring functionality
lost by their removal. Also updates the functions for MongoDB 4.x
compatibility.
* Web(admin): remove unused Redis exception handling. [Esa Jokinen]
This view only queries MongoDB, not Redis. The Redis-related import and
try/except block were dead code and have been removed for clarity.
* Merge pull request #1175 from oh2fih/fix-fulltext-visualization. [PT]
* Merge pull request #1174 from oh2fih/cleanup-legacy-documentation. [PT]
* Docs: clarify fulltext visualization documentation. [Esa Jokinen]
The documentation now clearly explains that the script generates JSON
data of the most common CVE keywords, without creating visualizations
itself.
* Doc: replace non-working example command. [Esa Jokinen]
Replace command to a non-executable script with links to sections
where the documentation has already been updated.
* Doc: public api is now using vulnerability-lookup. [Esa Jokinen]
* Doc(web): update web interface documentation. [Esa Jokinen]
* Update auto_version.yaml. [PT]
* Merge pull request #1173 from cve-search/P-T-I-patch-1. [PT]
Update auto_version.yaml
* Update auto_version.yaml. [PT]
* Merge pull request #1170 from oh2fih/api-browse-mongodb-fallback. [PT]
MongoDB fallback for browse & search-vendor API
* Lib(query): fix fallback detection logic for empty lists. [Esa Jokinen]
Treat anything evaluating as False equally;
that includes: None, [], (), '', 0, etc.
* Lib(query): reduce repetitive code in Redis/Mongo fallback. [Esa Jokinen]
Refactor getBrowseList(), getVersionsOfProduct(), searchVendors(),
searchProductsByVendor(), and searchVersionsByProduct() to use
redis_or_mongo() for consistent Redis-first, MongoDB-fallback behavior.
This centralizes fallback logic and related logging of warnings.
* Lib(query): unify Redis/Mongo fallback into helper function. [Esa Jokinen]
Add redis_or_mongo() to centralize the pattern of trying Redis
first and falling back to MongoDB if Redis is unavailable or
empty. Provides optional logging context to indicate which
operation triggered the fallback.
* Lib(query): add helper to ensure Redis connection is alive. [Esa Jokinen]
Introduce get_redis_connection() to check if the global Redis
connection is alive and reconnect if necessary. This ensures
Redis calls throughout Query.py are resilient to dropped or
stale connections.
* Lib(Query): MongoDB fallback for /api/search-vendor. [Esa Jokinen]
Fallback to MongoDB in searchVendors(), searchProductsByVendor() and
searchVersionsByProduct() when Redis cache is unavailable or empty.
Fallback warnings are configured via Logging/RedisFallbackWarnings.
* Lib(query): MongoDB fallback for /api/browse. [Esa Jokinen]
Fallback to MongoDB in getVersionsOfProduct(product) and
getBrowseList(vendor) when Redis cache is unavailable or empty.
Setting Logging/RedisFallbackWarnings to False can be used to
suppress fallback warnings if Redis is intentionally not in use.
* Merge pull request #1169 from oh2fih/login-form-error-messages. [PT]
* Web(auth): show specific login form errors to user. [Esa Jokinen]
Login route now detects missing username, invalid/empty password,
and CSRF errors, passing status codes to the frontend. JavaScript
displays clear messages rather than a generic or no error.
* Merge pull request #1168 from oh2fih/fix-flask-authhandler-lazy. [PT]
* Web(auth): lazy-load AuthenticationHandler to fix login. [Esa Jokinen]
Prevents AttributeError in FlaskAuthHandler during user login by
delegating method calls to AuthenticationHandler, doing so only
when needed using lazy loading.
* Merge pull request #1167 from oh2fih/fix-admin-mgmt. [PT]
* Fix(admin): remove misleading error message. [Esa Jokinen]
Remove the generic error message suggesting the problem was always an
outdated database. It was misleading, as it appeared for any unexpected
exception — in this case, calls to deprecated library methods.
* Fix(admin): call correct, local functions. [Esa Jokinen]
The masterLogin() and isLastAdmin() are local,
not provided by MongoPlugin().
* Fix(admin): single master detection logic. [Esa Jokinen]
Correct the isSingleMaster method to properly detect if a user
is the only master admin. Returns True only when no other master
users exist, preventing accidental deletion of the last admin.
* Fix(admin): MongoPlugin PyMongo 4.x compatibility. [Esa Jokinen]
Fix admin/user management scripts broken by PyMongo upgrade.
The issue started when pymongo was updated from 3.12.1
to 4.5.0 (commit 8d4c6d4).
* Merge pull request #1166 from oh2fih/mongodb-lazy-load. [PT]
* Lib: lazy-load MongoDB in AuthenticationHandler. [Esa Jokinen]
Defer MongoDB connection creation until first use to avoid
establishing connections in the Gunicorn master process before
worker forking.
* Merge pull request #1165 from oh2fih/test-db-fixture. [PT]
* Ci(tests): expand MongoDB matrix to cover LTS and latest. [Esa Jokinen]
Add MongoDB 6.0 and 8.0 to the test matrix while keeping 4.4,
ensuring CI tests cover older LTS, current LTS, and the latest
MongoDB release for compatibility.
* Test(db): use dedicated test database with fixture. [Esa Jokinen]
Use a separate test database for all DB tests. A session-scoped
pytest fixture ensures the database is cleaned and populated with
test data before tests run. CLI subprocesses also use the test DB,
allowing local and GitHub tests to run consistently.
* Merge pull request #1164 from oh2fih/mongodb-lazy-load. [PT]
* Lib: simplify DatabaseLayer with safe aggregation pipelines. [Esa Jokinen]
Replace MongoDB version checks with safe_aggregate(), which tries
allowDiskUse=True and falls back on older MongoDB servers. Construct
aggregation pipelines in functions to simplify query logic, preserving
sorting, limits, and skips. Remove repetitive conditionals and lazy
MongoDB version handling, improving readability and maintainability.
* Lib: lazy-load MongoDB connections and collections. [Esa Jokinen]
Refactor DatabaseLayer to use lazy-loaded proxies for the database
and collections. MongoClient, collection objects, and MongoDB
version retrievals are now only created when first accessed.
* Web: lazy-load DatabaseHandler in Flask integration. [Esa Jokinen]
Wrap DatabaseHandler in a LazyDatabaseHandler so the real connection
is only created when first accessed. Update FlaskDatabaseHandler to
use the lazy version, deferring MongoClient creation until needed.
* Web: defer CveXplore initialization to requests. [Esa Jokinen]
Move CveXplore creation into a before_first_request hook to ensure
MongoClient is created after the process fork, avoiding PyMongo
warnings. MongoDB settings are passed via environment variables.
* Web: pass MongoDB config to CveXplore via env vars. [Esa Jokinen]
Avoid deprecated constructor argument; CveXplore now reads
MongoDB settings from environment variables
* Merge pull request #1163 from oh2fih/fix_capeclookup_with_multiple_cwe. [PT]
* Fix handling of CWE as a list in CAPEC lookups. [Esa Jokinen]
CWE values were previously assumed to be strings, but they were
changed to a list in CveXplore v0.3.37. This change iterates over
CWE lists correctly, fixing the crash and producing combined CAPEC
results from all CWE entries.
* Merge pull request #1159 from oh2fih/fix-db-config-passing. [PT]
Fix MongoDB configuration: correct URI construction & pass DnsSrvRecord
* Test: centralized config parsing in lib/Config.py. [Esa Jokinen]
Adds a unit test to prevent ConfigParser or readSetting() usage
outside lib/Config.py. Enforces use of the Configuration class.
* Fix(mongodb): centralize configuration parsing in Config.py. [Esa Jokinen]
- Configuration was redundantly parsed in the MongoDB plugin.
- The getMongoUri() method in Config.py was not being used.
- All configuration parsing is now done in Config.py.
- Both the database plugin and the database handler now rely
on Config.py getters as an abstraction layer.
* Config: fix MongoDB SRV URI construction. [Esa Jokinen]
- SRV records can be used without authentication.
- Include cluster-specific parameters in both
authenticated and unauthenticated SRV URIs.
* Test: add unit tests for (fixed) MongoDB configuration. [Esa Jokinen]
- Parametrized tests for URI generation and env var setup
- Covers username/password and DNS SRV combinations
- Initialization helper clears the env between the tests
- Tests URL generation and environment passing to CveXplore
- SRV records can be used without authentication.
- Include cluster-specific parameters in both
authenticated and unauthenticated SRV URIs.
* Config: pass DnsSrvRecord to CveXplore. [Esa Jokinen]
Set DATASOURCE_DBAPI=srv in the environment for CveXplore
when DnsSrvRecord is true in the configuration.
* Config: unify MongoDB URI construction using helper getters. [Esa Jokinen]
- Added getMongoAuthDB() to complete helper coverage.
- getMongoUri() now uses helper methods for all components.
- Boolean SRV handling uses getMongoSrvBool().
* Test: fix DeprecationWarning by using raw string (#1160) [Esa Jokinen]
Use a raw string for the search pattern in test_search.py
to avoid invalid escape sequence warnings with `\(`.
* Improve SystemD units to support per-source database updates (#1156) [Esa Jokinen]
* Improve SystemD example units
Split the database update unit into template units that handle a
single source at a time, and introduce a target unit to orchestrate
updates across all sources. Retire separate db_repopulate.
Add explanatory comments to each unit for better documentation.
* Update documentation for improved SystemD units
Describe separation of database updates per source, both when calling
the updater script directly and when using the improved SystemD unit
structure. Clarify the optional nature of Redis caching.
* Remove dependencies for retired db_repopulate.service
* Update CPE Redis cache daily; not with every CPE update
* Fix warning 'PEP 8 W605 invalid escape sequence' (#1152) [Martin W. Kirst]
* Bump cvexplore from 0.3.38 to 0.3.39 (#1157) [Esa Jokinen]
* Update EPSS URL (#1153) [Jerry Gamblin]
* Upgrade cvexplore version to newest (#1144) [Paweł Cyrklaf]
* Make the browse endpoint work with products with slashes in their name (#1145) [Maxime Huyghe]
## v5.2.0 (2025-03-17)
### Other
* Update web/VERSION 5.1.0.dev9. [GitHub Action]
* Update requirements.txt (#1141) [PT]
* WebUI: improve tables (#1136) [Esa Jokinen]
* Maintain a CWE array in webui and swagger (#1132) [SashaTail]
* Update requirements.txt. [PT]
* Add cvss4 in webui #1128 (#1129) [SashaTail]
* Add CVSS4 display on the vulnerability page
* Add filter, sorting to vulnerabilities page
* Fix td size for Cvss4 cases
* Improve filter logic for cvss4
* Add CVSSv4 in swagger doc
* Delete score from cvss4
* Update version
* Feat(search): limit results by days since modified (#1121) [Esa Jokinen]
* feat(search): limit results by days since modified
Add search.py -T to limit results to results from n days by the
last modification, while -t does it based on the date published.
* build(ci): update actions/upload-artifact to v4
This test was using a deprecated version of actions/upload-artifact: v2.
* Update web/VERSION 5.1.0.dev2. [GitHub Action]
* Bump nltk from 3.8.1 to 3.9 (#1118) [dependabot[bot]]
Bumps [nltk](https://github.com/nltk/nltk) from 3.8.1 to 3.9.
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](https://github.com/nltk/nltk/compare/3.8.1...3.9)
---
updated-dependencies:
- dependency-name: nltk
dependency-type: direct:production
...
* Remove support for search.py -q (#1117) [Esa Jokinen]
## v5.1.0 (2024-07-24)
### New
* [Changelog] updated. [Alexandre Dulaunoy]
### Changes
* [changelog] release 5.1.0 (#1115) [Esa Jokinen]
### Other
* Retire db_mgmt_[source].py (#1113) [Esa Jokinen]
* Replaced by db_updater.py -s capec
* Replaced by db_updater.py -s cpe
* Replaced by db_updater.py -s cwe
* Replaced by db_updater.py -s cve
* Replaced by db_updater.py -s via4
* Update documentation
* Update SystemD db_init service to retire legacy init
* Set sources & update interval manually for NVD API (#1110) [Esa Jokinen]
* Set update interval (1-120 days) manually for NVD API
Adds -d (--days) options for passing manual interval to CveXplore.
Requires CveXplore with cve-search/CveXplore#300.
* Add long option strings & reorder help
Makes the code more readable and the short option strings more
understandable and memorable. Related options grouped together.
* Update documentation for Updating the database
Update the documentation to reflect these and some other recent changes.
* Set sources manually for NVD API
Adds -s (--sources) option for overriding the configured sources.
Requires #1112 for EPSS source as it is not currently configured.
* Warn about --sources not available in CveXplore
* Update requirements.txt. [PT]
* Pass sources configuration to CveXplore (#1112) [Esa Jokinen]
* Default sources from CveXplore
CPE & CPE feeds are replaced by the API & not configurable.
* Pass sources configuration to CveXplore
* Keep the same order in all sources lists
* Quick fix for sort_dir not working in free queries. (#1109) [Crea Giuseppe]
* Quick fix for sort_dir not working in free queries.
* Update lib/DatabasePlugins/mongodb.py
Covering all undefined cases of sort_dir
* Fix default config & remove unused imports (#1108) [Esa Jokinen]
* None is treated as a string, comment out
* Remove unused import
* Remove unused import
* Update requirements.txt. [PT]
* Pass MongoDB configuration to CveXplore (#1107) [Esa Jokinen]
* Pass proxy configuration to CveXplore (#1102) [Esa Jokinen]
* Update requirements.txt. [PT]
* Update web/VERSION 5.0.3.dev3. [GitHub Action]
* Update requirements.txt (#1105) [PT]
* Avoid dependency conflicts with CveXplore (#1101) [Esa Jokinen]
## v5.0.3 (2024-04-16)
### Changes
* [changelog] updated for release 5.0.2. [Alexandre Dulaunoy]
### Other
* Update requirements.txt. [PT]
## v5.0.2 (2024-04-13)
### Changes
* [VERSION] release 5.0.2. [Alexandre Dulaunoy]
* [changelog] updated. [Alexandre Dulaunoy]
### Other
* Update requirements.txt. [PT]
* Update requirements.txt. [PT]
* Support non-numeric versions in relaxSearch (#1081) [Esa Jokinen]
* Support non-numeric versions in relaxSearch
Use simplified version string for easier comparison.
Avoid using print() in a library.
* New unit tests for improved search.py --lax
* Fix search.py bug with parentheses in version
* Corrections for search.py help in README.md
* Fix import order for lib.cpe_conversion
* README.md lint markdown, syntax highlighting etc.
* Black formatting
* README.md further improve jq highlighting
* Fix CPE name parsing (#1080) [Maxime Huyghe]
* Update web/VERSION 5.0.1.dev16. [GitHub Action]
* Bump cryptography from 42.0.0 to 42.0.4 (#1060) [dependabot[bot]]
Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0 to 42.0.4.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.4)
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
...
* Update auto_version.yaml. [PT]
* Refactor db_updater fixing repopulate ordering & removing -v option (#1076) [Esa Jokinen]
* db_updater: fix repopulate ordering
* db_updater: more informative log headers
* db_updater: only drop collections on first iteration
* db_updater: drop non-configured collections
* Remove -v option from dp_updater
Leave dummy option for backwards compatibility.
Clarify the documentation.
* Use same instance of CveXplore() & add main
* SystemD db_updater.timer lower update interval (#1078) [Esa Jokinen]
* Cleanup: remove unused .talismanrc fileignore (#1075) [Esa Jokinen]
* Gitignore entire docs/build (#1074) [Esa Jokinen]
* GitHub workflow for automatic web/VERSION update (#1073) [Esa Jokinen]
* Sync configuration.ini.sample with Config.py & update docs (#1071) [Esa Jokinen]
* Upgrade workflow actions to Node.js 20 (#1072) [Esa Jokinen]
* Downgrade DataTables 2.0.3 -> 1.13.11 (#1067) [Esa Jokinen]
* Major documentation updates (#1069) [Esa Jokinen]
* Improve SystemD service examples (#1065) [Esa Jokinen]
* Update static JS dependencies (#1063) [Esa Jokinen]
* Update jQuery 3.6.0 -> 3.7.1
* Update Popper v2.11.5 -> v2.11.8
* Update clipboard.js v2.0.10 -> v2.0.11
* Update Bootstrap v4.6.0 -> v4.6.2
"One of our last releases for the v4."
* Update DataTables 1.11.3 -> 2.0.3
* Fixes #1057. [Paul Tikken]
* Req bump. [Paul Tikken]
## v5.0.1 (2024-01-28)
### New
* [release] changelog updated to match release v5.0.0. [Alexandre Dulaunoy]
### Other
* Update README.md (#1055) [Esa Jokinen]
* systemd services: rename mongod.service
* black formatting
* README.md add workflow badges
* README.md update copyright years
* README.md update changelog link
The changelog on the site hasn't been updated for ages.
* Systemd services: rename mongod.service (#1052) [Esa Jokinen]
* systemd services: rename mongod.service
* black formatting
* README.md add workflow badges
* Update script tweaks (#1051) [PT]
* tweaks to update script
* Add check for missing 'vulnerable_configuration' field (#1050) [PT]
* Fixes #1038. [Paul Tikken]
* Merge pull request #1047 from cve-search/cve-search-1042. [PT]
Additional check
* Added check for missing epss values. [Paul Tikken]
* Merge pull request #1041 from oh2fih/master. [PT]
Add workflow to check black formatting
* Black formatting (23.12.1) [Esa Jokinen]
* Add workflow to check black formatting. [Esa Jokinen]
* Black formatting. [Paul Tikken]
## v5.0.0 (2023-12-18)
### New
* [ChangeLog] added. [Alexandre Dulaunoy]
### Other
* Update requirements.txt. [PT]
* Merge pull request #1034 from baonq-me/fix/12122023_cli_search_cve. [PT]
* Fix counting results when searching for CVE using cli. [baonq-me]
* Merge pull request #1033 from baonq-me/master. [PT]
* Improve CVEs search speed in bin/search.py. [baonq-me]
Improve CVEs search speed in bin/search.py by passing search query to mongodb instead of getting all ids, then calling db again to get each doc. Some case like "bin/search.py -s linux" can return seven thousand CVEs which result to seven thousand API calls to db by the old way.
* Allow getting CVEs from a MongoDB doc. [baonq-me]
Sometimes we need to getting so many CVE from the database. It's better to getting all mongo doc at the same time to reduce network calls to the database, then use method getCveFromMongoDbDoc() to standardize the document
* Add method searchCVE to DatabaseLayer. [baonq-me]
* Merge pull request #1031 from fazledyn-or/Fix_Inappropriate_Logic. [PT]
Fixed Inappropriate Logical Expression
* Fixed Inappropriate Logical Expression. [fazledyn-or]
* Merge pull request #1032 from baonq-me/fix/11122023_mongodb_count. [PT]
Use count_documents() to count mongo documents instead of old and deprecated count()
* Use method count_documents to count mongo documents instead of old and deprecated count() [baonq-me]
* Merge pull request #1030 from baonq-me/fix/08122023_mongodb_connection. [PT]
* Pass mongodb connection string when initialize CveXplore. [baonq-me]
* Commented out code coverage. [Paul Tikken]
* Fixes #916. [Paul Tikken]
* Update requirements.txt. [PT]
* Merge pull request #1022 from cve-search/CveSearch-1021. [PT]
mongodb connections
* Fixes #1021. [Paul Tikken]
* Req update. [Paul Tikken]
* Merge pull request #1019 from cve-search/fix_1017. [PT]
wrong key when populating redis cache
* Should address #1017. [Paul Tikken]
* Update requirements.txt. [PT]
* Merge pull request #1010 from cve-search/cve-search-929. [PT]
Rewrite of database update to use NVD NIST API from cvexplore lib
* Update web/templates/cve.html. [PT]
* Temp disabling failing test; they break on changed datastructure and need to be revised. [Paul Tikken]
* Temp disabling failing test; they break on changed datastructure and need to be revised. [Paul Tikken]
* Temp disabling failing test; they break on changed datastructure and need to be revised. [Paul Tikken]
* Altered test data to match new structure. [Paul Tikken]
* Reqs update. [Paul Tikken]
* Reqs update. [Paul Tikken]
* Workflow update. [Paul Tikken]
* Workflow update. [Paul Tikken]