
Releases: kubescape/node-agent

Release v0.1.110

22 Oct 07:25
71ddf87

PR Type:

Enhancement


PR Description:

This pull request updates the k8s-interface library from version v0.0.141 to v0.0.145. The update is reflected in the go.mod and go.sum files.


PR Main Files Walkthrough:

files:

go.mod: The k8s-interface library version has been updated from v0.0.141 to v0.0.145.
go.sum: The checksums for the k8s-interface library have been updated to reflect the new version (v0.0.145).



Release v0.1.107

04 Oct 09:43
5f5f50e

PR Type:

Refactoring


PR Description:

This pull request includes major refactoring of the Container Watcher and Relevancy Manager components. It introduces new tracers, reorganizes the container watcher, adds an application profile manager, removes the libseccomp dependency, adds metadata to CRDs, and adds constants for pool sizes. It also modifies the relevancy manager to handle container events and report file access differently.


PR Main Files Walkthrough:

files:

pkg/containerwatcher/v1/container_watcher.go: The container watcher has been significantly refactored. It now includes a new application profile manager, new tracers, and worker pools for different tasks. The creation and start methods have been updated to accommodate these changes. The stop method has been updated to stop the worker pools and tracers. The libseccomp dependency has been removed.
pkg/relevancymanager/v1/relevancy_manager.go: The relevancy manager has been refactored to handle container events and report file access differently. The ReportContainerStarted and ReportContainerTerminated methods have been replaced with a single ContainerCallback method. The ReportFileAccess method has been simplified. The eventWorkerPool has been removed.
pkg/containerwatcher/v1/container_watcher_private.go: This new file contains private methods for the container watcher, including methods to start and stop the container collection and tracers.
pkg/applicationprofilemanager/v1/applicationprofile_manager.go: This new file introduces the application profile manager, which is used to report capabilities, file execution, and file opening events.
pkg/utils/utils.go: This file has been updated with new utility functions for creating a Kubernetes container ID and checking if a string is in a slice.
pkg/relevancymanager/v1/relevancy_manager_test.go: The tests for the relevancy manager have been updated to reflect the changes in the relevancy manager.
pkg/containerwatcher/v1/capabilities.go: This new file introduces a tracer for capabilities events.
pkg/containerwatcher/v1/open.go: This new file introduces a tracer for file opening events.
pkg/containerwatcher/v1/exec.go: This new file introduces a tracer for file execution events.
pkg/containerwatcher/v1/syscall.go: This new file introduces a tracer for system call events.

Release v0.1.106

02 Oct 16:26
224f9af

PR Type:

Enhancement


PR Description:

This PR updates the dependency github.com/cyphar/filepath-securejoin from version 0.2.3 to 0.2.4. The new version includes a security fix for Windows and improved handling of Windows paths that contain volume names.


PR Main Files Walkthrough:

files:

go.mod: The version of github.com/cyphar/filepath-securejoin dependency is updated from 0.2.3 to 0.2.4.
go.sum: The checksum for github.com/cyphar/filepath-securejoin is updated to reflect the new version 0.2.4.


User Description:

Bumps github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4.

Release notes

Sourced from github.com/cyphar/filepath-securejoin's releases.

v0.2.4

This release fixes a potential security issue in filepath-securejoin when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to generate paths outside of the provided rootfs in certain cases), as well as improving the overall behaviour of filepath-securejoin when dealing with Windows paths that contain volume names. Thanks to Paulo Gomes for discovering and fixing these issues.

In addition, we've switched (at long last) to GitHub Actions and have continuous integration testing on Linux, MacOS, and Windows.

Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai [email protected]


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
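The release note above says 0.2.4 closes a way "to generate paths outside of the provided rootfs". The following added example (written for this page, not code from filepath-securejoin or from node-agent) shows the underlying bug class with only the standard library: a plain filepath.Join happily climbs out of a rootfs, and a containment check built on filepath.Rel refuses the same input. The root path and inputs are constructed; the check is lexical only, and unlike filepath-securejoin it does not resolve symlinks, so it is an illustration of the problem rather than a replacement for the dependency.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a joined path would land outside the root.
var ErrEscapesRoot = errors.New("path escapes root")

// NaiveJoin is the unsafe pattern: filepath.Join collapses ".." segments,
// but nothing stops the cleaned result from climbing above root.
func NaiveJoin(root, untrusted string) string {
	return filepath.Join(root, untrusted)
}

// IsUnderRoot reports whether p is root itself or lies beneath it. It uses
// filepath.Rel rather than a string-prefix test so that "/rootfs2/x" is
// not mistaken for a child of "/rootfs".
func IsUnderRoot(root, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(p))
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel != ".." && !strings.HasPrefix(rel, ".."+sep)
}

// ContainedJoin treats untrusted as rooted at root (a leading "/" means the
// rootfs root, not the host root), joins, and refuses any result that does
// not stay under root. Assumption: this is a lexical check only. It does not
// resolve symlinks inside root, which is the part filepath-securejoin handles
// and this example deliberately does not.
func ContainedJoin(root, untrusted string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, string(filepath.Separator)+untrusted)
	if !IsUnderRoot(root, joined) {
		return "", fmt.Errorf("%q under %q: %w", untrusted, root, ErrEscapesRoot)
	}
	return joined, nil
}

func main() {
	root := "/var/lib/rootfs" // constructed example rootfs
	inputs := []string{"etc/passwd", "/etc/passwd", "../../etc/passwd", "..", ""}
	for _, in := range inputs {
		naive := NaiveJoin(root, in)
		safe, err := ContainedJoin(root, in)
		fmt.Printf("%-20q naive=%-28s under-root=%-5v contained=%q err=%v\n",
			in, naive, IsUnderRoot(root, naive), safe, err)
	}
}
```

With root "/var/lib/rootfs", the input "../../etc/passwd" joins naively to "/var/etc/passwd", which is outside the rootfs, while ContainedJoin returns ErrEscapesRoot for it. A symlink inside the rootfs pointing at "/etc" would pass this lexical check and still escape on open, which is why a library that walks the components inside the root, kept at a fixed version, is the right tool rather than a prefix check.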

Release v0.1.104

07 Sep 15:56
2de266e

PR Type:

Enhancement


PR Description:

This PR introduces the ability to use a non-default namespace in Kubescape by setting an environment variable. Previously, the namespace was hardcoded to "kubescape", but now it can be customized. If no namespace is specified through the environment variable, it defaults to "kubescape".


PR Main Files Walkthrough:

pkg/storage/v1/storage_nocache.go: Introduced a new variable 'namespace' in the StorageNoCache struct. Added a function 'getNamespace' to fetch the namespace from the environment variable "NAMESPACE". If the environment variable is not set, it defaults to "kubescape". Updated the namespace in CreateFilteredSBOM, GetSBOM, and PatchFilteredSBOM methods to use the new 'namespace' variable instead of the hardcoded "kubescape".
pkg/storage/v1/storage_test.go: Updated the namespace in the test cases to use 'defaultNamespace' instead of the hardcoded "kubescape".


User Description:

Overview

Support a non-default "kubescape" namespace via env var
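The walkthrough above describes reading the namespace from the NAMESPACE environment variable and falling back to "kubescape". The added example below (written for this page, not the project's getNamespace) reproduces that behaviour and adds the check a reviewer would want: a value that is set but is not a valid Kubernetes namespace name (a DNS-1123 label) is rejected at startup instead of being passed on to the API server. The lookup function is injected so the logic can be tested without touching the process environment; that indirection is an assumption of this example, not something the page says the project does.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// Names taken from the release note: the variable the note says is read and
// the value used when it is absent.
const (
	defaultNamespace = "kubescape"
	envNamespace     = "NAMESPACE"
)

// dns1123Label is the shape of a valid Kubernetes namespace name: lowercase
// alphanumerics and '-', first and last characters alphanumeric, 1-63 bytes.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// NamespaceFromEnv returns the namespace the agent should use. An unset or
// empty variable yields the default; a set but malformed value is an error
// rather than a silent fallback, so a typo in a manifest fails loudly at
// startup instead of producing 404s or writes into the wrong namespace later.
// lookup has the signature of os.LookupEnv (assumption: injected for testing).
func NamespaceFromEnv(lookup func(string) (string, bool)) (string, error) {
	v, ok := lookup(envNamespace)
	if !ok || v == "" {
		return defaultNamespace, nil
	}
	if len(v) > 63 || !dns1123Label.MatchString(v) {
		return "", fmt.Errorf("%s=%q is not a valid DNS-1123 namespace name", envNamespace, v)
	}
	return v, nil
}

func main() {
	ns, err := NamespaceFromEnv(os.LookupEnv)
	if err != nil {
		fmt.Println("startup error:", err)
		os.Exit(1)
	}
	fmt.Println("using namespace:", ns)
}
```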

Release v0.1.103

06 Sep 13:29
d97516a

PR Type:

Refactoring, Enhancement


PR Description:

This PR introduces changes to handle incomplete Software Bill of Materials (SBOMs) in the Relevancy Manager. It includes the creation of new error types for container termination and incomplete SBOMs, and the modification of existing functions to handle these errors. Additionally, it includes tests for the new functionality and updates to the mock storage client to support testing.


PR Main Files Walkthrough:

pkg/relevancymanager/relevancy_manager_interface.go: Introduced two new error types: ContainerHasTerminatedError and IncompleteSBOMError.
pkg/relevancymanager/v1/relevancy_manager.go: Refactored error handling in the monitorContainer function to accommodate the new error types. Also, updated the ReportContainerTerminated function to use the new ContainerHasTerminatedError.
pkg/relevancymanager/v1/relevancy_manager_test.go: Updated the existing test to use the new mock storage client function. Added a new test to check the handling of incomplete SBOMs.
pkg/sbomhandler/v1/sbomhandler.go: Modified the FilterSBOM function to stop processing and send an IncompleteSBOMError when the SBOM is incomplete.
pkg/sbomhandler/v1/sbomhandler_test.go: Updated the existing tests to use the new mock storage client function.
pkg/storage/storage_mock.go: Updated the CreateSBOMStorageHttpClientMock function to accept a SBOM file name as an argument, allowing for more flexible testing.
pkg/storage/testdata/sbom-incomplete-mock.json: Added a new mock SBOM file for testing the handling of incomplete SBOMs.
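The walkthrough above introduces ContainerHasTerminatedError and IncompleteSBOMError and has FilterSBOM stop early on an incomplete SBOM while monitorContainer dispatches on the error type. The added example below (written for this page, not node-agent's own code) shows that pattern end to end in Go: typed errors wrapped with %w, a filter that refuses partial data, and a monitor step that turns each error into a distinct outcome via errors.As. The SBOM struct, its Complete flag, the container ID and file lists are constructed stand-ins; the project's real types and fields may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Error types named after the ones in the release note (assumption: the
// project's actual definitions and fields may differ).
type ContainerHasTerminatedError struct{ ContainerID string }

func (e *ContainerHasTerminatedError) Error() string {
	return "container " + e.ContainerID + " has terminated"
}

type IncompleteSBOMError struct{ ImageID string }

func (e *IncompleteSBOMError) Error() string {
	return "SBOM for image " + e.ImageID + " is incomplete"
}

// SBOM is a constructed stand-in for the stored document; Complete plays the
// role of whatever status field marks a finished SBOM.
type SBOM struct {
	ImageID  string
	Complete bool
	Files    []string
}

// FilterSBOM keeps only the files the container actually accessed. It refuses
// to filter a partial SBOM: a relevancy result computed from missing entries
// would under-report vulnerable files, which is worse than reporting nothing.
func FilterSBOM(doc SBOM, accessed map[string]bool) ([]string, error) {
	if !doc.Complete {
		return nil, fmt.Errorf("filter: %w", &IncompleteSBOMError{ImageID: doc.ImageID})
	}
	relevant := make([]string, 0, len(accessed))
	for _, f := range doc.Files {
		if accessed[f] {
			relevant = append(relevant, f)
		}
	}
	return relevant, nil
}

// Outcome is what one monitor iteration decided to do next.
type Outcome string

const (
	OutcomeStored Outcome = "stored" // filtered SBOM ready to persist
	OutcomeRetry  Outcome = "retry"  // SBOM not complete yet; check again later
	OutcomeStop   Outcome = "stop"   // container gone; stop monitoring it
	OutcomeFailed Outcome = "failed" // unexpected error; surface it
)

// MonitorTick is one iteration of a monitor loop. Termination wins over
// everything else, an incomplete SBOM is retried rather than treated as a
// failure, and any other error fails the tick.
func MonitorTick(containerID string, terminated bool, doc SBOM, accessed map[string]bool) (Outcome, []string, error) {
	if terminated {
		return OutcomeStop, nil, &ContainerHasTerminatedError{ContainerID: containerID}
	}
	relevant, err := FilterSBOM(doc, accessed)
	var incomplete *IncompleteSBOMError
	switch {
	case errors.As(err, &incomplete):
		return OutcomeRetry, nil, err
	case err != nil:
		return OutcomeFailed, nil, err
	}
	return OutcomeStored, relevant, nil
}

func main() {
	// Constructed inputs: what the container touched, and two snapshots of the SBOM.
	accessed := map[string]bool{"/bin/sh": true, "/usr/lib/libcrypto.so.3": true}
	partial := SBOM{ImageID: "sha256:aaa", Complete: false, Files: []string{"/bin/sh"}}
	full := SBOM{ImageID: "sha256:aaa", Complete: true,
		Files: []string{"/bin/sh", "/usr/bin/curl", "/usr/lib/libcrypto.so.3"}}

	steps := []struct {
		name string
		term bool
		doc  SBOM
	}{{"first tick", false, partial}, {"second tick", false, full}, {"after exit", true, full}}
	for _, s := range steps {
		out, files, err := MonitorTick("c1", s.term, s.doc, accessed)
		fmt.Printf("%-12s outcome=%-7s files=%v err=%v\n", s.name, out, files, err)
	}
}
```

Wrapping with %w keeps the typed error reachable through errors.As even after intermediate layers add context, which is what lets the monitor distinguish "not ready yet" from a real failure without string matching.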

Release v0.1.101

04 Sep 15:26
e6b1b9b

PR Type:

Enhancement


PR Description:

This pull request updates the version of the storage client from v0.0.16 to v0.0.18. This update may include bug fixes, enhancements, or new features introduced in the newer version of the storage client.


PR Main Files Walkthrough:

go.mod: The storage client version is updated from v0.0.16 to v0.0.18.
go.sum: The checksums for the storage client are updated to reflect the new version (v0.0.18).

Release v0.1.100

29 Aug 12:44
3487b4b

PR Type:

Enhancement


PR Description:

This PR updates the OpenTelemetry dependencies from v1.16.0 to v1.17.0. The changes are reflected in the go.mod and go.sum files.


PR Main Files Walkthrough:

go.mod: The OpenTelemetry dependencies (otel and otel/trace) have been updated from v1.16.0 to v1.17.0.
go.sum: The checksums for the updated OpenTelemetry dependencies have been added.



Release v0.1.98

29 Aug 07:41
32b47f4

PR Type:

Refactoring, Enhancement, Tests


PR Description:

This pull request includes a significant refactoring of the SBOM (Software Bill of Materials) handling code. It introduces a new SBOMHandler struct in the pkg/sbomhandler/v1 package, which is responsible for filtering SBOMs and managing image usage counts. The SBOMHandler interacts with a StorageClient to retrieve and store SBOM data. The PR also includes tests for the new SBOMHandler functionality.

Additionally, the PR modifies the FileHandler interface and its implementations, changing the GetFiles method to GetAndDeleteFiles, reflecting the method's behavior more accurately.

The PR also includes the deletion of several files related to the old SBOM handling implementation, indicating a shift towards the new structure.


PR Main Files Walkthrough:

pkg/sbomhandler/v1/sbomhandler.go: Introduces the SBOMHandler struct and its methods. The SBOMHandler is responsible for filtering SBOMs based on relevancy and managing image usage counts. It interacts with a StorageClient to retrieve and store SBOM data.
pkg/sbomhandler/v1/sbomhandler_test.go: Contains unit tests for the SBOMHandler methods, including FilterSBOM, IncrementImageUse, and DecrementImageUse.
pkg/filehandler/v1/filehandler_test.go: Modifies existing tests to accommodate the change from GetFiles to GetAndDeleteFiles in the FileHandler interface.
pkg/storage/v1/storage_test.go: Updates tests to reflect changes in the SBOM handling code.
pkg/storage/v1/storage_nocache.go: Updates the StorageClient implementation to reflect changes in the SBOM handling code.
pkg/storage/storage_mock.go: Updates the mock StorageClient used for testing to reflect changes in the SBOM handling code.
main.go: Updates the main application code to use the new SBOMHandler instead of the old SBOM handling code.
pkg/relevancymanager/v1/relevancy_manager.go: Updates the RelevancyManager code to use the new SBOMHandler.
pkg/relevancymanager/v1/relevancy_manager_test.go: Updates tests for the RelevancyManager to use the new SBOMHandler.
pkg/containerwatcher/v1/container_watcher.go: Updates the ContainerWatcher code to use the new SBOMHandler.

Release v0.1.96

10 Aug 13:17
55d86d9

Release v0.1.93

06 Aug 14:27
af59727