CHANGELOG.md

File metadata and controls

698 lines (374 loc) · 34.8 KB

Changelog

All notable changes to this project will be documented in this file.

The format is partially based on Keep a Changelog, and this project adheres to Semantic Versioning. The entries in this changelog are primarily automatically generated through the use of conventional commits and the Python Semantic Release tool. However, some entries may be manually edited, where it helps for clarity and understanding.

v0.52.0 (2024-11-07)

Breaking

  • Add organization support (#499) (1ad0ea7)
    • Phylum CLI installs before v7.1.4-rc1 are no longer supported. That release is the first one providing support for analysis with organizations via extensions.

v0.51.0 (2024-10-09)

Feature

  • Add windows standalone archive install option (#481) (83538a0)

Fix

  • Include phylum-ci.exe in release artifacts (#477) (23c1e28)

v0.50.0 (2024-10-02)

Breaking

  • Add windows support with standalone binary (#474) (24a20c9)
    • Phylum CLI installs before v7.1.0-rc1 are no longer supported. That release is the first one providing full Windows support.

Documentation

v0.49.0 (2024-08-21)

Feature

  • Add option to exclude dependency files (#462) (258709b)

v0.48.0 (2024-07-26)

Feature

Documentation

v0.47.0 (2024-06-28)

Feature

  • Allow groups to be specified without a project (#443) (ec3bd63)

v0.46.0 (2024-06-21)

Feature

v0.45.0 (2024-06-12)

Feature

Documentation

v0.44.1 (2024-06-04)

Fix

  • Account for cargo_suffix in cli version (#433) (bfbd426)

v0.44.0 (2024-04-04)

Feature

  • Ensure bitbucket repo urls use https scheme (#406) (5ea8cb2)

Documentation

  • Recommend triggering scans for default branch (#407) (efa67d0)

v0.43.0 (2024-03-08)

Feature

v0.42.4 (2024-03-05)

Fix

Documentation

v0.42.3 (2024-02-22)

Fix

  • Image failures for non-root uses of yarn and pnpm (#391) (345ecd2)

v0.42.2 (2024-02-09)

Performance

  • Reduce phylum binary size for slim images (#385) (ac5e477)

v0.42.1 (2024-01-05)

Documentation

v0.42.0 (2023-12-13)

Breaking

  • Phylum CLI installs before v6.0.0-rc3 are no longer supported. That release introduced a number of breaking changes which are only functional with this release of the phylum package. (35adcaf)
  • The --lockfile/-l argument to the phylum-ci script has changed to --depfile/-d. (35adcaf)

v0.41.0 (2023-12-05)

Feature

  • Extend GHA integration to support pull_request_target events (#341) (6ed6c14)

Breaking

  • Phylum CLI installs before v5.9.0-rc2 are no longer supported. A version with support for disabling lockfile generation and skipping sandbox usage is required. (6ed6c14)
  • The phylum-ci return code for a policy violation that results from a Phylum analysis has been changed from 1 to 2 in order to make it distinct from the default failure code that is generated for all raised SystemExit exceptions with a message instead of a code. (6ed6c14)

v0.40.0 (2023-12-04)

Feature

  • Parse current dependencies only once (#359) (a96dccb)

Fix

  • Repository URL sometimes formatted with False (#361) (195136d)

v0.39.0 (2023-11-27)

Feature

  • Set repository URL for CI environments (#355) (28cf1a9)
  • Ensure remote HEAD set for CINone implementation (#351) (e303919)

v0.38.0 (2023-11-09)

Feature

  • Support workspace projects for all lockfile types (#344) (2bf66c7)
  • Cache parsing results of current dependency files (#342) (1ceff86)

Breaking

  • CLI installs prior to v5.8.0 are no longer supported. A Phylum CLI version with the find-lockable-files command is needed. (2bf66c7)

v0.37.1 (2023-10-20)

Fix

  • More container tools broken when home-less (#337) (403eb7d)

v0.37.0 (2023-10-19)

Feature

  • Add Python 3.12 support and drop Python 3.8 support (#335) (feb3502)
  • Enforce strict engine control for npm (#336) (4e69e3e)

Breaking

  • Support for Python 3.8 was removed due to the change in CONTRIBUTING policy to support only the current/latest release plus the previous three minor versions of Python. (feb3502)

v0.36.0 (2023-10-16)

Feature

Fix

  • Container tools broken when home-less (#329) (f951e3c)

Breaking

  • The phylum-ci docker image created from the default Dockerfile is much larger, containing all the required tools for lockfile generation across all supported ecosystems. To retain the previous functionality, a new slim tag is offered for those instances where no manifest files are present and/or only lockfiles are used. (f96ff48)

Documentation

  • Add more detail for manifest file support (#328) (3241d2d)

v0.35.2 (2023-09-18)

Fix

  • Integrations should check for previous comments (#305) (12e7445)

v0.35.1 (2023-09-07)

Fix

v0.35.0 (2023-08-29)

Feature

Breaking

  • CLI installs prior to v5.7.0 are no longer supported. A Phylum CLI version with ability to parse CycloneDX lockfiles is needed. (3897879)

v0.34.0 (2023-08-15)

Feature

  • Improve GitLab integration for partial checkouts (#291) (ca33672)

v0.33.0 (2023-08-09)

Feature

  • Add packages.*.lock.json lockfile detection (#287) (00e1d57)

v0.32.1 (2023-08-08)

Chore

  • Add lockfile to PackageDescriptor (#282)

v0.32.0 (2023-07-19)

Feature

  • Add pnpm-lock.yaml and packages.lock.json lockfile support (#277) (a24b2c2)

Breaking

  • CLI installs prior to v5.5.0 are no longer supported. A Phylum CLI version with ability to parse pnpm-lock.yaml and packages.lock.json lockfiles is needed. (a24b2c2)

v0.31.0 (2023-06-29)

Feature

  • Update the phylum analysis technique (#269) (4a6367b)

Documentation

  • Remove docs hosted in documentation repo (#264) (1bcc72b)

v0.30.1 (2023-06-09)

Style

  • Account for new report format (#259)

v0.30.0 (2023-05-24)

Feature

  • Add npm-shrinkwrap.json and requirements*.txt to supported lockfiles (#250) (c21b0e6)

v0.29.0 (2023-05-23)

Feature

  • Add logging support and better error output (#247) (0350be9)

v0.28.1 (2023-04-14)

Fix

  • Link to Phylum UI project clipped in logs (#227) (8d2e91e)

v0.28.0 (2023-04-13)

Feature

Breaking

  • The risk domain threshold options have been removed. (ed3532e)
  • CLI installs prior to v5.0.0 are no longer supported. A Phylum CLI version with ability to return policy results and specify the --base option in the analyze command is required. (ed3532e)

v0.27.0 (2023-04-07)

Feature

  • Provide ability to specify Phylum API URI (#222) (80a54db)

Breaking

  • The short option -u for --vul-threshold was removed. (80a54db)

v0.26.0 (2023-04-05)

Feature

Breaking

  • Support for Python 3.7 was removed due to its imminent end of life. (1b65787)

v0.25.0 (2023-03-28)

Feature

  • Allow .phylum_project file to be optional (#209) (7092c93)

Breaking

  • CLI installs prior to v4.5.0 are no longer supported. A Phylum CLI version with ability to specify multiple lockfiles is required. (7092c93)

Documentation

v0.24.1 (2023-02-14)

Fix

Documentation

v0.24.0 (2023-02-10)

Feature

Documentation

v0.23.1 (2023-01-10)

Fix

  • Link to Phylum UI project clipped in logs (#186) (95d6838)

v0.23.0 (2023-01-03)

Feature

  • Improve experience around GitHub rate limiting API requests (#179) (df5f1e2)

Breaking

  • The --phylum-release option (-r) default is no longer latest. Default behavior now is to use the installed version and fall back to latest when no Phylum CLI is already installed. (df5f1e2)

v0.22.1 (2022-12-19)

Fix

  • Issue summary entries repeated in output (#175) (30d9e42)

v0.22.0 (2022-12-15)

Feature

Breaking

  • For GitLab branch pipelines, the analyzed dependencies are now determined by comparing the lockfile in the branch to the default branch instead of the previous commit that ran in that branch pipeline. All dependencies will be analyzed when the branch pipeline is run on the default branch. (7d6d859)

v0.21.0 (2022-12-06)

Feature

  • Add go.sum and Cargo.lock as supported lockfiles (#169) (187a863)

v0.20.0 (2022-11-29)

Feature

  • Support RSA SHA256 signature verification in phylum-init (#165) (4fad7dd)

Breaking

  • CLI installs prior to v3.12.0 are no longer supported.
  • CLI installs and upgrades can no longer be confirmed with .minisig minisign signatures and must instead use .signature RSA SHA256 based signatures. (4fad7dd)

v0.19.0 (2022-11-15)

Feature

  • Extend Azure Pipelines integration to support GitHub repos (#160) (39e80ac)

v0.18.0 (2022-11-04)

Feature

v0.17.1 (2022-10-17)

Fix

  • Sanitize user input to guard against possible cmd injection (#144) (4d72ece)

Documentation

  • Provide more hints about using the SVG files (#146) (747e230)

v0.17.0 (2022-10-10)

Feature

v0.16.1 (2022-10-05)

Fix

  • Account for shallow fetch in Azure Pipelines integration (#135) (36e2413)

v0.16.0 (2022-09-29)

Feature

  • Add support for Azure Pipelines CI environment (#127) (a22de2c)

Documentation

  • Use long form options in documentation examples (#129) (bbca9d3)

v0.15.0 (2022-09-14)

Feature

  • Allow docker image use for non-root users (3e87aa9)
  • Don't require serial processing of pre-commit hook (#115) (b0fb110)

Breaking

  • CLI installs prior to v2.2.0 are no longer supported. (e5c0fca)

v0.14.0 (2022-08-26)

Feature

  • Change supported maven lockfile to effective-pom.xml (#112) (c98fa8e)

v0.13.3 (2022-08-24)

Documentation

  • Revert bad script options SVG files (907e8f2)

v0.13.2 (2022-08-24)

Fix

  • Script options auto update still can't find package (#108) (967c1c0)

Documentation

  • Revert bad script options SVG files (0c9dfc2)

v0.13.1 (2022-08-23)

Fix

  • Script options auto update can't find package (#107) (9fb7164)

Documentation

  • Revert bad script options SVG files (9d7d6fc)

v0.13.0 (2022-08-22)

Feature

  • Provide a Docker image with glibc instead of musl libc (#104) (c5fadb4)

Breaking

  • Versions of the CLI older than v3.8.0-rc2 are no longer possible to install on Linux systems with the phylum-init script. (c5fadb4)

Documentation

  • Add script options docs with auto updates (#102) (6ba8e96)

v0.12.1 (2022-08-12)

Fix

  • Issue Summary data missing for vulnerability domain (#99) (3a833cf)

v0.12.0 (2022-08-11)

Feature

  • Host phylum-ci Docker image on GitHub Container Registry (#97) (ebc882e)

v0.11.0 (2022-08-04)

Feature

  • Add git pre-commit hook integration (#91) (99c5726)

Fix

  • Incorrect vulnerability risk domain package key name (#94) (247b4a4)

Documentation

  • Update CONTRIBUTING.md to show how to add dependencies without constraints (d25dd1f)
  • Create exclusive directory for Integrations docs to sync properly (#80) (d8b608b)

v0.10.0 (2022-07-14)

Feature

  • Check for and list valid versions and targets programmatically in phylum-init (#74) (7066565)

Documentation

  • Add integration documentation to Phylum docs page (5b988b9)

Performance

  • Allow native Docker image creation (#77) (9ee4123)

v0.9.1 (2022-07-01)

Fix

  • Detect lockfile changes in GitHub PRs (#73) (c119a4a)
  • Apply total threshold to all risk domains (#71) (0b19167)

v0.9.0 (2022-06-27)

Feature

  • Add support for GitHub Actions CI environment (#68) (b59da0a)

v0.8.1 (2022-06-16)

Fix

  • Docker image tags are inconsistent (#67) (00a2b53)

v0.8.0 (2022-06-15)

Feature

  • Coordinate phylum-ci Docker image releases with new CLI releases (#63) (82b57e2)
  • Expose version arguments with a short form -V (92e9149)

Fix

  • Using gh cli requires specifying a token (#65) (1e070fd)
  • Logical prefixed not fails GitHub workflow syntax (#64) (00a5cb1)
  • Re-enable building docker images with pre-built distributions (c5d7aa0)

Documentation

  • Add a Code of Conduct (#60) (c953f68)
  • Add a security policy (21fce1b)
  • Reformat code examples to add whitespace lines (a31fdce)

Performance

v0.7.0 (2022-06-01)

Feature

  • Use a single character for "single dash" options (6a4b032)

Breaking

  • The short options for the following arguments changed (6a4b032):
    • --force-analysis was changed from -fa to -f
    • --force-install was changed from -fi to -i
    • --vul-threshold was changed from -vt to -u
    • --mal-threshold was changed from -mt to -m
    • --eng-threshold was changed from -et to -e
    • --lic-threshold was changed from -lt to -c
    • --aut-threshold was changed from -at to -o

v0.6.0 (2022-05-27)

Feature

  • Provide an option to force analysis (#55) (4d6fc3b)
  • Default to project settings for risk domain thresholds (#52) (9f10442)
  • Default to analyzing new dependencies only (#53) (e0894fc)

Fix

  • Ensure the "CI Platform Name" portion of a label is correct (#55) (1867fb6)
  • Enable Phylum UI links for groups (#54) (8775a63)

Breaking Changes

  • Individual risk domain threshold values can be set with command line options, which now accept values between 0 and 100, inclusive
    • Previously, the accepted values were between 0 and 99, inclusive
  • The option to analyze --new-deps-only was removed and replaced with one that has the opposite meaning: --all-deps
  • The short option to --force-install was changed from -f to -fi

v0.5.2 (2022-05-24)

Fix

  • Ensure notes are not duplicated in GitLab MRs (#43) (a8ffe7f)

v0.5.1 (2022-05-20)

Fix

  • Sync package issue key name changes from CLI v3.4.0 release (#41) (2f5f8d5)

v0.5.0 (2022-05-19)

Feature

  • Add support for GitLab CI environment (#38) (732daea)

v0.4.0 (2022-05-18)

Feature

  • Expose the Python package as a Docker image (#37) (0976f1d)

v0.3.0 (2022-05-12)

Feature

  • Add phylum-ci script entry point to analyze lockfile changes (#36) (f1cbac7)

v0.2.1 (2022-05-04)

Fix

  • Use phylum-bot account instead of a personal account (#34) (40ba743)

v0.2.0-rc.0 (2022-05-03)

Added

  • Modern release workflow

v0.1.1 (2022-04-25)

Added

  • phylum-init script entry point and initial functionality
  • Test workflows for local and CI based testing
  • Preview and Release workflows for Staging and Production environments
  • Phylum analyze workflow for PRs

v0.0.1 (2022-03-28)

Added

  • Basic Python project structure
    • Make use of poetry for environment, dependency, and package build/publish workflows
    • Not enough to provide any real functionality
    • Just enough to have a first release on TestPyPI and PyPI to claim the package name
  • Basic test structure, making use of pytest
  • This CHANGELOG.md file to adhere to a standard for documenting changes
  • A README.md file to explain how to do local development with this structure