March 28, 2024
### Changed
- SBOM dashboard: Nested components will now be displayed for CycloneDX SBOMs
- SBOM dashboard: Fixed bug where components table would fail to load for CycloneDX SBOMs if no issue name was set
- SBOM dashboard: Fixed bug where versions were not shown for CSV SBOMs
- SBOM dashboard: Fixed bug that would result in the components table failing to load for Factory SBOMs
March 18, 2024
### Changed
- SBOM Editor: Editing a license will now result in a new SBOM being created
- CVE Reports: All package identifiers in an SBOM are now scanned instead of a prioritized approach
- CVE Report: Fixed bug that caused licenses to not show for CycloneDX SBOMs
- Compliance Alerts: Fixed bug that would prevent some emails from being sent
- Download SBOM: Fixed bug where additional packages added through the SBOM editor would not be included when converting to an SPDX or CycloneDX SBOM
- CVE Report: Fixed bug where "create issue" button could be hidden even when a Jira integration is active
- CVE Report: Fixed issue that could prevent filters from saving
January 26, 2024
### Added
- CVE Report: Label CVEs that are contained in the Known Exploited Vulnerabilities catalog maintained by CISA.
- CVE Report: Add the status that NVD assigns to CVEs into reports
- SBOM: Add support for CycloneDX 1.5
- SBOM Download API: Add support for downloading CycloneDX or SPDX-lite format
- Compliance Settings: Prompt user before leaving the page if there are unsaved changes
- CVE report filtering: CVEs without an attack vector were not being properly filtered
- CVE report generation: Fixed a bug where invalid package names or versions could cause report generation to fail
October 27, 2023
### Changed
- CycloneDX SBOMs: improved kernel identification
- CVE report filtering: standardize "All" behavior across filters
- get_folders API: Add parent_folder_token field for each folder
- Triage data: notes count could be incorrect when importing triage data from another product
- CVE report: Filtered CVEs count in the summary was not being updated for package, status, and reference filters
- SBOM dashboard: Factory SBOMs failed to populate the components table
- SBOM dashboard: Licenses were shown incorrectly as "unknown" for some SBOMs
- SBOM dashboard: non-ASCII characters caused issues with loading content
- SBOM dashboard: License sorting was not functioning properly
- SBOM conversion: Factory SBOMs were failing to convert to CycloneDX SBOM
September 8, 2023
### New Features
- SPDX: Add support for 2.3
- PDF Report: Add filtered CVEs to the report.
- Download SBOM: Preserve patches and dependencies when converting to CycloneDX
- Notifications: Fixed bug that could cause SPDX and CycloneDX SBOM notifications to fail.
- Compare SBOMs: Fixed bug that would result in CVEs not being shown in the exported XLSX report.
August 11, 2023
### New Features
- SBOM Manager: Add support for a new tier of Vigiles
- CVE report: add vendor advisory references and filter
- Compare Reports API: change "pakage" to "package" when returning new and resolved_cves
- Compare Reports API: change "cvssv3" to "cvss_version" when returning new and resolved_cves
- Compare Reports API: add "cvss" field that contains the cvss score when returning new and resolved_cves
- SBOM Search: fixed bug that could exclude SBOMs from results
- SBOM Search: fixed error when searching for a version of a package that does not exist
- Upload API: fixed bug where the custom name was being ignored
July 12, 2023
### New Features
- SBOM Dashboard: A new way to view and manage your SBOM
  - View the components in your SBOM
  - View your License Policy violations
  - Check if your SPDX SBOM is NTIA minimum element conformant
- Alert settings have been moved to Compliance Settings
- The New SBOM modal has been split into 2 modals to provide a more streamlined experience
- New component policy information is now displayed on the SBOM dashboard instead of on vulnerability reports
- Demo mode uploads: Fixed bug that could result in package name taking priority over CPE name when using this mode
- Export CSV: improve notes parsing
- Compare SBOM: Fixed bug where versions were not correctly shown for linked SBOMs
June 14, 2023
### Changes
- Export SPDX:
  - Include dependency comments from meta-timesys for component relationships (NTIA minimum element conformance)
  - Include package checksums if provided
  - Include patch information
- CVE Report: Fix bug exporting reports with zero CVEs
- API upload: Remove whitelisted CVEs from CVE counts in returned report
March 14, 2023
### New Features
- CVE Search: CVE descriptions can now be searched
  - route: /vigiles/cves/search/
- Download SBOM: SBOMs can now be downloaded in CycloneDX format
  - Available file formats: CSV, JSON, XML
- SPDX, CycloneDX CVE Reports: When searching for vulnerabilities give priority to the package's purl and then CPE when available.
- Export SPDX: use an additional license field for invalid license expressions instead of trying to correct them and store them in the Declared License field.
- CVE Report: Fix a bug that could cause the text in the whitelist button to become out of sync with the CVE status.
January 04, 2023
### New Features
- SPDX SBOM support: SPDX SBOMs can now be uploaded to Vigiles
  - SPDX SBOMs can be uploaded using the timesys-api-toolkit (https://github.com/TimesysGit/timesys-api-toolkit) or the web interface
- CycloneDX SBOM support: CycloneDX SBOMs can now be uploaded to Vigiles
  - CycloneDX SBOMs can be uploaded using the timesys-api-toolkit (https://github.com/TimesysGit/timesys-api-toolkit) or the web interface
- Download SBOM: SBOMs can now be converted to additional SPDX and SPDX Lite file formats.
  - New file formats include:
    - JSON
    - XLSX Spreadsheet
    - XLS Spreadsheet
    - RDF/XML
    - YAML
    - XML
- SBOM Editor: Add CycloneDX support
- CVE report: Improve page load time
- Whitelisting: Performance improvement
- Upload SBOM: New sections added for SPDX and CycloneDX SBOMs
- Download SBOM: New interface
- CVE report: Fix a bug that prevented certain yocto SBOMs of older yocto releases from generating
- Products: Sort SBOMs by name and not version when a product contains linked SBOMs
- CVE report filters: Fix a bug that caused the 'custom score' filter not to display
December 09, 2022
### Changes
- CVE Data: Coverage has been improved by adding in additional affected configurations for CVEs to our curated database.
  - This change may result in both new CVEs being found for your SBOM as well as CVEs moving to the resolved state.
November 18, 2022
### New Features
- SPDX: Add support for downloading SBOMs in SPDX-lite format
- SPDX: Add homepage to SPDX SBOM
- CVE Report: Add an option to apply note to all CVEs when whitelisting a package
- Alerts: Add an option to receive an alert when a new package is added to a chain of linked SBOMs
- SBOM editor: Redirect to the latest report if the only change was to licenses instead of generating a new report
- SBOM editor: Show license changes in summary modal
- CVE search: Remember the selected search type
- CVE report: Improve page load time
- Search SBOMs: Remove duplicate package entries
- Notifications: Fix an error that prevented some notifications from being emailed
September 23, 2022
### New Features
- CVE Reports: Improved load time
- SPDX: improved vendor matching accuracy
- SPDX: Improved part type matching when creating a CPE
- API (Prime): Default to only using kernel and U-Boot filters when exporting XLSX report
- SBOM: Set max description length to 4096
- get_cve_info API (Prime): If an invalid field is submitted, a list of valid fields will be returned
- SPDX: Prevent invalid entries in the download location
- SPDX: Fix invalid license formats
- If the SBOM name was set in meta-timesys, it was not being used when no API key was present
- Alert emails were not being sent when the CVE report was automatically generated
- Packages that are not found in our database were not being marked as such in exported reports
- SBOM Search: Fix bug that would cause 404 in certain scenarios
August 17, 2022
### New Features
- API toolkit docs are now hosted at https://linuxlink.timesys.com/docs/api-toolkit
- Whitelisting: Notes can now be applied to all CVEs when whitelisting
- CVE report: The size of the notes section has been increased.
- Exported report: package notes are now included
- Updated footer to include github link
- Improved whitelisting to better handle packages with different package names but the same cpe name.
- Improved moving linked SBOMs between products and folders.
July 15, 2022
### New Features
- API toolkit is available now!
- API (Prime): add a route to download SBOM in SPDX format
- API (Prime): add a route to return a list of cve reports for a given manifest token
- API: remove date from search
- API: fix bug when getting manifests when no product or folder token is specified
June 10, 2022
### New Features
- API: A route for downloading reports has been added
  - Available formats: pdf, pdf summary, xlsx, and csv
  - https://linuxlink.timesys.com/docs/vigiles-api-manual#Reports.download_report
- CSV SBOM headers are no longer case sensitive
- Manifests are now referred to as SBOMs or Software Bill of Materials
April 29, 2022
### New Features
- Whitelisting now uses the cpe name to provide better coverage within a product
- SPDX: New fields
  - CPE ID
  - package supplier
  - download location
- APIs
  - Added option to apply filters to results
  - Added option to return additional cve information when getting cve report data
- Product and folder page load times have been improved
- History page
- The page load time has been improved
- UI enhancements
- Manifest Editor: Fixed bug that prevented saving the manifest to the private workspace of a user
March 15, 2022
### Bug Fixes
- Edit Manifest: Fixed an issue that prevented changes from being saved under certain conditions.
February 18, 2022
### Changes
- API: include shared manifests when getting an array of manifests information from a product or folder
  - route: /v1/vigiles/manifests Methods: "GET"
- API: default to applying only config filters on latest report
  - route: /v1/vigiles/manifests/<token>/reports/latest Methods: "GET"
February 4, 2022
### Changes
CVE report: The CVEs table no longer reloads on the following actions:
- Whitelisting a CVE
- Saving a Note
CVE report: Increased notes length to 1000 characters
- OpenWrt CVE report: Fix issue where fixed rfs packages were being shown as unfixed
- OpenWrt Manifest comparison: patches were not being displayed properly
- CVE report: Fixed 'Failed to load CVE child row' bug
December 23, 2021
### New Features
- Manifests can now be exported in SPDX tag:value format
- OpenWRT support
- Filtered CVEs have been added to exported XLSX reports
- Fixed a bug which would ignore the custom name set in the desktop integration
- Fixed the resizing of notes and comments
- Compare manifests: fixed the count in the summary section when there are multiple versions of the same package
- Fixed a filtering bug that would exclude CVEs with patches available from the unfixed filter
November 7, 2021
### New Features
- Added manifest package search feature
  - Accessible from the side navigation
  - Search all of your manifests and shared manifests
  - Search by package name and an optional version
  - Filter by product, folder, shared manifests, and linked manifests
- Added option to copy folder to new location
- Dynamic subfolder creation for Factory, Buildroot, and Yocto
- CVE reports are loaded in pieces to decrease page load time
- CVE report filters now filter the package section as well
- Whitelist uses cpe names to more accurately whitelist packages across manifests
- Updated exported manifest comparison to match new layout
- Alerts: moved new alerts to their own section when "Compare to previous report" is enabled
- Manifest editor: added option to set a license when adding a new package
- CVE search: pressing enter will submit the search
- Added a link to the dashboard from the boards page
- Automatic manifest scans include filters to calculate counts in notification emails
- All empty folders are now correctly marked as empty
- Fixed linux_kernel not being recognized as the kernel for Buildroot CVE reports
- Fixed intermittent forbidden error when viewing user profile
- Fixed CVE report package table showing some packages twice
- Fixed manifest creator report generation not marking unknown packages
- Fixed alerts causing some older CVE reports to not load correctly
- Fixed inconsistent checkbox behavior on CVE reports
August 20, 2021
### New Features
- APIs (Prime): New API routes have been added.
  - Get CVE Report information in JSON format
  - Get manifest information
  - Upload manifests
  - Scan manifests
  - Compare CVE reports
  - Search for CVEs by CPE product name and version
  - Get an array of folder information that can be filtered by product token
  - Delete manifests
  - Get CVE info by CVE id
- CVE report: Add Filtered CVEs section containing all CVEs that have been removed from the report due to filters being applied.
- Alerts: Add option to only send an email when there is a new alert.
- Desktop Factory: add Dashboard config support to upload to products.
- CVE info: Provide links to backported fixes when available.
- Manifest Compare: New interface
  - Manifests are now compared side-by-side.
  - More patch information is shown.
  - Manifest and CVE sections are now searchable.
  - Filters applied on CVE report are applied to the CVE section.
  - CVE comparison is now separated by packages.
- CVE report: Suggest applicable filters when kernel config is applied.
- Alerts: Added link to see alerts in the CVE table.
- Alerts: Added manifest name and location to the notification email.
- Alerts: Fixed bug where duplicate packages caused CVSS alerts count to show number of unique CVEs instead of total CVEs.
- Alerts: Fixed bug that could cause CVE reports to fail to load based on certain alert configurations.
May 21, 2021
### New Features
CVSS Alerts (Prime)
- Set alerts for CVEs with a CVSS greater than or equal to a severity of your choice.
- Alerts can be enabled and configured on a product or folder level.
- When enabled, alerts are generated during CVE report generation and will add a section to your report detailing the CVEs found. Additionally, CVEs will be highlighted red in the CVE table.
License Alerts (Prime)
- Set alerts for packages with licenses that you would like to be notified about.
- Exact and Contains match types are available.
- When enabled, alerts are generated during CVE report generation and will add a section to your report detailing the packages with licenses that match your alerts. Additionally, package licenses will be highlighted in red in the package summary section.
Alert Emails (Prime)
- Receive an alert every time a report is generated and an alert condition is met.
Alert Jira Issues (Prime)
- Automatically create a Jira issue every time a report is generated and an alert condition is met.
Confidential information notice added to the footer of exported reports.
Vector strings are now included in exported reports.
CVE notification emails now include the full path to report.
Fixed issue where some packages were incorrectly reported as not found in our database when they had no CVEs.
Improved the resizing of the notes section in CVE reports.
March 15, 2021
### New Features
A single issue can now be created for all CVEs found for a package. There is also an option to create an issue in your issue tracker for only CVEs that will be fixed by upgrading the package.
CVE reports can now be filtered to show CVEs that have reference patches, mitigations, and exploits.
Opening manifest creator within a folder now saves the manifest to that folder by default.
Manifest creator can now save to folders.
Add ability to rescan manifests from compare manifests page.
Yocto manifest linking has been updated to use machine and image.
Buildroot manifest linking has been updated to use machine and hostname.
Filters are applied to the history page now. By using the same filters as the CVE reports the counts will remain consistent.
Folders added to breadcrumbs.
Moving a manifest now loads available locations on modal open.
Copying a manifest now copies its u-boot and kernel configs.
Remove remaining reference in manifest to package when deleted in manifest editor.
Fix bug where certain product names would cause the dashboard config to fail to load.
Fix bug where whitelisted packages without versions were not being included in the fixed count correctly.
January 22, 2021
### New Features
Packages that are not found in our database based on their cve_product entry are now flagged as such.
Operating System filter is automatically set to linux for buildroot, factory, and yocto manifests during first CVE report generation.
Buildroot versions 2016.11 and older are now accepted and treated as csv manifests.
Architecture filter is automatically applied when a kernel config is uploaded.
Add ability to delete issues from issue tracker integration.
Side navigation has been improved and added to additional vigiles pages.
Improve manifest comparison to treat python 2 and python 3 as separate packages.
Issue descriptions now include more information from the CVE such as notes, suggested fix, references, cvss, status, custom score, and applied fix.
Collapsing the side navigation now saves the state.
Disabled custom scores on shared reports instead of flashing error message.
Kernel recognition was improved within a manifest.
Side navigation collapse button is now in the same place on each page.
Titles have been changed on the compare manifests page to improve clarity.
Additional error codes were added for API routes.
Some entries in the side navigation did not allow the full width to be clickable.
Packages with all CVEs whitelisted were not being marked as resolved in pie graph.
Fixed manifest name wrapping issue in CVE report header.
Fixed bug that would cause email notification settings to be set to the same value if multiple manifest chains of the same type were in the same product.
Improve kernel and u-boot config file checking to avoid cve report crashes.
Set whitelisted counts on the packages tab in exported xlsx reports.
December 10, 2020
### New Features
- Jira integration has been added to Vigiles to create issues from CVE reports
- Products and product table settings now persist through login
Recognize kernel added through manifest creator correctly
Fix whitelist count on exported reports
October 22, 2020
### Changes
Replace "Create Manifest" and "Upload Manifest" with "New Manifest" on folder pages.
Feedback modal now closes automatically after submitting.
Exported reports now have full names of note and whitelist authors in all cases.
Improved Dashboard Config download from Product/Folder Settings modal to display contents of config.
New Manifest modal now closes correctly after uploading manifest.
Empty Products can now be deleted properly.
Fixed a bug that caused conflicting triage data to fail when importing.
Fixed a bug that could cause copying/moving manifests to incorrectly return an error that there were conflicts in the target product.
Manifest Editor can now save manifests where package versions were removed.
September 18, 2020
### Changes
Combine create manifest and upload manifest into one modal. New users will see an additional modal to help get them started with a sample report.
Improve visibility of desktop instructions in new manifest modal.
Add examples to the Import Triage Data from file modal.
Improve import triage data validation and error reporting.
U-boot config filter now applies if u-boot was added from the edit manifest interface.
August 25, 2020
### New Features
Folders can now be created inside products, to hold separate groups of manifests. The "link manifests" setting is tracked separately for each folder.
Notes and Whitelist data can now be imported to a product from a CSV file.
When a new note is saved to a CVE, no reload is needed before searching by notes.
Manifests are now linked by image name, rather than engine type.
Users are now prompted to re-accept the Terms of Service any time the Terms of Service change.
Tooltips now show properly when the headers are at the top of screen on the report page.
Manifests can now be sorted properly by notification frequency.
Users with seats equivalent to Prime will not be prompted to restart their trial.
Manifests are properly deleted when a product is deleted.
CSV files with spaces at the end of lines no longer fail to upload.
Tutorial videos no longer play audio when the modal is closed.
Scan status shows up in the correct column when a manifest is uploaded.
Shared reports no longer fail to export.
July 15, 2020
### New Features
Manifest comparisons can now be exported as an XLSX file.
CVEs can now be searched by the contents of their notes.
Manifests created using the Manifest Creator can now be given custom names.
Multiple new tutorial videos have been added to a YouTube playlist, accessible via the "Tutorial Videos" button on the sidenav.
An "Expand/Collapse All" button has been added to the CVEs table in CVE reports.
Vigiles will now auto-detect the type of manifest you are uploading.
Manifest Creator now saves the created manifest to the product the creator was accessed from, defaulting to Private Workspace.
Feedback can now be submitted via the "Send Feedback" button on the sidenav.
Users with expired Prime Trials can now request another trial.
Timesys Curation and Triage notes are now available for CVEs.
Curation notes include supporting information regarding the affected package / version when the upstream source (typically NVD) is incomplete or inaccurate, and the Timesys security team has curated the information.
Triage notes include information regarding the vulnerability entered by the Timesys security team to aid evaluating the applicability of the vulnerability (e.g., minor issue - documentation only, disputed - upstream maintainer does not consider it a security issue, applicable only when used in a certain configuration, etc.)
Links to the documentation have been added to common actions.
CVEs can now be filtered based on the platform they affect.
Packages outside of Buildroot can now be tracked when using Vigiles-Buildroot.
CVSS Scores are now represented as color-coded blocks, rather than a bar.
The sidenavs have been cleaned up and reduced in size.
"Import Data" is now one button on the sidenav, and can be used to select Custom Scores, Notes, or Whitelist data.
When downloading a CSV Template, Patched/Whitelist columns are unchecked by default.
Manifest Upload Date is now shown in the CVE Report header.
When a package version is changed between manifests, a comparison will not show CVEs that affect both versions.
If a manifest fails to upload, the file will be cleared from the modal.
When creating a manifest using the Manifest Creator, "linux" and "kernel" will be treated as the "linux_kernel" package.
Whitelisted packages are no longer shown in report comparisons.
The "Report Bug" feature was combined with the new "Send Feedback" button.
When a new version of a manifest is created (uploading to a linked product, or using the Manifest Editor) the filters from the previous version of the manifest will be included.
Packages with complex versions showed "Unknown" licenses.
Manifests containing multiple versions of the same package sometimes showed incorrect "Package Summary" information for those packages.
Manifests containing multiple versions of the same package sometimes showed incorrect "Applied Patches" information.
Whitelisting a CVE caused the page to scroll inconsistently.
May 15, 2020
### New Features
All LinuxLink Documentation has been made public.
Vigiles-Buildroot has been added to the Git Repos tab.
A Vigiles User Guide has been added to the documentation.
- Whitelist, notes, and custom scores are no longer imported during product creation. They can still be imported from the product page after creation.
Extremely large manifests previously failed to scan.
Notes did not reflect changes if the CVE was collapsed and re-opened.
Whitelisting did not take effect until the page was reloaded.
Vigiles Basic accounts filtered out all CVEs.
The demo page did not properly load summary charts.
May 1, 2020
### New Features
LinuxLink now has Buildroot integration. This includes:
The ability to run CVE checks from the command line
Automatically upload manifests, kernel configs, and u-boot configs to Vigiles.
U-boot CVEs now show the relevant fixed-by SHAs and config options
Users can now subscribe to chains of manifests, as well as individual manifests. If a product is linked, product subscriptions will be used to determine rescan/email notifications. Private Workspaces cannot be linked, so they will not use product subscriptions.
Custom CVSS Scores can now be assigned to CVEs. These scores are product-wide and allow users to determine their own priority rankings. These can be imported between products.
Users can now share manifests via a generated sharing link. Anybody with the sharing link will be able to view the latest report for the given manifest.
Package CVE summaries are now available on exported XLSX/PDF reports.
With Buildroot integration being added, old Buildroot manifests have been converted to CSV manifests.
A "Cancel" button has been added to the Manifest Editor to discard changes and return to previous page.
The notes textbox limit has been increased to 1000 characters.
CVEs are now sorted by CVSS within each package.
Tooltips have been improved for the Manifest Creator.
If "*" or "version" is specified as the version in the Manifest Creator, it is assumed to mean all versions of the package
U-boot filters are now displayed on exported CSV/XLSX reports
Importing a whitelist from another product now only imports whitelisted entries. Previously, "unwhitelisted" entries were also copied, leading to confusion as to why a single CVE might be unwhitelisted when a package as a whole was whitelisted.
Kernel and U-boot config filters have been moved from the sidenav to the CVE table.
Kernel and U-boot config filters are now copied and applied to manifests created using the Manifest Editor.
Fixed Versions are now displayed properly if no version is specified for a package.
Table headers now resize properly on CVE Reports.
Some CVEs were being reported multiple times for u-boot, due to util packages. This has been fixed.
Fixed an issue causing auto-complete for package names to not work properly when the sidenav was open.
The CVE info modal no longer displays a full page on error.
Exported CSV now has the "Patch Info" and "Kernel Option" headers in the correct order.
Manifest chains are now redrawn every time a manifest is edited, to prevent the history page from getting out of sync.
Kernel/U-boot config filters now apply properly when uploading from the desktop.
Unnecessary filter requests have been removed from the CVE Report page.
Due to package name and CVE Product mismatches, packages added via the Manifest Editor were causing issues with detecting and labeling Fixed CVEs, and kernel config filters. This has been fixed.
Fixed an issue causing Manifest Creator to be unable to save to products shared with the user.
Manifest chains now get copied properly between products in all cases.
Sorting a product based on notification frequency now applies properly.
March 18, 2020
### New Features
An editor is now available for Buildroot, CSV, and Yocto manifests. This editor can be used to add packages, modify package names or versions, and, for Buildroot/Yocto, modify licenses. Saving changes will create a new manifest in the same product as the previous manifest with the changes applied.
CVE Reports can now be filtered using a u-boot config
CVE Reports now use the DataTables library to display CVE information. As a result of this:
All CVEs are now in a single table, with a column specifying their status
Filters other than kernel/u-boot config are now applied directly to the table, and can be changed on the fly
CVEs can now be filtered by package name
A package summary section has been added to the CVE report page, displaying CVE and license stats for each package
A CVE Search option has been added to the sidenav to view curated CVE information. CVEs can be searched by package name and version, or by ID.
The package search for the Manifest Creator and Editor now use fuzzy string matching to give relevant results even with typos
If a report is made public, other reports for that manifest are also made public.
Uploading a manifest from the desktop now provides a default name based on the board information. Old unnamed manifests have been renamed to follow this pattern.
The CVE ID links on the CVE Report page now display a modal with Timesys curated information instead of redirecting to NVD.
Uploading a manifest with a large number of manifests in the product sometimes caused auto-scan to fail.
Reports and manifests are now ordered properly on the "compare manifests" modal.
February 7, 2020
### New Features
Manifests can now be linked together as a chain of versions. This allows users to more accurately monitor the progress they've made in securing their system over time, on the 'View History' page. Manifest linking works as follows:
In the Product Settings modal, found on the sidebar, there is an option to link all manifests in the product. This will link or unlink all manifests in the product based on upload date, as selected.
Each engine type in the product will create a separate chain -- for example, if there are Yocto and CSV manifests in the same product, two chains will be created.
If a manifest is uploaded, moved, or copied to a product that has the 'link manifests' option enabled, the manifest will automatically be added to the correct place in the version chain, as decided by upload date.
Private Workspaces do not support manifest linking.
As part of the addition of Manifest Versions, manifests can now be compared. This allows the user to view:
Added, removed, upgraded, or downgraded packages
Added or removed patches (Yocto/Factory only)
A comparison between any two reports for the manifests, defaulting to the most recent for each.
Yocto manifests can now be uploaded directly to a specific product. This can be done by downloading the Dashboard Config for the product you wish to upload to. See meta-timesys for more details.
A sidebar has replaced many of the high-level buttons on Vigiles. This is especially useful for CVE Reports, as it allows buttons such as "Filter", "Rescan", and "Export" to be accessible from anywhere on the page, rather than having to scroll all the way to the top of the page.
CVSS scores are always formatted to one decimal place. This is a purely aesthetic change, and has no effect on the accuracy of the score provided.
Improved report generation speed
If a user tries to upload something that is not a kernel config to the kernel config filter, an error will be displayed, and the file will not be saved. This prevents an incorrect kernel config filter from decreasing accuracy of reports.
A tooltip was added to the "Removed CVEs" header on report comparison to show why CVEs may have been removed.
If a kernel config has not been uploaded to filter a manifest, the Kernel Config Filter option on the sidenav will display an icon with a tooltip recommending the user does so.
Load times and error handling have been improved in many places throughout Vigiles.
- A bug with uploading manifests from Yocto with a kernel config and API key caused the request to fail.
December 4, 2019
### New Features
A manifest creator has been added to the Upload Manifest dropdown, and is available at "https://linuxlink.timesys.com/vigiles/manifest/create". Manifests created this way can be saved to your Private Workspace by clicking "Save", another product by clicking the dropdown arrow next to Save, or exported to CSV format.
### Changes
On the CVE Report page, Yocto CVEs that have patches available have been combined from their own table into the "Unfixed" table with an icon to signify that a patch is available in the meta-timesys layer.
Products are now sorted by last-modified date on the /vigiles page
Minor UI change to the Filters dropdown: Clear Filters is now separated
Any user that can view a CVE Report can now download the corresponding manifest
The "Download Manifest" button has been removed from the History page. It is now only available from the CVE Report page.
Vigiles has moved from "https://linuxlink.timesys.com/products" to "https://linuxlink.timesys.com/vigiles"
The manifest database has been restructured to allow for faster and easier development.
Load times have been significantly decreased for almost all pages.
- A bug preventing empty notes from being saved has been fixed.
October 17, 2019
### New Features
Automatic generation of CVE Reports with email notifications for any manifest can now be scheduled to occur on a daily, weekly, or monthly basis from the Product page.
Registering users can now select multiple products to register for.
Users can now begin trials for Vigiles, TimeStorm, and Factory from the landing page.
CVE Reports can now be exported to a PDF. This can be either a one-page summary, or a full report.
Filters have been moved back to the manifest level. They now apply only to the manifest they are set on, instead of all manifests in the product.
The auto-generated graphs in the Summary table of a CVE report, and on the Report History page for a manifest have been changed.
Exporting a report as a CSV is now done server-side, and has more information
Exporting a report as an XLSX is now done server-side, and has more information
CVE Reports that are filtered using a kernel config now load significantly faster than before
Saving a note on a CVE entry is now significantly faster.
Moving a CVE entry to or from the whitelist is now significantly faster.
CVE Entries are now sorted by package and then severity (CVSS).
- CVSSv2 scores were previously not being reported for CVEs that had no CVSSv3 scores.
September 19, 2019
### New Features
A public changelog has been added, and can be found by clicking the "What's New" button on the products page.
You can now import notes or whitelist from another product. This can be done either upon creation, or by clicking the import button at any point on the product page.
Automatic CVE Report generation and notification can now be scheduled on a daily, weekly, or monthly basis.
Manifests can now be scanned on the product page without refreshing. Up to three manifests can be scanned at a time.
Entire packages can now be whitelisted/unwhitelisted from the CVE Report page.
Summary emails now include new unfixed CVEs found since the last scan.
A list of packages without any known vulnerabilities is now displayed at the bottom of the CVE report.
If a CSV is uploaded with any spaces in the package names, they will be automatically converted to dashes.
The same manifest can now be uploaded to multiple products.
Tooltips for saving notes and whitelisting now specify that the action is product-wide. A note about this is also displayed at the bottom of the CVE report.
High/Critical CVE counts now only include Unfixed CVEs.
CVE Reports for CSV manifests no longer show the 'Applied Fix' section, as there is no way to know what patches were applied.
Uploading a manifest directly from Yocto/Factory caused the whitelist to not be updated correctly.
A bug with kernel config filters meant that a user could apply a nonexistent config, causing many relevant CVEs to be filtered out.
Whitelisted Toolchain CVEs were not included in the header count on the CVE report page.
August 20, 2019
### New Features
CVE Reports now give totals for any changes between this scan and the previous. This includes:
- New CVEs
- Removed CVEs
- Status Changes (e.g. Unfixed -> Fixed)
Vector and CVSS changes between reports are highlighted, but not counted. Hovering over a highlighted field will display the previous value in a tooltip.
You can now compare any two reports for a manifest by going to the History for that manifest. This can be accessed by clicking the "View History" button on a CVE Report.
CVEs now have a text field displaying when they were last whitelisted/unwhitelisted, and who modified them. Any changes made before this will show "Timesys Migration Bot" as their modifier.
CVE reports on desktop now report a summary of CVEs per package. For example: krb5 (5 Unfixed, 0 Unfixed Patch Not Applied, 0 Fix Available With Upgrade, 0 Fixed)
In order to have the most up-to-date information, we now pull CVE data from Canonical as well. Any CVEs that are from this source will be displayed with an icon specifying that they are 'early notification' CVEs.
Patch, Mitigation, and Exploit information is now shown for CVEs which have that information available. This appears as a drop-down menu inside the child row of relevant CVEs.
Fixed CVEs now display the fix that was applied.
When uploading a manifest from desktop Factory/Yocto, the time and date are used as the name of the manifest. Previously they appeared as 'None'.
On the kernel config filter modal window, 'Upload and Apply' is now disabled until a file is selected.
CVEs which would be fixed by upgrading to a newer version of Factory are more accurately detected and shown.
If a CVE in the "Patch Not Applied" table is fixed in a newer version of the package, the "Suggested Fix" displayed will be to upgrade the package to the newer version.
Mapping of CVEs to kernel config has been improved.
A bug with filters caused Vigiles Basic users to not be able to see which filters were applied to a report.
A bug with shared products caused them to still appear even after they were deleted.
A bug with manifest uploads caused Factory manifests to break when the version was not found.
August 2, 2019
### New Features
You can now view your manifests from the Products page. Clicking on a product row will open a child row with the 10 most recently scanned manifests in the product.
A "View History" button has been added on the CVE Report page to view all CVE reports for this manifest.
You can now download a template CSV from the "CSV Upload" window. Patched and Whitelisted columns are now optional as long as the CSV contains headers.
Notes now have a text field below them showing when they were last modified and who modified them. Any notes written before this was added will show "Timesys Migration Bot" as their author.
You can now download your most recent kernel config from the filter window.
Linuxlink has a new landing page! This page will allow you to access Vigiles, Factory, or TimeStorm.
Your default product has been renamed to Private Workspace.
A product that is created without a description will now show "No Description" instead of "Empty" in the description field.
The summary page for historical CVE Reports now has a column for whitelisted CVEs.
Your login session will now last for one week, instead of 12 hours.
The Save Notes button will only be enabled if notes have been changed since the last save.
Unsharing previously had a bug where having any manifests in the product would cause unsharing to fail. Unsharing now works as intended - as long as no manifests in the product are owned by other users, you can unshare the product at any time.
The summary page for historical CVE Reports previously included whitelisted CVEs in the Unfixed/Fixed categories. These have been removed to standardize whitelisting behavior as a way to ignore CVEs.
A bug with the Filter Reports button on the CVE Report page caused the button to stay blue even after all filters were cleared. The button now changes back to white when there are no filters applied.
Reports could previously be viewed even after deleting the manifests, if you had the URL for them. When a report is deleted, it can no longer be viewed.
A bug with uploading manifests previously meant that if a manifest was deleted from Vigiles and re-uploaded, it would not appear in the product list. This has been corrected.