Vulnerablecode

Latest version: v36.0.0

Page 7 of 8

31.1.0

----------------

- We re-enabled support for the NPM vulnerabilities advisories importer.
- We re-enabled support for the Retiredotnet vulnerabilities advisories importer.
- We are now handling purl fragments in package search. For example,
you can now search using queries in the UI such as ``cherrypy@2.1.1``,
``cherrypy`` or ``pkg:pypi``.
- We are now ingesting npm advisories data through the GitHub API.

31.0.0

----------------

- We added a new Vulntotal command line tool that can compare the vulnerabilities
reported across multiple vulnerability databases.

- We refactored how we handle CVSS scores. We no longer store a CVSS
score separately from its CVSS vector. Instead the vector is stored in the
scoring_elements field.

- We re-enabled support for the PostgreSQL security advisories importer.

- We fixed the API key request form UI and made it consistent with the rest of the UI.

- We made bulk search faster by pre-computing `package_url` and
`plain_package_url` in the Package model, and added two options to the package
bulk search: ``purl_only`` returns only the vulnerable purls without any
extra details, and ``plain_purl`` filters purls ignoring qualifiers and
subpath and also returns them without qualifiers and subpath. The names used
are provisional and may be updated in a future release.
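The purl-fragment search added in 31.1.0 and the ``plain_purl`` behaviour described just above both come down to parsing a purl into its components and comparing or dropping some of them. The following is an added example, not VulnerableCode's own code, that implements both: a query may be only a fragment of a purl (``cherrypy@2.1.1``, ``cherrypy``, ``pkg:pypi``) and matches every purl whose present components agree with it; qualifiers and subpath are ignored in lookups and can be dropped from results. The class, function and field names are ours, the sample purls are constructed, and one assumption is ours: a fragment without the ``pkg:`` scheme is read as ``[namespace/]name[@version]``.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, unquote


@dataclass(frozen=True)
class Purl:
    """A parsed purl; every component is optional so that search fragments parse too."""
    type: Optional[str] = None
    namespace: Optional[str] = None
    name: Optional[str] = None
    version: Optional[str] = None
    qualifiers: tuple = ()          # sorted (key, value) pairs
    subpath: Optional[str] = None

    def to_string(self, plain=False):
        """Serialise; plain=True omits qualifiers and subpath (the "plain purl" form)."""
        head = "/".join(p for p in (self.type, self.namespace, self.name) if p)
        text = ("pkg:" + head) if self.type else head
        if self.version:
            text += "@" + self.version
        if not plain and self.qualifiers:
            text += "?" + "&".join(f"{k}={v}" for k, v in self.qualifiers)
        if not plain and self.subpath:
            text += "#" + self.subpath
        return text


def parse_purl(text):
    """Parse a full purl or a fragment of one; absent components are None.
    Assumption (ours): without a 'pkg:' scheme the text is [namespace/]name[@version]."""
    text = text.strip()
    has_scheme = text.lower().startswith("pkg:")
    if has_scheme:
        text = text[4:].lstrip("/")
    text, _, subpath = text.partition("#")
    text, _, query = text.partition("?")
    version = None
    if "@" in text:                       # split before unquoting so %40 in a namespace survives
        text, version = text.rsplit("@", 1)
        version = unquote(version)
    parts = [unquote(p) for p in text.split("/") if p]
    ptype = parts.pop(0).lower() if has_scheme and parts else None
    name = parts.pop() if parts else None
    namespace = "/".join(parts) or None
    qualifiers = tuple(sorted((k.lower(), v) for k, v in parse_qsl(query)))
    return Purl(ptype, namespace, name, version, qualifiers, subpath or None)


def matches_fragment(fragment, purl):
    """True when every component present in the fragment equals the purl's.
    Qualifiers and subpath are deliberately not compared."""
    return all(
        getattr(fragment, f) is None or getattr(fragment, f) == getattr(purl, f)
        for f in ("type", "namespace", "name", "version")
    )


def search(query, purls, plain=False):
    """Serialised purls matching a fragment query; plain=True drops qualifiers
    and subpath from the results and de-duplicates them."""
    fragment = parse_purl(query)
    found = []
    for purl in purls:
        if matches_fragment(fragment, purl):
            text = purl.to_string(plain=plain)
            if text not in found:
                found.append(text)
    return found


# Constructed sample data, not real VulnerableCode records.
SAMPLE_PURLS = [parse_purl(s) for s in (
    "pkg:pypi/cherrypy@2.1.1",
    "pkg:pypi/cherrypy@18.8.0",
    "pkg:pypi/django@3.2?extension=tar.gz",
    "pkg:npm/%40angular/core@9.0.0",
    "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie#usr/bin",
    "pkg:deb/debian/curl@7.50.3-1?arch=amd64&distro=jessie",
)]


if __name__ == "__main__":
    for q in ("cherrypy@2.1.1", "cherrypy", "pkg:pypi"):
        print(q, "->", search(q, SAMPLE_PURLS, plain=True))
```

Ignoring qualifiers and subpath in the lookup is what lets a query built from an SBOM entry such as ``pkg:deb/debian/curl@7.50.3-1?arch=amd64`` still hit the advisory recorded against the bare package, which is the practical reason for the ``plain_purl`` option; the cost is that two results differing only in qualifiers collapse into one, so the ``plain_purl`` output de-duplicates.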

30.3.1

----------------

This is a minor bug fix release.

- We enabled proper CSRF configuration for deployments

30.3.0

----------------

This is a feature update release including minor bug fixes and the introduction
of API keys and API throttling.

- We enabled API throttling for basic users; staff users have unlimited
API access.

- We added a throttle rate for each API endpoint, configurable from the
settings. See https://github.com/nexB/vulnerablecode/issues/991

- We improved how we import NVD data
- We refactored and made the purl2cpe script work to dump purl to CPE mappings
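The two throttling items above (throttled basic users, unlimited staff, a rate per endpoint read from settings) are easy to get subtly wrong, so here is an added example of the mechanism, not VulnerableCode's own code. It uses the "<count>/<period>" rate notation of Django REST framework, which the project builds on, but everything else is ours: the ``THROTTLE_RATES`` scopes and values are hypothetical, and ``User``, ``EndpointThrottle`` and ``FakeClock`` are not the project's classes.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical per-endpoint rates keyed by throttle scope (assumed names, not project settings).
THROTTLE_RATES = {
    "vulnerabilities": "20/minute",
    "packages": "20/minute",
    "bulk_search": "5/minute",
}
PERIOD_SECONDS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
                  "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


@dataclass(frozen=True)
class User:
    key: str                # API key or username: the identity the throttle is keyed on
    is_staff: bool = False


def parse_rate(rate):
    """'5/minute' -> (5, 60)."""
    count, _, period = rate.partition("/")
    return int(count), PERIOD_SECONDS[period]


class EndpointThrottle:
    """Sliding-window throttle keyed by (scope, user). Staff bypass it entirely."""

    def __init__(self, rates, clock=time.monotonic):
        self.limits = {scope: parse_rate(r) for scope, r in rates.items()}
        self.clock = clock
        self.history = defaultdict(deque)      # (scope, user key) -> timestamps of allowed calls

    def allow_request(self, scope, user):
        """True if the request may proceed, False if the user is over the endpoint's rate."""
        if user.is_staff:
            return True
        if scope not in self.limits:
            raise ValueError(f"no throttle rate configured for scope {scope!r}")
        limit, window = self.limits[scope]
        now = self.clock()
        hist = self.history[(scope, user.key)]
        while hist and hist[0] <= now - window:  # drop calls that fell out of the window
            hist.popleft()
        if len(hist) >= limit:
            return False
        hist.append(now)
        return True

    def retry_after(self, scope, user):
        """Seconds until the oldest call in the window expires; 0 if not throttled."""
        limit, window = self.limits[scope]
        hist = self.history[(scope, user.key)]
        if user.is_staff or len(hist) < limit:
            return 0.0
        return max(0.0, hist[0] + window - self.clock())


class FakeClock:
    """Deterministic clock so the demonstration does not depend on wall time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Five bulk searches pass, the sixth is rejected, staff are never throttled,
    and the basic user is admitted again once the window has moved on."""
    clock = FakeClock()
    throttle = EndpointThrottle(THROTTLE_RATES, clock=clock)
    basic, staff = User("key-basic"), User("key-staff", is_staff=True)
    basic_results = [throttle.allow_request("bulk_search", basic) for _ in range(6)]
    staff_results = [throttle.allow_request("bulk_search", staff) for _ in range(100)]
    wait = throttle.retry_after("bulk_search", basic)
    clock.advance(60)
    after_window = throttle.allow_request("bulk_search", basic)
    return basic_results, all(staff_results), wait, after_window


if __name__ == "__main__":
    print(demo())
```

Two points a deployment should not skip: the throttle identity must be the authenticated user or API key, since keying on client IP is defeated by NAT and shared proxies; and this in-process history is per worker, so a multi-process deployment needs a shared cache behind it or every worker grants the full rate independently.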

Internally:

- We aligned key names internally with the names used in the UI and API (such as affected and fixed)
- We now use querysets as model managers and have streamlined view code

30.2.1

----------------

- We refactored and fixed the LaunchPad API code.
- We now ignore qualifiers and subpath from PURL search lookups.
- We fixed severity table column spillover.

30.2.0

----------------

This is a critical bug fix release that also includes feature updates.

- We fixed critical performance issues that made the web UI unusable. This includes
removing some less interesting, redundant details displayed in the web UI for
vulnerabilities.
- We made minor documentation updates.
- We re-enabled support for the Arch Linux, Debian, and Ubuntu security advisories importers
- We added a new improver for OVAL data sources
- We improved the Alpine Linux and GitLab security advisories importers

The performance improvements include these fixes:

- Cascade queries from exact to approximate searches so that not every search
triggers a full table scan. This is a band-aid for now. The proper solution will likely
require using full text search instead.
- Avoid iceberg queries (one extra query per related object, hidden behind a single
view) by using "prefetch related" to limit the number of queries that are needed in the UI
- Do not recreate querysets from scratch but instead allow these to be chained
for simpler and correct code.
- Remove extra details from the vulnerability page: each package was further
listing its related vulnerabilities, creating an iceberg query.
- Enable the django-debug-toolbar with a setting to easily profile queries on demand,
by setting both the VULNERABLECODE_DEBUG and VULNERABLECODE_DEBUG_TOOLBAR environment
variables.

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.