
Releases: opencve/opencve

OpenCVE v1.5.0

10 Dec 23:20

Release notes

The objective of this release is to support the 2.0 API endpoints of the NVD instead of the old data feeds.

Important note: this is the last minor version of the 1.x major release (there will be no 1.6 release). The next major version (2.0.0) is a complete refactoring of the stack (from Flask & Celery to Django & Airflow). You can find more information about this new version and the changes compared to v1 on this page.

NVD CVE 4.0 to CVE 5.0 Transition

At the beginning of November 2023, the NVD started to migrate their datasets from the CVE 4.0 to the CVE 5.0 format. The list of changes for users can be found here.

The OpenCVE 1.5.0 release uses the 2.0 API of the NVD, so the CVE 5.0 format is now used. Consequently, OpenCVE API users should note that the raw_nvd_data field of the GET /cve/<string:id> endpoint is affected by this change (its content now returns the CVE 5.0 payload).

Upgrade Process

For new installations this release has no impact: the process (manual or using Docker) remains the same.

For existing installations, users need to follow this process:

  1. stop the Celery beat process
  2. check the logs of the Celery worker process and stop it too when no task is active
  3. backup your database
  4. launch the database migration using the upgrade-db command
  5. launch the NVD data migration using the migrate-nvd command
  6. restart the Celery worker and beat processes

OpenCVE v1.4.1

29 May 07:19
4e422ea

Added

  • Add the cve.org link in the CVE HTML page

Fixed

  • Upgrade jsmin package to fix a dependency issue

OpenCVE v1.4.0

06 Nov 09:26
d2afc79

Release notes

This release drops support for Python 3.6 (more information here).

It also includes a migration to increase performance by adding indexes on the reports and alerts tables. Use the upgrade-db command to execute the migrations.

OpenCVE now requires a Redis instance to store a lock and avoid parallel tasks.

The following parameters have been added in the configuration file:

  • celery_lock_url
  • include_analytics
  • reports_cleanup_days
  • smtp_use_ssl

Please update your opencve.cfg if you need to change the default values.

Added

  • Add vendor name in products subscriptions
  • Add a periodic task to clean old reports
  • Increase performance with indexes on reports and alerts tables
  • Support the MAIL_USE_SSL configuration
  • Show subscribed users for vendors and products in admin
  • Add column_filters in admin views
  • Include custom HTML code in all pages for analytics

Fixed

  • Remove duplicate items when pagination is used
  • Add a lock in Celery tasks to avoid parallel chains
  • Downgrade importlib-metadata to fix a bug in Python 3.7
  • Parse modified references with quotes in the URL
  • Fix responsive bug in login and register views
  • Fix a bug when viewing emails in Outlook
  • Rework CPE parsing to improve memory footprint
  • Release memory when possible in CVE import

Removed

  • Remove Python 3.6 support

OpenCVE v1.3.0

25 Jan 08:48
a19a9b9

Release notes

This release introduces 2 new migrations:

  • one for the first_time notification setting
  • one to display all activities in the dashboard or only the subscriptions changes

The first_time notification setting is important: most of the time a new CVE is published without an associated CPE, so OpenCVE cannot link it to vendors or products and you don't receive a notification (even if you selected Receive a notification when a new CVE is created).

With this option, the user receives a notification when one of their subscriptions appears for the first time in a CVE, even if this CVE was created in the past.

Use the upgrade-db command to execute the migrations.

Added

  • feat: add tags in dashboard
  • feat: display the change details in a dedicated view
  • feat: display all activities (not only subscriptions ones)
  • feat: add the first_time event
  • feat: display change date in a human format in CVE history
  • feat: add new API endpoint to search products without vendor
  • feat: improve the vendors and products search
  • feat: display recorded change history for CVEs

Fixed

  • fix: missing template for the first_time event
  • fix: check uuid validity before searching the change

OpenCVE v1.2.3

02 Sep 14:08
f7a9c4d

Fixed

  • fix: sort the activities in homepage and increase performance of SQL query

OpenCVE v1.2.2

12 Aug 09:43

Release note

This release fixes a latency problem on the homepage.

Fixed

  • fix: reduce the list of reports to 5 items in homepage
  • fix: remove hardcoded date and number of report alerts in homepage

OpenCVE v1.2.1

11 Aug 17:16
6a61389

Release note

This release introduces a new dashboard listing the last activities of your subscriptions. A new activities_per_page setting is available in your opencve.cfg file, don't forget to add it (default value is 20).

Added

  • tests: add tests on subscriptions controller
  • tests: added test for admin
  • feat: better JSON diff in admin view
  • feat: add the last CVE activities in homepage
  • tests: add tests on last activities feature

Fixed

  • fix: improve error messages in create-user command
  • fix: subscribing to an invalid ID throws a 400 instead of a 500 error

OpenCVE v1.2.0

19 Jun 15:30

Important note

This release introduces 2 new migrations:

  • one to create the cves_tags and users_tags tables,
  • the other to add GIN indexes on cves.summary and cves.cve_id columns.

These GIN indexes rely on the pg_trgm module of PostgreSQL. The opencve upgrade-db command will enable it for you, but you can also do it yourself if you prefer (CREATE EXTENSION pg_trgm). From PostgreSQL 13 this module is considered trusted, meaning it can be installed by non-superusers with the CREATE privilege.

These indexes act on common and widely used columns, so we recommend stopping the workers (web & celery) during the upgrade.
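As an added illustration, not taken from the OpenCVE release notes or the project's own migration code, the following PostgreSQL SQL shows what enabling pg_trgm and adding trigram GIN indexes on cves.summary and cves.cve_id amounts to, together with the checks an operator can run before and after. The index names idx_cves_summary_trgm and idx_cves_cve_id_trgm are assumptions; the real migration may name them differently.

```sql
-- Added example (not the OpenCVE project's own migration). Index names are
-- assumptions; table and column names (cves.summary, cves.cve_id) come from
-- the release notes above.

-- 1. Check that pg_trgm is available and whether it is marked trusted.
--    The "trusted" column exists from PostgreSQL 13 onward; on older
--    servers drop it from the SELECT list and run step 2 as a superuser.
SELECT name, version, installed, superuser, trusted
FROM pg_available_extension_versions
WHERE name = 'pg_trgm';

-- 2. Enable the extension (this is what `opencve upgrade-db` does for you).
--    On PostgreSQL 13+ a non-superuser only needs CREATE privilege on the
--    current database.
CREATE EXTENSION IF NOT EXISTS pg_trgm;

-- 3. Create the trigram GIN indexes. CONCURRENTLY avoids a lock that blocks
--    writes on the heavily used cves table, at the cost of a longer build;
--    it cannot run inside a transaction block.
CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_cves_summary_trgm
    ON cves USING gin (summary gin_trgm_ops);

CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_cves_cve_id_trgm
    ON cves USING gin (cve_id gin_trgm_ops);

-- 4. Verify that the trigram indexes exist on cves.
SELECT indexname, indexdef
FROM pg_indexes
WHERE tablename = 'cves'
  AND indexdef LIKE '%gin_trgm_ops%';

-- 5. Confirm the planner uses them for the substring searches the /cve
--    search page issues. On a populated table expect a
--    "Bitmap Index Scan on idx_cves_summary_trgm" rather than a
--    "Seq Scan on cves".
EXPLAIN (COSTS OFF)
SELECT cve_id, summary
FROM cves
WHERE summary ILIKE '%remote code execution%';

EXPLAIN (COSTS OFF)
SELECT cve_id
FROM cves
WHERE cve_id LIKE '%2021-44%';
```

pg_trgm's GIN operator class serves both LIKE and ILIKE patterns with a leading wildcard, which a B-tree index cannot; that is why the search on /cve benefits. On a small or freshly imported table the planner may still prefer a sequential scan, so judge the EXPLAIN output only after the CVE import has populated the table.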

Added

  • Improved search functionality on /cve
  • Add GIN indexes on cves.summary and cves.cve_id
  • New API Endpoint (user subscriptions)
  • Add the tags feature

Fixed

  • trim() the text of the 'Subscribe' button
  • CVE can be filtered by CWE and vendor in the same query
  • Default tag color wasn't correctly handled

OpenCVE v1.1.0

11 Apr 14:22

Added

  • Display vulnerability type with the CWE ID
  • Add more statistics in admin dashboard
  • Add opencve-docker repository link
  • Release the API
  • Return API datetimes in ISO8601
  • Add API ratelimit

Fixed

  • Check if email is unique when editing a profile
  • Check search attribute instead of id in CWEs listing
  • Fix "stmp_password" in configuration, ensure compatibility before deprecating it

OpenCVE v1.0.2

18 Jan 17:49

Note

  • You need to execute opencve upgrade-db to update the database schema

Added

  • Refactor the reports task to make it more testable
  • Add GitHub issue templates
  • Add the NONE and CRITICAL CVSSv3 filters
  • Add Python 3.8 in setup.py classifiers
  • Add favicon.ico in website root

Fixed

  • Redirect subscribe links to the login page for unauthenticated users
  • Fix wrong links for CWE definitions
  • Handle exception in case of bad SMTP configuration
  • Fix user creation/edition in administration panel
  • Make Cwe.cwe_id field not nullable (needs database schema update)
  • Clean CVSSv2 and CVSSv3 fields for rejected CVEs (needs database schema update)