-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: release blog post for Hipcheck 3.9.1
Signed-off-by: jlanson <[email protected]>
- Loading branch information
Showing
6 changed files
with
96 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
|
|
||
| FROM node:bookworm-slim | ||
|
|
||
| ARG HC_VERSION="3.9.0" | ||
| ARG HC_VERSION="3.9.1" | ||
|
|
||
| WORKDIR /app | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| --- | ||
| title: Hipcheck 3.9.1 Release | ||
| authors: | ||
| - Julian Lanson | ||
| extra: | ||
| author_img: "images/authors/julian.png" | ||
| --- | ||
|
|
||
| Hipcheck 3.9.1 introduces some bugfixes related to the auto-installer and binary | ||
| releases, as well as some improvements to target resolution. | ||
|
|
||
| <!-- more --> | ||
|
|
||
| --- | ||
|
|
||
| ## 📦 Installation and Containerization Fixes | ||
|
|
||
| Thanks to an [issue][container_issue] submitted by [Aeva Black], we were made | ||
| aware that running Hipcheck in our official Containerfile was not as | ||
| effortless as we would like. Investigation of this issue led to further | ||
| realization that key values used in installer script generation had not been | ||
| updated in a couple versions, and so our installers shipped with versions | ||
| `3.8.0` and `3.9.0` were still pulling down Hipcheck `3.7.0`. | ||
|
|
||
| This release addresses the above issues, the installer with this release will | ||
| properly download Hipcheck `3.9.1`. | ||
|
|
||
| ## 📦 Policy File Support for Relative Paths | ||
|
|
||
| The other main reason binary installations were not running properly was because | ||
| the default policy file that ships with Hipcheck has plugin configurations that | ||
| specify relative paths to plugin-specific configuration files. | ||
|
|
||
| When a policy file is loaded, the configurations specified for each plugin are | ||
| sent to that plugin as-is; the `hc` binary is not expected to understand the | ||
| parameters of a particular plugin's configuration at all. This means that | ||
| relative paths specified in a plugin's configuration will be interpreted | ||
| relative to the running plugin's current working directory, which is the same as | ||
| the one from which `hc` was started. This is often nowhere near where the | ||
| configuration files are stored. | ||
|
|
||
| It has become clear that our policy file needs to be able to specify paths | ||
| relative to the policy file itself, which requires `hc` core to do a little more | ||
| than basic file format processing. In this release we introduce the `#rel()` | ||
| macro for use in policy files, which can be placed around a KDL string (e.g. | ||
| `#rel("Binary.toml")`. When `hc` loads a policy from file, it will now run a | ||
| pre-processing step to re-interpret the contents of `#rel()` as a path relative | ||
| to the directory containing the policy file itself. In this way, | ||
| `#rel("Binary.toml")` indicates a file in the same directory as the policy file. | ||
| We have applied this macro to the default policy file that releases with | ||
| Hipcheck, so now plugins that rely on config files can correctly locate them. | ||
|
|
||
| ## 📦 Target Resolution Refactor | ||
|
|
||
| This release also includes the initial implementation of [RFD #5], a refactor of | ||
| our target resolution mechanism. While for now the changes are mostly internal, | ||
| there are a few improvements for users. Firstly, there is better fuzzy-matching | ||
| for finding the git repo tag associated with a given SemVer version string. Even | ||
| more exciting, NPM and PyPI packages specified without a version will now cause | ||
| Hipcheck to find the repo tag associated with the latest version of that | ||
| package. Previously, a user would have to use the `--ref` flag and specify a Git | ||
| reference or commit directly if a package version was not provided. | ||
|
|
||
| ## 🗺️ How to Get Involved | ||
|
|
||
| We're always looking for new contributors! If you'd like to learn more about | ||
| Hipcheck and get involved in contributing, please checkout our [Roadmap] and | ||
| feel free to get in touch with us through our [Discussions] board! | ||
|
|
||
| ## ⭐️ Thank You to Our Contributors and Supporters | ||
|
|
||
| As always, we want to say a big "Thank you!" to everyone who supports the | ||
| project at MITRE, to CISA for [sponsoring our current work on it][cisa_hipcheck], | ||
| to our prior government sponsors who have helped advance Hipcheck, and to | ||
| everyone who has contributed, given feedback, or encouraged us in building it. | ||
|
|
||
| The following team members contributed to this release: | ||
|
|
||
| - [Julian Lanson], Hipcheck Development Team Lead at MITRE | ||
| - [Aeva Black], Open Source Security Section Chief at CISA | ||
| - [Michael Chernicoff], Hipcheck Developer at MITRE | ||
| - [Patrick Casey], Hipcheck Developer at MITRE | ||
|
|
||
| [container_issue]: https://github.com/mitre/hipcheck/issues/752 | ||
| [Aeva Black]: https://github.com/AevaOnline | ||
| [Julian Lanson]: https://github.com/j-lanson | ||
| [Michael Chernicoff]: https://github.com/mchernicoff | ||
| [Patrick Casey]: https://github.com/patrickjcasey | ||
| [RFD #5]: @/docs/rfds/0005-target-resolution-refactor.md | ||
| [Roadmap]: https://github.com/orgs/mitre/projects/33/views/15 | ||
| [Discussions]: https://github.com/mitre/hipcheck/discussions | ||
| [cisa_hipcheck]: https://www.cisa.gov/news-events/news/continued-progress-towards-secure-open-source-ecosystem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.