Skip to content

Latest commit

 

History

History
712 lines (434 loc) · 23.5 KB

CHANGELOG.md

File metadata and controls

712 lines (434 loc) · 23.5 KB

Releases

1.41.7 (9/24/2024)

New Features

  • imagebuild command to build container images using different build engines.
  • --http-probe-concurrency - new flag to control HTTP probe command execution concurrency
  • --http-probe-fail-on-status-5xx - new flag to treat 5xx (e.g., 500) response status codes as errors

Improvements

  • --http-probe-full is now enabled by default, so all specified custom HTTP probe commands are executed.
  • Improved global --host flag and Docker runtime client connection setup

1.41.6 (8/24/2024)

New Features

  • Podman runtime support for the xray command and the --runtime flag to choose the runtime.
  • Podman runtime support for the images command
  • --http-probe-client-timeout and --http-probe-client-timeout-crawl flags for the slim/profile commands
  • --http-probe-exit-on-failure-count flag for the slim/profile commands
  • --http-probe-retry-off flag for the slim/profile commands

Improvements

  • Created app command and moved the install, update, version and other app management related operations there as sub-commands.
  • --http-probe-retry-count flag now can be used to disable probe retries by setting it to -1 (or use the --http-probe-retry-off flag instead)

Bug Fixes

  • User identity collection bugfix for the xray command.
  • HTTP probing completion logic bugfix to prevent early probing exit.

1.41.5 (6/30/2024)

New Features

  • The --include-distro-info flag for the slim (aka build) command to keep the OS distro metadata in the minified image.

Improvements

  • Using full image IDs (without stripped hash prefix) when calling the "save image" Docker API to make Orbstack happy (more improvements)

1.41.4 (6/22/2024)

New Features

  • The --obfuscate-app-package-names flag for the slim (aka build) command to select the obfuscation mode for the application package names (ignored unless the --obfuscate-metadata flag is enabled).
  • The --include-last-image-layers flag for the slim (aka build) command to keep all files from the last number of layers in the image

Improvements

  • Using full image IDs (without stripped hash prefix) when calling the "save image" Docker API to make Orbstack happy

1.41.3 (6/8/2024)

New Features

  • The --http-probe-cmd-upload flag for the slim (aka build) and profile commands to upload files (and enhanced --http-probe-cmd-file command schema to support uploads).

Improvements

  • Enhanced API spec probing auto-generating POST data (--http-probe-apispec and --http-probe-apispec-file flags).
  • Pinned busybox debug image for the debug command.

1.41.2 (5/28/2024)

New Features

  • The --command-params-file flag now works for the slim (aka build) and xray commands ( thanks to @Billy-North ).
  • The --shell-cmd flag for the debug command allowing you to be more explicit about the intent to use a shell (alternative to --cmd).
  • Basic DNS network probing.

Improvements

  • Renamed the --auto-run-as-non-root debug command flag to --fallback-to-target-user.
  • Improved non-root user handling for the debug command (to disable the automated user identity selection logic set --fallback-to-target-user to false)

Bug Fixes

  • Use the custom entrypoint and cmd when they are not empty for the debug command ( fixed by @sword-jin )

1.41.1 (4/5/2024)

New Features

  • --include-healthcheck flag for the slim (aka build) command
  • Basic Redis network probing.

Improvements

  • creport data and format enhancements.
  • debug command doc updates.
  • debug command improvements for podman

1.41.0 (3/12/2024)

New Features

  • ContainerD container runtime support for debug
  • Podman container runtime support for debug

Improvements

  • Auto-select the container runtime in debug by specifying auto as the --runtime flag value.

1.40.12 (3/12/2024)

Improvements

  • Default Docker API version update.
  • Report document type info in report documents.

1.40.11 (2/2/2024)

New Features

  • New build command flags (--include-dir-bins and --include-ssh-client).
  • Simple images command to list container images.

Improvements

  • OCI image format support in xray.
  • Improved xray command reports to include object type information.

Bug Fixes

  • Fixes and dependency updates to support the new Docker Engine version (25.x).

1.40.10 (1/17/2024)

Bug Fixes

  • Sensor artifact (post-)processing bug fix for additional PT generated artifacts.

1.40.9 (1/15/2024)

Improvements

  • Added command parameter information to process events in mondel.
  • Enhanced mondel event capture to prevent event data loss on sensor shutdown.

1.40.8 (1/7/2024)

New Features

  • New vulnerability command and the epss subcommand to lookup EPSS scores for vulnerabilities.
  • Simple registry server command to have a local OCI registry (thank you Sarvesh Raj, @sarveshraj, for your contribution!).
  • Simple registry push command to push local images to a registry.
  • Simple images command to list container images.
  • RPM packaging for the apps (thank you Rohan Jamadagni, @Rohansjamadagni, for your contribution!)

Improvements

  • Enhanced registry pull command to pull images from authenticated registries.
  • quiet mode improvements (WIP) to hide the standard execution context output when it's enabled.
  • quiet mode for the images command.
  • Interactive prompt updates to include the images, registry and vulnerability commands and a couple of global flags.
  • Monitor Data Event Log (mondel) enhancement to improve the write path.

1.40.7 (12/9/2023)

New Features

  • Simple registry image-index-create command to create multi-architecture images.
  • Simple images command to list container images.

Improvements

  • Improved ptmon syscall handling.
  • Enhanced mondel events with timestamps and sequence numbers.
  • Extra docker socket validation checks.
  • Version info on exit/failure.
  • Temp container cleanup improvements.
  • ARM image build scripts for the containerized distribution.

Bug Fixes

  • Websocket http probe bug fix.
  • Various ptmod bug fixes.

1.40.5/1.40.6 (11/2/2023)

New Features

  • Sensor control commands to control sensor execution when running in the standalone mode (first command: stop-target-app).
  • xray - detect system identities (users, groups) and their properties (--detect-identities flag, enabled by default).
  • build - Keep the OS/libc zoneinfo data (--include-zoneinfo flag, disabled by default).
  • build/profile - Mon(itor) Data Event Log (aka mondel) - optional data event log for sensor monitors to log/stream monitor events (--enable-mondel main app flag, --mondel/-n sensor flag(s)).

Improvements

  • target-app-running sensor lifecycle hook.
  • build/profile: --env-file to load env vars from a file.
  • build/profile: basic input validation to ignore malformed env var data for the --env flag.
  • build: Using internal output image builder by default (--image-build-engine flag)
  • Renamed the reverse engineered Dockerfile from Dockerfile.fat to Dockerfile.reversed

Bug Fixes

  • Various bug fixes

1.40.4 (8/25/2023)

Improvements

  • Auto-complete in the interactive prompt mode for the target, namespace, pod and session flags
  • Interactive debug command terminal that runs as if you are connected directly to the target image you are debugging (enabled by default)
  • Basic sessions for debug command
  • Ability to show logs for the existing debug command sessions
  • More debug command flags (see README)
  • README docs updates for the debug command

Bug Fixes

  • Many debug command bug fixes

1.40.3 (7/13/2023)

New Features

  • Kubernetes runtime support for the debug command
  • appbom command in the main app and --appbom flag in the sensor
  • merge command to merge two container images (optimized to merge two minified images).

Improvements

  • More debug command flags
  • README docs for the debug command
  • Ability to detect the Docker Desktop unix socket
  • Code and logging cleanup

Bug Fixes

  • Sensor volume fix for sensor symlinks (to address the Homebrew installed problems with sensor)
  • Various dependency updates to get security fixes

1.40.2 (5/12/2023)

Improvements

  • New experimental build command flag to prevent the vulnerability scanners from discovering the metadata they need to identify the vulnerabilities (--obfuscate-metadata) inspired by the Malicious Compliance KubeCon EU 2023 talk

Bug Fixes

  • HEALTHCHECK instruction decoding enhancements to handle the data generated by buildah
  • fsutil format string bug fix

1.40.1 (4/5/2023)

Improvements

  • New include flags for the build command (--include-workdir)
  • Debug/trace logging improvements

Bug Fixes

  • todo: add info

1.40.0 (1/15/2023)

New Features

  • Base image metadata for xray
  • Basic support for multiple image build engines (--image-build-engine, --image-build-arch parameters)

Improvements

  • dockerfile reverse engineering updates
  • buildkit dockerfile instruction support
  • name change

Bug Fixes

  • todo: add info

1.39.1 (11/12/2022)

1.39.0 (10/24/2022)

1.38.0 (8/27/2022)

New Features

  • Experimental 'debug' command
  • JSON console output format

Improvements

  • refactored http-probe-exec and http-probe-exec-file to be host-exec and host-exec-file (breaking change)

Bug Fixes

  • todo: add info

1.37.6 (4/22/2022)

Improvements

  • Source image label in minified images
  • Full image path enhancements for container entry info

Bug Fixes

  • Traced application signal handling bugfix
  • Healthcheck instruction parsing bugfix

1.37.5 (3/20/2022)

New Features

  • Experimental Node.js package include flag
  • Experimental Next.js(React.js) app include flags
  • Experimental Nuxt.js(Vue.js) app include flags
  • Ability to disable the ptrace data source

1.37.4 (2/27/2022)

New Features

  • Container probe feature to use one of the compose services to test/probe the target container (--container-probe-compose-svc flag and container.probe continue-after mode)
  • Ability to override the container image name and/or tag when targetting a compose service (--target-compose-svc-image flag)
  • Ability to wait before executing the HTTP probes (--http-probe-start-wait flag)
  • Ability to wait before starting each compose service (--compose-svc-start-wait flag)
  • Basic FastCGI protocol support in HTTP probes (docs TBD)
  • New registry command and a basic pull subcommand
  • --include-new build flag to keep new files created by target during dynamic analysis
  • Supprot for stored global param in slim.config.json

Improvements

  • Improved containerized CI/CD environments support (sensor-ipc-mode and sensor-ipc-endpoint flags for build and profile)
  • Docker host detection improvements
  • Target container IP detection improvements
  • Not minifying onbuild base images by default
  • Not minifying already minified images
  • Cleanup container resources on exit
  • include-cert-all build flag enabled by default
  • Propagate logging flags to sensor
  • Not using default http probe if custom probes are already defined
  • Many compose related enhancements (volume lookup enhancements, compose image detection and error handling, etc)
  • Various monitoring engine enhancements
  • Migrate from urfave/cli/v1 to urfave/cli/v2
  • Dockerfile reverse engineering enhancements (HEALTHCHECK instruction support, improved RUN instruction reversing when ARGs are also used)

1.37.3 (12/10/2021)

New Features

  • Install command / docker cli plugin install option (preview version)

Improvements

  • Container and compose link handling enhancements
  • Volume mounting enhancements
  • Static analysis improvements
  • Symlink handling improvements for builds
  • Collecting file check filesystem activity
  • Entrypoint/cmd override handling improvements

Bug Fixes

  • Volume mounting bug fixes for compose

1.37.1/1.37.2 (11/7/2021)

New Features

  • Ability to pull images from private registries (--registry-account, --registry-secret, --docker-config-path flags)

Improvements

  • Additional flags for compose (dep-include-target-compose-svc-deps, compose-env-nohost, compose-env-file, compose-workdir, compose-project-name)
  • Variable substitution support in compose
  • Detect duplicates by default in xray
  • Resource cleanup when the build command exits
  • delete-generated-fat-image flag to cleanup the non-optimized images when docker-slim builds images from source/Dockerfile
  • Improved maintainer info collection for xray

Bug Fixes

  • Volume mounting bug fixes for compose

1.37.0 (9/23/2021)

New Features

  • Experimental docker-compose support for the build command
  • Include cert flags to make it easier to keep certificate data in the optimized images

Improvements

  • Install script

1.36.4

1.36.3 (8/30/2021)

1.36.2 (8/5/2021)

1.36.1 (6/20/2021)

Improvements

  • --cro-host-config-file, --cro-sysctl and --cro-shm-size flags.
  • M1 builds.

Bug Fixes

  • xray and sensor volume detection bug fixes.

Improvements

  • Ability to detect additional shells.
  • Saving command report to /tmp directory if it's not possible to save it in the current working directory.
  • Printing tag information for build command.

Bug Fixes

  • Default continue-after value handling fix (remove probe mode if http probing is disabled).
  • Sensor not exiting when it's trying to copy a directory it already copied.

1.36.0 (6/12/2021)

New Features

  • Ability to find duplicate files for xray (--detect-duplicates, --show-duplicates).
  • Ability to find all utf8 encoded files for xray using the --detect-utf8 flag (optionally dumping them to console, directory or tar file).
  • Ability to find the files with special permissions (--show-special-perms).
  • Ability to find all installed shells for xray.
  • Container entry information for xray with file detection.
  • Inherited image instructions (aka ONBUILD instructions) for xray.
  • More image level stats for xray.

Improvements

  • Multiple tags for the build command.
  • --http-probe-off flag for the build command to provide a shortcut to disable HTTP probing.
  • Flexible target image handling to use non-default tags if the latest tag doesn't exist and no explicit tag is provided.

1.35.2 (5/2/2021)

New Features

  • change-match-layers-only xray flag to print only the layers that contain the matches.

Improvements

  • xray enhancement: printing to console by default for pattern or data matches.

Bug Fixes

  • Various xray command bug fixes.

1.35.1 (4/27/2021)

Improvements

  • Ability to combine probe and exec continue-after modes

Bug Fixes

  • Various xray command bug fixes

1.35.0 (4/14/2021)

New Features

  • Console color output (on by default; disable with no-color)
  • Loading http probe request data from separate files
  • Ability to execute external probe commands (--http-probe-exec and --http-probe-exec-file flags)
  • Ability to preserve original files in the target container discarding its test runtime data (--preserve-path and --preserve-path-file)
  • Ability to pull container images if they don't exist locally yet (--pull and --show-plogs)
  • File hashing for xray (--hash-data)
  • Additional flags to control the xray command executions (--top-changes-max, --reuse-saved-image)
  • Ability to match by file path, file data and file hash for xray (--change-path value, --change-data value, --change-data-hash value)

Improvements

  • Lots of additional container build flags (--tag-fat, --cbo-add-host, --cbo-build-arg, --cbo-label, --cbo-target, --cbo-network, --cbo-cache-from).
  • Additional container runtime flags (--cro-runtime)
  • sigint should kill the running container (#186)

Bug Fixes

  • Various xray image layer inspection bug fixes

1.34.0 (1/29/2021)

New Features

  • New xray flags to control what layer change data to include in the generated reports (layer-changes-max, all-changes-max, add-changes-max, modify-changes-max, delete-changes-max)

Improvements

  • host network flag handling enhancements.
  • Returning non-zero exit codes on failures
  • Additional image checks to catch missing ENTRYPOINT/CMD instructions

Bug Fixes

  • Fixed container image listing bug that broke the --target value suggestions in the interactive prompt mode.

1.33.0 (12/12/2020)

New Features

  • Ability to interact with the temporary containers using the --exec and --exec-file flags

Improvements

  • npm support enhancements (makes it possible to use npm start in Dockerfiles, which isn't recommended though)

Bug Fixes

  • Various bug fixes.

1.32.0 (8/23/2020)

New Features

  • Mapping container ports to specific host ports analyzing image at runtime (--publish-port and --publish-exposed-ports flags)

Improvements

  • seccomp security profile generation capability updates
  • User namespace handling improvements (thanks to @solarnz)

1.31.0 (8/13/2020)

New Features

  • Experimental HTTP probe command generation based on the API descriptions from the Swagger and OpenAPI specs (--http-probe-apispec and --http-probe-apispec-file flags)
  • Image metadata editing capabilities to add, remove and update the LABEL, VOLUME, EXPOSE, ENV and WORKDIR instructions (--new-workdir, --new-expose, --new-label, --new-volume, --remove-volume, --remove-env, --remove-label, --remove-expose and --image-overrides combined with --expose, --workdir, --env, --volume, --label, --env)

Improvements

  • Layer change details available in the xray command reports when the --changes flag is set.
  • System and engine information in the command reports to improve debugging
  • Ability to enable crawling for the HTTP probes specified using the --http-probe-cmd flag
  • Improved HTTP probe crawler documentation

1.30.0 (7/27/2020)

New Features

  • lint command (initial Dockerfile linting capabilities with a basic set of checks)
  • HTTP probe crawler (automatically probes additional endpoints referenced in the processed targets; see the --http-probe-crawl and related flags)

Improvements

  • ARM64 support (need more people to test!)
  • --http-probe-exit-on-failure flag to exit execution when all HTTP probe calls fail
  • --include-bin-file and --include-exe-file flags to make it easier to specify multiple binaries and executables loading them from files
  • xray command report enhancements

1.29.0 (3/18/2020)

New Features

  • Interactive CLI prompt

Improvements

  • xray command output improvements
  • Additional image data saved with the xray command reports (--add-image-manifest and --add-image-config flags)

1.28.1 (3/9/2020)

Improvements

  • New xray parameters to control how much to show when it's printing the layer details (--changes value and --layer value)
  • Image history enhancements and more data saved in the xray command reports

1.28.0 (3/6/2020)

New Features

  • xray command enhancements to show the detailed container image information including its layers and their files and directories (initial version).

Improvements

  • The --exclude-pattern build parameter to filter/exclude the artifacts in the optimized container.

1.27.0 (2/28/2020)

New Features

  • Option to set permissions, user and group information for the artifacts included with the --include-* parameters.
  • Option to overwrite the permissions and ownership info in the optimized image using the new --path-perms and path-perms-file parameters.

Improvements

  • Option to run the containerized application using user and group information from the USER instruction.
  • Filter leftover PID files.
  • UX enhancements for the containers created using Dockerfiles.
  • Additional debugging information.

Bug Fixes

  • Support for special install directories on Linux (to prevent failures when docker-slim is trying to save its state).

1.26.1 (11/28/2019)

Improvements

  • Saving command execution report, by default (slim.report.json).
  • CLI output UX enhancements.
  • Docker connect info checks.

Bug Fixes

  • Version check fixes when running in containers.

1.26 (11/16/2019)

New Features

  • Run docker-slim in containers.
  • New distribution option (dslim/docker-slim image available in Docker Hub).
  • Archive docker-slim state into a separate Docker volume.

Improvements

  • Default to continuing docker-slim execution after the http probing step is done when http probing is enabled.
  • Improved IPC.
  • Improved seccomp and metadata artifact copy option.
  • Improved execution report.

1.25.3 (8/4/2019)

New Features

  • Build minified images from source using the new --from-dockerfile build flag (see README.md for details).

Improvements

  • Custom HTTP POST probes support request bodies

1.25.2 (7/21/2019)

New Features

  • Enhanced build command reports with additional container image metadata (using the global --report flag)
  • Ability to update the minified image Dockerfile instructions (using the --new-cmd, --new-entrypoint, --new-expose, --new-workdir, --new-env and --image-overrides flags)
  • Dockerfile volume support

Improvements

  • HTTP probes by default (you will have to disable HTTP probes if you don't need them)
  • Various UX enhancements to provide better CLI feedback and to avoid generating minified images that might not work

Bug Fixes

  • TTY bug fix caused by an external dependency (used to track update download progress)

1.25.0 (4/23/2019)

New Features

  • Experimental ARM32 support
  • Easy way to keep a shell in your image (just pass --include-shell to the build command)
  • Easy way to include additional executables (--include-exe flag) and binary objects (--include-bin flag), which will also include their binary dependencies, so you don't have to explicitly include them all yourself
  • update command - now you can update docker-slim from docker-slim!
  • Current version checks to know if the installed release is out of date

Improvements

  • Improvements to handle complex --entrypoint and --cmd parameters

Previous Releases

  • Better Mac OS X support - when you install docker-slim to /usr/local/bin or other special/non-shared directories docker-slim will detect it and use the /temp directory to save its artifacts and to mount its sensor
  • HTTP Probing enhancements and new flags to control the probing process
  • Better Nginx support
  • Support for non-default users
  • Improved symlink handling
  • Better failure monitoring and reporting
  • The --include-path-file option to make it easier to load extra files you want to keep in your image
  • CentOS support
  • Enhancements for ruby applications with extensions
  • Save the docker-slim command results in a JSON file using the --report flag
  • Better support for applications with dynamic libraries (e.g., python compiled with --enable-shared)
  • Additional network related Docker parameters
  • Extended version information
  • Alpine image support
  • Ability to override ENV variables analyzing target image
  • Docker 1.12 support
  • User selected location to store DockerSlim state (global --state-path parameter).
  • Auto-generated seccomp profiles for Docker 1.10.
  • Python 3 support
  • Docker connect options
  • HTTP probe commands
  • Include extra directories and files in minified images