What's Changed

• NV Protect: add compatibility for pre-5.4 alpine pods during roling upgrade by @jayhuang-suse in #1557
• NV Protect: backward compatible for k8s readiness by @jayhuang-suse in #1562
• NV Protect: add adapter as allowed parent process by @jayhuang-suse in #1564
• NV Protect: add scannerTask as allowed parent process by @jayhuang-suse in #1566
• NV Protect: add sigstore-interface as allowed parent process by @jayhuang-suse in #1568
• NVSHAS-8583, separate network policy mode and profile mode at per group level by @gfsuse in #1513
• feat: golangci-lint as git hook by @holyspectral in #1571
• NVSHAS-9416 fix several issues with jar parsing by @Acmarr in #1556
• NVSHAS-9440: support separate network mode and Process and File mode … by @williamlin-suse in #1576
• NVSHAS-9369 Add debug log category via helm deployment support for co… by @kyledong-suse in #1574
• NVSHAS-8583, add profile related group count by @gfsuse in #1577
• NVSHAS-9447: Controller/Scanner pods crashing - "Unsupported system Exit" by @jayhuang-suse in #1580
• sync from github.com/neuvector/k8s by @williamlin-suse in #1585
• CVE-2024-41110: Upgrade docker package by @jayhuang-suse in #1584
• NVSHAS-9467: custom group defined by the pod label does not propagate its profile data on the children containers. by @jayhuang-suse in #1586
• NVSHAS-9325: NVProtect: Manager/Controller is not blocking not-allowed commands by @jayhuang-suse in #1588
• fix: NVSHAS-9442 create lease object for ArgoCD by @holyspectral in #1570
• NVSHAS-9484: Enable Mode Automation on the separate policy and profile modes by @jayhuang-suse in #1591
• Enhanced NV Protect: block unallowed processes. by @jayhuang-suse in #1593
• feat: enable golangci-lint by @holyspectral in #1594
• Change implicit mockup test data to explicit mockup test data by @williamlin-suse in #1596
• NVSHAS-9525/agent: Resolve existing Go linter issues in the NeuVector repository by @jayhuang-suse in #1603
• fix: NVSHAS-9525 fix linter issue in upgrader by @holyspectral in #1600
• fix: NVSHAS-9430 redundant type from array warnings by @holyspectral in #1561
• NVSHAS-9525: Resolve existing Go linter issues in the NeuVector repository by @williamlin-suse in #1604
• fix: NVSHAS-9525 fix lint issue in kv/cm by @holyspectral in #1605
• fix: NVSHAS-9525 fix lint issue in controller, gofmt category by @jeffhuang4704 in #1606
• NVSHAS-9436 add CompareWithoutEpoch function by @Acmarr in #1598
• NVSHAS-9525: Resolve existing Go linter issues in the NeuVector repository by @williamlin-suse in #1607
• NVSHAS-9525: Resolve existing Go linter issues in the NeuVector repository by @williamlin-suse in #1609
• Disable NV Protect block feature by @jayhuang-suse in #1610
• fix: NVSHAS-9525 resolve golint issue by @jeffhuang4704 in #1608
• NVSHAS-9541, Fix and check potential buffer overflow cases in c code by @gfsuse in #1612
• NVSHAS-9525: Resolve existing Go linter issues by @williamlin-suse in #1615
• NVSHAS-9542: Rewrite ringbuffer package by @jayhuang-suse in #1613
• feat: add CODEOWNERS file by @holyspectral in #1617
• NVSHAS-9525: Resolve existing Go linter issues in the NeuVector repository by @williamlin-suse in #1616
• Update security policy by @macedogm in #1611
• fix: NVSHAS-9525 lint issues by @holyspectral in #1618
• NVSHAS-9560 Use placeholder keys in apis.yaml by @jeffhuang4704 in #1623
• NVSHAS-9525: Resolve existing Go linter issues by @williamlin-suse in #1625
• NVSHAS-9468: Fix CVE-2020-26160 to replace jwt-go with jwt:v5 by @kyledong-suse in #1619
• NVSHAS-9525: Resolve existing Go linter issues in the NeuVector repository by @williamlin-suse in #1626
• NVSHAS-9517: Admission control is not consistent, getting incorrect r… by @williamlin-suse in #1627
• NVSHAS-9574: Remove license-related REST APIs by @williamlin-suse in #1628
• NVSHAS-9532: The image scan is completed but deployment is still not allowed by @williamlin-suse in #1629
• Modified version for java and scala by @xingzhang-suse in #1632
• NVSHAS-9558: JWT token expire reports http.StatusRequestTimeout 408 by @williamlin-suse in #1633
• [NVSHAS-9576] Clear password field for registry data when user use controller mode with Jenkins to scan by @pohanhuangtw in #1634
• ReadCmdLine failure: Fix golint PR error. by @jayhuang-suse in #1621
• NVSHAS-9425: create nfq when container has vxlan by @gfsuse in #1637
• NVSHAS-9571 fix image asset advanced filter issue by @jeffhuang4704 in #1638
• NVSHAS-9589: Managed clusters disconnected - Version mismatch with primary cluster by @williamlin-suse in #1639
• fix: linter: use new-from-rev by @holyspectral in #1642
• NVSHAS-8824: User fails to delete own groups, cannot create namespace-scoped groups by @williamlin-suse in #1640
• NVSHAS-9605: Export group with invalid policy mode & process profile mode values is mistakenly allowed by @williamlin-suse in #1643
• NVSHAS-9608:grpc client failed to rx > 4MB pkt by @jayhuang-suse in #1644
• NVSHAS-9609:Fix clang-tidy(lint) warning on c code in repository. by @gfsuse in #1646
• NVSHAS-9534: Display error in admission controls by @williamlin-suse in #1647
• NVSHAS-9537: Change existing builders base image to BCI - neuvector portion by @kyledong-suse in #1631
• NVSHAS-9600: Fix disable controller debug category by @kyledong-suse in #1650
• NVSHAS-9525: resolve go linter warnings by @jeffhuang4704 in #1648
• fix: NVSHAS-9624 rewrite swagger validation by @holyspectral in #1652
• NVSHAS-9631: Reduce some enforcer errors by @jayhuang-suse in #1653
• NVSHAS-9539: 5.4.1 update Tls_cipher_suites for consul 1.20.1 by @kyledong-suse in #1657
• NVSHAS-9645: pre-existing CRD processing fails by @williamlin-suse in #1660
• NVSHAS-9651: Quay.io needs user name and password for scanning by @williamlin-suse in #1662
• NVSHAS-9592: requeue in-progress workloads on db update by @alopez-suse in #1665

New Contributors

• @macedogm made their first contribution in #1611
• @xingzhang-suse made their first contribution in #1632

Full Changelog: v5.4.0...v5.4.1

What's Changed

• NVSHAS-8423, detect group level bandwidth, active session count and session-rate violation based on configured per group threshold by @gfsuse in #1197
• NVSHAS-8461 - Review and support CIS benchmarks for managed k8s services in the cloud by @pohanhuangtw in #1152
• NVSHAS-7664: Help reduce ISP data charges when performing registry scanning by @jayhuang-suse in #1141
• NVSHAS-6740: Improvement of zero-drift baseline profile by enforcing the learned list in protect mode by @jayhuang-suse in #1206
• NVSHAS-8692: NV Protect: consolidate all scripts in a folder by @pohanhuangtw in #1221
• NVSHAS-8692 - consolidate all scripts (tmpl and rem) in a folder for enforcer by @pohanhuangtw in #1224
• NVSHAS-8692: NV Protect: consolidate all shell scripts into scripts folder by @pohanhuangtw in #1226
• NVSHAS-8676: Review: NV Protect improvement by @jayhuang-suse in #1239
• Add statistic data interface of the scanner cacher by @jayhuang-suse in #1267
• Add the REST handlers on the scanner cache statistics by @jayhuang-suse in #1268
• Add access control for the REST handlers on the scanner cache statistics by @williamlin-suse in #1269
• Scanner cacher: update API json item names by @jayhuang-suse in #1270
• Scan cacher: add its REST data into the apis.yaml by @jayhuang-suse in #1272
• NVSHAS-8423, add new group fields to apis.yaml file by @gfsuse in #1274
• NVSHAS-7518 auto rotate internal cert by @holyspectral in #1280
• move k8s.io packages out of neuvector/k8s repo (with golang 1.22.1) by @williamlin-suse in #1276
• fix: a few issues by @holyspectral in #1286
• NVSHAS-7062: Make agent compile with 1.22.x by @becitsthere in #1290
• NVSHAS-7062: Enable NV build to use 1.22 golang version(update deprec… by @williamlin-suse in #1300
• Remove extra debug line by @becitsthere in #1303
• fix: do not call cancel in all path in newClient() by @holyspectral in #1307
• [NVSHAS-8926] Scanner read not-exist path when stand alone mode by @pohanhuangtw in #1302
• NVSHAS-8486, to support multinetwork container with additional non-veth interface by @gfsuse in #1301
• Sync with main branch by @becitsthere in #1316
• Close rpmdb, port PR 1310 by @becitsthere in #1317
• NVSHAS-7447: Rancher RBAC integration with NeuVector by @williamlin-suse in #1326
• NVSHAS-7822: federation automation without having to script API calls by @williamlin-suse in #1338
• NVSHAS-8699: unable to distinguish the user if rancher ad user is the… by @williamlin-suse in #1339
• NVSHAS-8799 Create a Compliance Framework for importing Compliance Templates by @pohanhuangtw in #1289
• NVSHAS-8773: EKS add-on support: Accommodate initial password not sup… by @williamlin-suse in #1350
• NVSHAS-9062: Displaying Rancher SSO users on NV UI that have the same user name (Conversion on controller) by @williamlin-suse in #1357
• NVSHAS-9037 remove 3DES cipher suites by @holyspectral in #1367
• NVSHAS-9071: some modules are not reported in the container scan only by @jayhuang-suse in #1368
• NVSHAS-9075: Include Rancher k8s platform user's mapped permissions in GET(/v… by @williamlin-suse in #1370
• Merge dev-5.4 into main by @becitsthere in #1376
• Fix Makefile disable vcs by @becitsthere in #1382
• NVSHAS-8242: grpc call to test if controller handles critical severity by @becitsthere in #1381
• NVSHAS-6740: Improvement of zero-drift baseline profile by @jayhuang-suse in #1384
• NVSHAS-8908, parse X-Forwarded-Port correctly considering comma separator by @gfsuse in #1383
• NVSHAS-9024 AdmissionControl Risky Role Perf by @jeffhuang4704 in #1385
• NVSHAS-9091: convert rpmdb to neuvector repo by @becitsthere in #1386
• NVSHAS-8997, largely reduce per node policy slot number to improve performance by @gfsuse in #1387
• NVSHAS-9059: CRD groups visible in NV even after deletion from K8s by @williamlin-suse in #1390
• NVSHAS-8325, enforce container namespace boundary for network rule by @gfsuse in #1380
• NVSHAS-8723: Archive cloud billing data by @williamlin-suse in #1391
• NVSHAS-8325, change namespace label to NeuvectorNamespaceBoundary by @gfsuse in #1392
• NVSHAS-9107: goroutine crash at rest.handlerConfigLocalCluster({0x41f… by @williamlin-suse in #1394
• NVSHAS-8676: Patch benchmark executions. by @jayhuang-suse in #1393
• fix: NVSHAS-9108 port 18500 shouldn't be open by @holyspectral in #1399
• NVSHAS-9119: goroutine crash at probe.(*FileNotificationCtr).AddContainer() by @jayhuang-suse in #1400
• NVSHAS-9086 Reduce controller process memory usage by eliminating vul… by @jeffhuang4704 in #1396
• NVSHAS-9105: Revert fsnotify to 1.4.9 by @becitsthere in #1403
• NVSHAS-9110,9106,9104,9100, improve granularity by monitoring past 5, 60 and 300sec's metrics by @gfsuse in #1402
• NVSHAS-9125: CRD entry with invalid setting should not allow to create by @williamlin-suse in #1407
• NVSHAS-9076, resolve concurrent map iteration and map write on lprWrapperMap by @gfsuse in #1406
• NVSHAS-9129: unexpected NV.Protect incidents is found on grep command by @jayhuang-suse in #1410
• [NVSHAS-9042] Add cloudPlatform as new variable to avoid Racher is not detected on EKS. by @pohanhuangtw in #1411
• NVSHAS-9147: goroutine crash at main.(*Bench).BenchLoop() by @jayhuang-suse in #1418
• NVSHAS-9146,9136, sampling past 60sec to monitor metric by @gfsuse in #1421
• NVSHAS-9124: docker: many unexpected healthcheck processes incidents are reported by @jayhuang-suse in #1415
• [NVSHAS-9111] NV should check --event-qps > 0. by @pohanhuangtw in #1413
• NVSHAS-9109: no need to show the user in get /v1/server/platform/us… by @williamlin-suse in #1409
• NVSHAS-9082 Upgrade dependencies by @holyspectral in #1405
• NVSHAS-9130: unexpected Container.Package.Updated incidents are found after a specific container is started by @jayhuang-suse in #1408
• NVSHAS-9091: patch container scan by @jayhuang-suse in #1401
• NVSHAS-9080: fed reader user is uanble to access some REST APIs by @williamlin-suse in #1422
• NVSHAS-9156: the rbac error message is changed by @williamlin-suse in #1425
• NVSHAS-9161: unexpected Container.FileAccess.Violation incidents are found after a specific container is started by @jayhuang-suse in #1426
• correcting the registry_typ example as per https://github.com/neuvect… by @rajeshkio in #1424
• NVSHAS-9173: Show the "ps" result of the "consul" in the /v1/controller/.../counter by @jayhuang-suse in #1432
• NVSHAS-9092-namespaced user should not see global assets by @jeffhuang4704 in #1431
• Allow monitoring DDOS metric when Network Policy Enforcement is disabled by @gfsuse in #1429
• NVSHAS-8873: suspected false positive alerts on /etc/hosts modified by @jayhuang-suse in #1428
• NVSHAS-9116: the worker cluster is able to leave if the connection is… by @williamlin-suse in https://github.com/neuvector/neuvector/p...