All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.
4.22.3 (2025-02-25)
- 🐛 fix matching when resource is matched in another model (c1750f8)
- 💄 prevent matching in ui when model is approved (89f6bb1)
4.22.2 (2025-02-19)
4.22.1 (2025-02-19)
- 🐛 fix validation on resource-matching api routes (905bfc6)
4.22.0 (2025-02-18)
- 💄 make left panel tabs scrollable (2d31748)
- ✨ add resource matching api (9d16059)
- ✨ add resource matching to component and resource tab (9f43ffb)
4.21.3 (2025-01-07)
- 🎨 fix text overflow in description preview and resource tab (0a6ded1)
4.21.2 (2024-12-06)
- upgrade express package (3f08d8d)
4.21.1 (2024-12-05)
- 🐛 fix resource tab error when no resources (5322b4d)
4.21.0 (2024-12-05)
- ✨ add resource handler (7a29f1c)
4.20.3 (2024-11-26)
- set the overloaded pagesize this time as well, also 8 fits on the page, not 9 (89eed65)
4.20.2 (2024-11-26)
- database creation for plugins should happen with the default pg pool (1259c32)
- set team list page size to 9 to ensure it fits within the height of the page (daaff8c)
4.20.1 (2024-11-25)
4.20.0 (2024-11-25)
- set precision of quality check badge to 0 decimals and in the correct place (had a case with .9999999998 because of the %-multiplier) (10e137b)
- update the tutorial to hint towards new dataflow functionality. Also make it a bit more interactive by checking that components have been selected. (7b83e5a)
4.19.0 (2024-11-20)
- 🐛 fix blocked tabs with dataflows (793f423)
- 🐛 select reviewer rules based on affectedType (cc172e8)
- broken resolved fields (d34905a)
- can't import via require, move back to import (which unfortunately still starts the bundled sentry binary) (7fcdd07)
- migrations should now use the same pg client as the rest of the application (5126e4e)
- sentry should not load if sentryDSN is not set (b13228b)
- set default SSL to use rejectUnauthorized to enforce signed tls certs (7d37bfc)
- ✨ add review score to bottom panel (a910d42)
- add more ssl options to config (2d595c7)
- add some new default authentication options (#133) (da5252f)
4.18.0 (2024-11-18)
- ⚡ skip reviewer rules under conditions (c4d448e)
4.17.6 (2024-10-28)
- unused imports in Left Panel (2ab6d45)
4.17.5 (2024-10-28)
- restore tabs on left panel (6ac94b4)
4.17.4 (2024-10-28)
- fix New Model page layout (b0f67fd)
4.17.3 (2024-10-23)
- bump the rest of mui packages to v6 (70ab5c5)
4.17.2 (2024-10-23)
4.17.1 (2024-10-23)
- bump vulnerable packages (061a346)
- remove accidental core package (4626cb8)
- remove core from package-lock as well (bb0be3f)
- remove some unused sentry packages (d4fb5bc)
4.17.0 (2024-10-23)
- 🎨 add bottom panel for validation result (a19ab9c)
- Dataflows now have a label, threats/controls and flows with attributes (0fe31be)
- update svgporn from upstream - 200+ new logos (e720d17)
4.16.0 (2024-09-09)
- 🎉 add basic validator (47522a1)
4.15.2 (2024-08-19)
- 🐛 empty description causes crash (99e8f8d)
4.15.1 (2024-08-16)
- 🐛 fix component tab crash (322bc7e)
4.15.0 (2024-08-14)
- support markdown for description (bd28400)
4.14.1 (2024-07-23)
- dataflows should no longer break when clicked after initially being added (0ac54d3)
4.14.0 (2024-07-18)
- add loading text to reviewers dropdown instead of just displaying null (bb221b9)
- adjust center position of component label slightly (93afd51)
- components inside trust boundaries should now be connectable again with data flows. Trust boundaries should not receive data flow click events (70c4505)
- add AWS (just the general AWS cloud service) to tech stacks (0ed99dc)
4.13.0 (2024-07-04)
- console.error from MUI due to chip using a div (9e80a65)
- add trust boundary as a new component
- add tutorial box for trust boundary (1bf4c23)
4.12.2 (2024-06-25)
- bump ws to fix a security vulnerability. bump and rearrange snyk/jest dependencies. (6f5df6f)
4.12.1 (2024-06-14)
Note: Version bump only for package gram
4.12.0 (2024-06-14)
- pass readonly to MultipleSystemsDropdown via props. Make it disabled if readonly. (e58381c)
- Component now has a System dropdown for selecting multiple systems. (80ad59b), closes #103
- handle cases where the reviewer's name is null (8cdd9c2)
- handle null reviewer name in all cases in the Review page (bbd98ba)
4.11.0 (2024-05-22)
- toggle panel buttons now visible again (72060f6)
- try to fix automatic centering to be more accurate and scale properly (b242383)
- allow/enforce setting CSP frame-ancestors via config (518ad0d)
- Diagrams can now be iframed. Preview when creating model and importing. Diagram should now center and scale automatically to try to fit everything on initial load. New url for quickly accessing the latest threat model for a system: /system//latest (also works with iframes!) (f90fbad)
4.10.0 (2024-04-15)
- deadlock on transaction inserting suggestions in parallel (62e9099)
- faulty user lookup by id (adc9841)
- Importing/Copying a threat model should no longer crash on individual threats/controls failing to copy (d9e8871)
- JiraActionItemExporter should not error if the transition fails - this happens if the object is already in the right status (d4cb4f7)
- small css fix on team name on system page (d164b0a)
- tidy up the Home page and model lists (6a0b8fd)
- add ability for admins to change system-id on threat model. Creator of the threat model is now also displayed as the owner in case the threat model is not connected to a system. (f91bd80)
- add toggle to switch direction of dataflow. Fixes #97 (db5db24)
- show popup after importing a threat model to remind users to review the action items marked in a previous threat model. (327935a)
4.9.4 (2024-03-21)
- component tab should no longer disappear if another tab is selected. Instead it should stick around so long as a component is selected. (2c01c8c)
- reload action items if threat is deleted. Fixes #95 (0273603)
- set longer timeout for oidc requests (ae186b6)
- update jira issues if they already exist with new values (60c5505)
4.9.3 (2024-03-19)
- add tooltip to the add link button (4bc94c1)
4.9.2 (2024-03-06)
- hide dataflow magnets if diagram is in readonly #88 (3e7b91c)
- hide note button if review has not started yet (48ace6a)
4.9.1 (2024-02-01)
- correctly check reporter is set (20d4688)
- hide exporter button if no exporters are configured (a1c5556)
- make JiraActionItemExporter fallback on the token account as reporter if the reviewer cannot be found (e.g. due to offboarding) (be90c6f)
- missing await (01a1d10)
4.9.0 (2024-01-29)
- control/ops api not correctly routing healthchecks and metadata. Also fix healthchecks with faulty logic. Adds new healthcheck for faulty action item exports. (9d01102)
- control/ops api not correctly routing healthchecks and metadata. Also fix healthchecks with faulty logic. Adds new healthcheck for faulty action item exports. (964a27e)
- improve rendering of validation when creating links and fix javascript url check (4ff6cab)
- improve rendering of validation when creating links and fix javascript url check (a4e45a3)
- jira export can happen before reviewer exists on model - quick fix by falling back on token user as reviewer. (c015a4e)
- make severity slider / assessment on threat less bulky by removing the collapsible part (eeaf6cf)
- make severity slider / assessment on threat less bulky by removing the collapsible part (99fac7c)
- zod errors should now return why they failed in the API response. Add some tests for /api/links (9ea9a1d)
- Ability to add custom links to threats/controls (b237532)
- add new ActionItemExporter functionality (dc5f6d5), closes #61
- add proxying to jira plugin (fe87616)
- add the ability to export action items outside of the review flow. Also make the feature to automatically exporter action items on review approve a boolean config option. (9943fff)
- exported action items are also copied on imported models (6f549e8)
- new Jira Action Item exporter (7c127e4)
4.8.1 (2024-01-02)
Note: Version bump only for package gram
4.8.0 (2024-01-02)
- reorganise tutorial steps and add actions (2fe23e5)
4.7.3 (2023-12-06)
- broken ActiveUsers import and snapshot test (b06a360)
- Make Active Users widget visible again (4c9b072), closes #70
4.7.2 (2023-11-20)
- should no longer crash if importing a model with mitigations on deleted threats/controls (7856989)
4.7.1 (2023-11-16)
4.7.0 (2023-11-15)
- suggestions should now clear correctly if the source no longer suggests them (8d6c988)
- ui crash if copying component with no controls/threats (38e80f6)
- add button to toolbar for adding new component (9fcad2e), closes #28
- add quick and dirty screenshot feature 🖼️ (1218589)
4.6.1 (2023-11-14)
- importing models with deleted components should no longer crash (f5a2681)
- stop SeveritySlider from crashing if severity is null. (25f7654)
4.6.0 (2023-11-14)
- Action Item Tab should no longer crash when component no longer exists. (1b94298), closes #66
- mark snyk zod finding as fp (f687faf)
- more nitpicky normalisation to make lists the same width and use more mui components (1dca954)
- move all DataServices to use GramConnectionPool and transaction instead of the pg.Pool (1f07179)
- threat severity, title and description should now update correctly between multiple component instances (549a9cc), closes #65
4.5.1 (2023-11-01)
- hide mitigate label on suggested controls if there are no mitigated threats to display (e23eda1)
4.5.0 (2023-11-01)
- better 404 handling for model and system (should no longer crash the frontend) (5b2b77d)
- compact review widget by combining multiple buttons into a dropdown (f4c6127)
- display text if no new suggestions are available (14be477)
- ensure suggestion status is copied during import to avoid duplicate suggestions (380e616)
- hide mitigation chip for control suggestions if relevant threat suggestion does not exist (e438fec)
- list control suggestions on threats (e3098a5)
- rendering of Threat if no component is selected, e.g. in the Action Items modal (be2ad22)
- show action item toggle for non-reviewer users (b8e443e)
- temporarily hide stride suggestions from the list view to avoid repetitiveness (c051eec)
- threats/controls order being rearranged on imported models. (fa0d30e)
4.4.1 (2023-10-18)
- clean up Team system lists on Home and Team page. (6ac2e32)
- get docker-compose demo working again - improve docs and setup (ea95a5d)
- hide system property box if there are no properties (18dbbdf)
- pagination of static system provider (83d709d)
4.4.0 (2023-10-16)
- change from localhost -> as a potential fix for mac users (c0152fa)
- clientside error when clicking the mitigationchip inside the action items view (548e91b)
- correctly copy threat action item marking and suggestion link when copying a threat model (e9c48a1), closes #29
- hide reviews page from non-reviewer users (9e71ebe)
- add basic modal to view action items as a list (9c3a9d0)
- add StaticTeamProvider to default config with some sample teams (93839d8)
4.3.0 (2023-10-09)
- add azure, cncf, kubernetes plugins (df0b907)
- add azure,cncf and kubernetes plugin to default config (cbba98c)
4.2.1 (2023-10-09)
- make defaultauthz more permissive: Allow reviewers to write and standalone models are write-all (1d2752e)
4.2.0 (2023-10-05)
- cache.has should not return true when an item has expired (174ab4f)
- correctly hide login buttons for identity providers when form is not set (cacc7e7)
- LDAPTeamProvider return empty array if no teams on the user (ce75437)
- oidc should throw more specific error when cookie is not set (3415160)
- version should now be correctly set during runtime (e1e9fe0)
- add optional function for LDAPBasicAuthIdentityProvider to provide different userid in case it differs from dn (b94bb7f)
- allow specifying custom key for OIDCIdentityProvider (38d8c3c)
4.1.0 (2023-09-28)
- add back cache being set (3d09c1f)
- add escaping to teamIds (24e4be4)
- docker-start migrate script no longer exists, migration runs automatically (cc7141c)
- don't perform unbind inside ldap query function (f45689f)
- fix fallback reviewer assignment crashing in case it's not listed as a reviewer by the provider (15f4a7a)
- remove teams attribute from sampleUsers in default config (f49af4d)
- requested_at should be set on review row when created (58a9474)
- single lookup by id can use fallbackreviewer (5ead17e)
- add LDAPGroupBasedReviewerProvider (014140b)
4.0.3 (2023-08-18)
- Component vulnerable/secure indicators should now work in firefox. (8f6d441), closes #5
- hide SystemProperties when viewing a model without system (d638488)
- small ux fix to hint at selecting components in the diagram view (472cb4f)
- very nitpicky adjustment on the height and colours of the panel buttons (1355e09)
4.0.2 (2023-08-16)
Note: Version bump only for package gram
4.0.1 (2023-08-15)
- config not building due to package.json misconfiguration (db83410)
- plugin migrations should now work again (247ae63)
- prevent frontend crash if identity provider doesn't supply form (42f1414)
4.0.0 (2023-08-04)
The way plugins and configuration work received a major rewrite.
- badge for review count no longer shows after logout (9ef88aa)
- EmailForm button also needs to be submit (26820b2)
- hide logged in user's team functionality if no team is attached (408433d)
- prevent default form submission (causes page reload) (00a76d8)
- return more informative error message when login succeeds but user lookup returns empty (e0f36f7)
- should no longer crash the ChangeReviewer widget if reviewer no longer exists (263531f)
- add magiclink auth provider. Some refactor of existing auth to allow for a email form (d1441eb)
- submit email form on enter (d82b757)
3.1.2 (2023-05-09)
- emailjs leaking password on authorization failure (0f83912)