All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.
4.11.0 (2024-05-22)
- toggle panel buttons now visible again (72060f6)
- try to fix automatic centering to be more accurate and scale properly (b242383)
- allow/enforce setting CSP frame-ancestors via config (518ad0d)
- Diagrams can now be iframed. Preview when creating model and importing. Diagram should now center and scale automatically to try to fit everything on initial load. New url for quickly accessing the latest threat model for a system: /system//latest (also works with iframes!) (f90fbad)
4.10.0 (2024-04-15)
- deadlock on transaction inserting suggestions in parallel (62e9099)
- faulty user lookup by id (adc9841)
- Importing/Copying a threat model should no longer crash on indiviual threats/controls failing to copy (d9e8871)
- JiraActionItemExporter should not error if the transition fails - this happens if the object is already in the right status (d4cb4f7)
- small css fix on team name on system page (d164b0a)
- tidy up the Home page and model lists (6a0b8fd)
- add ability for admins to change system-id on threat model. Creator of the threat model is now also displayed as the owner in case the threat model is not connected to a system. (f91bd80)
- add toggle to switch direction of dataflow. Fixes #97 (db5db24)
- show popup after importing a threat model to remind users to review the action items marked in a previous threat model. (327935a)
4.9.4 (2024-03-21)
- component tab should no longer disappear if another tab is selected. instead it should stick around so long as a component is selected. (2c01c8c)
- reload action items if threat is deleted. Fixes #95 (0273603)
- set longer timeout for oidc requests (ae186b6)
- update jira issues if they already exist with new values (60c5505)
4.9.3 (2024-03-19)
- add tooltip to the add link button (4bc94c1)
4.9.2 (2024-03-06)
- hide dataflow magnets if diagram is in readonly #88 (3e7b91c)
- hide note button if review has not started yet (48ace6a)
4.9.1 (2024-02-01)
- correctly check reporter is set (20d4688)
- hide exporter button if no exporters are configured (a1c5556)
- make JiraActionItemExporter fallback on the token account as reporter if the reviewer cannot be found (e.g. due to offboarding) (be90c6f)
- missing await (01a1d10)
4.9.0 (2024-01-29)
- control/ops api not correctly routing healthchecks and metadata. Also fix healthchecks with faulty logic. Adds new healthcheck for faulty action item exports. (9d01102)
- control/ops api not correctly routing healthchecks and metadata. Also fix healthchecks with faulty logic. Adds new healthcheck for faulty action item exports. (964a27e)
- improve rendering of validation when creating links and fix javascript url check (4ff6cab)
- improve rendering of validation when creating links and fix javascript url check (a4e45a3)
- jira export can happen before reviewer exists on model - quick fix by falling back on token user as reviewer. (c015a4e)
- make severity slider / assessment on threat less bulky by removing the collapsible part (eeaf6cf)
- make severity slider / assessment on threat less bulky by removing the collapsible part (99fac7c)
- zod errors should now return why they failed in the API response. Add some tests for /api/links (9ea9a1d)
- Ability to add custom links to threats/controls (b237532)
- add new ActionItemExporter functionality (dc5f6d5), closes #61
- add proxying to jira plugin (fe87616)
- add the ability to export action items outside of the review flow. Also make the feature to automatically exporter action items on review approve a boolean config option. (9943fff)
- exported action items are also copied on imported models (6f549e8)
- new Jira Action Item exporter (7c127e4)
4.8.1 (2024-01-02)
Note: Version bump only for package gram
4.8.0 (2024-01-02)
- reorganise tutorial steps and add actions (2fe23e5)
4.7.3 (2023-12-06)
- broken ActiveUsers import and snapshot test (b06a360)
- Make Active Users widget visible again (4c9b072), closes #70
4.7.2 (2023-11-20)
- should no longer crash if importing a model with mitigations on deleted threats/controls (7856989)
4.7.1 (2023-11-16)
4.7.0 (2023-11-15)
- suggestions should now clear correctly if the source no longer suggests them (8d6c988)
- ui crash if copying component with no controls/threats (38e80f6)
- add button to toolbar for adding new component (9fcad2e), closes #28
- add quick and dirty screenshot feature 🖼️ (1218589)
4.6.1 (2023-11-14)
- importing models with deleted components should no longer crash (f5a2681)
- stop SeveritySlider from crashing if severity is null. (25f7654)
4.6.0 (2023-11-14)
- Action Item Tab should no longer crash when component no longer exists. (1b94298), closes #66
- mark snyk zod finding as fp (f687faf)
- more nitpicky normalisation to make lists the same width and use more mui components (1dca954)
- move all DataServices to use GramConnectionPool and transaction instead of the pg.Pool (1f07179)
- threat severity, title and description should now update correctly between multiple component instances (549a9cc), closes #65
4.5.1 (2023-11-01)
- hide mitigate label on suggested controls if there are no mitigated threats to display (e23eda1)
4.5.0 (2023-11-01)
- better 404 handling for model and system (should no longer crash the frontend) (5b2b77d)
- compact review widget by combining multiple buttons into a dropdown (f4c6127)
- display text if no new suggestions are available (14be477)
- ensure suggestion status is copied during import to avoid duplicate suggestions (380e616)
- hide mitigation chip for control suggestions if relevant threat suggestion does not exist (e438fec)
- list control suggestions on threats (e3098a5)
- rendering of Threat if no component is selected, e.g. in the Action Items modal (be2ad22)
- show action item toggle for non-reviewer users (b8e443e)
- temporarily hide stride suggestions from the list view to avoid repetitveness (c051eec)
- threats/controls order being rearranged on imported models. (fa0d30e)
4.4.1 (2023-10-18)
- clean up Team system lists on Home and Team page. (6ac2e32)
- get docker-compose demo working again - improve docs and setup (ea95a5d)
- hide system property box if there are no properties (18dbbdf)
- pagination of static system provider (83d709d)
4.4.0 (2023-10-16)
- change from localhost -> 127.0.0.1 as a potential fix for mac users (c0152fa)
- clientside error when clicking the mitigationchip inside the action items view (548e91b)
- correctly copy threat action item marking and suggestion link when copying a threat model (e9c48a1), closes #29
- hide reviews page from non-reviewer users (9e71ebe)
- add basic modal to view action items as a list (9c3a9d0)
- add StaticTeamProvider to default config with some sample teams (93839d8)
4.3.0 (2023-10-09)
- add azure, cncf, kubernetes plugins (df0b907)
- add azure,cncf and kubernetes plugin to default config (cbba98c)
4.2.1 (2023-10-09)
- make defaultauthz more permissive: Allow reviewers to write and standalone models are write-all (1d2752e)
4.2.0 (2023-10-05)
- cache.has should not return true when an item has expired (174ab4f)
- correctly hide login buttons for identity providers when form is not set (cacc7e7)
- LDAPTeamProvider return empty array if no teams on the user (ce75437)
- oidc should throw more specific error when cookie is not set (3415160)
- version should now be correctly set during runtime (e1e9fe0)
- add optional function for LDAPBasicAuthIdentityProvider to provide different userid in case it differs from dn (b94bb7f)
- allow specifying custom key for OIDCIdentityProvider (38d8c3c)
4.1.0 (2023-09-28)
- add back cache being set (3d09c1f)
- add escaping to teamIds (24e4be4)
- docker-start migrate script no longer exists, migration runs automatically (cc7141c)
- dont perform unbind inside ldap query function (f45689f)
- fix fallback reviewer assignment crashing in case it's not listed as a reviewer by the provider (15f4a7a)
- remove teams attribute from sampleUsers in default config (f49af4d)
- requested_at should be set on review row when created (58a9474)
- single lookup by id can use fallbackreviewer (5ead17e)
- add LDAPGroupBasedReviewerProvider (014140b)
4.0.3 (2023-08-18)
- Component vulnerable/secure indicators should now work in firefox. (8f6d441), closes #5
- hide SystemProperties when viewing a model without system (d638488)
- small ux fix to hint at selecting components in the diagram view (472cb4f)
- very nitpicky adjustment on the height and colours of the panel buttons (1355e09)
4.0.2 (2023-08-16)
Note: Version bump only for package gram
4.0.1 (2023-08-15)
- config not building due to package.json misconfiguration (db83410)
- plugin migrations should now work again (247ae63)
- prevent frontend crash if identity provider doesn't supply form (42f1414)
4.0.0 (2023-08-04)
The way plugins and configuration received a major rewrite.
- badge for review count no longer shows after logout (9ef88aa)
- EmailForm button also needs to be submit (26820b2)
- hide logged in user's team functionality if no team is attached (408433d)
- prevent default form submission (causes page reload) (00a76d8)
- return more informative error message when login succeeds but user lookup returns empty (e0f36f7)
- should no longer crash the ChangeReviewer widget if reviewer no longer exists (263531f)
- add magiclink auth provider. Some refactor of existing auth to allow for a email form (d1441eb)
- submit email form on enter (d82b757)
3.1.2 (2023-05-09)
- emailjs leaking password on authorization failure (0f83912)
- emailjs leaking password on authorization failure (0f83912)