Comply release notes
These are the new features, enhancements, and resolved issues for the Puppet Comply 1.x release series.
Comply 1.0.4
Released May 2021.
New in this release:
- CIS-CAT Pro Assessor v4.6.0. Comply 1.0.4 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
  - CentOS Linux 7 v3.1.0
  - Microsoft Windows Server 2019 Benchmark v1.2.0
  - Microsoft Windows Server 2019 STIG Benchmark v1.0.0
  - Red Hat Enterprise Linux 7 Benchmark v3.1.0
  - Red Hat Enterprise Linux 7 STIG Benchmark v1.0.1
  - SUSE Linux Enterprise Server 12 Benchmark v3.0.0
  - Ubuntu Linux 20.04 LTS Benchmark v1.1.0
- Windows 2016 Datacenter benchmark. Windows 2016 Datacenter is now available as a desired compliance benchmark.
- Updated module dependencies. The comply module now includes the latest dependency releases.
Resolved in this release:
- License check errors. This release fixes an issue where the license check returned an error if you installed Comply at the same time as Continuous Delivery for PE.
Security notice:
- Vulnerability in bluemonday dependency. This release updates the bluemonday package to version 1.0.9.
Comply 1.0.3
Released April 2021.
New in this release:
- CIS-CAT Pro Assessor v4.4.0. Comply 1.0.3 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
  - CentOS Linux 6 v3.0.0
  - Microsoft Windows 10 Enterprise Release 20H2 v1.10.0
  - Oracle Linux 6 v2.0.0
  - Red Hat Enterprise Linux 6 v3.0.0
- Mac OS X benchmark support. Comply now supports Mac OS X 10.14 and 10.15 benchmarks.
- Windows 10 Enterprise benchmark support. Comply now supports Windows 10 Enterprise benchmarks. Note that these benchmarks are also compatible with Windows 10 Pro.
- oauth2-proxy v7.1.1. The oauth2-proxy image, which provides authentication in Comply, has been updated to version 7.1.1.
- Benchmark name displayed in tables. Comply now includes the benchmark name in the Desired compliance set column on the Inventory page.
- Updated navigation icon for Inventory. Comply has a new custom icon for Inventory in the side navigation bar.
Resolved in this release:
- Node results table shows incorrect time. This release fixes an issue in the node results table that showed the last scan as being an hour behind the current time.
Security notice:
- Vulnerability remediation in the handlebars dependency. This release updates handlebars to version 4.7.7, remediating the vulnerability.
- Vulnerability remediation in the ejs dependency. This release updates bull-board to 1.3.0, which includes version 3.1.6 of the ejs dependency, remediating the vulnerability.
- Vulnerability remediation in the OpenSSL dependency. These vulnerabilities are remediated for all images except postgres and oauth2_proxy, and the update resolves the following CVEs:
Comply 1.0.2
Released March 2021.
New in this release:
- CIS assessor upgraded to 4.3.1. Comply now uses a licensed version of the CIS assessor. To upgrade, see Upgrade the CIS assessor.
- Windows Server 2016 STIG benchmark. This new benchmark includes the Level 3 STIG Domain Controller profile.
Resolved in this release:
- Activity feed empty. Previously, the activity feed broke when the job had been purged in Puppet Enterprise (PE). This is now fixed.
- TheQ logs not included. TheQ logs are now included in the support bundle.
- Large reports cannot be ingested. Comply can now ingest XML files up to 32 MB.
- UI sending incorrect parameters. This release fixes an issue where custom profile rules could not be updated.
- Timeout prevents assessor download. This release fixes an issue that prevented the assessor archive from downloading.
- Custom profile ID not passing. Comply now passes the custom profile ID in a scan task.
- License uses incorrect casing. This release fixes incorrect casing of the scarp response in the Comply license.
Security notice:
- Vulnerability in lodash. This release resolves the following vulnerabilities in the lodash library: CVE-2021-23337 and CVE-2020-28500.
- Vulnerability in echo. This release removes the echo dependency.
- Vulnerability in i18next dependency. This release resolves the vulnerability in the i18next dependency.
- Vulnerability found in image. This release resolves CVE-2021-23840.
- Postgres 12.5 vulnerable. The version of Postgres included in Comply has been upgraded to version 12.6, which resolves the following CVEs: CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, and CVE-2020-36230.
Comply 1.0.1
Released February 2021.
New in this release:
- Preflight check for volume use. This preflight check verifies the Ceph storage layer.
- Preflight check to verify hostname is reachable. This preflight check ensures that the Comply application can communicate with the configured hostname.
- Support bundle analyzers. Support bundles now include analyzers for preflight checks and issues with application components. Preflight checks also verify that schedulable CPU and memory capacity are available to perform upgrades.
- Updated log levels. A new configuration option in the KOTS admin allows you to modify Comply's debugging output.
Resolved in this release:
- Preflight false positive. The hostname preflight check no longer returns false positives.
- Report files left in queue. Report files are no longer left in the queue service filesystem.
Security notice:
- Comply UI vulnerabilities. This release fixes UI service vulnerabilities.
- Queue service vulnerabilities. This release fixes queue service vulnerabilities.
- Postgres container base image issues. This release updates the postgres container to fix the following security issues: CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363.
Comply 1.0.0
Released December 2020.
Features in this release:
- CIS scans. Check the compliance of your nodes against CIS Benchmarks. For a list of supported operating systems, see system requirements.
- Desired compliance. Set a default benchmark and profile that you want your scans to be measured against.
- Custom profiles. Customize profiles to specify which rules you want visible in scan reports.
- Compliance status. The Compliance dashboard shows the compliance status of your nodes based on the latest scan results.
- Node breakdown. The Node compliance page shows an individual node's compliance status.
- Rule breakdown. The Rules results page shows the status of a rule on each node that is checked, why the rule is important, and specific operating system steps you can take to fix a rule that is failing scans.