cqrenet/aoc
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 29 Wiki Activity

29 Releases 37 Tags

RSS Feed
  • v1.7.14 fe95dfcfce
    Compare

    AOC v1.7.14 — Threat Model Remediation
    All checks were successful
    Release / build-and-push (push) Successful in 21s
    Details
    CI / lint-and-test (push) Successful in 25s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 14:58:15 +00:00 | 0 commits to main since this release

    AOC v1.7.14 — Threat Model Remediation

    This release addresses all high-severity findings from the internal threat model review (see THREAT_MODEL_v1.7.13.md).

    New Security Features

    LLM Domain Allowlist

    • New config: LLM_ALLOWED_DOMAINS (e.g. api.openai.com,*.openai.azure.com)
    • Prevents audit data exfiltration via compromised LLM endpoints

    SIEM Webhook SSRF Guard

    • New config: SIEM_ALLOWED_DOMAINS
    • SIEM_WEBHOOK_URL is validated with HTTPS-only, private IP blocking, and domain restrictions

    Subresource Integrity (SRI)

    • CDN scripts (Alpine.js, MSAL.js) now include integrity hashes
    • Browser refuses to execute scripts if CDN content is tampered with

    Auth Misconfiguration Warning

    • Logs a WARNING at startup if AUTH_ENABLED=true but no roles/groups are configured

    Azure Key Vault Integration (Optional)

    • New config: AZURE_KEY_VAULT_NAME
    • Loads CLIENT_SECRET, LLM_API_KEY, MONGO_URI, WEBHOOK_CLIENT_SECRET from Key Vault at startup
    • Eliminates long-lived secrets from .env files

    Previous v1.7.12 Security Fixes (Included)

    • CORS credentials leak fixed — wildcard origins no longer get allow_credentials=true when auth is enabled
    • Security headers added: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
    • Rate limiter fails closed on Redis outage (returns 429)
    • OpenAPI docs disabled by default (DOCS_ENABLED=false)
    • Config auth hides tenant/client IDs when auth is disabled
    • Webhook validationToken validated before echo
    • Metrics endpoint gated behind IP allowlist

    Upgrade Notes

    1. Pull the new tag: git fetch origin && git checkout v1.7.14
    2. Review .env.example for new settings
    3. If using AI features, set LLM_ALLOWED_DOMAINS to your LLM provider
    4. If using SIEM forwarding, set SIEM_ALLOWED_DOMAINS
    5. Consider Azure Key Vault for secrets storage

    Docker image: git.cqre.net/cqrenet/aoc-backend:v1.7.14

    Downloads
  • v1.7.11 c086fa4260
    Compare

    AOC v1.7.11
    All checks were successful
    CI / lint-and-test (push) Successful in 1m26s
    Details
    Release / build-and-push (push) Successful in 3m1s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 08:39:33 +00:00 | 4 commits to main since this release

    Hotfix: CSP unsafe-eval for Alpine.js

    Fixed

    • Added 'unsafe-eval' to script-src in the Content-Security-Policy header.
    • Alpine.js v3 uses new Function() internally to evaluate expressions, which requires unsafe-eval under CSP.
    • Without this, the UI fails to initialise and auth buttons do not render.
    export AOC_VERSION=v1.7.11
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d
    Downloads
  • v1.7.10 be700fefc3
    Compare

    AOC v1.7.10
    All checks were successful
    CI / lint-and-test (push) Successful in 1m29s
    Details
    Release / build-and-push (push) Successful in 2m53s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 08:32:35 +00:00 | 5 commits to main since this release

    Hotfix: CSP font-src directive

    Fixed

    • Added font-src 'self' data: to the Content-Security-Policy header to allow embedded base64 fonts loaded by the UI.
    • Without this, browsers refuse to load data:font/ttf resources, which can break icon fonts or custom typefaces.
    export AOC_VERSION=v1.7.10
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d
    Downloads
  • v1.7.9 e2cea50d87
    Compare

    AOC v1.7.9
    All checks were successful
    CI / lint-and-test (push) Successful in 2m30s
    Details
    Release / build-and-push (push) Successful in 4m46s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 08:09:52 +00:00 | 6 commits to main since this release

    Hotfix: auth diagnostics and rate-limit exemptions

    Fixed

    • Rate-limit exemptions/api/config/auth, /api/config/features, /health, and /metrics are now exempt from rate limiting so config fetching cannot be blocked.
    • Generic exception handlerHTTPException responses now return proper JSON instead of re-raising, preventing potential response corruption.

    Diagnostics added

    • Frontend auth button now shows Auth: OFF or Auth: misconfigured instead of an empty circle when auth is disabled or misconfigured.
    • Browser console logginginitAuth() now logs clear console.error / console.warn messages when the auth config fetch fails or auth is disabled.
    • Backend startup log — prints auth_enabled=True/False and version on boot so you can verify configuration from container logs.
    • Backend debug logging/api/config/auth endpoint logs each request.

    Who should upgrade

    Anyone who deployed v1.7.7 or v1.7.8 and experiences missing login/logout buttons or auth failures.

    Troubleshooting auth

    After upgrading, open browser Developer Tools → Console and look for:

    • AOC auth is disabled. Set AUTH_ENABLED=true in .env to enable login. → Your .env has AUTH_ENABLED=false
    • AOC auth misconfigured: missing client_id or tenant_idAUTH_CLIENT_ID or AUTH_TENANT_ID is missing
    • Auth config fetch failed: 500 → Backend error; check docker compose logs backend
    export AOC_VERSION=v1.7.9
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d
    Downloads
  • v1.7.8 7fe53f882a
    Compare

    AOC v1.7.8
    All checks were successful
    CI / lint-and-test (push) Successful in 51s
    Details
    Release / build-and-push (push) Successful in 2m4s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 07:41:36 +00:00 | 7 commits to main since this release

    Hotfix: login/logout restored

    Fixed

    • CORS wildcard no longer stripped automatically — v1.7.7 removed * from CORS_ORIGINS when AUTH_ENABLED=true, which broke deployments using the default wildcard. v1.7.8 restores the wildcard and only logs a warning.
    • CSP headers now allow MSAL auth flows — Added login.microsoftonline.com to connect-src, frame-src, and form-action so Microsoft Entra authentication works correctly.

    Who should upgrade

    Anyone who deployed v1.7.7 and experiences missing login/logout buttons or auth failures.

    export AOC_VERSION=v1.7.8
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d
    Downloads
  • v1.7.7 d01e7801ed
    Compare

    AOC v1.7.7
    All checks were successful
    CI / lint-and-test (push) Successful in 51s
    Details
    Release / build-and-push (push) Successful in 1m57s
    Details
    Stable

    tomas.kracmar released this 2026-04-27 07:16:57 +00:00 | 8 commits to main since this release

    Security Hardening

    This release is a focused security patch addressing findings from an internal audit. All users running AOC in production are encouraged to upgrade.

    Webhook authentication

    • ClientState validation — Notifications now require a matching WEBHOOK_CLIENT_SECRET.
    • Rejects spoofed notification payloads with 401 Unauthorized.

    Rate limiting

    • Redis-backed fixed-window rate limiting is now enabled by default.
    • Per-category limits: fetch 10/hr, ask 30/min, write 20/min, default 120/min.
    • Returns 429 Too Many Requests with Retry-After header.

    SSRF protection for LLM calls

    • LLM_BASE_URL is now validated before every outbound request.
    • Blocks non-HTTPS URLs, localhost, link-local addresses, and private IP ranges.

    CORS enforcement

    • Wildcard (*) origins are automatically stripped when AUTH_ENABLED=true.

    Content Security Policy

    • API and HTML responses now include a Content-Security-Policy header.

    Audit trail integrity

    • The audit middleware no longer parses JWT tokens without signature verification.
    • Verified claims are now propagated safely via contextvars.

    Standalone MCP server

    • Prints a prominent security warning on startup.

    Operational Improvements

    • Bulk tag capPOST /api/events/bulk-tags limited to 10,000 events.
    • Generic error responses — Internal exception details no longer leaked to clients.
    • Alert rule schema — Strict AlertCondition Pydantic model replaces unconstrained list[dict].
    • Docker Compose — MongoDB and Redis ports removed from host exposure.

    Upgrade notes

    No breaking changes. Existing event data, tags, comments, and saved searches are preserved.

    export AOC_VERSION=v1.7.7
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d
    Downloads
  • v1.7.6 7cd7709b4a
    Compare

    v1.7.6
    All checks were successful
    CI / lint-and-test (push) Successful in 1m7s
    Details
    Release / build-and-push (push) Successful in 2m25s
    Details
    Stable

    tomas.kracmar released this 2026-04-22 13:20:19 +00:00 | 9 commits to main since this release

    Bug Fixes

    • Startup crash with duplicate alert rules: Fixed DuplicateKeyError on startup when existing alert_rules collection contained duplicate names. The deduplication step now runs before the unique index on name is created in setup_indexes().
    Downloads
  • v1.7.5 9cd50d1257
    Compare

    v1.7.5
    All checks were successful
    CI / lint-and-test (push) Successful in 30s
    Details
    Release / build-and-push (push) Successful in 1m29s
    Details
    Stable

    tomas.kracmar released this 2026-04-22 13:13:55 +00:00 | 10 commits to main since this release

    v1.7.5 — Fix duplicate rules (dedupe + unique index)

    Fixes

    • Unique index on alert_rules.name — prevents duplicate rules at the database level
    • One-time deduplication on startup — seed_default_rules() now removes existing duplicates by name before upserting, keeping the oldest document
    • After upgrading to v1.7.5 and restarting, duplicate rules will be automatically cleaned up

    Full changelog since v1.7.4

    • fix: dedupe existing rules + unique index to prevent duplicates
    • chore: bump version to 1.7.5
    Downloads
  • v1.7.4 5f7a98f21c
    Compare

    v1.7.4
    All checks were successful
    CI / lint-and-test (push) Successful in 28s
    Details
    Release / build-and-push (push) Successful in 1m30s
    Details
    Stable

    tomas.kracmar released this 2026-04-22 12:57:06 +00:00 | 12 commits to main since this release

    v1.7.4 — Fix duplicate rules

    Fixes

    • Prevent duplicate default rules on multi-worker startup. Previously, multiple gunicorn workers could race and each insert the 10 default rules, resulting in 20+ duplicates.
    • Now uses replace_one(name, ..., upsert=True) so each rule is uniquely keyed by name and safely upserted even with concurrent workers.

    Full changelog since v1.7.3

    • fix: prevent duplicate default rules on multi-worker startup
    • chore: bump version to 1.7.4
    Downloads
  • v1.7.3 f812fda150
    Compare

    v1.7.3
    All checks were successful
    CI / lint-and-test (push) Successful in 44s
    Details
    Release / build-and-push (push) Successful in 1m40s
    Details
    Stable

    tomas.kracmar released this 2026-04-22 12:48:17 +00:00 | 14 commits to main since this release

    v1.7.3 — Collapsible panels

    What's new

    • All panels are now collapsible — click any panel header to expand/collapse:
      • Source Health
      • Alerts
      • Alert Rules
      • Filters
      • Ask a question
      • Events
    • Chevron indicator rotates to show open/closed state
    • State persists to localStorage — your panel layout is remembered across sessions

    Full changelog since v1.7.2

    • feat: all panels are now collapsible
    • chore: bump version to 1.7.3
    Downloads