Releases: SocketDev/socket-registry-firewall

v1.1.230

24 Apr 11:06
Immutable release. Only release title and notes can be modified.
f839902

Socket Firewall v1.1.230 — Release Notes

New Features

  • Universal cooldown protection for unscanned packages — Cooldown (recently-published package detection) now applies to all ecosystems, including during metadata filtering. Previously, unscanned packages could only be checked against allow_unknown/fail_open_unscanned settings. Now, when cooldown is enabled, the firewall queries the cooldown API first to determine if an unscanned package was recently published, blocking it if within the cooldown window regardless of ecosystem.

  • Automatic cooldown route generation for unsupported ecosystems — When cooldown is enabled, auto-discovery now generates cooldown-checked routes for all repository types (e.g., Docker, Helm) without requiring explicit external_registry_cooldown.registries entries. The cooldown API handles registry lookup automatically.

  • Registry name sent with cooldown API requests — Cooldown API calls now include the upstream registry name, enabling more accurate deployment-level lookups for organizations with multiple registries per ecosystem.

  • Remote deployment config: API registry merging — Registries defined in the remote deployment configuration are now automatically merged with local cooldown registry settings. Local entries take precedence when names overlap.

Bug Fixes

  • NuGet: Fixed package name extraction for Artifactory — Resolved an issue where NuGet package names were not correctly parsed from Artifactory registration URLs, which could cause metadata filtering to skip packages.

  • Remote config: Fixed JSON string parsing — The deployment value field from the Socket API is now correctly handled whether it arrives as a JSON object or a JSON-encoded string.

  • Fixed cooldown registry timer context crash — Resolved an error that could occur when the cooldown system tried to access per-route authentication tokens during background prefetch operations.

Improvements

  • Reduced log noise — PURL error messages (package not yet scanned) downgraded from WARN to DEBUG level, reducing log volume in environments with many unscanned packages.
  • Improved decision log detail — Security decision events now include upstream host information for better traceability across proxy topologies.
  • User-Agent header added to batch API calls — Batch PURL check requests now identify themselves with the firewall version for better API-side diagnostics.

v1.1.226

23 Apr 03:34
f839902

Features:

  • Google Artifact Registry (GAR) support for PyPI: handles GAR's non-standard flat download paths
  • New 'private_registry.type: google-artifact-registry' config option with automatic upstream_type inference
  • Combined SSL CA bundle: merges system root CAs + custom CA + Redis CA into a single trust store for all outbound SSL connections
  • New ssl.ca_cert config option for specifying a custom CA certificate trusted across all connections
  • Block messages now include the specific reason (e.g. 'Known Malware', 'Critical CVE') across all ecosystems

Fixes:

  • Fixed release tarball packaging to include all Lua sub-modules
  • Fixed Maven version encoding for artifacts with build metadata ('+' in version strings)
  • PyPI parser now recognizes direct download patterns in addition to standard /packages/ paths
  • Reduced noisy log output at default info log level
  • Default 404 handler now serves custom HTML error page

v1.1.218

21 Apr 06:33
f839902

Full Changelog: v1.1.212...v1.1.218

Bug Fixes

Path Route Prefix Matching Against Package Names

Path-based routes (e.g., /npm, /pypi) could incorrectly match package names that started with the same characters as the route prefix (e.g., npmlog, npm-run-path). This caused tarball download URLs in metadata responses to be rewritten without the route prefix, resulting in 404 errors during package installation. Route matching now correctly enforces path segment boundaries across all supported ecosystems.
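The following is an added example (Python, not the firewall's own Lua code) that reproduces the route-matching defect described above and the segment-boundary fix. The route list and the tarball path shapes are constructed; the real firewall's URL-rewriting rules are not on this page, so `ensure_route_prefix` is an assumed simplification of "add the route prefix unless the path already carries it".

```python
"""Route prefix matching with path-segment boundaries.

Added example, not SocketDev/socket-registry-firewall code. Shows why a
plain string-prefix test lets a "/npm" route match package names such as
"npmlog", and how enforcing a path-segment boundary prevents it.
"""

# Constructed sample path-based routes (not the project's config)
ROUTES = ["/npm", "/pypi", "/cargo"]


def naive_match(route: str, path: str) -> bool:
    """The pre-fix behaviour: a bare string prefix test."""
    return path.startswith(route)


def segment_match(route: str, path: str) -> bool:
    """Match only when the route prefix ends exactly at a path-segment
    boundary, i.e. the next character is "/" or the end of the path."""
    route = route.rstrip("/")
    if not path.startswith(route):
        return False
    return len(path) == len(route) or path[len(route)] == "/"


def resolve_route(path: str, routes=ROUTES, matcher=segment_match):
    """Return the longest configured route that matches the request path,
    or None if no route applies."""
    hits = [r for r in routes if matcher(r, path)]
    return max(hits, key=len) if hits else None


def ensure_route_prefix(tarball_path: str, route: str, matcher=segment_match) -> str:
    """Assumed simplification of the metadata rewrite step: prepend the route
    prefix unless the tarball path already starts with that route segment.

    With naive_match, "/npmlog/-/npmlog-1.0.0.tgz" is taken to already live
    under "/npm" and is returned unchanged, which is the 404 described above.
    """
    if matcher(route, tarball_path):
        return tarball_path
    return route.rstrip("/") + tarball_path
```

A quick way to audit other prefix checks for the same class of bug is to feed them a path that shares a prefix with a route but continues with a non-slash character (`/npmlog/...`, `/pypi-extra/...`) and confirm that no route is selected.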

HTTP Response Framing (ALB Compatibility)

When deployed behind an AWS Application Load Balancer (ALB), clients could experience partial response bodies followed by connection hangs, particularly on metadata requests. Two HTTP response framing issues were identified and fixed:

  1. Content-Length mismatch — Metadata responses that undergo URL rewriting included a trailing byte beyond the declared Content-Length. AWS ALBs enforce strict byte accounting on keep-alive connections, and the extra byte corrupted HTTP framing for subsequent multiplexed requests. GCP and NGINX load balancers tolerated this.

  2. Delayed response finalization — HTTP responses were not explicitly finalized before internal connection cleanup. On chunked transfer-encoded responses, this delayed the chunked encoding terminator, causing the ALB to wait indefinitely for the end-of-response signal.

Response bodies now match the declared Content-Length exactly, and all responses are explicitly finalized immediately after the body is written. No configuration changes required. No impact on existing GCP, NGINX, or direct-connection deployments.
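As an added illustration (Python, not the firewall's code) of the two framing problems above: the body is rewritten, a declared Content-Length is computed, and a checker applies the strict byte accounting an AWS ALB enforces. The metadata body, host names and route prefix are constructed; the trailing newline in `buggy_build_response` is an assumed stand-in for the "trailing byte" the notes mention, and `frame_chunked` shows the zero-length terminator a chunked response must end with.

```python
"""Response framing after metadata URL rewriting.

Added example, not SocketDev/socket-registry-firewall code. Demonstrates a
Content-Length mismatch caused by a stray byte appended after the length was
computed, the corrected construction, and chunked-encoding finalization.
"""
import json

# Constructed upstream npm-style metadata body
UPSTREAM_BODY = json.dumps({
    "name": "example-pkg",
    "versions": {
        "1.0.0": {"dist": {"tarball": "https://upstream.example/example-pkg/-/example-pkg-1.0.0.tgz"}}
    },
}).encode()


def rewrite_body(body: bytes, upstream: str, proxy: str) -> bytes:
    """Point tarball URLs at the proxy host plus route prefix (assumed rule)."""
    return body.replace(upstream.encode(), proxy.encode())


def buggy_build_response(body: bytes):
    """Reproduces the pre-fix defect: Content-Length is computed from the
    rewritten body, then one extra byte is appended before sending."""
    headers = {"Content-Type": "application/json", "Content-Length": str(len(body))}
    return headers, body + b"\n"


def build_response(body: bytes):
    """Fixed: the declared length is taken from the exact bytes written."""
    headers = {"Content-Type": "application/json", "Content-Length": str(len(body))}
    return headers, body


def framing_ok(headers: dict, body: bytes) -> bool:
    """Strict byte accounting: the body must be exactly Content-Length bytes.
    A mismatch shifts the boundary of the next keep-alive response."""
    return int(headers["Content-Length"]) == len(body)


def frame_chunked(body: bytes, chunk_size: int = 1024) -> bytes:
    """Chunked transfer encoding, always ending with the zero-length chunk.
    Without that terminator a load balancer waits for more data."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        chunk = body[i:i + chunk_size]
        out += f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def chunked_terminated(stream: bytes) -> bool:
    """True if the chunked stream has been finalized."""
    return stream.endswith(b"0\r\n\r\n")
```

The lesson for any proxy that mutates bodies is the same: compute (or recompute) Content-Length from the final byte string, and when streaming chunked, write the terminator as soon as the body is complete rather than at connection teardown.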

New Features

prefetch_enabled Setting for Metadata Prefetch Control

Added metadata_filtering.prefetch_enabled (default: true). Setting it to false completely disables background conda metadata prefetch: the firewall then skips both the initial startup prefetch and all recurring refresh timers.

v1.1.212

14 Apr 05:54
4d32c09

v1.1.212 Release Notes

Features:

  • Added cooldown policy support for unsupported/external registries
  • Added auto-discovery configuration for Nexus and Artifactory external registries
  • Added metadata filtering with configurable max body size and URL rewriting
  • Improved Cargo ecosystem support including index and crate blocking
  • Added Conda ecosystem proxy and filtering support

Fixes:

  • Fixed PyPI URL duplication in proxied requests
  • Fixed RubyGems package scanning with MD5 etag handling
  • Fixed Cargo configuration and package blocking
  • Fixed Maven and PyPI metadata cache filtering
  • Fixed credential handling for private registry prefetch
  • Fixed cache poisoning from HEAD requests
  • Fixed organization slug resolution from configuration
  • Fixed orphaned daemon processes preventing container shutdown
  • Fixed event type normalization across plugins

Improvements:

  • Improved binary download performance with chunked transfers and increased concurrency
  • Improved Redis connection limits for production workloads
  • Modularized Lua codebase into smaller, maintainable sub-modules
  • Release workflow now uses signed commits

v1.1.177

08 Apr 15:57

Full Changelog: v1.1.104...v1.1.177

v1.1.176

08 Apr 08:12

v1.1.176 Release Notes

New Features:

  • External Registry Cooldown Protection: Block recently-published packages from unsupported registries via publish-date checks
  • Full Decision Logging for Unsupported Registry Routes: Unified SOCKET_DECISION logs, Splunk HEC, and webhook events for cooldown-checked routes
  • Client IP Detection: Correctly identify real client IPs behind load balancers, CDNs, or reverse proxies (X-Forwarded-For, X-Real-IP, CF-Connecting-IP)
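The client IP detection item above is the kind of logic that is easy to get wrong in a way that lets a client choose the address that ends up in decision logs. The following is an added example (Python, not the firewall's code) of a safe resolution order: forwarded headers are honoured only when the TCP peer is a trusted proxy, and X-Forwarded-For is walked from the right so that a client-supplied leftmost entry is ignored. The trusted networks and header precedence are assumptions, not the project's configuration.

```python
"""Real client IP behind load balancers, CDNs and reverse proxies.

Added example, not SocketDev/socket-registry-firewall code. Resolves the
client address from X-Forwarded-For, X-Real-IP or CF-Connecting-IP while
trusting those headers only when the direct peer is a known proxy.
"""
import ipaddress

# Constructed list of proxy networks whose forwarded headers are trusted
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address to log as the client.

    remote_addr is the TCP peer: the last proxy hop, or the client itself on
    a direct connection. Headers from an untrusted peer are ignored outright.
    """
    if not _is_trusted(remote_addr):
        return remote_addr

    hdrs = {k.lower(): v for k, v in headers.items()}

    # Single-value headers set by the proxy/CDN in front of us (assumed order)
    for name in ("cf-connecting-ip", "x-real-ip"):
        value = hdrs.get(name, "")
        if _parse(value) is not None:
            return value.strip()

    # X-Forwarded-For: "client, proxy1, proxy2". Walk right to left, dropping
    # trusted proxies; the first untrusted hop is the client. Anything further
    # left was supplied by the client and is not trusted.
    xff = hdrs.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop if _parse(hop) is not None else remote_addr

    return remote_addr
```

This only holds if every trusted proxy overwrites (rather than forwards) X-Real-IP and CF-Connecting-IP; if a hop passes client-supplied values through, restrict the lookup to X-Forwarded-For and the right-to-left walk.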

New Options:

  • Auto-Discovery: supported_ecosystems_only (default: true) — only generate API-checked routes for Socket-supported ecosystems
  • Configurable Logging for Unmatched Routes: socket.log_no_route (default: true)
  • Connection Pooling Tuning: nginx.keepalive_pool_size (default: 64)

Fixes:

  • Consistent Event Action Values: Normalized to canonical enum values (error, warn, monitor, ignore) across all outputs
  • Metadata Filtering Events: Decisions now correctly sent to Socket dashboard, Splunk, and webhooks
  • Artifactory Cargo Route Fix: Support /v1/crates/ paths (Artifactory) in addition to /api/v1/crates/ (crates.io)
  • Improved Container Shutdown: Background daemons properly terminated, no orphaned processes

Improvements:

  • Binary Download Performance: Chunked streaming with increased concurrency, fixes Cargo and Conda download issues
  • Local Cache Stale-While-Revalidate: In-memory cache now mirrors Redis stale-while-revalidate behavior
  • Cooldown Caching Without Redis: Local in-memory fallback makes cooldown viable in single-instance deployments

v1.1.151

27 Mar 01:02

Add fail_open_unscanned setting for independent control of unscanned packages

New Features:

  • New fail_open_unscanned setting (default: true) controls behavior when Socket API returns purlError (package not found or not yet scanned). This is separate from fail_open which handles API connectivity errors.
  • New expose_unscanned_header setting (default: false) adds X-Socket-Unscanned response header for unscanned packages.
  • purlError detection in both single and batch Socket API responses.
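To make the interaction between these settings concrete, here is an added example (Python, not the firewall's Lua implementation) of the decision path for a package that comes back as purlError. It models both the fail_open_unscanned and expose_unscanned_header options described in this release and the v1.1.230 behaviour of consulting the cooldown window first for unscanned packages in any ecosystem, passing the registry name along. The publish-date lookup is a stub over a constructed table rather than the real cooldown API, and the window length and the Settings/Decision field names are assumptions.

```python
"""Decision path for a package Socket has not scanned yet (purlError).

Added example, not SocketDev/socket-registry-firewall code. Order modelled:
1. if cooldown is enabled, block when the package was published inside the
   cooldown window (any ecosystem);
2. otherwise apply fail_open_unscanned, optionally adding X-Socket-Unscanned.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the cooldown API's publish-date lookup
PUBLISHED_AT = {
    ("npm", "fresh-pkg", "1.0.0"): datetime(2026, 4, 24, 9, 0, tzinfo=timezone.utc),
    ("docker", "fresh-image", "2.1"): datetime(2026, 4, 23, 12, 0, tzinfo=timezone.utc),
    ("npm", "old-pkg", "3.2.1"): datetime(2025, 1, 1, tzinfo=timezone.utc),
}


@dataclass
class Settings:
    cooldown_enabled: bool = True
    cooldown_hours: int = 48            # assumed window length
    fail_open_unscanned: bool = True    # default per the release notes
    expose_unscanned_header: bool = False


@dataclass
class Decision:
    action: str                         # "allow" or "block"
    reason: str
    headers: dict = field(default_factory=dict)


def lookup_published(ecosystem: str, name: str, version: str, registry: str = None):
    """Stub for the cooldown API. The registry name is what v1.1.230 sends
    along for deployment-level lookups; the stub does not need it."""
    return PUBLISHED_AT.get((ecosystem, name, version))


def decide_unscanned(ecosystem, name, version, settings: Settings, now: datetime,
                     registry: str = None) -> Decision:
    """Decide on a purlError result: cooldown first, then fail_open_unscanned."""
    if settings.cooldown_enabled:
        published = lookup_published(ecosystem, name, version, registry)
        if published is not None:
            age = now - published
            if age < timedelta(hours=settings.cooldown_hours):
                return Decision("block", f"cooldown: published {age} ago, "
                                         f"window {settings.cooldown_hours}h")

    if not settings.fail_open_unscanned:
        return Decision("block", "unscanned package and fail_open_unscanned=false")

    headers = {"X-Socket-Unscanned": "true"} if settings.expose_unscanned_header else {}
    return Decision("allow", "unscanned package, fail_open_unscanned=true", headers)
```

Note that with the defaults an unscanned package that is older than the window, or that the cooldown API has no publish date for, is allowed; operators who want unscanned packages blocked outright set fail_open_unscanned to false, independently of fail_open, which governs API connectivity errors.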

Improvements:

  • Decision events now include alert_action, client_action, request_id, trace_id, artifact_purl, event_type, event_category, parser_name, parser_version, and unscanned flag.
  • block_reason and warn_reason fields are now populated correctly for all non-alert scenarios (fail_open, fail_closed, API errors, unscanned packages).
  • parser_name and parser_version are propagated through all code paths including cached, stale, and error results.

Fixes:

  • Telemetry events now use the canonical decision event fields instead of re-deriving artifact_purl and action.
  • request_id and trace_id are now included in output logging for all event types.

v1.1.139

22 Mar 16:50

Operators can now specify an upstream_token on individual path routes or domain registries. This injects an Authorization: Bearer header on all upstream requests for that route — ideal for authenticated private registries where different routes require different credentials. The token value is read from an environment variable at startup, keeping secrets out of configuration files and logs. Basic auth (user:password) is also auto-detected.
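The credential handling described above, as an added example (Python, not the firewall's code): the secret is resolved from an environment variable once at startup, a `user:password` value is auto-detected and sent as Basic auth while anything else is sent as a Bearer token, and a redaction helper keeps the header value out of logs. The route config key `upstream_token_env` and the variable name `SOCKET_UPSTREAM_TOKEN_NPM` are assumptions for illustration, not the project's actual configuration schema.

```python
"""Per-route upstream credential injection.

Added example, not SocketDev/socket-registry-firewall code. Builds the
Authorization header for a route from an environment variable and shows how
to log it without leaking the secret.
"""
import base64
import os


def load_upstream_token(route_config: dict, environ=os.environ):
    """Read the route's secret from the env var named by the assumed
    'upstream_token_env' key. Fail at startup if the variable is missing,
    so a misconfigured route never silently sends unauthenticated requests."""
    var = route_config.get("upstream_token_env")
    if not var:
        return None
    value = environ.get(var)
    if not value:
        raise RuntimeError(f"route {route_config.get('path')}: env var {var} is not set")
    return value


def authorization_header(secret: str) -> str:
    """Auto-detect user:password (Basic); otherwise treat the value as a
    bearer token. A value already prefixed with 'Bearer ' is passed through."""
    if secret.lower().startswith("bearer "):
        return "Bearer " + secret[7:]
    if ":" in secret:
        return "Basic " + base64.b64encode(secret.encode()).decode()
    return "Bearer " + secret


def redact(header_value: str) -> str:
    """Keep only the scheme when the header must appear in a log line."""
    scheme, _, _ = header_value.partition(" ")
    return f"{scheme} [REDACTED]"


def upstream_headers(route_config: dict, environ=os.environ) -> dict:
    """Headers to add to every upstream request for this route."""
    token = load_upstream_token(route_config, environ)
    return {"Authorization": authorization_header(token)} if token else {}
```

Whatever the real configuration schema, the two properties worth checking in a deployment are the ones this sketch encodes: the secret never appears in the config file or in any event output, and a route whose variable is unset fails loudly rather than falling back to anonymous upstream access.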

The firewall now captures uber-trace-id and X-Request-Id headers from upstream private registry responses and propagates them as private_registry_request_id across all event outputs — console logs, Splunk HEC, webhooks, and Socket telemetry. The trace ID also appears in native nginx access logs, enabling full request correlation between the firewall and Artifactory/Nexus.

Full Changelog: v1.1.104...v1.1.139

v1.1.136

21 Mar 15:14

Full Changelog: v1.1.104...v1.1.136

v1.1.135

20 Mar 19:35

Full Changelog: v1.1.104...v1.1.135