Skip to content

VAT 2022.06.09

  • VAT BE: 1.9.35
  • VAT FE: 2.9.30
  • ROSIE: none

BLUF of release

  • Fixed bug where some findings would be miscalculated for CVE age in the details popup on the container page.
  • As a response to feedback from AMA, findings can now be updated by Container Contributor or Vendor Contributor at any time, even if approved. Such an edit will result in the state of the finding being reverted back to 'Justified'. This change is critical given the importance of proper justification and designation under the ABC/ORA system.
  • ORA scores 1A (Rate of Vulnerability Remediation) and 2B (How Recent are Vulnerabilities) have been temporarily disabled. After feedback from customers, and upon further investigation, it was determined that while the calculations were implemented as designed, those calculations don't align with reasonable expectations. This primarily is due to the fact that while VAT provides a convincing illusion of findings coming from other base containers, those findings are in fact in the individual container in question. The history of any findings are therefore also on the individual container. This would lead to new containers being brutally punished in scoring for findings that come from base containers, while older containers would see little issue. These calculations will be re-engineered and re-introduced or possibly replaced in the future.
  • Modularization of logging. Changes were made to allow for logging levels to be independently set using environment variables for various aspects of the VAT BE containers. See HERE for example of usage.
  • Implemented way to better test auth changes in local development and staging.

P1 API Breaking Changes

  • IBFE endpoints were moved to internal location and are now deprecated on p1 and will be removed from p1 next release.


There will be more such changes in future releases to standardize values

Tickets Completed

ABC/ORA updates

  • IBVAT-1072: Fixed issue where some findings could fail (or improperly pass) ABCs due to Improper selection of CVE publish date.
  • IBVAT-1076: Disable 1A and 2B ORA scores.



BE Enhancements

  • IBVAT-1056: Fix 500 error on requests to /containers endpoint w/o token.
  • IBVAT-1063: Updated URLs to move container argument to query parameter.

FE/UI Enhancements

  • IBVAT-1065: Prevent "BETA" from wrapping in the container table on vat main page.
  • IBVAT-1067: Added product/vendor logos to container page when available.
  • IBVAT-1073: CC needs to be able to update findings even after being approved

Misc work (No user experience changes)

  • IBVAT-1038: Migrate to React 18.
  • IBVAT-1055: Modularize logging for vat back-end.
  • IBVAT-879: Controller decorators in back-end are not being utilized/unnecessary
  • IBVAT-1053: Replace deprecated Type ORM Connection.
  • IBVAT-1045: Implement a way to test no auth and auth in local dev/staging.
  • IBVAT-1009: Reorganize and update minikube README


  • IBVAT-583: Create new VAT Import API business rules. (OBE)
  • IBVAT-960: Disable caching on all endpoints in express. (OBE)
  • IBVAT-797: Reduce sonarqube complexity for Api.tsx. (OBE)
  • IBVAT-1044, IBVAT-986: Environment variable for throttle control. (OBE)
  • IBVAT-482: Verify stored procedures and grants on startup (duplicate of ticket implemented last sprint) (OBE)
  • IBVAT-278: Display CVE Description from Official source. (OBE)
  • IBVAT-755: FE Need to show CAs when a container was force approved. (OBE)
  • IBVAT-765: Move filter and sort drop-downs into dedicated side bar (findings view). (OBE)