Release Notes
All notable changes to Sentari are documented here. This file covers customer-visible changes to the agent, server, and dashboard. Changes are listed in reverse chronological order.
[1.0.0] — 2026-06-26 — General Availability
First generally-available release. Sentari is now a multi-ecosystem package management platform (Python, npm, Maven, NuGet, and APT/YUM OS packages) with CVE correlation, runtime end-of-life tracking, supply-chain signals, SBOM generation, and tamper-evident compliance evidence for NIS2 / DORA / CRA — all air-gap-tolerant and on-premise. The highlights below landed in this release.
Added
Maven ecosystem — General Availability
- Java / Maven support is now GA. The server resolves package coordinates from POM metadata, the Maven CVE feed is enabled by default, JDK runtimes are detected on managed endpoints, and Maven supply-chain signals are ingested alongside the existing ecosystems. Java packages now correlate against CVEs and surface in inventory, compliance, and supply-chain views without any opt-in.
- The dashboard ships a Maven-aware version comparator, coverage flags, and ecosystem-maturity badges so operators can see at a glance which ecosystems are GA versus Preview.
Multi-ecosystem workspaces — General Availability
- Per-ecosystem workspaces (npm, PyPI, Maven, NuGet, APT, YUM) are GA, each with its own inventory, supply-chain, and license views.
- Supply-chain signals can be suppressed and un-suppressed directly from the workspace UI, so teams can mute known-accepted findings without losing the audit trail.
- Per-ecosystem settings have moved into Admin → Settings → Workspaces, consolidating workspace configuration in one place.
Release-keyed APT / YUM distro CVE correlation
- The agent and server now correlate operating-system package CVEs using the distribution's own versioning. dpkg and rpm version comparison is applied against per-distro OSV feeds, so a backported security fix in a Debian or RHEL package is recognised as patched rather than flagged on upstream version alone — eliminating a major source of false positives for system packages.
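The release-keyed rule above, as an added example that is not Sentari's code: a Go port of dpkg's version ordering (the rpm side uses a different algorithm and is not shown here), with an IsPatched check that compares the installed version against the distribution's own fixed version rather than the upstream one. All version strings are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added illustration (not Sentari code): a port of dpkg's version ordering, used
// to decide whether an installed Debian package already carries a backported fix.

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// orderAt is dpkg's sort weight for byte i of s: end-of-string is 0, '~' sorts
// below everything (even end-of-string), letters sort before other symbols.
func orderAt(s string, i int) int {
	if i >= len(s) {
		return 0
	}
	switch c := s[i]; {
	case c == '~':
		return -1
	case isDigit(c):
		return 0
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	default:
		return int(c) + 256
	}
}

// verrevcmp walks both strings as alternating non-digit and digit runs.
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := orderAt(a, i) - orderAt(b, j); d != 0 {
				return d
			}
			i++
			j++
		}
		for i < len(a) && a[i] == '0' { // leading zeros carry no weight
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		sa, sb := i, j
		for i < len(a) && isDigit(a[i]) {
			i++
		}
		for j < len(b) && isDigit(b[j]) {
			j++
		}
		da, db := a[sa:i], b[sb:j] // the longer run is the bigger number, else compare digits
		if len(da) != len(db) {
			return len(da) - len(db)
		}
		if c := strings.Compare(da, db); c != 0 {
			return c
		}
	}
	return 0
}

// splitVersion parses "epoch:upstream-revision" (epoch defaults to 0; the revision follows the last hyphen).
func splitVersion(v string) (epoch int, upstream, revision string) {
	if idx := strings.IndexByte(v, ':'); idx >= 0 {
		epoch, _ = strconv.Atoi(v[:idx])
		v = v[idx+1:]
	}
	if idx := strings.LastIndexByte(v, '-'); idx >= 0 {
		return epoch, v[:idx], v[idx+1:]
	}
	return epoch, v, ""
}

// CompareDeb returns <0, 0 or >0 as a sorts below, equal to or above b.
func CompareDeb(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	if ea != eb {
		return ea - eb
	}
	if c := verrevcmp(ua, ub); c != 0 {
		return c
	}
	return verrevcmp(ra, rb)
}

// IsPatched is the release-keyed rule: patched once installed >= the version the distro shipped the fix in.
func IsPatched(installed, fixedVersion string) bool {
	return CompareDeb(installed, fixedVersion) >= 0
}

func main() {
	fmt.Println("versus upstream fix only:", IsPatched("1.4.2-3+deb12u1", "1.4.3"))             // false (constructed backport)
	fmt.Println("versus distro fixed version:", IsPatched("1.4.2-3+deb12u1", "1.4.2-3+deb12u1")) // true
}
```

Comparing the installed backport against the upstream fixed release says "not patched", which is the false positive the release notes describe; comparing it against the per-distro fixed version says "patched".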
Per-finding CVE audit evidence (NIS2 / DORA / CRA)
- Every CVE finding now writes an immutable cve_correlation.detected audit record when first correlated, and a cve_correlation.resolved record when it is remediated or no longer present. These append-only, hash-chained rows give regulators a complete, tamper-evident detection-to-resolution trail per finding.
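Hash-chained, append-only audit rows as an added Go illustration (not Sentari's schema; the field names and the canonical encoding are assumptions): each record's hash covers the previous record's hash, and a verifier reports the first row that no longer checks out, whether it was edited, re-hashed after editing, or deleted.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Added illustration (not Sentari's schema): an append-only, hash-chained
// audit log in the spirit of the cve_correlation.detected / .resolved rows.
// Each row commits to the previous row's hash, so editing or deleting any
// earlier row breaks every hash after it. Field names are assumptions.

type AuditRecord struct {
	Seq      int
	Event    string // "cve_correlation.detected" or "cve_correlation.resolved"
	DeviceID string
	Package  string
	CVE      string
	At       string // RFC 3339 timestamp
	PrevHash string
	Hash     string
}

// canonical serialises the covered fields in a fixed order with a length
// prefix on each, so no field boundary is ambiguous when hashing.
func canonical(r AuditRecord) string {
	fields := []string{fmt.Sprint(r.Seq), r.Event, r.DeviceID, r.Package, r.CVE, r.At, r.PrevHash}
	var b strings.Builder
	for _, f := range fields {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return b.String()
}

// HashOf is the row hash: SHA-256 over the canonical encoding.
func HashOf(r AuditRecord) string {
	sum := sha256.Sum256([]byte(canonical(r)))
	return hex.EncodeToString(sum[:])
}

var genesis = strings.Repeat("0", 64)

type AuditLog struct{ rows []AuditRecord }

// Append links a new record to the tail of the chain; rows are never updated.
func (l *AuditLog) Append(event, device, pkg, cve, at string) AuditRecord {
	prev := genesis
	if n := len(l.rows); n > 0 {
		prev = l.rows[n-1].Hash
	}
	r := AuditRecord{Seq: len(l.rows) + 1, Event: event, DeviceID: device, Package: pkg, CVE: cve, At: at, PrevHash: prev}
	r.Hash = HashOf(r)
	l.rows = append(l.rows, r)
	return r
}

// Rows returns a copy, so callers can simulate tampering without touching the log.
func (l *AuditLog) Rows() []AuditRecord { return append([]AuditRecord(nil), l.rows...) }

// VerifyChain recomputes every hash and link. It returns the sequence number
// of the first row that fails, or 0 when the whole chain is intact.
func VerifyChain(rows []AuditRecord) int {
	prev := genesis
	for i, r := range rows {
		if r.Seq != i+1 || r.PrevHash != prev || HashOf(r) != r.Hash {
			return i + 1
		}
		prev = r.Hash
	}
	return 0
}

// DemoChain records a detection, a second detection and the resolution of the
// first (constructed sample data; the CVE ids are placeholders).
func DemoChain() *AuditLog {
	var l AuditLog
	l.Append("cve_correlation.detected", "dev-0042", "libexample 1.4.2-3", "CVE-YYYY-NNNN", "2026-06-01T09:00:00Z")
	l.Append("cve_correlation.detected", "dev-0042", "otherlib 2.0.0", "CVE-YYYY-MMMM", "2026-06-01T09:00:01Z")
	l.Append("cve_correlation.resolved", "dev-0042", "libexample 1.4.2-3+deb12u1", "CVE-YYYY-NNNN", "2026-06-03T11:30:00Z")
	return &l
}

func main() {
	l := DemoChain()
	fmt.Println("intact chain, first bad row:", VerifyChain(l.Rows())) // 0
	rows := l.Rows()
	rows[0].Package = "libexample 9.9.9" // a silently edited detection record
	fmt.Println("edited row 1, first bad row:", VerifyChain(rows)) // 1
	rows[0].Hash = HashOf(rows[0]) // re-hashing the edited row only moves the break to row 2
	fmt.Println("re-hashed row 1, first bad row:", VerifyChain(rows)) // 2
}
```

The verifier only needs the rows themselves, so an auditor can re-run it over an exported copy; anyone who edits a row must also rewrite every later row, which is what makes the trail tamper-evident.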
Changed
- Runtime EOL panels (Python / Node / JDK) were redesigned for clearer at-a-glance end-of-life status, with a clickable drill-down to the affected devices.
- Remediation guidance is now ecosystem-aware: upgrade and uninstall commands are generated per ecosystem (npm, NuGet, uv, JVM) with a safe fallback instead of an incorrect pip command.
- Runtime-EOL remediation campaigns can now be created and tracked from the Runtime page, with auto-verification on the next scan.
Fixed
- Inventory and device search are noticeably faster on large fleets thanks to trigram (pg_trgm) indexes.
- Helm and OpenShift deployments are now admitted and run cleanly; several deploy-blocking template issues were resolved.
- The agent fails closed on tokenless registration in the production posture, preventing unauthenticated enrolment.
[2026-06-15] — Runtime EOL correlation and device certificate renewal
Added
Runtime end-of-life correlation
- The agent detects Python, Node.js, and JDK runtimes on managed endpoints, and the server correlates their versions against endoflife.date to flag runtimes that are approaching or past end-of-life. A fleet-wide rollup and a per-device drill-down surface the results, with a compliance widget summarising EOL exposure.
- Air-gap support: the EOL feed can be loaded from an offline NDJSON bundle instead of fetching endoflife.date, so the correlation works with zero internet access.
Server-side device certificate renewal
- The internal CA now supports server-side renewal of agent mTLS certificates, and the server enforces certificate expiry (fail-closed). Fleets can rotate device certificates before they lapse without re-enrolment, keeping long-lived deployments compliant with mTLS-everywhere.
[2026-04-24] — Multi-ecosystem scanning (JVM) and container scanning
Added
Multi-ecosystem scanning (JVM)
- The agent now inventories Java / JVM packages alongside Python. Coverage includes Maven workstation caches (~/.m2/repository), Gradle caches, JDK runtimes (OpenJDK / Oracle / Adoptium / Zulu / GraalVM), and the six major application servers (Tomcat, JBoss/WildFly/EAP, WebLogic, WebSphere, Jetty, GlassFish/Payara). Shaded uber-jars and Spring Boot BOOT-INF layouts are walked recursively so transitive dependencies surface as first-class records.
- Server-side ecosystem partitioning: every package and CVE correlation is partitioned by ecosystem (pypi, maven, and future ecosystems). This eliminates cross-ecosystem false positives.
- Dashboard ecosystem filter on Inventory and CVE pages; URL-persisted for shareable deep-links.
Container-image scanning (opt-in, agent-side only)
- New agent scan mode discovers every Docker, Podman, and CRI-O container on the endpoint and inventories its contents through the existing plugin registry. Every emitted record carries container_image_id, container_id, and container_runtime fields on the scan upload.
- Disabled by default; enable with [scanner] containers = true in the agent config or SENTARI_SCAN_CONTAINERS=true. Caps at 100 containers per cycle with a 60-second per-target timeout to keep CI hosts stable.
- Note: server-side promotion of container fields onto dedicated columns, plus dashboard filter UI, are planned for a subsequent release.
Signed vulnerability-map push
- Server can now publish a signed ed25519 envelope of critical/high CVE advisories to agents. Agents verify the signature and apply the map locally — turns air-gapped fleets into full offline SCA without a network round-trip to OSV / NVD.
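The signed-envelope exchange as an added Go example, not Sentari's wire format (the envelope fields, the serial field and the function names are assumptions): the server signs the advisory map with ed25519, the agent verifies it against the pinned public key before parsing a byte of it, and a serial check refuses a replayed older map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Added illustration (not Sentari's wire format): the server signs the
// critical/high advisory map with ed25519; the agent verifies it against a
// pinned public key and refuses stale serials. Field names are assumptions.

type Advisory struct {
	Ecosystem string `json:"ecosystem"`
	Package   string `json:"package"`
	CVE       string `json:"cve"`
	Fixed     string `json:"fixed"`
	Severity  string `json:"severity"`
}

type VulnMap struct {
	Serial     uint64     `json:"serial"` // strictly increasing; blocks replay of an older map
	Advisories []Advisory `json:"advisories"`
}

type Envelope struct {
	Payload   []byte `json:"payload"`   // JSON-encoded VulnMap, signed byte for byte
	Signature []byte `json:"signature"` // ed25519 signature over Payload
}

var (
	ErrBadSignature = errors.New("vulnerability map: signature does not verify against the pinned key")
	ErrStaleMap     = errors.New("vulnerability map: serial is not newer than the map already applied")
)

// NewServerKey generates the server's signing key pair; agents pin the public half.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the server side: encode the map once and sign exactly those bytes.
func Sign(priv ed25519.PrivateKey, m VulnMap) (Envelope, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyAndDecode is the agent side: check the signature before parsing
// anything, then reject a serial that is not newer than the one applied.
func VerifyAndDecode(pub ed25519.PublicKey, env Envelope, appliedSerial uint64) (VulnMap, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return VulnMap{}, ErrBadSignature
	}
	var m VulnMap
	if err := json.Unmarshal(env.Payload, &m); err != nil {
		return VulnMap{}, err
	}
	if m.Serial <= appliedSerial {
		return VulnMap{}, ErrStaleMap
	}
	return m, nil
}

// Tampered returns a copy of env with one payload bit flipped (test aid).
func Tampered(env Envelope) Envelope {
	p := append([]byte(nil), env.Payload...)
	p[len(p)/2] ^= 0x01
	return Envelope{Payload: p, Signature: env.Signature}
}

func main() {
	pub, priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	m := VulnMap{Serial: 7, Advisories: []Advisory{{ // constructed sample; the CVE id is a placeholder
		Ecosystem: "maven", Package: "org.example:lib", CVE: "CVE-YYYY-NNNN", Fixed: "2.4.1", Severity: "critical",
	}}}
	env, _ := Sign(priv, m)
	got, err := VerifyAndDecode(pub, env, 6)
	fmt.Println("genuine map applied:", err == nil, "serial:", got.Serial)
	_, err = VerifyAndDecode(pub, Tampered(env), 6)
	fmt.Println("tampered map rejected:", errors.Is(err, ErrBadSignature))
	_, err = VerifyAndDecode(pub, env, 7)
	fmt.Println("replayed map rejected:", errors.Is(err, ErrStaleMap))
}
```

Signing the encoded bytes rather than the parsed structure keeps the agent's decoder out of the trust boundary: nothing is unmarshalled until the signature has already passed.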
Changed
- Agent binary imports the JVM scanner plugin by default. The -scan flag help text now reads "Run a scan of all supported ecosystems (Python + JVM)".
- The Package.ecosystem and VulnerabilityRecord.ecosystem columns are NOT NULL, with default pypi.
Fixed
- CVE correlation idempotency key now includes ecosystem. Prior behaviour could suppress a Maven correlation when a PyPI correlation with the same package name + version already existed on the same device.
[2026-04-06] — Early Access: Python version tracking and scanner coverage
Added
Python Version Tracking
- Fleet-wide Python version distribution view, accessible from the new Runtime tab under Fleet. Versions approaching or past end-of-life are highlighted to support prioritisation.
- Version trend charts covering 30-day, 90-day, 180-day, and 1-year windows, with per-version filtering for longitudinal analysis.
- Excel and CSV export of Python version distribution data for use in audit reports, asset management systems, and compliance evidence packages.
- Python version badges on individual Device Detail pages.
Fleet Navigation Restructure
- New Fleet Overview landing page providing at-a-glance fleet metrics: total devices, active scan coverage, packages tracked, and open alert count.
- Runtime tab under Fleet for Python version management.
- Diagnostics tab (renamed from Health) consolidating scan errors and connectivity issues across the fleet.
Scanner Coverage
- Explicit discovery of pyenv-managed environments (~/.pyenv/versions/) and asdf-managed Python installations (~/.asdf/installs/python/).
- Detection of legacy editable installs using .egg-link files, covering packages installed via pip install -e with older setuptools (below 60.0).
Security
- New --bootstrap-ca-fingerprint flag for the Enterprise agent. Pins the server's TLS certificate by SHA-256 fingerprint during initial registration.
- New --enroll-token-file flag for the Enterprise agent. Reads the enrollment token from a file instead of a command-line argument.
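Fingerprint pinning for the bootstrap handshake, together with the fail-closed certificate expiry and pre-expiry renewal from the 2026-06-15 notes, as an added Go example (not the Sentari agent's code; the accepted pin formats, the renewal window and the function names are assumptions). The self-signed certificate is constructed test material only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added illustration (not the Sentari agent's code): SHA-256 fingerprint
// pinning for the bootstrap handshake, plus a fail-closed validity check with
// a renewal window. Behaviour is assumed from the release notes only.

var (
	ErrNoCert      = errors.New("bootstrap: server presented no certificate")
	ErrPinMismatch = errors.New("bootstrap: server certificate does not match pinned fingerprint")
	ErrNotValid    = errors.New("mtls: certificate is expired or not yet valid")
)

// Fingerprint is the lowercase hex SHA-256 of the certificate's DER bytes.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// CheckPin compares only the leaf's raw DER against the operator's pin, so the
// decision is independent of any CA the host happens to trust.
func CheckPin(rawCerts [][]byte, pin string) error {
	if len(rawCerts) == 0 {
		return ErrNoCert // fail closed: no certificate, no enrolment
	}
	want := strings.ReplaceAll(strings.TrimPrefix(strings.ToLower(pin), "sha256:"), ":", "")
	if Fingerprint(rawCerts[0]) != want {
		return ErrPinMismatch
	}
	return nil
}

// BootstrapTLSConfig turns chain verification off only because CheckPin
// replaces it with the operator-supplied identity check.
func BootstrapTLSConfig(pin string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return CheckPin(rawCerts, pin)
		},
	}
}

// CertStatus is the fail-closed rule: an error outside the validity window,
// and needsRenewal once less than window remains before NotAfter.
func CertStatus(der []byte, now time.Time, window time.Duration) (needsRenewal bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, ErrNotValid
	}
	return cert.NotAfter.Sub(now) <= window, nil
}

// SelfSignedCert mints throwaway test material (constructed, not a real CA).
func SelfSignedCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now()
	server, err := SelfSignedCert("sentari-server", now.Add(-time.Hour), now.Add(72*time.Hour))
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(server)
	fmt.Println("pin:", pin, "pinned handshake ok:", BootstrapTLSConfig(pin).VerifyPeerCertificate([][]byte{server}, nil) == nil)
	renew, err := CertStatus(server, now.Add(60*time.Hour), 24*time.Hour)
	fmt.Println("renewal due:", renew, "error:", err)
}
```

Pinning replaces chain validation rather than adding to it, which is why it belongs only in the initial registration: once enrolled, the agent holds its own mTLS identity and the server enforces the validity window on every connection.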
Changed
- Default MaxDepth increased from 8 to 12 directory levels.
- The offline scan cache now auto-purges entries that exceed the configured retention window.
- The Health tab has been renamed to Diagnostics.
Fixed
- pyenv and asdf installations deeper than the previous default depth (8 levels) were silently skipped. These are now discovered reliably.
- Legacy editable installs using .egg-link files were previously not reported. They are now detected and included.
- In rare cases, a cache database failure during an outage could result in a scan being neither uploaded nor queued. A fallback write path now ensures the scan result is preserved.
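The depth-bounded discovery described under Scanner Coverage and in the two Fixed entries above, as an added Go illustration that is not Sentari's scanner: it walks a constructed home directory looking for pyenv and asdf interpreter directories and .egg-link files, and scans the same tree at the old (8) and new (12) MaxDepth to show what a cap of 8 silently skipped. The directory layouts are taken from the release notes; the walker, fixture and function names are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Added illustration (not the Sentari scanner): a depth-bounded walk that finds
// pyenv / asdf interpreter directories and legacy .egg-link files. The path
// conventions come from the release notes; the walker and fixture are ours.

type Finding struct {
	Kind string // "pyenv", "asdf" or "egg-link"
	Path string // relative to the scanned root
}

// depthOf counts directory levels below the root ("." is 0, "a/b" is 2).
func depthOf(rel string) int {
	if rel == "." {
		return 0
	}
	return strings.Count(rel, string(filepath.Separator)) + 1
}

// Discover walks root and refuses to descend beyond maxDepth levels. Anything
// deeper is skipped, which is exactly how a cap of 8 missed deep installs.
func Discover(root string, maxDepth int) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return nil // unreadable entry: skip it and keep scanning
		}
		rel, _ := filepath.Rel(root, p)
		if depthOf(rel) > maxDepth {
			if d.IsDir() {
				return fs.SkipDir
			}
			return nil
		}
		parent := filepath.ToSlash(filepath.Dir(rel))
		switch {
		case d.IsDir() && parent == ".pyenv/versions":
			out = append(out, Finding{"pyenv", rel})
		case d.IsDir() && parent == ".asdf/installs/python":
			out = append(out, Finding{"asdf", rel})
		case !d.IsDir() && strings.HasSuffix(d.Name(), ".egg-link"):
			out = append(out, Finding{"egg-link", rel})
		}
		return nil
	})
	return out, err
}

// Count reports how many findings of one kind were returned.
func Count(findings []Finding, kind string) int {
	n := 0
	for _, f := range findings {
		if f.Kind == kind {
			n++
		}
	}
	return n
}

// BuildFixture creates a constructed home directory in a temp dir: a pyenv interpreter
// at depth 3, an asdf interpreter at depth 4 and an .egg-link file buried at depth 11.
func BuildFixture() (string, error) {
	root, err := os.MkdirTemp("", "sentari-fixture-")
	if err != nil {
		return "", err
	}
	deep := ""
	for i := 1; i <= 10; i++ {
		deep = filepath.Join(deep, fmt.Sprintf("d%d", i))
	}
	for _, dir := range []string{".pyenv/versions/3.12.1", ".asdf/installs/python/3.11.8", deep} {
		if err := os.MkdirAll(filepath.Join(root, dir), 0o700); err != nil {
			return "", err
		}
	}
	link := filepath.Join(root, deep, "legacy-pkg.egg-link")
	return root, os.WriteFile(link, []byte("/src/legacy-pkg\n.\n"), 0o600)
}

func main() {
	root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, depth := range []int{8, 12} {
		found, _ := Discover(root, depth)
		fmt.Printf("MaxDepth=%d: pyenv=%d asdf=%d egg-link=%d\n", depth, Count(found, "pyenv"), Count(found, "asdf"), Count(found, "egg-link"))
	}
}
```

Returning fs.SkipDir at the boundary means the walker never even lists the contents of an over-deep directory, which keeps the cost of a deliberately deep tree bounded; the trade-off is that anything below the cap is invisible, so the cap has to sit above where real installs live.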
Security
This release includes security hardening across the agent and server:
- Integer overflow fixes in the agent's filesystem depth counter and package count accumulator.
- TLS certificate pinning for the initial registration handshake via --bootstrap-ca-fingerprint.
- HTTP redirect blocking — the agent now rejects all HTTP redirects from the server.
- Audit log tamper protection — database triggers in the local audit log now prevent UPDATE and DELETE operations on existing entries.
- File permission hardening — the agent data directory and all sensitive files are now created with explicit restrictive permissions (0700/0600).