Version 3.1.4

Version 3.1.4 is a maintenance release focused on specific fixes and minor enhancements. See below for the entire list.

Enhancements:

Added support to make the file upload size configurable

Added support for multi-file uploads

In the Runtimes list page, added support to distinguish between REST and BATCH deployments in the Last Activity Column

Updated the error messages when the ModelOp runtime receives a malformed asset

For the ModelOp Monitoring package, added support to allow non-predictor columns to be monitored for drift

Added support to configure the client-registration-id to the Opaque query param Introspector. This update allows EndUsers to define the {{client-registration-id}} for the QueryParamIntrospector and AuthenticationManager, if added value is empty, then it will use the default one as {{query_param_introspector}}

Added support to be able to do a hot-update of the list of protected endpoints through the Gateway, so that an admin can add/remove endpoints without having to redeploy / restart GW.

Added additional optional access control for BPMN deployments to restrict to certain authorized groups

Added support to automatically distinguish PySpark models from regular python models

Addressed minor issue with the PowerBI plugin to handle Gateway link issues

Upgraded ModelOp Center to use Angular 14

Added a new Custom Metadata UX for adding/editing custom metadata via the UI

Optimized the ModelOp OOTB monitors to be more efficient in terms of memory usage

Added support for the ModelOp runtimes to resolve configuration values from SCCS

Added support to the ModelOp runtime to allow for more configuration tuning via configuration files

Added support to select the Runtime kafka credentials based on producer/consumer and/or topic

Added support to the ModelOp runtime for aws:kms encryption

Allow multiclass classification metrics in the Performance Monitor: Classification Metrics

Updated the MLC diagrams in the Snapshot and MLC pages to provide more detailed information when hovering over a step in the MLC

Updated the Job Details page to make the Model Test Result more prominent

Added a service alert banner if a core ModelOp Center service experiences degredation

Updated deployments label in the Model Snapshot page

Updated the labels in the Monitoring Scheduling tab

Added support for further filtering in the Jobs page

Added UI tabs for Associated Models in the business model and snapshot pages

Added support to include the full Jenkins job error message when a Jenkins job fails in any type of Jenkins service interaction

Added support to generate and verify schemas via a Jupyter notebook

Updated the default "deployment" MLC to automatically add a standard set of monitors to the model snapshot

Added a new Deployment details UI page to allow the user to see details of the deployment

Added criteria to search for associatedModelSnapshotId in the MTRSummary findByOptional Endpoint

Added the capability to add additionalAssets on a DeployedModel, such that a DMN (e.g. Dashboard dmn) can be added to the Deployment

Added a new asset role DASHBOARD_RESULT_COMPARATOR (to be used in deployedModel for Dashboard recognition

Updated the Jobs UI details page to handle jobs that do not contain a model

Added support for external credentials for Gitlab pipeline integration

Updated the Job details page to include more details of Jenkins and Gitlab pipeline job information

Added support to re-run Jenkins or Gitlab Pipeline jobs

Added a GitLab Service to talk to REST API client

Added a GitLab Job MLC Delegate to launch jobs

Added a GitLab Job Monitor to process Gitlab Pipelines

Added support for a GitLab job output 

Added support for Gitlab Job input variables

Created an updated ModelOp runtime image that includes support for loading CSV's directly into an R dataframe

Optimized handling of json input files for metrics jobs to have the python runner read the files directly via a Pandas call

Added support to store the output of Dashboard jobs in external storage (e.g. S3)

Optimized the default bpmns and delegates to use object IDs instead of the fully hydrated objects, allowing for more efficient memory and storage usage for the mlc service

Added support for sending custom variables when triggering an mlc signal (e.g. when sending a scheduler signal)

Created a new MLC to send an email instead of opening a ticket if a Monitoring job fails

Added new delegates for all ModelOp Center core objects that take a PATCH statement

Addressed issue with "next gen" Jira environments where there can be duplicate issue type names with different ids

Added support for mTLS configuration to the ModelOp runtime

Added support for AzureAD for the ModelOp Center Tableau plugin

Added support for AzureAD for the ModelOp Center PowerBI plugin

Added support for AzureAD for the ModelOp Center SageMaker integration

Added support for AzureAD for the ModelOp Center Jupyter integration

Added support for AzureAD for the ModelOp Center Spark integration

Added support for AzureAD for the ModelOp Center CLI

Added support for Okta for the ModelOp Center Tableau plugin

Added support for Okta  for the ModelOp Center PowerBI plugin

Added support to the standard MLC to configure how generic runtime matching should be done when group isolation is not required

For the ModelOp monitoring package, for models where input features are not provided, added ability to to run comprehensive Volumetrics on the score fields to allow for univariate analysis.

Added support for configuring the logging level of the ModelOp Center python packages. If the environment variable {{MODELOP_SDK_ENV_VAR_NAME}} is present then general LOG levels should be adjusted to the  env variable value

Added the ability to create generic bar, table, and line charts from a metrics model

Updated the ModelOp UI tags to trim any whitespace, thus avoiding any issues in matching tags in the MLC

Added support for a downloadable link to S3 assets for authorized users

Updated the UX of Model Test Results when the model has a large number of columns

Added business model name (reference model) in the main Job list page for each of the jobs

Updated the OOTB Stability monitor to be able to run even without a Score column

For the ModelOp monitoring package, added improve error messaging if the Identifier is not specified for the OOTB Volumetrics Comparison monitor

Added support for creating snapshots of SageMaker models directly in the ModelOp Center UI

Added Approval notification type and Approval section of the UI to distinguish specific model approvals throughout a model's life cycle

Added support to the ModelOp Runtime to send an access token when connecting to the web socket in secured mode

Addressed Vulnerability: <[https://nvd.nist.gov/vuln/detail/CVE-2019-17495|https://nvd.nist.gov/vuln/detail/CVE-2019-17495|smart-link] > - Critical - A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value

For the ModelOp monitoring package, added a new OOTB Monitoring Model that calculates Data Drift using Wasserstein Distance

Added UI support for custom fields in the Home Dashboard screen

Fixed several styling issues with the charts/graphs in UI dark mode

Updated the MLC tab of a Snapshot to sort the MLC's by start time

Addressed a minor UI issue with the highlighting of sub-menu items

Updated the Dashboard population approach to read the most recent model test results for a given model. This will allow more flexibility and improved performance for the Home Dashboard population

Updated the Spark runtime service to support AWS Cognito

Updated AWS Cognito support for the "refresh_token" mechanism

Improved end user error messages for non source code files when failing with a git import issue

Updated the Jobs UI page to allow for canceling Jenkins and Gitlab Pipeline jobs

Created an updated ModelOp runtime image that includes support for R-4.2.1

Updated the Compliance report to include the Approvers for all Approvals

Added support for AzureAD to feth the group-name in addition to the GroupID

Updated the Oauth2 implemenation process to create default generic OAuth2 clients for existing idPs, following these providers definitions:

  • gateway-service

  • internal-client

  • go-cli

  • external-integration-client

Added support for PingFederate integration to dynamically extract the user values from LDAP

For the ModelOp monitoring package, added a new OOTB monitor for calculting Linearity metrics via Box-Tidwell

Updated SparkSQL Support, including:
(1) centralizing the Spark configurations
(2) adding additional Spark Job options to the Job creation screen
(3) ability to write Spark job outputs as embedded assets in ModelOp Center
(4) ability to configure authorization options for Cloudera clusters
(5) limiting the log size for a Spark-submit job to 10MB
(6) updating the error messaging if a the HADOOP_CON_DIR is not present

Added the ModelOp runtime image name in the Platform information tab of the Runtime details UI page

Formerly added support to the ModelOp runtime for reading/writing data sets from Redshift 

Added /actuator/refresh endpoint to runtimes to support reloading configuration from SCCS without having to restart the runtime.

Updated how the MLC history is being managed to optimize overall memory and storage usage of the MLC service

Added support for connecting to RDS through an IAM DB Auth Token

Bug Fixes:

Updated Champion/Challenger user experience, including entering the comparison view from within a Snapshot

Added a date range filter on the Model Test Results page

Fixed a url redirect issue from the Dashboard to the model test result

Fixed several Text styling issues in UI light mode

Addressed a minor UI issue where a user is not logged out of all tabs for a given browser session

Addressed minor issue when importing a new business model that requires writing external assets to Azure blob storage

Updated error messages for Monitoring jobs when there are no available runtimes to execute the monitor

Addressed minor UI issue for the "Filter by User" capability on the Business Models and Monitors inventory pages, when the User filter contains a comma

Update the CreateModelNotification delegate to pass storedModelId OR deployableModelId

Addressed minor issue when uploading assets to Azure blob store for a ModelOp Center environment that supports both Azure blob and S3-based assets

Update ModelOp Center CLI support for Training job output

Addressed minor issue in Model Test Result generation when an "\" escape character is included in the monitor job output

Addressed minor UI issue where the Runtime "platform information" tab is not updated when the underlying runtime docker container is updated

Addressed minor UI issue for SageMaker model import, where the UI creates the model under group="null"

Addressed minor security issue to require valid credentials to view the backend Stomp queue messages

Addressed UI filtering issue when a user provides a filter of {{(}}

Addressed minor UI issue on the Runtimes page when sorting the runtimes by Name

Addressed minor API issue when a user provides a non-existent group in an API call

Addressed minor issue when a user provides a group in SCCS that includes "-" in the name

Added additional error messaging support for model deployment edge cases

Addressed minor issue with Jenkins job creation when the job generation would result in a redirection error

Updated Annual Review MLC to create a refreshed Deployed Model entity upon the successful sign-off of the annual review, thus allowing for the Compliance charts to display correctly

Addressed minor issue upon ModelOp Center upgrade process, if for some reason, a MongoDB index was not dropped successfully during the upgrade process

Added support to allow the Delegate Annotation Framework to create Delegates with no input variables

Optimized how the ModelOp runtime processes log messages to be more efficient with large logs

Added support for REST-based data assets

Added an error messaging when a gitlab pipeline job request does not include the branch of the gitlab pipeline repo.

Addressed minor AzureAD issue when a new user logs in that is not associated with any existing groups

Made multiple updates to Helm install support

Addressed minor issue with the schema and assets links in a Jupyter notebook

Added a configuration to not reload the default MLC's upon ModelOp Center restart

Added enhanced error messages when BUILD_PARAMETERS are not sent in request for a JENKINS PIPELINE JOB that requires build parameters

Addressed minor issue where MLC external tasks were limited to 100 active tickets

Addressed issue where Jira Attachments were being re-uploaded after the document was deleted from the Jira ticket

For the ModelOp Monitoring package, removed the requirement that dataframes must have the same column ordering

For the ModelOp Monitoring package, addressed issue where the Summary methods return INFs if input data has INF values

For the ModelOp Monitoring package, added support to handle binary classification in bias with labels not in [0,1]

For the ModelOp Center Jupyter notebooks, updated the error messaging for failure to authenticate to a Cognito-backed ModelOp Center instance

Improved model import for SageMaker models that have a large number of artifacts and/or jobs so that the model can be imported without issue, despite how large it may be

Addressed minor UI issue where the MLC diagram would re-center when the user tries to navigate on the MLC diagram or change the zoom level

Addressed minor UI issue where the auto-refresh toggle would not turn back "on"

Addressed minor UI issue on the MLC page where the breadcrumbs were not refreshing appropriately

Addressed minor issue where scoring errors were not being propagated back to the appropriate REST handler in the ModelOp runtime

Addressed minor UI issue where the browser zoom level caused unnecessary scroll bars in the ModelOp UI tables

Addressed a minor issue with Model Test Results that contain "dots" as keys in the json job output

Addressed minor UI issue where the "Non-compliant models in Production" chart was still showing tickets that were already CLOSED

Added additional error handling support for when an input asset to a job mistakenly contains no data (null)

Addressed an issue with the OpenAPI swagger generator where the enum collection was not being displayed in the swagger UI correctly

Added support to use a Web Identity token for SageMaker models

Addressed minor UI issue where the group information was not being correctly passed into the Add a Monitor wizard

Addressed minor UI issue where Variable Name filtering was not working properly on the MLC process Instance page

Addressed minor UI issue on the Home Dashboard - Cumulative Value card

Improved the error messaging when a user uploads an invalid extended schema to a model

Improved error handling when a Job fails due to schema-CSV header mismatch

Addressed minor UI paging issue in the Deployments page when filters are applied

Added support for importing a Git repository when the repository does not contain a recognized primary source code file

Vulnerabilities Addressed:

Vulnerability: FasterXML, jackson-bind

*Issue Link:* [https://access.redhat.com/security/cve/CVE-2022-42003|https://access.redhat.com/security/cve/CVE-2022-42003|smart-link]

Addressed Vulnerability: HTTP Response Splitting when calling `DefaultHttpHeaders` on an iterator of values, because header value validation is not performed.

*Issue Link:*

[https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-3167773|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-3167773|smart-link]

Addressed Vulnerability: RHEL-8 - A flaw was found in the org.yaml.snakeyaml package

*Issue Link:* [https://access.redhat.com/security/cve/CVE-2022-25857|https://access.redhat.com/security/cve/CVE-2022-25857|smart-link]

Addressed Vulnerability: DoS org.yaml:snakeyaml

*Issue Link:*  [https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360|https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360|smart-link]

[https://github.com/advisories/GHSA-3mc7-4q67-w48m|https://github.com/advisories/GHSA-3mc7-4q67-w48m|smart-link]

Addressed Vulnerability: Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens

*Issue Link:*

[https://github.com/advisories/GHSA-7w4x-4h67-pgmv|https://github.com/advisories/GHSA-7w4x-4h67-pgmv|smart-link]

Addressed Vulnerability: com.squareup.okhttp3:okhttp vulnerable to Information Exposure

*Issue Link:*

[https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044|https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044|smart-link]

Addressed Vulnerability: Denial of Service by injecting highly recursive collections or maps in XStream

Issues links:

1-  [https://github.com/advisories/GHSA-rmr5-cpv2-vgjf|https://github.com/advisories/GHSA-rmr5-cpv2-vgjf|smart-link]

2- [https://security.snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977|https://security.snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977|smart-link]

3- [https://access.redhat.com/security/cve/CVE-2022-40151|https://access.redhat.com/security/cve/CVE-2022-40151|smart-link]

Addressed Vulnerability: Apache Commons Beanutils 1.9.2

*Issue Link:* [https://github.com/advisories/GHSA-6phf-73q6-gh87|https://github.com/advisories/GHSA-6phf-73q6-gh87|smart-link]

Addressed Vulnerability: Denial of Service by stack overflow in the `map` parameter.

*Issue link:*

1- [https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084|https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084|smart-link]

2- [https://access.redhat.com/security/cve/CVE-2022-40149|https://access.redhat.com/security/cve/CVE-2022-40149|smart-link]

Addressed Vulnerability: org.codehaus.jettison:jettison

*Issue Link:* [https://access.redhat.com/security/cve/CVE-2022-40150|https://access.redhat.com/security/cve/CVE-2022-40150|smart-link]

Addressed Vulnerability: Cross-site scripting vulnerability in swagger-ui 3.26.2

Additional information: [https://www.tenable.com/plugins/was/113267|https://www.tenable.com/plugins/was/113267|smart-link]

Addressed Vulnerability: SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754

Source: [https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754|https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754|smart-link

Addressed Vulnerability: On com.google.code.gson-gson

Additional details here: [https://access.redhat.com/security/cve/CVE-2022-25647|https://access.redhat.com/security/cve/CVE-2022-25647|smart-link

Vulnerabilities: Apache Xalan Java XSLT library- GHSA-9339-86wc-4qgf [poi-ooxml] - CVE-2022-34169

Additional Info: [https://github.com/advisories/GHSA-9339-86wc-4qgf|https://github.com/advisories/GHSA-9339-86wc-4qgf|smart-link

Addressed Vulnerability: Document-Service - SNYK-JAVA-XALAN-2953385 - [poi-ooxml]

[xalan:xalan|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xalan%22] is a XSLT processor for transforming XML documents into HTML, text, or other XML document types

Addressed Vulnerability: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check, related to the same CVE-2022-42003

Vulnerability: Parsing a XML document with the XML_PARSE_HUGE option enabled can result in an integer overflow.

Additional Info:  [https://access.redhat.com/security/cve/CVE-2022-40303|https://access.redhat.com/security/cve/CVE-2022-40303|smart-link

Addressed Vulnerability:  [Git]-  Integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.

CVE’s:

Addressed Vulnerability: <[https://nvd.nist.gov/vuln/detail/CVE-2016-3086|https://nvd.nist.gov/vuln/detail/CVE-2016-3086|smart-link] > - Critical - The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
<[https://nvd.nist.gov/vuln/detail/CVE-2021-37404|https://nvd.nist.gov/vuln/detail/CVE-2021-37404|smart-link] > - Critical - There is a potential heap buffer overflow in Apache Hadoop lib hdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Addressed Vulnerability: |[CVE-2017-1000190|https://us-east-2.console.aws.amazon.com/inspector/v2/home?region=us-east-2#/findings?by=all&findingArn=arn:aws:inspector2:us-east-2:685917037183:finding/1081782d6faf01e0f61cf1fe918a77ab]|org.simpleframework:simple-xml|CRITICAL|SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on.

Addressed Vulnerability: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed
Additional details here:
[https://github.com/advisories/GHSA-hfrx-6qgj-fp6c|https://github.com/advisories/GHSA-hfrx-6qgj-fp6c|smart-link

Addressed Vulnerability: Upgrade org.apache.poi ; org.apache.poi.poi-ooxml and org.apache.poi.poi-scratchpad from 5.0.0 

Addressed Vulnerability: org.apache.santuario:xmlsec - [poi-ooxml] - GHSA-j8wc-gxx9-82hx - CVE-2021-40690

Additional info: [https://access.redhat.com/security/cve/CVE-2021-40690|https://access.redhat.com/security/cve/CVE-2021-40690|smart-link

Vulnerability :  org.apache.xmlgraphics:xmlgraphics-commons - [poi-ooxml] - GHSA-fmj2-7wx8-qj4v CVE-2020-11988

More info: [https://github.com/advisories/GHSA-fmj2-7wx8-qj4v|https://github.com/advisories/GHSA-fmj2-7wx8-qj4v|smart-link

Addressed Vulnerability: org.apache.xmlgraphics:batik-svgbrowser - [poi-ooxml] - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910  - CVE-2022-41704

Additional info: [https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910|https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910]

Addressed Vulnerability: org.apache.xmlgraphics:batik - [poi-ooxml] - https://access.redhat.com/security/cve/CVE-2022-40146 - CVE-2022-40146  - CVE-2020-11987 - GHSA-2h63-qp69-fwvw - CVE-2022-42890

Additional info here: [https://access.redhat.com/security/cve/CVE-2022-40146|https://access.redhat.com/security/cve/CVE-2022-40146|smart-link

Vulnerability: Upgrade org.apache.pdfbox:pdfbox to version 2.0.23 or higher - [poi-ooxml] - SNYK-JAVA-ORGAPACHEPDFBOX-1088012 - SNYK-JAVA-ORGAPACHEPDFBOX-1088011 - SNYK-JAVA-ORGAPACHEPDFBOX-1304912 - SNYK-JAVA-ORGAPACHEPDFBOX-1304913

Additional Info: [org.apache.pdfbox:pdfbox|http://pdfbox.apache.org/] is an open source Java tool for working with PDF documents. Affected versions of this package are vulnerable to Denial of Service (DoS)

Addressed Vulnerability: Upgrade org.apache.xmlgraphics:batik-bridge to version 1.15 or higher - [poi-ooxml] - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-3031729 - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-3031730 - CVE-2022-40152

Additional info:

Addressed Remove dependency `Apache Commons JXPath package` with identified vulnerability

Additional Info: [https://access.redhat.com/security/cve/CVE-2022-41852|https://access.redhat.com/security/cve/CVE-2022-41852|smart-link]: A flaw was found in the Apache Commons JXPath package. This flaw allows an attacker to use the interpreter to execute untrusted expressions and a remote code attack{quote}

Addressed Vulnerability: Cross-site scripting at api level. Reflected Cross-site Scripting (XSS) is another name for non-persistent or Type-II XSS, in which the attack doesn't load with the vulnerable web application but is instead originated by the victim loading the offending URI.