# ------------------------------------------------------------
# cawk is subject to an MIT open-source licence
# please refer to the MIT licence file for further information
# ------------------------------------------------------------
# cawk is Copyright (C) 2024-2026 by Cedric Llorens
# ------------------------------------------------------------
v3.4.0 (March 2026):
Makefile:
- (beta) You may add an environment variable CAWK_SYSNAME to use special common functions implemented in database/common/special_common.gawk.template
instead of common/common.gawk.template (refer to the README for further information)
- Added a new TMP_ASSESSMENT_FILES variable used to clean all intermediate supplier assessment files, set to <yes> by default
(only the *all* report files remain) (see Makefile.support.mk)
- Updated Makefile for performance enhancements
Package Integrity:
- Added an additional sha512sum check to verify the integrity of the package before running an assessment
Makefile.docker:
- Updated to inherit variables from Makefile.support.mk (see: CAWK_VERSION in Makefile.support.mk)
Tests:
- Reviewed all existing tests for ACL consistency and added new supplier ones: <packetfilter-fwcli>, <ekinops-oneos>
- The ACL consistency library has been thoroughly reviewed (ref. common/common_hypercube-lib.gawk.template)
v3.3.0 (January 2026):
Makefile:
- add new supplier <ekinops-oneos>
- add a new target <sync_teststoconfs_run> : sync tests to confs for <audit=AUDIT_NAME> assessment
- add a new target <sync_teststoconfs_run_audit> : sync tests to confs for only all <audit=AUDIT_NAME> assessments
- optimize Makefile to avoid reaching Unix shell maximum line length
Tests:
- add new tests for <iptables-fwcli> and <ekinops-oneos> (ref new authors)
Makefile.cawk.version:
- This is a specific Makefile used to manage the cawk version packages (please refer to the README for further information)
(this Makefile must be located in the parent directory of cawk installations)
v3.2.0 (December 2025):
Makefile:
- add a new variable that can be called with gmake like:
gmake check_run audit=<AUDIT_NAME> PSIRT=yes : only compute PSIRT tests if you intend to build an audit only for psirt purpose
gmake check_run audit=<AUDIT_NAME> PSIRT=no (default value) : compute all the tests
(ref Makefile.support.mk file)
- fix a bug in database.repo copy to database
Docker:
- 3 new files have been added to build a cawk container based on:
- Makefile.docker file,
- Dockerfile file,
- cawk_docker_run.sh script
(please refer to the README for further information)
v3.1.0 (October 2025):
Makefile:
- add a new script <database_sync_psirt.sh> in <database/scripts> in order to build psirt inventory
(this script is run with <sync_psirt> target)
(refer to README for further information)
- add a new target <sync_psirt> to build psirt inventory
- add a new target <database_repo_copy> allowing to update <database> directory only with missing
files (database.repo -> database), this target is run with <migrate> target
(refer to README for further information)
- fix a bug with $(ECHO) -e command (not portable and printing "-e" in files)
- fix a bug with <backup_audit_run> find command (-type f -o -type d not portable, database not fully backed up)
- update database_sync with a new option regex_path_exclude in order to exclude configurations based on their
paths, all associated cawk files have been updated
Tests:
- add advanced psirt test code allowing to match line, block, os version, etc.
- one advanced psirt code has been added for cisco-ios, cisco-xe, cisco-viptela and cisco-xr
- it is built over <common/test_generic_psirt.gawk.template> v1.0 code
- such psirt test has <.gawk.include> suffix
- <username> test is now available for cisco-xe supplier scope
- all cisco-ios tests are now available for cisco-xe supplier scope
v3.0.0 (October 2025):
Makefile:
- update Makefile in order to have a new type of test allowing to check advanced psirt vulnerabilities
(statements match, ios versions regex match, chassis regex match, etc.) in a future release
- update Makefile to support running cawk as a Docker container in a future release
- enforce Makefile controls during processing
- set a <EGREP variable> in Makefile.support.mk for pointing to <grep -E> rather than to <egrep>
- add a new target <clean_archive_older> to remove archive files older than the ARCHIVE_OLDER_DAYS value defined in Makefile.support.mk
- <sync_run target> update
- to add a new regex allowing to match os supplier during the sync
(refer to README for further information)
- remove the confs directories by default and create only the ones linked to existing configurations
(refer to README for further information)
Tests:
- <banner> tests are now available for all cisco supplier scopes
- <enable password> tests are now available for all cisco supplier scopes
- <logging> tests are now available for all cisco supplier scopes
v2.9.0 (September 2025):
Makefile:
- improved test execution performance by allowing multiple configuration files per test run
(this option can be changed in Makefile.support.mk with the TEST_EXE variable)
- general performance improvements (.INTERMEDIATE and *.swap for all scopes)
- add a new target gmake version to display the current cawk version
- add two targets gmake tests_check and tests_check_nok to check the compliance validity of all tests
Tests:
- add a banner test for cisco-ios scope only (to be replicated for other scopes in future releases)
- updated tests for older crypto algorithms across all supplier scopes (ref support/tests.sed)
- fixed all inconsistent test output names and include an internal check before package release.
note that some test names have changed to be more consistent (it could impact existing exceptions)
(ref common/check_test.gawk.template will check test consistency and format compliance)
(inconsistencies can be checked directly with gmake tests_check and gmake tests_check_nok targets)
v2.8.0 (July 2025):
Makefile:
- in reports, include the number of exceptions in the summary report
- in reports, include the number of deadbeef configurations in the summary report
- in email_send target, add the summary as a file attached and only display the common/common_message.txt in the email body
- in view_error and view_run targets, simplify the output
- in targets tests_run_copy and tests_run_audit_copy, add a check to avoid copying files that already exist in run_audit
Tests:
- for the following supplier scopes : cisco-ios, cisco-xe and cisco-cedge, update global tests to take into consideration
the default commands (hidden commands), avoiding the need to set many exceptions for each supplier scope assessment
- for the following supplier scopes : cisco-ios, cisco-xe, update line aux tests to take into consideration that other
line commands can be defined for modem, etc.
Common:
- review code of timeline reporting to enhance performance
v2.7.0 (June 2025):
Makefile:
- in reports:
- rename ".all.full." substring to ".all." substring for the final reports
- build *.idx (index of configurations assessed)
- build a new final psirt report (.all(.security./.audit./.psirt./.exception./.deadbeef.)) gathering
all psirt errors
- build a timeline report for each final report (.all(.security./.audit./.psirt./.exception./.deadbeef.))
that could be injected into Microsoft PowerBI, Grafana, etc. as it includes a timestamp header for each error
(year, month, day, week, number of devices assessed)
- for the final reports, the concept of deadbeef can be activated in Makefile.support.mk or by calling
gmake with DEADBEEF like (gmake check_run audit=cawk DEADBEEF=yes):
- if DEADBEEF is set to "yes", then the deadbeef final report is generated and deadbeef devices
are removed from other final reports (.all.security.,.all.audit.,.all.psirt.,all.exception.)
- if DEADBEEF is set to "no", then the deadbeef final report is generated and deadbeef devices
are kept in other final reports (.all.security.,.all.audit.,.all.psirt.,all.exception.)
- a device is considered deadbeef by default if its configuration is older than the days value
set in DEADBEEF_THRESHOLD_DAYS (default value is 30 days)
- in backup_run target, enforce that logs/run_audit/AUDIT_NAME logs are also backed up in the gzipped
file (needed for cawk version migration)
- in migrate target, enforce the copy of tests by several finds rather than a single find command which can
generate issues on some systems
Common:
- update the summary format for a better readability
Tests:
- updated 6wind-linux tests (enhanced test outputs)
v2.6.0 (may 2025):
Tests:
- update cisco-ios, cisco-xe, cisco-cedge *acls*defref* tests
- update cisco-ios, cisco-xe, cisco-cedge, cisco-xr *routing*defref* tests
- update juniper-junos *filter*defref* tests
- fix issues for sync_run target not working properly, update Makefile and common/sync_cawk_conf.gawk.template
Common:
- add a new "error stats" section showing a sorted list of most frequent test error names by occurrence by risk level
Cawk Makefile:
- update targets create_audit and delete_audit which write or remove audit=AUDIT_NAME in the various databases
- add a new status code psirt : to classify the errors as psirt
- add new targets:
- tests_run_copy audit=AUDIT_NAME supplier=SUPPLIER_NAME
allows copying tests from repo to run_audit (supplier scope)
- tests_run_audit_copy
allows copying tests from repo to run_audit (all supplier scopes) for all audit=AUDIT_NAME
- database_postaudit_(add,del,update)
allows running post-assessment tasks like creating helpdesk tickets, etc.
(please refer to the README for further information)
- migrate file=BACKUP_PATH_FILE
allowing to migrate from one cawk version to another
(please refer to the README for further information)
v2.5.0 (april 2025):
Tests:
- add a new scope : 6wind-linux
- review the risk level and status codes of all *defref* tests
Cawk Makefile:
- by default reporting is linked to each supplier scope. now, in addition to the default reporting, a full reporting is
generated for all suppliers allowing to generate a full report, security report, audit report and summary report.
- generate cawk msg (only for assessment audit=AUDIT_NAME) when confs or tests directories are not found. it allows to
remove unused directories if needed.
- add new targets to manage email notifications for cawk assessments, it refers to database_email_(add,del,update),
email_send(_audit)? targets (please refer to the README for further information)
- update gmake database_sync_(add,update) audit=AUDIT_NAME dir=SYNC_PATH regex=REGEX_PATTERN/.* scope=SCOPE_FILE/none
a scope can be provided to limit the configuration synchronization to a specific scope based on internal inventory
(please refer to the README for further information)
- fix some bugs when using view targets
Cawk Makefile.support.mk:
- JSON var is set to "no" by default, if set to "yes" json reporting is activated (i.e. Makefile.support.mk)
Cawk directories:
- add a log directory to store all cawk logs
v2.4.0 (march 2025):
Tests:
- update and add new tests for supplier scopes : packetfilter-fwcli, iptables-fwcli, checkpoint-fwcli
- add a new supplier scope : cisco-xr
Cawk Makefile:
- add new sync targets to synchronize configurations from a central confs repository to a cawk assessment audit=AUDIT_NAME
it refers to sync_run, sync_run_audit targets (please refer to the README for further information)
- add new backup targets to backup data linked to a cawk assessment audit=AUDIT_NAME (confs, tests, exceptions, reports)
it refers to backup_run, backup_run_audit targets (please refer to the README for further information)
- add new restore targets to restore data linked to a cawk assessment audit=AUDIT_NAME (confs, tests, exceptions, reports)
it refers to restore_run, restore_run_audit targets (please refer to the README for further information)
- add new targets to manage the cawk sync database used for confs synchronization
it refers to database_view, database_sync_(add,del,update)
Directory structure:
- add a new directory <database> in the cawk root directory to store all cawk options in flat files
- add a new directory <backup> in the cawk root directory to store backup and restore data
v2.3.0 (march 2025):
Tests:
- add a new supplier scope cisco-xe
- add new tests (snmp v3) for all these supplier scopes :
cisco-ios, cisco-cedge, cisco-xe, cisco-viptela, nokia-sros, paloalto-panos, huawei-vrp, fortinet-fortios, juniper-junos
Reports:
- computation of two key security indicators in the summary report:
- security Compliance : expressed as a percentage between 0% and 100%, where 100% is the best score
- average number of errors per Device : measured from 0 up to an upper bound, where 0 is the best score
- generate automatically json reports from csv reports using the cawk assessment format (ref README)
- generate automatically json reports from txt summary reports using the cawk summary headers
Cawk makefile:
- automatically build a tar.gz file in archives directory in reports/repo or reports/run or reports/run_AUDIT_NAME
each time an assessment is run, the current date is part of the tar.gz filename
- you may clean reports or archives by new clean targets (clean_report_repo, ..., clean_archive_repo, ...), please
refer to the cawk gmake help
v2.2.0 (february 2025):
- add a new target <run_audit>, allowing to run all the assessments with AUDIT_NAMEs (audit=AUDIT_NAME)
- review all purpose/author sections and add new tests (lldp/cdp) for all supplier scopes :
cisco-ios, cisco-cedge, cisco-viptela, nokia-sros, paloalto-panos, huawei-vrp, fortinet-fortios, juniper-junos
- add new supplier scopes thanks to new authors : packetfilter-fw, iptables-fw, checkpoint-fw and new associated tests
maxime souris, adrien lebout, pierre bertrand, lucas vanhaaren, gautier goncalves, wael elsingaby
v2.1.0 (january 2025): enforce a stabilized version of the v2.0.0 release train
- update date 2024-2025 in cawk root directory
- change checkdiff output generated by <gmake check> to be compliant with all linux/unix systems (default sort output may differ from os to os)
- add <.gitkeep> in all empty cawk directories so that empty directories are still pushed to github
- enforce that the <run> repository is a full copy of the <repo> repository
- add a new target gicheckdist (implement counter-measures checks) in cawk Makefile to avoid deployment errors before github push
- optimize the cawk root Makefile for future supplier os deployment
- provide the procedure to submit a pull request
v2.0.1 (december 2024): add .gitkeep to reports/repo and reports/run as they were not pushed to github
v2.0.0 (november 2024): this is a major update with new usage of building <AUDIT-NAME> assessments
Common:
- add <number_of_pass_error> in the summary report
- review the output of the <gmake> command at cawk root directory (provide full help on the cawk gmake targets)
Makefile:
- review the Makefile parts
- use of variables to point out all cawk core directories
- able to create/delete/list an assessment based on an <AUDIT_NAME> thanks to new cawk targets :
- gmake create_audit audit=AUDIT_NAME
- gmake delete_audit audit=AUDIT_NAME
- gmake list_audit
You may refer to README for further information and the number of assessments that can be built is limited by system resources
Directories:
- confs, tests, exceptions and reports directories setup have been reviewed and organized on the same design
Tests:
- add new tests for cisco-ios, cisco-cedge, cisco-viptela, nokia-sros, paloalto-panos, huawei-vrp, fortinet-fortios, juniper-junos
v1.9.0 (october 2024):
Common:
- fix a small bug (Makefile - gmake catalog)
- add a new target : gmake common to provide the list of functions available in the common directory for tests
Tests:
- add new tests for cisco-ios, cisco-cedge, cisco-viptela, nokia-sros, paloalto-panos, huawei-vrp, fortinet-fortios, juniper-junos
- review the paloalto-panos conf (add <deviceconfig> block) and update the tests accordingly
v1.8.0 (august 2024):
Common:
- fix some little bugs or bad outputs of the Makefile
- include m4 preprocessing of exceptions to include later friendly m4 functions
- a test can have <.template> suffix and <.m4> suffix, for <.m4> a preprocessing
is performed by m4 functions available in the cawk m4 directory. m4 allows to
define predefined templates of tests managing configuration block hierarchy
automatically
Tests:
- add a new supplier : cisco-cedge
- add new tests for cisco-ios, cisco-cedge, cisco-viptela (tests with *.m4 extension)
v1.7.0 (june 2024):
Common:
- build exceptions directory with empty exception files per supplier
- update Makefile to build for each assessment an exception report
Tests:
- Run and fix bugs on all suppliers tests
v1.6.0 (june 2024):
Common:
- migrate the fw rules assessment library in common directory
- add the <research> as supplier target for development purpose
- add a new risk level = info for audit purpose
- update reporting to take into consideration the new risk level info and sort the list of tests
Tests:
- add new tests checking cisco-ios simple acl with risk level info and add other tests
- add new tests checking huawei-vrp acl (partially done) with risk level info and add other tests
- add ntp tests for cisco-ios,juniper-junos,huawei-vrp,cisco-viptela and nokia-sros
v1.5.0 (may 2024):
Common:
- add new Makefile target <view_error> to only view assessments errors
Tests:
- review all the tests and fix some bugs
For future release:
- work on firewall rules analysis in order to find redundant && inconsistent rules
- progress for cisco-ios scope
(i.e. research directory, only for dvt/test purpose)
v1.4.0 (april 2024):
Common:
- remove the init target in generated parallel Makefile built to avoid missing tests and silent mode
- enhance reporting with high, medium, low and review % computation with float
System:
- remove colors and add OK/NOK for gmake system (portability purpose)
Tests:
- add tests for cisco-ios,juniper-junos,huawei-vrp,cisco-viptela and nokia-sros
For future release:
- work on firewall rules analysis in order to find redundant && inconsistent rules
(i.e. research directory, only for dvt/test purpose)
v1.3.0 (march 2024):
Makefile:
- add Makefile.support.mk in order to set make options (i.e. cawk parallel mode)
- update Makefile to turn on cawk in parallel mode
- add a new <system> target to check if the system is ready to run cawk
Tests:
- add tests for all suppliers (fix some tests outputs / reporting)
- add cisco-viptela supplier
For next release:
- work on analysis firewall rules to find redundant && inconsistent rules
(research directory, only for dvt/test purpose)
v1.2.0 (march 2024):
Makefile:
- review catalog output and tests running output
Tests:
- update all tests purposes with similar syntax
- add tests for all suppliers
- add paloalto-panos supplier
For next release:
- work to generate a Makefile that can be run in parallel, enforcing stable system and managing write race conditions
(common/gen_cawk_makefile.gawk.template), it will be used for huge number of devices assessment
v1.1.0 (february 2024):
Makefile:
- add new suppliers for future tests and add os suffix for each scope
- add view per scope thanks to <supplier=> variable called with view target
gmake clean check_repo supplier=cisco-ios (or juniper-junos, etc.)
gmake clean check_run supplier=cisco-ios (or juniper-junos, etc.)
gmake view supplier=cisco-ios (or juniper-junos, etc.)
Tests:
- add tests in existing suppliers and configure a better writing approach for matching block
- add nokia-sros supplier
v1.0.0 (february 2024): initial version
- basic tests covering cisco-ios, huawei, fortinet, juniper-junos
- integrate a basic reporting
- fully automated by gmake