Releases: broadinstitute/cromwell
70 Release Notes
CWL security fix #6510
Fixed an issue that could allow submission of an untrusted CWL file to initiate remote code execution. The vector was improper deserialization of the YAML source file.
CWL execution is enabled by default unless a `CWL` stanza is present in the configuration that specifies `enabled: false`. Cromwell instances with CWL disabled were not affected. Consequently, users who wish to mitigate the vulnerability without upgrading Cromwell may do so via this config change.
- Thank you to Bruno P. Kinoshita who first found the issue in a different CWL project (CVE-2021-41110) and Michael R. Crusoe who suggested we investigate ours.
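Because the mitigation depends on an explicit `enabled: false` inside a `CWL` stanza (and the default is enabled), a deployment can be checked for the setting before deciding whether it is exposed to #6510. The script below is an added example, not Cromwell project code; it assumes the configuration is HOCON text with a top-level `CWL { ... }` block and reads only that one setting. The sample configurations are constructed for illustration.

```python
"""Audit a Cromwell HOCON configuration for the CWL `enabled` setting.

Added example, not part of the Cromwell project. Assumption: the setting is a
top-level `CWL { enabled = ... }` stanza (HOCON accepts both `=` and `:`),
with no nested braces inside it. This is a targeted regex check, not a full
HOCON parser.
"""
import re

# Capture the body of a top-level `CWL { ... }` stanza. HOCON keys are
# case-sensitive, so only the exact key `CWL` is considered.
_CWL_STANZA = re.compile(r"(?m)^\s*CWL\s*\{([^}]*)\}")
# Inside that body, find `enabled = true|false` or `enabled: true|false`.
_ENABLED = re.compile(r"(?m)^\s*enabled\s*[=:]\s*(true|false)\b")


def strip_comments(text: str) -> str:
    """Drop HOCON `#` and `//` line comments so that a commented-out
    `# enabled = false` is not mistaken for a real setting."""
    return "\n".join(
        re.split(r"#|//", line, maxsplit=1)[0] for line in text.splitlines()
    )


def cwl_enabled(config_text: str) -> bool:
    """Return True if this configuration leaves CWL execution enabled.

    Per the Cromwell 70 notes, CWL is on by default: the only thing that
    turns it off is an explicit `enabled = false` (or `enabled: false`) in a
    `CWL` stanza. No stanza, a stanza without the key, or `enabled = true`
    all mean CWL is enabled.
    """
    cleaned = strip_comments(config_text)
    stanza = _CWL_STANZA.search(cleaned)
    if stanza is None:
        return True  # no stanza at all: default applies
    flag = _ENABLED.search(stanza.group(1))
    if flag is None:
        return True  # stanza present but key absent: default applies
    return flag.group(1) != "false"


def mitigation_status(config_text: str) -> str:
    """Human-readable verdict for an operator running a pre-70 Cromwell."""
    if cwl_enabled(config_text):
        return "CWL enabled: exposed unless running Cromwell 70 or later"
    return "CWL disabled: config-based mitigation in place"


# Constructed sample configurations (not from any real deployment).
SAMPLE_DEFAULT = """
webservice {
  port = 8000
}
"""

SAMPLE_DISABLED = """
webservice {
  port = 8000
}
CWL {
  enabled = false
}
"""

SAMPLE_COMMENTED_OUT = """
CWL {
  # enabled = false   <- commented out, so it has no effect
}
"""

if __name__ == "__main__":
    for name, cfg in [
        ("default", SAMPLE_DEFAULT),
        ("disabled", SAMPLE_DISABLED),
        ("commented-out", SAMPLE_COMMENTED_OUT),
    ]:
        print(f"{name:14s} -> {mitigation_status(cfg)}")
```

A result of `True` from `cwl_enabled` means the configuration-based mitigation is not in place; an operator should pair this with a version check, since Cromwell 70 fixes the issue regardless of the setting. The regex deliberately ignores a `cwl` stanza in another case because HOCON keys are case-sensitive and such a stanza would not be read as the `CWL` one.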
69
68 Hotfix 8e12ab5
This is a hotfix to Cromwell 68 which reverts a library update that allowed incorrect credentials to be used when performing the final copying of log files up to a user's bucket in GCS.
There was no known route to exploit this bug but it caused workflows to potentially fail with access denied errors at the final upload step and display another user's service account name in the error message.
When updating to Cromwell 68 please reference the 8e12ab5 hotfix release docker image: `broadinstitute/cromwell:68-8e12ab5`
68.1
68 Release Notes
DO NOT USE! Due to a security bug in an imported library this version of Cromwell should NOT be used. Its release files have been deleted.
Virtual Private Cloud
Previous Cromwell versions allowed PAPIV2 jobs to run on a specific subnetwork inside a private network by adding the information to Google Cloud project labels.
Cromwell now allows PAPIV2 jobs to run on a specific subnetwork inside a private network by adding the network and subnetwork name directly inside the `virtual-private-cloud` backend configuration. More info here.
67 Release Notes
Configuration updates for improved scaling
Some configuration changes were introduced in Cromwell 67 to support improved scaling. See Cromwell's `reference.conf` for details on new parameters.
- I/O throttling moved from `io` to its own `io.throttle` stanza; config updates may be required if these values are currently being overridden in local deployments.
- The default `system.job-rate-control` has been changed from 50 per second to 20 per 10 seconds.
- New configuration parameters have been introduced for values which were previously hardcoded constants:
  - `system.file-hash-batch-size`, value updated from 100 to 50.
  - `io.gcs.max-batch-size`, value stays the same at 100.
  - `io.gcs.max-batch-duration`, value stays the same at 5 seconds.
- New configuration parameters which should not require updating:
  - `io.command-backpressure-staleness`
  - `io.backpressure-extension-log-threshold`
  - `load-control.io-normal-window-minimum`
  - `load-control.io-normal-window-maximum`
- `io.nio.parallelism` was previously misspelled in `reference.conf` but not in Cromwell's configuration reading code. Only correct spellings of this configuration key had or will have effect.
66 Release Notes
Google Artifact Registry Support
Cromwell now supports call caching when using Docker images hosted on Google Artifact Registry.
Google Image Repository Hashing Updates
The previously documented `docker.hash-lookup.gcr` configuration has been renamed to `docker.hash-lookup.google` and now applies to both Google Container Registry (GCR) and Google Artifact Registry (GAR) repositories.
Support for the `docker.hash-lookup.gcr-api-queries-per-100-seconds` configuration key has been formally discontinued and a bug preventing correct handling of `docker.hash-lookup...throttle` configuration has been fixed.
Please see Cromwell's bundled `reference.conf` for more details.
65 Release Notes
- An additional set of metrics relating to metadata age were added.
64
63 Release Notes
Removed refresh token authentication mode
Google Pipelines API v1 supported authentication with refresh tokens, while v2 of the API does not.
Now that v1 has been discontinued and shut down, this version of Cromwell removes support for refresh tokens.