🏁 The Road to v1.1.0

[xMinhx]

SecureCheckPlus v1.1.0 - Proposed Release Thread

This thread is meant to keep the v1.1.0 release in one place.
It pulls together the current issues, open PRs, and a few recommendations for what should make the cut.
If you want to work on something, review a PR, or suggest a change in scope, jump in.

---

Before anything else: unblock CI

Right now, all PRs are effectively stuck because the workflow still expects self-hosted runners that are no longer available.

That means the first thing we need to do for v1.1.0 is:

• Merge ci: switch workflow jobs to github-hosted runners #60 — switch CI to ubuntu-latest
• Close fixed warning about missing env variable by setting default value #55 after fix: set local adapter SERVER_URL default (supersedes #55) #59 is merged, since fix: set local adapter SERVER_URL default (supersedes #55) #59 supersedes it
• Make sure the pipeline is green again before we try to land the rest

Without that, the rest of the release does not really move.

---

What should be in v1.1.0

The goal for v1.1.0 should be pretty simple:

• make the project easier to understand
• make the core report experience better
• fix incorrect or confusing behavior
• make local and production deployment more reliable

This should mostly be a stabilization and polish release, not a big feature release.

---

1. Better onboarding and documentation

Right now, it is still too hard for a new user or contributor to understand what SecureCheckPlus is, how it is structured, and how to get it running.

For v1.1.0, we should improve that with:

• a clear introduction and graphical overview of the application (Provide motivating introduction including a graphical overview #36)
• an ER diagram so developers can understand the data model faster (Provide diagram of ER model #18)
• completed developer docs, since parts are still incomplete or inconsistent (Complete developer documentation #33)
• a setup note about invalid credentials, so people do not run into a silent failure on first setup (Add note about invalid credentials during setup #1)
• a simple preview Docker Compose setup, so people can spin up a local demo without half a day of setup (Enabling local docker based demo preview #58 / Providing a simple preview docker-compose #57)

Why this matters:
Good onboarding lowers the barrier for contributors and makes the project much easier to try out.

---

2. Improve the report experience

In the report view the UX here should feel finished.

The main improvements we should land are:

• show CVE descriptions directly on the details page (added cve description to the details page #56, closes Show CVE description on details page #41)
• make the whole report row clickable instead of relying on a tiny open icon (made the whole row clickable and removed the column open #49, closes Make whole row of report list hyperlink to details #38)
• add CVSS tooltips so users understand the severity values without needing outside knowledge (Add cvss calculator tooltips #52, closes Add descriptions of CVSS ratings as tool tips #24)
• fix the broken "All" chart label on the project page (added localization for the chart all on the project-page #50, closes Chart "All" misnamed #35)

Why this matters:
These changes make the product easier to use and easier to understand, especially for people who are not deep in security every day.

---

3. Fix confusing or incorrect behavior

There are a few bugs, those should be part of v1.1.0.

• "Removed" state inconsistency — counts, filters, and chart behavior do not line up correctly when a dependency has been removed from the SBOM (Some confusion about state "removed" #34)
• Project name validation mismatch — frontend and backend validation are out of sync, which can cause silent failures (Fix project name length validation #43, 26 extended length of fields project_name and project_id #53, closes Extend field lengths of project id and project name #26 and Check input length of project name #27)
• Profile pictures failing in production (Fix profile picture loading error in production #45, closes Loading the profile picture errors in production #22)

---

4. Production and local deployment stability

For v1.1.0, that means:

• re-enable Gunicorn for production use (48 reactivate gunicorn #54, closes Re-activate Gunicorn run-time for production #48)
• fix the missing SERVER_URL default so local Docker setups do not throw unnecessary warnings (fix: set local adapter SERVER_URL default (supersedes #55) #59, closes Inconsistency in default environment #40)

Small on paper, but important for credibility.

---

5. One additional feature worth considering

If we want to add one small feature on top of the stabilization work, the best candidate is probably this:

• Waiver visibility per project (Provide list of waivers #11)

Right now, waiver information is buried inside individual CVE detail pages. That makes it harder to audit what has already been accepted and why.

A basic first version for v1.1.0 could be:

• a simple list of active waivers for a project
• show the waiver comment
• show the adjusted CVSS score, if there is one

The PDF export part can wait until a later release.

This would be useful, visible to users, and still reasonably contained.

---

What we should not pull into v1.1.0

To keep this release focused, these items should stay out of scope for now:

Issue	Title	Why it should wait	Verdict
#5	Add attestations to CI pipeline	Useful, but not a release blocker for the current setup	Defer
#7	Local CVE server setup	More infrastructure, not urgent right now	Defer
#12	Report statistics history	Bigger backend + frontend feature, deserves its own release	Defer
#14	Support links to JIRA	External integration, needs more product decisions	Defer
#17	Trivy scanner support	Feature expansion, not stabilization	Defer
#19	Email feature	Larger backend feature, not urgent for v1.1.0	Defer
#13	Support for other DB backends	More complexity without clear immediate demand	Defer
#8	Responsive design for mobile	Legitimate improvement, but broader than this release should take on	Defer unless effort is unexpectedly tiny
#9	Improve authorization support	Important, but too large for a stabilization release	Defer
#15	Extend data model	Too broad and not clearly scoped yet	Needs separate discussion
#16	CycloneDX SBOM support	Valuable, but this is feature expansion, not release cleanup	Defer

---

I'd recommend the following merge order, feel free to add your own opinions:

1. ci: switch workflow jobs to github-hosted runners #60: CI runner fix
2. fix: set local adapter SERVER_URL default (supersedes #55) #59: environment variable default fix
   then close fixed warning about missing env variable by setting default value #55 as superseded
3. 48 reactivate gunicorn #54: Gunicorn reactivation
4. 26 extended length of fields project_name and project_id #53: backend field length extension
5. Fix Dockerfile code smells #46: Dockerfile cleanup
6. Fix profile picture loading error in production #45: profile picture fix
7. Fix project name length validation #43: project name validation
8. added localization for the chart all on the project-page #50: chart label fix
9. made the whole row clickable and removed the column open #49: clickable rows
10. Add cvss calculator tooltips #52: CVSS tooltips
11. added cve description to the details page #56: CVE descriptions
12. Enabling local docker based demo preview #58: Docker preview setup

---

A note on #58

PR #58 is valuable, but it is also the biggest change in this batch.

It introduces a cleaner frontend/backend split and a much better local preview story, but it should get a deliberate review because it changes how people run the project locally.

---

Summary

My take for v1.1.0 is:

• fix CI first
• merge the important bug fixes and deployment fixes
• land the existing UX improvements
• improve onboarding
• maybe include one small extra feature, with waiver visibility being the strongest candidate

---

Want to help?

• Pick an issue from the list above and comment on it
• Review one of the open PRs
• Suggest something that is missing from the release scope
• If you think an item should move in or out of v1.1.0, say why

---

Last updated: 2026-04-04