Johnny Changelog
[2024.48.0] - 2024-11-29
- Added support for parsing Conda ecosystem manifests: `environment.yml`, `meta.yml`, `conda-lock.yml`
- Added support for parsing Conda components in the build environment
- Added warning output for packages with an invalid name
- Improved dependency graph construction for formats that allow multiple versions of a single package
- Improved dependency graph construction when both files of a manifest-lockfile pair are present
- Fixed errors in generating PURL and Go package versions when scanning Docker images
- Fixed handling of SBoM files in CycloneDX format containing information in the `components[i].evidence.identity` fields
- Changed the logic for generating the distro property for PURL ALT Linux packages when scanning Docker images
- Added information about Location and Fixed Version of a vulnerability to the `sarif` format export
[2024.44.1] - 2024-11-15
- Fixed a bug with skipping gem packages in the `scan bom` command
- Fixed the `ignore` flag on Windows OS
- Fixed a bug in the parser in the Go environment on projects without dependencies
[2024.44.0] - 2024-11-02
- Added parsing of `pnpm-lock.yaml` manifests. Supported versions: 5.0-5.4, 6.0, 9.0
- Added parsing in the pnpm environment
- Takes into account the `pnpm-workspaces.yaml` configuration file when parsing `package.json`
- Added the ability to specify a group when creating a CLI project, for admin role only
- Added the ability to specify the format of the generated SBoM using the `--bom-format` parameter (starting with on-premise version 2024.44.1)
- Implemented parsing in the pip environment
- Implemented parsing in the composer environment
- When resolving dependencies in the go environment, improved the mechanism for determining the parent library of transitive dependencies obtained from the test environment
- Fixed the `unsupported type` error for composer components in the `scan bom` command
[2024.40.2] - 2024-10-18
- Fixed dependency graph construction in cases where a component occurs multiple times with different `bom-ref` values
[2024.40.1] - 2024-10-10
- Added merging of `pom.xml` and `mvn-dependency-tree.txt` parsing results to avoid unnecessary dependency resolution
- Fixed an error in checking for the presence of a lock file when using dependency resolution in the environment
[2024.40.0] - 2024-10-02
- Added workspaces parsing when working with npm manifests
- Fixed `Gemfile.lock` parser for cases with multiple Gem sections
[2024.39.0] - 2024-09-23
- Separated tags when exporting in sarif format to display all versions of the found package in DefectDojo
- Changed export of severity in sarif format to correctly display CVSS3 in DefectDojo
- Fixed issues with scanning SBoM containing Go packages
- Fixed panic when parsing empty `cargo.lock`
- Removed duplication of vulnerabilities in sarif format for cases of multiple versions of the same package
- Removed the ability to use the `format` and `no-summary` flags simultaneously
[2024.36.0] - 2024-09-05
- Added the ability to configure the used parsers via the configuration file
- Added the ability to specify the parser used in the scan file command
- Fixed parsing of multi-project/module gradle-dependency-tree
[2024.35.0] - 2024-08-20
- Fixed gradle-dependency-tree kotlin parsing
[2024.32.0] - 2024-08-09
- Added analysis of standard Go libraries to the parser in the go environment (`--go-resolve`)
- Added the ability to specify a license when creating a project
- Fixed an error when parsing `pom.xml` containing variables like `xxx.xxx.xxx.xxx`
- Fixed `scala-dependency-tree.txt` parser
- Fixed an error when scanning SBoM without a component section
[2024.29.0] - 2024-07-19
- Added export of links and CWE to sarif format
[2024.26.0] - 2024-06-24
- Added parsing in npm environment
- Added parsing in dotnet environment
- Added parsing in the poetry environment
- Added launch parameter `--block-on-empty-result` (returns code 3 if the scan result is empty)
- Added `--python-version` flag to specify the Python version in the pypi manifest family
- Fixed the construction of the dependency graph on the `package.json` and `package-lock.json` pair
- Improved parsing of `project.assets.json`
[2024.21.0] - 2024-05-24
- Improved yarn.lock parsing
- Fixed parsing in yarn environment
[2024.17.0] - 2024-04-27
- Added Johnny build for Mac with Intel processors
- Fixed scala-dependency-tree parser
[2024.15.0] - 2024-04-11
- Added support for uploading scan results in CSV format
- The path to the source file in which the dependency was found has been added to the scan result upload
- Improved search for .net packages when scanning images
[2024.13.0] - 2024-03-28
- Added support for uploading scan results in SARIF and XML formats
[2024.10.2] - 2024-03-07
- Fixed merging lock files with manifests on Windows
[2024.9.0] - 2024-02-29
- Fixed crash when parsing go.sum
[2024.7.0] - 2024-02-12
- Reduced the size of the Docker image with the agent
- Fixed a bug when hashing empty files
[2024.5.0] - 2024-01-31
- Added Scala support
- Added dependency resolution in the go environment (`--go-resolve`)
- Added dependency resolution in the maven environment (`--maven-resolve`)
- Added dependency resolution in the yarn environment (`--yarn-resolve`)
- Improved error messages in query parameters
- Added installation variables URL (`cli.api_url`) and TOKEN (`cli.api_token`) to the config
- The summary now counts the number of vulnerabilities, not packages
- Increased the width of tables when it is impossible to determine the width of the terminal
[2023.49.0] - 2023-12-08
- Added support for parsing Rust manifests `cargo.lock` and `cargo.toml`
- Added `--no-recursion` parameter to disable recursive scanning in the `scan dir` command
[2023.48.0] - 2023-11-22
- Added setting for the output format of the results table, `-f --format` (with the ability to turn off colors)
- Added setting for grouping vulnerabilities in the output, `-g --group-vulnerabilities-by`
- Added setting for sorting vulnerabilities in the output, `-s --sort-vulnerabilities-by`
- Added setting for the analysis timeout limit, `-t --timeout`
[2023.43.0] - 2023-10-27
- Added summary information about the severity of vulnerabilities to the console output
- Fixed parsing of `.gradle.kts` manifests
[2023.38.0] - 2023-09-20
- Improved parsing of package.json and composer.json manifests
[2023.35.0] - 2023-08-31
- Improved parsing of the environment field for the `Gemfile` and `Gemfile.lock` manifests
- Removed automatic merging of cells with the same CVSS value in the vulnerabilities table
[2023.33.0] - 2023-08-17
- Optimized output of tables to the console on small screens
[2023.30.0] - 2023-07-27
- Added `conanfile.py` parsing for Conan
- Added indication of the active analysis process in the form of a progress bar
- Added a table display for alerts and vulnerabilities in the console
- Unified handling of a trailing slash in the path for the `scan dir` command
[2023.27.0] - 2023-07-06
- Fixed panic when analyzing some Go projects
- Fixed scanning of images in terms of incorrect detection of components that are not dependencies
[2023.26.0] - 2023-06-30
- Improved parsing of `gradle-dependency-tree` in terms of working with classPath strings
- Fixed output of Policy Alerts to the console
[2023.23.0] - 2023-06-08
- Added parsing of different versions of the `conan.lock` format
- Fixed the parser flag being reset when reaching an empty line in `conanfile.txt`
- Fixed `yarn.lock` parsing
[2023.21.0] - 2023-05-23
- Added launch parameter `--scan-depth` to configure archive scanning depth
- Added `--scan-files` flag to the `scan image` command to scan files inside a Docker image
- Improved detection of nested dependencies of jar packages
- Fixed `Gemfile` parsing
[2023.15.0] - 2023-04-14
- Added Fixed version output
- Added the ability to save scan results
- Added the ability to create a project
- Added search for system dependencies in the Docker image
- Optimized parsing of `package-lock` v3 manifest for NPM
- Fixed some bugs
[2023.11.0] - 2023-03-16
- Added support for console commands
- Improved parsing of `pyproject.toml`
- Added cleaning of the /tmp directory after scanning the Docker image
[2023.5.0] - 2023-02-01
- Added scanning of Docker images
- Changed behavior when starting without a project
- Updated Golang to 1.19
- Fixed hashing in archives with the `--only-hashes` option
- Fixed detection of broken and password-protected archives
[2023.3.0] - 2023-01-20
- Fixed a bug when parsing `gradle-dependency-tree`
[2023.2.0] - 2023-01-13
- Added scanning of archives, enabled with the `--scan-archives` flag
[2022.52.0] - 2022-12-30
- Fixed parsing of `pom.xml` in terms of working with the dependencyManagement section
[2022.50.0] - 2022-12-12
- Added support for parsing `conan.lock` files
- Fixed passing additional data for the resolver from NuGet manifests