Added vulnerability reachability analysis for Java, powered by the Svace call graph builder
Added policy "Vulnerability is reachable"
Added UI display of the reachability attribute for vulnerabilities
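Illustration of what the reachability attribute means (added here; this is not CodeScoring or Svace code): once a call graph exists, "vulnerability is reachable" reduces to a graph search from the application's entry points to the symbols a vulnerability affects. The call graph, entry points and method names below are constructed, and `org.example.lib.Parser.parse` stands in for a vulnerable method of a third-party dependency.

```python
from collections import deque

# Constructed call graph for a toy Java service: caller -> list of callees.
# All symbols are hypothetical.
CALL_GRAPH = {
    "com.acme.web.Api.handleUpload": ["com.acme.svc.Importer.run"],
    "com.acme.svc.Importer.run": ["org.example.lib.Parser.parse",
                                  "com.acme.util.Log.info"],
    "com.acme.web.Api.handlePing": ["com.acme.util.Log.info"],
    "org.example.lib.Parser.parse": ["org.example.lib.Parser.expand"],
    # dead tooling code: calls a vulnerable symbol, but is not an entry point
    "com.acme.tools.Unused.main": ["org.example.lib.Other.risky"],
}
ENTRY_POINTS = ["com.acme.web.Api.handleUpload", "com.acme.web.Api.handlePing"]


def find_path(graph, entry_points, target):
    """Breadth-first search from the entry points. Returns the call chain that
    reaches `target`, or None when no entry point leads to it."""
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return list(reversed(chain))
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def vulnerability_is_reachable(graph, entry_points, affected_symbols):
    """Policy-style check: reachable if at least one affected symbol lies on a
    call chain from an entry point. Returns (verdict, chain or None)."""
    for symbol in affected_symbols:
        chain = find_path(graph, entry_points, symbol)
        if chain:
            return True, chain
    return False, None


if __name__ == "__main__":
    print(vulnerability_is_reachable(CALL_GRAPH, ENTRY_POINTS, ["org.example.lib.Parser.expand"]))
    print(vulnerability_is_reachable(CALL_GRAPH, ENTRY_POINTS, ["org.example.lib.Other.risky"]))
```

Caveat for anyone building a policy on the attribute: a static call graph misses edges created through reflection, dependency injection and serialization hooks, so "not reachable" lowers priority but does not prove the vulnerability is unexploitable.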
Added ability to specify component manufacturer data to be placed in the relevant section of SBOM versions CycloneDX 1.6 and CycloneDX 1.6 ext, both at installation level and per project
Added new environment variables DEFAULT_PROJECT_MANUFACTURER_NAME, DEFAULT_PROJECT_MANUFACTURER_EMAIL, DEFAULT_PROJECT_MANUFACTURER_HOMEPAGE
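Illustration of how the two configuration levels combine into the CycloneDX 1.6 structure (added example, not CodeScoring's export code). It assumes the data lands in `metadata.component.manufacturer`, the `organizationalEntity` that CycloneDX 1.6 introduced for the scanned component (the page does not name the exact field); the BOM, environment values and project override are constructed.

```python
import copy

ENV_NAME = "DEFAULT_PROJECT_MANUFACTURER_NAME"
ENV_EMAIL = "DEFAULT_PROJECT_MANUFACTURER_EMAIL"
ENV_HOMEPAGE = "DEFAULT_PROJECT_MANUFACTURER_HOMEPAGE"

# Constructed CycloneDX 1.6 document standing in for a freshly generated SBOM.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "acme-billing", "version": "3.4.0"},
    },
    "components": [],
}


def manufacturer_entity(env, project=None):
    """Resolve manufacturer data: per-project values (dict with optional
    name/email/homepage) win over the installation-level environment variables.
    Returns a CycloneDX organizationalEntity, or None when no name is set at
    either level, so the section is omitted rather than emitted empty."""
    project = project or {}
    name = project.get("name") or env.get(ENV_NAME)
    if not name:
        return None
    entity = {"name": name}
    homepage = project.get("homepage") or env.get(ENV_HOMEPAGE)
    if homepage:
        entity["url"] = [homepage]                 # organizationalEntity.url is an array
    email = project.get("email") or env.get(ENV_EMAIL)
    if email:
        entity["contact"] = [{"email": email}]     # organizationalContact entries
    return entity


def attach_manufacturer(bom, entity):
    """Place the entity under metadata.component.manufacturer (assumed location).
    The key exists only from spec 1.6 on, so older documents are rejected
    instead of being given a field their schema does not validate."""
    if bom.get("specVersion") != "1.6":
        raise ValueError("component.manufacturer requires CycloneDX 1.6")
    if entity is not None:
        bom["metadata"]["component"]["manufacturer"] = entity
    return bom


def export_bom(env, project=None):
    """Produce a new SBOM document with manufacturer data applied."""
    return attach_manufacturer(copy.deepcopy(SAMPLE_BOM), manufacturer_entity(env, project))


if __name__ == "__main__":
    import json
    env = {ENV_NAME: "Example Corp", ENV_EMAIL: "sbom@example.com",
           ENV_HOMEPAGE: "https://example.com"}
    print(json.dumps(export_bom(env, {"name": "Acme Billing Team"})["metadata"], indent=2))
```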
Added saving of annotated data when importing SBoM
Added suspicious commit links for vulnerabilities with CSPW identifiers in SBoM
Added integration with external identity providers implementing the OpenID Connect protocol
Added localization of PDF reports in the SCA module
Added saving of links for Jira issues and emails created by automatic actions with alerts
Added "Requirement" field displaying the required version range from the manifest in the project dependencies section
Added optional "Priority" field in the Jira task creation policy action form
Added ability to create custom templates for emails and Jira tasks in alert actions (default template is built-in)
Added script for re-encrypting sensitive data when changing the SECRET_KEY token
Added "Release Date" field to the project dependencies list
Added grouping of options in the condition dropdown when configuring a policy
Added rule dragging on the policy configuration page, and updated their appearance
Added ability to automatically update the audit log list
Added project search and filters by project, relation, detection type, and environment for individual vulnerabilities on the dependencies page
Added ability to calculate the number of unique authors in GitLab outside of analysis runs
Added ability to run SBOM scans from scan history to check for new vulnerabilities in historical component data
Added "Max fixed version" field to the dependencies section of the project PDF report
Added filtering by multiple authors on the "List" and "Activity Map" tabs in the TQI -> Authors section
Added tooltip popup with author’s projects when hovering over author’s project count in the TQI -> Authors section
Added author filter on the project list page in the TQI section
Added "Number of Authors" chart on the project page in the TQI section
Added "Author’s Commits" and "Author’s Projects" charts on the author page in the TQI section
Added ability to rename projects
Added ability to perform bulk actions on certain entities in the Settings section
Added ability to stop report generation
Added ability to export a CSV report with secrets on the project tab
Added ability to generate a PDF report with secrets on the project tab
Changed how parameters for connected container images registries are configured: environment-variable configuration has been removed; all settings are now managed in the UI.
SCA Added a condition for the Dependency is a descendant policy to search for child dependencies of a selected package at any level of the dependency graph
SCA Added the Max fixed version column in the dependency table
SCA Added the ability to download the current version of the Johnny binary agent directly from the installation
Added the "Technology" column to the alert list export
Added pop-up notifications with the analysis result upon its completion
Added search in drop-down list of criteria in policy creation and editing forms
Added duplicate block of buttons after the group of conditions in policy creation and editing forms
Added ability to expand the policy conditions management block
The tasks-media queue has been transferred to Celery. The number of workers is controlled by the variables CELERY_MEDIA_WORKER_CONCURRENCY (minimum, default is 2) and CELERY_MEDIA_WORKER_MAX_CONCURRENCY (maximum, default is 4). The variable HUEY_MEDIA_WORKERS has been removed
OSA The OSA background package update mechanism has been optimized: only relevant packages are updated. By default, packages requested in the last 14 days are considered relevant; the period is configured in the installation settings
Improved error messages when checking the availability of repositories via SSH
Improved display of the list of events in the "Webhooks" section
Secrets Improved logic for displaying the ML model management section in the Secrets module
Optimized the algorithm for launching policy recalculation when updating vulnerabilities: launch occurs only when data that affects policies changes
Optimized loading of pages with images and alerts
Changed the choice of a secure protocol for connecting to a mail server from checkboxes to a field with a drop-down list
Unified action buttons in sections with entity tables
Updated the OpenAPI specification in terms of error handling
OSA Changed the base image in the OSA API service from Debian bookworm to Alpine
Updated the pgbouncer image to switch its DNS backend from libevent to c-ares, adding support for SOA resource record types and the EDNS0 protocol
Secrets Updated gitleaks version for Secrets module to 8.27.0
Updated Redis image from 7.0.12 to 7.4.3
Updated PostgreSQL image from 13.4 to 13.21
SCA Updated Johnny version on installation to 2025.29.1
Added new policy condition "Dependency is Protestware". Threats that are associated with protest software are marked with the CSPW identifier
Added interface adaptability for different screen sizes, the system is now easier to use on tablets and mobile devices
Added the ability to specify the name of the VCS project and create multiple VCS projects for one repository
Added the ability to run SCA analysis for a VCS project by selecting a specific branch or tag without changing the default branch
Changed creation and editing of policies: now it is possible to specify a project regardless of selected groups and owners, the policy will work for all selected groups and projects
Added a link to the repository manager to the package page in OSA
Added filter by technology and corresponding column in the "Alerts" section, the column is hidden by default
Added filter by project group in "Alerts" and "Dependencies" sections
Added multiple selection for "Attack Surface", "Security Function", "Found", "Dependency Environment" filters in project dependencies settings
Added "Note" column to the "Policy Ignores" section, the column is hidden by default
Added filters "Type", "Authorisation type", "Active" and search by name and address to "Registries" section
Added time zone in PDF report generation date
Added rate limiting of login attempts per user, 10 attempts per minute by default
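Illustration of the per-user limit as a sliding window (added example; not CodeScoring's implementation, whose algorithm the page does not describe). The limiter takes an injectable clock so the constructed attempt sequence below replays deterministically.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds for
    each key. Keyed by user name it gives the per-user limit; the same class
    keyed by source address catches password spraying across many accounts,
    which a per-user limit alone never sees."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                       # injectable for deterministic tests
        self._attempts = defaultdict(deque)      # key -> timestamps of counted attempts

    def allow(self, key):
        """True if the attempt may proceed, False if it is throttled. Rejected
        attempts are not recorded, so a throttled user regains capacity as
        soon as the oldest counted attempt leaves the window."""
        now = self.clock()
        window_start = now - self.window
        q = self._attempts[key]
        while q and q[0] <= window_start:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(attempts, limit=10, window=60.0):
    """Replay (timestamp, user) login attempts against a fake clock and return
    the limiter's decision for each one."""
    state = {"now": 0.0}
    limiter = LoginRateLimiter(limit, window, clock=lambda: state["now"])
    decisions = []
    for ts, user in attempts:
        state["now"] = ts
        decisions.append(limiter.allow(user))
    return decisions


# Constructed scenario: alice hammers the login form, bob logs in once while
# alice is throttled, and alice tries again once her first attempt ages out.
SCENARIO = [(float(i), "alice") for i in range(12)] + [(5.0, "bob"), (60.0, "alice")]

if __name__ == "__main__":
    for (ts, user), ok in zip(SCENARIO, replay(SCENARIO)):
        print(f"t={ts:5.1f} {user:6} {'allowed' if ok else 'throttled'}")
```

Throttling (as here) rather than hard-locking the account matters: a hard lock lets anyone who knows a user name deny that user service by sending ten bad passwords a minute.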
Added TLS encryption support for PostgreSQL and PgBouncer when installing via docker compose
Added filters to SCA scan history page
Updated project and author activity maps, as well as complexity and duplicates map: changed image file name when downloading, removed captions in cells, improved scaling, fixed rendering errors
Changed handling of sensitive data such as tokens, keys and passwords in API and UI of the system
Changed how filters work throughout the system: filters are now loaded on demand (lazy load), some requests have been optimised, and filters are not reloaded when returning to a page
Changed adding a user or project to a group: existing ones will not be offered for selection
Updated OpenAPI specification for the References field in the VulnerabilitySummaryDetail type
Added information to metadata tools section when uploading SBoM in CycloneDX format
Changed autovacuum settings to lower thresholds for tables with frequent updates
Added the max_client_conn setting for pgbouncer; it caps the total number of client connections, and the default value has been increased
Changed validation of phone number field to support international numbers
Changed output of parent dependencies in the project dependencies table, only the first 5 values are shown
Changed output of events in the webhooks table, only the first 5 values are shown
Fixed sorting of image vulnerabilities by Fixed Version
Fixed export of project data to CSV, reduced memory consumption
Added masking of sensitive data in installation logs
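Illustration of the kind of masking this entry describes (added example, not the product's masking code): a small set of patterns for the value kinds named on this page (passwords, keys, tokens, including a SECRET_KEY) applied to constructed log lines before they are written out.

```python
import re

# Patterns tuned to the constructed log lines below. A real installation's
# log formats (JSON bodies, multi-line dumps) would need additional patterns.
PATTERNS = [
    # key=value or key: value pairs whose key names a credential
    (re.compile(r"(?i)\b(password|passwd|secret_key|api_token|access_token|token|api_key)"
                r"(\s*[=:]\s*)(\S+)"),
     r"\1\2***"),
    # Authorization headers (Bearer / Basic)
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)(\S+)"), r"\1***"),
    # credentials embedded in connection URLs: scheme://user:password@host
    (re.compile(r"(://[^/\s:@]+:)([^@\s]+)(@)"), r"\1***\3"),
]


def mask(line):
    """Apply every pattern in order; a line with no secrets comes back unchanged."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def mask_lines(lines):
    return [mask(line) for line in lines]


# Constructed installation log lines, not output of any real system.
SAMPLE_LOG = [
    "INFO  config loaded DATABASE_URL=postgresql://codescoring:s3cr3t@db:5432/codescoring",
    "INFO  SECRET_KEY=AbC123xyz loaded from environment",
    "DEBUG request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "INFO  login user=admin password=hunter2 status=ok",
    "INFO  GET /api/v1/projects?api_token=tok_9f8e7d6c HTTP/1.1 200",
    "INFO  scheduled analysis finished in 42s",
]

if __name__ == "__main__":
    for line in mask_lines(SAMPLE_LOG):
        print(line)
```

Masking belongs at the point where the log line is formatted, not in a post-processing step over files that have already been shipped to a collector; the second approach leaves the raw value in every buffer and forwarder along the way.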
Improved Russian localisation
Fixed error output in UI when trying to create an existing project
Fixed access rights restriction errors
Fixed animation when switching between tabs of the project editing form
Support for specifying a database schema other than public via the DATABASE_SCHEMA environment variable has been discontinued. If this configuration is used, please refer to the how-to.
The CodeScoring configuration in Docker Compose has been deeply rewritten and modernized. Please read the how-to before upgrading.
Added support for Swift Package Manager ecosystem manifests
Added granular projects configuration and groups in policy actions to send notifications to different email addresses or different projects in Jira within a single policy
Added modes for sending email notifications and creating issues in Jira within policy actions: one per alert or digest per scan
Added processing of secrets analysis results when working with a module via CLI using the johnny console agent
Added the ability to recalculate secrets information in the ML model management section
Added basic work with the history of secrets scans
Added the "does not match" operator in dictionary policies
Added module icons to the system menu
Added hiding of the API token on the user settings page
Added returning of the uuid of the blocked component in the OSA API in a separate field
Added detailed display of the password validation error when creating a new user
Added detailed display of the password validation error in the password change form
Fixed the filter by project name in the Settings -> Policy ignores section
Fixed display of package links in policy conditions in the Alerts section
Fixed system behavior when receiving results from johnny without the --save-results key specifying a project, now the results will not be saved
Fixed incorrect sorting by project name in project lists
Added hiding of mutually exclusive Access Token and SSH Key fields in different connection settings to VCS to avoid incorrect validation
Fixed incorrect display of the environment on the dependency graph
Fixed the activity of the analysis start button for CLI projects without loaded dependencies
Fixed an error in the logic of applying policies when using groups
Optimized the speed of the policy page
Fixed an error with possible duplication of vulnerabilities
Optimized the mechanism for updating vulnerability information to reduce the number of entries in the database
Added the environment variable INDEX_API_FAILURE_RATE_THRESHOLD, which sets how many failed requests to the Index API must occur in the OSA module before the system considers the index unreachable
Added pre-connection to Postgres when the connection is lost in the osa-registration service
Updated maps in the TQI module. Rendering has been moved to the frontend, more convenient navigation has been implemented, and additional filters by period and number of projects have been added
Optimized dependency list in SCA modules
Optimized request list in the OSA module
Fixed saving of filter state and pagination settings in the dependency editing table
Fixed a validation error when autofilling the Instance URL field when creating connections to VCS
Fixed an error setting up columns in the project list in the SCA module
Fixed translation errors when using numerals
Fixed links to dependencies and vulnerabilities in the Email digest and Jira Issue
Fixed incorrect behavior while testing connection configuration for Email server settings
Added separate project lists in the SCA, TQI and Secrets modules
Added support for the Conda ecosystem
Added editing of container image dependencies for SBoM export
Added multiple selection of projects and images in the creation of Policy Ignore
Added the ability to specify a policy stage when creating a CLI project
Added the ability to filter lists in the Vulnerabilities, Policy Alerts and Projects sections by multiple Severity, Policy and Technology values
Added saving and displaying SBoM editing in the audit log
Added displaying the name of CLI projects in the audit log
Added filter by image tag to Container Images section
Added dates of first and last SCA scan to projects list
Implemented ability to add projects to existing groups via API, interface and console agent options for users with the active flag "Can create CLI projects via API"
The full display of the secret in the section has been moved to a separate Secrets window
Updated translation into Russian
Added validation of API token update
Changed the format of the recommendation field in the SBoM CycloneDX format export to correctly handle cases where a vulnerability affects several versions of the same library
Fixed an error creating a task in Jira when a policy is triggered
Fixed an error filtering by status in Policy Alerts section when resetting filters
URL input errors are now shown after input is complete
Added the ability to send webhooks for key events in the system
Added the ability for the admin user to specify values for the SBoM fields GOST:attack_surface, GOST:security_function and links to VCS; the values are taken into account when exporting SBoM in the CycloneDX 1.6 Ext format
Updated display of matched criteria in alerts
Added the ability to display the Source files column in the Vulnerabilities section table and in the Affected dependencies table on the vulnerability page
Added hints for the user in the policy creation and editing form
Added links from the project scan results page to the project settings page and back
Improved link typification in the externalReferences section when exporting SBoM in CycloneDX
Accelerated loading of the license distribution graph
Changed the technology distribution graph on the main page of the system and on the SCA tab for VCS projects, the calculation is based on the project dependency technologies based on the results of compositional analysis
Fixed the logic of policies when combining several conditions for the environment (env) of a dependency
Fixed import of SBoM files in CycloneDX format containing information in the components[i].evidence.identity fields
Fixed translations into Russian for numerals and some dictionaries of the system
In emails with alert notifications, the vulnerability identifier is now a hyperlink
Added beta version of interface localization into Russian, language switching is available on the user profile page
Added support for CycloneDX 1.6 specification for SBoM import and export
Added export into CycloneDX 1.6 Ext format with the addition of the fields GOST:source_lang, GOST:attack_surface and GOST:security_function to comply with FSTEC of Russia requirements. The fields are filled with the default value
For new SCA analysis results, the ability to select the CycloneDX version when downloading SBoM has been added
Improved SBoM export into all CycloneDX versions: added information about the scanned application to metadata->component, added information about the installation version to metadata->tools, updated the outdated format for indicating the authorship of components for CycloneDX versions 1.5 and 1.6, fixed the format of the component license. Changes are available for new SCA analysis results
Added “Dangerous package” classification and corresponding policy for OSA module. Packages with known Malware and certain types of CWE in vulnerabilities are marked as dangerous
Added additional dates to the package view page in the OSA module: dates of the first and last request to the package, date of the last policy calculation, and date of updating information on the package
Added the Source files value to the vulnerability dump in the Vulnerabilities section
Added policy conditions for case-sensitive search of a string in the package name contains (case sensitive), and changed the names of case-insensitive conditions from icontains to contains (case insensitive)
Added the Has vulnerabilities filter and a column with the number of vulnerabilities when viewing the list in the Components and Container images sections of the OSA module
Added the ability to run mass analysis of secrets in Workmode
Added processing of the new manifest type application/vnd.docker.distribution.manifest.list.v2+json when analyzing container images
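Illustration of why this manifest type needs separate handling (added example; not the product's registry client). A manifest list is a multi-platform index: it carries no layers itself, only one entry per platform, so an analyser has to pick the entry for the platform it scans and fetch that manifest by digest. The registry responses below are constructed and the digests are placeholders.

```python
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def _digest(ch):
    """Placeholder digest of the right shape (sha256: plus 64 hex characters)."""
    return "sha256:" + ch * 64


# Constructed response for a multi-arch tag.
SAMPLE_LIST = {
    "schemaVersion": 2,
    "mediaType": DOCKER_LIST,
    "manifests": [
        {"mediaType": DOCKER_MANIFEST, "size": 1201, "digest": _digest("a"),
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": DOCKER_MANIFEST, "size": 1203, "digest": _digest("b"),
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
        {"mediaType": DOCKER_MANIFEST, "size": 3310, "digest": _digest("c"),
         "platform": {"architecture": "amd64", "os": "windows", "os.version": "10.0.20348.2402"}},
    ],
}

# Constructed response for a single-platform tag: already an image manifest.
SAMPLE_SINGLE = {
    "schemaVersion": 2,
    "mediaType": DOCKER_MANIFEST,
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 7023, "digest": _digest("d")},
    "layers": [],
}


def list_platforms(doc):
    """os/arch[/variant] strings for each entry of a manifest list or OCI index."""
    result = []
    for entry in doc.get("manifests", []):
        p = entry.get("platform", {})
        result.append("/".join(v for v in (p.get("os"), p.get("architecture"), p.get("variant")) if v))
    return result


def resolve_platform_digest(doc, os_name="linux", arch="amd64", variant=None):
    """Return the digest of the single-platform manifest to analyse, or None when
    `doc` already is one. Raises LookupError if the list has no entry for the
    requested platform and ValueError for an unknown document type."""
    media_type = doc.get("mediaType")
    if media_type in (DOCKER_MANIFEST, OCI_MANIFEST):
        return None
    if media_type not in (DOCKER_LIST, OCI_INDEX):
        raise ValueError(f"unsupported manifest mediaType: {media_type!r}")
    for entry in doc.get("manifests", []):
        platform = entry.get("platform", {})
        if platform.get("os") != os_name or platform.get("architecture") != arch:
            continue
        if variant is not None and platform.get("variant") != variant:
            continue
        return entry["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}; available: {list_platforms(doc)}")


if __name__ == "__main__":
    print(resolve_platform_digest(SAMPLE_LIST))
    print(resolve_platform_digest(SAMPLE_LIST, "linux", "arm64", "v8"))
    print(resolve_platform_digest(SAMPLE_SINGLE))
```

Two practical consequences: a registry returns the list only when the request's Accept header names the list media type (otherwise it serves a single-platform fallback), and the digest users see for a multi-arch tag is the list's digest, which differs from every per-platform manifest digest, so findings keyed on digest must record which one they refer to.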
Added a table with projects that use the component to the component view page in the OSA module
Added a new template %USER_DN% for the filter by groups when configuring LDAP
Added the ability to start a package analysis from its page in the Components section
Added a notification about the expiration of the activation key
Fixed key columns in tables during horizontal scrolling
Implemented a periodic restart of background tasks to optimize memory consumption
Stabilized the launch time of scheduled analyses
Optimized updating of information on the secrets list page when marking up results
Fixed errors in the behavior of some lists with multiple selection
Fixed the display of user group records in the LDAP integration diagnostics section
Fixed loading a list of container images from registries if metadata on some images could not be obtained
Fixed errors in the operation of filters in the Secrets section table
Fixed an error when trying to filter dependencies by License Category = N/A
Fixed display of paginators on the SCA and TQI tabs on the project page
Changed the configuration of PostgreSQL connection pools. To reduce the installation's memory consumption, connections to Postgres are now split between pools operating in session mode and pools operating in transaction mode. If the system is installed via docker compose, the docker-compose.yml file must be updated. If you use a custom connection pool configuration, consult the support service about the update process.
Running CodeScoring no longer requires superuser rights inside the container. Instructions for migrating from root containers to rootless are available from the vendor
Added project dependency graphs (link is on the project page)
Added option to disable hash collection during SCA on installation
Added an Index API response cache for OSA (the cache lifetime defaults to between 1 and 1.5 hours and is configured through environment variables)
Added information about restrictions on using OSSIndex
Launch of mass SCA is now logged in Audit log
Swagger no longer requires internet access
Changed the path to the static files served by the backend (docker-compose.yaml must be updated)
Fixed a bug due to which in packages of the same name (with different versions) located in different manifests, information about the file in which the package was found was incorrectly displayed