Added the new policy condition "Dependency is Protestware". Threats associated with protestware are marked with the CSPW identifier
Made the interface adapt to different screen sizes; the system is now easier to use on tablets and mobile devices
Added the ability to specify the name of the VCS project and create multiple VCS projects for one repository
Added the ability to run SCA analysis for a VCS project by selecting a specific branch or tag without changing the default branch
Changed policy creation and editing: a project can now be specified regardless of the selected groups and owners; the policy applies to all selected groups and projects
Added a link to the repository manager to the package page in OSA
Added a filter by technology and a corresponding column in the "Alerts" section; the column is hidden by default
Added a filter by project group to the "Alerts" and "Dependencies" sections
Added multiple selection for "Attack Surface", "Security Function", "Found", "Dependency Environment" filters in project dependencies settings
Added a "Note" column to the "Policy Ignores" section; the column is hidden by default
Added the "Type", "Authorisation type" and "Active" filters, as well as search by name and address, to the "Registries" section
Added the time zone to the PDF report generation date
Added a limit on the number of login requests from the same user: 10 attempts per minute by default
Added TLS encryption support for PostgreSQL and PgBouncer when installing via docker compose
Added filters to SCA scan history page
Updated the project and author activity maps, as well as the complexity and duplicates map: changed the image file name when downloading, removed captions in cells, improved scaling, fixed rendering errors
Changed the handling of sensitive data such as tokens, keys and passwords in the API and UI of the system
Changed how filters work throughout the system: filters are now loaded on demand (lazy loading), part of the requests have been optimised, and filters are not reloaded when returning to a page
Changed adding a user or project to a group: existing members are no longer offered for selection
Updated OpenAPI specification for the References field in the VulnerabilitySummaryDetail type
Added information to the metadata tools section when uploading an SBoM in CycloneDX format
Changed autovacuum settings to lower thresholds for tables with frequent updates
Added the max_client_conn setting for PgBouncer; the parameter regulates the total number of client connections, and its default value has been increased
Changed validation of phone number field to support international numbers
Changed the output of parent dependencies in the project dependencies table: only the first 5 values are shown
Changed the output of events in the webhooks table: only the first 5 values are shown
Fixed sorting of image vulnerabilities by Fixed Version
Fixed export of project data to CSV, reduced memory consumption
Added masking of sensitive data in installation logs
Improved Russian localisation
Fixed error output in UI when trying to create an existing project
Fixed access rights restriction errors
Fixed animation when switching between tabs of the project editing form
Support for specifying a database schema other than public via the DATABASE_SCHEMA environment variable has been discontinued. If this configuration is used, please refer to the how-to.
The CodeScoring configuration in Docker Compose has been deeply rewritten and modernized. Please read the how-to before upgrading.
Added support for Swift Package Manager ecosystem manifests
Added granular configuration of projects and groups in policy actions, so that a single policy can send notifications to different email addresses or to different Jira projects
Added modes for sending email notifications and creating Jira issues from policy actions: one per alert or a digest per scan
Added processing of secrets analysis results when working with the module via the CLI using the johnny console agent
Added the ability to recalculate secrets information in the ML model management section
Added basic support for the history of secrets scans
Added the "does not match" operator in dictionary policies
Added module icons to the system menu
Added hiding of the API token on the user settings page
The OSA API now returns the uuid of the blocked component in a separate field
Added detailed display of the password validation error when creating a new user
Added detailed display of the password validation error in the password change form
Fixed the filter by project name in the Settings -> Policy ignores section
Fixed display of package links in policy conditions in the Alerts section
Fixed system behavior when receiving results from johnny without the --save-results key specifying a project: the results are now not saved
Fixed incorrect sorting by project name in project lists
The mutually exclusive Access Token and SSH Key fields are now hidden in the different VCS connection settings to avoid incorrect validation
Fixed incorrect display of the environment on the dependency graph
Fixed the activity of the analysis start button for CLI projects without loaded dependencies
Fixed an error in the logic of applying policies when using groups
Optimized the speed of the policy page
Fixed an error with possible duplication of vulnerabilities
Optimized the mechanism for updating vulnerability information to reduce the number of entries in the database
Added the INDEX_API_FAILURE_RATE_THRESHOLD environment variable, which determines how many failed requests to the Index API in the OSA module must occur before the system considers the index unreachable
Added reconnection to Postgres when the connection is lost in the osa-registration service
Updated maps in the TQI module. Rendering has been moved to the frontend, more convenient navigation has been implemented, and additional filters by period and number of projects have been added
Optimized dependency list in SCA modules
Optimized request list in the OSA module
Fixed saving of filter state and pagination settings in the dependency editing table
Fixed a validation error when autofilling the Instance URL field when creating connections to VCS
Fixed an error setting up columns in the project list in the SCA module
Fixed translation errors when using numerals
Fixed links to dependencies and vulnerabilities in the Email digest and Jira Issue
Fixed incorrect behavior while testing connection configuration for Email server settings
Added separate project lists in the SCA, TQI and Secrets modules
Added support for the Conda ecosystem
Added editing of container image dependencies for SBoM export
Added multiple selection of projects and images in the creation of Policy Ignore
Added the ability to specify a policy stage when creating a CLI project
Added the ability to filter lists in the Vulnerabilities, Policy Alerts and Projects sections by multiple Severity, Policy and Technology values
Added saving and displaying SBoM editing in the audit log
Added displaying the name of CLI projects in the audit log
Added filter by image tag to Container Images section
Added dates of first and last SCA scan to projects list
Implemented the ability to add projects to existing groups via the API, the interface and console agent options for users with the active flag "Can create CLI projects via API"
The full display of a secret has been moved to a separate window in the Secrets section
Updated translation into Russian
Added validation of API token update
Changed the format of the recommendation field in the SBoM CycloneDX format export to correctly handle cases where a vulnerability affects several versions of the same library
Fixed an error creating a task in Jira when a policy is triggered
Fixed an error filtering by status in Policy Alerts section when resetting filters
URL input errors are now shown after input is complete
Added the ability to send webhooks for key events in the system
Added the ability for the admin user to specify values for the SBoM fields GOST:attack_surface and GOST:security_function and links to the VCS; the values are taken into account when exporting an SBoM in the CycloneDX 1.6 Ext format
Updated display of matched criteria in alerts
Added the ability to display the Source files column in the Vulnerabilities section table and in the Affected dependencies table on the vulnerability page
Added hints for the user in the policy creation and editing form
Added links from the project scan results page to the project settings page and back
Improved link typing in the externalReferences section when exporting an SBoM in CycloneDX format
Accelerated loading of the license distribution graph
Changed the technology distribution graph on the main page of the system and on the SCA tab for VCS projects: the calculation is now based on the technologies of the project dependencies found by the compositional analysis
Fixed the logic of policies when combining several conditions for the environment (env) of a dependency
Fixed import of SBoM files in CycloneDX format containing information in the components[i].evidence.identity fields
Fixed translations into Russian for numerals and some dictionaries of the system
In emails with alert notifications, the vulnerability identifier is now a hyperlink
Added beta version of interface localization into Russian, language switching is available on the user profile page
Added support for CycloneDX 1.6 specification for SBoM import and export
Added export into CycloneDX 1.6 Ext format with the addition of the fields GOST:source_lang, GOST:attack_surface and GOST:security_function to comply with FSTEC of Russia requirements. The fields are filled with the default value
For new SCA analysis results, the ability to select the CycloneDX version when downloading SBoM has been added
Improved SBoM export for all CycloneDX versions: added information about the scanned application to metadata->component, added the installation version to metadata->tools, updated the outdated format for indicating component authorship for CycloneDX 1.5 and 1.6, and fixed the format of the component license. The changes apply to new SCA analysis results
Added the "Dangerous package" classification and a corresponding policy for the OSA module. Packages with known Malware and certain types of CWE in their vulnerabilities are marked as dangerous
Added additional dates to the package view page in the OSA module: dates of the first and last request to the package, date of the last policy calculation, and date of updating information on the package
Added the Source files value to the vulnerability dump in the Vulnerabilities section
Added policy conditions for case-sensitive search of a string in the package name, contains (case sensitive), and renamed the case-insensitive conditions from icontains to contains (case insensitive)
Added the Has vulnerabilities filter and a column with the number of vulnerabilities when viewing the list in the Components and Container images sections of the OSA module
Added the ability to run mass analysis of secrets in Workmode
Added processing of the new manifest type application/vnd.docker.distribution.manifest.list.v2+json when analyzing container images
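As an added illustration (not CodeScoring's code), the following Python shows the distinction this entry is about: a manifest list is an index of per-platform manifests rather than an image, so a scanner has to resolve it to one platform's manifest before it can pull and analyse layers. The sample document and its digests are constructed, and the code assumes the mediaType field is present in the document.

```python
import json
from typing import Optional

# Media types from the Docker image distribution spec. A manifest list is an
# index of per-platform manifests, so content analysis must pick one platform's
# manifest before it can pull layers; a v2 manifest describes one image directly.
MANIFEST_LIST_V2 = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def platform_key(platform: dict) -> str:
    """Render a platform object as 'os/architecture[/variant]'."""
    key = f"{platform['os']}/{platform['architecture']}"
    return f"{key}/{platform['variant']}" if platform.get("variant") else key

def index_manifest_list(doc: dict) -> dict:
    """Return {platform_key: digest} for a manifest list; reject anything else."""
    if doc.get("mediaType") != MANIFEST_LIST_V2:
        raise ValueError(f"not a manifest list: {doc.get('mediaType')!r}")
    return {platform_key(m["platform"]): m["digest"] for m in doc["manifests"]}

def select_manifest(doc: dict, wanted: str = "linux/amd64") -> Optional[str]:
    """Return None if doc is already a single-image manifest (analyse it as is),
    the referenced digest if it is a manifest list, and raise on unknown types
    rather than guessing at the layout."""
    media_type = doc.get("mediaType")
    if media_type == MANIFEST_V2:
        return None
    if media_type == MANIFEST_LIST_V2:
        by_platform = index_manifest_list(doc)
        if wanted not in by_platform:
            raise LookupError(f"{wanted} not in list; have {sorted(by_platform)}")
        return by_platform[wanted]
    raise ValueError(f"unsupported manifest media type: {media_type!r}")

# Constructed sample (digests are placeholders): a two-platform manifest list
# in the shape a registry returns it.
SAMPLE_LIST = json.loads("""{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
     "size": 1234, "digest": "sha256:aaaa1111",
     "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
     "size": 1234, "digest": "sha256:bbbb2222",
     "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}}
  ]
}""")
```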
Added a table with projects that use the component to the component view page in the OSA module
Added a new template %USER_DN% for the filter by groups when configuring LDAP
Added the ability to start a package analysis from its page in the Components section
Added a notification about the expiration of the activation key
Fixed key columns in tables during horizontal scrolling
Implemented a periodic restart of background tasks to optimize memory consumption
Stabilized the launch time of scheduled analyses
Optimized updating of information on the secrets list page when marking up results
Fixed errors in the behavior of some lists with multiple selection
Fixed the display of user group records in the LDAP integration diagnostics section
Fixed loading a list of container images from registries if metadata on some images could not be obtained
Fixed errors in the operation of filters in the Secrets section table
Fixed an error when trying to filter dependencies by License Category = N/A
Fixed display of paginators on the SCA and TQI tabs on the project page
Changed the configuration of connection pools to PostgreSQL. To optimize the memory consumption of the installation, a division of connections to Postgres into connections through connection pools operating in session and transaction mode has been implemented. If the system is installed via docker compose, it is necessary to update the docker-compose.yml file. When using custom connection pool configurations, please consult with the support service on the update process.
Running CodeScoring no longer requires superuser rights inside the container. Instructions for migrating from root containers to rootless are available from the vendor
Added project dependency graphs (link is on the project page)
Added option to disable hash collection during SCA on installation
Added an Index API response cache for OSA (by default from 1 hour to 1.5 hours, configured through environment variables)
Added information about restrictions on using OSSIndex
Launch of mass SCA is now logged in Audit log
Swagger no longer requires an internet connection
Changed the path to static files served from the backend (docker-compose.yaml needs to be updated)
Fixed a bug where, for packages with the same name (but different versions) located in different manifests, the file in which the package was found was displayed incorrectly