Versions Compared

Old Version 695

changes.mady.by.user Tsur Rothfeld

Saved on

compared with

New Version 696

changes.mady.by.user Tsur Rothfeld

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel1

...

  • In the Image Registries section:

    • UA - Amazon Elastic Container Registry (ECR) - Docker Integration

    • UA - Azure Container Registry Integration

    • UA - Docker Image Integration

    • UA - Google Container Registry Docker Integration

    • UA - JFrog Artifactory Docker Registry Integration

  • In the AVM section:

    • Migrating Fortify/ThreadFix Agent to the AVM Agent

Notices

Major improvements to the Azure DevOps integration will be introduced in July. The underlying scanning mechanism will be modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:

  • The extension activation procedure will be moved to the Organization settings section by navigating to Organization settings > Extensions > WhiteSource page.

  • The WhiteSource tab under Project > Pipelines will be deprecated.

  • The WhiteSource Open Source Risk Report will be available at the Azure DevOps build level only, deprecating the project level aggregated report.

  • The direct WhiteSource scan from within the Azure DevOps pipeline will be the only scanning option.

Version 21.5.1 (23-May-2021)

...

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

Notices

The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.

...

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Running the Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

Notices

The following is planned for the next Unified Agent releases:

...

  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and the content will move to the Noticespage

    • The High Severity Bugs Report topic will be deprecated

    • The File Systemtopic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation. 

Notices

In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies. 

...

New Feature Announcements

  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer

    • Layers with SHA1 were unnecessarily looked up in the index 

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

Notices

  • In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.

...

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirments.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All” in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database

Documentation Updates

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

...

Version 20.12.1.1 (21-December-2020)

  • Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.

Version 20.12.1 (20-December-2020)

...

Resolved Issues - Azure DevOps Services Integration (added 10-November-2020) 

  • Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:

    1. Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.

    2. Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.

    3. Click Authorize.

  • Scanning a project based on a GitHub Repository led to a RangeError error.

Version 20.10.1.1 (4-November-2020)

...

Azure DevOps Services Integration

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.

Documentation Updates

Unified Agent

...

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

Notices

  • Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results. 

...

  • Fixed CVE-2020-2213 

Prioritize

  • Aggregate Modules mode supported (using the -aggregateModules field).

Functionality Changes

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.

...

  • Scanning docker images with source files leads to duplicate appearances of the source libraries in the Hierarchy view.

Notices

  • Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).

...

  • Upgraded the following:

    • WildFly to version 10.1.0 

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request. 

  • Under certain conditions, scanning SBT dependencies resulted with errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

  • If the field last scan comment contains multiple lines, only the first line will be displayed in the project vitals area.

Notices

  • In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to true. 

...

  • This version introduces support for Bamboo server versions up to 7.0.3.

Functionality Changes

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, Maven resolver will not ignore .jar,.war,.ear,.zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar,.war,.ear,.zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • In some nupkg libraries, libraries which didn’t have a dash ('-') in the display name as the version separator, were not recognized as the same library and therefore did not generate the Multiple Library Versions.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

Version 19.8.1 (8-September-2019)

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

  • Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list. 

  • Optimized accuracy of data in Security Trends Dashboard:

    • After clicking on a chart, the related Alerts report only displays security vulnerability alerts. 

    • The dashboard keeps its predefined context after navigating to another GUI page. 

...