These release notes are for the WhiteSource cloud solution, and do not apply to the on-premises solution that has its own release notes. Click hereto view known issues.
Additionally, we suggest you stay informed by regularly checking the /wiki/spaces/WD/pages/500105346page.
NOTES:
Release notes are subject to change until the actual release date. Note that WhiteSource reserves the right to postpone the release of this page for up to and including 48 hours after the version’s actual release.
This page is "dynamic" and is subject to change between official releases. WhiteSource reserves the right to modify this page retroactively. Check this page periodically between official releases to ensure you are up-to-date with all hotfixes, changes and additions to WhiteSource's products.
...
For organizations that were migrated to vulnerability-based alerting mode, a permission error would appear when clicking on the Alerts section in the Updates notification emails.
Notices
Following improvements in the Gradle resolution, the
gradle.wrapperPathparameter will become obsolete in the next release of the Unified Agent.Starting from Unified Agent release version 21.12.2, the MD5 checksum will be replaced by a SHA256 checksum that will be published next to the released JAR.
Starting from the Jira Server Plugin release version 21.12.2, Jira Server version 7.13 will no longer be supported.
Documentation Updates
The main API page HTTP API v1.3 was updated to include a list of API requests currently supported by WhiteSource.
...
The Unified Agent now supports Yarn 3.
Excluding Docker layers from the Unified Agent’s scan is now available in Beta status via the docker.excludeLayersByLabel configuration parameter.
...
This version introduces support for NPM 7.
A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.
...
In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.
Running the gcloud auth command failed during Docker scan on Mac computers.
Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.
Exceptions occurred when trying to assign licenses as part of update policy alerts.
In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.
When downloading a missing jar file, the Unified Agent incorrectly generated success messages.
Added indication for missing copyright references in the Attribution report summary.
When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.
Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the WhiteSource Configuration task parameter led to a scan failing.
...
New Feature Announcements
WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.
Documentation
The following topic has been deprecated:
...
Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a WhiteSource-generated .encrypted file not being deleted at the end of each WhiteSource build task run.
NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of WhiteSource-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.On rare occasions, library alerts were not created after the vulnerability sync.
Duplicate hashed source files caused the second one to be considered as unmatched.
In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.
In the Unified Agent, there were exceptions when parsing specific pipfile formats.
...
The Unified Agent now supports scanning Google Distroless images.
The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.
...
Azure DevOps Services Integration: When opening the Security vulnerabilities tab in the Open Source Risk report, the data was not sorted by severity.
Azure DevOps Services Integration: Adding the WhiteSource task to a YAML-based pipeline without setting any of its parameters resulted in an error. As part of this fix, a default value was added for the cwd parameter.
Fixed failures of inventory update if artifactVersion exceeded the valid length.
The Unified Agent failed to parse a non-lowercase configuration value.
The Unified Agent failed to resolve NuGet dependencies when the project.assets.json file was not found in its standard location.
A Python direct dependency, which was also used as a transitive dependency by another library, was not listed as a direct dependency by the Unified Agent.
RPM packages installed or deleted without using yum were not identified correctly by the Unified Agent.
...
Beginning with this version, every new organization will be created in the new Vulnerability-based Alerting mode.
A new and enhanced source files matching algorithm, SmartMatch, can be activated from Advanced Settings in the Integrate tab. The default will remain Weight.
Two new licenses have been added:
GLWTPL
ODC-By-1.0
Unified Agent
A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.
...
When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.
When resolving several requirments.txt files, the cache of the dependencies was not cleared between the different resolutions.
When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.
In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.
After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All” in order to see the mandatory fields.
When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.
Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.
The Unified Agent did not support the packages.db RPM database
Documentation Updates
The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.
...
In the next Unified Agent release, the optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. In addition to improving the scanning time of NPM projects, more accurate results will be produced by this mechanism. Unmet optional and/or peer dependencies that were not taken into consideration by the previous dependency detection will be part of the results when they are found in the lock file.
Version 20.12.1.1 (21-December-2020)
Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.
Version 20.12.1 (20-December-2020)
...
For some libraries, the Impact Analysis page did not display results.
Filtering by library in the Attribution Report did not display all results.
In the Web UI, there was no indication when a library contained no licenses. NOTE: Beginning in this version, an indication that review is required is displayed.
In Azure environments, when saving/updating a SAML integration (Domain and Global Account level), an HTTP error 500 was displayed.
In the Vulnerabilities Report, the screen’s legend was unclear.
...
The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.
...
Attribution Report: Users now have the ability to exclude versions from the artifacts' names in the attribution report's exported files, by de-selecting the include versions checkbox.
API
Read-only Permissions: A new auditing role can now be assigned to service users through the setOrganizationAssignments API to give them read-only permissions in the scope of a specific organization.
...
An unexcepted output received from the SBT sbtVersion command caused the Unified Agent to throw an exception.
The Unified Agent didn't handle correctly a possible output of the SBT organization command.
The Unified Agent failed to extract .tar files created with special characters on Linux.
When executing update inventory requests which create a new project, the getProjectVitals/getProductProjectVitals API requests did not display the Unified Agent's version.
When trying to add a new admin from the global admins page, the users list was empty.
When configuring SCM via JSON files, the Unified Agent scanned the current directory.
Project Association: Limitation on the number of items in the products list was removed.
...
The Unified Agent’s Artifactory scanner failed to build a URL from strings that contained non-alphanumeric characters.
Dependencies defined in the gemfile.lock file with an exclamation mark suffix were wrongly resolved.
Policies where Action was defined as Issue failed to create Work Items issues.
Under certain conditions, when working with policies of the Issue type, exceptions occurred while loading Work Items data.
Resolved Issues - Azure DevOps Services Integration (added 10-November-2020)
Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:
Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.
Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.
Click Authorize.
Scanning a project based on a GitHub Repository led to a RangeError error.
Version 20.10.1.1 (4-November-2020)
Fixed an issue whereby ending a setProductAssignments request resulted in error code 3000, and an Invalid request parameters error message.
Version 20.10.1.1 (2-November-2020)
Azure DevOps Services Integration: In some cases, when running a pipeline build containing a WhiteSource task, a toString() failed error was displayed in the WhiteSource build task logs, leading to a scan failure.
...
Azure DevOps Services Integration
Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.
Documentation Updates
Unified Agent
...
Fixed CVE-2020-2213
Prioritize
Aggregate Modules mode supported (using the -aggregateModules field).
Functionality Changes
In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.
When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.
...
Upgraded the following:
WildFly to version 10.1.0
JQuery to version 3.5.0
The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.
The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.
Resolved Issues
In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.
While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.
In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.
The Attribution Report had issues with a misplaced header.
There were issues with proxy settings in the HTML dependency resolution.
The TeamCity plugin always failed as a result of a check policy request.
Under certain conditions, scanning SBT dependencies resulted with errors.
Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.
...
This version introduces support for Bamboo server versions up to 7.0.3.
Functionality Changes
Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.
Beginning in this version, Maven resolver will not ignore .jar,.war,.ear,.zip files when ignoreSourceFiles is set.
When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.
The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.
...
Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.
Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar,.war,.ear,.zip will be included in the scan when ignoreSourceFiles is set.
In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.
Resolved Issues
In some nupkg libraries, libraries which didn’t have a dash ('-') in the display name as the version separator, were not recognized as the same library and therefore did not generate the Multiple Library Versions.
When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.
Under certain situations, goGradle scans failed with a null pointer exception.
An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.
The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.
Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.
Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.
Under certain conditions, scans of Docker images resulted in exceptions.
Under certain conditions, new version alerts weren't created.
...
For customers who want to have sources files with associated vulnerabilities identified in WhiteSource when possible, a new optional parameter for getProjectAlertsByType API enables the response to include vulnerable source files.
...
Release Unified Agent version 19.9.1
Release WhiteSource Advise for Chrome 19.9.1
Version 19.8.1 (8-September-2019)
...
The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.
Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.
This version provides support for Serverless Framework via a dedicated plugin.
...
Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list.
Optimized accuracy of data in Security Trends Dashboard:
After clicking on a chart, the related Alerts report only displays security vulnerability alerts.
The dashboard keeps its predefined context after navigating to another GUI page.
...
GitHub integration: Added information on the path of the dependency file from the vulnerable library in cases where it originates from a package dependency.
Artifactory Plugin: The ‘archiveExtractionDepth’ parameter enables to define the maximum drill down hierarchy level in Java, Ruby and Python archive files (The default value is 2, and the maximum value is 7).
Optimization of user roles: Users may assign licenses/copyrights only if they are one of the following:
License and Copyright Assigner
Organization Administrator
Organization Default Approver
Note: The ability as a 'Product Default Approver' or 'Product Administrator' to assign licenses/copyrights has been removed.
...
Improved csontainer scanning coverage: Added the option to scan a Docker image from a Google Container Registry. See also Google Container Registry Docker Integration
NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.
Added support for Julia source files with the file extension ‘.jl’.
Added support for car archive files with the file extension ‘.car’.
Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then scan fails when ‘productName’ and ‘productToken’ are missing, and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.
Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile' that enables to run the pre-step with the ‘--frozen.lockfile’ yarn parameter.
Scan report in JSON Format:
Accurate reporting time frames: In addition to a date, a timestamp was also added to the JSON based scan report’s filename. For example, ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.
Added custom attributes data. For each library, the relevant custom attribute values are displayed.
Added policy and vulnerability statistics data to local scan report. See also Unified Agent JSON Report Example
...