These release notes are for the WhiteSource cloud solution, and do not apply to the on-premises solution, which has its own release notes. Click here to view known issues.

...

IMPORTANT

Beginning in version 21.3.2, WhiteSource will be modifying the various topics, plus the overall structure, of the documentation. This includes editing and condensing the existing content (therefore archiving certain topics) for better usability, removing unnecessary and/or duplicate content, and restructuring the topic hierarchy for a logical flow. Since this project will be a “work in progress” for an unspecified amount of time, WhiteSource apologizes in advance for any inconvenience this might cause.

Version 22.1.1 (23-January-2022)

New Features and Updates

WhiteSource Core

  • To provide customers with easy access to the support portal, an icon (i.e., wrench) was added to the top menu that links directly to the WhiteSource Support Portal: support.whitesourcesoftware.com.

Azure DevOps Integration

  • The WhiteSource task within the Azure DevOps integration now follows semantic versioning. This allows customers to receive release updates automatically.

Notices

  • In the next six months, WhiteSource targets to release a Jira Data Center approved version of the Jira plugin.

  • The Jenkins plugin will be deprecated and reach its End Of Life starting August 1, 2022.

Version 21.12.2 (9-January-2022)

New Features and Updates

Issue Tracker Integration Generic Platform and Jira Plugins

...

  • In Jira Server, when clicking Save on the configuration page, there was no indication if the Default Jira Project setting was saved successfully.

Notices

  • Following the GA release of the generic Issue Tracking Platform and the Jira Server and Jira Cloud plugins, the previous Jira integration will be deprecated on July 1st, 2022.

...

Version 21.12.1 (26-December-2021)

New Features and Updates

Artifactory Plugin

  • A new and improved Artifactory plugin is introduced in this release, providing important updates, such as performance improvements, more granular control over downloaded components, and easier installation. The triggerBeforeDownload property was updated to control downloading of components from local repositories only, while a new property, triggerBeforeRemoteDownload, controls downloading of components from remote repositories. In addition, the userKey property is now mandatory.

...

Version 21.11.2 (12-December-2021)

New Features and Updates

Unified Agent

  • Scanning of OCI Docker images is now supported via the docker.scanTarFiles parameter.

...

  • A new parameter resolvedType was added to the following APIs: getOrganizationLicenses, getProductLicenses, getProjectLicenses

Azure DevOps Integration

  • The organizational setting of the Azure DevOps Services extension was updated to determine the WhiteSource mapping resolution.

  • Addressed CVE-2021-44228 identified for Apache Log4j2.

...

  • For organizations that were migrated to vulnerability-based alerting mode, a permission error would appear when clicking on the Alerts section in the Updates notification emails.

Notices

  • Following improvements in the Gradle resolution, the gradle.wrapperPath parameter will become obsolete in the next release of the Unified Agent.   

  • Starting from Unified Agent release version 21.12.2, the MD5 checksum will be replaced by a SHA256 checksum that will be published next to the released JAR.

  • Starting from the Jira Server Plugin release version 21.12.2, Jira Server version 7.13 will no longer be supported.
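Once the SHA256 checksum is published next to the JAR, a CI job should verify the downloaded agent against it before executing it. The following POSIX shell script is an added example, not WhiteSource's own tooling; it assumes the checksum file uses the `sha256sum` line format (`<hex digest>  <filename>`), and the JAR and checksum file names in it are placeholders.

```shell
#!/bin/sh
# Added example (not WhiteSource's own tooling): verify a downloaded
# Unified Agent JAR against its published SHA256 checksum before running it.
# Assumption: the checksum file uses the sha256sum format
# ("<hex digest>  <filename>"); file names below are placeholders.

# Print the SHA256 hex digest of a file, using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_sha256 <file> <checksum-file>
# Returns 0 when the file's digest equals the digest recorded for its
# basename in the checksum file; returns 1 on mismatch or missing entry.
verify_sha256() {
  file=$1
  sums=$2
  name=$(basename "$file")
  # Accept both "digest  name" and the binary-mode "digest *name" form.
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print tolower($1); exit}' "$sums")
  if [ -z "$expected" ]; then
    echo "no SHA256 entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "SHA256 OK for $name"
}

# Self-check with constructed files (the real JAR and its checksum come from
# the WhiteSource download page): a matching digest passes, a tampered JAR fails.
self_check() {
  dir=$(mktemp -d) || return 1
  jar="$dir/wss-unified-agent.jar"
  sumfile="$dir/wss-unified-agent.jar.sha256"
  printf 'constructed stand-in for the agent JAR\n' > "$jar"
  printf '%s  wss-unified-agent.jar\n' "$(sha256_of "$jar")" > "$sumfile"
  verify_sha256 "$jar" "$sumfile" || { rm -rf "$dir"; return 1; }
  printf 'x' >> "$jar"   # tamper with the JAR after the checksum was recorded
  if verify_sha256 "$jar" "$sumfile" 2>/dev/null; then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"
  return 0
}

self_check
```

In a pipeline, call `verify_sha256 wss-unified-agent.jar wss-unified-agent.jar.sha256 || exit 1` before the `java -jar` step, so a tampered or truncated download never runs.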

...

Version 21.11.1 (28-November-2021)

New Features and Updates

Application API

  • A new parameter, resolvedType, was added to the getProductAlertByType API.

  • A new HTTP v1.3 API was added that reassigns organization-level policies to a different owner. 

...

  • The Jira Server plugin is now compatible with the latest Jira Server version 8.20.

  • The dependency hierarchy information is now displayed within the Jira ticket created by the Jira Server plugin or Jira Cloud plugin.

Azure DevOps Integration

  • Failing a pipeline build based on policy violations is now supported (by utilizing the Unified Agent’s policy-related settings).

  • The open-source risk report is now retained as part of the Azure DevOps Extension pipeline build, allowing build history auditing, faster report retrieval, and better user experience.

...

  • GitHub Enterprise private key field was limited to 5,000 characters.

  • Generating an activation token would fail when the organization’s name had non-alphanumeric characters.

Notices

The next release of the Artifactory plugin (planned for December 26th) will introduce important updates, such as performance improvements, more granular control over downloaded components, and easier installation. The triggerBeforeDownload property will be updated to control downloading of components from local repositories only, while a new property triggerBeforeRemoteDownload will control downloading of components from remote repositories. In addition, starting this release, the userKey property will become mandatory.

...

Version 21.10.2 (14-November-2021)

New Features and Updates

Unified Agent

  • The Dockerized Unified Agent was updated to the latest version which includes support for Conda.

  • The option to upload a zipped offline request for a scanned project is now supported.

...

Version 21.10.1 (31-October-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Yarn 3.

  • Excluding Docker layers from the Unified Agent’s scan is now available in Beta status via the docker.excludeLayersByLabel configuration parameter. 

...

  • The dependencies of the docker layer would not reflect the project in the UI.

Notices

Improvements to the Azure DevOps integration will be introduced in release 21.11.1. The open-source risk report will be retained as part of the pipeline build, allowing build history auditing, faster report retrieval, and better user experience.

...

Version 21.9.1 (17-October-2021)

New Features and Updates

Unified Agent

  • A new configuration parameter commandTimeout is now available for controlling the timeout of all the commands executed by the Unified Agent during a scan.

...

NOTE

The Application release is delayed to October 10th due to maintenance and stabilization improvements.

New Features and Updates

Unified Agent

  • Conda dependencies detection is now enabled by default - the default value for the conda.resolveDependencies parameter is set to true.

  • The Gradle dependencies' detection mechanism was improved significantly. As a result, the following Gradle parameters are now obsolete:  

    • gradle.runAssembleCommand

    • gradle.runPreStep  

    • gradle.localRepositoryPath

    • gradle.downloadMissingDependencies

    • gradle.wrapperPath

    In addition, the default value of the gradle.preferredEnvironment was changed to wrapper, to improve the scan results and align to Gradle best practices.

  • The Unified Agent now supports Yarn 2.

...

Version 21.8.1 (29-August-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports scanning of Conda dependencies specified in environment.yml files. Conda dependencies detection is controlled by a new parameter conda.resolveDependencies which is disabled by default. Note: WhiteSource Conda vulnerabilities coverage is currently limited to Python dependencies only and will be extended in coming releases.

  • The includes parameter now has a default value (comprising all the WhiteSource supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).

  • The excludes parameter now has a default value of:
    **/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

  • Go dependency detection now enables the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.

  • Performance improvements are introduced to the NPM dependencies detection.

...

Version 21.7.2 (15-August-2021)

New Features and Updates

Jira Server Plugin (Beta)

...

  • In the Library Security Vulnerabilities page, when the same library appeared in several projects, the wrong shield was displayed.

  • Under certain conditions, when using the Vulnerabilities Report, an error occurred.

  • In the Unified Agent, when scanning in SCM mode, a debug exception occurred before cloning the repository.

  • In the Unified Agent, when scanning yarn projects, the hierarchy tree was not deduped, resulting in memory issues.

  • A runtime error occurred in the Artifactory plugin.

  • The minutes-to-milliseconds conversion during cloning of WhitesourceService.class caused an invalid value in wss.connectionTimeoutMinutes.

  • When scanning a repository by a tag (not a branch) via the GitHub scanner, the scan failed in the cloning phase.

Notices

Within the next two releases of the Unified Agent, the Gradle dependencies' detection mechanism will be improved significantly. This will make the following Gradle parameters obsolete: 

...

Version 21.7.1 (1-August-2021)

New Features and Updates

Unified Agent

  • The default of php.removeDuplicateDependencies has been changed to True.

...

  • When the same NuGet dependency was defined in both the csproj and nuspec, it appeared twice in the application.

  • In the Unified Agent, setting multiple archives in the "-d" argument sometimes led to incorrect results.

  • The Maven, OCaml, Modules, and the R resolvers of the Unified Agent were not failing the scan if the relevant package manager was not installed when failErrorLevel was set to ALL.

  • In the Unified Agent, the parameter gradle.additionalArguments was only being applied to a subset of Gradle commands, instead of all Gradle commands.

  • When scanning projects with the Unified Agent, and archiveIncludes and archiveExtractionDepth were set, corrupted zip files resulted in null pointer exceptions in certain Java versions.

  • In the Unified Agent, the Maven resolver did not detect the dependency tree path when the Maven log was altered.

Notices

  • Within the next two releases of the Unified Agent, the behavior of the includes and excludes parameters will be fixed with respect to the use of the projectPerFolder parameter, by matching their values relative to the main root path.

  • Within the next two releases of the Unified Agent, several improvements to the default configuration will be introduced:

    • The includes parameter will have a default value (comprising all the WhiteSource supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.)

    • The excludes parameter will have a default value of **/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

  • Within the next two releases of the Unified Agent, the Go dependency detection will be improved by enabling the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.

...

Version 21.6.3 (18-July 2021)

New Features and Updates

  • The detection accuracy of security vulnerabilities was improved for the Unified Agent Linux package manager scan (scanPackageManager).

  • The base image of the CircleCI orb executor was updated to Ubuntu 18.04.

  • The image of the WhiteSource integration for Bitbucket was updated.

...

  • In the Azure DevOps Services Integration, an issue prevented updating the project settings.

Notices

  • In the next Unified Agent release, the Gradle resolution will be improved, removing non-resolvable dependencies from the results.

Version 21.6.2 (4-July 2021)

New Features and Updates

Azure DevOps Services Integration

...

  • The IntelliJ IDE would cease to function when scanning Maven projects with the WhiteSource plugin.

  • When a server was stopped, a scan that had already started could not continue.

  • Persist ManagedResource failed after a database Lock exception.

  • Manually remapping all the source files did not close pending requests for the old source library.

  • In the Unified Agent, projectPerFolderIncludes failed to detect subfolders.

  • When scanning a Yarn project with the Unified Agent, if the "resolved" section was missing for a dependency within the yarn.lock file, a Null Pointer Exception occurred.

  • WhiteSource now supports the ability to run bower and yarn in the same directory.

  • In the case of GitHub.com integration, the SCM scanner scanned the root folder instead of the cloning folder, causing the scanner to scan additional libraries.

Notices

  • Starting August 1, 2021, Unified Agent versions will be available for a year after their release.  

  • Within the next two releases of the Unified Agent, the default value of the php.removeDuplicateDependencies parameter will be changed from false to true.

  • Within the next two releases of the Unified Agent, the gradle.additionalArguments parameter for specifying additional arguments to be added to the Gradle commands executed by the agent - will be applied to all Gradle commands (not only to the gradle dependencies command). 

  • Within the next two releases of the Unified Agent, the Maven, OCaml, Modules and the R resolvers will be aligned to the behavior of the other detectors when failErrorLevel is set to ALL by failing the scan if the relevant package manager is not installed.

...

Version 21.6.1 (20-June 2021)

New Features and Updates

Unified Agent

  • Beginning in this version, support is added for Cargo workspaces.

...

Version 21.5.2 (6-June 2021)

New Features and Updates

Reports

  • A new report is introduced in beta phase - the Multiple Library Version report. This report displays information regarding multiple versions of the same library that are being used in the selected project/product. With the release of this report, we are announcing that the alert for Multiple Library Version will be disabled to all customers on August 15th, 2021. All information that was available on Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

...

  • In the Image Registries section:

    • UA - Amazon Elastic Container Registry (ECR) - Docker Integration

    • UA - Azure Container Registry Integration

    • UA - Docker Image Integration

    • UA - Google Container Registry Docker Integration

    • UA - JFrog Artifactory Docker Registry Integration

  • In the AVM section:

    • Migrating Fortify/ThreadFix Agent to the AVM Agent

Notices

Major improvements to the Azure DevOps integration will be introduced in July 2021. The underlying scanning mechanism will be modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:

...

Version 21.5.1 (23-May-2021)

New Features and Updates

Web UI

  • When working in Vulnerability-based alerting mode, the Details column was returned to the exported License and Compliance Alerts Report, providing more specific information on the alert.

  • A new license, Saucy 2.0, has been added. See here for details.

  • In Vulnerability-based Alerts organizations, a new button, More Information, was added to the Pending Tasks page. After selecting up to 50 tasks from the list and clicking this button, a pop-up presents the number of vulnerabilities and the license of each selected task's library. The task selection can be changed in the pop-up and is saved on clicking Save; the user is then returned to the Pending Tasks page and can approve or reject the tasks based on the information provided in the pop-up.

...

Version 21.4.2.1 (11-May-2021)

New Features and Updates

Jira Server Plugin (Beta)

...

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

Notices

The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.

...

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new WhiteSource Organization is created.

  • The name of the Sun license was changed to Sun Public License.

...

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

Notices

The following is planned for the next Unified Agent releases:

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and the content will move to the Notices page

    • The High Severity Bugs Report topic will be deprecated

    • The File System topic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation. 

Notices

In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies. 

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependencies detection was improved, by supporting the sbt-dependency-graph plugin when applicable.

...

New Feature Announcements

  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.

    • Layers with SHA1 were unnecessarily looked up in the index 

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

Notices

  • In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

...

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

...

  • When searching for a library via global search and then searching for a vulnerability via the same search, the page redirected to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appeared blank and users needed to click "Add License Reference" or "Override All" in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

Documentation Updates

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

...

Version 20.12.1.1 (21-December-2020)

  • Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximum extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

Resolved Issues - Azure DevOps Services Integration (added 10-November-2020) 

  • Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:

    1. Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.

    2. Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.

    3. Click Authorize.

  • Scanning a project based on a GitHub Repository led to a RangeError error.

Version 20.10.1.1 (4-November-2020)

...

Version 20.10.1 (25-October-2020)

New Features and Updates

WhiteSource Core

  • In order to comply with industry standards, WhiteSource has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

Azure DevOps Services Integration

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.

Documentation Updates

Unified Agent

...

Version 20.9.2.2 (15-October-2020)

WhiteSource Core

  • CREATE_ISSUE policies defined in Product scope that were applied to libraries removed from in-house/whitelist, caused tickets creation in all of the organization's projects when there were no CREATE_ISSUE policies in the organization's scope.

...

Version 20.9.2 (11-October-2020)

WhiteSource Core

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, is now the default dependency detection method for NPM. This change is introduced by switching the previous default value of npm.resolveLockFile from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results.

...

Version 20.9.1 (4-October-2020)

New Features and Updates

WhiteSource Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

...

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

...

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

Notices

  • Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results. 

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

  • A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • Fixed CVE-2020-2213 

Prioritize

  • Aggregate Modules mode supported (using the -aggregateModules field).

Functionality Changes

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • Scanning Docker images with source files led to duplicate appearances of the source libraries in the Hierarchy view.

Notices

  • Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).

Version 20.7.2 (2-August-2020)

New Features and Updates

WhiteSource Core

  • SAML session token duration (the time between the IDP authentication and the WhiteSource login) was changed from 10 minutes to 5 minutes.

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to True.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan, on Linux machines, Go projects that use the go_repository rules generated by Bazel Gazelle (see here).

WhiteSource Core

  • Under certain conditions, when an application had no vulnerability, it was not updated by the AVM agent.

...

Version 20.6.2 (5-July-2020)

New Features and Updates

WhiteSource Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • Upgraded the following:

    • WildFly to version 10.1.0 

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires Review was the least common license in an organization/product/project, the License dashboard stopped functioning.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

  • If the Last Scan Comment field contains multiple lines, only the first line is displayed in the Project Vitals area.

Notices

  • In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in scan time as well as enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.

...

Version 20.6.1 (21-June-2020)

New Features and Updates

WhiteSource Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the WhiteSource Expert Fix is the first solution recommended to customers in the list of suggested fixes.

...

Version 20.5.2 (7-June-2020)

WhiteSource Core

Web UI

  • For customers where Prioritize is installed: Beginning in this version, when creating a policy, you can match by Vulnerability Severity and Efficiency.

  • A new option in the Change Origin Library screen, Only repositories matching all source files, makes requests more efficient by enabling users to display only libraries where all source files exist.

  • Custom attributes are now supported in the APIs and the Attribution Report.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

WhiteSource Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of the types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and you must fill them in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows, which appears when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

...

Version 20.4.2 (10-May-2020)

New Features & Updates

WhiteSource Core

Web UI

  • In the Library Details screen, the new Aggregated Data tab displays aggregated data for licenses, policies, vulnerabilities, and library data.

...

Version 20.4.1 (26-April-2020)

New Features & Updates

WhiteSource Core

Web UI

  • A risk score was added for license Open LDAP 2.4.

...

  • This version introduces support for Bamboo server versions up to 7.0.3.

Functionality Changes

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will no longer ignore .jar, .war, .ear, and .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter is now chosen from a list (the same way as selecting an assignee), instead of the previous text boxes for entering a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

...

Version 20.3.3, 20.3.2 (12-April-2020)

New Features & Updates

WhiteSource Core

Web UI

  • In the library details page, users can now manually override the license text to their library's specific license text. The new license text will be displayed in the Attribution Report and in the Release Management Dashboard, both in the UI and via APIs.

  • In the Attribution Report, for manually assigned copyrights with a comment, the comment now appears in a new section called Comments in the library’s Copyrights section.

...

Version 20.3.2, 20.3.1 (29-March-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • Support for Cabal version 3 is now provided.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar, .war, .ear, and .zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • Some nupkg libraries whose display name did not use a dash ('-') as the version separator were not recognized as the same library, and therefore did not generate the Multiple Library Versions alert.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

Version 20.3.1, 20.2.2 (15-March-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • A new parameter, python.resolvePipEditablePackages, enables the support of pip in editable mode (-e), thus presenting additional dependencies in WhiteSource for Python projects.

  • New Package Manager support: This version introduces support for Gradle Kotlin DSL.

...

Version 20.2.1, 20.2.2 (1-March-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

...

Version 20.1.3 (16-February-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • In the Policies functionality, the bug rating and version activity match types have been removed, and there is no longer a way to add new policies of these types. Existing policies of these types, however, remain editable.

...

Version 20.1.2 (2-February-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for the DNF package manager for CentOS.

...

Version 20.1.1 (26-January-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for Poetry, a new package manager for Python.

...

Version 19.12.2 (5-January-2020)

New Features & Updates

WhiteSource Core

Unified Agent

  • NPM Resolution: Optimized scanning behavior and reduced scan time. The new functionality relies only on the package.json instead of NPM commands and can be enabled using the flag: npm.resolveLockFile=true.

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

Version 19.12.1 (22-December-2019)

New Features & Updates

WhiteSource Core

Unified Agent

  • Added flexibility for “R” programming language scanning: This version provides support for the R programming language for customers who are not using its main package manager, Packrat.

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

Version 19.11.2 (8-December-2019)

New Features & Updates

WhiteSource Core

Unified Agent

  • Easier Onboarding for JFrog Artifactory Docker Integration: Beginning in this version, the Unified Agent is able to download Docker images from Artifactory as an archive file, then extract and scan them.

  • Added flexibility for JFrog Artifactory Docker image scan: Two new parameters, artifactory.includes and artifactory.excludes, provide customers with the ability to filter which images to scan in their repositories.

  • A new parameter, php.ignoreSourcefiles, provides more extensive results for customers using PHP by enabling users to decide whether to ignore source files during scanning.

...

Version 19.11.1 (24-November-2019)

New Features & Updates

WhiteSource Core

Unified Agent

  • Detect Mode - Enhanced environment-based recommended configuration capability: The generated configuration file now supports the ‘includes’ parameter.

  • In cases where the Unified Agent execution has an issue (for example, policy violation), the Bitbucket pipe will reflect it and fail the build.

  • This version introduces better customization and control: customers can now change the default location in which Unified Agent logs are saved.

...

Version 19.10.1 (10-November-2019)

New Features & Updates

WhiteSource Core

Unified Agent

  • The Unified Agent now supports scanning the opam package manager for the OCaml programming language.

  • Aligning the Unified Agent to the Maven plugin behavior: A new boolean parameter in the Unified Agent, maven.projectNameFromDependencyFile, controls whether the project name is taken from the dependency file.

  • Aligning the Unified Agent to the NPM plugin behavior: An existing parameter, npm.projectNameFromDependencyFile, controls whether the project name will be taken from the dependency file.

  • Added flexibility: It is now possible to set project metadata information using a project tag (key and value) via the Unified Agent command line and the Unified Agent configuration file.

  • When scanning Docker images on which NPM is not available, the new npm.resolveGlobalPackages parameter enables extracting global dependencies without relying on NPM being installed and available.

...

Version 19.9.2 (27-October-2019)

New Features & Updates

WhiteSource Core

Web UI

  • Extending auditing capabilities: In the Change Log History Report, there is now support for auditing changes in vulnerability score/severity.

  • This version brings the following enhancements:

    • Added granularity - Support for changing a library to a source file at the Product level, not only at the Organization level.

    • Alignment with API - As required by the change library API, the user must be a Product or Organization Administrator rather than a regular user.

  • New auditing enhancement that extends existing functionality to the Change Log History Report: When changing a library, customers can now track when the changes occurred, according to new records in the ChangeLog.

...

Version 19.9.1 (22-September-2019)

New Features & Updates

WhiteSource Core

Web UI

  • The following improvements have been made to the License Compatibility Report:

    • As part of ongoing enhancements to this report, the accuracy has been improved and the results are more detailed.

    • “Type” (the library’s programming language) has been removed in favor of “Incompatibility Type” (the type of conflict between two libraries’ licenses).

    • A new Incompatibility Type, Potential Incompatibility, has been added. Potential Incompatibility indicates that the library being evaluated is licensed under multiple licenses, so the user must choose under which license the library will be licensed.

  • Better customization for the Attribution Report:

    • Users can now select whether to include licensing text in the existing Licensing section, or in a new dedicated “Appendix: License Details” section.

    • Users can now select whether Primary Attributes (a.k.a. custom attributes) will be featured in the Attribution report.

...

Version 19.8.1 (8-September-2019)

New Features & Updates

WhiteSource Core

Web UI

  • The Dashboard view has undergone the following changes:

    • The Top Alerts pane now displays a dedicated summary count of system category alerts reported for a given organization, product or project. This includes the total count of policy violations, versions, licenses, quality and security alerts.

    • Clicking a category name or count now displays a detailed listing of the alerts reported for that category, in an Alert View corresponding to the clicked item, thus enabling the user to perform tasks on the listed alerts.

  • Enhancements to marking libraries as in-house:

    • Auditing enhancement: Rules added or removed through In-House Rules are now tracked and can be displayed in Change Log History.

    • It is now possible to create an in-house rule whose name matches that of the selected library.

    • The help text on the In-House page has been revised and improved.

  • It is now possible to disable all email notifications for administrators.

...

Version 19.7.3 (18-August-2019)

New Features & Updates

WhiteSource Core

Unified Agent

  • Docker Artifactory integration is now enabled with a read-only user via the new configuration parameter docker.artifactory.dockerAccessMethod.

  • The new configuration parameters log.files.level, log.files.maxFileSize, and log.files.maxFilesCount enable you to store logs by default. Storing logs is useful, for example, when users have issues with certain scans: they no longer need to redo those scans in order to provide logs to the Support team. Note that this feature is enabled by default. Customers who do not need these logs can disable it manually.

  • Enhanced Detection: This version introduces the automatic identification of Maven libraries with multiple instances of SHA-1.

  • It is now possible to include/exclude specific Gradle modules to scan.

  • The Unified Agent now supports scanning the Cabal package manager for the Haskell programming language.

...

Version 19.7.2 (4-August-2019)

New Features & Updates

WhiteSource Core

GUI (Web Interface)

  • In the Library Details page, a new widget enables users to view library security trends for a specific library across different versions, color-coded according to severity.

  • In the Alerts report, new versions no longer include “Dev” versions.

  • In the Assign Copyrights functionality, it is now possible to set a "None" value in the Years range, to reflect that no specific years are defined for the copyright.

  • The Library Vulnerability wheel now displays vulnerable libraries first, before other metrics.

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

Version 19.7.1 (21-July-2019)

New Features & Updates

WhiteSource Core

GUI (Web Interface)

  • New Advanced search option: In the Web application, a new dialog box makes it easy to select and display a library.

  • Improved visibility of resolution request statuses: A new Request Resolution Status Report enables admins to view the status of their requests to WhiteSource.

  • This version introduces support for bulk actions on copyright request resolutions, thereby reducing the time needed to send a request for a bulk of libraries.

  • In the Admin console, in NuGet alerts, previews for non-major versions are now included.

...

Version 19.6.1 (07-July-2019)

New Features & Updates

WhiteSource Core

GUI (Web Interface)

  • Vulnerability Search functionality: In the WhiteSource application, a new search mechanism enables users to search their files for CVEs, and proceed accordingly based on whether CVEs are found or not.

...

Version 19.5.3 (23-June-2019)

New Features & Updates

WhiteSource Core

GUI (Web Interface)

  • Users: In the Administration Users page, there is an improved UI indication to distinguish between 'regular' users and service users.

  • Improved user experience: In the Library Details page, when there are many source files to display, the system displays the first X files immediately, and users can see all related source files by clicking ‘View all source files’.

  • Product-level customization: In the Product Administration page, it is now possible to define product tags (or product-level tags) that enable you to define additional metadata for WhiteSource products.

...

  • Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink opens a pop-up window, enabling a user to manually select alternative GAV coordinates from a list.

  • Optimized accuracy of data in Security Trends Dashboard:

    • After clicking on a chart, the related Alerts report only displays security vulnerability alerts.

    • The dashboard keeps its predefined context after navigating to another GUI page.

...