These release notes are for the Mend cloud solution, and do not apply to the on-premises solution that has its own release notes.

...

New Feature Announcements

  • Mend is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files for which they had no permissions, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All" in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

Documentation Updates

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

...

Version 20.12.1.1 (21-December-2020)

  • Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.

Version 20.12.1 (20-December-2020)

...

Resolved Issues - Azure DevOps Services Integration (added 10-November-2020)

  • Fixed an issue where in some cases, users with non-admin permissions were not able to view the Mend open-source risk report. All existing Mend for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:

    1. Go to Organization Settings > Extensions > Installed > Mend for Azure DevOps Services.

    2. Click Review. The Authorize Mend for Azure DevOps Services popup is displayed.

    3. Click Authorize.

  • Scanning a project based on a GitHub Repository led to a RangeError.

Version 20.10.1.1 (4-November-2020)

...

Azure DevOps Services Integration

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, Mend Configuration, was added to the Mend task. For more information, see here.

Documentation Updates

Unified Agent

...

  • Fixed CVE-2020-2213

Prioritize

  • Aggregate Modules mode supported (using the -aggregateModules field).

Functionality Changes

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added, the new transitive dependency will be added as a direct dependency, so that all of the application's mechanisms, such as alerts and policies, are applied to it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can run another “OVERRIDE” Update Request after the append request.

...

  • Upgraded the following:

    • WildFly to version 10.1.0

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

  • This version introduces support for Bamboo server versions up to 7.0.3.

Functionality Changes

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will not ignore .jar, .war, .ear and .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, Mend will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar, .war, .ear and .zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • In some nupkg libraries, libraries which didn’t have a dash ('-') in the display name as the version separator were not recognized as the same library and therefore did not generate the Multiple Library Versions.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

Version 19.8.1 (8-September-2019)

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

  • Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list.

  • Optimized accuracy of data in Security Trends Dashboard:

    • After clicking on a chart, the related Alerts report only displays security vulnerability alerts.

    • The dashboard keeps its predefined context after navigating to another GUI page.

...

The page “Unified Agent Parameters Used When Overriding the Azure DevOps Services Integration Default Setting” was archived and is no longer in use. Its content was moved to Azure DevOps Services Integration.

Version 21.10.2 (14-November-2021)

...

  • For organizations in Vulnerability-Based Alerts mode, the Containers Dashboard would show incorrect data.

  • In some cases, the Vulnerabilities Report for the different scopes failed to generate or returned an empty response.

  • Notification emails for new alerts were sometimes sent when no new alerts were created.

  • For some API calls, the response JSON returned incorrect charset encoding.

  • A duplicate key in the projectSecurityVulnerability resulted in incorrect alerts displayed for the project.

  • In some cases, alerts were not removed after recalculating In-House rules.

  • The Unified Agent failed to calculate the SHA-1 of NPM packages residing at the local workspace.

  • Building the Dockerized Unified Agent resulted in errors.

  • When Essentials users were using the Azure DevOps Services extension, the Organization Settings page would not be displayed.

  • After an extension was uninstalled from the Azure DevOps Services, subsequent installation and on-boarding of the services extension would fail when the organization was inactive.

  • After removing a Bolt extension from the Azure DevOps Services, the Mend Organization would be deactivated.

Documentation

A new topic, Getting Started with Mend, was published in the User Guide. This topic is designed to help users navigate the main Mend GUI dashboard and menu options, in order to get up and running quickly with Mend. It provides an overview of the options that users can access from the menu bar at the top of the Mend Home page.

...

  • New documentation was published for Linux Distributions Vulnerabilities Detection. See here.

  • The main API page HTTP API v1.3 was updated.

...

  • New and updated documentation has been published for the Global Org/Organization/Product/Project-Level APIs and Product and Project-Level APIs.

  • The information in the Utilizing Security Vulnerabilities Information was moved to Understanding and Managing Security Vulnerabilities, and the page was deprecated.

  • The main API page, HTTP API v1.3, will be deprecated on September 1, 2021. All the information contained in this page already appears in the API sub-topics, such as Product and Project-Level APIs, etc.

...

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

...

...

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

  • Gradle

  • Maven

  • Python

Notice

In the next Unified Agent release, the optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. In addition to improving the scanning time of NPM projects, more accurate results will be produced by this mechanism. Unmet optional and/or peer dependencies that were not taken into consideration by the previous dependency detection will be part of the results when they are found in the lock file.

...

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

  • Bower

  • Cargo

  • Cocoapods

  • Haskell

  • Hex (Erlang/Elixir)

  • Ocaml

  • Paket

  • php

  • Poetry

  • Ruby

  • SBT

...

The following integration pages will be archived in release 20.12.2 and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

  • Gradle

  • Maven

  • Python

Version 20.11.2 (6-December-2020)

...

Beginning in version 20.12.1, the following integration pages will be archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

  • Bower

  • Cargo

  • Cocoapods

  • Haskell

  • Hex (Erlang/Elixir)

  • Ocaml

  • npm

  • Paket

  • php

  • Poetry

  • Ruby

  • SBT

...

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, Mend Configuration, was added to the Mend task. For more information, see here.

Documentation Updates

Unified Agent

...

Beginning in this version, Mend Developer Integrations will have its own release notes. Please refer here.

Resolved Issues

  • [Fixed] Under certain conditions in app.whitesourcesoftware.com, some libraries were missing although the update request contained them.

  • [Fixed] Servers received imported licenses that have license names but no license types, resulting in no license creation.

  • [Fixed] Under certain conditions, the Unified Agent did not collect all the dependencies in yarn projects.

  • [Fixed] Under certain conditions, it was impossible to create sub-task issues using Jira integration.

  • [Fixed] When trying to create a new copyright template without years, an error was displayed.

  • [Fixed] When exporting HTML attribution report by project in partial data organization, an error was displayed.

  • [Fixed] Under certain conditions, the Unified Agent Docker Hub scan returned no results.

  • [Fixed] An out-of-memory issue occurred for Yarn.

  • [Fixed] Detect configurations did not work correctly for Go projects.

  • Release Unified Agent version 19.11.1

...

Version 19.5.2 (02-June-2019)

...

Mend Developer Integrations:

  • Mend Developer Integrations is a new paid bundle that augments the Mend Core offering and includes four enhanced capabilities:

    • Mend Remediate - Continuously tracks repositories to identify vulnerable open source components and generates fix pull requests (PRs) automatically, thus automating the remediation process.

    • IDE Integration - Alerts developers on vulnerable open source components while coding within the IDE UI, so developers don’t have to switch between applications or wait until they’ve committed the code.

    • Repo Integration - A native integration detecting all open source components in the repos, providing alerts, enforcing compliance, failing builds and pull requests, and automating remediation guidance.

    • Browser Integration (formerly called Web Advisor) - A Chrome extension that allows developers to view a snapshot of a component’s details while browsing web pages such as StackOverflow, Maven Central, GitHub and many more, before they download it and incorporate it into the product.

  • For more information, click here.

Mend for Containers

  • Integration with Docker Hub - Supports seamless scanning of Docker images from Docker Hub by pulling a selected list of Docker images. The following configuration parameters were added: ‘docker.hub.enabled’, ‘docker.hub.userName’, ‘docker.hub.userPassword’, ‘docker.hub.organizationsNames’, ‘docker.pull.images’.

  • Supports more flexible scanning of Kubernetes resources by providing the ability to scan an entire cluster or a more specific context.

  • Supports the ability to enforce vulnerability verification on an entire Kubernetes cluster or on a specific context.

  • Supports Role Based Access Control when using Affinity on Kubernetes nodes.

  • Supports a more flexible image name for scanning, so that the same Mend project can be reused (as the imageID changes between builds). A new configuration parameter was added: ‘docker.projectNameFormat’.

...

Version 19.4.2 (5-May-2019)

...

Version 19.4.1 (21-April-2019)

...

Version 19.3.1 (24-March-2019)

...

  • The new Containers dashboard enables you to pinpoint security vulnerabilities at various levels, providing a clear view of Kubernetes resources along with the ability to filter, sort, and view the vulnerabilities per pod and image in the cluster. See also The Containers Dashboard.

Unified Agent

  • Improved container scanning coverage: Added the option to scan a Docker image from a Google Container Registry. See also Google Container Registry Docker Integration.

  • NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.

  • Added support for Julia source files with the file extension ‘.jl’.

  • Added support for car archive files with the file extension ‘.car’.

  • Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then the scan fails when ‘productName’ and ‘productToken’ are missing and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.

  • Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile’ that enables running the pre-step with the ‘--frozen.lockfile’ yarn parameter.

  • Scan report in JSON Format:

    • Accurate reporting time frames: In addition to a date, a timestamp was also added to the JSON-based scan report’s filename. For example, ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.

    • Added custom attributes data. For each library, the relevant custom attribute values are displayed.

    • Added policy and vulnerability statistics data to the local scan report. See also Unified Agent JSON Report Example.

...

Version 19.2.2 (10-March-2019)

...

  • New level of automation is available by defining ‘Service Users’. These programmatic users are only allowed to access Mend via APIs. Service Users cannot log into the GUI, and they can communicate with Mend via the API for automation and CI/CD purposes. The Organization Administrator can manage service users (Home Page → Admin → Users). See also Managing Service Users.

  • Improved navigation in Project Page:

    • Added a 'View Licenses' link to access the Due Diligence report directly from the Licenses widget while maintaining the Project scope.

    • Added a 'View Vulnerabilities' link to access the Vulnerabilities report directly from the 'Library Vulnerability' widget while maintaining the Project scope.

...

  • Added support for the ‘vgo’ (‘Go Modules’) package manager for ‘Go’. See also related documentation.

  • Serverless scanning: Added support to include and exclude components when scanning serverless functions (‘serverless.includes’ and ‘serverless.excludes’).

  • Added the ability to run the Effective Usage Analysis (EUA) feature without the need to maintain a configuration file.

...

...

Version 19.1.1 (27-January-2019)

...

Version 18.12.2 (13-January-2019)

...

  • A Security Trends Dashboard presents users with a view of the organizational security posture over time. The dashboard is mainly intended for the organization's administrators, security officers, and application R&D managers. See also related documentation.

  • Effective Usage Analysis: Support for JavaScript has been added.

  • Risk report: Added a ‘How Do We Compare?’ section that displays how select measurements of your organization's risk and compliance levels compare to overall average statistics calculated for Mend customers.

  • Mend Serverless Integration: Enables you to scan and monitor deployed FaaS (Lambda functions), utilizing the Unified Agent and Effective Usage Analysis technologies. Mend is capable of understanding the effective references from the serverless functions to the vulnerable code in the called open source components. See also related documentation.

  • License Compatibility Report: This report provides information on the compatibility issues of library licenses at the project or product level. See also related documentation.

...

  • Effective Usage Analysis (EUA):

    • Policies: Added an option to create a policy based on Effective Usage Analysis shields. See also related documentation.

    • CVE detail displayed on the Security Vulnerabilities screen features a 'Top Fix' column that includes EUA analysis results.

  • Due Diligence report: Added a ‘License Type’ column that indicates one of the following license types: ‘Open Source’, ‘Commercial’, ‘Closed Source’, and ‘Unknown’.

  • The Attribution report now includes an option to export the report data by project as well as by component (library).

  • Dependency resolution is performed even when no binary or source file extension exists on a repository.

  • Support has been added for the new Visual Studio 2017 format of ‘.csproj’ files.

Info
  • Click here to view known issues. Additionally, we suggest you stay informed by regularly checking the Notices page.

  • Release notes are subject to change until the actual release date. Note that Mend reserves the right to postpone the release of this page for up to and including 48 hours after the version’s actual release.

  • This page is "dynamic" and is subject to change between official releases. Mend reserves the right to modify this page retroactively. Check this page periodically between official releases to ensure you are up-to-date with all hotfixes, changes and additions to Mend's products.
