IMPORTANT

Beginning in version 21.3.2, WhiteSource will be modifying the opening topics of the User Guide section of the documentation. This includes editing and condensing the existing content (therefore archiving certain topics) for better usability, removing unnecessary and/or duplicate content, and restructuring the topic hierarchy for a logical flow. Since this project will be a “work in progress” for an unspecified amount of time, WhiteSource apologizes in advance for any inconvenience this might cause.

Version 21.4.2.1 (11-May-2021)

New Features and Updates

  • The WhiteSource issue type will now be created with the default values for commonly-used JIRA fields.

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

...

Version 21.4.1 (25-April-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Apache Ivy as part of the Ant dependencies detection.

...

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting in this version, SmartMatch is the default algorithm used for source file matching when a new WhiteSource Organization is created.

  • The name of the Sun license was changed to Sun Public License.

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependency detection was improved by supporting the sbt-dependency-graph plugin when applicable.

...

New Feature Announcements

  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

...

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

...

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All" in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

Documentation Updates

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

...

Version 20.12.1.1 (21-December-2020)

  • Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

Resolved Issues - Azure DevOps Services Integration (added 10-November-2020) 

  • Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:

    1. Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.

    2. Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.

    3. Click Authorize.

  • Scanning a project based on a GitHub Repository led to a RangeError error.

Version 20.10.1.1 (4-November-2020)

...

Version 20.10.1 (25-October-2020)

New Features and Updates

WhiteSource Core

  • In order to comply with industry standards, WhiteSource has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

Azure DevOps Services Integration

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.

Documentation Updates

Unified Agent

...

Version 20.9.1 (4-October-2020)

New Features and Updates

WhiteSource Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

...

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

  • A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • Fixed CVE-2020-2213 

Prioritize

  • Aggregate Modules mode supported (using the -aggregateModules field).

Functionality Changes

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

Version 20.7.2 (2-August-2020)

New Features and Updates

WhiteSource Core

  • SAML session token duration (the time between the IDP authentication and the WhiteSource login) was changed from 10 minutes to 5 minutes.

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to True.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • Bazel support was extended to Go projects. On Linux machines, the Unified Agent can now scan Go projects that use the go_repository rules generated by Bazel Gazelle (see here).

...

Version 20.6.2 (5-July-2020)

New Features and Updates

WhiteSource Core

Unified Agent

...

  • Upgraded the following:

    • WildFly to version 10.1.0 

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request. 

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

Version 20.6.1 (21-June-2020)

New Features and Updates

WhiteSource Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values 

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the WhiteSource Expert Fix is the first solution recommended to customers in the list of suggested fixes.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

WhiteSource Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and you must fill them in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

...

  • This version introduces support for Bamboo server versions up to 7.0.3.

Functionality Changes

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, Maven resolver will not ignore .jar,.war,.ear,.zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar,.war,.ear,.zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • In some nupkg libraries, libraries which didn’t have a dash ('-') in the display name as the version separator, were not recognized as the same library and therefore did not generate the Multiple Library Versions.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

Version 19.8.1 (8-September-2019)

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

  • Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list. 

  • Optimized accuracy of data in Security Trends Dashboard:

    • After clicking on a chart, the related Alerts report only displays security vulnerability alerts. 

    • The dashboard keeps its predefined context after navigating to another GUI page. 

...