Mend for GitHub Enterprise
Mend for GitLab
Mend for Bitbucket Server

The setup.cfg file is now supported for triggering a scan through the Unified Agent Controller.

Mend for GitHub Enterprise
Mend for GitHub.com
Mend for GitLab
Mend for Bitbucket Server
Mend for Azure Repos

Names of all Checks (Security, License, SAST, IaC) were changed from “WhiteSource” to “Mend”.

Mend for Bitbucket Server

Added the ability to scan cloud infrastructure configurations (IaC) to find misconfigurations before they are deployed. For this, a Mend IaC Check was introduced which runs in parallel to the existing Mend Security/License Check. In addition, IaC violation alerts are displayed via Issues.

Mend for GitHub Enterprise
Mend for GitLab
Mend for Bitbucket Server

Enabled Smart Fix for Java projects.

NOTE: An update to this version will cause an increase in plugin activity for the repositories with Java projects in the first few days (up to a week). The number of scan requests will temporarily increase by 20%-50% depending on how many Java projects there are in the organization. Consider temporarily increasing the number of scanners for this period.

Mend for GitLab

Added the ability to scan cloud infrastructure configurations (IaC) to find misconfigurations before they are deployed. For this, a Mend IaC Check was introduced which runs in parallel to the existing Mend Security/License Check. In addition, IaC violation alerts are displayed via GitHub Issues.

Mend for Github.com
Mend for GitHub Enterprise
Mend for GitLab
Mend for Bitbucket Server
Mend for Azure Repos

Added a new tag commitId to the Mend application Projects that will contain the latest scanned commit ID.

Mend for Azure Repos

The issueType setting was added to the issueSettings parameter of the Mend configuration file. This setting defines the type of issues that will be enabled in the repository - one for each vulnerability or one for each dependency with all vulnerabilities grouped within.

Mend for Github.com
Mend for Azure Repos

Python version 3.8 is now supported when performing a scan with the SCM scanner. Note that Python version 3.7.12 is still the supported default version.

Mend for Github.com
Mend for Azure Repos

The scanning of Dotnet 6 projects is now supported.

Mend for Github.com
Mend for Azure Repos

Dev dependencies in the NPM and Yarn projects will not be scanned by default.

Mend for Github.com
Mend for GitHub Enterprise
Mend for GitLab
Mend for Bitbucket Server
Mend for Azure Repos

Enabled Smart Fix for Java projects.

Mend for GitHub.com

Mend has launched the ability to scan cloud infrastructure configurations (IaC) to find misconfigurations before they are deployed. For this, a Mend IaC Check was introduced which runs in parallel to the existing Mend Security/License Check. In addition, IaC violation alerts are displayed via GitHub Issues.

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center,
Mend for GitHub Enterprise,
Mend for GitLab

Previously, the only way to provide the integration's activation key to the Remediate container was by using a prop.json file.
Beginning in this version, the activation key is also supported as an environment variable called W4D_BOLT_OP_ACTIVATION_KEY (as an alternative to providing it as a prop.json file).

Mend Advise for IntelliJ,
Mend Advise for WebStorm,
Mend Advise for PyCharm,
Mend Advise for Eclipse,
Mend Advise for Visual Studio,
Mend Advise for VS Code

Beginning in this version, you can configure the plugin/extension to alert only on detected vulnerabilities satisfying a given minimum severity level (as opposed to always showing Low, Medium and High severity vulnerabilities).

Mend Advise for WebStorm

Beginning in this version, Mend Advise will not scan the node_modules folder of a selected project.

Mend Advise for IntelliJ,
Mend Advise for WebStorm,
Mend Advise for PyCharm,

Better handling when the developers' environment is disconnected from the internet or has no access to the Mend servers.

Mend Advise for Visual Studio

In some cases, scanning a C# project resulted in an exception, and in addition, no vulnerabilities were displayed.

Mend for GitHub.com

When adding an empty whitesource-config repository from a default "main" branch to the integration, it was not initialized with Mend configuration files.

Mend for GitLab

When using the security dashboard, issues were published but the commit comment was not updated with scan results and remained with a "scan in progress" indication.

Mend Advise for IntelliJ IDEA,
Mend Advise for WebStorm

An improved notification message is now displayed when no vulnerabilities are found in a scanned project.

Mend Advise for IntelliJ IDEA

Added support for the "apply from" script plugin in Gradle projects, which can reference a dependency file contained within the scanned project or outside of it.
NOTE: Remote script location is not supported.

Mend Advise for Eclipse,
Mend Advise for Visual Studio

Beginning in this version, you can configure the plugin to alert only on direct dependency vulnerabilities (as opposed to both direct and transitive vulnerabilities).

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center,
Mend for GitHub Enterprise,
Mend for GitLab,
Mend for GitHub.com

For NPM projects only - Added support for remediation of transitive npm packages when a package-lock.json is present. 
NOTE: This functionality is disabled by default.

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center,
Mend for GitHub Enterprise,
Mend for GitLab,
Mend for GitHub.com

Beginning in this version, a new Mend Security/License Check summary will be displayed in case a scan results in an empty inventory (as opposed to when one or more Security/License issues are detected).

Mend Remediate

Remediate sometimes, and Renovate often, needs to query github.com for tags and releases (e.g. for release notes fetching).
Customers using Renovate especially will get rate limited by github.com quickly if they don't provide authentication with every request. Guidelines on how to do that are provided here.

Mend Advise for PyCharm,
Mend Advise for WebStorm

Mend has launched Mend Advise for PyCharm and Mend Advise for WebStorm plugins, empowering JetBrains developers with important, valuable information on security vulnerabilities concerning open-source components employed in their development projects. 

Mend Advise for IntelliJ IDEA

• Added support for IntelliJ IDEA 2020.2

• Added support for IntelliJ IDEA 2020.3

• Added support for displaying scan results in the Problems Tool window (in addition to the Inspection Results window).
  NOTE: This feature is available in version 2020.2 and above of the IDE.

Mend for Bitbucket Server,
Mend for Bitbucket Data Center

From this version onwards, the Administration > Mend Integration page enables the Bitbucket administrator to select Projects to integrate with Mend, instead of Repositories.

Once a project is selected by the Bitbucket administrator, the project administrator will be able to access the Mend Integration page from the  Project > Project settings page and decide which repositories within that project to integrate with Mend.

NOTE: Customers upgrading from an older version of the integration will be automatically migrated to the new Mend Integration model. This means that for each already integrated repository, the repository will be automatically selected inside the Project > Project settings page.

Mend Advise for IntelliJ IDEA

Scanning a Gradle project following file changes would sometimes not show markers for detected vulnerabilities.

Mend for Bitbucket Server,
Mend for Bitbucket Data Center

In an integrated repository page, the Critical severity metric inside the Mend Security widget was modified to High in order to align with the Mend UI severity metrics.

Mend for GitHub Enterprise,
Mend for GitHub.com

Added ability to define a whitelist of GitHub Organizations and/or GitHub repository owners who can integrate with the Mend integration.

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

Global Repo Configuration:

• Added the ability to migrate existing repositories to the Global Configuration for a specified list of repository owners only.

• Added the ability to control whether a migration will trigger a Mend scan.

• Added a new migration mode, fixInheritance to update the inheritedFrom parameter values in local .whitesource configuration files to the correct whitesource-config Global Configuration repository.

Mend Advise for Visual Studio Code

• Added support for macOS.

• Added a configuration setting allowing to enable/disable scanning of devDependencies. The default is "disabled" mode.

Mend Advise for IntelliJ IDEA

The No proxy HTTP setting was ignored by the plugin.

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center,
Mend for GitHub Enterprise,
Mend for GitLab

The scanner container did not clean up between container restarts, resulting in a potentially large growth in the container’s disk size.

Mend for GitHub Enterprise

Renovate config presets were not being resolved.

Mend for Bitbucket Server, 
Mend for Bitbucket Data Center

In the Mend Security Report (Code Insights), the table listing each vulnerability was not displayed correctly.

Mend Advise for IntelliJ,
Mend Advise for Eclipse,
Mend Advise for VS Code

• When CVSS3 data was available for a vulnerability, Mend Advise displayed CVSS2 severity instead of CVSS3 severity information.

Mend Advise for IntelliJ

• When no Mend suggested fix was available for a vulnerability, Mend Advise skipped the display of such vulnerability.

Mend for GitHub Enterprise

In some cases, two scans were triggered for the same commit. This led the issue publishing process to run twice at the exact same time, causing duplicate issues to be created.

Mend Advise for IntelliJ IDEA

• Added support for Gradle

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• The Mend Security Check now displays a summary of the number of total remaining vulnerabilities present on the base branch. NOTE: Both the baseBranches and displayMode configuration parameters need to be used, and the displayMode parameter needs to be set to diff.

Mend for Bitbucket Server

In the Mend Integration page:

• When selecting repositories to integrate with Mend, it is now possible to search for a particular repository name.

• A Clear Selection button was added in order to clear selected repositories after having selected multiple repositories via the Selected repositories only option.

Mend for Bitbucket Server

• The Mend Add-on had a limitation where you could only integrate up to 1,000 repositories.

• In the Global Repo Configuration, it was not possible to specify a Project Key when using the ignoredRepos parameter inside the global-config.json file.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• Remediate - No fix Pull Request/Merge Request was generated for library yaml.v2-v2.2.2.

• When Global Repo Configuration was enabled, in some cases, scans were not triggered after a valid push was performed.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• Global Repo Configuration: Ability to exclude specific repositories from the integration. A new parameter ignoredRepos was added to the global-config.json file.

• The following features are supported only when using the baseBranches configuration:

  • When a scan is triggered, any existing Issue content will be updated if a change occurred (for example, when an additional base branch contains the same issue, or if the severity of a vulnerability was modified)

  • When a scan is triggered, if a previously auto-closed Issue has resurfaced inside a repository, Mend will re-open the closed issue and add a comment to it to specify the reason for re-opening. NOTE: In Mend for Bitbucket Server, a new Issue will be opened in such cases, and no comment will be added.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitLab

• Added a new parameter, controller.url, to the UI configuration tool for when configuring the deployment file (prop.json), which lets you modify the name of the App container (default is wss-ghe-app/wss-gls-app/wss-bb-app).

Mend Advise for Visual Studio Code

• Ability to perform an automatic scan after activating the extension or after changes are applied to any of your workspace folders (for example, a new folder is added, an existing project was re-built). A new parameter Enable Automatic Scanning in Workspace was added to the extension settings (enabled by default).

• Added performance enhancements.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• Global Repo Configuration: When adding the whitesource-config repository to the integration, a README file is automatically generated with instructions on how to start.

• When removing and then re-adding a repository to the integration, its associated Mend Project will now be re-used instead of creating a new project with a numbered prefix. NOTE: Existing projects containing the numbered prefix will remain with the prefix. To remove this prefix, delete the relevant Mend project and in the next valid push, a new project will be created with the correct naming convention.

• The following features are supported only when using the baseBranches configuration:

  • Mend Security Check summary: Added the ability to only show the diff of detected vulnerabilities between the current commit and its base branch commit, for non-base branches. A new configuration parameter displayMode was added for this purpose, and it contains two options ("baseline" and "diff"). Newly integrated repositories will automatically inherit the "diff" functionality. Refer to the relevant integration's ".whitesource File" section for more information.

  • Issues generated by the integration that are no longer part of the Mend project inventory (due to alerts being ignored or libraries being removed) will be auto-closed by the integration upon the next valid push. NOTE: In Mend for Bitbucket Server, such issues will be deleted (instead of closed).

  • The originating branch of a detected security vulnerability is now added to the content of an Issue (inside the Vulnerable Library) section. 

Mend Advise for Visual Studio Code

• Added performance enhancements.

Mend Advise for Eclipse, Mend Advise for IntelliJ IDEA

• Added minor enhancements.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• (BETA) Ability to migrate existing repositories to inherit a global configuration. 

• After a vulnerable source library is introduced on an integrated repository, more details on the specific vulnerable source file(s) are now displayed both inside the generated issue as well as inside the Mend Security Check (as part of a Check Run for GitHub.com/GitHub Enterprise, Commit Status for GitLab, and Build Status for Bitbucket Server). 

Mend Advise for Visual Studio

• Added support for scanning non SDK-style projects (such as VSIX extensions) which generate an assets file.

• Added performance enhancements.

Mend for Bitbucket Server,
Mend for GitHub Enterprise,
Mend for GitHub.com,
Mend for GitLab

• Added support for Poetry package manager.

• (BETA) Ability to generate a global configuration, to be applied to all newly-selected repositories. This requires the creation of a new repository called whitesource-config which will contain the configuration file template. In addition, it is now possible to define and apply one of the following onboarding options for all your newly-selected repositories:

  • Create an onboarding PR/MR including the .whitesource configuration file with inherited configuration

  • A .whitesource configuration file with inherited configuration will immediately be pushed to the default branch of all integrated repositories without creating any onboarding PRs/MRs

  • Integrated repositories will be scanned without creating a .whitesource file or onboarding PR/MR

• This version introduces the ability to specify multiple base branches. A new parameter baseBranches was added to the .whitesource configuration file for this purpose. Specifying one or more base branches in this parameter means that:

  • For each specified branch, scanning results will be sent to a new Mend Project containing the branch name as a suffix.

  • An Issue will only be created for the specified branch names.

  • For existing integrated repositories which do not contain the baseBranches parameter, Issues will be generated for all branches.

• After a valid push is performed on an integrated repository, more information such as a dependency hierarchy and a suggested fix is now displayed inside the Mend Security Check (as part of a Check Run for GitHub.com/GitHub Enterprise, Commit Status for GitLab, and Build Status for Bitbucket Server). 

Mend for Bitbucket Server

• Users with Write (in addition to Admin) permissions on an integrated repository can now see the Mend Integration tab inside the Bitbucket Server instance.

Mend for GitHub Enterprise

• From this version onward, the Remediate database image and container (remediate-db) will no longer be required as part of the integration. Instead, Remediate will operate in-memory.

Mend for Bitbucket Server, Mend for GitHub Enterprise, and Mend for GitLab

• Support for Gradle Kotlin projects

• Support for Gradle in Mend Remediate  

Mend for GitHub.com

Support for Gradle Kotlin projects

Mend for GitHub.com

Support for Gradle in Mend Remediate

Mend for Bitbucket Server

• From this version onward, the Remediate database image and container (remediate-db) will no longer be required as part of the integration. Instead, Remediate will operate in-memory.

• Improved usability and enhanced control over the Mend scanning. An onboarding Pull Request is now generated on each selected repository upon the Mend add-on configuration. A .whitesource configuration file will be part of the PR. Mend will only start scanning the repository once the PR is merged.

• Using the new projectToken configuration parameter in the .whitesource configuration file, it is now possible to map a Bitbucket repository to an existing Mend project. This provides added flexibility in terms of organizing projects in Mend originating from various integrations.

• The .whitesource configuration file now includes a parameter configMode, which lets you use an existing Unified Agent configuration file. This can be done by providing either a local Unified Agent configuration file, or fetching the config file from an external location using the configExternalURL parameter.

• This version introduces the ability to generate fix PRs on-demand without defining workflow rules in advance.