...


Version 22.6.1 (26-June-2022)

New Features and Updates

  • The Artifactory plugin now supports Mend Supply Chain Defender (SCD) in addition to the existing SCA capabilities. If SCD functionality is enabled for the Artifactory beforeRemoteDownload event, the plugin will check with the Supply Chain Defender API before each new download to ensure that known malicious or suspicious releases are blocked.

  • The CLI output now includes a legend in the “Paths as risk” section that clarifies its format.

Resolved Issues

  • When using the Azure DevOps extension, the projectPerFolder parameter was mistakenly included in the permitted configuration properties.

  • The Jira Server and Data Center plugin did not trigger the re-indexing of tickets and events when adding comments to them.

  • When scanning a Ruby project with the Unified Agent and the cache folder was missing, dependencies were not detected.

Version 22.5.2 (12-June-2022)

Resolved Issues

  • Jira tickets were not created successfully by the Jira Data Center/Server plugin when a Mend organization included many Prioritize scans.

  • When using the Jira Cloud plugin, when more than one policy configuration was defined for the same project, a ticket would be opened for an arbitrary Jira project.

Version 22.5.1 (29-May-2022)

New Features and Updates

  • The setup.cfg file is now supported as part of the Unified Agent's Python resolution, introduced via a new parameter, python.resolveSetupFiles.
    The python.resolveSetupFiles parameter controls the resolution of both setup.py and setup.cfg files and replaces the soon-to-be-deprecated python.resolveSetupPyFiles parameter.

Resolved Issues

  • Setting a Jira project with trailing spaces was not handled correctly by the Jira Server plugin.

  • An error occurred while trying to execute a govendor command as part of the Unified Agent's Govendor resolution.

Version 22.4.2.1 (15-May-2022)

Resolved Issues

  • Addressed security vulnerabilities identified for the Jira Data Center/Server plugin’s dependencies.

Version 22.4.2 (15-May-2022)

New Features and Updates

  • (Mend CLI) Detailed information about policy violations will now be available as part of the JSON format.

Resolved Issues

  • The Maven resolution of the Unified Agent did not work as expected with specific versions of the Apache Maven Dependency Plugin.

  • Under certain conditions, an NPE would occur when the Jira Server plugin tried to create new Jira tickets.

  • When using the Azure DevOps Pipelines extension for scanning certain projects, the Mend step in the pipeline would fail due to a timeout.

Version 22.4.1.1 (2-May-2022)

Resolved Issues

  • Fixed an issue in the Unified Agent in which the NPM or Maven resolution failed when an Amazon Corretto JDK was used.

Version 22.4.1 (1-May-2022)

New Features and Updates

  • The Jira Data Center and Server Plugin now supports version 8.22.

Resolved Issues

  • The number of library paths in the ticket description of the Jira Data Center/Server plugin was limited to 5.

...

Version 22.3.3 (17-April-2022)

New Features and Updates

Mend CLI (Beta)

  • It is now possible to set the Mend scope (full or partial) of the scanned project as part of the CLI scan command.

  • Detailed information about policy violations will now be displayed in the output of the CLI scan command.

  • The output of the CLI scan command can now be displayed in JSON format, replacing the previous --json <file> option.

Resolved Issues

  • Under certain circumstances, not all the Unified Agent's processes were terminated on Windows.

  • Addressed security vulnerabilities identified for the Jira Data Center/Server plugin’s dependencies.

Version 22.3.2.2 (10-April-2022)

Resolved Issues

  • When the user uninstalls the Jira Cloud Integration and then installs it again before synchronization occurs, the old installation would override the new installation.

...

Version 22.3.2 (3-April-2022)

Resolved Issues

  • The Unified Agent did not support proxy settings missing a username.

  • The number of library paths in the ticket description for the Jira Cloud plugin was limited to 5.

...

A Jira Data Center approved version of the Jira Server plugin is now available.

Resolved Issues

  • The Dependency Hierarchy in the ticket description was limited to 3 hierarchical paths.

Version 22.3.1 (20-March-2022)

Resolved Issues

  • In Bower projects with local dependencies, the Unified Agent was unable to detect dependencies.

  • In a specific case, when the Unified Agent scanned a Gradle project, a stack trace exception was thrown without the error information.

  • Addressed security vulnerabilities identified for the Artifactory plugin’s dependencies.

...

Version 22.2.2.1 (9-March-2022)

Resolved Issues

  • The Python resolution was fixed by reducing the total number of duplicate dependencies in the Unified Agent.

Version 22.2.2 (6-March-2022)

New Features and Updates

Unified Agent

  • A message is displayed when no dependencies are found in a package.json file for an NPM project.

...

  • A new parameter showing a library’s release date (if it has one) was added to the Inventory report at the organization, product and project-level.

Resolved Issues

  • When running Go commands in the Unified Agent to download dependencies that were not in the cache, warning messages would be displayed.

  • The Unified Agent was unable to extract layers with extension .tar.gz when scanning a docker tar file.

Version 22.2.1 (20-February-2022)

New Features and Updates

  • The scanning of Yocto projects in the Unified Agent is now supported in Beta status for Poky projects.

  • A new column titled “Matching Policy” was added to the Libraries table in the Pending Tasks Approval page of the UI, highlighting the policy that triggered the action on the pending request.

  • To differentiate between tickets that were opened by the Jira Server/cloud plugin for direct dependencies and transitive dependencies, a new field WS-LibraryHierarchy was added. This field will contain the value DIRECT or TRANSITIVE.

...

Version 22.1.2 (6-February-2022)

New Features and Updates

  • In the Unified Agent, the ignoreSourceFiles parameter, superseded by the fileSystemScan parameter, will be deprecated from release version 22.5.1.

  • New licenses TTWL and Attribution-NonCommercial 2.0 Generic are now supported in the Application.

  • A new optional parameter, includeOutdatedLibraryData, was added to the getProjectInventoryReport API request to improve the API performance.
    By default, the value is true, in order to maintain backward compatibility. When the value is false, the outdatedModel and outdated fields will not be populated with information.

  • The Azure DevOps extension now supports Azure DevOps Server. The extension name was changed from "Mend for Azure DevOps Services" to "Mend for Azure DevOps".

Resolved Issues

  • The Docker Container scan in the Unified Agent did not perform a general scan of the container file system.

  • When selecting the Organizational level in the Members report in the Application, the data would not load.

Version 22.1.1.1 (27-January-2022)

Resolved Issues

  • An NPE would occur when trying to generate a scan report in the Unified Agent.

Version 22.1.1 (23-January-2022)

New Features and Updates

  • The Unified Agent now supports Java 17.

  • Mend Prioritize now supports Java 17.

  • To provide customers with easy access to the support portal, an icon (i.e., a wrench) was added to the top menu that links directly to the Mend Support Portal: support.mend.io

  • The Mend task within the Azure DevOps integration now follows semantic versioning. This allows customers to receive release updates automatically.

...

Version 21.12.2 (9-January-2022)

New Features and Updates

Issue Tracker Integration Generic Platform and Jira Plugins

...

  • The remapping of source files to different source libraries was refactored to improve speed and prevent errors.

Resolved Issues

  • In the Unified Agent, when scanning a project with no libraries, an NPE would occur when trying to generate a scan report.

  • In certain cases, in Bower resolution, an NPE would occur when the Unified Agent trimmed missing dependencies from the dependency tree.

  • In Jira Server, when clicking Save on the configuration page, there was no indication if the Default Jira Project setting was saved successfully.

...

Version 21.12.1 (26-December-2021)

New Features and Updates

Artifactory Plugin

  • A new and improved Artifactory plugin is introduced in this release, providing important updates, such as performance improvements, more granular control over downloaded components, and easier installation. The triggerBeforeDownload property was updated to control downloading of components from local repositories only, while a new property, triggerBeforeRemoteDownload, controls downloading of components from remote repositories. In addition, the userKey property is now mandatory.

...

  • Prioritize shields are now displayed for every security vulnerability as part of the Jira ticket, when applicable.

Resolved Issues

  • Cargo workspaces would not be handled correctly if a wildcard was used in the members list.

  • Effective Usage Analysis would only support Python projects with the appPath ending with requirements.txt.

  • When a Prioritize scan failed due to a pre-step error, a typo would appear in the scan log.

  • In the Unified Agent, if more than one extra-index-url was defined in a Pipfile, the pipenv resolution would fail.

Version 21.11.2.1 (16-December-2021)

Resolved Issues

  • Minor fix for Mend Prioritize reflection mechanism.

Version 21.11.2 (12-December-2021)

New Features and Updates

  • In the Unified Agent, scanning of OCI Docker images is now supported via the docker.scanTarFiles parameter.

  • A new parameter, resolvedType, was added to the following APIs: getOrganizationLicenses, getProductLicenses, getProjectLicenses.

  • The organizational setting of the Azure DevOps Services extension was updated to determine the Mend mapping resolution.

  • Addressed CVE-2021-44228 identified for Apache Log4j2.

  • Prioritize shields are now displayed for every security vulnerability as part of the Jira Cloud plugin ticket, when applicable.

  • (Kubernetes Integration) Addressed security vulnerabilities identified for the integration dependencies.

Resolved Issues

  • An exception occurred when the Unified Agent tried to resolve pipenv dependencies.

  • In some cases, the SBT resolver failed to detect dependencies.

  • When parsing GitHub commits in a Python project with a PIP dependency manager, errors occurred when parsing the GitHub dependencies.

  • In the Unified Agent, a local NPM package with no version caused an exception.

  • When scanning a Docker image by the Unified Agent, a vulnerability detected in a deleted file was included in the scan results.

  • (Application API) For organizations that were migrated to vulnerability-based alerting mode, a permission error would appear when clicking on the Alerts section in the Updates notification emails.

...

Version 21.11.1 (28-November-2021)

New Features and Updates

Application API

  • A new parameter, resolvedType, was added to the getProductAlertByType API.

  • A new HTTP v1.3 API was added that reassigns organization-level policies to a different owner.

...

  • Failing a pipeline build based on policy violations is now supported (by utilizing the Unified Agent’s policy-related settings).

  • The open-source risk report is now retained as part of the Azure DevOps Extension pipeline build, allowing build history auditing, faster report retrieval, and better user experience.

Resolved Issues

Unified Agent

  • When scanning a Yarn project containing a yarn.lock file of a certain format, the UA would fail to parse the lock file and the resulting dependencies would contain null values.

  • The Go resolution of the Unified Agent missed dependencies in some cases when the "replace" directive was used in the go.mod file.

  • The Unified Agent didn't ignore comments appearing in the requirements.txt.

  • In the Unified Agent, when scanning Packrat projects, an exception occurred due to a missing or inaccessible packrat/lib directory.

  • In the Unified Agent, incorrect parsing of the Poetry dependency tree resulted in an incorrect dependency tree being sent in the update request.

  • In the Unified Agent, scanning of Go projects would fail when using a Go version earlier than 1.14.

...

Version 21.10.2 (14-November-2021)

New Features and Updates

  • The Dockerized Unified Agent was updated to the latest version which includes support for Conda.

  • The option to upload a zipped offline request for a scanned project is now supported.

  • In the Advanced Settings of the Jira Server and Jira Cloud Plugins' configuration page, you can now choose whether or not to ignore alerts for issues that are closed.

Resolved Issues

  • For organizations in Vulnerability-Based Alerts mode, the Containers Dashboard would show incorrect data.

  • In some cases, the Vulnerabilities Report for the different scopes failed to generate or returned an empty response.

  • Notification emails for new alerts were sometimes sent when no new alerts were created.

  • For some API calls, the response JSON returned incorrect charset encoding.

  • A duplicate key in the projectSecurityVulnerability resulted in incorrect alerts displayed for the project.

  • In some cases, alerts were not removed after recalculating In-House rules.

  • The Unified Agent failed to calculate the SHA-1 of NPM packages residing at the local workspace.

  • Building the Dockerized Unified Agent resulted in errors.

  • When Essentials users were using the Azure DevOps Services extension, the Organization Settings page would not be displayed.

  • After an extension was uninstalled from the Azure DevOps Services, subsequent installation and on-boarding of the services extension would fail when the organization was inactive.

  • After removing a Bolt extension from the Azure DevOps Services, the Mend Organization would be deactivated.

...

Version 21.10.1 (31-October-2021)

New Features and Updates

  • The Unified Agent now supports Yarn 3.

  • Excluding Docker layers from the Unified Agent’s scan is now available in Beta status via the docker.excludeLayersByLabel configuration parameter.

  • Links to the Mend policy and library are now added to the Jira tickets for Jira Server/Cloud plugins.

Resolved Issues

  • The dependencies of the docker layer would not reflect the project in the UI.

...

Version 21.9.1.1 (25-October-2021)

Resolved Issues

  • When the Unified Agent scanned a multi-module Gradle project, the project name would contain a version.

  • When the Unified Agent scanned a Gradle project containing a dependency with no version, no dependencies would be found and an exception would be thrown.

  • When the Unified Agent scanned a project on a Windows machine, if the “-d” parameter had a trailing whitespace, an exception would be thrown.

  • When a Unified Agent scanned a Go Modules project, test dependencies were incorrectly identified.

Azure DevOps Integration Version 21.9.11 (18-October-2021)

Resolved Issues

  • In the Azure DevOps integration (Services and Bolt extensions), an erroneous redirect prevented loading the organizational and project settings of the extensions.

Version 21.9.1 (17-October-2021)

New Features and Updates

Unified Agent

  • A new configuration parameter commandTimeout is now available for controlling the timeout of all the commands executed by the Unified Agent during a scan.

Resolved Issues

  • When performing a global search to check for CVE vulnerabilities in the library inventory, the results would display "No files in your inventory are vulnerable" when in fact there were vulnerabilities.

  • Poetry-updated dependencies that were not identified would not show in the Application at all, because the Artifact ID was missing.

  • The Unified Agent did not comply with the default branch name change when scanning an SCM GitHub repository.

  • If some of the entries were missing from the go.sum file, the Unified Agent's Go Modules resolution would fail to detect dependencies.

...

NOTE

The Application release is delayed to October 10th due to maintenance and stabilization improvements.

New Features and Updates

Unified Agent

  • Conda dependencies detection is now enabled by default - the default value for the conda.resolveDependencies parameter is set to true.

  • The Gradle dependencies' detection mechanism was improved significantly. As a result, the following Gradle parameters are now obsolete:

    • gradle.runAssembleCommand

    • gradle.runPreStep

    • gradle.localRepositoryPath

    • gradle.downloadMissingDependencies

    • gradle.wrapperPath

    In addition, the default value of the gradle.preferredEnvironment was changed to wrapper, to improve the scan results and align to Gradle best practices.

  • The Unified Agent now supports Yarn 2.

...

  • The Jira plugins now support the automatic updates of tickets following changes identified on Mend - whether the policy no longer affects the project or the library is no longer in the project's inventory.

Resolved Issues

  • In the Unified Agent, some NPM dependencies would be missing when the npm.removeDuplicateDependencies parameter was set to true.

  • Building the scanner Dockerfile would fail when trying to install Cocoapods for managing the library dependencies.

  • In the Unified Agent, the PIP resolution would fail in cases when the pyproject.toml was found.

Version 21.8.1.1 (31-August-2021)

Resolved Issues

  • Removed unreachable libraries from the Unified Agent’s jar.

Version 21.8.1 (29-August-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports scanning of Conda dependencies specified in environment.yml files. Conda dependencies detection is controlled by a new parameter conda.resolveDependencies which is disabled by default. Note: Mend Conda vulnerabilities coverage is currently limited to Python dependencies only and will be extended in coming releases.

  • The includes parameter now has a default value (comprising all the Mend supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).

  • The excludes parameter now has a default value of:
    **/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

  • Go dependency detection now enables the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.

  • Performance improvements are introduced to the NPM dependencies detection.

...

  • Resolved an issue that occurred when using an Oracle database.

Resolved Issues

  • In the Unified Agent, the excludes parameter was being called for every project in a folder, instead of per project directory.

  • In the Unified Agent, when scanning a target folder while extracting a jar file, a null pointer exception occurred.

  • A Prioritize scan would fail with an EUA error due to missing SHA-1 library dependency.

  • An Artifactory Plugin scan would fail to get the SHA-1 library dependency.

...

Azure DevOps Integration Version 21.7.21 (17-August-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, authentication issues required downgrading the azure-devops-node-api NPM library used by the extension.

Version 21.7.2 (15-August-2021)

New Features and Updates

Jira Server Plugin (Beta)

  • Support was extended to the latest Jira Server versions.

Resolved Issues

  • In the Library Security Vulnerabilities page, when the same library appeared in several projects, the wrong shield was displayed.

  • Under certain conditions, when using the Vulnerabilities Report, an error occurred.

  • In the Unified Agent, when scanning in SCM mode, a debug exception occurred before cloning the repository.

  • In the Unified Agent, when scanning yarn projects, the hierarchy tree was not deduped, resulting in memory issues.

  • A runtime error occurred in the Artifactory plugin.

  • The minutes-to-milliseconds conversion during cloning of MendService.class caused an invalid value in wss.connectionTimeoutMinutes.

  • When scanning a repository by a tag (not a branch) via the GitHub scanner, the scan failed in the cloning phase.

...

Version 21.7.1 (1-August-2021)

New Features and Updates

Unified Agent

  • The default of php.removeDuplicateDependencies was changed to True.

...

  • A new report, the Early Warnings Report, is released. This report displays same-day indications of vulnerabilities automatically identified by Mend even before being certified by the Researchers. The report has limited availability for select customers. It is being slowly rolled out and will be available for all customers and environments in the next couple of weeks; a separate notice will be announced in the release notes for GA.

  • Note that as was announced on June 6th, on August 15th the Multiple Library Version report will replace the alert for Multiple Library Version, which will be disabled for all customers. All information that was available in Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • When the same NuGet dependency was defined in both the csproj and nuspec, it appeared twice in the application.

  • In the Unified Agent, setting multiple archives in the "-d" argument sometimes led to incorrect results.

  • The Maven, OCaml, Modules, and the R resolvers of the Unified Agent were not failing the scan if the relevant package manager was not installed when failErrorLevel was set to ALL.

  • In the Unified Agent, the parameter gradle.additionalArguments was only being applied to a subset of Gradle commands, instead of all Gradle commands.

  • When scanning projects with the Unified Agent, and archiveIncludes and archiveExtractionDepth were set, corrupted zip files resulted in null pointer exceptions in certain Java versions.

  • In the Unified Agent, the Maven resolver did not detect the dependency tree path when the Maven log was altered.

...

Version 21.6.3 (18-July-2021)

New Features and Updates

  • The detection accuracy of security vulnerabilities was improved for the Unified Agent Linux package manager scan (scanPackageManager).

  • The base image of the CircleCI orb executor was updated to Ubuntu 18.04.

  • The image of the Mend integration for Bitbucket was updated.

...

  • The library path was added to the Jira ticket.

Resolved Issues

  • In the Security Alerts reports, there were no checks to determine if the organization had partial data property.

  • Jira Server Plugin: instead of assigning the Mend issue type only to the relevant project, it was added to all the screens in the user's Jira environment.

...

Azure DevOps Integration Version 21.6.3.1 (14-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, a corrupted setting of the extension was not handled correctly.

Azure DevOps Integration Version 21.6.3 (8-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented executing the Mend task.

Version 21.6.2.2 (6-July-2021)

Resolved Issues

  • In the Unified Agent, when the gradle.preferredEnvironment parameter was set to wrapper, gradle commands were executed instead of gradlew commands.

Azure DevOps Integration Version 21.6.2.1 (5-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented updating the project settings.

...

Version 21.6.2 (4-July-2021)

New Features and Updates

Azure DevOps Services Integration

...

  • A new variable for specifying options for the Java command executing the Unified Agent's JAR is now available in the Bitbucket integration.

Resolved Issues

  • The IntelliJ IDE would cease to function when scanning Maven projects with the Mend plugin.

  • When a server was stopped, there were problems continuing the scan that had already started.

  • Persist ManagedResource failed after a database Lock exception.

  • Manually remapping all the source files did not close pending requests for the old source library.

  • In the Unified Agent, projectPerFolderIncludes failed to detect subfolders.

  • When scanning a Yarn project with the Unified Agent, if the "resolved" section was missing for a dependency within the yarn.lock file, a Null Pointer Exception occurred.

  • Mend now supports the ability to run bower and yarn in the same directory.

  • In the case of GitHub.com integration, the SCM scanner scanned the root folder instead of the cloning folder, causing the scanner to scan additional libraries.

...

Version 21.6.1 (20-June-2021)

New Features and Updates

Unified Agent

  • Beginning in this version, support is added for Cargo workspaces.

Resolved Issues

  • When only the fromDate parameter was defined, the getXXXXAlertsByType API call returned an empty list in VBA mode.

  • The Vulnerability Report opened with a partial mode disclaimer even in non-partial mode organizations.

  • In the Unified Agent, NPM 6 failed to resolve dependencies originating from registry.npm.tabao.org.

Version 21.5.2 (6-June-2021)

New Features and Updates

  • A new report is introduced in beta phase - the Multiple Library Version report. This report displays information regarding multiple versions of the same library that are being used in the selected project/product. With the release of this report, we are announcing that the alert for Multiple Library Version will be disabled to all customers on August 15th, 2021. All information that was available on Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • Under certain conditions in the Library Location Report, the same file locations were displayed multiple times for the same library.

  • A transitive dependency declared for both the "test" and "compile" scopes was omitted from the scan results.

  • An NPM scan failed with a null pointer when it identified a package.json missing the name or the version.

  • In the Unified Agent, a null pointer exception occurred during Maven dependency downloads.

...

Version 21.5.1 (23-May-2021)

New Features and Updates

Web UI

  • When working in Vulnerability-based alerting mode, the Details column was returned to the exported License and Compliance Alerts Report, providing more specific information on the alert.

  • A new license, Saucy 2.0, has been added. See here for details.

  • In Vulnerability-based Alerts organizations, a new button, More Information, was added to the pending tasks page. When selecting tasks from the list (up to 50) and clicking on this button, a new pop-up screen will appear, presenting information regarding the number of vulnerabilities and the license of each of the selected tasks' libraries. The user will be able to change the task selection in the pop-up, and the new selection will be saved upon clicking Save. The users will then be returned to the original pending tasks screen, and will be able to choose to approve or reject the tasks, based on the information that was provided in the pop-up.

Resolved Issues

  • In rare cases, there was a discrepancy between the vulnerabilities number shown in the Library page and that shown in the Alerts report.

  • When the organization's name included the character ".", creating an access key of the issue tracker integration failed.

  • Queries used to calculate match types fetched all project resource usages of the product/project, taking a long time to return server responses.

  • The Unified Agent did not handle Gradle artifact relocation correctly.

  • In some cases, when the Artifactory Plugin deleted Temp folders, not all folders were deleted.

...

Version 21.4.2.1 (11-May-2021)

New Features and Updates

Jira Server Plugin (Beta)

...

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

...

Version 21.4.1 (25-April-2021)

Resolved Issues

  • Users encountered errors logging in to Mend.

  • The project name or project token were unnecessarily mandatory parameters for Docker scanning.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.

...

Version 21.3.2.2 (19-April-2021)

Resolved Issues

  • Resolved a security issue in the Jira Server plugin.

Version 21.3.2.1 (13-April-2021)

Resolved Issues

  • Resolved an issue where running the Unified Agent with “-v” resulted in its version printed with a console log message header.

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new Mend Organization is created.

  • The name of the Sun license was changed to Sun Public License.

...

  • The following documentation changes were implemented:

    • The Deprecated Features topic was deprecated and the content was moved to the Notices page.

    • The Setting the Home Page topic was deprecated and the content was moved to the Mend Home Page topic.

    • The High Severity Bugs Report topic was deprecated.

    • The File System topic was deprecated.

  • Structural modifications were implemented to the opening documentation sections, beginning with the login/homepage documentation. As a result, the following pages were deprecated:

    • Getting Started

    • Setup Projects

    • Automate the Process by Using the Unified Agent

  • In the next version, the R Integration page will be deprecated.

Resolved Issues

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

The Jira Server Plugin is now available in the Atlassian marketplace. Please note that the Jira Server Plugin is currently in beta.

Resolved Issues

  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.

...

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

  • A new API is now available for unmarking manually-assigned in-house libraries - unmarkManualInHouseLibrary.

Resolved Issues

  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with roles other than admin or alert ignorer were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the Mend Configuration task parameter led to a scan failing.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependency detection was improved by supporting the sbt-dependency-graph plugin where applicable.

Resolved Issues

  • When working in vulnerability-based alerting mode, user roles were not being validated when ignoring/reactivating alerts.

...

Version 21.1.2 (14-February-2021)

Resolved Issues

  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a Mend-generated .encrypted file not being deleted at the end of each Mend build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of Mend-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Updated the Mend task version from 20 to 21. In order to use the new version(s) of the extension, you will need to update the task from Mend@20 to Mend@21 inside your pipeline definition.

  • Added the ability to map an Azure Project to an existing Mend Product (in addition to creating a new Mend Product) via the Project Settings > Extensions > Mend page.

Resolved Issues

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.

    • Layers with a SHA1 were unnecessarily looked up in the index.

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

...

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

Resolved Issues

  • Azure DevOps Services Integration: When opening the Security vulnerabilities tab in the Open Source Risk report, the data was not sorted by severity.

  • Azure DevOps Services Integration: Adding the Mend task to a YAML-based pipeline without setting any of its parameters resulted in an error. As part of this fix, a default value was added for the cwd parameter.

  • Fixed failures of inventory update if artifactVersion exceeded the valid length.

  • The Unified Agent failed to parse a non-lowercase configuration value.

  • The Unified Agent failed to resolve NuGet dependencies when the project.assets.json file was not found in its standard location.

  • A Python direct dependency, which was also used as a transitive dependency by another library, was not listed as a direct dependency by the Unified Agent.

  • RPM packages installed or deleted without using yum were not identified correctly by the Unified Agent.

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

...

  • A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.

Resolved Issues

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files whose names ended with a trailing space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using “Assign Yourself”, the pop-up window appeared blank and users needed to click “Add License Reference” or “Override All” in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

...

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

Resolved Issues

  • For some libraries, the Impact Analysis page did not display results.

  • Filtering by library in the Attribution Report did not display all results.

  • In the Web UI, there was no indication when a library contained no licenses. NOTE: Beginning in this version, an indication that review is required is displayed.

  • In Azure environments, when saving/updating a SAML integration (Domain and Global Account level), an HTTP error 500 was displayed.

  • In the Vulnerabilities Report, the screen’s legend was unclear.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

  • Attribution Report: It is now possible to exclude versions from an exported Attribution Report via API.

Resolved Issues

  • Exceptions occurred when saving Global Account policies.

  • In the Unified Agent’s scan log, certain Gradle configurations were missing.

  • Azure DevOps Services Integration: In some cases, build artifacts over 200MB resulted in one of the following errors:

    • ##[error]RangeError: Maximum call stack size exceeded

    • ##[error]Error: "toString()" failed

  • Azure DevOps Services Integration: In some cases, scanning a project containing an npm project resulted in the following error:
    ##[error]Error: ENOTDIR: not a directory, scandir '/home/....../node_modules/.bin/acorn'

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

  • Read-only Permissions: A new auditing role can now be assigned to service users through the setOrganizationAssignments API to give them read-only permissions in the scope of a specific organization.

Resolved Issues

  • An unexpected output received from the SBT sbtVersion command caused the Unified Agent to throw an exception.

  • The Unified Agent did not correctly handle one possible output of the SBT organization command.

  • The Unified Agent failed to extract .tar files created with special characters on Linux.

  • When executing update inventory requests which create a new project, the getProjectVitals/getProductProjectVitals API requests did not display the Unified Agent's version.

  • When trying to add a new admin from the global admins page, the users list was empty.

  • When configuring SCM via JSON files, the Unified Agent scanned the current directory.

  • Project Association: The limitation on the number of items in the products list was removed.

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

A modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter has been archived and is therefore no longer in use.

Resolved Issues

  • The Unified Agent’s Artifactory scanner failed to build a URL from strings that contained non-alphanumeric characters.

  • Dependencies defined in the gemfile.lock file with an exclamation mark suffix were wrongly resolved.

  • Policies where Action was defined as Issue failed to create Work Items issues.

  • Under certain conditions, when working with policies of the Issue type, exceptions occurred while loading Work Items data.

...

Version 20.10.1 (25-October-2020)

New Features and Updates

Mend Core

  • In order to comply with industry standards, Mend has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

...

Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter will be archived and therefore no longer be in use.

Resolved Issues

  • When the project information object did not have a version in its coordinates, the Unified Agent failed to run.

  • The Unified Agent failed when trying to resolve a large PHP project.

  • Azure DevOps Services Integration: A pipeline build with the Mend task failed to scan GitHub repositories when using a Linux build agent.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, did not handle duplicate dependencies correctly. This caused an increase in the size of requests sent by the Unified Agent.

  • When applying Create Issue policies, issues were created incorrectly for all projects in the organization (added November 1, 2020).

  • When updating group assignments, SAML incorrectly removed users from the domain (added November 1, 2020).

  • When entering multiple values for either groupAssignments or userAssignments in the setProductAssignments and setOrganizationAssignments API calls, these values were ignored. With this fix, the first value is assigned (added November 1, 2020).

  • Users were unable to change a source file library if there was already an existing mapping with a comment (added November 1, 2020).

...

  • The license name of Oracle Development License (as it previously appeared in the application) will now appear according to its official name, Oracle Technology Network License Agreement.

Resolved Issues

  • During Kubernetes agent scanning, when the scanned component included the same image multiple times, irregularities occurred causing an exception.

  • In the Attribution report, the GPL 2.0 with exception license was mistakenly displayed as “insert GPL v2 license text here”.

  • When scanning PHP, the Unified Agent threw an exception if one (or more) of the packages did not have a "source" element in the lock file.

Version 20.9.1 (4-October-2020)

New Features and Updates

Mend Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

...

  • Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.

  • Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.

Resolved Issues

  • When applying policies to existing inventory from the organizational policies page, the product and project policies were ignored.

  • When reassigning all of a user’s pending tasks, the inventory request approver was not properly updated.

  • When two Maven projects were defined with the same name, both projects were created, but with partial data. The fix adds a suffix (_1, _2) to the project name when there is more than one project with the same name.

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

Resolved Issues

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.

Resolved Issues

  • When running the Gradle resolver, if a dependency is missing, the Unified Agent now tries to download .jar dependencies only.

  • In the rare use case of a change in the GAV coordinates of an artifact, Gradle scans didn't produce the correct signature for this artifact.

  • The Request Resolution Status Report displayed the wrong path on the top of the report.

  • In the Vulnerability Report, the Locations column was missing from the JSON format.

  • When scanning the plan.json file in a Haskell project, a NullPointerException occurred when building hierarchies where one child did not have dependencies.

  • In the application’s home screen, some bulk approval/rejection actions on pending tasks timed out. This caused the UI to hang, and the requests were not marked as reviewed.

  • When scanning a Docker image with source libraries, the “hierarchy” tree included duplications of the source library matched with those source files.

  • Layer information was missing when detecting FOSS components in Docker .tar files.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • When a scan for a project is requested while another scan for the same project is already being executed, the new scan is skipped. Starting in this version, the JSON file returned for the scan will specify the status SKIPPED instead of FINISHED.

Resolved Issues

  • In cases of empty status files in Debian Docker images, the scan resulted in zero dependencies.

  • In the Policies screens, a popup indicating that changes will not be saved was displayed even though all changes were properly saved.

  • A TimeoutException was thrown when calling the method updateNodesParentAndMr in the DependencyNodeRepositoryImpl class.

  • Priority and Assignee fields appeared in Jira-based policy creation, even when those fields were not defined in the Jira project itself.

  • Following a change in JFrog Artifactory version 7 whereby the property name haAwareEtcDir was changed to etcDir, exceptions were thrown in the Mend Artifactory plugin.

...

Version 20.7.2 (2-August-2020)

New Features and Updates

Mend Core

  • SAML session token duration (the time between the IDP authentication and the Mend login) was changed from 10 minutes to 5 minutes.

...

  • Improvements were made to the Docker scanning of the Linux RPM-based images.

  • Users can now configure Unified Agent parameters using environment variables.

  • The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan Go projects on both Linux and Windows using the go_repository rules generated by Bazel Gazelle (see here).

Resolved Issues

  • When organizations were deleted, data was removed, specifically alerts. This caused timeout exceptions if the table was locked.

  • Under certain scenarios, a null pointer exception occurred when loading the product assignment.

  • Under certain conditions, there were problems with dependency resolution from yarn.lock.

  • Under certain conditions in Unified Agent Docker scans, exceptions occurred when there were similar file names but different content or formats.

  • The Kubernetes deployment procedure did not take the configured initial delays into account.

  • When running the Prioritize Multi-Module Analyzer for Gradle, modules that did not have build.gradle were not handled correctly.

  • Under certain conditions, there were issues with the format of the link field within the policyRejectionSummary file.

  • Under certain conditions, the Project Associations page loaded slowly and resulted in a 404 error.

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan Go projects on Linux machines using the go_repository rules generated by Bazel Gazelle (see here).

...

  • The "Resolution Request Status" report can now be accessed through the Reports menu.

Resolved Issues

  • Under certain conditions, the Unified Agent returned no dependencies after failing to parse the packages database when scanning docker images.

  • In the Source Files widget, after refreshing the page the Change Library column was not displayed.

  • Under certain conditions, there were inaccuracies in the Effective Usage Analysis Summary Report.

  • Under certain conditions, the Unified Agent had an issue following a redirect when trying to download a Gradle dependency.

Version 20.6.2 (5-July-2020)

New Features and Updates

Mend Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • Upgraded the following:

    • WildFly to version 10.1.0

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review was the least common license in an organization/product/project, the License dashboard ceased to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

Version 20.6.1.1 (30-June-2020)

Resolved Issues

  • Under certain circumstances, the NuGet dependency detection of csproj files resulted in an inaccurate version of the dependency.

Version 20.6.1 (21-June-2020)

New Features and Updates

Mend Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the Mend Expert Fix is the first solution recommended to customers in the list of suggested fixes.

...

  • This version introduces a Dockerized Unified Agent. More information can be found here.

  • Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.

  • This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.

Resolved Issues

  • Artifactory Docker Virtual Repository scans failed when containing a remote repository.

  • Under certain conditions, the UA exited without appropriate log messages.

  • Under certain circumstances, there was an issue with C# package identification.

  • In the Library Details page, Only library with effective vulnerability was not displayed.

  • When trying to create a Jira issue when defining a policy based on vulnerability effectiveness, an exception occurred.

  • In the Web Application, in the Alerts Report, the EUA “shields” were not displayed.

  • Jira server issues were not created due to wrong assignee parameters.

  • During NuGet scans, exceptions occurred following references to missing files.

...

  • For customers where Prioritize is installed: An “effectiveVulnerabilitiesOnly” flag was added to VULNERABILITY_SEVERITY in Policies API.

Resolved Issues

  • Under certain circumstances, a specific format of package version in the nuspec file caused a failure in NuGet resolution.

  • Under certain circumstances, a wrong command was run in NuGet resolution when packages.config was present.

  • There was no option to provide a full path in a csproj file when referencing other csproj files.

  • Jira API parameter "query" (which replaced “username”) did not work for all customers.

  • In the wss_resourceVulnerabilities table, security alerts were not calculated when there was no sourceFileHashes mapping.

  • Under certain circumstances, Ruby scans failed.

  • In the Unified Agent, when dependencies in Yarn scans had two versions, the scans failed.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

Mend Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and must be filled in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

...

  • Beginning with this release, NuGet resolution is improved and aligned with the other resolvers by excluding system packages from the scan results by default.

  • Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.

Resolved Issues

  • Proxy support was missing in one of the HTTP calls of the Lambda serverless implementation.

  • Under certain circumstances in Gradle resolution, a hash was calculated on an empty file.

  • License links that did not contain a protocol were considered relative resources in the site, and therefore the base URL was added to the href.

  • After executing actions in the Inventory Report, the selection wasn’t cleared.

  • When trying to sync a source library which has a duplicate in the database, it tried to remove the existing source library.

  • Some reports with multiple selection (such as checkboxes) didn’t have any actions to execute on selected items.

  • When an assignee existed but didn’t appear in the Unified Agent’s initial list, users were unable to create an issue type policy.

  • Under certain conditions, the Artifactory Plugin would send product parameters as Repository Name in check policy compliance requests.

...

  • Currently, when entering an invalid role in the setProductAssignments API call, the response is "Successfully set product assignments". Beginning in this version, the response is changed to include the assignments that were successfully set by the API call. Also included is an additional list named “warningMessages” (available from API version 1.3 and up), that includes various warning messages.

  • In the next Unified Agent release, the NuGet resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.

Resolved Issues

  • The License Compatibility report did not recognize licenses that were manually overridden.

  • Uninstalled OS packages were included in the scan.

  • Under certain circumstances, the Alert ignorers role was missing from the setProductAssignments API.

  • The security severity calculations of the "policyStatistics" and "vulnerabilityStatistics" sections of the scan report were not aligned.

  • Scanning projects that included circular symbolic links on Linux caused an issue.

  • Unnecessary information was printed to the Unified Agent’s log when Azure registry images were scanned.

...

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will not ignore .jar, .war, .ear, .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

Resolved Issues

  • Under certain conditions, when the MultiModuleAnalyzer ran on large Gradle multiModule projects, it ignored certain modules.

  • In Prioritize, the Maven pre-conditions incorrectly used mavenIgnoredScopes.

  • Under certain conditions, the Unified Agent sent empty dependencies values in offline requests.

  • Jira projects were not taken into consideration when fetching the mandatory fields to open a Jira issue.

  • Under certain conditions, some docker image packages (centos) had the same hash value key.

  • In cases involving the R package manager, when the match library flag was ON and there was no sha1 for the package, the additional sha1 of this package was ignored.

  • When fetching the last RVI sync attempt, an OptimisticLockException (AbstractSyncServiceImpl:78) was thrown because another process was updating the same object; hence the version was changed.

  • When an RVI sync task was created for the first time, it was created without a task name.

  • Under certain conditions, RedHat libraries were missing from customer databases.

  • Under certain conditions, after the Docker image (Centos:8) rpm scan ran, there were over 110 items remaining to resolve.

  • In Jira, under certain conditions, the following occurred due to Jira API changes:

    • Issues were created without an assignee

    • When a reporter was defined as mandatory, issues were not created

    • Adding issue policies via the API failed

    This fix applies automatically for new policies. For existing policies, if customers defined a reporter or assignee, they must edit those policies and re-enter the assignee and reporter, and then save.

...

  • In the Attribution Report, the license text is no longer displayed in the Copyrights section.

  • In the Plugin Request History report, "fs-agent" has been changed to "unified-agent".

Resolved Issues

  • A permissions issue existed where the Source File Inventory Report did not filter projects according to user privileges, i.e. users who weren't members of project A were still able to view source files and libraries of that project.

  • The All Products drop-down list was not sorted alphabetically.

  • Under certain conditions on large-scale NPM projects, running two scans led to a StackOverflowError.

  • Under certain conditions, there were parsing irregularities in the modules.txt file.

  • Under certain conditions, when parsing a “paket.lock” file, an exception occurred.

  • Under certain conditions, Paket scan results displayed information regarding NuGet.

  • Under certain conditions, in the Unified Agent, Gradle failed due to the merging of impactAnalysis with failErrorLevel.

  • In AVM’s Fortify Client, there was an error parsing clients with URLs that contained “ssc”.

  • Under certain conditions, the maven.ignoredScopes flag did not work as expected.

  • Maven scans resulted in missing Maven dependencies.

  • The License Compatibility Report displayed multiple licenses even after using the override function.

  • The ignoreSourceFiles parameter affected the "includes/excludes" scan results.

  • The default paket.exe path was mistakenly assigned a wrong path.

  • Under certain conditions, the NuGet resolver contained the wrong version.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, Mend will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar,.war,.ear,.zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • Some nupkg libraries whose display name did not use a dash ('-') as the version separator were not recognized as the same library and therefore did not generate the Multiple Library Versions alert.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

  • A new API request "getProjectLicensesTextZip" enables project-level scope for the getLicensesTextZip API, providing more granular results for legal business needs.

  • A new API request "getProjectCopyrightsTextFile" enables project-level scope for the getCopyrightsTextFile API, providing more granular results for legal business needs.

Resolved Issues

  • When the Multi-Module Analyzer scanned at least a dozen projects, it sometimes randomly failed on some of them, although no such problem existed when scanning a single project.

...

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

Resolved Issues

  • In Prioritize, in the Vulnerability Analysis pane, the Analysis Coverage exceeded 100%.

  • The Unified Agent failed to resolve python dependencies using the virtualenv command.

  • There were incorrect descriptions for some of the Python libraries.

  • The Debian importer was unable to download files without release dates.

  • Under certain situations, CVEs still appeared in the web application even after blacklisting all vulnerable source files.

  • In Effective Usage Analysis, when the multi-module-analyzer scanned several projects, it sometimes randomly failed some of them, although when it scanned a single project no problem occurred.

  • The "Base directory" differed between the old Unified Agent and the new one, causing wrong results for customers.

...

  • For customers who want to have sources files with associated vulnerabilities identified in Mend when possible, a new optional parameter for getProjectAlertsByType API enables the response to include vulnerable source files.

Resolved Issues

  • In Prioritize, the Analysis Coverage exceeded 100% in the Effective Vulnerability widget.

  • Under certain conditions, Scala project scans failed on SBT dependencies.

  • Under certain conditions, in the Unified Agent, when the 'gradle' commands failed, the Unified Agent did not execute 'gradlew' commands.

  • Under certain conditions, library folders appeared in the wrong module.

  • In the Attribution report, the provided license reference was not necessarily the license text itself.

  • Under certain conditions, after a customer removed an organization, it remained in the customer’s system.

  • Alerts for new NPM versions included pre-release versions.

...

  • This version introduces support for the DNF Package manager for CentOS.

Resolved Issues

  • [Fixed] Under certain conditions, problems occurred when logging in to the Mend application via Microsoft Azure.

...

  • A License column has been added to the Attribution Report, enabling users to filter libraries by license in the preview screen.

  • Added report flexibility: The Attribution Report now enables users to select multiple projects for inclusion in the report’s output.

Resolved Issues

  • [Fixed] New alerts emails were sent to customers that disabled email notifications.

  • [Fixed] Under certain circumstances, the License Compatibility Report did not display results.

...

  • Attribution Report data improvement - When there is no license reference in the library, a generic license will be presented.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • Attribution Report data improvement - In various cases, a valid license text will be displayed in the report instead of the previously-used JSON/XML.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • A new screen option, Nested Licenses, provides added granularity for complex cases where nested licenses are being used in a library's repository, such as 3rd party licenses.

  • In the Due Diligence report, the range of years for the library's copyright (in from-to format) is now displayed in the Copyright column. Additionally, in the By Copyrights filter, it is now possible to filter according to the from-to values.

Resolved Issues

  • [Fixed] Under certain conditions, newly-imported JavaScript libraries were included in Gitta lookups.

  • [Fixed] After closing a request for a Source Library, a new request was opened again after scanning.

  • [Fixed] Under certain conditions, Null Pointer Exceptions occurred when the CVSS 3 extraData field was null.

  • [Fixed] When passing float values to the client, these values changed their original value, causing incorrect data to be presented.

  • [Fixed] Due to the system path of the Gradle dependencies, the EUA analysis coverage was inaccurate.

  • [Fixed] When inserting a copyright date range in the Due Diligence report, the report did not filter properly and the results were therefore inaccurate.

  • [Fixed] When the Unified Agent .jar file was extracted while running, the Unified Agent would cease to function.

...

Beginning in this version, Mend Developer Integrations will have its own release notes. Please refer here.

Resolved Issues

  • [Fixed] Under certain conditions in app.whitesourcesoftware.com, some libraries were missing although the update request contained them.

  • [Fixed] Servers received imported licenses that have license names but no license types, resulting in no license creation.

  • [Fixed] Under certain conditions, the Unified Agent did not collect all the dependencies in yarn projects.

  • [Fixed] Under certain conditions, it was impossible to create sub-task issues using Jira integration.

  • [Fixed] When trying to create a new copyright template without years, an error was displayed.

  • [Fixed] When exporting an HTML Attribution Report by project in a partial-data organization, an error was displayed.

  • [Fixed] Under certain conditions, the Unified Agent Docker Hub scan returned no results.

  • [Fixed] An out-of-memory issue occurred for Yarn.

  • [Fixed] Detect configurations did not work correctly for GO projects.

  • Release Unified Agent version 19.11.1

...

  • The Unified Agent now runs Effective Usage Analysis even if npm.includeDevDependencies is set to false.

Resolved Issues

  • [Fixed] After creating an issue, when trying to parse the JSON response from Jira, an exception occurred, resulting in Jira issues created several times for the same libraries in the same projects.

  • [Fixed] In the Attribution Report, XML was not displayed properly (for example, XML tags were removed).

  • [Fixed] In specific circumstances, the Gradle resolver did not create a full dependency tree, resulting in missing libraries from Docker image scans.

  • [Fixed] When trying to upload an offline request with a specific Gradle dependency, the dependency was not found in the inventory.

  • [Fixed] Uploading a metadata file to the Mend application resulted in errors.

  • [Fixed] In Mend for Bitbucket Server, Mend for GitHub Enterprise, and Mend for GitHub.com, when an issue for multiple components was created, the Automatic Remediation information was displayed.

  • Release Unified Agent version 19.10.1

...

  • The GPL 2.0, MPL 1.0, MPL 1.1, and MPL 2.0 licenses now have a copyright risk score of 65.

  • Risk analysis information was added for the GPL 1.0 and OpenSSL licenses.

Resolved Issues

  • [Fixed] An error in the RVI sync process caused the alert creation to fail.

  • [Fixed] A null pointer exception occurred while calculating the check policy hash.

  • [Fixed] In the Risk Report, when a project had duplicate dependencies in the hierarchy, negative values were displayed.

  • [Fixed] Mend for GitHub Enterprise, Mend for GitHub.com - Duplicate GitHub Issues were generated for the same library and CVE when multiple scans were triggered in parallel for a commit.

  • Release Unified Agent version 19.9.2

...

  • An indicator has been added to Mend for GitHub Enterprise, Mend for GitHub.com and Mend for BitBucket Server indicating when automatic remediation is available for the specific vulnerability.

  • Mend is launching the Mend for GitLab Core beta version, enabling GitLab users to access Mend security alerts within GitLab’s native environment.

Resolved Issues

  • [Fixed] The getChangesReport API request was disregarding the time specified in the "startDateTime" field, fetching results from 00:00 on the specified date.

  • [Fixed] In an EUA-enabled organization, under certain conditions in 'Library Security Vulnerabilities' view, projects referencing the vulnerability were not filtered by the projects to which the user has privileges, resulting in errors.

  • [Fixed] In some cases, the Containers dashboard did not display any results.

  • [Fixed] Mend for GitHub Enterprise - When upgrading to image version 19.8.1, a Java error was displayed in the wss-ghe-app logs.

...

  • The API requests getProductLicenses, getOrganizationLicenses, and getProjectLicenses have an optional new field, excludeProjectOccurrences (default value = false) which enables getting product/domain licenses without project occurrences.

Resolved Issues

  • [Fixed] In the Risk Report PDF, in the Policy Name field, Chinese characters were omitted.

  • [Fixed] In selected instances when Prioritize’s multi-module setup failed, the log reported it as successful.

  • [Fixed] The response of the "getAllOrganizations" API request yielded a "Success" message in scenarios where it should have failed.

  • [Fixed] When resolving Yarn dependencies, the wrong line was printed in the log.

  • [Fixed] The Unified Agent did not identify all SBT dependencies in the *compile.xml file.

...

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Rust packages found in Rust-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Haskell packages found in Haskell-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on OCaml packages found in OCaml-related websites.

Resolved Issues

  • [Fixed] If SAML has been configured, under certain conditions login failed with a NullPointerException.

  • [Fixed] On a Go project using the Godep dependency manager, the Unified Agent did not find all GO dependencies.

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

Resolved Issues

  • [Fixed] Users were unable to create a policy with an 'Issue' action linking to their 'Work Items' tracker type.

  • [Fixed] Under certain conditions, after a project was updated, a server failure message was displayed.

  • [Fixed] In the Security section in the Risk Report, large numbers did not display correctly.

  • [Fixed] When a request was assigned to a group, conditions did not appear in Pending Tasks.

  • [Fixed] Under certain conditions, the Unified Agent failed to retrieve projects from Artifactory.Releases.

...

  • For customers using Application Vulnerability Management platforms such as ThreadFix or Fortify, this version introduces the synchronization of Open Source Software scanning results from Mend to the aforementioned platforms.

Resolved Issues

  • [Fixed] In the Users page, the names did not sort correctly in alphabetical order.

  • [Fixed] In the Risk Report, in the Security area, when displaying data with a large number of libraries, the last digit was displayed in a line of its own.

  • [Fixed] Users received errors when trying to approve their library requests.

  • [Fixed] The Library Details page was stuck indefinitely with a “Loading Data” message.

  • [Fixed] When trying to approve tasks from the Pending Tasks screen, users received a message stating insufficient permissions.

  • [Fixed] Using the Unified Agent on Windows 10 via command line led to “illegal operations” warnings.

  • [Fixed] When configuring ‘excludeDependenciesFromNodes’, the wrong dependency was excluded.

  • [Fixed] File paths with special characters caused the Unified Agent to crash.

  • [Fixed] When activating Mend Advise, using the wrong regular expression in the URL caused the activation process to fail.

...

  • A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.

  • This version adds support for scanning Go 1.11 projects without the need for a dependency manager.

Resolved Issues

  • [Fixed] Projects were limited to exporting 32766 lines.

  • [Fixed] In the Users page, when the page was reduced, the column names were hidden.

  • [Fixed] When generating a Risk Report with a large number of libraries, the last digit was displayed in its own line.

  • [Fixed] Under certain conditions, failures occurred when trying to resolve Python dependencies.

  • [Fixed] The Unified Agent took an excessively long time to run.

  • [Fixed] When trying to approve requests and clicking Override and Approve, administrators were sent back to the Home page with a message notifying insufficient permissions.

  • [Fixed] When an API request for the getProjectAlertsReport was sent, the output was an .xlsx file in which the last title, Library Type, and the entries underneath it were not in the same column.

...

  • New streamlined multi-module process - In the multi-module Prioritize, a new command-line parameter, overrideExistingSetup = true, enables users to remove the pause between multi-module steps.

Resolved Issues

  • [Fixed] In the Inventory report, when match by filename was not selected, a filename match still occurred.

  • [Fixed] Under certain conditions, alerts weren't removed for deleted vulnerabilities.

  • [Fixed] Handling changed paths and vulnerability traces tasks took over 10 hours to complete.

  • [Fixed] After performing the Apply to Pending Requests action on product-level policies, a “server error” message was displayed.

  • [Fixed] Several identical licenses were assigned to the same library.

  • [Fixed] The API call getProductRiskReport took an excessively long time to run.

  • [Fixed] In the Dashboard, in License Analysis, clicking Facebook BSD + Patents displayed an empty report even though the relevant license exists.

  • [Fixed] When retrieving Gitta cached results under certain conditions, a NullPointerException was displayed.

  • [Fixed] When handling update requests, an exception occurred.

  • [Fixed] The Unified Agent experienced memory issues.

  • [Fixed] When scanning a GitLab repository using Source Control Management (SCM) configuration, an error message was received.

  • [Fixed] Mend Bolt for Azure report was not available in the Azure DevOps multi-stage pipelines preview.

  • [Fixed] When integrating Prioritize with Gradle, the log analysis process failed for sub-modules.

  • [Fixed] Under certain conditions, the config file mistakenly created a new Mend directory instead of including all configuration settings in the build directory.

  • [Fixed] In the R resolver, the library name did not match the package name in the DESCRIPTION dependency file.

  • [Fixed] Docker scans would hang when retrieving images.

  • [Fixed] In the Unified Agent, in the log, different parameters had the same name.

  • [Fixed] The Library WhiteList did not block Reject policy violations.

  • [Fixed] After the Unified Agent scanned .js files, some of the files were replaced by other versions with a different SHA-1 version.

  • [Fixed] Under certain conditions, the Mend Application did not identify NuGet packages.

  • [Fixed] Under certain conditions, when the Unified Agent ran on NuGet, it did not clear the packages directory and failed on a second run.

  • [Fixed] The Unified Agent log displayed thousands of attempts to access irrelevant URLs.

  • [Fixed] A proper error message for the Python errors in the debug log level was not generated.

  • [Fixed] Python dependencies were not resolved in hierarchical mode.

...

  • Extended JFrog Artifactory Integration:

    • Support updating the JFrog Artifactory “properties” tab of an artifact with vulnerabilities and licensing information from the Mend scan.

    • Support accessing a JFrog Artifactory repository using a token for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’.

  • Support more informative summary statistics at the end of a scan, displaying the different language extensions for which binary/source files were found and, for each extension, how many source/binary files were scanned.

Resolved Issues

  • [Fixed] In certain scenarios in the Alerts report, when using a filter on the report, the screen hung with a “Loading Data” message.

  • [Fixed] JIRA integration - An error was returned while trying to create a JIRA ticket as part of a policy action because no JIRA credentials were set.

  • [Fixed] In certain scenarios, the application's request processing time was very long in the Azure EU system.

  • [Fixed] In certain scenarios, when manually changing the origin library of two different libraries consecutively, the "Show me some options" results of the second library were refreshed only after a few seconds.

  • [Fixed] HTML resolver - In certain scenarios, an error occurred when resolving HTML dependencies.

  • [Fixed] In some cases, when scanning Android projects, duplicate entries were created in the inventory.

  • [Fixed] Mend Bolt activation for Azure DevOps Server 2019 failed due to a registration-phase error.

  • [Fixed] In certain scenarios, archive extraction did not work correctly for some jar and war files.

  • [Fixed] Mend For Containers - A Docker image that was configured in the ‘docker.includes’ parameter was not scanned.

  • [Fixed] When running a scan using the UA in debug mode, the path reported in the log was the executable path instead of the file path.

  • [Fixed] When running the UA from PowerShell with command line parameters whose names include “.”, a parsing error was returned.

  • [Fixed] In certain scenarios, when a proxy was configured in the UA configuration file, a scan returned an error.

...

  • Maven Plugin: Support creating empty projects in Mend for maven projects with multi-modules when some of the modules are empty by using a new configuration parameter ‘updateEmptyProject’.

Resolved Issues

  • [Fixed] In certain scenarios, when the request with source files to match was very large (over 1M source files), the Gitta lookup returned an error.

  • [Fixed] In certain scenarios, libraries were incorrectly identified as having security vulnerabilities, or ignore comments were deleted.

  • [Fixed] Attribution Report - Extra separation lines were added when adding Header text.

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page at the Product level.

  • [Fixed] In certain scenarios, applying in-house rules to pending requests took a long time. A performance improvement was made.

  • [Fixed] The UA failed to resolve Ant dependencies due to external Ant parameters. A new configuration parameter was added, ‘ant.external.parameters’, which should contain a comma-separated list of <key=value> pairs.

...

  • GitHub integration: Added the ability to enable/disable the creation of open issues after the scan has been completed.

Resolved Issues

  • [Fixed] In certain scenarios, the number of libraries displayed on the ‘Top 10 Products’ panel could differ from the number of libraries displayed on the specific product page.

  • [Fixed] Ignored Alerts report: Comments were not displayed after the project was filtered.

  • [Fixed] Unified Agent: In certain scenarios, when the configuration parameter ‘npm.includeDevDependencies’ was set to ‘true’, the scan ignored this setting.

  • [Fixed] Unified Agent, Go code with a Gogradle environment: An issue could occur when passing information to the Unified Agent while using a custom build file ('build-inner.gradle') and settings file ('settings-inner.gradle').

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page.

...

  • Release management automation: Added the ability to obtain an attribution report via the API requests ‘getProductAttributionReport’ and ‘getProjectAttributionReport’.

  • The ‘getProjectComparisonReport’ API provides a project comparison report in an Excel format.

Resolved Issues

  • [Fixed] Alerts report may not always be updated after the source files are moved to a new source library.

  • [Fixed] Classification of specific Microsoft ASP.NET libraries may be erroneous.

  • [Fixed] Library Details page: Library type column of Alerts table is not always populated.

  • [Fixed] Requests may occasionally pause when a JIRA issue is created during a request update.

  • [Fixed] When the 'go.dependencyManager' parameter is not defined, the Unified Agent may not go through all the supported resolvers.

...

Note: The ability as a 'Product Default Approver' or 'Product Administrator' to assign licenses/copyrights has been removed.

Resolved Issues

  • [Fixed] In specific settings the ‘getVulnerabilitiesBetweenDates’ API call may not function properly.

  • [Fixed] Attribution report: In certain browsers, the 'Library' column may not be properly displayed.

  • [Fixed] 'Set as Home Page' option does not work with SAML.

  • [Fixed] Project Page: The Library pane size may change when switching between ‘Flat list’ and ‘Hierarchy’ views.

  • [Fixed] Attribution report: Occasionally, issues may occur while exporting the report as a ‘.txt’ file.

  • [Fixed] Gradle based projects: Issues may occur during the scan in specific cases when no source files are in the project.

...

  • Enhanced service user automation: The new API call 'createServiceUser' enables adding a service user.

  • The following API calls enable fetching a list of all custom attributes along with their set of values for each library on a Project/Product/Organization level: ‘getOrganizationCustomAttributeValues’, ‘getProductCustomAttributeValues’, ‘getProjectCustomAttributeValues’.

  • Improved automation for granular policy enforcement: Added API calls to manage policies on a Project level. These API calls include ‘getProjectPolicies’, ‘addProjectPolicy’, ‘updateProjectPolicy’, ‘removeProjectPolicies’, ‘reorderProjectPolicyPriorities’.

Resolved Issues

  • [Fixed] Library Version Comparison page: An error in loading the page may occur for specific libraries.

  • [Fixed] In specific libraries, the alert on a library is marked as ‘ignored’, but the scan still fails.

  • [Fixed] Inventory report: Sorting by license may not always display the report in the desired order.

  • Unified Agent:

    • [Fixed] An error related to the stopwatch class has been fixed.

    • [Fixed] In certain cases, the temporary Mend directory names may be too long and their paths may exceed 260 characters.

...

  • The ‘productName’ parameter is now supported in the CLI when running the xModuleAnalyzer. See also related documentation.

Resolved Issues

  • [Fixed] Ignored Alerts report: Manual comments may not be displayed properly.

  • [Fixed] Attribution report: Issues may occur when exporting a report with the ‘Reference generic license’ option selected.

  • [Fixed] Security Trends Dashboard: The entire organizational data is displayed for all users, including the users who do not have permissions to view all of the Products.

  • [Fixed] Effective Usage Analysis (EUA): A Java exception may occur when running the Unified Agent with both Gradle and Maven related parameters enabled.

...

  • The new Containers vulnerabilities report displays the vulnerabilities per pod, namespace, and cluster. It enables the user to filter specific resources according to their context in the cluster. See also related documentation.

  • Attribution report: Missing copyright references are now marked with an asterisk (‘*’) character.

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Alerts report, and Vulnerabilities report.

  • Due Diligence report: Added option to view the report data only for a specific project, in addition to a particular product.

Resolved Issues

  • [Fixed] Unified Agent: Microsoft TFS Integration: An ‘Invalid diff JSON structure’ error may be displayed in specific configuration settings.

  • [Fixed] An error message is not displayed when trying to create a user via the 'Create User' functionality with the email address of a user that already exists.

  • Inventory report:

    • [Fixed] The ‘Primary Attribute’ is not included in the export output of the report.

    • [Fixed] A number of options in the search dropdown menu are not displayed when searching by product name.

    • [Fixed] In certain scenarios the ‘Suspected unspecified license’ filter erroneously displays no records in the results.

  • [Fixed] Risk report: PDF output may include issues when exporting the report for a selected product.

  • [Fixed] Occasional pauses may occur while submitting new libraries via the Drag and Drop UI.

  • [Fixed] ‘Admin’ → ‘Users’ page → ‘Invite Users’ button: Email addresses that include a space as the last character of the address are not processed, and an error message is displayed.

  • [Fixed] The process of renaming a project may occasionally require a relatively long interval, and no indication is displayed on when the process will be completed.

  • [Fixed] SAML: Single Sign On (SSO) may not work properly after a certificate update.

  • [Fixed] In specific configurations a source library may be uploaded without its source files after the scan.

  • [Fixed] Security Trends Dashboard: Issues may occur in the output when selecting 3 months and 6 months time frames.

  • [Fixed] In certain configurations libraries may be matched by their name although the ‘Match libraries by filename’ checkbox is cleared.

...

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Inventory report, Source File Inventory report, and Due Diligence report. The following API requests include a new optional parameter called 'format'. The format is 'xlsx' by default, and valid options include 'json' and 'xlsx': ‘getOrganizationInventoryReport’, ‘getProductInventoryReport’, ‘getProjectInventoryReport’, ‘getOrganizationSourceFileInventoryReport’, ‘getProductSourceFileInventoryReport’, ‘getProjectSourceFileInventoryReport’, ‘getOrganizationDueDiligenceReport’, ‘getProductDueDiligenceReport’.

  • Risk Report: Added an ‘Apply’ button for the selected scope (Organizational or Product) that generates the report only after it is pressed.

  • Attribution Report: A new option enables the user to select one of the following outputs in cases where the license reference cannot be obtained:

    • Leave license blank

    • Reference a generic license

Resolved Issues

  • Jira Integration:

    • [Fixed] Unclear error message is displayed when the Issue Tracker URL is invalid.

    • [Fixed] In certain scenarios, exceptions may occur when fetching Jira mandatory fields.

  • [Fixed] Manual Comments: The ‘&’ and ‘%’ characters are classified as illegal characters, and therefore, some URLs cannot be entered.

  • [Fixed] The Attribution report does not fully support foreign language characters in Unicode.

  • [Fixed] The ’getOrganizationProjectVitals’ API request may require a relatively long time to complete.

  • Unified Agent:

    • [Fixed] When scanning a remote repository (using SCM settings), the Unified Agent also scans the directory where the Unified Agent was executed.

    • [Fixed] In certain Yarn based projects, dev dependencies are resolved even though the parameter ‘npm.includeDevDependencies’ is set to ‘false’.

    • [Fixed] The ‘productToken’ parameter is always ignored when running the Unified Agent with the ‘-requestFiles’ CLI parameter.

    • [Fixed] A returned output message is out of context when the Unified Agent runs on an SBT project without a defined target folder.

...

  • Checks API support for GitHub Integration: Added support for the Completed with 'Neutral' conclusion. This conclusion is displayed when a 'push' command is not valid. See also related documentation.

  • Attribution Report: Added custom attributes specified for the component in the summary report for both HTML and Text export formats.

  • Risk report: Added the ‘How Do We Compare?’ section to the PDF export of this report.

  • License compatibility report: Added an option to export the report in Excel and XML formats.

  • Unified Agent:

    • The following updates were made as part of the overall plan to move to a single scanning interface:

      • JAR file changed to ‘wss-unified-agent-<x.x.x>.jar’

      • Configuration file changed to ‘wss-unified-agent-<x.x.x>.config’

      • License changed from Open Source (Apache) to a Mend Commercial license.

      • New distribution repo on GitHub (unified-agent-distribution)

      • Backwards compatible (fs-agent-distribution and fs-agent repositories are still available for previous open source versions of the Unified Agent)

    • The checkbox ‘Add project to default product when only project name is provided’ has been added to the ‘Integrate’ tab.
      If only 'projectName' is provided in the configuration file (‘projectToken’, ‘productName’, ‘productToken’ are left empty), and the checkbox is not selected (default), then the first found project with the identical name is overridden. If the checkbox is selected in the same scenario, then the project is added by default to the product named 'My Product'.

    • Added the configuration parameter 'failErrorLevel', which sets additional scenarios to 'error' instead of 'success'.

Resolved Issues

  • Unified Agent:

    • [Fixed] Issues may occur while scanning a multi-module SBT project.

    • [Fixed] Issues may occur while scanning multiple projects on Bamboo.

  • Effective Usage Analysis (EUA):

    • [Fixed] While using the multi-module feature, sub modules are being overridden due to identical names. See also related documentation on updates to the setup file.

    • [Fixed] The summary of the Effective and non Effective libraries may not always match when comparing them on a Product vs. Project level.

  • [Fixed] High Severity Bugs report: An error may occur in the generation of the report in specific scenarios.

  • [Fixed] Attribution report: HTML export of report does not support Chinese characters.

  • API:

    • [Fixed] It is not possible to create a product with a name that includes non-Latin characters.

    • [Fixed] A fetched Due Diligence report in Excel format may not be properly formatted.

...

Version 22.5.2 (12-June-2022)

Resolved Issues

  • Jira tickets were not created successfully by the Jira Data Center/Server plugin when a Mend organization included many Prioritize scans.

  • When using the Jira Cloud plugin, when more than one policy configuration was defined for the same project, a ticket would be opened for an arbitrary Jira project.

Version 22.5.1 (29-May-2022)

New Features and Updates

  • The setup.cfg file is now supported as part of the Unified Agent's Python resolution, introduced via a new parameter python.resolveSetupFiles.
    The python.resolveSetupFiles controls the resolution of both setup.py and setup.cfg files and replaces the soon to be deprecated python.resolveSetupPyFiles parameter.

Resolved Issues

  • Setting a Jira project with trailing spaces was not handled correctly by the Jira Server plugin.

  • An error occurred while trying to execute a govendor command as part of the Unified Agent's Govendor resolution.

Version 22.4.2.1 (15-May-2022)

Resolved Issues

  • Addressed security vulnerabilities identified for the Jira Data Center/Server plugin’s dependencies.

Version 22.4.2 (15-May-2022)

New Features and Updates

  • (Mend CLI) Detailed information about policy violations will now be available as part of the JSON format.

Resolved Issues

  • The Maven resolution of the Unified Agent did not work as expected with specific versions of the Apache Maven Dependency Plugin.

  • Under certain conditions, an NPE exception would occur when the Jira Server plugin tried to create new Jira tickets.

  • When using the Azure DevOps Pipelines extension for scanning certain projects, the Mend step in the pipeline would fail due to a timeout.

Version 22.4.1.1 (2-May-2022)

Resolved Issues

  • Fixed an issue in the Unified Agent in which the NPM or Maven resolution failed when an Amazon Corretto JDK was used.

Version 22.4.1 (1-May-2022)

New Features and Updates

  • The Jira Data Center and Server plugin now supports version 8.22.

Resolved Issues

  • The number of library paths in the ticket description for the Jira Data Center and Server plugin was limited to 5.

...

Version 22.3.3 (17-April-2022)

New Features and Updates

Mend CLI (Beta)

  • It is now possible to set the Mend scope (full or partial) of the scanned project as part of the CLI scan command.

  • Detailed information about policy violations will now be displayed in the output of the CLI scan command.

  • The output of the CLI scan command can now be displayed in JSON format, replacing the previous --json <file> option.

Resolved Issues

  • Under certain circumstances, not all the Unified Agent's processes were terminated on Windows.

  • Addressed security vulnerabilities identified for the Jira Data Center/Server plugin’s dependencies.

Version 22.3.2.2 (10-April-2022)

Resolved Issues

  • When the user uninstalls the Jira Cloud Integration and then installs it again before synchronization occurs, the old installation would override the new installation.

...

Version 22.3.2 (3-April-2022)

Resolved Issues

  • The Unified Agent did not support proxy settings missing a username.

  • The number of library paths in the ticket description for the Jira Cloud plugin was limited to 5.

...

A Jira Data Center approved version of the Jira Server plugin is now available.

Resolved Issues

  • The Dependency Hierarchy in the ticket description was limited to 3 hierarchical paths.

Version 22.3.1 (20-March-2022)

Resolved Issues

  • In Bower projects with local dependencies, the Unified Agent was unable to detect dependencies.

  • In a specific case, when the Unified Agent scanned a Gradle project, a stack trace exception was thrown without the error information.

  • Addressed security vulnerabilities identified for the Artifactory plugin’s dependencies.

...

Version 22.2.2.1 (9-March-2022)

Resolved Issues

  • The Python resolution was fixed by reducing the total number of duplicate dependencies detected by the Unified Agent.

Version 22.2.2 (6-March-2022)

New Features and Updates

  • A message is displayed when no dependencies are found by the Unified Agent in a package.json file for an NPM project.

  • (Application API) A new parameter showing a library’s release date (if it has one) was added to the Inventory report at the organization, product and project-level.

Resolved Issues

  • When running Go commands in the Unified Agent to download dependencies that were not in the cache, warning messages would be displayed.

  • The Unified Agent was unable to extract layers with extension .tar.gz when scanning a docker tar file.

Version 22.2.1 (20-February-2022)

New Features and Updates

  • The scanning of Yocto projects in the Unified Agent is now supported in Beta status for Poky projects.

  • A new column titled “Matching Policy” was added to the Libraries table in the Pending Tasks Approval page of the UI, highlighting the policy that triggered the action on the pending request.

  • To differentiate between tickets that were opened by the Jira Server/Cloud plugin for direct dependencies and transitive dependencies, a new field WS-LibraryHierarchy was added. This field will contain the value DIRECT or TRANSITIVE.

...

Version 22.1.2 (6-February-2022)

New Features and Updates

  • (UA) The ignoreSourceFiles parameter, superseded by the fileSystemScan parameter, will be deprecated from release version 22.5.1.

  • New licenses TTWL and Attribution-NonCommercial 2.0 Generic are now supported in the Application.

  • A new optional parameter includeOutdatedLibraryData was added to the getProjectInventoryReport API request to improve the API performance.
    By default, the value is true, in order to maintain backward compatibility. When the value is false, the outdatedModel and outdated fields will not be populated with information.

  • The Azure DevOps extension now supports Azure DevOps Server. The extension name was changed from "Mend for Azure DevOps Services" to "Mend for Azure DevOps".

Resolved Issues

  • The Unified Agent’s Docker Container scan did not perform a general scan of the container file system.

  • When selecting the Organizational level in the Members report, the data would not load.

Version 22.1.1.1 (27-January-2022)

Resolved Issues

  • An NPE exception would occur when trying to generate a scan report in the Unified Agent.

Version 22.1.1 (23-January-2022)

New Features and Updates

  • The Unified Agent now supports Java 17.

  • Mend Prioritize now supports Java 17.

  • To provide customers with easy access to the support portal, an icon (i.e., wrench) was added to the top menu that links directly to the Mend Support Portal: support.whitesourcesoftware.com.

  • The Mend task within the Azure DevOps integration now follows semantic versioning. This allows customers to receive release updates automatically.

...

Version 21.12.2 (9-January-2022)

New Features and Updates

Resolved Issues

  • In the Unified Agent, when scanning a project with no libraries, an NPE exception would occur when trying to generate a scan report.

  • In certain cases, in bower resolution, an NPE exception would occur when the Unified Agent trimmed missing dependencies from the dependencies tree.

  • In Jira Server, when clicking Save on the configuration page, there was no indication if the Default Jira Project setting was saved successfully.

...

Version 21.12.1 (26-December-2021)

New Features and Updates

  • A new and improved Artifactory plugin is introduced in this release, providing important updates, such as performance improvements, more granular control over downloaded components, and easier installation. The triggerBeforeDownload property was updated to control downloading of components from local repositories only, while a new property triggerBeforeRemoteDownload controls downloading of components from remote repositories. In addition, the userKey property is now mandatory.

  • Following improvements in the Gradle resolution, the gradle.wrapperPath parameter has now been deprecated.

  • (Application API) The library Uuid parameter was added to the getProjectSecurityAlertsByLibraryReport API response to enable the Issue Tracker plugin to get the aggregated shield indication for the specified library.

  • In the Jira Server Plugin, Prioritize shields are now displayed for every security vulnerability as part of the Jira ticket, when applicable.

Resolved Issues

Unified Agent

  • Cargo workspaces would not be handled correctly if a wildcard was used in the members list.

  • Effective Usage Analysis would only support Python projects with the appPath ending with requirements.txt.

  • When a Prioritize scan failed due to a pre-step error, a typo would appear in the scan log.

  • In the Unified Agent, if more than one extra-index-url was defined in a Pipfile, the pipenv resolution would fail.

Version 21.11.2.1 (16-December-2021)

Resolved Issues

  • Minor fix for Mend Prioritize reflection mechanism.

Version 21.11.2 (12-December-2021)

New Features and Updates

  • Scanning of OCI Docker images in the Unified Agent is now supported via the docker.scanTarFiles parameter.

  • (Application API) A new parameter resolvedType was added to the following APIs: getOrganizationLicenses, getProductLicenses, getProjectLicenses

  • The organizational setting of the Azure DevOps Services extension was updated to determine the Mend mapping resolution.

  • Addressed CVE-2021-44228 identified for Apache Log4j2.

  • In the Jira Cloud plugin, Prioritize shields are now displayed for every security vulnerability as part of the Jira ticket, when applicable.

  • (Kubernetes Integration) Addressed security vulnerabilities identified for the integration dependencies.

Resolved Issues

  • An exception occurred when the Unified Agent tried to resolve pipenv dependencies.

  • In some cases, the SBT resolver failed to detect dependencies.

  • When parsing GitHub commits in a Python project with a PIP dependency manager, errors occurred when parsing the GitHub dependencies.

  • In the Unified Agent, a local NPM package with no version caused an exception.

  • When scanning a Docker image by the Unified Agent, a vulnerability detected in a deleted file was included in the scan results.

  • (Application API) For organizations that were migrated to vulnerability-based alerting mode, a permission error would appear when clicking on the Alerts section in the Updates notification emails.

...

Version 21.11.1 (28-November-2021)

New Features and Updates

Application API

  • A new parameter resolvedType was added to the getProductAlertByType API.

  • A new HTTP v1.3 API was added that reassigns organization-level policies to a different owner.

...

  • Failing a pipeline build based on policy violations is now supported (by utilizing the Unified Agent’s policy-related settings).

  • The open-source risk report is now retained as part of the Azure DevOps Extension pipeline build, allowing build history auditing, faster report retrieval, and better user experience.

Resolved Issues

  • When scanning a Yarn project containing a yarn.lock file of a certain format, the UA would fail to parse the lock file and the resulting dependencies would contain null values.

  • The Go resolution of the Unified Agent missed dependencies in some cases when the "replace" directive was used in the go.mod file.

  • The Unified Agent didn't ignore comments appearing in the requirements.txt.

  • In the Unified Agent, when scanning Packrat projects, an exception occurred due to a missing or inaccessible packrat/lib directory.

  • In the Unified Agent, incorrect parsing of the poetry dependency tree resulted in an incorrect dependency tree to be sent in the update request.

  • In the Unified Agent, scanning of Go projects would fail when using a Go version earlier than 1.14.

  • (Application API) When exporting the getProjectLicenses API in JSON format, the Download link would be missing from all the libraries.

  • GitHub Enterprise private key field was limited to 5,000 characters.

  • Generating an activation token would fail when the organization’s name had non-alphanumeric characters.

...

Version 21.10.2 (14-November-2021)

New Features and Updates

  • The Dockerized Unified Agent was updated to the latest version which includes support for Conda.

  • The option to upload a zipped offline request for a scanned project is now supported.

  • In the Advanced Settings of the Jira Server and Jira Cloud Plugins' configuration page, you can now choose whether or not to ignore alerts for issues that are closed.

Resolved Issues

  • For organizations in Vulnerability-Based Alerts mode, the Containers Dashboard would show incorrect data.

  • In some cases, the Vulnerabilities Report for the different scopes failed to generate or returned an empty response.

  • Notification emails for new alerts were sometimes sent when no new alerts were created.

  • For some API calls, the response JSON returned incorrect charset encoding.

  • A duplicate key in the projectSecurityVulnerability resulted in incorrect alerts displayed for the project.

  • In some cases, alerts were not removed after recalculating In-House rules.

  • The Unified Agent failed to calculate the SHA-1 of NPM packages residing at the local workspace.

  • Building the Dockerized Unified Agent resulted in errors.

  • When Essentials users were using the Azure DevOps Services extension, the Organization Settings page would not be displayed.

  • After an extension was uninstalled from the Azure DevOps Services, subsequent installation and on-boarding of the services extension would fail when the organization was inactive.

  • After removing a Bolt extension from the Azure DevOps Services, the Mend Organization would be deactivated.

...

Version 21.10.1 (31-October-2021)

New Features and Updates

  • The Unified Agent now supports Yarn 3.

  • Excluding Docker layers from the Unified Agent’s scan is now available in Beta status via the docker.excludeLayersByLabel configuration parameter.

  • Links to the Mend policy and library are now added to the Jira tickets for the Jira Server and Cloud plugins.

Resolved Issues

  • The dependencies of the docker layer would not reflect the project in the UI.

...

Version 21.9.1.1 (25-October-2021)

Resolved Issues

  • When the Unified Agent scanned a multi-module Gradle project, the project name would contain a version.

  • When the Unified Agent scanned a Gradle project containing a dependency with no version, no dependencies would be found and an exception would be thrown.

  • When the Unified Agent scanned a project on a Windows machine, if the “-d” parameter had a trailing whitespace, an exception would be thrown.

  • When a Unified Agent scanned a Go Modules project, test dependencies were incorrectly identified.

Azure DevOps Integration Version 21.9.11 (18-October-2021)

Resolved Issues

  • In the Azure DevOps integration (Services and Bolt extensions), an erroneous redirect prevented loading the organizational and project settings of the extensions.

Version 21.9.1 (17-October-2021)

New Features and Updates

  • A new configuration parameter commandTimeout is now available for controlling the timeout of all the commands executed by the Unified Agent during a scan.

Resolved Issues

  • When performing a global search to check for CVE vulnerabilities in the library inventory, the results would display "No files in your inventory are vulnerable" when in fact there were vulnerabilities.

  • Poetry updated dependencies that were not identified would not show in the Application at all because the Artifact ID was missing.

  • The Unified Agent did not comply with the default branch name change when scanning an SCM GitHub repository.

  • If some of the entries were missing from the go.sum file, the Unified Agent's Go Modules resolution would fail to detect dependencies.

...

NOTE: The Application release is delayed to October 10th due to maintenance and stabilization improvements.

New Features and Updates

  • Conda dependencies detection is now enabled by default - the default value for the conda.resolveDependencies parameter is set to true.

  • The Gradle dependencies' detection mechanism was improved significantly. As a result, the following Gradle parameters are now obsolete:

    • gradle.runAssembleCommand

    • gradle.runPreStep

    • gradle.localRepositoryPath

    • gradle.downloadMissingDependencies

    • gradle.wrapperPath

    In addition, the default value of the gradle.preferredEnvironment was changed to wrapper, to improve the scan results and align to Gradle best practices.

  • The Unified Agent now supports Yarn 2.

  • The Jira Server and Cloud plugins now support the automatic updates of tickets following changes identified on Mend - whether the policy no longer affects the project or the library is no longer in the project's inventory.

Resolved Issues

  • In the Unified Agent, some NPM dependencies would be missing when the npm.removeDuplicateDependencies parameter was set to true.

  • Building the scanner Dockerfile would fail when trying to install Cocoapods for managing the library dependencies.

  • In the Unified Agent, the PIP resolution would fail in cases when the pyproject.toml was found.

Version 21.8.1.1 (31-August-2021)

Resolved Issues

  • Removed unreachable libraries from the Unified Agent’s jar.

Version 21.8.1 (29-August-2021)

New Features and Updates

  • The Unified Agent now supports scanning of Conda dependencies specified in environment.yml files. Conda dependencies detection is controlled by a new parameter conda.resolveDependencies which is disabled by default. Note: Mend Conda vulnerabilities coverage is currently limited to Python dependencies only and will be extended in coming releases.

  • The includes parameter now has a default value (comprising all the Mend supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).

  • The excludes parameter now has a default value of:
    **/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

  • Go dependency detection now enables the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.

  • Performance improvements are introduced to the NPM dependencies detection.

...

  • Resolved an issue that occurred when using an Oracle database.

Resolved Issues

  • In the Unified Agent, the excludes parameter was being called for every project in a folder, instead of per project directory.

  • In the Unified Agent, when scanning a target folder while extracting a jar file, a null pointer exception occurred.

  • A Prioritize scan would fail with an EUA error due to missing SHA-1 library dependency.

  • An Artifactory Plugin scan would fail to get the SHA-1 library dependency.

...

Azure DevOps Integration Version 21.7.21 (17-August-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, authentication issues required downgrading the azure-devops-node-api NPM library used by the extension.

Version 21.7.2 (15-August-2021)

New Features and Updates

Jira Server Plugin (Beta)

  • Support was extended to the latest Jira Server versions.

Resolved Issues

  • In the Library Security Vulnerabilities page, when the same library appeared in several projects, the wrong shield was displayed.

  • Under certain conditions, when using the Vulnerabilities Report, an error occurred.

  • In the Unified Agent, when scanning in SCM mode, a debug exception occurred before cloning the repository.

  • In the Unified Agent, when scanning yarn projects, the hierarchy tree was not deduped, resulting in memory issues.

  • A runtime error occurred in the Artifactory plugin.

  • The minutes-to-milliseconds conversion during cloning of mendService.class caused an invalid value in wss.connectionTimeoutMinutes.

  • When scanning via Github scanner, when scanning a repository by a tag (not branch), the scan failed in the cloning phase.

...

Version 21.7.1 (1-August-2021)

New Features and Updates

Unified Agent

  • The default of php.removeDuplicateDependencies was changed to True.

...

  • A new report, the Early Warnings Report, is released. This report displays same-day indications of vulnerabilities automatically identified by Mend even before being certified by the Researchers. The report has limited availability for select customers. It is being rolled out gradually and will be available for all customers and environments in the next couple of weeks; a separate notice will be published in the release notes for GA.

  • Note that as was announced on June 6th, on August 15th the Multiple Library Version report will replace the alert for Multiple Library Version, which will be disabled for all customers. All information that was available in Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • When the same NuGet dependency was defined in both the csproj and nuspec, it appeared twice in the application.

  • In the Unified Agent, setting multiple archives in the "-d" argument sometimes led to incorrect results.

  • The Maven, OCaml, Modules, and the R resolvers of the Unified Agent were not failing the scan if the relevant package manager was not installed when failErrorLevel was set to ALL.

  • In the Unified Agent, the parameter gradle.additionalArguments was only being applied to a subset of Gradle commands, instead of all Gradle commands.

  • When scanning projects with the Unified Agent, and archiveIncludes and archiveExtractionDepth were set, corrupted zip files resulted in null pointer exceptions in certain Java versions.

  • In the Unified Agent, the Maven resolver did not detect the dependency tree path when the Maven log was altered.

...

Version 21.6.3 (18-July 2021)

New Features and Updates

  • The detection accuracy of security vulnerabilities was improved for the Unified Agent Linux package manager scan (scanPackageManager).

  • The base image of the CircleCI orb executor was updated to Ubuntu 18.04.

  • The image of the Mend integration for Bitbucket was updated.

...

  • The library path was added to the Jira ticket.

Resolved Issues

  • In the Security Alerts reports, there were no checks to determine if the organization had partial data property.

  • Jira Server Plugin: instead of assigning the Mend issue type only to the relevant project, it was added to all the screens in the user's Jira environment.

...

Azure DevOps Integration Version 21.6.3.1 (14-July 2021)

Resolved Issues

  • In the Azure DevOps Services Integration, a corrupted setting of the extension was not handled correctly.

Azure DevOps Integration Version 21.6.3 (8-July 2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented executing the Mend task.

Version 21.6.2.2 (6-July 2021)

Resolved Issues

  • In the Unified Agent, when the gradle.preferredEnvironment parameter was set to wrapper, gradle commands were executed instead of gradlew commands.

Azure DevOps Integration Version 21.6.2.1 (5-July 2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented updating the project settings.

...

Version 21.6.2 (4-July 2021)

New Features and Updates

Azure DevOps Services Integration

...

  • A new variable for specifying options for the Java command executing the Unified Agent's JAR is now available in the Bitbucket integration.

Resolved Issues

  • The IntelliJ IDE would cease to function when scanning Maven projects with the Mend plugin.

  • When a server was stopped, there were problems continuing the scan that had already started.

  • Persist ManagedResource failed after a database Lock exception.

  • Manually remapping of all the source files did not close pending requests for the old source library.

  • In the Unified Agent, projectPerFolderIncludes failed to detect subfolders.

  • When scanning a Yarn project with the Unified Agent, if the "resolved" section was missing for a dependency within the yarn.lock file, a Null Pointer Exception occurred.

  • Mend now supports the ability to run bower and yarn in the same directory.

  • In the case of GitHub.com integration, the SCM scanner scanned the root folder instead of the cloning folder, causing the scanner to scan additional libraries.

...

Version 21.6.1 (20-June 2021)

New Features and Updates

Unified Agent

  • Beginning in this version, support is added for Cargo workspaces.

Resolved Issues

  • When defined only from the fromDate parameter, the getXXXXAlertsByType API call returned an empty list in VBA mode.

  • The Vulnerability Report opened with a partial mode disclaimer even in non-partial mode organizations.

  • In the Unified Agent, NPM 6 failed to resolve dependencies originating from registry.npm.tabao.org.

Version 21.5.2 (6-June 2021)

New Features and Updates

Reports

  • A new report is introduced in beta phase - the Multiple Library Version report. This report displays information regarding multiple versions of the same library that are being used in the selected project/product. With the release of this report, we are announcing that the alert for Multiple Library Version will be disabled to all customers on August 15th, 2021. All information that was available on Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • Under certain conditions in the Library Location Report, the same file locations were displayed multiple times for the same library.

  • A transitive dependency declared for both the "test" and "compile" scopes was omitted from the scan results.

  • An NPM scan failed with a null pointer when it identified a package.json missing the name or the version.

  • In the Unified Agent, a null pointer exception occurred during Maven dependency downloads.

...

Version 21.5.1 (23-May-2021)

New Features and Updates

Web UI

  • When working in Vulnerability-based alerting mode, the Details column was returned to the exported License and Compliance Alerts Report, providing more specific information on the alert.

  • A new license, Saucy 2.0, has been added. See here for details.

  • In Vulnerability-based Alerts organizations, a new button, More Information, was added to the pending tasks page. When selecting tasks from the list (up to 50) and clicking on this button, a new pop-up screen will appear, presenting information regarding the number of vulnerabilities and the license of each of the selected tasks' libraries. The user will be able to change the tasks selection in the pop-up, and the new selection will be saved upon clicking Save. The users will then be returned to the original pending tasks screen, and will be able to choose to approve or reject the tasks, based on the information that was provided in the pop-up.

Resolved Issues

  • In rare cases, there was a discrepancy between the vulnerabilities number shown in the Library page and that shown in the Alerts report.

  • When the organization's name included the character ".", creating an access key of the issue tracker integration failed.

  • Queries used to calculate match types fetched all project resource usages of the product/project, taking a long time to return server responses.

  • The Unified Agent did not handle Gradle artifact relocation correctly.

  • In some cases, when the Artifactory Plugin deleted Temp folders, not all folders were deleted.

...

Version 21.4.2.1 (11-May-2021)

New Features and Updates

Jira Server Plugin (Beta)

...

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

...

Version 21.4.1 (25-April-2021)

Resolved Issues

  • Users encountered errors logging in to Mend.

  • Project name or project token were mandatory parameters for Docker scanning unnecessarily.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.

...

Version 21.3.2.2 (19-April-2021)

Resolved Issues

  • Resolved a security issue in the Jira Server plugin.

Version 21.3.2.1 (13-April-2021)

Resolved Issues

  • Resolved an issue where running the Unified Agent with “-v” resulted in its version printed with a console log message header.

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new Mend Organization is created.

  • The name of the Sun license was changed to Sun Public License.

...

  • The following documentation changes were implemented:

    • The Deprecated Features topic was deprecated and the content was moved to the Notices page.

    • The Setting the Home Page topic was deprecated and the content was moved to the Mend Home Page topic.

    • The High Severity Bugs Report topic was deprecated.

    • The File System topic was deprecated.

  • Structural modifications were implemented to the opening documentation sections, beginning with the login/homepage documentation. As a result, the following pages were deprecated:

    • Getting Started

    • Setup Projects

    • Automate the Process by Using the Unified Agent

  • In the next version, the R Integration page will be deprecated.

Resolved Issues

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

The Jira Server Plugin is now available in the Atlassian marketplace. Please note that the Jira Server Plugin is currently in beta.

Resolved Issues

  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.

...

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

  • A new API is now available for unmarking manually-assigned in-house libraries - unmarkManualInHouseLibrary.

Resolved Issues

  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the Mend Configuration task parameter led to a scan failing.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependencies detection was improved, by supporting the sbt-dependency-graph plugin when applicable.

Resolved Issues

  • When working in vulnerability-based alerting mode, user roles were not being validated when ignoring/reactivating alerts.

...

Version 21.1.2 (14-February-2021)

Resolved Issues

  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a mend-generated .encrypted file not being deleted at the end of each Mend build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of mend-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Updated the Mend task version from 20 to 21. In order to use the new version(s) of the extension, you will need to update the task from mend@20 to mend@21 inside your pipeline definition.

  • Added the ability to map an Azure Project to an existing Mend Product (in addition to creating a new Mend Product) via the Project Settings > Extensions > mend page.

Resolved Issues

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.

    • Layers with a SHA1 were unnecessarily looked up in the index.

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

...

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

Resolved Issues

  • Azure DevOps Services Integration: When opening the Security vulnerabilities tab in the Open Source Risk report, the data was not sorted by severity.

  • Azure DevOps Services Integration: Adding the Mend task to a YAML-based pipeline without setting any of its parameters resulted in an error. As part of this fix, a default value was added for the cwd parameter.

  • Fixed failures of inventory update if artifactVersion exceeded the valid length.

  • The Unified Agent failed to parse a non-lowercase configuration value.

  • The Unified Agent failed to resolve NuGet dependencies when the project.assets.json file was not found in its standard location.

  • A Python direct dependency, which was also used as a transitive dependency by another library, was not listed as a direct dependency by the Unified Agent.

  • RPM packages installed or deleted without using yum were not identified correctly by the Unified Agent.

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

...

  • A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.

Resolved Issues

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All” in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

...

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

Resolved Issues

  • For some libraries, the Impact Analysis page did not display results.

  • Filtering by library in the Attribution Report did not display all results.

  • In the Web UI, there was no indication when a library contained no licenses. NOTE: Beginning in this version, an indication that review is required is displayed.

  • In Azure environments, when saving/updating a SAML integration (Domain and Global Account level), an HTTP error 500 was displayed.

  • In the Vulnerabilities Report, the screen’s legend was unclear.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

  • Attribution Report: It is now possible to exclude versions from an exported Attribution Report via API

Resolved Issues

  • Exceptions occurred when saving Global Account policies.

  • In the Unified Agent’s scan log, certain Gradle configurations were missing.

  • Azure DevOps Services Integration: In some cases, build artifacts over 200MB resulted in one of the following errors:

    • ##[error]RangeError: Maximum call stack size exceeded

    • ##[error]Error: "toString()" failed

  • Azure DevOps Services Integration: In some cases, scanning a project containing an npm project resulted in the following error:
    ##[error]Error: ENOTDIR: not a directory, scandir '/home/....../node_modules/.bin/acorn'

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

  • Read-only Permissions: A new auditing role can now be assigned to service users through the setOrganizationAssignments API to give them read-only permissions in the scope of a specific organization.

Resolved Issues

  • An unexpected output received from the SBT sbtVersion command caused the Unified Agent to throw an exception.

  • The Unified Agent did not correctly handle a possible output of the SBT organization command.

  • The Unified Agent failed to extract .tar files created with special characters on Linux.

  • When executing update inventory requests which create a new project, the getProjectVitals/getProductProjectVitals API requests did not display the Unified Agent's version.

  • When trying to add a new admin from the global admins page, the users list was empty.

  • When configuring SCM via JSON files, the Unified Agent scanned the current directory.

  • Project Association: The limitation on the number of items in the products list was removed.

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

A modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter has been archived and is therefore no longer in use.

Resolved Issues

  • The Unified Agent’s Artifactory scanner failed to build a URL from strings that contained non-alphanumeric characters.

  • Dependencies defined in the gemfile.lock file with an exclamation mark suffix were wrongly resolved.

  • Policies where Action was defined as Issue failed to create Work Items issues.

  • Under certain conditions, when working with policies of the Issue type, exceptions occurred while loading Work Items data.

...

Version 20.10.1 (25-October-2020)

New Features and Updates

Mend Core

  • In order to comply with industry standards, Mend has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

...

Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter will be archived and therefore no longer be in use.

Resolved Issues

  • When the project information object did not have a version in its coordinates, the Unified Agent failed to run.

  • The Unified Agent failed when trying to resolve a large PHP project.

  • Azure DevOps Services Integration: A pipeline build with the Mend task failed to scan GitHub repositories when using a Linux build agent.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, did not handle duplicate dependencies correctly. This caused an increase in the size of requests sent by the Unified Agent.

  • When applying Create Issue policies, issues were created incorrectly for all projects in the organization (added November 1, 2020).

  • When updating group assignments, SAML incorrectly removed users from the domain (added November 1, 2020).

  • When entering multiple values for either groupAssignments or userAssignments in the setProductAssignments and setOrganizationAssignments API calls, these values were ignored. The fix - from now on, the first value is assigned (added November 1, 2020).

  • Users were unable to change a source file library if there was already an existing mapping with a comment (added November 1, 2020).

...

  • The license name of Oracle Development License (as it previously appeared in the application) will now appear according to its official name, Oracle Technology Network License Agreement.

Resolved Issues

  • During Kubernetes agent scanning, when the scanned component included the same image multiple times, irregularities occurred causing an exception.

  • In the Attribution report, GPL 2.0 with exception licenses was mistakenly displayed as "insert GPL v2 license text here".

  • When scanning PHP, the Unified Agent threw an exception if one (or more) of the packages did not have a "source" element in the lock file.

Version 20.9.1 (4-October-2020)

New Features and Updates

Mend Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

...

  • Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.

  • Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.

Resolved Issues

  • When applying policies to existing inventory from the organizational policies page, the product and project policies were ignored.

  • When reassigning all of a user’s pending tasks, the inventory request approver was not properly updated.

  • When two Maven projects were defined with the same name, both projects were created, but with partial data. The introduced fix adds a suffix (_1, _2) to a project name in case there is more than one project with the same name.

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

Resolved Issues

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.

Resolved Issues

  • When running the Gradle resolver, if a dependency is missing, the Unified Agent will try to download .jar dependencies only.

  • In the rare use case of a change in the GAV coordinates of an artifact, Gradle scans didn't produce the correct signature for this artifact.

  • The Request Resolution Status Report displayed the wrong path on the top of the report.

  • In the Vulnerability Report, the Locations column was missing from the JSON format.

  • When scanning the plan.json file in a Haskell project, a nullPointerException would occur when building hierarchies where one child did not have dependencies.

  • In the application’s home screen, some bulk actions of approval/rejection of pending tasks were timed out. This caused the UI to hang and requests were not marked as reviewed.

  • When scanning a Docker image with source libraries, the “hierarchy” tree included duplications of the source library matched with those source files.

  • Layer information was missing when detecting FOSS components in Docker .tar files.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • When a scan for a project is requested while a scan for the same project is already being executed, the new scan is skipped. Starting in this version, the JSON file returned for the scan will specify the status SKIPPED instead of FINISHED.

Resolved Issues

  • In cases of empty status files in Debian Docker images, the scan resulted in zero dependencies.

  • In the Policies screens, a popup indicating that changes will not be saved was displayed even though all changes were properly saved.

  • A TimeoutException was thrown when calling the method updateNodesParentAndMr in the DependencyNodeRepositoryImpl class.

  • Priority and Assignee fields appeared in Jira-based policy creation, even when those fields were not defined in the Jira project itself.

  • Following a change in JFrog Artifactory version 7 whereby the property name haAwareEtcDir was changed to etcDir, exceptions were thrown in the Mend Artifactory plugin.

...

Version 20.7.2 (2-August-2020)

New Features and Updates

Mend Core

  • SAML session token duration (the time between the IDP authentication and the Mend login) was changed from 10 minutes to 5 minutes.

...

  • Improvements were made to the Docker scanning of Linux RPM-based images.

  • Users can now configure Unified Agent parameters using environment variables.

  • The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan Go projects on both Linux and Windows using the go_repository rules generated by Bazel Gazelle (see here).

Resolved Issues

  • When organizations were deleted, data was removed, specifically alerts. This caused timeout exceptions if the table was locked.

  • Under certain scenarios, a null pointer exception occurred when loading the product assignment.

  • Under certain conditions, there were problems with dependency resolution from yarn.lock.

  • Under certain conditions in Unified Agent Docker scans, exceptions occurred when there were similar file names but different content or formats.

  • Kubernetes deployment procedure didn't take into consideration initial configured delays.

  • When running the Prioritize Multi-Module Analyzer for Gradle, modules that did not have build.gradle were not handled correctly.

  • Under certain conditions, there were issues with the format of the link field within the policyRejectionSummary file.

  • Under certain conditions, the Project Associations page loaded slowly and resulted in a 404 error.

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan Go projects on Linux machines using the go_repository rules generated by Bazel Gazelle (see here).

...

  • The "Resolution Request Status" report can now be accessed through the Reports menu.

Resolved Issues

  • Under certain conditions, the Unified Agent returned no dependencies after failing to parse the packages database when scanning Docker images.

  • In the Source Files widget, after refreshing the page the Change Library column was not displayed.

  • Under certain conditions, there were inaccuracies in the Effective Usage Analysis Summary Report.

  • Under certain conditions, the Unified Agent had an issue following a redirect when trying to download a Gradle dependency.

Version 20.6.2 (5-July-2020)

New Features and Updates

Mend Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • Upgraded the following:

    • WildFly to version 10.1.0 

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

Version 20.6.1.1 (30-June-2020)

Resolved Issues

  • Under certain circumstances, the NuGet dependency detection of csproj files resulted in an inaccurate version of the dependency.

Version 20.6.1 (21-June-2020)

New Features and Updates

Mend Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values 

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the Mend Expert Fix is the first solution recommended to customers in the list of suggested fixes.

...

  • This version introduces a Dockerized Unified Agent. More information can be found here.

  • Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.

  • This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.

Resolved Issues

  • Artifactory Docker Virtual Repository scans failed when containing a remote repository.

  • Under certain conditions, the UA exited without appropriate log messages.

  • Under certain circumstances, there was an issue with C# package identification.

  • In the Library Details page, Only library with effective vulnerability was not displayed.

  • When trying to create a Jira issue when defining a policy based on vulnerability effectiveness, an exception occurred.

  • In the Web Application, in the Alerts Report, the EUA “shields” were not displayed.

  • Jira server issues were not created due to wrong assignee parameters.

  • During NuGet scans, exceptions were caused following references to missing files.

...

  • For customers where Prioritize is installed: An “effectiveVulnerabilitiesOnly” flag was added to VULNERABILITY_SEVERITY in Policies API.

Resolved Issues

  • Under certain circumstances, a specific format of package version in the nuspec file caused a failure in NuGet resolution.

  • Under certain circumstances, a wrong command was run in NuGet resolution when packages.config is present.

  • There was no option to provide a full path in a csproj file when referencing other csproj files.

  • Jira API parameter "query" (which replaced “username”) did not work for all customers.

  • In the wss_resourceVulnerabilities table, security alerts were not calculated when there was no sourceFileHashes mapping.

  • Under certain circumstances, Ruby scans failed.

  • In the Unified Agent, when dependencies in Yarn scans had two versions, the scans failed.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

Mend Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and must be filled in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

...

  • Beginning in this release, the NuGet resolution will be improved and aligned with the other resolvers by excluding the system packages from the scan results by default.

  • Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.

Resolved Issues

  • Proxy support was missing in one of the HTTP calls of the lambda serverless implementation.

  • Under certain circumstances in Gradle resolution, a hash was calculated on an empty file.

  • License links that didn’t contain a protocol were considered relative resources in the site; therefore, the base URL was added to the href.

  • After executing actions in the Inventory Report, the selection wasn’t cleared.

  • When trying to sync a source library which has a duplicate in the database, it tried to remove the existing source library.

  • Some reports with multiple selection (such as checkboxes) didn’t have any actions to execute on selected items.

  • When an assignee existed but didn’t appear in the Unified Agent’s initial list, users were unable to create an issue type policy.

  • Under certain conditions, the Artifactory Plugin would send product parameters as Repository Name in check policy compliance requests.

...

  • Currently, when entering an invalid role in the setProductAssignments API call, the response is "Successfully set product assignments". Beginning in this version, the response is changed to include the assignments that were successfully set by the API call. Also included is an additional list named “warningMessages” (available from API version 1.3 and up), that includes various warning messages.

  • In the next Unified Agent release, the NuGet resolution will be improved and aligned with the other resolvers by excluding the system packages from the scan results by default.

Resolved Issues

  • The License Compatibility report did not recognize licenses that were manually overridden.

  • Uninstalled OS packages were included in the scan.

  • Under certain circumstances, the Alert ignorers role was missing from the setProductAssignments API.

  • The security severity calculations of the "policyStatistics" and "vulnerabilityStatistics" sections of the scan report were not aligned.

  • An issue occurred when scanning projects that included circular symbolic links on Linux.

  • Unnecessary information was printed to the Unified Agent’s log when Azure registry images were scanned.

...

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will not ignore .jar, .war, .ear, and .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

Resolved Issues

  • Under certain conditions, when the MultiModuleAnalyzer ran on large Gradle multiModule projects, it ignored certain modules.

  • In Prioritize, the Maven pre-conditions incorrectly used mavenIgnoredScopes.

  • Under certain conditions, the Unified Agent sent empty dependencies values in offline requests.

  • Jira projects were not taken into consideration when fetching the mandatory fields to open a Jira issue.

  • Under certain conditions, some docker image packages (centos) had the same hash value key.

  • In cases involving the R package manager, when the match library flag was ON and there was no sha1 for the package, the additional sha1 of this package was ignored.

  • When fetching the last RVI sync attempt, an OptimisticLockException (AbstractSyncServiceImpl:78) was thrown because another process was updating the same object, so its version had changed.

  • When an RVI sync task was created for the first time, it was created without a task name.

  • Under certain conditions, RedHat libraries were missing from customer databases.

  • Under certain conditions, after the Docker image (Centos:8) rpm scan ran, there were over 110 items remaining to resolve.

  • In Jira, under certain conditions, the following occurred due to Jira API changes:

    • Issues were created without an assignee

    • When a reporter was defined as mandatory, issues were not created

    • Adding issue policies via the API failed

    This fix applies automatically for new policies. For existing policies, if customers defined a reporter or assignee, they must edit those policies and re-enter the assignee and reporter, and then save.

...

  • In the Attribution Report, the license text is no longer displayed in the Copyrights section.

  • In the Plugin Request History report, "fs-agent" has been changed to "unified-agent".

Resolved Issues

  • A permissions issue existed where the Source File Inventory Report did not filter projects according to user privileges, i.e. users who weren't members of project A were still able to view source files and libraries of that project.

  • The All Products drop-down list was not sorted alphabetically.

  • Under certain conditions on large-scale NPM projects, running two scans led to a StackOverflowError.

  • Under certain conditions, there were parsing irregularities in the modules.txt file.

  • Under certain conditions, when parsing a “paket.lock” file, an exception occurred.

  • Under certain conditions, Paket scan results displayed information regarding NuGet.

  • Under certain conditions, in the Unified Agent, Gradle failed due to the merging of impactAnalysis with failErrorLevel.

  • In AVM’s Fortify Client, there was an error parsing clients with URLs that contained “ssc”.

  • Under certain conditions, the maven.ignoredScopes flag did not work as expected.

  • Maven scans resulted in missing Maven dependencies.

  • The License Compatibility Report displayed multiple licenses even after using the override function.

  • The ignoreSourceFiles parameter affected the "includes/excludes" scan results.

  • The default paket.exe path was mistakenly assigned a wrong path.

  • Under certain conditions, the NuGet resolver contained the wrong version.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, Mend will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar, .war, .ear, and .zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • Some nupkg libraries that did not have a dash ('-') as the version separator in the display name were not recognized as the same library, and therefore Multiple Library Versions was not generated for them.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

  • A new API request "getProjectLicensesTextZip" enables project-level scope for the getLicensesTextZip API, providing more granular results for legal business needs.

  • A new API request "getProjectCopyrightsTextFile" enables project-level scope for the getCopyrightsTextFile API, providing more granular results for legal business needs.

Resolved Issues

  • When the Multi-Module Analyzer scanned at least a dozen projects, it sometimes randomly failed on some of them, although when scanning a single project no such problem existed.

...

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

Resolved Issues

  • In Prioritize, in the Vulnerability Analysis pane, the Analysis Coverage exceeded 100%.

  • The Unified Agent failed to resolve python dependencies using the virtualenv command.

  • There were incorrect descriptions for some of the Python libraries.

  • The Debian importer was unable to download files without release dates.

  • Under certain situations, CVEs still appeared in the web application even after blacklisting all vulnerable source files.

  • In Effective Usage Analysis, when the multi-module-analyzer scanned several projects, it sometimes randomly failed on some of them, although when it scanned a single project no problem occurred.

  • The "Base directory" differed between the old Unified Agent and the new one, causing wrong results for customers.

...

  • For customers who want source files with associated vulnerabilities identified in Mend when possible, a new optional parameter for the getProjectAlertsByType API enables the response to include vulnerable source files.

Resolved Issues

  • In Prioritize, the Analysis Coverage exceeded 100% in the Effective Vulnerability widget.

  • Under certain conditions, Scala project scans failed on SBT dependencies.

  • Under certain conditions, in the Unified Agent, when the 'gradle' commands failed, the Unified Agent did not execute 'gradlew' commands.

  • Under certain conditions, library folders appeared in the wrong module.

  • In the Attribution report, the provided license reference was not necessarily the license text itself.

  • Under certain conditions, after a customer removed an organization, it remained in the customer’s system.

  • Alerts for new NPM versions included pre-release versions.

...

  • This version introduces support for the DNF Package manager for CentOS.

Resolved Issues

  • [Fixed] Under certain conditions, problems occurred when logging in to the Mend application via Microsoft Azure.

...

  • A License column has been added to the Attribution Report, enabling users to filter libraries by license in the preview screen.

  • Added report flexibility: The Attribution Report now enables users to select multiple projects for inclusion in the report’s output.

Resolved Issues

  • [Fixed] New alerts emails were sent to customers that disabled email notifications.

  • [Fixed] Under certain circumstances, the License Compatibility Report did not display results.

...

  • Attribution Report data improvement - When there is no license reference in the library, a generic license will be presented.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • Attribution Report data improvement - In various cases, a valid license text will be displayed in the report instead of the previously-used JSON/XML.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • A new screen option, Nested Licenses, provides added granularity for complex cases where nested licenses are being used in a library's repository, such as 3rd party licenses.

  • In the Due Diligence report, the range of years for the library's copyright (in from-to format) is now displayed in the Copyright column. Additionally, in the By Copyrights filter, it is now possible to filter according to the from-to values.

Resolved Issues

  • [Fixed] Under certain conditions, newly-imported JavaScript libraries were included in Gitta lookups.

  • [Fixed] After closing a request for a Source Library, a new request was opened again after scanning.

  • [Fixed] Under certain conditions, Null Pointer Exceptions occurred when the CVSS 3 extraData field was null.

  • [Fixed] When passing float values to the client, these values changed their original value, causing incorrect data to be presented.

  • [Fixed] Due to the system path of the Gradle dependencies, the EUA analysis coverage was inaccurate.

  • [Fixed] When inserting a copyright date range in the Due Diligence report, the report did not filter properly and the results were therefore inaccurate.

  • [Fixed] When the Unified Agent .jar file was extracted while running, the Unified Agent would cease to function.

...

Beginning in this version, Mend Developer Integrations will have its own release notes. Please refer here.

Resolved Issues

  • [Fixed] Under certain conditions in app.whitesourcesoftware.com, some libraries were missing although the update request contained them.

  • [Fixed] Servers received imported licenses that have license names but no license types, resulting in no license creation.

  • [Fixed] Under certain conditions, the Unified Agent did not collect all the dependencies in yarn projects.

  • [Fixed] Under certain conditions, it was impossible to create sub-task issues using Jira integration.

  • [Fixed] When trying to create a new copyright template without years, an error was displayed.

  • [Fixed] When exporting the HTML Attribution Report by project in a partial-data organization, an error was displayed.

  • [Fixed] Under certain conditions, the Unified Agent Docker Hub scan returned no results.

  • [Fixed] An out-of-memory issue occurred for Yarn.

  • [Fixed] Detect configurations did not work correctly for GO projects.

  • Release Unified Agent version 19.11.1

...

  • The Unified Agent now runs Effective Usage Analysis even if npm.includeDevDependencies is set to false.

Resolved Issues

  • [Fixed] After creating an issue, when trying to parse the JSON response from Jira, an exception occurred, resulting in Jira issues created several times for the same libraries in the same projects.

  • [Fixed] In the Attribution Report, XML was not displayed properly (for example, XML tags were removed).

  • [Fixed] In specific circumstances, the Gradle resolver did not create a full dependency tree, resulting in missing libraries from Docker image scans.

  • [Fixed] When trying to upload an offline request with a specific Gradle dependency, the dependency was not found in the inventory.

  • [Fixed] Uploading a metadata file to the Mend application resulted in errors.

  • [Fixed] In Mend for Bitbucket Server, Mend for GitHub Enterprise, and Mend for GitHub.com, when an issue for multiple components was created, the Automatic Remediation information was displayed.

  • Release Unified Agent version 19.10.1

...

  • The GPL 2.0, MPL 1.0, MPL 1.1, and MPL 2.0 licenses now have a copyright risk score of 65.

  • Risk analysis information was added for the GPL 1.0 and OpenSSL licenses.

Resolved Issues

  • [Fixed] An error in the RVI sync process caused the alert creation to fail.

  • [Fixed] A null pointer exception occurred while calculating the check policy hash.

  • [Fixed] In the Risk Report, when a project had duplicate dependencies in the hierarchy, negative values were displayed.

  • [Fixed] Mend for GitHub Enterprise, Mend for GitHub.com - Duplicate GitHub Issues were generated for the same library and CVE when multiple scans were triggered in parallel for a commit.

  • Release Unified Agent version 19.9.2

...

  • An indicator has been added to Mend for GitHub Enterprise, Mend for GitHub.com and Mend for BitBucket Server indicating when automatic remediation is available for the specific vulnerability.

  • Mend is launching the Mend for GitLab Core beta version, enabling GitLab users to access Mend security alerts within GitLab’s native environment.

Resolved Issues

  • [Fixed] The getChangesReport API request was disregarding the time specified in the "startDateTime" field, fetching results from 00:00 on the specified date.

  • [Fixed] In an EUA-enabled organization, under certain conditions in 'Library Security Vulnerabilities' view, projects referencing the vulnerability were not filtered by the projects to which the user has privileges, resulting in errors.

  • [Fixed] In some cases, the Containers dashboard did not display any results.

  • [Fixed] Mend for GitHub Enterprise - When upgrading to image version 19.8.1, a Java error was displayed in the wss-ghe-app logs.

...

  • The API requests getProductLicenses, getOrganizationLicenses, and getProjectLicenses have an optional new field, excludeProjectOccurrences (default value = false) which enables getting product/domain licenses without project occurrences.

Resolved Issues

  • [Fixed] In the Risk Report PDF, in the Policy Name field, Chinese characters were omitted.

  • [Fixed] In selected instances when Prioritize’s multi-module setup failed, the log reported it as successful.

  • [Fixed] The response of the "getAllOrganizations" API request yielded a "Success" message in scenarios where it should have failed.

  • [Fixed] When resolving Yarn dependencies, the wrong line was printed in the log.

  • [Fixed] The Unified Agent did not identify all SBT dependencies in the *compile.xml file.

...

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Rust packages found in Rust-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Haskell packages found in Haskell-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on OCaml packages found in OCaml-related websites.

Resolved Issues

  • [Fixed] If SAML has been configured, under certain conditions login failed with a NullPointerException.

  • [Fixed] On a Go project using the Godep dependency manager, the Unified Agent did not find all GO dependencies.

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

Resolved Issues

  • [Fixed] Users were unable to create a policy with an 'Issue' action linking to their 'Work Items' tracker type.

  • [Fixed] Under certain conditions, after a project was updated, a server failure message was displayed.

  • [Fixed] In the Security section in the Risk Report, large numbers did not display correctly.

  • [Fixed] When a request was assigned to a group, conditions did not appear in Pending Tasks.

  • [Fixed] Under certain conditions, the Unified Agent failed to retrieve projects from Artifactory.Releases.

...

  • For customers using Application Vulnerability Management platforms such as ThreadFix or Fortify, this version introduces the synchronization of Open Source Software scanning results from Mend to the aforementioned platforms.

Resolved Issues

  • [Fixed] In the Users page, the names did not sort correctly in alphabetical order.

  • [Fixed] In the Risk Report, in the Security area, when displaying data with a large number of libraries, the last digit was displayed in a line of its own.

  • [Fixed] Users received errors when trying to approve their library requests.

  • [Fixed] The Library Details page was stuck indefinitely with a “Loading Data” message.

  • [Fixed] When trying to approve tasks from the Pending Tasks screen, users received a message stating insufficient permissions.

  • [Fixed] Using the Unified Agent on Windows 10 via command line led to “illegal operations” warnings.

  • [Fixed] When configuring ‘excludeDependenciesFromNodes’, the wrong dependency was excluded.  

  • [Fixed] File paths with special characters caused the Unified Agent to crash.

  • [Fixed] When activating Mend Advise, using the wrong regular expression in the URL caused the activation process to fail.

...

  • A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.

  • This version adds support for scanning Go 1.11 projects without the need for a dependency manager.

Resolved Issues

  • [Fixed] Projects were limited to exporting 32766 lines.

  • [Fixed] In the Users page, when the page was reduced, the column names were hidden.

  • [Fixed] When generating a Risk Report with a large number of libraries, the last digit was displayed in its own line.

  • [Fixed] Under certain conditions, failures occurred when trying to resolve Python dependencies.

  • [Fixed] The Unified Agent took an excessively long time to run.

  • [Fixed] When trying to approve requests and clicking Override and Approve, administrators were sent back to the Home page with a message notifying insufficient permissions.

  • [Fixed] When an API request for the getProjectAlertsReport was sent, the output was an .xlsx file in which the last title, Library Type, and the entries underneath it were not in the same column.

...

  • New streamlined multi-module process - In the multi-module Prioritize, a new command-line parameter, overrideExistingSetup = true, enables users to remove the pause between multi-module steps.

Resolved Issues

  • [Fixed] In the Inventory report, when match by filename was not selected, a filename match still occurred.

  • [Fixed] Under certain conditions, alerts weren't removed for deleted vulnerabilities.

  • [Fixed] Handling changed paths and vulnerability traces tasks took over 10 hours to complete.

  • [Fixed] After performing the Apply to Pending Requests action on product-level policies, a “server error” message was displayed.

  • [Fixed] Several identical licenses were assigned to the same library.

  • [Fixed] The API call getProductRiskReport took an excessively long time to run.

  • [Fixed] In the Dashboard, in License Analysis, clicking Facebook BSD + Patents displayed an empty report even though the relevant license exists.

  • [Fixed] When retrieving Gitta cached results under certain conditions, a NullPointerException was displayed.

  • [Fixed] When handling update requests, an exception occurred.

  • [Fixed] The Unified Agent experienced memory issues.

  • [Fixed] When scanning a GitLab repository using Source Control Management (SCM) configuration, an error message was received.

  • [Fixed] Mend Bolt for Azure report was not available in the Azure DevOps multi-stage pipelines preview.

  • [Fixed] When integrating Prioritize with Gradle, the log analysis process failed for sub-modules.

  • [Fixed] Under certain conditions, the config file mistakenly created a new Mend directory instead of including all configuration settings in the build directory.

  • [Fixed] R resolver: the library name did not match the package name in the DESCRIPTION dependency file.

  • [Fixed] Docker scans would hang when retrieving images.

  • [Fixed] In the Unified Agent, in the log, different parameters had the same name.

  • [Fixed] The Library WhiteList did not block Reject policy violations.

  • [Fixed] After the Unified Agent scanned .js files, some of the files were replaced by other versions with a different SHA-1 hash.

  • [Fixed] Under certain conditions, the Mend Application did not identify NuGet packages.

  • [Fixed] Under certain conditions, when the Unified Agent ran on NuGet, it did not clear the packages directory and failed on a second run.

  • [Fixed] The Unified Agent log displayed thousands of attempts to access irrelevant URLs.

  • [Fixed] A proper error message for the Python errors in the debug log level was not generated.

  • [Fixed] Python dependencies were not resolved in hierarchical mode.

...

  • Extended JFrog Artifactory Integration:

    • Support updating the JFrog Artifactory “properties” tab of an artifact with vulnerability and licensing information from a Mend scan.

    • Support accessing a JFrog Artifactory repository using a token for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’.

  • Support more informative summary statistics at the end of a scan - displaying different language extensions for which binary/source files were found and for each extension how many source/binary files were scanned. 

Resolved Issues

  • [Fixed] In certain scenarios in the Alerts report, when a filter was applied to the report, the screen hung with a “Loading Data” message.

  • [Fixed] JIRA integration - An error was returned while trying to create a JIRA ticket as part of a policy action because no JIRA credentials were set.

  • [Fixed] In certain scenarios request processing time of the application was very long in Azure EU system.

  • [Fixed] In certain scenarios, when the origin library of two different libraries was changed manually in succession, the "Show me some options" results of the second library were refreshed only after a few seconds.

  • [Fixed] HTML resolver - In certain scenarios an error occurred when resolving HTML dependencies.

  • [Fixed] In some cases, scanning Android projects created duplicate entries in the inventory.

  • [Fixed] Mend Bolt activation for Azure DevOps Server 2019 failed due to registration phase error.

  • [Fixed] In certain scenarios archive extraction didn’t work correctly for some jar & war files.

  • [Fixed] Mend For Containers - A Docker image that was configured in the ‘docker.includes’ parameter was not scanned.

  • [Fixed] When running a scan using the UA in debug mode, the path reported in the log was the executable path instead of the file path.

  • [Fixed] When running the UA from PowerShell with command-line parameters whose names include “.”, a parsing error was returned.

  • [Fixed] In certain scenarios, when a proxy was configured in the UA configuration file, a scan returned an error.

...

  • Maven Plugin: Supports creating empty projects in Mend for multi-module Maven projects when some of the modules are empty, via a new configuration parameter ‘updateEmptyProject’.

Resolved Issues

  • [Fixed] In certain scenarios, when the request with source files to match was very large (over 1M source files), the Gitta lookup returned an error.

  • [Fixed] In certain scenarios, libraries were incorrectly identified as having security vulnerabilities, or ignore comments were deleted.

  • [Fixed] Attribution Report - Extra separator lines were added when Header text was added.

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page at the Product level.

  • [Fixed] In certain scenarios, applying in-house rules to pending requests took a long time; performance was improved.

  • [Fixed] The UA failed to resolve Ant dependencies because of external Ant parameters. A new configuration parameter, ‘ant.external.parameters’, was added; it takes a comma-separated list of <key=value> pairs.

...

  • GitHub integration: Added the ability to enable/disable the creation of open issues after the scan has been completed.

Resolved Issues

  • [Fixed] In certain scenarios, the number of libraries displayed on the ‘Top 10 Products’ panel could differ from the number of libraries displayed on the specific product page.

  • [Fixed] Ignored Alerts report: Comments were not displayed after filtering by project.

  • [Fixed] Unified Agent: In certain scenarios, when the configuration parameter ‘npm.includeDevDependencies’ was set to ‘true’, the scan ignored this setting.

  • [Fixed] Unified Agent, Go code with a Gogradle environment: An issue could occur when passing information to the Unified Agent while using a custom build file ('build-inner.gradle') and settings file ('settings-inner.gradle').

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page.

...

  • Release management automation: Added the ability to obtain an attribution report via the API requests ‘getProductAttributionReport’ and ‘getProjectAttributionReport’.

  • The ‘getProjectComparisonReport’ API provides a project comparison report in an Excel format.

Resolved Issues

  • [Fixed] Alerts report may not always be updated after the source files are moved to a new source library.

  • [Fixed] Classification of specific Microsoft ASP.NET libraries may be erroneous.

  • [Fixed] Library Details page: Library type column of Alerts table is not always populated.

  • [Fixed] Requests may occasionally pause when a JIRA issue is created during a request update.

  • [Fixed] When the 'go.dependencyManager' parameter is not defined, the Unified Agent may not go through all the supported resolvers.

...

Note: The ability as a 'Product Default Approver' or 'Product Administrator' to assign licenses/copyrights has been removed.

Resolved Issues

  • [Fixed] In specific settings the ‘getVulnerabilitiesBetweenDates’ API call may not function properly.

  • [Fixed] Attribution report: In certain browsers, the 'Library' column may not be properly displayed.

  • [Fixed] 'Set as Home Page' option does not work with SAML.

  • [Fixed] Project Page: The Library pane size may change when switching between ‘Flat list’ and ‘Hierarchy’ views.

  • [Fixed] Attribution report: Occasionally, issues may occur while exporting the report as a ‘.txt’ file.

  • [Fixed] Gradle based projects: Issues may occur during the scan in specific cases when no source files are in the project.

...

  • Enhanced service user automation: The new API call 'createServiceUser' enables adding a service user.

  • The following API calls enable fetching a list of all custom attributes along with their set of values for each library on a Project/Product/Organization level: ‘getOrganizationCustomAttributeValues’, ‘getProductCustomAttributeValues’, ‘getProjectCustomAttributeValues’.

  • Improved automation for granular policy enforcement: Added API calls to manage policies on a Project level. These API calls include ‘getProjectPolicies’, ‘addProjectPolicy’, ‘updateProjectPolicy’, ‘removeProjectPolicies’, ‘reorderProjectPolicyPriorities’.

Resolved Issues

  • [Fixed] Library Version Comparison page: An error in loading the page may occur for specific libraries.

  • [Fixed] In specific libraries, the alert on a library is marked as ‘ignored’, but the scan still fails.

  • [Fixed] Inventory report: Sorting by license may not always display the report in the desired order.

  • Unified Agent:

    • [Fixed] An error related to the stopwatch class has been fixed. 

    • [Fixed] In certain cases, the temporary Mend directory names may be too long and their paths may exceed 260 characters.

...

  • The ‘productName’ parameter is now supported in the CLI when running the xModuleAnalyzer. See also related documentation.

Resolved Issues

  • [Fixed] Ignored Alerts report: Manual comments may not be displayed properly.

  • [Fixed] Attribution report: Issues may occur when exporting a report with the ‘Reference generic license’ option selected.

  • [Fixed] Security Trends Dashboard: The entire organizational data is displayed for all users, including the users who do not have permissions to view all of the Products.

  • [Fixed] Effective Usage Analysis (EUA): A Java exception may occur when running the Unified Agent with both Gradle and Maven related parameters enabled.

...

  • The new Containers vulnerabilities report displays the vulnerabilities per pod, namespace, and cluster. It enables the user to filter specific resources according to their context in the cluster. See also related documentation.

  • Attribution report: Missing copyright references are now marked with an asterisk (‘*’) character. 

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Alerts report, and Vulnerabilities report.

  • Due Diligence report: Added option to view the report data only for a specific project, in addition to a particular product.

Resolved Issues

  • [Fixed] Unified Agent: Microsoft TFS Integration: An ‘Invalid diff JSON structure’ error may be displayed in specific configuration settings.

  • [Fixed] An error message is not displayed when trying to create a user via the 'Create User' functionality with an email address that already belongs to an existing user.

  • Inventory report:

    • [Fixed] The ‘Primary Attribute’ is not included in the export output of the report.

    • [Fixed] A number of options in the search dropdown menu are not displayed when searching by product name.

    • [Fixed] In certain scenarios the ‘Suspected unspecified license’ filter erroneously displays no records in the results.

  • [Fixed] Risk report: PDF output may include issues when exporting the report for a selected product.

  • [Fixed] Occasional pauses may occur while submitting new libraries via the Drag and Drop UI.

  • [Fixed] ‘Admin’ → ‘Users’ page → ‘Invite Users’ button: Email addresses that include a space as the last character of the address are not processed, and an error message is displayed.

  • [Fixed] The process of renaming a project may occasionally require a relatively long interval, and no indication is displayed on when the process will be completed.

  • [Fixed] SAML: Single Sign On (SSO) may not work properly after a certificate update.

  • [Fixed] In specific configurations a source library may be uploaded without its source files after the scan.

  • [Fixed] Security Trends Dashboard: Issues may occur in the output when selecting 3 months and 6 months time frames.

  • [Fixed] In certain configurations libraries may be matched by their name although the ‘Match libraries by filename’ checkbox is cleared.

...

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Inventory report, Source File Inventory report, and Due Diligence report. The following API requests include a new optional parameter called 'format'. The format is 'xlsx' by default, and valid options include 'json' and 'xlsx': ‘getOrganizationInventoryReport’, ‘getProductInventoryReport’, ‘getProjectInventoryReport’, ‘getOrganizationSourceFileInventoryReport’, ‘getProductSourceFileInventoryReport’, ‘getProjectSourceFileInventoryReport’, ‘getOrganizationDueDiligenceReport’, ‘getProductDueDiligenceReport’.

  • Risk Report: Added an ‘Apply’ button for the selected scope (Organizational or Product) that generates the report only after it is pressed.

  • Attribution Report: A new option enables the user to select one of the following outputs in cases where the license reference cannot be obtained:

    • Leave license blank

    • Reference a generic license

Resolved Issues

  • Jira Integration:

    • [Fixed] Unclear error message is displayed when the Issue Tracker URL is invalid.

    • [Fixed] In certain scenarios, exceptions may occur when fetching Jira mandatory fields.

  • [Fixed] Manual Comments: The ‘&’ and ‘%’ characters are classified as illegal characters, and therefore, some URLs cannot be entered.

  • [Fixed] The Attribution report does not fully support foreign language characters in Unicode.

  • [Fixed] The ’getOrganizationProjectVitals’ API request may require a relatively long time to complete.

  • Unified Agent:

    • [Fixed] When scanning a remote repository (using SCM settings), the Unified Agent also scans the directory where the Unified Agent was executed.

    • [Fixed] In certain Yarn based projects, dev dependencies are resolved even though the parameter ‘npm.includeDevDependencies’ is set to ‘false’.

    • [Fixed] The ‘productToken’ parameter is always ignored when running the Unified Agent with the ‘-requestFiles’ CLI parameter.

    • [Fixed] An out-of-context output message is returned when the Unified Agent runs on an SBT project without a defined target folder.

...

  • Checks API support for GitHub Integration: Added support for the ‘Completed with Neutral’ conclusion, which is displayed when a ‘push’ command is not valid. See also the related documentation.

  • Attribution Report: Added custom attributes specified for the component in the summary report for both HTML and Text export formats.

  • Risk report: Added the ‘How Do We Compare?’ section to the PDF export of this report.

  • License compatibility report: Added an option to export the report in Excel and XML formats.

  • Unified Agent:

    • The following updates were made as part of the overall plan to move to a single scanning interface:

      • JAR file changed to ‘wss-unified-agent-<x.x.x>.jar’

      • Configuration file changed to ‘wss-unified-agent-<x.x.x>.config’

      • License changed from Open Source (Apache) to a Mend Commercial license.

      • New distribution repo on GitHub (unified-agent-distribution)

      • Backwards compatible (fs-agent-distribution and fs-agent repositories are still available for previous open source versions of the Unified Agent)

    • The checkbox ‘Add project to default product when only project name is provided’ has been added to the ‘Integrate’ tab.
      If only 'projectName' is provided in the configuration file (‘projectToken’, ‘productName’, ‘productToken’ are left empty), and the checkbox is not selected (default), then the first found project with the identical name is overridden. If the checkbox is selected in the same scenario, then the project is added by default to the product named 'My Product'.

    • Added the configuration parameter 'failErrorLevel', which sets additional scenarios to 'error' instead of 'success'.

Resolved Issues

  • Unified Agent:

    • [Fixed] Issues may occur while scanning a multi-module SBT project.

    • [Fixed] Issues may occur while scanning multiple projects on Bamboo.

  • Effective Usage Analysis (EUA):

    • [Fixed] While using the multi-module feature, sub modules are being overridden due to identical names. See also related documentation on updates to the setup file.

    • [Fixed] The summary of the Effective and non Effective libraries may not always match when comparing them on a Product vs. Project level.

  • [Fixed] High Severity Bugs report: An error may occur in the generation of the report in specific scenarios.

  • [Fixed] Attribution report: HTML export of report does not support Chinese characters.

  • API:

    • [Fixed] It is not possible to create a product with a name that includes non-Latin characters.

    • [Fixed] A fetched Due Diligence report in Excel format may not be properly formatted.

...

Version 22.4.2.1 (15-May-2022)

Resolved Issues

Jira Data Center and Server Plugin

...

Version 22.4.2 (15-May-2022)

New Features and Updates

Mend CLI

  • Detailed information about policy violations will now be available as part of the JSON format.

Resolved Issues

Unified Agent

  • The Maven resolution of the Unified Agent did not work as expected with specific versions of the Apache Maven Dependency Plugin.

...

Version 22.4.1.1 (2-May-2022)

Resolved Issues

  • Fixed an issue in the Unified Agent in which the NPM or Maven resolution failed when an Amazon Corretto JDK was used.

Version 22.4.1 (1-May-2022)

New Features and Updates

Jira Data Center and Server Plugin

  • The Jira Data Center and Server Plugin now supports version 8.22.

Resolved Issues

Jira Data Center and Server Plugin

...

Version 22.3.3 (17-April-2022)

New Features and Updates

Mend CLI (Beta)

  • It is now possible to set the Mend scope (full or partial) of the scanned project as part of the CLI scan command.

  • Detailed information about policy violations will now be displayed in the output of the CLI scan command.

  • The output of the CLI scan command can now be displayed in JSON format, replacing the previous --json <file> option.

Resolved Issues

Unified Agent

  • Under certain circumstances, not all the Unified Agent's processes were terminated on Windows.

...

Version 22.3.2.2 (10-April-2022)

Resolved Issues

Jira Cloud Plugin

  • When the user uninstalls the Jira Cloud Integration and then installs it again before synchronization occurs, the old installation would override the new installation.

...

Version 22.3.2 (3-April-2022)

Resolved Issues

Unified Agent

  • The Unified Agent did not support proxy settings missing a username.

...

A Jira Data Center approved version of the Jira Server plugin is now available.

Resolved Issues

  • The Dependency Hierarchy in the ticket description was limited to 3 hierarchical paths.

Version 22.3.1 (20-March-2022)

Resolved Issues

Unified Agent

  • In Bower projects with local dependencies, the Unified Agent was unable to detect dependencies.

  • In a specific case, when the Unified Agent scanned a Gradle project, a stack trace exception was thrown without the error information.

...

Version 22.2.2.1 (9-March-2022)

Resolved Issues

Unified Agent

  • The Python resolution was fixed so that it no longer reports a large number of duplicate dependencies.

Version 22.2.2 (6-March-2022)

New Features and Updates

Unified Agent

  • A message is displayed when no dependencies are found in a package.json file for an NPM project.

...

  • A new parameter showing a library’s release date (if it has one) was added to the Inventory report at the organization, product and project-level.

Resolved Issues

Unified Agent

  • When running Go commands in the Unified Agent to download dependencies that were not in the cache, warning messages would be displayed.

  • The Unified Agent was unable to extract layers with extension .tar.gz when scanning a docker tar file.

Version 22.2.1 (20-February-2022)

New Features and Updates

Unified Agent

  • The scanning of Yocto projects in the Unified Agent is now supported in Beta status for Poky projects.

...

Version 22.1.2 (6-February-2022)

New Features and Updates

Unified Agent

  • The ignoreSourceFiles parameter, superseded by the fileSystemScan parameter, will be deprecated from release version 22.5.1.

...

  • The Azure DevOps extension now supports Azure DevOps Server. The extension name was changed from "Mend for Azure DevOps Services" to "Mend for Azure DevOps".

Resolved Issues

Unified Agent

  • The Docker Container scan did not perform a general scan of the container file system.

...

Version 22.1.1.1 (27-January-2022)

Resolved Issues

Unified Agent

  • A NullPointerException (NPE) occurred when trying to generate a scan report.

Version 22.1.1 (23-January-2022)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Java 17.

...

Version 21.12.2 (9-January-2022)

New Features and Updates

Issue Tracker Integration Generic Platform and Jira Plugins

...

  • The remapping of source files to different source libraries was refactored to improve speed and prevent errors.

Resolved Issues

Unified Agent

  • In the Unified Agent, when scanning a project with no libraries, a NullPointerException (NPE) occurred when trying to generate a scan report.

  • In certain cases, during Bower resolution, a NullPointerException (NPE) occurred when the Unified Agent trimmed missing dependencies from the dependency tree.

...

Version 21.12.1 (26-December-2021)

New Features and Updates

Artifactory Plugin

  • A new and improved Artifactory plugin is introduced in this release, providing important updates, such as performance improvements, more granular control over downloaded components, and easier installation. The triggerBeforeDownload property was updated to control downloading of components from local repositories only, while a new property, triggerBeforeRemoteDownload, controls downloading of components from remote repositories. In addition, the userKey property is now mandatory.

...

  • Prioritize shields are now displayed for every security vulnerability as part of the Jira ticket, when applicable.

Resolved Issues

Unified Agent

  • Cargo workspaces would not be handled correctly if a wildcard was used in the members list.

  • Effective Usage Analysis would only support Python projects with an appPath ending with requirements.txt.

  • When a Prioritize scan failed due to a pre-step error, a typo would appear in the scan log.

  • In the Unified Agent, if more than one extra-index-url was defined in a Pipfile, the pipenv resolution would fail.

Version 21.11.2.1 (16-December-2021)

Resolved Issues

Mend Prioritize

  • Minor fix for Prioritize reflection mechanism.

Version 21.11.2 (12-December-2021)

New Features and Updates

Unified Agent

  • Scanning of OCI Docker images is now supported via the docker.scanTarFiles parameter.

...

  • Addressed security vulnerabilities identified for the integration dependencies.

Resolved Issues

Unified Agent

  • An exception occurred when the Unified Agent tried to resolve pipenv dependencies.

  • In some cases, the SBT resolver failed to detect dependencies.

  • When parsing GitHub commits in a Python project with a PIP dependency manager, errors occurred when parsing the GitHub dependencies.

  • In the Unified Agent, a local NPM package with no version caused an exception.

  • When scanning a Docker image by the Unified Agent, a vulnerability detected in a deleted file was included in the scan results.

...

Version 21.11.1 (28-November-2021)

New Features and Updates

Application API

  • A new parameter, resolvedType, was added to the getProductAlertByType API.

  • A new HTTP v1.3 API was added that reassigns organization-level policies to a different owner.

...

  • Failing a pipeline build based on policy violations is now supported (by utilizing the Unified Agent’s policy-related settings).

  • The open-source risk report is now retained as part of the Azure DevOps Extension pipeline build, allowing build history auditing, faster report retrieval, and better user experience.

Resolved Issues

Unified Agent

  • When scanning a Yarn project containing a yarn.lock file of a certain format, the Unified Agent would fail to parse the lock file, and the resulting dependencies would contain null values.

  • The Go resolution of the Unified Agent missed dependencies in some cases when the "replace" directive was used in the go.mod file.

  • The Unified Agent didn't ignore comments appearing in the requirements.txt.

  • In the Unified Agent, when scanning Packrat projects, an exception occurred because of a missing or inaccessible packrat/lib directory.

  • In the Unified Agent, incorrect parsing of the poetry dependency tree resulted in an incorrect dependency tree to be sent in the update request.

  • In the Unified Agent, scanning of Go projects would fail when using a Go version earlier than 1.14.

...

Version 21.10.2 (14-November-2021)

New Features and Updates

Unified Agent

  • The Dockerized Unified Agent was updated to the latest version which includes support for Conda.

  • The option to upload a zipped offline request for a scanned project is now supported.

...

In the Advanced Settings of the Jira Server and Jira Cloud Plugins' configuration page, you can now choose whether or not to ignore alerts for issues that are closed.

Resolved Issues

  • For organizations in Vulnerability-Based Alerts mode, the Containers Dashboard would show incorrect data.

  • In some cases, the Vulnerabilities Report for the different scopes failed to generate or returned an empty response.

  • Notification emails for new alerts were sometimes sent when no new alerts were created.

  • For some API calls, the response JSON returned incorrect charset encoding.

  • A duplicate key in the projectSecurityVulnerability resulted in incorrect alerts displayed for the project.

  • In some cases, alerts were not removed after recalculating In-House rules.

  • The Unified Agent failed to calculate the SHA-1 of NPM packages residing at the local workspace.

  • Building the Dockerized Unified Agent resulted in errors.

  • When Essentials users were using the Azure DevOps Services extension, the Organization Settings page would not be displayed.

  • After an extension was uninstalled from the Azure DevOps Services, subsequent installation and on-boarding of the services extension would fail when the organization was inactive.

  • After removing a Bolt extension from the Azure DevOps Services, the Mend Organization would be deactivated.

...

Version 21.10.1 (31-October-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Yarn 3.

  • Excluding Docker layers from the Unified Agent’s scan is now available in Beta status via the docker.excludeLayersByLabel configuration parameter.

...

  • Links to the Mend policy and library are now added to the Jira tickets.

Resolved Issues

  • The dependencies of the docker layer would not reflect the project in the UI.

...

Version 21.9.1.1 (25-October-2021)

Resolved Issues

  • When the Unified Agent scanned a multi-module Gradle project, the project name would contain a version.

  • When the Unified Agent scanned a Gradle project containing a dependency with no version, no dependencies would be found and an exception would be thrown.

  • When the Unified Agent scanned a project on a Windows machine, if the “-d” parameter had a trailing whitespace, an exception would be thrown.

  • When a Unified Agent scanned a Go Modules project, test dependencies were incorrectly identified.

Azure DevOps Integration Version 21.9.11 (18-October-2021)

Resolved Issues

  • In the Azure DevOps integration (Services and Bolt extensions), an erroneous redirect prevented loading the organizational and project settings of the extensions.

Version 21.9.1 (17-October-2021)

New Features and Updates

Unified Agent

  • A new configuration parameter commandTimeout is now available for controlling the timeout of all the commands executed by the Unified Agent during a scan.

Resolved Issues

  • When performing a global search to check for CVE vulnerabilities in the library inventory, the results would display "No files in your inventory are vulnerable" when in fact there were vulnerabilities.

  • Poetry dependencies that were updated but not identified did not appear in the application at all because their Artifact ID was missing.

  • The Unified Agent did not honor a change of the default branch name when scanning an SCM GitHub repository.

  • If some of the entries were missing from the go.sum file, the Unified Agent's Go Modules resolution would fail to detect dependencies.

...

NOTE: The Application release is delayed to October 10th due to maintenance and stabilization improvements.

New Features and Updates

Unified Agent

  • Conda dependencies detection is now enabled by default - the default value for the conda.resolveDependencies parameter is set to true.

  • The Gradle dependencies' detection mechanism was improved significantly. As a result, the following Gradle parameters are now obsolete:

    • gradle.runAssembleCommand

    • gradle.runPreStep

    • gradle.localRepositoryPath

    • gradle.downloadMissingDependencies

    • gradle.wrapperPath

    In addition, the default value of the gradle.preferredEnvironment was changed to wrapper, to improve the scan results and align to Gradle best practices.

  • The Unified Agent now supports Yarn 2.

...

  • The Jira plugins now support the automatic updates of tickets following changes identified on Mend - whether the policy no longer affects the project or the library is no longer in the project's inventory.

Resolved Issues

  • In the Unified Agent, some NPM dependencies would be missing when the npm.removeDuplicateDependencies parameter was set to true.

  • Building the scanner Dockerfile would fail when trying to install Cocoapods for managing the library dependencies.

  • In the Unified Agent, the PIP resolution would fail in cases when the pyproject.toml was found.

Version 21.8.1.1 (31-August-2021)

Resolved Issues

  • Removed unreachable libraries from the Unified Agent’s jar.

Version 21.8.1 (29-August-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports scanning of Conda dependencies specified in environment.yml files. Conda dependencies detection is controlled by a new parameter conda.resolveDependencies which is disabled by default. Note: Mend Conda vulnerabilities coverage is currently limited to Python dependencies only and will be extended in coming releases.

  • The includes parameter now has a default value (comprising all the Mend supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).

  • The excludes parameter now has a default value of:
    **/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

  • Go dependency detection now enables the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.

  • Performance improvements are introduced to the NPM dependencies detection.
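To see what the default excludes value above actually removes from a scan, the following Python matches those six patterns against a constructed sample tree. This is an added example, not code from the release notes or from the Unified Agent itself; it assumes Ant-style glob semantics (`**` spans directory separators, `*` does not, and a pattern that names a directory excludes everything beneath it), and the function names and sample paths are this example's own.

```python
import re

# Default value of the Unified Agent "excludes" parameter as quoted in the
# 21.8.1 release notes (copied here so the example runs stand-alone).
DEFAULT_EXCLUDES = [
    "**/.*",
    "**/node_modules",
    "**/src/test",
    "**/testdata",
    "**/*sources.jar",
    "**/*javadoc.jar",
]

# Constructed sample tree; not taken from any real project.
SAMPLE_TREE = [
    ".git/config",
    ".github/workflows/ci.yml",
    ".npmrc",
    "package.json",
    "web/node_modules/lodash/package.json",
    "app/src/main/java/Foo.java",
    "app/src/test/java/FooTest.java",
    "app/src/testing/Harness.java",
    "fixtures/testdata/sample.bin",
    "lib/commons-1.0.jar",
    "lib/commons-1.0-sources.jar",
    "lib/commons-1.0-javadoc.jar",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Ant-style glob into an anchored regex.

    Assumed semantics (the release notes do not spell them out):
      "**/"  zero or more leading directory components
      "**"   any run of characters, including "/"
      "*"    any run of characters except "/"
      "?"    one character except "/"
    A pattern that matches a directory also covers every path beneath it,
    which is why the regex ends with an optional "/..." tail.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "(?:/.*)?$")


COMPILED = [(p, glob_to_regex(p)) for p in DEFAULT_EXCLUDES]


def normalize(path: str) -> str:
    """Use forward slashes and drop a leading './' so patterns anchor cleanly."""
    path = path.replace("\\", "/")
    return path[2:] if path.startswith("./") else path


def matching_pattern(path: str, patterns=None):
    """Return the first exclude pattern that covers the path, or None."""
    compiled = COMPILED if patterns is None else [(p, glob_to_regex(p)) for p in patterns]
    norm = normalize(path)
    for pattern, regex in compiled:
        if regex.match(norm):
            return pattern
    return None


def is_excluded(path: str, patterns=None) -> bool:
    return matching_pattern(path, patterns) is not None


def partition(paths, patterns=None):
    """Split paths into (scanned, skipped) the way the default excludes would."""
    scanned = [p for p in paths if not is_excluded(p, patterns)]
    skipped = [p for p in paths if is_excluded(p, patterns)]
    return scanned, skipped


if __name__ == "__main__":
    scanned, skipped = partition(SAMPLE_TREE)
    for p in skipped:
        print(f"skip  {p:45s} <- {matching_pattern(p)}")
    for p in scanned:
        print(f"scan  {p}")
```

Two of the defaults deserve a second look before relying on them: `**/.*` silently drops every dot-directory, including `.github/workflows` and files such as `.npmrc`, and `**/src/test` drops test-only dependencies. If those paths matter to your inventory (CI manifests, test fixtures that ship in an image), set `excludes` explicitly rather than inheriting the default.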

...

  • Resolved an issue that occurred when using an Oracle database.

Resolved Issues

  • In the Unified Agent, the excludes parameter was being called for every project in a folder, instead of per project directory.

  • In the Unified Agent, when scanning a target folder while extracting a jar file, a null pointer exception occurred.

  • A Prioritize scan would fail with an EUA error due to missing SHA-1 library dependency.

  • An Artifactory Plugin scan would fail to get the SHA-1 library dependency.

...

Azure DevOps Integration Version 21.7.21 (17-August-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, authentication issues required downgrading the azure-devops-node-api NPM library used by the extension.

Version 21.7.2 (15-August-2021)

New Features and Updates

Jira Server Plugin (Beta)

  • Support was extended to the latest Jira Server versions.

Resolved Issues

  • In the Library Security Vulnerabilities page, when the same library appeared in several projects, the wrong shield was displayed.

  • Under certain conditions, when using the Vulnerabilities Report, an error occurred.

  • In the Unified Agent, when scanning in SCM mode, a debug exception occurred before cloning the repository.

  • In the Unified Agent, when scanning yarn projects, the hierarchy tree was not deduped, resulting in memory issues.

  • A runtime error occurred in the Artifactory plugin.

  • The minutes-to-milliseconds conversion during cloning of mendService.class caused an invalid value in wss.connectionTimeoutMinutes.

  • When the GitHub scanner scanned a repository by a tag (not a branch), the scan failed in the cloning phase.

...

Version 21.7.1 (1-August-2021)

New Features and Updates

Unified Agent

  • The default of php.removeDuplicateDependencies has been changed to True.

...

  • A new report, the Early Warnings Report, is released. This report displays same-day indications of vulnerabilities automatically identified by Mend even before they are certified by the Researchers. The report currently has limited availability for select customers. It is being rolled out gradually and will be available for all customers and environments in the next couple of weeks; a separate GA notice will be announced in the release notes.

  • Note that as was announced on June 6th, on August 15th the Multiple Library Version report will replace the alert for Multiple Library Version, which will be disabled for all customers. All information that was available in Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • When the same NuGet dependency was defined in both the csproj and nuspec, it appeared twice in the application.

  • In the Unified Agent, setting multiple archives in the "-d" argument sometimes led to incorrect results.

  • The Maven, OCaml, Modules, and R resolvers of the Unified Agent did not fail the scan when the relevant package manager was not installed and failErrorLevel was set to ALL.

  • In the Unified Agent, the parameter gradle.additionalArguments was only being applied to a subset of Gradle commands, instead of all Gradle commands.

  • When scanning projects with the Unified Agent, and archiveIncludes and archiveExtractionDepth were set, corrupted zip files resulted in null pointer exceptions in certain Java versions.

  • In the Unified Agent, the Maven resolver did not detect the dependency tree path when the Maven log was altered.

...

Version 21.6.3 (18-July-2021)

New Features and Updates

  • The detection accuracy of security vulnerabilities was improved for the Unified Agent Linux package manager scan (scanPackageManager).

  • The base image of the CircleCI orb executor was updated to Ubuntu 18.04.

  • The image of the Mend integration for Bitbucket was updated.

...

  • The library path was added to the Jira ticket.

Resolved Issues

  • In the Security Alerts reports, there were no checks to determine if the organization had partial data property.

  • Jira Server Plugin: instead of assigning the Mend issue type only to the relevant project, it was added to all the screens in the user's Jira environment.

...

Azure DevOps Integration Version 21.6.3.1 (14-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, a corrupted setting of the extension was not handled correctly.

Azure DevOps Integration Version 21.6.3 (8-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented executing the Mend task.

Version 21.6.2.2 (6-July-2021)

Resolved Issues

  • In the Unified Agent, when the gradle.preferredEnvironment parameter was set to wrapper, gradle commands were executed instead of gradlew commands.

Azure DevOps Integration Version 21.6.2.1 (5-July-2021)

Resolved Issues

  • In the Azure DevOps Services Integration, an issue prevented updating the project settings.

...

Version 21.6.2 (4-July-2021)

New Features and Updates

Azure DevOps Services Integration

...

  • A new variable for specifying options for the Java command executing the Unified Agent's JAR is now available in the Bitbucket integration.

Resolved Issues

  • The IntelliJ IDE would cease to function when scanning Maven projects with the Mend plugin.

  • When a server was stopped, there were problems continuing the scan that had already started.

  • Persist ManagedResource failed after a database Lock exception.

  • Manually remapping of all the source files did not close pending requests for the old source library.

  • In the Unified Agent, projectPerFolderIncludes failed to detect subfolders.

  • When scanning a Yarn project with the Unified Agent, if the "resolved" section was missing for a dependency within the yarn.lock file, a Null Pointer Exception occurred.

  • Mend now supports the ability to run bower and yarn in the same directory.

  • In the case of GitHub.com integration, the SCM scanner scanned the root folder instead of the cloning folder, causing the scanner to scan additional libraries.

...

Version 21.6.1 (20-June-2021)

New Features and Updates

Unified Agent

  • Beginning in this version, support is added for Cargo workspaces.

Resolved Issues

  • When only the fromDate parameter was provided, the getXXXXAlertsByType API call returned an empty list in VBA mode.

  • The Vulnerability Report opened with a partial mode disclaimer even in non-partial mode organizations.

  • In the Unified Agent, NPM 6 failed to resolve dependencies originating from registry.npm.tabao.org.

Version 21.5.2 (6-June-2021)

New Features and Updates

Reports

  • A new report is introduced in beta phase - the Multiple Library Version report. This report displays information regarding multiple versions of the same library that are being used in the selected project/product. With the release of this report, we are announcing that the alert for Multiple Library Version will be disabled to all customers on August 15th, 2021. All information that was available on Multiple Library Version alerts will be available in the dedicated report, for both past and future scans.

Resolved Issues

  • Under certain conditions in the Library Location Report, the same file locations were displayed multiple times for the same library.

  • A transitive dependency declared for both the "test" and "compile" scopes was omitted from the scan results.

  • An NPM scan failed with a null pointer when it identified a package.json missing the name or the version.

  • In the Unified Agent, a null pointer exception occurred during Maven dependency downloads.

...

Version 21.5.1 (23-May-2021)

New Features and Updates

Web UI

  • When working in Vulnerability-based alerting mode, the Details column was returned to the exported License and Compliance Alerts Report, providing more specific information on the alert.

  • A new license, Saucy 2.0, has been added. See here for details.

  • In Vulnerability-based Alerts organizations, a new button, More Information, was added to the pending tasks page. When selecting tasks from the list (up to 50) and clicking this button, a pop-up screen presents the number of vulnerabilities and the license of each selected task's library. The user can change the task selection in the pop-up, and the new selection is saved upon clicking Save. The user is then returned to the original pending tasks screen and can approve or reject the tasks based on the information provided in the pop-up.

Resolved Issues

  • In rare cases, there was a discrepancy between the vulnerabilities number shown in the Library page and that shown in the Alerts report.

  • When the organization's name included the character ".", creating an access key of the issue tracker integration failed.

  • Queries used to calculate match types fetched all project resource usages of the product/project, taking a long time to return server responses.

  • The Unified Agent did not handle Gradle artifact relocation correctly.

  • In some cases, when the Artifactory Plugin deleted Temp folders, not all folders were deleted.

...

Version 21.4.2.1 (11-May-2021)

New Features and Updates

Jira Server Plugin (Beta)

...

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

...

Version 21.4.1 (25-April-2021)

Resolved Issues

  • Users encountered errors logging in to Mend.

  • The project name or project token was unnecessarily a mandatory parameter for Docker scanning.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.

...

Version 21.3.2.2 (19-April-2021)

Resolved Issues

  • Resolved a security issue in the Jira Server plugin.

Version 21.3.2.1 (13-April-2021)

Resolved Issues

  • Resolved an issue where running the Unified Agent with “-v” resulted in its version printed with a console log message header.

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new Mend Organization is created.

  • The name of the Sun license was changed to Sun Public License.

...

  • The following documentation changes were implemented:

    • The Deprecated Features topic was deprecated and the content was moved to the Notices page.

    • The Setting the Home Page topic was deprecated and the content was moved to the Mend Home Page topic.

    • The High Severity Bugs Report topic was deprecated.

    • The File System topic was deprecated.

  • Structural modifications were implemented to the opening documentation sections, beginning with the login/homepage documentation. As a result, the following pages were deprecated:

    • Getting Started

    • Setup Projects

    • Automate the Process by Using the Unified Agent

  • In the next version, the R Integration page will be deprecated.

Resolved Issues

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

The Jira Server Plugin is now available in the Atlassian marketplace. Please note that the Jira Server Plugin is currently in beta.

Resolved Issues

  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.

...

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

  • A new API is now available for unmarking manually-assigned in-house libraries - unmarkManualInHouseLibrary.

Resolved Issues

  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the Mend Configuration task parameter led to a scan failing.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependencies detection was improved, by supporting the sbt-dependency-graph plugin when applicable.

Resolved Issues

  • When working in vulnerability-based alerting mode, user roles were not being validated when ignoring/reactivating alerts.

...

Version 21.1.2 (14-February-2021)

Resolved Issues

  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a mend-generated .encrypted file not being deleted at the end of each Mend build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of mend-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Updated the Mend task version from 20 to 21. In order to use the new version(s) of the extension, you will need to update the task from mend@20 to mend@21 inside your pipeline definition.

  • Added the ability to map an Azure Project to an existing Mend Product (in addition to creating a new Mend Product) via the Project Settings > Extensions > mend page.

Resolved Issues

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.

    • Layers with SHA1 were unnecessarily looked up in the index.

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

...

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

Resolved Issues

  • Azure DevOps Services Integration: When opening the Security vulnerabilities tab in the Open Source Risk report, the data was not sorted by severity.

  • Azure DevOps Services Integration: Adding the Mend task to a YAML-based pipeline without setting any of its parameters resulted in an error. As part of this fix, a default value was added for the cwd parameter.

  • Fixed failures of inventory update if artifactVersion exceeded the valid length.

  • The Unified Agent failed to parse a non-lowercase configuration value.

  • The Unified Agent failed to resolve NuGet dependencies when the project.assets.json file was not found in its standard location.

  • A Python direct dependency, which was also used as a transitive dependency by another library, was not listed as a direct dependency by the Unified Agent.

  • RPM packages installed or deleted without using yum were not identified correctly by the Unified Agent.

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

...

  • A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.

Resolved Issues

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using "Assign Yourself", the pop-up window appears blank and users need to click "Add License Reference" or "Override All" in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

...

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

Resolved Issues

  • For some libraries, the Impact Analysis page did not display results.

  • Filtering by library in the Attribution Report did not display all results.

  • In the Web UI, there was no indication when a library contained no licenses. NOTE: Beginning in this version, an indication that review is required is displayed.

  • In Azure environments, when saving/updating a SAML integration (Domain and Global Account level), an HTTP error 500 was displayed.

  • In the Vulnerabilities Report, the screen’s legend was unclear.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

  • Attribution Report: It is now possible to exclude versions from an exported Attribution Report via API.

Resolved Issues

  • Exceptions occurred when saving Global Account policies.

  • In the Unified Agent’s scan log, certain Gradle configurations were missing.

  • Azure DevOps Services Integration: In some cases, build artifacts over 200MB resulted in one of the following errors:

    • ##[error]RangeError: Maximum call stack size exceeded

    • ##[error]Error: "toString()" failed

  • Azure DevOps Services Integration: In some cases, scanning a project containing an npm project resulted in the following error:
    ##[error]Error: ENOTDIR: not a directory, scandir '/home/....../node_modules/.bin/acorn'

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

  • Read-only Permissions: A new auditing role can now be assigned to service users through the setOrganizationAssignments API to give them read-only permissions in the scope of a specific organization.

Resolved Issues

  • An unexpected output received from the SBT sbtVersion command caused the Unified Agent to throw an exception.

  • The Unified Agent did not correctly handle a possible output of the SBT organization command.

  • The Unified Agent failed to extract .tar files created with special characters on Linux.

  • When executing update inventory requests which create a new project, the getProjectVitals/getProductProjectVitals API requests did not display the Unified Agent's version.

  • When trying to add a new admin from the global admins page, the users list was empty.

  • When configuring SCM via JSON files, the Unified Agent scanned the current directory.

  • Project Association: The limitation on the number of items in the products list was removed.

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

A modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter has been archived and is therefore no longer in use.

Resolved Issues

  • The Unified Agent’s Artifactory scanner failed to build a URL from strings that contained non-alphanumeric characters.

  • Dependencies defined in the gemfile.lock file with an exclamation mark suffix were wrongly resolved.

  • Policies where Action was defined as Issue failed to create Work Items issues.

  • Under certain conditions, when working with policies of the Issue type, exceptions occurred while loading Work Items data.

...

Version 20.10.1 (25-October-2020)

New Features and Updates

Mend Core

  • In order to comply with industry standards, Mend has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

...

Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter will be archived and therefore no longer be in use.

Resolved Issues

  • When the project information object did not have a version in its coordinates, the Unified Agent failed to run.

  • The Unified Agent failed when trying to resolve a large PHP project.

  • Azure DevOps Services Integration: A pipeline build with the Mend task failed to scan GitHub repositories when using a Linux build agent.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, did not handle duplicate dependencies correctly. This caused an increase in the size of requests sent by the Unified Agent.

  • When applying Create Issue policies, issues were created incorrectly for all projects in the organization (added November 1, 2020).

  • When updating group assignments, SAML incorrectly removed users from the domain (added November 1, 2020).

  • When entering multiple values for either groupAssignments or userAssignments in the setProductAssignments and setOrganizationAssignments API calls, these values were ignored. The fix - from now on, the first value is assigned (added November 1, 2020).

  • Users were unable to change a source file library if there was already an existing mapping with a comment (added November 1, 2020).

...

  • The license name of Oracle Development License (as it previously appeared in the application) will now appear according to its official name, Oracle Technology Network License Agreement.

Resolved Issues

  • During Kubernetes agent scanning, when the scanned component included the same image multiple times, irregularities occurred causing an exception.

  • In the Attribution report, GPL 2.0 with exception licenses was mistakenly displayed as "insert GPL v2 license text here".

  • When scanning PHP, the Unified Agent threw an exception if one (or more) of the packages did not have a "source" element in the lock file.

Version 20.9.1 (4-October-2020)

New Features and Updates

Mend Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

...

  • Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.

  • Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.

Resolved Issues

  • When applying policies to existing inventory from the organizational policies page, the product and project policies were ignored.

  • When reassigning all of a user's pending tasks, the inventory request approver was not properly updated.

  • When two Maven projects were defined with the same name, both projects were created, but with partial data. The introduced fix now adds a suffix (_1, _2) to a project name in case there is more than one project with the same name.

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

Resolved Issues

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added, the new transitive dependency will be added as a direct dependency, so that all of the application's mechanisms, such as alerts and policies, are applied to it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can run another “OVERRIDE” Update Request after the append request.

Resolved Issues

  • When running the Gradle resolver, if the dependency is missing the Unified Agent will try to download .jar dependencies only.

  • In the rare use case of a change in the GAV coordinates of an artifact, Gradle scans didn't produce the correct signature for this artifact.

  • The Request Resolution Status Report displayed the wrong path on the top of the report.

  • In the Vulnerability Report, the Locations column was missing from the JSON format.

  • When scanning the plan.json file in a Haskell project, a nullPointerException would occur when building hierarchies where one child did not have dependencies.

  • In the application’s home screen, some bulk approval/rejection actions on pending tasks timed out. This caused the UI to hang, and the requests were not marked as reviewed.

  • When scanning a Docker image with source libraries, the “hierarchy” tree included duplications of the source library matched with those source files.

  • Layer information was missing when detecting FOSS components in Docker .tar files.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • When a scan for a project is requested while there is already a scan for the same project being executed simultaneously, the new scan is being skipped. Starting in this version, the JSON file returned for the scan will specify the status SKIPPED instead of FINISHED.

Resolved Issues

  • In cases of empty status files in Debian Docker images, the scan resulted in zero dependencies.

  • In the Policies screens, a popup indicating that changes will not be saved was displayed even though all changes were properly saved.

  • A TimeoutException was thrown when calling the method updateNodesParentAndMr in the DependencyNodeRepositoryImpl class.

  • Priority and Assignee fields appeared in Jira-based policy creation, even when those fields were not defined in the Jira project itself.

  • Following a change in JFrog Artifactory version 7 whereby the property name haAwareEtcDir was changed to etcDir, exceptions were thrown in the Mend Artifactory plugin.

...

Version 20.7.2 (2-August-2020)

New Features and Updates

Mend Core

  • SAML session token duration (the time between the IDP authentication and the Mend login) was changed from 10 minutes to 5 minutes.

...

  • Improvements were made to the Docker scanning of the Linux RPM-based images.

  • Users can now configure Unified Agent parameters using environment variables.

  • The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan on both Linux and Windows Go projects using the go_repository rules generated by Bazel Gazelle (see here).

Resolved Issues

  • When organizations were deleted, data was removed, specifically alerts. This caused timeout exceptions if the table was locked.

  • Under certain scenarios, a null pointer exception occurred when loading the product assignment.

  • Under certain conditions, there were problems with dependency resolution from yarn.lock.

  • Under certain conditions in Unified Agent Docker scans, exceptions occurred when there were similar file names but different content or formats.

  • The Kubernetes deployment procedure did not take the initially configured delays into consideration.

  • When running the Prioritize Multi-Module Analyzer for Gradle, modules that did not have build.gradle were not handled correctly.

  • Under certain conditions, there were issues with the format of the link field within the policyRejectionSummary file.

  • Under certain conditions, the Project Associations page loaded slowly and resulted in a 404 error.

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to True.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan on Linux machines Go projects using the go_repository rules generated by Bazel Gazelle (see here).

...

  • The "Resolution Request Status" report can now be accessed through the Reports menu.

Resolved Issues

  • Under certain conditions, the Unified Agent returned no dependencies after failing to parse the packages database when scanning docker images.

  • In the Source Files widget, after refreshing the page the Change Library column was not displayed.

  • Under certain conditions, there were inaccuracies in the Effective Usage Analysis Summary Report.

  • Under certain conditions, the Unified Agent had an issue following a redirect when trying to download a Gradle dependency.

Version 20.6.2 (5-July-2020)

New Features and Updates

Mend Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • Upgraded the following:

    • WildFly to version 10.1.0

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review is the least common license in organization/product/project, the License dashboard ceases to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

Version 20.6.1.1 (30-June-2020)

Resolved Issues

  • Under certain circumstances, the NuGet dependency detection of csproj files resulted in an inaccurate version of the dependency.

Version 20.6.1 (21-June-2020)

New Features and Updates

Mend Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the Mend Expert Fix is the first solution recommended to customers in the list of suggested fixes.

...

  • This version introduces a Dockerized Unified Agent. More information can be found here.

  • Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.

  • This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.

Resolved Issues

  • Artifactory Docker Virtual Repository scans failed when containing a remote repository.

  • Under certain conditions, the UA exited without appropriate log messages.

  • Under certain circumstances, there was an issue with C# package identification.

  • In the Library Details page, Only library with effective vulnerability was not displayed.

  • When trying to create a Jira issue when defining a policy based on vulnerability effectiveness, an exception occurred.

  • In the Web Application, in the Alerts Report, the EUA “shields” were not displayed.

  • Jira server issues were not created due to wrong assignee parameters.

  • During NuGet scans, exceptions were caused following references to missing files.

...

  • For customers where Prioritize is installed: An “effectiveVulnerabilitiesOnly” flag was added to VULNERABILITY_SEVERITY in Policies API.

Resolved Issues

  • Under certain circumstances, a specific format of package version in the nuspec file caused a failure in NuGet resolution.

  • Under certain circumstances, a wrong command was run in NuGet resolution when packages.config is present.

  • There was no option to provide a full path in a csproj file when referencing other csproj files.

  • Jira API parameter "query" (which replaced “username”) did not work for all customers.

  • In the wss_resourceVulnerabilities table, security alerts were not calculated when there was no sourceFileHashes mapping.

  • Under certain circumstances, Ruby scans failed.

  • In the Unified Agent, when dependencies in Yarn scans had two versions, the scans failed.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

Mend Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and you must fill them in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

...

  • Beginning this release, the Nuget resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.

  • Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.

Resolved Issues

  • Proxy support was missing in one of the HTTP calls of the lambda serverless implementation.

  • Under certain circumstances in Gradle resolution, a hash was calculated on an empty file.

  • License links that didn’t contain a protocol were considered relative resources in the site, and therefore the base URL was added to the href.

  • After executing actions in the Inventory Report, the selection wasn’t cleared.

  • When trying to sync a source library which has a duplicate in the database, it tried to remove the existing source library.

  • Some reports with multiple selection (such as checkboxes) didn’t have any actions to execute on selected items.

  • When an assignee existed but didn’t appear in the Unified Agent’s initial list, users were unable to create an issue type policy.

  • Under certain conditions, the Artifactory Plugin would send product parameters as Repository Name in check policy compliance requests.

...

  • Currently, when entering an invalid role in the setProductAssignments API call, the response is "Successfully set product assignments". Beginning in this version, the response is changed to include the assignments that were successfully set by the API call. Also included is an additional list named “warningMessages” (available from API version 1.3 and up), that includes various warning messages.

  • In the next Unified Agent release, the NuGet resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.

Resolved Issues

  • The License Compatibility report did not recognize licenses that were manually overridden.

  • Uninstalled OS packages were included in the scan.

  • Under certain circumstances, the Alert ignorers role was missing from the setProductAssignments API.

  • The security severity calculations of the "policyStatistics" and "vulnerabilityStatistics" sections of the scan report were not aligned.

  • An issue occurred when scanning projects that included circular symbolic links on Linux.

  • Unnecessary information was printed to the Unified Agent’s log when Azure registry images were scanned.

...

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will not ignore .jar, .war, .ear, and .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

Resolved Issues

  • Under certain conditions, when the MultiModuleAnalyzer ran on large Gradle multiModule projects, it ignored certain modules.

  • In Prioritize, the Maven pre-conditions incorrectly used mavenIgnoredScopes.

  • Under certain conditions, the Unified Agent sent empty dependencies values in offline requests.

  • Jira projects were not taken into consideration when fetching the mandatory fields to open a Jira issue.

  • Under certain conditions, some docker image packages (centos) had the same hash value key.

  • In cases involving the R package manager, when the match library flag was ON and there was no sha1 for the package, the additional sha1 of this package was ignored.

  • When fetching the last RVI sync attempt, an OptimisticLockException (AbstractSyncServiceImpl:78) was thrown because another process was updating the same object; hence the version had changed.

  • When an RVI sync task was created for the first time, it was created without a task name.

  • Under certain conditions, RedHat libraries were missing from customer databases.

  • Under certain conditions, after the Docker image (Centos:8) rpm scan ran, there were over 110 items remaining to resolve.

  • In Jira, under certain conditions, the following occurred due to Jira API changes:

    • Issues were created without an assignee

    • When a reporter was defined as mandatory, issues were not created

    • Adding issue policies via the API failed

    This fix applies automatically for new policies. For existing policies, if customers defined a reporter or assignee, they must edit those policies and re-enter the assignee and reporter, and then save.

...

  • In the Attribution Report, the license text is no longer displayed in the Copyrights section.

  • In the Plugin Request History report, "fs-agent" has been changed to "unified-agent".

Resolved Issues

  • A permissions issue existed where the Source File Inventory Report did not filter projects according to user privileges, i.e. users who weren't members of project A were still able to view source files and libraries of that project.

  • The All Products drop-down list was not sorted alphabetically.

  • Under certain conditions on large-scale NPM projects, running two scans led to a StackOverflowError.

  • Under certain conditions, there were parsing irregularities in the modules.txt file.

  • Under certain conditions, when parsing a “paket.lock” file, an exception occurred.

  • Under certain conditions, Paket scan results displayed information regarding NuGet.

  • Under certain conditions, in the Unified Agent, Gradle failed due to the merging of impactAnalysis with failErrorLevel.

  • In AVM’s Fortify Client, there was an error parsing clients with URLs that contained “ssc”.

  • Under certain conditions, the maven.ignoredScopes flag did not work as expected.

  • Maven scans resulted in missing Maven dependencies.

  • The License Compatibility Report displayed multiple licenses even after using the override function.

  • The ignoreSourceFiles parameter affected the "includes/excludes" scan results.

  • The default paket.exe path was set to a wrong path.

  • Under certain conditions, the NuGet resolver contained the wrong version.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, Mend will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar, .war, .ear and .zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • Some nupkg libraries whose display name did not use a dash ('-') as the version separator were not recognized as the same library and therefore did not generate the Multiple Library Versions result.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

  • A new API request "getProjectLicensesTextZip" enables project-level scope for the getLicensesTextZip API, providing more granular results for legal business needs.

  • A new API request "getProjectCopyrightsTextFile" enables project-level scope for the getCopyrightsTextFile API, providing more granular results for legal business needs.

Resolved Issues

  • When the Multi-Module Analyzer scanned at least a dozen projects, it sometimes randomly failed on some of them, although when scanning a single project no such problem existed.

...

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

Resolved Issues

  • In Prioritize, in the Vulnerability Analysis pane, the Analysis Coverage exceeded 100%.

  • The Unified Agent failed to resolve python dependencies using the virtualenv command.

  • There were incorrect descriptions for some of the Python libraries.

  • The Debian importer was unable to download files without release dates.

  • Under certain situations, CVEs still appeared in the web application even after blacklisting all vulnerable source files.

  • In Effective Usage Analysis, when the multi-module-analyzer scanned several projects, it sometimes randomly failed on some of them, although when it scanned a single project no problem occurred.

  • The "base directory" differed between the old Unified Agent and the new one, causing wrong results for customers.

...

  • For customers who want to have source files with associated vulnerabilities identified in Mend when possible, a new optional parameter for the getProjectAlertsByType API enables the response to include vulnerable source files.

Resolved Issues

  • In Prioritize, the Analysis Coverage exceeded 100% in the Effective Vulnerability widget.

  • Under certain conditions, Scala project scans failed on SBT dependencies.

  • Under certain conditions, in the Unified Agent, when the 'gradle' commands failed, the Unified Agent did not execute 'gradlew' commands.

  • Under certain conditions, library folders appeared in the wrong module.

  • In the Attribution report, the provided license reference was not necessarily the license text itself.

  • Under certain conditions, after a customer removed an organization, it remained in the customer’s system.

  • Alerts for new NPM versions included pre-release versions.

...

  • This version introduces support for the DNF package manager for CentOS.

Resolved Issues

  • [Fixed] Under certain conditions, problems occurred when logging in to the Mend application via Microsoft Azure.

...

  • A License column has been added to the Attribution Report, enabling users to filter libraries by license in the preview screen.

  • Added report flexibility: The Attribution Report now enables users to select multiple projects for inclusion in the report’s output.

Resolved Issues

  • [Fixed] New alerts emails were sent to customers that disabled email notifications.

  • [Fixed] Under certain circumstances, the License Compatibility Report did not display results.

...

  • Attribution Report data improvement - When there is no license reference in the library, a generic license will be presented.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • Attribution Report data improvement - In various cases, a valid license text will be displayed in the report instead of the previously-used JSON/XML.

Resolved Issues

  • Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.

...

  • A new screen option, Nested Licenses, provides added granularity for complex cases where nested licenses are being used in a library's repository, such as 3rd party licenses.

  • In the Due Diligence report, the range of years for the library's copyright (in from-to format) is now displayed in the Copyright column. Additionally, in the By Copyrights filter, it is now possible to filter according to the from-to values.

Resolved Issues

  • [Fixed] Under certain conditions, newly-imported JavaScript libraries were included in Gitta lookups.

  • [Fixed] After closing a request for a Source Library, a new request was opened again after scanning.

  • [Fixed] Under certain conditions, Null Pointer Exceptions occurred when the CVSS 3 extraData field was null.

  • [Fixed] When passing float values to the client, these values changed their original value, causing incorrect data to be presented.

  • [Fixed] Due to the system path of the Gradle dependencies, the EUA analysis coverage was inaccurate.

  • [Fixed] When inserting a copyright date range in the Due Diligence report, the report did not filter properly and the results were therefore inaccurate.

  • [Fixed] When the Unified Agent .jar file was extracted while running, the Unified Agent would cease to function.

...

Beginning in this version, Mend Developer Integrations will have its own release notes. Please refer here.

Resolved Issues

  • [Fixed] Under certain conditions in app.whitesourcesoftware.com, some libraries were missing although the update request contained them.

  • [Fixed] Servers received imported licenses that have license names but no license types, resulting in no license creation.

  • [Fixed] Under certain conditions, the Unified Agent did not collect all the dependencies in yarn projects.

  • [Fixed] Under certain conditions, it was impossible to create sub-task issues using Jira integration.

  • [Fixed] When trying to create a new copyright template without years, an error was displayed.

  • [Fixed] When exporting an HTML Attribution Report by project in a partial-data organization, an error was displayed.

  • [Fixed] Under certain conditions, the Unified Agent Docker Hub scan returned no results.

  • [Fixed] An out-of-memory issue occurred for Yarn.

  • [Fixed] Detect configurations did not work correctly for Go projects.

  • Release Unified Agent version 19.11.1

...

  • The Unified Agent now runs Effective Usage Analysis even if npm.includeDevDependencies is set to false.

Resolved Issues

  • [Fixed] After creating an issue, when trying to parse the JSON response from Jira, an exception occurred, resulting in Jira issues created several times for the same libraries in the same projects.

  • [Fixed] In the Attribution Report, XML was not displayed properly (for example, XML tags were removed).

  • [Fixed] In specific circumstances, the Gradle resolver did not create a full dependency tree, resulting in missing libraries from Docker image scans.

  • [Fixed] When trying to upload an offline request with a specific Gradle dependency, the dependency was not found in the inventory.

  • [Fixed] Uploading a metadata file to the Mend application resulted in errors.

  • [Fixed] In Mend for Bitbucket Server, Mend for GitHub Enterprise, and Mend for GitHub.com, when an issue for multiple components was created, the Automatic Remediation information was displayed.

  • Release Unified Agent version 19.10.1

...

  • The GPL 2.0, MPL 1.0, MPL 1.1, and MPL 2.0 licenses now have a copyright risk score of 65.

  • Risk analysis information was added for the GPL 1.0 and OpenSSL licenses.

Resolved Issues

  • [Fixed] An error in the RVI sync process caused the alert creation to fail.

  • [Fixed] A null pointer exception occurred while calculating the check policy hash.

  • [Fixed] In the Risk Report, when a project had duplicate dependencies in the hierarchy, negative values were displayed.

  • [Fixed] Mend for GitHub Enterprise, Mend for GitHub.com - Duplicate GitHub Issues were generated for the same library and CVE when multiple scans were triggered in parallel for a commit.

  • Release Unified Agent version 19.9.2

...

  • An indicator has been added to Mend for GitHub Enterprise, Mend for GitHub.com and Mend for BitBucket Server indicating when automatic remediation is available for the specific vulnerability.

  • Mend is launching the Mend for GitLab Core beta version, enabling GitLab users to access Mend security alerts within GitLab’s native environment.

Resolved Issues

  • [Fixed] The getChangesReport API request was disregarding the time specified in the "startDateTime" field, fetching results from 00:00 on the specified date.

  • [Fixed] In an EUA-enabled organization, under certain conditions in 'Library Security Vulnerabilities' view, projects referencing the vulnerability were not filtered by the projects to which the user has privileges, resulting in errors.

  • [Fixed] In some cases, the Containers dashboard did not display any results.

  • [Fixed] Mend for GitHub Enterprise - When upgrading to image version 19.8.1, a Java error was displayed in the wss-ghe-app logs.

...

  • The API requests getProductLicenses, getOrganizationLicenses, and getProjectLicenses have an optional new field, excludeProjectOccurrences (default value = false) which enables getting product/domain licenses without project occurrences.

Resolved Issues

  • [Fixed] In the Risk Report PDF, in the Policy Name field, Chinese characters were omitted.

  • [Fixed] In selected instances when Prioritize’s multi-module setup failed, the log reported it as successful.

  • [Fixed] The response of the "getAllOrganizations" API request yielded a "Success" message in scenarios where it should have failed.

  • [Fixed] When resolving Yarn dependencies, the wrong line was printed in the log.

  • [Fixed] The Unified Agent did not identify all SBT dependencies in the *compile.xml file.

...

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Rust packages found in Rust-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on Haskell packages found in Haskell-related websites.

  • Mend Advise for Chrome now detects licensing and vulnerabilities information on OCaml packages found in OCaml-related websites.

Resolved Issues

  • [Fixed] If SAML has been configured, under certain conditions login failed with a NullPointerException.

  • [Fixed] On a Go project using the Godep dependency manager, the Unified Agent did not find all GO dependencies.

...

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

Resolved Issues

  • [Fixed] Users were unable to create a policy with an 'Issue' action linking to their 'Work Items' tracker type.

  • [Fixed] Under certain conditions, after a project was updated, a server failure message was displayed.

  • [Fixed] In the Security section in the Risk Report, large numbers did not display correctly.

  • [Fixed] When a request was assigned to a group, conditions did not appear in Pending Tasks.

  • [Fixed] Under certain conditions, the Unified Agent failed to retrieve projects from Artifactory.Releases.

...

  • For customers using Application Vulnerability Management platforms such as ThreadFix or Fortify, this version introduces the synchronization of Open Source Software scanning results from Mend to the aforementioned platforms.

Resolved Issues

  • [Fixed] In the Users page, the names did not sort correctly in alphabetical order.

  • [Fixed] In the Risk Report, in the Security area, when displaying data with a large number of libraries, the last digit was displayed in a line of its own.

  • [Fixed] Users received errors when trying to approve their library requests.

  • [Fixed] The Library Details page was stuck indefinitely with a “Loading Data” message.

  • [Fixed] When trying to approve tasks from the Pending Tasks screen, users received a message stating insufficient permissions.

  • [Fixed] Using the Unified Agent on Windows 10 via command line led to “illegal operations” warnings.

  • [Fixed] When configuring ‘excludeDependenciesFromNodes’, the wrong dependency was excluded.

  • [Fixed] File paths with special characters caused the Unified Agent to crash.

  • [Fixed] When activating Mend Advise, using the wrong regular expression in the URL caused the activation process to fail.

...

  • A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.

  • This version adds support for scanning Go 1.11 projects without the need for a dependency manager.

Resolved Issues

  • [Fixed] Projects were limited to exporting 32766 lines.

  • [Fixed] In the Users page, when the page was reduced, the column names were hidden.

  • [Fixed] When generating a Risk Report with a large number of libraries, the last digit was displayed in its own line.

  • [Fixed] Under certain conditions, failures occurred when trying to resolve Python dependencies.

  • [Fixed] The Unified Agent took an excessively long time to run.

  • [Fixed] When trying to approve requests and clicking Override and Approve, administrators were sent back to the Home page with a message notifying insufficient permissions.

  • [Fixed] When an API request for the getProjectAlertsReport was sent, the output was an .xlsx file in which the last title, Library Type, and the entries underneath it were not in the same column.

...

  • New streamlined multi-module process - In the multi-module Prioritize, a new command-line parameter, overrideExistingSetup = true, enables users to remove the pause between multi-module steps.

Resolved Issues

  • [Fixed] In the Inventory report, when match by filename was not selected, a filename match still occurred.

  • [Fixed] Under certain conditions, alerts weren't removed for deleted vulnerabilities.

  • [Fixed] Handling changed paths and vulnerability traces tasks took over 10 hours to complete.

  • [Fixed] After performing the Apply to Pending Requests action on product-level policies, a “server error” message was displayed.

  • [Fixed] Several identical licenses were assigned to the same library.

  • [Fixed] The API call getProductRiskReport took an excessively long time to run.

  • [Fixed] In the Dashboard, in License Analysis, clicking Facebook BSD + Patents displayed an empty report even though the relevant license exists.

  • [Fixed] When retrieving Gitta cached results under certain conditions, a NullPointerException was displayed.

  • [Fixed] When handling update requests, an exception occurred.

  • [Fixed] The Unified Agent experienced memory issues.

  • [Fixed] When scanning a GitLab repository using Source Control Management (SCM) configuration, an error message was received.

  • [Fixed] Mend Bolt for Azure report was not available in the Azure DevOps multi-stage pipelines preview.

  • [Fixed] When integrating Prioritize with Gradle, the log analysis process failed for sub-modules.

  • [Fixed] Under certain conditions, the config file mistakenly created a new Mend directory instead of including all configuration settings in the build directory.

  • [Fixed] R resolver: the library name did not match the package name in the DESCRIPTION dependency file.

  • [Fixed] Docker scans would hang when retrieving images.

  • [Fixed] In the Unified Agent, in the log, different parameters had the same name.

  • [Fixed] The Library WhiteList did not block Reject policy violations.

  • [Fixed] After the Unified Agent scanned .js files, some of the files were replaced by other versions with a different SHA-1.

  • [Fixed] Under certain conditions, the Mend Application did not identify NuGet packages.

  • [Fixed] Under certain conditions, when the Unified Agent ran on NuGet, it did not clear the packages directory and failed on a second run.

  • [Fixed] The Unified Agent log displayed thousands of attempts to access irrelevant URLs.

  • [Fixed] A proper error message for the Python errors in the debug log level was not generated.

  • [Fixed] Python dependencies were not resolved in hierarchical mode.

...

  • Extended JFrog Artifactory integration:

    • Support updating the JFrog Artifactory “properties” tab of an artifact with vulnerabilities and licensing information from a Mend scan.

    • Support accessing a JFrog Artifactory repository using a token for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’.

  • Support more informative summary statistics at the end of a scan, displaying the language extensions for which binary/source files were found and, for each extension, how many source/binary files were scanned.

Resolved Issues

  • [Fixed] In certain scenarios, when a filter was applied to the Alerts report, the screen hung with a “Loading Data” message.

  • [Fixed] JIRA integration - An error was returned while trying to create a JIRA ticket as part of a policy action because no JIRA credentials were set.

  • [Fixed] In certain scenarios, the request processing time of the application was very long in the Azure EU system.

  • [Fixed] In certain scenarios, when manually changing the origin library of two different libraries consecutively, the "Show me some options" results of the second library were refreshed only after a few seconds.

  • [Fixed] HTML resolver - In certain scenarios an error occurred when resolving HTML dependencies.

  • [Fixed] In some cases, when scanning Android projects, duplicate entries were created in the inventory.

  • [Fixed] Mend Bolt activation for Azure DevOps Server 2019 failed due to a registration-phase error.

  • [Fixed] In certain scenarios archive extraction didn’t work correctly for some jar & war files.

  • [Fixed] Mend For Containers - Docker image which was configured in the ‘docker.includes’ parameter wasn’t scanned.

  • [Fixed] When running a scan using the UA in debug mode, the path reported in the log was the executable path instead of the file path.

  • [Fixed] When running the UA from PowerShell with command-line parameters whose names include “.”, a parsing error was returned.

  • [Fixed] In certain scenarios, when a proxy was configured in the UA configuration file, a scan returned an error.

...

  • Maven Plugin: Support creating empty projects in Mend for maven projects with multi-modules when some of the modules are empty by using a new configuration parameter ‘updateEmptyProject’.

Resolved Issues

  • [Fixed] In certain scenarios, when the request with source files to match was very large (over 1M source files), the Gitta lookup returned an error.

  • [Fixed] In certain scenarios, libraries were incorrectly identified as having security vulnerabilities, or ignore comments were deleted.

  • [Fixed] Attribution Report - Extra separator lines were added when header text was added.

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page at the Product level.

  • [Fixed] In certain scenarios, applying in-house rules to pending requests took a long time. Performance has been improved.

  • [Fixed] The UA failed to resolve Ant dependencies due to external Ant parameters. A new configuration parameter, ‘ant.external.parameters’, was added; it should contain a comma-separated list of <key=value> pairs.

...

  • GitHub integration: Added the ability to enable/disable the creation of open issues after the scan has been completed.

Resolved Issues

  • [Fixed] In certain scenarios, the number of libraries displayed on the ‘Top 10 Products’ panel differed from the number of libraries displayed on the specific product page.

  • [Fixed] Ignored Alerts report: Comments were not displayed after the project was filtered.

  • [Fixed] Unified Agent: In certain scenarios, when the configuration parameter ‘npm.includeDevDependencies’ was set to ‘true’, the scan ignored this setting.

  • [Fixed] Unified Agent Go code with Gogradle environment: An issue could occur when passing information to the Unified Agent while using a custom build file ('build-inner.gradle') and settings file ('settings-inner.gradle').

  • [Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page.

...

  • Release management automation: Added the ability to obtain an attribution report via the API requests ‘getProductAttributionReport’ and ‘getProjectAttributionReport’.

  • The ‘getProjectComparisonReport’ API provides a project comparison report in an Excel format.

Resolved Issues

  • [Fixed] Alerts report may not always be updated after the source files are moved to a new source library.

  • [Fixed] Classification of specific Microsoft ASP.NET libraries may be erroneous.

  • [Fixed] Library Details page: Library type column of Alerts table is not always populated.

  • [Fixed] Requests may occasionally pause when a JIRA issue is created during a request update.

  • [Fixed] When the 'go.dependencyManager' parameter is not defined, the Unified Agent may not go through all the supported resolvers.

...

Note: The ability as a 'Product Default Approver' or 'Product Administrator' to assign licenses/copyrights has been removed.

Resolved Issues

  • [Fixed] In specific settings the ‘getVulnerabilitiesBetweenDates’ API call may not function properly.

  • [Fixed] Attribution report: In certain browsers, the 'Library' column may not be properly displayed.

  • [Fixed] 'Set as Home Page' option does not work with SAML.

  • [Fixed] Project Page: The Library pane size may change when switching between ‘Flat list’ and ‘Hierarchy’ views.

  • [Fixed] Attribution report: Occasionally, issues may occur while exporting the report as a ‘.txt’ file.

  • [Fixed] Gradle based projects: Issues may occur during the scan in specific cases when no source files are in the project.

...

  • Enhanced service user automation: The new API call 'createServiceUser' enables adding a service user.

  • The following API calls enable fetching a list of all custom attributes along with their set of values for each library on a Project/Product/Organization level: ‘getOrganizationCustomAttributeValues’, ‘getProductCustomAttributeValues’, ‘getProjectCustomAttributeValues’.

  • Improved automation for granular policy enforcement: Added API calls to manage policies on a Project level. These API calls include ‘getProjectPolicies’, ‘addProjectPolicy’, ‘updateProjectPolicy’, ‘removeProjectPolicies’,  ‘reorderProjectPolicyPriorities’.

Resolved Issues

  • [Fixed] Library Version Comparison page: An error in loading the page may occur for specific libraries.

  • [Fixed] In specific libraries, the alert on a library is marked as ‘ignored’, but the scan still fails.

  • [Fixed] Inventory report: Sorting by license may not always display the report in the desired order.

  • Unified Agent:

    • [Fixed] An error related to the stopwatch class has been fixed.

    • [Fixed] In certain cases, the temporary Mend directory names may be too long and their paths may exceed 260 characters.

...

  • The ‘productName’ parameter is now supported in the CLI when running the xModuleAnalyzer. See also related documentation.

Resolved Issues

  • [Fixed] Ignored Alerts report: Manual comments may not be displayed properly.

  • [Fixed] Attribution report: Issues may occur when exporting a report with the ‘Reference generic license’ option selected.

  • [Fixed] Security Trends Dashboard: The entire organizational data is displayed for all users, including the users who do not have permissions to view all of the Products.

  • [Fixed] Effective Usage Analysis (EUA): A Java exception may occur when running the Unified Agent with both Gradle and Maven related parameters enabled.

...

  • The new Containers vulnerabilities report displays the vulnerabilities per pod, namespace, and cluster. It enables the user to filter specific resources according to their context in the cluster. See also related documentation.

  • Attribution report: Missing copyright references are now marked with an asterisk (‘*’) character.

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Alerts report, and Vulnerabilities report.

  • Due Diligence report: Added option to view the report data only for a specific project, in addition to a particular product.

Resolved Issues

  • [Fixed] Unified Agent: Microsoft TFS Integration: An ‘Invalid diff JSON structure’ error may be displayed in specific configuration settings.

  • [Fixed] An error message is not displayed when trying to create a user via the 'Create User' functionality and providing the email address of a user that already exists.

  • Inventory report:

    • [Fixed] The ‘Primary Attribute’ is not included in the export output of the report.

    • [Fixed] A number of options in the search dropdown menu are not displayed when searching by product name.

    • [Fixed] In certain scenarios the ‘Suspected unspecified license’ filter erroneously displays no records in the results.

  • [Fixed] Risk report: PDF output may include issues when exporting the report for a selected product.

  • [Fixed] Occasional pauses may occur while submitting new libraries via the Drag and Drop UI.

  • [Fixed] ‘Admin’ → ‘Users’ page → ‘Invite Users’ button: Email addresses that include a space as the last character of the address are not processed, and an error message is displayed.

  • [Fixed] The process of renaming a project may occasionally require a relatively long interval, and no indication is displayed on when the process will be completed.

  • [Fixed] SAML: Single Sign On (SSO) may not work properly after a certificate update.

  • [Fixed] In specific configurations a source library may be uploaded without its source files after the scan.

  • [Fixed] Security Trends Dashboard: Issues may occur in the output when selecting 3 months and 6 months time frames.

  • [Fixed] In certain configurations libraries may be matched by their name although the ‘Match libraries by filename’ checkbox is cleared.

...

  • It is possible to export the following reports in JSON format via the GUI or via an API request: Inventory report, Source File Inventory report, and Due Diligence report. The following API requests include a new optional parameter called 'format'. The format is 'xlsx' by default, and valid options include 'json' and 'xlsx': ‘getOrganizationInventoryReport’, ‘getProductInventoryReport’, ‘getProjectInventoryReport’, ‘getOrganizationSourceFileInventoryReport’, ‘getProductSourceFileInventoryReport’, ‘getProjectSourceFileInventoryReport’, ‘getOrganizationDueDiligenceReport’, ‘getProductDueDiligenceReport’.

  • Risk Report: Added an ‘Apply’ button for the selected scope (Organizational or Product) that generates the report only after it is pressed.

  • Attribution Report: A new option enables the user to select one of the following outputs in cases where the license reference cannot be obtained:

    • Leave license blank

    • Reference a generic license

Resolved Issues

  • Jira Integration:

    • [Fixed] Unclear error message is displayed when the Issue Tracker URL is invalid.

    • [Fixed] In certain scenarios, exceptions may occur when fetching Jira mandatory fields.

  • [Fixed] Manual Comments: The ‘&’ and ‘%’ characters are classified as illegal characters, and therefore, some URLs cannot be entered.

  • [Fixed] The Attribution report does not fully support foreign language characters in Unicode.

  • [Fixed] The ’getOrganizationProjectVitals’ API request may require a relatively long time to complete.

  • Unified Agent:

    • [Fixed] When scanning a remote repository (using SCM settings), the Unified Agent also scans the directory where the Unified Agent was executed.

    • [Fixed] In certain Yarn based projects, dev dependencies are resolved even though the parameter ‘npm.includeDevDependencies’ is set to ‘false’.

    • [Fixed] The ‘productToken’ parameter is always ignored when running the Unified Agent with the ‘-requestFiles’ CLI parameter.

    • [Fixed] A returned output message is out of context when the Unified Agent runs on an SBT project without a defined target folder.

...

  • Checks API support for GitHub Integration: Added support for the Completed with 'Neutral' conclusion. This conclusion is displayed when a 'push' command is not valid. See also related documentation.

  • Attribution Report: Added custom attributes specified for the component in the summary report for both HTML and Text export formats.

  • Risk report: Added the ‘How Do We Compare?’ section to the PDF export of this report.

  • License compatibility report: Added an option to export the report in Excel and XML formats.

  • Unified Agent:

    • The following updates were made as part of the overall plan to move to a single scanning interface:

      • JAR file changed to ‘wss-unified-agent-<x.x.x>.jar’

      • Configuration file changed to ‘wss-unified-agent-<x.x.x>.config’

      • License changed from Open Source (Apache) to a Mend Commercial license.

      • New distribution repo on GitHub (unified-agent-distribution)

      • Backwards compatible (fs-agent-distribution and fs-agent repositories are still available for previous open source versions of the Unified Agent)

    • The checkbox ‘Add project to default product when only project name is provided’ has been added to the ‘Integrate’ tab.
      If only 'projectName' is provided in the configuration file (‘projectToken’, ‘productName’, ‘productToken’ are left empty), and the checkbox is not selected (default), then the first found project with the identical name is overridden. If the checkbox is selected in the same scenario, then the project is added by default to the product named 'My Product'.

    • Added the configuration parameter 'failErrorLevel', which sets additional scenarios to 'error' instead of 'success'.

Resolved Issues

  • Unified Agent:

    • [Fixed] Issues may occur while scanning a multi-module SBT project.

    • [Fixed] Issues may occur while scanning multiple projects on Bamboo.

  • Effective Usage Analysis (EUA):

    • [Fixed] While using the multi-module feature, sub modules are being overridden due to identical names. See also related documentation on updates to the setup file.

    • [Fixed] The summary of the Effective and non Effective libraries may not always match when comparing them on a Product vs. Project level.

  • [Fixed] High Severity Bugs report: An error may occur in the generation of the report in specific scenarios.

  • [Fixed] Attribution report: HTML export of report does not support Chinese characters.

  • API:

    • [Fixed] It is not possible to create a product with a name that includes non-Latin characters.

    • [Fixed] A fetched Due Diligence report in Excel format may not be properly formatted.

...