This documentation space will be inaccessible starting January 9th, 2023.
All the pages will continue to be available in Mend's Knowledge Hub at https://docs.mend.io, which we encourage you to visit today.
To make the transition as easy as possible, until January 9th, 2023, deprecated pages will contain a direct link to the new Knowledge Hub.

Mend SAST Cloud Release Notes

These release notes are for the Mend Cloud solution, and do not apply to the on-premises solution that has its own release notes.

  • See the Known Issues page for currently known issues. Additionally, we suggest you stay informed by regularly checking the Notices page.

  • Release notes are subject to change until the actual release date. Note that Mend reserves the right to postpone the release of this page for up to and including 48 hours after the version’s actual release.

  • This page is "dynamic" and is subject to change between official releases. Mend reserves the right to modify this page retroactively. Check this page periodically between official releases to ensure you are up-to-date with all hotfixes, changes and additions to Mend's products.


Version 22.5.1 (15-May-2022)

Features and Updates

  • Added detection of weak hashing algorithms for PHP.

  • Support for second-order SQL injection is now included with Python.

  • Information from one scan now carries over to the next scan. This includes: Reviewed state, Comments, Detection Date, Severity Level, Issue Submission Date, and Suppressions.

  • If an invitation to SAST has expired, the user is instructed to request a new password in order to gain access.

  • The CLI has improved language and parameter names to make it easier to understand the use of snippets.

  • Logic for the severity thresholds in the CLI has been improved, so that more severe findings are also taken into account for lower severity thresholds.

Resolved Issues

  • Fixed an issue where log files were missing from the macOS version of the CLI.

  • Improved the detection of hard-coded database passwords in PHP.

  • The Path Traversal CWE is now included in Kotlin with Micronaut framework.

  • Adapted sanitizer definitions for Java that could cause false negatives.

  • In the web app, when a sub-organization is disabled, users are automatically logged out of it and cannot perform any other action within it.

  • Fixed an issue with disabling SAML where the configuration is now saved and SAML is disabled correctly.

  • When a new application is created in the web UI, its language can now be selected by keyboard, and matching languages are displayed as you type.

Version 22.4.2 (1-May-2022)

Features and Updates

  • The SAST CLI has been renamed to wssastcli.

  • It is now possible to define multiple organizations. SAML configuration can be inherited from the main organization.

  • Scan names can now include any special character permitted by GitHub.

  • The CLI now supports automatic updates to new versions.

  • A new audit logs view has been added that allows admins to monitor all administrative changes (SAML, user invites, etc.).

Resolved Issues

  • Fixed an issue where a user whose access was disabled for one organization could not log in to other organizations as well.

  • Standard and advanced interactive CLI configurations are now uniform in their workflow and messaging.

  • Fixed an issue with saving Custom Rules to a file on Mac/Linux.

  • Application settings for engines and languages no longer override selections made in templates, environment or configuration files.

  • A CLI scan that finishes quickly and successfully no longer displays an erroneous warning message about not updating the scan.

  • If there is no language that supports remediation, the Scan > Details > Remediations tab will display a list of remediation recommendations.

Version 22.4.1 (17-April-2022)

Features and Updates

  • Scan speed and accuracy for Python, JavaScript, Ruby, and Go have been greatly improved.

  • For custom filters, it is now possible to specify the filtered parameter.

  • Users are now identified only by their email address. The user name field has been removed.

  • Mend SAST can now also be hosted on servers located in the EU.

  • Directly after a scan begins, its scanning state will be visible in the Scans tab of the Dashboard.

  • It is now possible to re-invite a user whose earlier invitation has expired.

  • It is now possible to specify the location of the baseline dump file using the --baselinestorage CLI parameter (or its JSON and environment variable alternatives).

  • The base Linux image for the Docker container required to run the CLI on macOS environments is now configurable.

Resolved Issues

  • Fixed a crash that occurred if the "noprogress" parameter was set to true.

  • Fixed an issue where admins were unable to edit standard users due to misconfiguration of the edit request.

  • On some systems, the CLI would not exit when a user pressed Ctrl+C during the interactive setup. It is now also possible to exit by pressing Esc and typing “exit”, or by pressing Ctrl+E.

  • An error message is created if “snippetsize” is set to a value less than 1 while “submitfiles” is set to true.

  • If a user attempted to log in using SSO when SAML had not been configured, there was no error message indicating why the login failed.

Version 22.3.2 (3-April-2022)

Features and Updates

  • It is now possible to mark vulnerabilities that have already been reviewed.

  • In the Details tab, the Data Flow, Source Code, and Summary view have been combined in an improved Data Flow view.

  • In the Details tab of a scan, the information about a specific vulnerability type is no longer repeated for each finding of the same type, but is now displayed on the vulnerability type itself.

  • The Group Risk Level setting was removed from the single vulnerabilities and can now be set on the vulnerability type node.

  • In the Details tab of a scan, you can now filter by Reviewed Findings and Suppressed Findings.

  • The domain URL configuration was added to the SAML configuration. This corresponds to the Root URL that the SAST On-Prem previously had.

  • The CLI now supports macOS, and its output displays all actions/interactions with the Docker daemon, i.e., the downloading of a Linux image and creation of containers.

  • The CLI now informs when a new version is available.

  • The Details view of the Scans page now presents the most relevant information first.

  • The chart-based presentation of applications was replaced by a table-based view to present more data and improve editing.

  • It is now possible to create a non-human "Service User" for the purpose of integration into pipelines, repositories, etc. For example, integrating scanning into GitHub.

Resolved Issues

  • The SARIF report now passes both standard SARIF validation and GitHub integration rules.

  • Scans and incremental scans can now be run on directories containing white spaces in their names.

Version 22.3.1 (13-March-2022)

Features and Updates

  • Scan speed and accuracy for Python, JavaScript, Ruby, and Go have been greatly improved.

  • For custom filters, it is now possible to specify the filtered parameter.

  • Users are now identified only by their email address. The user name field has been removed.

  • Mend SAST can now also be hosted on servers located in the EU.

  • Directly after a scan begins, its scanning state will be visible in the Scans tab of the Dashboard.

  • It is now possible to re-invite a user whose earlier invitation has expired.

  • It is now possible to specify the location of the baseline dump file using the --baselinestorage CLI parameter (or its JSON and environment variable alternatives).

  • The base Linux image for the Docker container required to run the CLI on macOS environments is now configurable.

Resolved Issues

  • Fixed a crash that occurred if the "noprogress" parameter was set to true.

  • Fixed an issue where admins were unable to edit standard users due to misconfiguration of the edit request.

  • On some systems, the CLI would not exit when a user pressed Ctrl+C during the interactive setup. It is now also possible to exit by pressing Esc and typing “exit”, or by pressing Ctrl+E.

  • An error message is created if “snippetsize” is set to a value less than 1 while “submitfiles” is set to true.

  • If a user attempted to log in using SSO when SAML had not been configured, there was no error message indicating why the login failed.

  • Some problems with freezing scans have been fixed.

©2022 White Source Ltd. | All rights reserved.