These release notes are for the Mend Cloud solution, and do not apply to the on-premises solution that has its own release notes.

Version 22.5.1 (15-May-2022)

Features and Updates

• Added detection of weak hashing algorithms for PHP.

• Support for second-order SQL injection is now included with Python.

• Information from one scan now carries over to the next scan. This includes - Reviewed state, Comments, Detection Date, Severity Level, Issue Submission Date, Suppressions

• If an invitation to SAST has expired, the user is instructed to request a new password in order to gain access.

• The CLI has improved language and parameter names to make it easier to understand the use of snippets.

• Logic for the severity thresholds in the CLI has been improved, so that so that more severe findings are also taken into account for lower severity thresholds.

Resolved Issues

• Fixed an issue where log files were missing from the MacOS version of the CLI.

• Improved the detection of hard-coded database passwords in PHP.

• The Path Traversal CWE is now included in Kotlin with Micronaut framework.

• Adapted sanitizer definitions for Java that could cause false negatives.

• In the web app, when a sub-organization is disabled, users are automatically logged out of it and cannot perform any other action within it.

• Fixed an issue with disabling SAML where the configuration is now saved and SAML is disabled correctly.

• Fixed an issue with disabling SAML where the configuration is now saved and SAML is disabled correctly.

• Fixed an issue with disabling SAML where the configuration is now saved and SAML is disabled correctly.

• When a new application is created in the web UI, its language can now be selected by keyboard, and matching languages are displayed as you type.

Version 22.4.2 (1-May-2022)

Features and Updates

• The SAST CLI has been renamed to wssastcli.

• It is now possible to define multiple organizations. SAML configuration can be inherited from the main organization.

• Scan names can now include any special character permitted by GitHub.

• The CLI now supports automatic updates to new versions.

• A new audit logs view has been added that allows admins to monitor all administrative changes (SAML, user invites, etc.).

Resolved Issues

• Fixed an issue where a user whose access was disabled for one organization could not log in to other organizations as well.

• Standard and advanced interactive CLI configurations are now uniform in their workflow and messaging.

• Fixed an issue with saving Custom Rules to a file on Mac/Linux.

• Application settings for engines and languages no longer override selections made in templates, environment or configuration files.

• A CLI scan that finishes quickly and successfully no longer displays an erroneous warning message about not updating the scan.

• If there is no language that supports remediation, the Scan > Details > Remediations tab will display a list of remediation recommendations.

Version 22.4.1 (17-April-2022)

Features and Updates

• Scan speed and accuracy for Python, JavaScript, Ruby, and Go have been greatly improved.

• For custom filters, it is now possible to specify the filtered parameter.

• Users are now identified only by their email address. The user name field has been removed.

• Mend SAST can now also be hosted on servers located in the EU.

• Directly after a scan begins, its scanning state will be visible in the Scans tab of the Dashboard.

• It is now possible to re-invite a user whose earlier invitation has expired.

• It is now possible to specify the location of the baseline dump file using the --baselinestorage CLI parameter (or its JSON and environment variable alternatives).

• The base Linux image for the Docker container required to run the CLI on macOS environments is now configurable.

Resolved Issues

• Fixed a crash that occurs if the "noprogress" parameter was set to true.

• Fixed an issue where admins were unable to edit standard users due to misconfiguration of the edit request.

• On some systems, the CLI would not exit when a user pressed Ctrl+C during the interactive setup. It is now also possible to exit by pressing Esc and typing “exit”, or by pressing Ctrl+E.

• An error message is created if “snippetsize” is set to a value less than 1 while “submitfiles” is set to true.

• If a user attempted to login using SSO when SAML had not been configured, there was no error message indicating why the login failed.

Version 22.3.2 (3-April-2022)

Features and Updates

• It is now possible to mark vulnerabilities that have already been reviewed.

• In the Details tab, the Data Flow, Source Code, and Summary view have been combined in an improved Data Flow view.

• In the Details tab of a scan, the information about a specific vulnerability type is no longer repeated for each finding of the same type, but is now displayed on the vulnerability type itself.

• The Group Risk Level setting was removed from the single vulnerabilities and can now be set on the vulnerability type node.

• In the Details tab of a scan, you can now filter by Reviewed Findings and Suppressed Findings.

• The domain URL configuration was added to the SAML configuration. This corresponds to the Root URL that the SAST On-Prem previously had.

• The CLI now supports macOS, and its output displays all actions/interactions with the Docker daemon, i.e., the downloading of a Linux image and creation of containers.

• The CLI now informs when a new version is available.

• The Details view of the Scans page now presents the most relevant information first.

• The chart-based presentation of applications was replaced by a table-based view to present more data and improve editing.

• It is now possible to create a non-human "Service User" for the purpose of integration into pipelines, repositories, etc. For example, integrating scanning into GitHub.

Resolved Issues

• The SARIF report now passes both standard SARIF validation and GitHub integration rules.

• Scans and incremental scans can now be run on directories containing white spaces in their names.

Version 22.3.1 (13-March-2022)

Features and Updates

• Scan speed and accuracy for Python, JavaScript, Ruby, and Go have been greatly improved.

• For custom filters, it is now possible to specify the filtered parameter.

• Users are now identified only by their email address. The user name field has been removed.

• Mend SAST can now also be hosted on servers located in the EU.

• Directly after a scan begins, its scanning state will be visible in the Scans tab of the Dashboard.

• It is now possible to re-invite a user whose earlier invitation has expired.

• It is now possible to specify the location of the baseline dump file using the --baselinestorage CLI parameter (or its JSON and environment variable alternatives).

• The base Linux image for the Docker container required to run the CLI on macOS environments is now configurable.

Resolved Issues

• Fixed a crash that occurs if the "noprogress" parameter was set to true.

• Fixed an issue where admins were unable to edit standard users due to misconfiguration of the edit request.

• On some systems, the CLI would not exit when a user pressed Ctrl+C during the interactive setup. It is now also possible to exit by pressing Esc and typing “exit”, or by pressing Ctrl+E.

• An error message is created if “snippetsize” is set to a value less than 1 while “submitfiles” is set to true.

• If a user attempted to login using SSO when SAML had not been configured, there was no error message indicating why the login failed.

• Some problems with freezing scans have been fixed.