Product Updates
December 2024
New Features
Added a new unified “Risk” view that combines findings across all scan types into a single place, giving a more comprehensive picture of the risk associated with a product. The new view also introduces many new filters and sorting options to help you better understand the risk associated with your products.
September 2024
New Features
Container Scanning
Added support for scanning container images for vulnerabilities, ensuring that containerized applications are secure before they are deployed. The scan also performs Software Composition Analysis (SCA) to enumerate open-source dependencies and their associated risk, and can generate an SBOM report. Currently supports integration with Azure Container Registry and Docker Hub.
Additional Enhancements
- Redesigned the Asset view for code repositories and container images. Added new filters for asset type and status, as well as an Asset Scan History section to provide better visibility into past scans.
- Improved the detailed view for both cognition-based and policy-based findings, and added the ability to create work item tickets for resolution.
- SonarQube project mapping improvements.
Bug Fixes
- Fixed an issue with some cognitions not triggering appropriately under certain conditions.
June 2024
New Features
SAST Scanner Enhancements
Added additional rule coverage for C/C++.
SCA Pipeline Scan Improvement
Simplified the configuration and secrets required when running an SCA pipeline scan.
Workflow
Added a new option when Accepting Risk to mark the finding as a False Positive and optionally provide a comment or reason for accepting the risk.
Added the ability to create a single work item ticket for vulnerabilities with multiple instances.
When creating the work item, the data for all selected instances will be included in the ticket description.
Bug Fixes
- Fixed an issue that caused a scan to fail when running language detection on the repository.
- Fixed an issue on the product Dashboard that did not show the SAST Scanner Data Source as mapped.
- Corrected the icon displayed for the SAST Scanner.
May 2024
New Features
Policies
Organizations can now create Policies that check their portfolios or products for violations based on dependencies, licenses, and languages that either are or are not present. Users can also create rules based on their product score falling below a certain threshold, or on an asset not having been scanned in a specified number of days.
There are five types of policy violations:
- Dependency
- License
- Language
- Score
- Last Scanned
Convert Semgrep to External Data Source
Semgrep, our internal SAST scanner, is now being converted into an external data source. This gives the client more control over this tool, including whether or not it is active.
Note: When a client connects the platform with their SonarQube account, Semgrep will be turned off. They may re-enable Semgrep if desired.
SAST Pipeline scan support
Users can seamlessly integrate static code analysis into their CI/CD pipeline, allowing for early detection of potential vulnerabilities. This enhancement empowers clients to take proactive measures in addressing security concerns prior to deployment.
Schematic: Data Sync
Accounts in the platform will now be synced with accounts in Schematic, allowing us to start developing and implementing various features from Schematic such as feature flags, entitlements, and more.
Feature Enhancements
Managed Assets Now Show Mapped Products
The details of Managed assets now show the products the assets are mapped to, each with a link to its product dashboard.
Code Vulnerability Instance Updates
When viewing a Semgrep-reported code vulnerability from within a product, we now display the entire URL, including the base URL of the code repo.
Updated SonarQube Vulnerabilities
For SonarQube vulnerabilities, the user will now see only one risk item per vulnerability, and the details will show the aggregated list of occurrences.
Bug Fixes
- Fixed an issue where editing a product caused traceability and notifications to show that a new member had joined the team
- Onboarding now handles Browser-Based “Back”/“Forward” Buttons
- Onboarding would not allow you to change the data source after you picked one
- Fixed a duplicated data source issue
- Fixed a SonarQube Display UI issue
- Fixed an issue with Product Dependencies Search
- Fixed a performance issue identified in product vulnerability details page
- Asset type icons had the wrong colors on the Asset Discovery page
- The Last Scan Date showed “a month ago” when it was null
March 2024
New Features
Onboarding – Initial Release
- Added the first phase of the Onboarding flow for new clients.
- Initial support for connecting to Azure DevOps and GitHub, creating a product, and mapping repositories to that product.
- Support for connecting to Bitbucket and GitLab will be added in future iterations
SSO Integration and Configuration
- Clients can now configure a connection between their SSO/IdP and our platform to allow their users a better login experience.
SAST SARIF Report Manual Upload
- Ability to upload a SAST SARIF report, have the results ingested into the system, and view risks and other results in the UI
Linguistics
- Tool for language detection and analysis within code repositories. It automatically identifies the programming languages used in a codebase by analyzing file content.
- This detection aids in understanding the composition of projects, managing dependencies, and ensuring accurate language statistics.
Vulnerability Details Page Updates
- Added Training Links to the Vulnerability Details page, where previously the links were only on the List view.
- Upgraded the File Path to contain the full URL when reported from Semgrep, allowing the user to open the URL directly in a new tab/window
SBOM Dependency Searching
- Added the ability for a user to search across dependencies in an SBOM report.
Refactored
- Refactored Synapse Logic App
- Upgraded .NET Version/Libraries/Dependencies
- Implemented post-scan cleanup service
- Improved Scanner Timeline Events/Statuses
Bug Fixes
- Critical Risk Cards – Portfolio number was not updating correctly
- Recon was not running daily
- GitHub was not available as a Data Source when using the Source Repo filter
- Product Dashboard was not updating Scan History and Security Controls correctly
- Scanning already managed assets was resulting in an error
- All Work Tracking issue types were being returned instead of only those valid for the associated project
- Long names for Work Tracking items were not being allowed
- CVE-IDs were being duplicated in the Product SBOM report
- Trying to modify a data source that requires a Personal Access Token was resulting in an error
- Product Name change was not updating properly
- Fixed various git clone errors relating to tokens
January 2024
New Features
New UI look and feel
- New Company Dashboard.
- New Product Dashboard.
Scanner Redesign
- Git Clone Service.
- SCA Refactor.
- Scan Analysis Refactor.
- Scanner Status Handler Job.
SAST Scanner
- Semgrep Integration.
- Build Semgrep Scan Analysis Job.
Work Items
- Linear Integration.
- Improvement to Work Item Reconciliation.
Data Sync Jobs for New Dashboard
- Company Data Sync.
- Product Dashboard Data Sync.
- Create Synapse Pipelines and Data Sync.
- Synapse Pipeline Data Read Issue.
API Updates
- Company Dashboard Endpoint.
- Product Dashboard Endpoint.
- Service Bus Integration.
- Refactor Request Scanner Endpoint.