We are proud to announce our latest update, v1.2.15. With this release we focus on the daily work and provide two new, substantial features that aim to simplify and improve working with components.
- Dependency View - So far we have provided two views: one to work on the legal side and one to work on the components themselves. Now we offer a third view, which we named "Dependency View". It is a kind of integrated view, based on the components but aggregating all information in one place.
While the left side contains the list of components, the right side shows all details of the selected component. The selectors in the middle console allow direct scrolling to a section, whether that is component details, viability, vulnerability or legal information, external task management (Jira/TFS), comments, state management or the activity log.
- Manual Component State - Until now, you were dependent on the state our analysis derived for a particular component. Unless you skipped or removed a component from the module or project, its state remained "violated" or "warning". This might be good for compliance but is bad for daily work, because your overall state will always look flawed. To allow an overall green state, which lets you recognize new issues much faster, we introduced a manual state that overrides the analysis status. To set it, the system forces you to leave a comment, which will be available to the auditor later. This way you may work through a module and reach a green state while the threats remain visible. This is especially useful for handling irrelevant vulnerabilities. For example, imagine you have used a component which contains a CSS vulnerability. If the module is a server-side backend, never exposed to anything other than a locked zone in your private VPC, you might consider this a non-vulnerability in your case. With the manual state feature, you may comment on this and change the overall state to green.
- Viability Switch - During the last months we have spent a lot of effort on developing a reasonable schema to measure the viability of an open source project, which should help risk management. But we have not yet derived a reliable concept that does not produce false positives. We do have a lot of parameters, but the number of components without any reliable parameters is still pretty high. Thus we decided to turn viability off by default, but we leave the functionality in place so that the user can switch it on for an analysis on demand. You may switch it on and off per module in the module settings.
- In some multi-license cases the picked license was not displayed properly, leading to confusion in the legal license view (the state and the displayed license did not seem to match).
- During the move, TFS integration was disabled for enterprise accounts; it is available again.
- Some slowly reacting pages were identified and their performance improved.
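The Manual Component State item above describes a risk-acceptance workflow: the analysis derives a state from a component's findings, a reviewer may override it only with a justification comment that is kept for the auditor, and the findings stay visible while the module turns green. The following Python model is an added illustration of that workflow and is not the product's own code; all class, field and finding names are invented here, the sample components are constructed, and the rule that an override stops applying once a new finding appears on the component is an assumption chosen so that new issues become visible, not something the release note states.

```python
"""Model of a manual component state with a mandatory justification comment.

Added illustration, not the product's code. Names and sample data are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Ranking used to pick the worst state; "green" means no open issue.
STATE_ORDER = {"green": 0, "warning": 1, "violated": 2}


@dataclass
class Finding:
    kind: str       # e.g. "vulnerability" or "license"
    title: str
    severity: str   # "warning" or "violated"


@dataclass
class Override:
    state: str
    comment: str            # justification kept for the auditor
    author: str
    created_at: str
    covered: frozenset      # finding titles known when the override was written (assumption)


@dataclass
class Component:
    name: str
    findings: List[Finding] = field(default_factory=list)
    override: Optional[Override] = None

    def derived_state(self) -> str:
        """State the analysis assigns from the findings alone."""
        if not self.findings:
            return "green"
        return max((f.severity for f in self.findings), key=STATE_ORDER.__getitem__)

    def set_manual_state(self, state: str, comment: str, author: str) -> None:
        """Override the derived state; refused without a non-empty comment."""
        if state not in STATE_ORDER:
            raise ValueError(f"unknown state {state!r}")
        if not comment.strip():
            raise ValueError("a justification comment is required for a manual state")
        self.override = Override(state, comment.strip(), author,
                                 datetime.now(timezone.utc).isoformat(),
                                 frozenset(f.title for f in self.findings))

    def effective_state(self) -> str:
        """Manual state while it covers every finding; derived state otherwise."""
        if self.override is None:
            return self.derived_state()
        if {f.title for f in self.findings} <= self.override.covered:
            return self.override.state
        # A finding appeared after the override was written: surface it again.
        return self.derived_state()

    def audit_view(self) -> dict:
        """What the auditor sees: findings remain listed next to the override."""
        ov = self.override
        return {
            "component": self.name,
            "derived": self.derived_state(),
            "effective": self.effective_state(),
            "findings": [f"{f.kind}: {f.title} ({f.severity})" for f in self.findings],
            "override": None if ov is None else {"state": ov.state, "comment": ov.comment,
                                                 "author": ov.author},
        }


def module_state(components: List[Component]) -> str:
    """Overall module state is the worst effective component state."""
    return max((c.effective_state() for c in components),
               key=STATE_ORDER.__getitem__, default="green")


def demo() -> dict:
    # Constructed sample: a backend-only component with a client-side finding.
    backend_lib = Component("example-template-lib",
                            [Finding("vulnerability", "CONSTRUCTED-CLIENT-SIDE-0001", "violated")])
    clean_lib = Component("example-json-lib")
    before = module_state([backend_lib, clean_lib])

    backend_lib.set_manual_state(
        "green",
        "Server-side backend reachable only from a locked VPC zone; not exploitable here.",
        "reviewer@example.invalid")
    accepted = module_state([backend_lib, clean_lib])

    # A new finding on the same component is not covered by the earlier override.
    backend_lib.findings.append(Finding("license", "CONSTRUCTED-LICENSE-CONFLICT", "warning"))
    after_new_finding = module_state([backend_lib, clean_lib])
    return {"before": before, "accepted": accepted,
            "after_new_finding": after_new_finding, "audit": backend_lib.audit_view()}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the module prints the audit view, which shows the accepted finding still listed beside the reviewer's comment even though the effective state was green until the second finding arrived.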