It took us quite a while to cope with all the requirements we are receiving. The overall process remains complex and we always have to distinguish between individual desires and general purpose. There are many great ideas, some fancy ideas and some simple practical advances. We always try to keep a balance. We also try to keep up with our long-term goals, which in this case included upgrading the infrastructure and code base to more modern versions (since we introduced the version feature, we have been able to see that some parts of the product needed renovation, e.g. removing Python 2.7, upgrading Node versions etc.). See the preview section below to get an overview of the upcoming changes.
PLEASE NOTE: During the last weeks we often released minor changes. Thus you might have experienced some of the new features already throughout the last weeks. For example, the muting of vulnerabilities already appeared in v1.9.40.
However, we are always happy to receive your feedback, comments and ideas at firstname.lastname@example.org. And we will for sure react to whatever you throw at us.
- We introduced legal settings templates:
Legal settings templates shall ease the life of developers. Instead of completing the legal questionnaire to cope with the legal circumstances, it is now possible for the Compliance Manager to set up templates for specific cases like "internal SaaS" or "Appliance for sales and distribution". Read here how it works.
- Allow CVE muting:
Since the goal is to get the display green, the requirement arose to "mute" known vulnerabilities. With this feature you may "mute" a vulnerability after it has been identified. This requires a comment by the analyst muting it, e.g. "network AV not relevant in current use case". From that moment, the vulnerability will not count towards the warnings or violations anymore, but the information about the vulnerability will still be shown - including the comments - in compliance reports. See here for more details.
- Allow adding vulnerabilities manually:
Many of you are using different sources for vulnerability scanning. As we claim to support the documentation for compliance reasons, we want to give a sound picture of the software status to the Compliance officer. So we now allow adding known vulnerabilities manually. In case a vulnerability is not identified by our solutions automatically, you may add it manually. See here how this works.
- Link modules capability
Probably the most powerful change since the introduction of infrastructure components, this feature allows approved modules or projects to be linked as a module into another project. This brings the structure and dependencies of a particular version into the project and includes them there. Thus it can be assessed using the legal settings of the new project and becomes part of the compliance approval of the integrating project. See "How to link modules" for more information. We included a first report to allow identifying dependent projects. This is perfect for applying the open source principles also to "Inner Source".
- New DeepScan modes "file" and "copyright":
DeepScan received new operational modes, allowing you to decide at the start of the scan whether to scan a single file or a complete repository, and whether to search for copyright statements or not. See the DeepScan howto for more details.
- "Contact Admin"-feature:
Requested by several corporate and enterprise customers, it is now possible to set an "internal" address for inquiries. Thus not all requests, e.g. those related to one's own role adjustments, need to be directed towards our support but can be routed directly to a local administrator.
- "Analysis required"-indicator:
Many of the support cases have been related to the fact that we do not automatically run an analysis after every change that happens. The reason for this is the time and effort required to execute such an analysis. Especially for larger modules this could lead to a row of parallel or even overtaking analysis operations. Thus we decided to leave the trigger for analysis manual. Unfortunately this sometimes gets lost, so people miss triggering it and hence do not see the changes of their work. Whenever you now see a "refresh" symbol on the "Analysis" button, you will know that it is time to request a new analysis to receive the most recent picture.
- Added deep links into vulnerability reports:
Meanwhile almost all reports contain deep links, so that any report reader may directly jump to the particular component in the corresponding module for further analysis.
- Settings will be remembered:
It could be cumbersome when working in a specifically set up view, e.g. paging, filter, etc., because reloading the page reset the view to its former state. To improve this, we now keep the settings for paging, filters, etc. for module projects and other list pages.
- Links to Training videos in the upper right corner of the dashboard:
We introduced a video collection from our academy, which is displayed in the upper right corner of the dashboard. This provides direct links to the row of learning materials on OSS Compliance we will provide over the coming weeks and months.
- Associate binary links to Compliance reports
To allow the binding of a binary to a Compliance report, we introduced the option to associate an array of SHA values of the binaries or some IDs from binary repositories. This information will always be available within the compliance report. Thus your report and the corresponding approval may always be associated with a particular binary artifact. After freezing or approving the report, this information can not be changed anymore.
- Provide Approval API
We provided a set of API functions so that it is possible to initiate approvals as well as the assignment of binaries automatically from within the CI/CD flow. The initiate approval call returns a set of key indicators so that you may decide whether to continue or break further deployments.
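As an added example (not the product's own API or code, which these notes do not specify), the muting rule from the CVE muting item and the CI/CD gate described here, modelled in plain Python: a mute requires an analyst comment, muted findings drop out of the warning and violation counts but stay listed with their comments, the binaries' SHA-256 digests are prepared for association with the report, and a gate decides whether the deployment continues. The indicator names, the request payload shape and the CVE identifiers are constructed assumptions.

```python
"""Added example: muting rule plus a CI/CD approval gate (constructed, not the product's API)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vulnerability:
    cve: str                 # constructed identifier, e.g. "CVE-0000-0001"
    severity: str            # "high" counts as a violation, anything else as a warning
    mute_comment: Optional[str] = None

def mute(vuln: Vulnerability, comment: str) -> Vulnerability:
    """Muting needs a justification by the analyst; an empty comment is rejected."""
    if not comment or not comment.strip():
        raise ValueError(f"muting {vuln.cve} requires an analyst comment")
    vuln.mute_comment = comment.strip()
    return vuln

def key_indicators(vulns: list) -> dict:
    """Muted findings no longer count as warnings/violations but stay in the report."""
    active = [v for v in vulns if v.mute_comment is None]
    return {
        "violations": sum(1 for v in active if v.severity == "high"),
        "warnings": sum(1 for v in active if v.severity != "high"),
        "muted": [{"cve": v.cve, "comment": v.mute_comment}
                  for v in vulns if v.mute_comment is not None],
    }

def artifact_digests(artifacts: dict) -> dict:
    """SHA-256 per binary, to be associated with the report before it is frozen."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}

def build_approval_request(module: str, version: str, artifacts: dict) -> str:
    """Assumed request payload: module, version and the binaries' digests as JSON."""
    return json.dumps({"module": module, "version": version,
                       "binaries": artifact_digests(artifacts)}, sort_keys=True)

def ci_gate(indicators: dict, allow_warnings: bool = True) -> bool:
    """Break the deployment on any violation; whether warnings block is a policy choice."""
    if indicators["violations"] > 0:
        return False
    return allow_warnings or indicators["warnings"] == 0

if __name__ == "__main__":
    findings = [Vulnerability("CVE-0000-0001", "high"), Vulnerability("CVE-0000-0002", "medium")]
    mute(findings[0], "network AV not relevant in current use case")
    print(key_indicators(findings), "deploy" if ci_gate(key_indicators(findings)) else "break")
```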
- Speed up and simplify DeepScan as well as the loading of DeepScan results
- Introduce a tree navigation for DeepScan results
- It is possible to filter the DeepScan results for particular filenames or licenses.
- Representation of missing GitHub data beautified
- Texts in sidebar menu
- Presentation of legal settings and templates
- Simplified Approval flow
- Enhanced reject-approval comments
- Versioning report now links Vulnerability report
- Enhance Compliance report
- Speed up loading of larger modules and scans
- Remove-button in Notice-File report fixed
- New vulnerabilities will become visible in total score even if components are whitelisted
- Extend module identifier
- Stabilize footer
- Complete approval notifications
- Added missing rights to Compliance Manager Role
Preview / coming Updates:
In our next step, we plan to open the different capabilities as separate transactional services. During the last weeks, we have recognized that there are many sophisticated tools and components out there that do parts of the compliance work in fascinating quality. But we did not find any solution that provides such an integrated compliance procedure including logging and auditing as well as the complete approval structures.
So we decided to separate our capabilities to allow our customers to make their choice on what to use where. In a first step, we will improve the import and export of SPDX files, which allows exchanging data with particular tools; but despite being a good idea, SPDX is not implemented well across the tools. Thus TERN comes around with a tagged names file, while FOSSOLOGY just knows RDF v2.1 but without structures. SCANCODE also skips structures for a flat collection... We aim to extend our import and export service to translate between these different structures.
To cope with this limitation, we joined forces with other tools such as Fossology, SW360, etc. to provide under the OpenChain project a capability map.
In a further step we decided to make our Vulnerability information available as a "Vulnerability Lake". Stay tuned to hear more in a few weeks.