In this section we will give an overview of the changes we deliver with each new update / version we provide. If available, we will also link to the corresponding sources. However, we will cover the releases to production only.
PLEASE NOTE: We publish updates as rolling updates. Thus it may happen that single instances of former versions remain for a while. In general this window should not be longer than 10 mins from start to end. So do not get worried, if you see an older version still being active shortly after the announcement of a change.
TS-Core v2.5.61
Improved:
- performance improvements in Core
- updated ts-analysis to v1.6.9 including some performance improvements
Fixed:
- updated nuget crawler to v1.0.1 including a patch not to fail on illegal characters anymore
TS-Core v2.5.59
Added:
-
- Re-structured views and added structural representation
Since many of you requested to see the structural representation also in the analysis not only in the scan, we restructured the possible representations in the dependency view. Already with v2.5.48 we introduced the root component (see below). We now support 4 different views: - Flat List Dependency View:
this list contains all components alphabetically ordered. This is the work view. Use this to find components, filter the list and manage details. It is the fastest representation. - Structural View:
In this view you can see the dependency structure in list form. Each level of dependency lets the component move a step to the right. That is why it is not possible to filter. But you may browse through the complete list to gain an understanding of the structure. - Sunburst Dependency Graph View:
This is a sunburst representation of the dependency structure for drilldown. The sunburst allows better to understand where a vulnerability or a legal violation impacts. Is it at a core component or a more leaf-like component? Maybe you may cut the dependency to get rid of the issue? The answer may be easily given with the sunburst diagram. - Legal View:
See the structure of your module from a license perspective. How many different licenses do you have? How many components are under this license?
- Re-structured views and added structural representation
Improved:
- Infrastructure Modules representation improved
Infrastructure modules are components such as Wildfly or MySQL, wich may be part of a solution but do not necessarily appear in a scan. So far it has been possible to add them as a module to include them in the notice file etc. Now they are treated the same way as all other modules. So you may analyse them, mute vulnerabilities or obligations.
- Deep-Links in Vulnerabilities Alert
The link given in a Vulnerability Alert email now directly jumps to the corresponding CVE. In the past it just took you to the Vulnerability Lake. - Compliance Status now includes a Ratio
Since its introduction the solution already verified how many users saw the policy and confirmations were tracked. Now we have added a ratio in the report, of how many of the "known" users did confirm having read the policy. "Known" is a user after having logged in the first time.
Fixed:
- ts-node-client updated
A handful of vulnerabilities in the node client have been fixed. In addition v.1.8.3 contains a fix allowing to build without a dependency into old eacg repo. - Fixed Dashboard license count
In some circumstances the License count report ran into a loop coming to incredibly high counts of license or component appearances. The condition has been isolated and the issue is fixed now. - Fixed Module not loading
Together with the new speed up dependency list view we were able to fix the "did not load" issue, that might appear sometimes in very large analysis. - Fixed some issues in C#/.Net/Xamarin scanner
In some constellations under MacOS the scanner was not able to completely process the scan and failed due to "missing libraries", which actually were available. - Fixed an issue with CVE impact report
Since the introduction of the Vulnerability Lake the CVE-Impact Report did not find recently assigned vulnerabilities in old scans anymore. Only recently analysed scans were completely respected. This has been discovered and fixed.
TS-Core v2.5.48
Added:
- Visual separation of the root element
Over the last months we did recognize that many of our customers expressed their surprise to find the root element of a scanned package or module as an element in the list of components. Since this element often is private and thus does not get automatically a license associated, it often appears as a warning.
Besides the option to assign a public or private license this caused irritation.To prevent this, we changed the representation of this module by adding a folder symbol and bringing it to the top of the dependency list.
- Accept package-URLs as scan-input
So far TrustSource required a component key as input for scans. This is a png-url compatible format helping to identify a component and its origin, e.g. mvn:org.eacg.int:somepkg:1.0.2 . This has been the choice since TrustSource has been introduced. Meanwhile the purl spec has gained acceptance as a unique component identifier across the industry. Now we also allow scans to provide purls as valid input. - Allow SCA-scanners to write SPDX (and CyDX) outputs
Starting with our NPM scanner, we will provide all our SCA tools with the ability to write SPDX and CycloneDX SBOMs. This allows to use the scanners not only to transfer data to TrustSource but make them a valuable asset for every CI/CD chain. Check them out at GitHub
Improved:
- Version jump alert improved
Since the world understood that software supply chains could be potential attack surfaces, we were thinking about options to reduce this attack surface. An immediate idea has been the "version jump control". We improved the alerts and made them more visible. They also get a notification email now. - Vulnerability Alerts and other notification now contain deeplinks
We changed notification mails to contain deeplinks. We call deeplinks links to a particular instance, e.g. the component, scan or vulnerability, which is referred to. - Allow to redirect Trainings-Link to private LMS
Within the TrustSource solution we provide a link to online trainings. Many of our Enterprise Customers own their own training platforms. If desired, we provide them with the trainings as SCORM files so that they can provider our trainings through their LMS, allowing to integrate with their HR system etc. without any externalization or additional work. To direct learners to their local LMS,it is now possible to configure the Trainings-link. - Display of aggregated information for infrastructure components
The representation of infrastructure components has been improved. Vulnerabilities associated are displayed whenever the component is displayed. The mechanism to treat and resolve the associated issues has been adjusted with the known procedure for components.
Fixed:
- Fixed vulnerabilities in npm Client
Given you are using v1.8.x of the node client, please update to v1.8.3 - Fixed an error preventing Vulnerability Alerts being sent by mail
In some cases vulnerability alerts were not actively sent due to a problem with associating scans with module responsible. This covered only modules having been created between Nov. 2020 and Mar 2021. This has been fixed.
TS-Core v2.5.21
Added:
- DeepScan knows "queued" status
We added the status "queued" to the list of possible states a DeepScan request may have. Thus a successfully accepted request may have the status "queued" before it is being processed. This became necessary to since the number of requests keeps growing.
Improved:
- CVE impact import changed
CVE impact report now also uses the new vulnerability lake data. This improves quality and speed. - Case insensitive search in Vulnerability Lake
Starting with v1.6.8 in Vulnerability Lake search is not case-sensitive anymore.
Fixed:
- Fixed vulnerabilities in Core
A handful of dependency vulnerabilities have been fixed through updates.
Comments
0 comments
Article is closed for comments.