In this section we will give an overview of the changes we deliver with each new update / version we provide. If available, we will also link to the corresponding sources. However, we will cover the releases to production only.
PLEASE NOTE: We publish updates as rolling updates. Thus it may happen that single instances of former versions remain for a while. In general this window should not be longer than 10 mins from start to end. So do not get worried, if you see an older version still being active shortly after the announcement of a change.
The latest update contains new features in the treatment of vulnerabilities and component handling.
- In the Knowledgebase we added further information about projects by adding the OpenSSF Scorecard. Wherever you see the OpenSSF duck, a score is presented. This score summarises the efforts of the component provider concerning project security. The higher the score, the less you need to worry about the security of the component. By hovering over the component, you will get details on how the score is composed.
See this article on OpenSSF Scorecard to learn more.
- We also added Bump hints. A Bump hint helps you identify the next suitable version to look for. Sometimes several CVEs are assigned to a particular component, and each CVE may affect a different version range. The Bump hint is calculated across all of these version ranges to give an idea where to find the next non-vulnerable version.
This may be useful for projects that follow the semantic versioning scheme, since we try to identify non-breaking upgrades.
Read more about how this works here.
PLEASE NOTE: Bump hints are calculated frequently, but we cannot guarantee that a hint can be provided in every case. If none can be calculated, you will not see a hint.
- Key figures in the vulnerability report now adjust according to the filter settings
- Tree view for large lists no longer fails
- Chart view now displays an error message instead of silently failing when there are too many level-one components to allow a proper display
- Fixes on component crawlers preventing component update failures on special characters, misleading repo-urls and other unexpected crawling results.
v2.6 comes with more attention to Vulnerability Management. Throughout the next few releases, we will improve the quality of vulnerability matching and focus on improved handling
- In the Legal View we added a deep link to the Detail View. The link allows you to jump from the Legal View directly to the component coming with that license. This will allow for further investigation.
- We extended the Vulnerability Report to improve the handling of vulnerabilities. The report now not only shows the vulnerability findings, it also provides detailed information on all matched vulnerabilities and allows you to resolve them directly from within the report. The report can be accessed from the ANALYSIS topic in the INTERNAL (MANAGE) section.
- "Black & Whitelists" have been renamed to "Allow-" and "Ignore-lists".
- Scope for Vulnerability alerts on existing analysis has been reduced to most recent SBOM (analysis) as well as approved / released SBOMs. (see Online help for more details)
- When issuing a DeepScan request, TrustSource queues the request and processes it asynchronously. Queueing might take a few seconds before the queue manager returns its commit. This could be irritating to the user, since it left them without confirmation that the request had been accepted by the system. The current form gives this feedback and thus no longer leads to several requests for the same scan.
- Added user feedback for companies that have not yet activated IDM integration, so that users better understand the situation and how to resolve it.
- The Sunburst Diagram in the Details View has received handlers that give hints when a diagram has too many root elements, so that the inner circle would be too large to be displayed.
- The display of legal and vulnerability status in the project view has been improved. Instead of displaying percentages, we now use a bar displaying the relations. This helps to understand the general situation of a particular project faster at first view.
Please note, there is a tool tip to get information on smaller figures.
- An issue limiting performance of dashboard and module details page has been removed. Especially the analysis selector is loading without any delay now.
- In one of our latest updates the binding of tags within the project list had been lost. This led to empty columns, and therefore the filter "by tags" did not work anymore. The binding has been restored and the filter works again.
- Added a new internal capability to guess CPE definitions by applying AI-based natural language processing. Thus it will be possible to assign CPEs based on the natural language description before NVD has assigned them. Currently we do not fully use this yet but monitor its accuracy. The last tests have shown 92% accuracy, but we plan to review training progress further before releasing it into production. If you are interested in the results, feel free to reach out to our NLP team.
- Improved Component appearance report. The report, which is able to list all appearances of a particular component across the complete portfolio has been improved to run faster. The report is available to Compliance and Portfolio Manager roles.
- Legal view has been improved. Some fixes were applied to shorten loading time and status data has been updated to legal status. Thus component status is not visible anymore in legal view.
- Issue during account creation leading to two companies being created per each registration has been fixed.
- Handling of illegal characters was added to the component crawlers, preventing failures when crawling components. This leads to more and better matches, thus improving the supply of component metadata.
- logging capability extended, adding new log events to improve internal metering.
- The SPDX export function for modules has been updated to support SPDX v2.2 instead of v2.1.
- Upgraded all node runtimes to v16 min.
- Support for SPDX export in CSV and XLSX formats has been removed. We only support the RDF. The decision has been made due to usage statistics not showing significant usage of the two formats. Thus we decided to focus on RDF only.
- Fixed an issue with enforced IDM login that actually left users with no login option.
- Default level of confidence
It is now possible to set the selection of the default confidence level for vulnerabilities on project and module level. The priority scheme is: local beats module beats project selection. Thus you may have a project wide selection, but overrule it in a specific module by changing the setting there.
- New export functions
We have added export functionality to allow export of SBOMs into CycloneDX or SPDX formats (currently only JSON) from within the UI. The former txt-export has been extended to provide markup extensions to allow beautification.
- New sorting and filtering capabilities
Our support team is the first to test a new table control allowing for extensive, flexible filtering of very large datasets. This will allow them to find specific transactions much faster and therefore improve support speed.
- Performance improvements
We have split the backend for the UI and the API. UI and API actually use the same functionality in the background, but the intensity of use differs. While the number of active users/requests in the UI changes slowly, API load is highly volatile: in one moment only a few requests per second appear, while the next moment (maybe 30-45 seconds later) we experience 500 or more requests per second. This led to difficulties in scaling out, which in turn led to a bad experience in the UI. Splitting the requests into different clusters removed this negative experience.
- TS-docker scan format
pURLs and versions are now fully supported. In addition, errors caused by some UTF-8 characters are properly handled, preventing failures during the import of unusual symbols.
- Misleading Swagger URL
We have removed the file information from the Swagger page. In the headline of the swagger file, where you may enter the test API-key, a URL has been given. This URL has been the URL to the particular swagger file itself, e.g. https://app.trustsource.io/api-v1/swagger.json!
However, some customers expected this to be the URL of the API and were unhappy that it did not turn out to work.
The TrustSource API v1 is and remains available at https://app.trustsource.io/api/v1/RESOURCE
- Additional API transaction statistics
Statistics for PostScan and ExecuteAnalysis transactions were added to the API monitoring pages. This gives you a better overview of the overall system usage.
- Performance improvements
We reviewed and redesigned data supply for several views. The new request structure reduces the amount of data transferred between server and clients. Some requests were even skipped to reduce the number of requests issued when entering a particular view.
- Vulnerability assignments improved
To improve the accuracy of vulnerability assignments and further reduce the number of false positives, further analysis and cross-checks have been added that take more account of platform information and references.
- Compliance Report restructured
After requesting an Approval, a compliance report is generated. This report is the aggregation of all critical aspects of a project or module, depending on whatever is the scope of the approval. In the new layout, you will not have an endless page anymore but several sections you may directly navigate to.
The KPIs directly indicate how many of the entries have been prepared and how many remain to do, and the different sections also provide more details on other aspects like viability or versioning, given the analysis has been provided.
- Issue with initiation of approvals
We had reports about environments on Windows together with an older IE version that had issues starting approvals. A workaround has been provided, so that it should now be possible to initiate approvals using every browser.
- CISA exploit alerts:
The US Cybersecurity and Infrastructure Security Agency (CISA) also analyses attacks and attack patterns used by adversaries. For some time now they have also reviewed the observed attacks for the known vulnerabilities used in them and publish these as a feed.
We have added the feed to our vulnerability lake. So if you see a spy symbol next to a CVE, you know that it is being actively exploited.
CISA Exploitation Alert Indicator
PLEASE NOTE: CISA exploitation alert is just a hint that exploitation of this vulnerability already has been observed. It means, the vulnerability is not a theoretical threat but a real risk. Most of these alerts indicate actively exploited software solutions by 3rd party vendors, only few address components directly. However, you might find these in your infrastructure components. And please DO NOT INTERPRET the absence of this indicator as an indication, that the current vulnerability is or will NOT be exploited!
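As an added illustration of what the indicator above does (this is example code, not TrustSource's implementation), the script below cross-checks a list of vulnerability findings against a KEV-style feed and pulls the known-exploited ones to the top of the work list. The feed layout follows the field names of CISA's published Known Exploited Vulnerabilities JSON (cveID, vendorProject, product, dateAdded, dueDate); the feed entries and the findings themselves are constructed for this example with placeholder CVE ids. Findings that are not in the feed keep their normal priority: as the note says, absence from the feed is not evidence that a vulnerability is not or will not be exploited.

```python
"""Flag findings whose CVE appears in a KEV-style feed (added example, not TrustSource code)."""
import json
from typing import Dict, List

# Constructed stand-in for the downloaded KEV feed; CVE ids are placeholders.
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV sample",
    "catalogVersion": "0000.00.00",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleApp", "dateAdded": "2022-01-10", "dueDate": "2022-01-24"},
        # Lower-case id on purpose: the index must normalise case.
        {"cveID": "cve-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleLib", "dateAdded": "2022-02-03", "dueDate": "2022-02-17"},
    ],
})

# Constructed findings as a scanner might report them (placeholder purls and ids).
FINDINGS = [
    {"component": "pkg:maven/org.example/libone@1.0.0", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"component": "pkg:maven/org.example/libtwo@2.1.0", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"component": "pkg:npm/example-pkg@0.4.2", "cve": "CVE-0000-0004", "cvss": 7.5},
]


def build_kev_index(feed_json: str) -> Dict[str, dict]:
    """Index the feed by upper-cased CVE id so lookups are case-insensitive."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def annotate_findings(findings: List[dict], kev: Dict[str, dict]) -> List[dict]:
    """Add a 'kev' flag (and the feed's due date when present) to every finding,
    then order the list: known-exploited first, then by CVSS descending.
    A False flag means only 'not in the feed', never 'safe'."""
    annotated = []
    for finding in findings:
        cve = finding["cve"].upper()
        entry = kev.get(cve)
        annotated.append({
            **finding,
            "cve": cve,
            "kev": entry is not None,
            "kev_due": entry["dueDate"] if entry else None,
        })
    return sorted(annotated, key=lambda f: (not f["kev"], -float(f.get("cvss", 0.0))))


if __name__ == "__main__":
    for row in annotate_findings(FINDINGS, build_kev_index(KEV_FEED_JSON)):
        marker = "[KEV]" if row["kev"] else "     "
        print(marker, row["cve"], row["component"], row["cvss"])
```

In the constructed sample the CVSS 5.3 finding lands on top because exploitation of it has been observed, ahead of the 9.8 finding for which the feed has no entry. That mirrors the intent of the indicator: observed exploitation is a stronger prioritisation signal than severity alone.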
- Deeplinks in Vulnerability Report
The deeplinks in the vulnerability report now let you jump into the detail view of that particular vulnerability, so that it is simpler to collect the data.
- Analysis Function upgraded
The analysis has been improved and enhanced to allow better handling of muted vulnerabilities. In addition, several statistics are now pre-calculated, which reduces processing needs and therefore improves display performance on client machines.
- Filtering in System logs
It is now also possible to use a date filter or to search for a particular event type.
- Flaw in create license
- Broken Statistics in Compliance Report
Since we changed the way statistics are calculated in v2.5.90, the re-use of these statistics led to some inconsistencies in the compliance report for particular constellations. These constellations were not part of our automated tests. We took this occasion to re-work the compliance report and the statistics calculation. This will not only improve the information presentation but also the speed.
- Updated ts-deepscan to v1.0.3
v1.0.2 used a multi-processing approach (fork) that has turned out not to be valid on Microsoft Windows. Therefore v1.0.3 fixes this (using spawn). This is less performant, since spawn requires each process to initialise again, which is why we recommend processing larger repositories on Linux machines.
TS-Vulnerability Lake v1.6.12
- Entry screen search allows to search for CVEs directly
So far it was required to click on "by CVE ID" to search for CVE-Ids. Now you may enter the ID directly in the start screen to receive either a list of close CVEs or the details of the particular CVE.
- CISA Alerts
CISA alerts are now also displayed in the public Vulnerability Lake UI (see above for more details)
The coming update (released at the end of calendar week 26) will contain a few significant changes to how you work with TrustSource Vulnerability Management:
- Confidence Score:
It is possible to select the confidence level for vulnerabilities. You may select between high, medium and low. This has been introduced to cope with the matching challenge. While some vulnerabilities can be matched very precisely, others are not that clear. The less restrictive the matching criteria, the more room for false positives. Now you may switch between the different levels of confidence, allowing you to get a better understanding of potential impacts without getting spammed with false positives. Read more about the new feature here.
(Screenshots: Confidence Level HIGH; Confidence Level set to MEDIUM)
PLEASE NOTE: There are several confidence level filters: one on top of the components list and one in the details pane. While the first manages the general setting for the current module, the one in the details pane manages the filter for the particular component. This allows you to dig into more details for specific components only. Please note the hint shown when a lower-level vulnerability is filtered out:
(Screenshot: Confidence Level HIGH)
- DeepScan results now integrated with Compliance flow
So far we had deepscan results only for review purposes. Now we have changed this in a way that you may add deepscan results to a project/module and thus push them into an approval flow as well. This allows for a better analysis and management of C/C# and C++ projects that do not use package managers.
- Vulnerability details contain references
In the vulnerabilities details you now have access to references from other sources, so that you may jump directly to the source of information. This is useful for Security Researchers that want to learn more about the details of a component.
- Mute vulnerabilities:
It is now possible to select between the following default comments while muting vulnerabilities. This allows you to just select one of the options as a comment and proceed. If you are not happy with any of the default answers, you may choose "other" and define your own text / explanation, just as today:
- false positive, not applicable to us
- vulnerable code not in use
- risk is tolerable, won't fix
- fix is about to be implemented
- fix has been provided
- Updated ts-deepscan to v1.0.2
ts-deepscan is now able to split the scanning and the upload functionality. This allows you to execute scans locally and put the result into a file. In addition, we dropped the upload limit. It is possible to upload even scans of up to hundreds of megabytes. They will still be properly processed.
- Updated ts-VulnerabilityLake-UI to v1.6.12
With the changes in the vulnerability matching we needed to change the vulnerability API. This required an update on the corresponding UI service. As a positive side effect, the vulnerabilities details now also contain references to further information sources.
- performance improvements in Core
- updated ts-analysis to v1.6.9 including some performance improvements
- updated nuget crawler to v1.0.1 including a patch not to fail on illegal characters anymore
- Re-structured views and added structural representation
Since many of you requested to see the structural representation also in the analysis not only in the scan, we restructured the possible representations in the dependency view. Already with v2.5.48 we introduced the root component (see below). We now support 4 different views:
- Flat List Dependency View:
this list contains all components alphabetically ordered. This is the work view. Use this to find components, filter the list and manage details. It is the fastest representation.
- Structural View:
In this view you can see the dependency structure in list form. Each level of dependency lets the component move a step to the right. That is why it is not possible to filter. But you may browse through the complete list to gain an understanding of the structure.
- Sunburst Dependency Graph View:
This is a sunburst representation of the dependency structure for drilldown. The sunburst makes it easier to understand where a vulnerability or a legal violation has an impact. Is it at a core component or a more leaf-like component? Could you cut the dependency to get rid of the issue? The sunburst diagram gives an easy answer.
- Legal View:
See the structure of your module from a license perspective. How many different licenses do you have? How many components are under this license?
- Infrastructure Modules representation improved
Infrastructure modules are components such as Wildfly or MySQL, which may be part of a solution but do not necessarily appear in a scan. So far it has been possible to add them as a module to include them in the notice file etc. Now they are treated the same way as all other modules, so you may analyse them and mute vulnerabilities or obligations.
- Deep-Links in Vulnerabilities Alert
The link given in a Vulnerability Alert email now directly jumps to the corresponding CVE. In the past it just took you to the Vulnerability Lake.
- Compliance Status now includes a Ratio
Since its introduction the solution already verified how many users saw the policy and confirmations were tracked. Now we have added a ratio in the report, of how many of the "known" users did confirm having read the policy. "Known" is a user after having logged in the first time.
- ts-node-client updated
A handful of vulnerabilities in the node client have been fixed. In addition, v1.8.3 contains a fix allowing it to build without a dependency on the old eacg repo.
- Fixed Dashboard license count
In some circumstances the License count report ran into a loop coming to incredibly high counts of license or component appearances. The condition has been isolated and the issue is fixed now.
- Fixed Module not loading
Together with the new speed up dependency list view we were able to fix the "did not load" issue, that might appear sometimes in very large analysis.
- Fixed some issues in C#/.Net/Xamarin scanner
In some constellations under MacOS the scanner was not able to completely process the scan and failed due to "missing libraries", which actually were available.
- Fixed an issue with CVE impact report
Since the introduction of the Vulnerability Lake the CVE-Impact Report did not find recently assigned vulnerabilities in old scans anymore. Only recently analysed scans were completely respected. This has been discovered and fixed.
- Container Scanning
With this version it is also possible to display and manage the results of docker container scans using TrustSource tooling. To not re-invent the wheel, we selected the Syft scanner developed by Anchore and wrapped it to transform its output into our format and transfer it to the platform. You will find the tooling on GitHub at https://github.com/trustsource/ts-docker
This way of importing can actually be used for all sorts of scanners. If a scanner is able to deliver SPDX or CycloneDX format, you may use the corresponding upload function, either through the UI or the API, to push the document into TrustSource for further processing.
- Visual separation of the root element
Over the last months we did recognize that many of our customers expressed their surprise to find the root element of a scanned package or module as an element in the list of components. Since this element often is private and thus does not get automatically a license associated, it often appears as a warning.
Besides the option to assign a public or private license, this caused irritation. To prevent this, we changed the representation of this module by adding a folder symbol and bringing it to the top of the dependency list.
- Accept package-URLs as scan-input
So far TrustSource required a component key as input for scans. This is a package-URL compatible format helping to identify a component and its origin, e.g. mvn:org.eacg.int:somepkg:1.0.2. This has been the choice since TrustSource was introduced. Meanwhile the purl spec has gained acceptance as a unique component identifier across the industry. Now we also allow scans to provide purls as valid input.
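To make the two identifier styles concrete, here is an added example (not TrustSource code) of a purl parser together with a mapping from the component-key form shown above onto a purl. The purl layout follows the public package-url specification (pkg:type/namespace/name@version?qualifiers#subpath, with the optional parts split off from the right and segments percent-encoded). The component-key layout is taken from the release notes' example, mvn:group:artifact:version; mapping the mvn prefix to the purl type maven is an assumption made here, as is the choice to support only that key type.

```python
"""Parse package-URLs and map mvn component keys onto them (added example, not TrustSource code)."""
from typing import Dict, NamedTuple, Optional, Tuple
from urllib.parse import quote, unquote


class Purl(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]
    subpath: Optional[str]


def _rsplit_optional(text: str, sep: str) -> Tuple[str, Optional[str]]:
    """Split at the rightmost `sep`; return (text, None) when it is absent."""
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, None)


def parse_purl(text: str) -> Purl:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'."""
    if not text.lower().startswith("pkg:"):
        raise ValueError(f"missing pkg: scheme in {text!r}")
    rest = text[4:].lstrip("/")
    # The spec strips the optional parts from the right: subpath, qualifiers, version.
    rest, subpath = _rsplit_optional(rest, "#")
    rest, qualifier_text = _rsplit_optional(rest, "?")
    rest, version = _rsplit_optional(rest, "@")
    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"purl needs at least a type and a name: {text!r}")
    qualifiers: Dict[str, str] = {}
    if qualifier_text:
        for pair in qualifier_text.split("&"):
            key, _, value = pair.partition("=")
            if key:
                qualifiers[key.lower()] = unquote(value)
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(
        type=segments[0].lower(),
        namespace=namespace,
        name=unquote(segments[-1]),
        version=unquote(version) if version is not None else None,
        qualifiers=qualifiers,
        subpath=unquote(subpath).strip("/") if subpath is not None else None,
    )


def component_key_to_purl(key: str) -> str:
    """Map 'mvn:<group>:<artifact>:<version>' to 'pkg:maven/<group>/<artifact>@<version>'.
    Only the mvn key type shown in the release notes is handled (assumption)."""
    parts = key.split(":")
    if len(parts) != 4 or parts[0] != "mvn":
        raise ValueError(f"unsupported component key: {key!r}")
    _, group, artifact, version = parts
    enc = lambda s: quote(s, safe="")  # percent-encode every segment, including '@'
    return f"pkg:maven/{enc(group)}/{enc(artifact)}@{enc(version)}"


if __name__ == "__main__":
    purl = component_key_to_purl("mvn:org.eacg.int:somepkg:1.0.2")
    print(purl)
    print(parse_purl(purl))
```

The parser splits from the right on purpose: a scoped npm package such as pkg:npm/%40angular/core@12.0.0 keeps its encoded '@' inside the namespace, while the unencoded '@' still separates the version.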
- Allow SCA-scanners to write SPDX (and CyDX) outputs
Starting with our NPM scanner, we will provide all our SCA tools with the ability to write SPDX and CycloneDX SBOMs. This allows you to use the scanners not only to transfer data to TrustSource but makes them a valuable asset for every CI/CD chain. Check them out on GitHub.
- Version jump alert improved
Since the world understood that software supply chains could be potential attack surfaces, we were thinking about options to reduce this attack surface. An immediate idea has been the "version jump control". We improved the alerts and made them more visible. They also get a notification email now.
- Vulnerability Alerts and other notification now contain deeplinks
We changed notification mails to contain deeplinks. We call deeplinks links to a particular instance, e.g. the component, scan or vulnerability, which is referred to.
- Allow to redirect Trainings-Link to private LMS
Within the TrustSource solution we provide a link to online trainings. Many of our Enterprise Customers own their own training platforms. If desired, we provide them with the trainings as SCORM files so that they can provide our trainings through their LMS, allowing integration with their HR system etc. without any externalisation or additional work. To direct learners to their local LMS, it is now possible to configure the Trainings link.
- Display of aggregated information for infrastructure components
The representation of infrastructure components has been improved. Associated vulnerabilities are displayed whenever the component is displayed. The mechanism to treat and resolve the associated issues has been aligned with the known procedure for components.
- Fixed vulnerabilities in npm Client
Given you are using v1.8.x of the node client, please update to v1.8.3
- Fixed an error preventing Vulnerability Alerts being sent by mail
In some cases vulnerability alerts were not sent due to a problem with associating scans with the module responsible. This affected only modules created between Nov 2020 and Mar 2021. This has been fixed.
- DeepScan knows "queued" status
We added the status "queued" to the list of possible states a DeepScan request may have. Thus a successfully accepted request may have the status "queued" before it is processed. This became necessary since the number of requests keeps growing.
- CVE impact import changed
CVE impact report now also uses the new vulnerability lake data. This improves quality and speed.
- Case insensitive search in Vulnerability Lake
Starting with v1.6.8 in Vulnerability Lake search is not case-sensitive anymore.
- Fixed vulnerabilities in Core
A handful of dependency vulnerabilities have been fixed through updates.