In this section we will give an overview of the changes we deliver with each new update / version we provide. If available, we will also link to the corresponding sources. However, we will cover the releases to production only.
PLEASE NOTE: We publish updates as rolling updates. Thus it may happen that single instances of former versions remain for a while. In general this window should not be longer than 10 mins from start to end. So do not worry if you see an older version still being active shortly after the announcement of a change.
TS-Core v2.10.66
Improved:
- Efficiency of queries to improve loading speed in UI
- Interactions for remote role assignments through 3rd party IDMs
- Loading indicator for component event history
Fixed:
- Display issue in Vuln Lake with broken CVE data
TS-Core v2.10.60
Added:
- Verification dialogue on API-Key delete
- New contracts for the use of Security Manager role
- A new UI for Security Manager role to assess and handle Vulnerability entries on company level
- Capability for Security Manager to add/remove Vulnerabilities on company level
Improved:
- Provided 920px screen resolution for common and detail pages
- VEX converter will not fail anymore, if tags are missing
- Titles and scales for charts received minimum font sizes to improve display on screens with large resolutions
Fixed:
- Revived lost Company field in FOSS liaison address
- API-key set to "optional" for public documents
- Error in accessing authentication properties
- Upgraded several dependencies
TS-Core v2.10.48
Added:
- Corporate Security Manager Role to allow Management of Vulnerabilities
- QR code and URL preview for Release keys
- Applications and libraries can now be differentiated as package types
- Added report on users with no login for more than 60 days (also available as API)
- Introduced the capability to display deprecation header information in APIv1 requests
- Added usage statistics for private licenses
- Introduced an update page, allowing to alert users of latest changes
- New descriptions of Vulnerability & DeepScan APIs
- Logging vulnerability activity
Improved:
- Company Component Manager & Company Legal Manager with new roles
- Added Link to Knowledge base articles in APIKey Management
- Integrations have been moved into separate integrations section
- Scan details switching between diagram and list views
- Display of integrations on a separate page
- Improved description for managing private licenses
- Data flow and lookup for new components
- Trainings page now configurable from inside the app
- Support for 920px screens for common pages
Fixed:
- APIKey usage modal did not open correctly
- APIKey preview is more accurate now
- Rendering issue when displaying and assigning roles
- Minor bugfixes and patches on 3rd party components
TS-Core v2.10.11
Added:
- DeepScan results can now also be linked to COTS and infrastructure components
- Links to results from ts-scan created SBOMs will be created automatically
- purl-support has been extended throughout the app (replacing internal key)
Improved:
- Loading indicator will not hang anymore under specific circumstances
- Unassigned modules will not be automatically hidden to make them accessible for correction
- API key management picture has been improved
Fixed:
- An issue preventing imported scans from being displayed after upload
- An issue preventing the creation of issues in github repositories
- Upgraded several dependencies to the latest versions
TS-Core v2.9.64
Added:
- Webhooks and Alerts: It is now possible to push messages and alerts from TrustSource into your favourite Teams or Slack channels. Read this article to learn how to set it up.
- Export Controls Management: TrustSource added support for the identification of encryption and allows the management of export controls concerning encryption. Read this article to learn more. This is also represented in the Approval flow.
- Bulk DeepScan Service: We introduced the "Bulk DeepScan Service". This service is able to execute DeepScans for a complete SBOM, e.g. to verify that you grabbed all copyrights across the complete solution you plan to distribute. Thus, it will resolve all dependencies - including transitive ones - pull the sources and scan them for copyrights, licenses and/or encryption. This may comprise several thousands of repositories. It is fully scalable. This service is not made to be part of your CI/CD chain, but it will take your organisation to the next level of compliance. Never again be surprised by what you have shipped! Whenever you are ready for a test, reach out to our support or sales team. They will help you find the right way of applying this feature. To learn more, read this article.
- Signed Releases: TrustSource is able to sign and verify your SBOMs and Notice Files to protect them from manipulation. You may add these signatures and verify documents against the TrustSource API. Learn how to apply them in this article.
- New API documentation for API v2 added.
- New section on Dashboard to allow displaying of TrustSource updates and new features
- SBOM editor now received a ToDo navigator as known from Notice Files.
- Added log details to support discovery of outbound mail errors
Improved:
DeepScan:
- load indicator, based on queued jobs, indicates processing time to expect
- representation of "no findings" has been improved
- works now also with purls as input
- direct jumps into linked (git) submodules from within DeepScan results
- repo scan type is recorded for DeepScans, so that repetition and changes will be possible to identify. This prevents duplicate scanning of same repos (branch/tag)
Analysis:
- CVE impact report request will support lowercase entries like cve-2021-43138
- CVE impact details popover in module dependencies
API:
- requests for DELETE methods now will return status code 204 without content
- usage statistics has been extended and directed to API v2
- Acceptance of scans sent without moduleIdentifier (will be created automatically now)
- added function to auto delete the demo-project (could be used for remote testing)
Core:
- Register form presents password requirements more prominently than before
- Component details page now has version pagination to prevent endless loading/pages
- Access to infrastructure components has been improved.
- Create Component now supports Infrastructure and COTS components
- Dashboard statistics: improved Details View:
- added root element for improved navigation experience
- improved filtering capabilities, allowing better paging
- Release Management:
- Green approval label now has white text to improve readability on low-contrast devices
- Release documents and Release Key are generated automatically. Read this article for more details
Import/Export:
- CycloneDX and SPDX validation logic has been improved, to accept minor issues and prevent upload of faulty documents
- SPDX is now possible to be exported in JSON format as well
- CSAF format verification tests added
SBOM:
- extended with additional fields, see our article on SBOM
Technical updates:
- underlying base and OS images renewed
- upgraded application frameworks
- prepared DB migration
- strongly improved analysis function
- prepared LegalCheck upgrade
Fixed:
- LinkedIn login got credential update and will be working again
- Fixed page link from component details page for Component Manager Role
- Component Impact Report does not accept empty requests anymore
- Notice file will require only "Changes URL" or "modification notice" but not both
Removed:
- We removed the gitter integration due to update requirements and low usage
TS-Vulnerability Lake UI v1.7.1
Added:
- We now have added CWE details. Wherever CWE information is displayed, you may click on the ID and all details of the weakness will be displayed. This also includes a detailed description and counter measures. All that data is taken from the MITRE feed. It is also possible to search for CWE IDs from the FIND CWE menu.
TS-API v2
Added:
- New API comprises a wide amount of new reporting and interaction capabilities. Find a more detailed description here
- Besides the core functionality, the API also covers the branches `/deepscan` and `/vdb`, the vulnerability database.
TS-Core v2.8.48
Added:
- Company Component Manager Role has been added as a replacement for the Component Manager Role. This role allows Corporate and Enterprise subscribers to modify meta-data for components. This Knowledge base article provides more details on what the role can achieve and how to assign it.
- Typescript as selectable language added for filters and descriptions
- Muted vulnerabilities are now reported in /api/vul statistics
- It is now possible to filter reported vulnerabilities by confidence level
Improved:
- Further logic has been included to automate proper handling of "OR" declarations in license definitions.
- Extended security logging
- The "Add new Component" flow, allowing to add components manually, has been improved in usability and clarity.
- Updated underlying technical libraries and frameworks
- Added / Updated charts for API usage statistics
- Naming of table columns to improve usability of filtering and sorting
- Some views had different principles to report license statistics. This has now been harmonised to prevent confusion.
- CWE details page has been polished
Fixed:
- Added missing 404 return codes to some API functions
- Misleading figures in CVE impact report
- Some representation issues in Safari browser
TS-Core v2.8.24
Added:
- TrustSource now allows to push tickets directly into GitHub issues. When a module is linked with GitHub, a secure access can be configured and issues, such as change requests or bump hints, can be pushed to the GitHub issues list as it is known from Jira.
- We added a filter to our TODO-Navigator for finalising the notice file. Especially in larger notice files it has been difficult to find the remaining tasks. With the new filtering you may limit the navigator contents to the unresolved issues.
Improved:
- SBOM exports have been adjusted to the NTIA minimal standards. We allow to export SPDX 2.2 and CycloneDX 1.4 formatted JSON as well as PDF SBOMs from every module or project.
- ts-node-client has been upgraded to v3.0. Thus it now uses a different approach to discover what has been built, which allows to skip the transport of complete node. This simplifies and slims the scanner drastically. It also gained some speed. In addition the same scanner can now be used to scan several JS package managers.
- The Approval-Flow has been slightly improved with more hints and explanations. In addition selecting "dry-run" for an approval flow directly assigns the initiator as the reviewer. Thus, the compliance report will directly show up in the requestor's list.
- Speed - by removing some old data and adding improved index structures, we improved loading times in heavy loaded environments. This comprises several collections as well as the search function.
Fixed:
- Python-meta-data is now available again. Due to an unrecognized deployment issue, the Python lookup lambda was not updated properly during the last deployment, leading to issues with Python meta data.
- Vulnerability statistics are now consistent with the selected confidence level. Especially in the details view, but also in the compliance report, some constellations did not pull the suitable statistics according to the selected confidence level.
- Allow/deny representation in module details view fixed. There were constellations where the allow/deny settings were not properly represented. This was a remnant of the removal of meteor subscriptions.
TS-Scan v1.0.1
Our aim is to simplify the compliance work for every developer. This is why we keep developing tools to simplify use and integration. As one of these efforts we are now releasing TS-Scan. This is a Python based SCA CLI which combines several tools. The idea is to have only one tool, like a Swiss army knife, capable of handling all different ecosystems and the different tasks covered by the plethora of tools available out there. This will simplify setup for all users and combine the strengths of the different tools. Integrating them will allow to speed up processing and free users' minds from integration challenges. Find more details and the source code at https://github.com/trustsource/ts-scan. Looking forward to your feedback.
TS-Core v2.8.4
Added:
- We have added the analysis for crypto algorithms to DeepScan. Thus it is now possible to use DeepScan to search a repository for the existence of crypto algorithms using SCANOSS's minr from the command line. The results will list the identified algorithms as well as the position where they are found. We will later add capabilities in TrustSource to also manage export control regulations based on this information.
- In the scan details view it is now possible to show or hide linked modules. Linked modules will be properly hashed now, to ensure detection of changes.
- It is now possible to add a git URL for each module in the module settings. This is in preparation of further git related services. As a first service an automated DeepScan for each linked repository is added.
Improved:
- ts-node-client has been upgraded to v3.0. Thus it now uses a different approach to discover what has been built, which allows to skip the transport of complete node. This simplifies and slims the scanner drastically. It also gained some speed. In addition the same scanner can now be used to scan several JS package managers.
- AND and OR combinations in license information are now processed properly. So far we were outlining these combinations as "unmatched licenses".
- Scan details view has been improved. The view has been polished a bit to look more straight and streamlined. Clicking on an item will display data in the same page now and side content will move with the cursor, which is pretty useful for larger scans. Also additional links are available now, to simplify jumping to the corresponding analysis, releases or the component lake. Linked releases will now be identified along the scanning history.
- Text area in Mute vulnerability dialogue has been increased to give more comfort in adding reasons for muting.
- Icons were updated
- Internal restructuring to prepare more secure release version of core
- Further checks and logging on the APIs importing scans and CycloneDX documents
Fixed:
- We skipped text search for licenses inside scans
- Fixed a mixup of linked releases
- Workaround to overcome a high latency behaviour of the project filter for very large project lists
- Minor UI fixes
TS-Core v2.7.32
Added:
- The count of releases is added to the project list. A link allows to jump directly to the corresponding releases.
- It is now possible to generate public VEX keys, allowing to publish a static key with a particular release, just like it is possible for Notice Files and SBOMs.
- We have extended the release API. It is now possible to retrieve SBOMs, Notice Files, VEX-documents and VEX-Changes. This also leads to the deprecation of the former public Notice-file and the public-SBOM APIs. They will remain valid for a while, but are marked as deprecated. All changes can be found on the API page.
- It is now possible to add custom components to SBOMs. CycloneDX and SPDX exports also do support relations now.
- We added a COPYRIGHT & TRADEMARK section, where we outline the use of libraries and frameworks that we applied to provide the TrustSource solution.
Improved:
- Added "Critical components" filter for PyPI
- Improved Component Role to better support component meta data fixes
- VEX documents receive a protected, unique ID to allow publication; generation of documents moved from frontend (pure download) into backend to prepare API capability. IDs are now human readable
- VEX documents can be filtered by confidence score
- SBOMs will be pre-generated upon approval
- Token support for Github authentication improved
- More results are displayed automatically when querying Vulnerability Lake
- CycloneDX results now support relationships
- Another couple of upgrades of the frontend framework
- Infrastructure modules will be processed faster upon new creation
- Index improvements to speed up component lookup
Fixed:
- Fixed an error caused by requesting API with unavailable VEX-IDs
- A fix to Module view has been provided, preventing a broken display for specific character sets
- The handling of dependencies has been made insensitive to capital spelling in component keys
- An error in processing scan meta data has been fixed, which led to analysis failure when a special character was present
- Fixed a DB error when internally created documents are getting larger than acceptable
- A security flaw has been fixed that allowed seeing old demo accounts from another demo account
- Fixed a security bug in handling redirect URLs using OAuth
TS-Core v2.7.0
Added:
- Under INTERNAL > RELEASES we added an overview of all existing Releases. This will help Compliance and Portfolio Managers to keep an overview of what is existing and the most current version of an app or a module.
From this position it is also possible to pull the associated API key to retrieve corresponding documentations, if they were already published, find associated binary links or directly jump into the details views of the release.
Also quite convenient is the vulnerability view, which allows you to see the vulnerabilities known at the time of release as well as the vulnerabilities that became known after the release.
- We added a link on module level to directly jump into the Vulnerability Report for this particular analysis. From this report you have a more focussed way to manage vulnerabilities. This report has been added in the 2.6.9 release. See here for a detailed description.
- Vulnerability Exploitability Exchange export (VEX) added to Vulnerability Report. This allows to auto-create a CSAF 2.0 compliant VEX document and download it from the current status of your Vulnerability handling.
- New index structures were added to speed up crawler processing
Improved:
- The figures at the top of the Vulnerability report adjust according to your progress. Thus you will always see the current status, not the status as of the moment when the report has been generated.
- Added a pre-loader for vulnerability details in all Vulnerability report pages to allow smoother working
- API to import SBOMs has been improved and strengthened to prevent upload of misconfigured SBOMs
- OSSF score is available in more pages now (infrastructure, COTS listings, etc.)
- OSSF score picture has been changed to official one
- Bump hints now also work properly when requested for groups of components
- Bump hints are now provided according to the confidence level selected
- Component lake filter settings will be visible while scrolling the result list
- Module list in project view is automatically updated whenever a module is added or removed
- Improved PyPI crawler to supply better and more meta data
Fixed:
- Failing SBOM generation for missing component data has been fixed
- NPM Crawler overwriting manual component fixes
- Internal technical upgrades of the underlying frontend framework
- A fix to better prevent component duplicates upon scan assessment
- Upgraded database connectivity
TS-Core v2.6.30
The latest update contains new features in the treatment of vulnerabilities and component handling.
Added:
- In the Knowledgebase we added further information about the projects by adding the OpenSSF Scorecard. Wherever you see the OpenSSF Duck, a score is presented. This score summarises the efforts of the component provider concerning project security. The higher the score, the less you will need to worry about the security of the component. By hovering over the component, you will get details on how the score is composed.
See this article on OpenSSF Scorecard to learn more.
- We also added Bump hints. This hint helps you to identify the next suitable version to look for. Sometimes there are several CVEs assigned to a particular component. Each of the CVEs may have a different version range it affects. The Bump hint is calculated across all the version ranges giving an idea where to find the next option of a non-vulnerable version.
This may be useful for projects supporting the semantic versioning scheme, since we try to identify non-breaking upgrades.
Read more about how this works here.
PLEASE NOTE: Bump hints are calculated frequently. It is not guaranteed that we may provide such a hint. In this case, you will not see a hint.
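To illustrate the bump-hint idea described above, here is an added example (not TrustSource's own code): it takes the affected version ranges of several CVEs matched to one component, unions them, and picks the lowest published version that lies outside all of them, preferring the same major version (a non-breaking upgrade under semantic versioning) and returning no hint when no clean version exists. The CVE identifiers and version ranges are constructed sample data.

```python
"""Illustrative bump-hint calculation (added example, not TrustSource code)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (no pre-release handling)."""
    major, minor, patch = (int(part) for part in v.split("."))
    return (major, minor, patch)


@dataclass(frozen=True)
class AffectedRange:
    """Versions v with start <= v < end are affected; end=None means open-ended."""
    cve: str          # constructed placeholder id, not a real CVE number
    start: Version
    end: Optional[Version]

    def contains(self, v: Version) -> bool:
        return v >= self.start and (self.end is None or v < self.end)


def bump_hint(current: str, available: Sequence[str],
              ranges: Sequence[AffectedRange]) -> Optional[str]:
    """Lowest version above `current` that no CVE range covers.

    Same-major candidates win (non-breaking bump); otherwise the lowest clean
    version in a later major is returned; None means no hint can be given.
    """
    cur = parse(current)
    candidates = sorted(parse(v) for v in available if parse(v) > cur)
    # A version is only clean if it escapes the union of ALL matched ranges,
    # not just the range of a single CVE.
    clean = [v for v in candidates if not any(r.contains(v) for r in ranges)]
    if not clean:
        return None
    same_major = [v for v in clean if v[0] == cur[0]]
    pick = same_major[0] if same_major else clean[0]
    return ".".join(str(part) for part in pick)


# Constructed sample data: two CVEs with overlapping but different ranges.
# 1.3.0 would fix CVE-EXAMPLE-1 alone, but CVE-EXAMPLE-2 still covers it.
SAMPLE_RANGES = [
    AffectedRange("CVE-EXAMPLE-1", parse("1.0.0"), parse("1.3.0")),
    AffectedRange("CVE-EXAMPLE-2", parse("1.2.5"), parse("1.4.2")),
]
SAMPLE_VERSIONS = ["1.2.1", "1.3.0", "1.3.5", "1.4.2", "2.0.0"]

if __name__ == "__main__":
    print(bump_hint("1.2.0", SAMPLE_VERSIONS, SAMPLE_RANGES))  # 1.4.2
```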
Improved:
- Key figures in vulnerability report now adjust according the settings of filtering
Fixed:
- Tree view for large lists will not fail anymore
- Chart view will display an error message instead of silently failing when there are too many level one components to allow proper display
- Fixes on component crawlers preventing component update failures on special characters, misleading repo-urls and other unexpected crawling results.
TS-Core v2.6.9
The v2.6 release comes with more attention to Vulnerability Management. Throughout the next few releases, we will improve the quality of vulnerability matching and focus on improved handling.
Added:
- In the Legal View we added a deep link to the Detail View. The link allows you to jump from the Legal View directly to the component coming with that license. This will allow for further investigation.
- We extended the Vulnerability Report to improve the handling of vulnerabilities. Now the report does not only show the vulnerability findings, it also provides detailed information on all matched vulnerabilities and allows to resolve them directly from within the report. The report can be accessed from the ANALYSIS topic in the INTERNAL (MANAGE) section.
Improved:
- "Black & Whitelists" have been renamed to "Allow-" and "Ignore-lists".
- Scope for Vulnerability alerts on existing analysis has been reduced to most recent SBOM (analysis) as well as approved / released SBOMs. (see Online help for more details)
- When issuing a DeepScan request, TrustSource queues the request and processes it asynchronously. This queueing might take a few seconds before the commit from the queue manager is returned. This might have been irritating to the user, since it left them without confirmation that the request is processed by the system. The current form gives this feedback and thus does not lead to several requests of the same scan.
- User feedback for companies not yet having activated IDM integration, so that users will better understand what the situation is and how to resolve it.
- Sunburst Diagram in the Details View has received some handlers that give hints when a diagram has too many root elements, so that the inner circle would be so large that it cannot be displayed anymore.
TS-Core v2.5.128
Improved:
- The display of legal and vulnerability status in the project view has been improved. Instead of displaying the percentages we now use a bar displaying the relations. This helps to understand the general situation of a particular project faster at first view.
Please note, there is a tool tip to get information on smaller figures.
Fixed:
- An issue limiting performance of dashboard and module details page has been removed. Especially the analysis selector is loading without any delay now.
- In one of our latest updates the binding of tags within the project list has been lost. This led to empty columns and therefore the filter "by tags" did not work anymore. The binding has been restored, the filter works again.
TS-Core v2.5.118
Added:
- Added a new internal capability to guess CPE definitions applying AI based natural language processing. Thus it will be possible to assign CPEs before NVD has assigned them, based on the natural language description. Currently we will still not fully use this but monitor accuracy. The last tests have shown a 92% accuracy. But we plan to review training progress further before releasing it into production. If you are interested in the results, feel free to reach out to our NLP team.
Improved:
- Improved Component appearance report. The report, which is able to list all appearances of a particular component across the complete portfolio has been improved to run faster. The report is available to Compliance and Portfolio Manager roles.
- Legal view has been improved. Some fixes were applied to shorten loading time and status data has been updated to legal status. Thus component status is not visible anymore in legal view.
Fixed:
- Issue during account creation leading to two companies being created per each registration has been fixed.
- Handling of illegal characters has been added to the component crawlers, preventing failures in crawling components and leading to more and better matches, thus improving the component metadata supply.
TS-Core v2.5.113
Added:
- Logging capability extended, adding new log events to improve internal metering.
Improved:
- The SPDX export function for modules has been updated to support SPDX v2.2 instead of v2.1.
- Upgraded all node runtimes to v16 min.
Removed:
- Support for SPDX export in CSV and XLSX formats has been removed. We only support the RDF. The decision has been made due to usage statistics not showing significant usage of the two formats. Thus we decided to focus on RDF only.
Fixed:
- Issues with enforced IDM login leading to effectively no login option.
TS-Core v2.5.109
Added:
- Default level of confidence
It is now possible to set the default confidence level for vulnerabilities on project and module level. The priority scheme is: local beats module beats project selection. Thus you may have a project-wide selection, but overrule it in a specific module by changing the setting there.
- New export functions
We have added export functionality to allow export of SBOMs into CycloneDX or SPDX formats (currently only JSON) from within the UI. The former txt export has been extended to provide markup extensions to allow beautification.
- New sorting and filtering capabilities
Our support is the first to test a new table control allowing for extensive, flexible filtering of very large datasets. This will allow them to find specific transactions much faster and therefore improve support speed.
Improved:
- Performance improvements
We have split the backend for the UI and the API. UI and API actually use the same functionality in the background. However, the intensity of use is different. While the amount of active UI users/requests changes slowly, API load is highly volatile. While in one moment only a few requests per second appear, the next moment (maybe 30-45 seconds later) we experience 500 or more requests per second. This led to difficulties in scaling out, which in return led to a bad experience in the UI. Splitting the requests into different clusters removed this negative experience.
- TS-docker scan format
pURLs and versions are fully supported now. In addition, errors from some UTF-8 characters are properly handled, preventing failures during the import of unusual symbols.
Removed:
- Misleading Swagger URL
We have removed the file information from the Swagger page. In the headline of the swagger file, where you may enter the test API-key, a URL has been given. This URL has been the URL to the particular swagger file itself, e.g. https://app.trustsource.io/api-v1/swagger.json!
However, some customers expected this to be the URL of the API and were unhappy that it did not turn out to work.
The TrustSource API v1 is and remains available at https://app.trustsource.io/api/v1/RESOURCE
TS-Core v2.5.103
Added:
- Additional API transaction statistics
Statistics for PostScan and ExecuteAnalysis transactions were added to the API monitoring pages. This gives you a better overview of the overall system usage.
Improved:
- Performance improvements
We reviewed and redesigned data supply for several views. The new request structure reduces the amount of data transferred between server and clients. Some requests were even skipped to reduce the number of requests issued when entering a particular view.
TS-Core v2.5.99
Improved:
- Vulnerability assignments improved
To improve the accuracy of Vulnerability assignments and further reduce the number of False Positives, further analysis and cross-checks have been added, taking more account of platform information and references.
- Compliance Report restructured
After requesting an Approval, a compliance report is generated. This report is the aggregation of all critical aspects of a project or module, depending on the scope of the approval. In the new layout, you will not have an endless page anymore but several sections you may directly navigate to.
The KPIs directly indicate how many of the entries have been prepared respectively remain to do, and the different sections have more details also on other aspects like viability or versioning - given the analysis has been provided.
Fixed:
- Issue with initiation of approvals
We had reports about environments under Windows together with an older IE version that had issues starting approvals. A workaround has been provided, so that it should be possible to initiate approvals using every browser.
TS-Core v2.5.96
Added:
- CISA exploit alerts:
The American Cybersecurity and Infrastructure Security Agency (CISA) also analyses attacks and attack patterns used by adversaries. For a while now they also review the observed attacks for the Known Vulnerabilities used in the attacks and publish this as a feed.
We have added the feed to our vulnerability lake. So if you see a spy symbol next to a CVE, you know that it is actively attacked.
(Image: CISA Exploitation Alert Indicator)
PLEASE NOTE: The CISA exploitation alert is just a hint that exploitation of this vulnerability already has been observed. It means the vulnerability is not a theoretical threat but a real risk. Most of these alerts indicate actively exploited software solutions by 3rd party vendors, only few address components directly. However, you might find these in your infrastructure components. And please DO NOT INTERPRET the absence of this indicator as an indication that the current vulnerability is or will NOT be exploited!
Improved:
- Deeplinks in Vulnerability Report
The Deeplinks in the vulnerability report now allow to jump into the detail view of that particular vulnerability, so that it is simpler to collect the data.
- Analysis Function upgraded
The analysis has been improved and enhanced to allow a better handling of muted vulnerabilities. In addition, several statistics will be pre-calculated now, which reduces processing needs and therefore improves display performance on client machines.
- Filtering in System logs
It is now also possible to use a date filter or search for a particular event type.
Fixed:
- Flaw in create license
The License Manager role has the option to create new licenses. During the last update the entering of new licenses has been prohibited due to a broken JavaScript routine. This has been fixed and works now as intended.
- Broken Statistics in Compliance Report
Since we changed the way statistics were calculated in v2.5.90, the re-use of these statistics led to some inconsistencies for particular constellations in the compliance report. These constellations were not part of our automated tests. We took this occasion to re-work the compliance report and the statistics calculation. This will not only improve the information presentation but also the speed.
- Updated ts-deepscan to v1.0.3
v1.0.2 used a multi-processing approach (fork) that has turned out not to be valid on Microsoft Windows. Therefore v1.0.3 fixes this (using spawn). This is less performant, since spawn will require each process to initialise again, which is why we recommend to process larger repositories on Linux machines.
TS-Vulnerability Lake v1.6.12
Improved:
- Entry screen search allows to search for CVEs directly
So far it was required to click on "by CVE ID" to search for CVE IDs. Now you may enter the ID directly in the start screen to receive either a list of close CVEs or the details of the particular CVE.
- CISA Alerts
CISA alerts are now also displayed in the public Vulnerability Lake UI (see above for more details)
TS-Core v2.5.90
The coming update (released end of calendar week 26) will contain a few significant changes to how you will work with TrustSource Vulnerability Management:
Added:
- Confidence Score: It is possible to select the confidence level for vulnerabilities. You may select between high, medium and low. This has been introduced to cope with the matching challenge. While some vulnerabilities can be matched very precisely, others are not that clear. The less restrictive the matching criteria, the more room for false positives. Now you may switch between the different levels of confidence, allowing you to get a better understanding of potential impacts without getting spammed with false positives. Read here more about the new feature.
(Screenshot: Confidence Level HIGH)
(Screenshot: Confidence Level set to MEDIUM)
PLEASE NOTE: There are several confidence level filters: one on top of the components list and one in the details pane. While the first manages the general setting for the current module, the one in the details pane manages the filter for the particular component. This allows you to dig into more details for specific components only. Please recognise the hint if there is a lower-level vulnerability that is filtered:
(Screenshot: Confidence Level HIGH)
- DeepScan results now integrated with Compliance flow: So far we had DeepScan results only for review purposes. Now you may add DeepScan results to a project/module and thus push them into an approval flow as well. This allows for better analysis and management of C/C# and C++ projects that do not use package managers.
- Vulnerability details contain references: In the vulnerability details you now have access to references from other sources, so that you may jump directly to the source of information. This is useful for security researchers who want to learn more about the details of a component.
Improved:
- Mute vulnerabilities: It is now possible to select between the following default comments while muting vulnerabilities. This allows you to just select one of the options as comment and proceed. If you are not happy with any of the default answers, you may choose "other" and define your text / explanation yourself, just as today:
  - false positive, not applicable to us
  - vulnerable code not in use
  - risk is tolerable, won't fix
  - fix is about to be implemented
  - fix has been provided
  - other...
- Updated ts-deepscan to v1.0.2: ts-deepscan is now able to split the scanning and the upload functionality. This allows you to execute scans locally and put the result into a file. In addition we dropped the upload limit. It is possible to upload even scans with sizes of up to hundreds of megabytes. They will still be properly processed.
- Updated ts-VulnerabilityLake-UI to v1.6.12: With the changes in the vulnerability matching we needed to change the vulnerability API. This required an update of the corresponding UI service. As a positive side effect, the vulnerability details now also contain references to further information sources.
TS-Core v2.5.61
Improved:
- performance improvements in Core
- updated ts-analysis to v1.6.9 including some performance improvements
Fixed:
- updated nuget crawler to v1.0.1 including a patch not to fail on illegal characters anymore
TS-Core v2.5.59
Added:
- Re-structured views and added structural representation: Since many of you requested to see the structural representation also in the analysis, not only in the scan, we restructured the possible representations in the dependency view. Already with v2.5.48 we introduced the root component (see below). We now support 4 different views:
  - Flat List Dependency View: This list contains all components in alphabetical order. This is the work view. Use it to find components, filter the list and manage details. It is the fastest representation.
  - Structural View: In this view you can see the dependency structure in list form. Each level of dependency moves the component a step to the right. That is why it is not possible to filter. But you may browse through the complete list to gain an understanding of the structure.
  - Sunburst Dependency Graph View: This is a sunburst representation of the dependency structure for drill-down. The sunburst makes it easier to understand where a vulnerability or a legal violation has its impact. Is it at a core component or a more leaf-like component? Maybe you can cut the dependency to get rid of the issue? The sunburst diagram answers this easily.
  - Legal View: See the structure of your module from a license perspective. How many different licenses do you have? How many components are under this license?
Improved:
- Infrastructure Modules representation improved: Infrastructure modules are components such as Wildfly or MySQL, which may be part of a solution but do not necessarily appear in a scan. So far it has been possible to add them as a module to include them in the notice file etc. Now they are treated the same way as all other modules, so you may analyse them and mute vulnerabilities or obligations.
- Deep-Links in Vulnerabilities Alert: The link given in a vulnerability alert email now jumps directly to the corresponding CVE. In the past it just took you to the Vulnerability Lake.
- Compliance Status now includes a Ratio: Since its introduction the solution has verified how many users saw the policy, and confirmations were tracked. Now we have added a ratio to the report showing how many of the "known" users confirmed having read the policy. A user is "known" after having logged in for the first time.
Fixed:
- ts-node-client updated: A handful of vulnerabilities in the node client have been fixed. In addition v1.8.3 contains a fix allowing to build without a dependency on the old eacg repo.
- Fixed Dashboard license count: In some circumstances the license count report ran into a loop, producing incredibly high counts of license or component appearances. The condition has been isolated and the issue is fixed now.
- Fixed Module not loading: Together with the new, faster dependency list view we were able to fix the "did not load" issue that sometimes appeared in very large analyses.
- Fixed some issues in C#/.Net/Xamarin scanner: In some constellations under macOS the scanner was not able to completely process the scan and failed due to "missing libraries", which actually were available.
- Fixed an issue with CVE impact report: Since the introduction of the Vulnerability Lake the CVE Impact Report did not find recently assigned vulnerabilities in old scans anymore. Only recently analysed scans were fully taken into account. This has been discovered and fixed.
TS-Core v2.5.48
Added:
- Container Scanning: With this version it is also possible to display and manage the results of Docker container scans using TrustSource tooling. To not re-invent the wheel, we selected the Syft scanner developed by Anchore and wrapped it to transform its output into our format and transfer it to the platform. You will find the tooling on GitHub at https://github.com/trustsource/ts-docker
  This way of import you may actually use for all sorts of scanners: if the scanner is able to deliver SPDX or CycloneDX format, you may use the corresponding upload function either through UI or API to push the document into TrustSource for further processing.
- Visual separation of the root element: Over the last months we recognized that many of our customers were surprised to find the root element of a scanned package or module as an element in the list of components. Since this element often is private and thus does not automatically get a license associated, it often appears as a warning. Besides the option to assign a public or private license, this caused irritation. To prevent this, we changed the representation of this module by adding a folder symbol and bringing it to the top of the dependency list.
- Accept package-URLs as scan-input: So far TrustSource required a component key as input for scans. This is a png-url compatible format helping to identify a component and its origin, e.g. mvn:org.eacg.int:somepkg:1.0.2. This has been the choice since TrustSource was introduced. Meanwhile the purl spec has gained acceptance as a unique component identifier across the industry. Now we also allow scans to provide purls as valid input.
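As an added example (not TrustSource's own code) covering both the SPDX/CycloneDX upload path mentioned under Container Scanning and the purl input introduced here: a purl parser following the spec's stripping order (subpath, qualifiers, version, then the type/namespace/name path), a converter from the legacy component key to a purl, and an extractor that pulls purls out of a constructed CycloneDX JSON document. The key layout type:namespace:name:version and the mapping of "mvn" to purl type "maven" are assumptions; only the single mvn key appears in the release notes.

```python
"""purl helpers for SBOM import (added example, not TrustSource code).
The component-key -> purl type table is an assumption; the notes show only "mvn"."""
import json
from typing import Dict, List, Optional
from urllib.parse import unquote

KEY_TYPE_TO_PURL_TYPE = {"mvn": "maven", "npm": "npm", "pypi": "pypi"}  # assumed mapping


def parse_purl(purl: str) -> Dict[str, object]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' per the purl spec:
    strip the subpath, then qualifiers, then the version (from the right), then the path."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest, _, _subpath = purl[4:].strip("/").partition("#")
    rest, _, qual = rest.partition("?")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    qualifiers = dict(kv.partition("=")[::2] for kv in qual.split("&") if kv)
    return {"type": parts[0].lower(),
            "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
            "name": unquote(parts[-1]),
            "version": unquote(version) or None,
            "qualifiers": {k.lower(): unquote(v) for k, v in qualifiers.items()}}


def key_to_purl(key: str) -> str:
    """Convert a legacy component key, e.g. 'mvn:org.eacg.int:somepkg:1.0.2'
    (assumed layout type:namespace:name:version, namespace optional), to a purl."""
    fields = key.split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"unexpected component key layout: {key!r}")
    ptype = KEY_TYPE_TO_PURL_TYPE[fields[0]]
    path = "/".join(fields[1:-1])  # namespace/name, or just name
    return f"pkg:{ptype}/{path}@{fields[-1]}"


def purls_from_cyclonedx(sbom_json: str) -> List[Dict[str, object]]:
    """Parse the purl of every component in a CycloneDX JSON BOM that carries one."""
    doc = json.loads(sbom_json)
    return [parse_purl(c["purl"]) for c in doc.get("components", []) if c.get("purl")]


# Constructed sample BOM (not a real scan): one Maven and one scoped npm package.
SAMPLE_CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "purl": "pkg:maven/org.eacg.int/somepkg@1.0.2?type=jar"},
    {"type": "library", "purl": "pkg:npm/%40angular/core@12.0.0"}]})
```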
- Allow SCA-scanners to write SPDX (and CycloneDX) outputs: Starting with our NPM scanner, we will provide all our SCA tools with the ability to write SPDX and CycloneDX SBOMs. This allows you to use the scanners not only to transfer data to TrustSource but makes them a valuable asset for every CI/CD chain. Check them out at GitHub.
Improved:
- Version jump alert improved: Since the world understood that software supply chains can be a potential attack surface, we have been thinking about options to reduce this attack surface. An immediate idea was the "version jump control". We improved the alerts and made them more visible. They also trigger a notification email now.
- Vulnerability Alerts and other notifications now contain deeplinks: We changed notification mails to contain deeplinks. We call deeplinks links to a particular instance, e.g. the component, scan or vulnerability that is referred to.
- Allow to redirect Trainings-Link to private LMS: Within the TrustSource solution we provide a link to online trainings. Many of our enterprise customers own their own training platforms. If desired, we provide them with the trainings as SCORM files so that they can provide our trainings through their LMS, allowing integration with their HR system etc. without any externalization or additional work. To direct learners to their local LMS, it is now possible to configure the Trainings-link.
- Display of aggregated information for infrastructure components: The representation of infrastructure components has been improved. Associated vulnerabilities are displayed whenever the component is displayed. The mechanism to treat and resolve the associated issues has been aligned with the known procedure for components.
Fixed:
- Fixed vulnerabilities in npm Client: If you are using v1.8.x of the node client, please update to v1.8.3.
- Fixed an error preventing Vulnerability Alerts being sent by mail: In some cases vulnerability alerts were not sent due to a problem with associating scans with the module responsible. This affected only modules created between Nov. 2020 and Mar. 2021. This has been fixed.
TS-Core v2.5.21
Added:
- DeepScan knows "queued" status: We added the status "queued" to the list of possible states a DeepScan request may have. Thus a successfully accepted request may have the status "queued" before it is being processed. This became necessary since the number of requests keeps growing.
Improved:
- CVE impact import changed: The CVE impact report now also uses the new Vulnerability Lake data. This improves quality and speed.
- Case insensitive search in Vulnerability Lake: Starting with v1.6.8, search in the Vulnerability Lake is not case-sensitive anymore.
Fixed:
- Fixed vulnerabilities in Core: A handful of dependency vulnerabilities have been fixed through updates.