Beginning July 2022, ShiftLeft CORE introduces changes to the product regarding:
- Build rules
- Support for severity classifications based on CVSS 3.1
- Support for OWASP 2021
We've updated the build rules engine so that builds can be failed based on findings of OSS vulnerabilities, and added templating functionality that you can use to customize the report ShiftLeft generates from your results.
The build rules that you defined using v1 should continue to work; however, we recommend migrating to v2 as soon as possible. Currently, you invoke the build rules v2 engine by including `--v2` when running `sl check-analysis` (e.g., `sl check-analysis --v2 [command options]`), though we will eventually update the CLI so that v2 is the default.
Previously, ShiftLeft CORE classified the severity of findings as critical. However, findings are now tagged with severity levels based on the CVSS 3.1 score associated with the finding:
|CVSS score|Severity level|
|---|---|
|CVSS score between 0.1 and 4| |
|CVSS score between 4.0 and 7| |
|CVSS score between 7.0 and 9| |
|CVSS score above 9.0| |
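To make the two changes above concrete, here is an added example (not ShiftLeft's build-rules engine, rule-file syntax, or report template language) of a build gate that derives a severity level from a CVSS 3.1 score and fails the build when OSS vulnerability findings meet a rule's threshold. The severity names are the CVSS 3.1 qualitative rating scale (an assumption that the product uses the same names); the findings JSON, the rule dictionary, and the `str.format`-style report template are all constructed for this example.

```python
"""Build-gate example: derive severity levels from CVSS 3.1 scores and fail the
build when OSS vulnerability findings exceed a rule's threshold.

Added illustration; this is not ShiftLeft's build-rules engine, its rule-file
syntax, or its report template language. The severity names are the CVSS 3.1
qualitative rating scale (assumption: the product uses the same names). The
findings JSON and the rule below are constructed for this example.
"""
import json


def cvss31_severity(score: float) -> str:
    """Map a CVSS 3.1 base score to its qualitative severity level."""
    if score <= 0.0:
        return "none"
    if score < 4.0:       # 0.1 - 3.9
        return "low"
    if score < 7.0:       # 4.0 - 6.9
        return "medium"
    if score < 9.0:       # 7.0 - 8.9
        return "high"
    return "critical"     # 9.0 - 10.0


# Ordering used to compare a finding's level against the rule's minimum.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings in a hypothetical JSON shape (not ShiftLeft's output format).
SAMPLE_FINDINGS_JSON = """
[
  {"id": "f-1", "type": "oss_vuln", "package": "example-lib", "cvss_score": 9.8},
  {"id": "f-2", "type": "oss_vuln", "package": "other-lib",   "cvss_score": 5.3},
  {"id": "f-3", "type": "oss_vuln", "package": "third-lib",   "cvss_score": 7.5},
  {"id": "f-4", "type": "vuln",     "package": null,          "cvss_score": 8.1}
]
"""

# Hypothetical rule: fail if more than max_findings OSS vulnerabilities are at
# or above min_severity.
SAMPLE_RULE = {"finding_type": "oss_vuln", "min_severity": "high", "max_findings": 0}


def evaluate_rule(findings, rule):
    """Return (passed, offending): offending lists findings that match the rule's
    type and reach its minimum severity; passed is False when their count
    exceeds rule['max_findings']."""
    threshold = SEVERITY_RANK[rule["min_severity"]]
    offending = []
    for finding in findings:
        if finding["type"] != rule["finding_type"]:
            continue
        level = cvss31_severity(finding["cvss_score"])
        if SEVERITY_RANK[level] >= threshold:
            offending.append({**finding, "severity": level})
    passed = len(offending) <= rule.get("max_findings", 0)
    return passed, offending


def render_report(offending, template="{severity:>8}  {id}  {package}  cvss={cvss_score}"):
    """Render one line per offending finding from a str.format-style template
    (a stand-in for a report template, not the product's templating)."""
    return "\n".join(template.format(**f) for f in offending)


def check_build(findings_json=SAMPLE_FINDINGS_JSON, rule=SAMPLE_RULE):
    """Parse findings, evaluate the rule, and return (passed, report_text)."""
    findings = json.loads(findings_json)
    passed, offending = evaluate_rule(findings, rule)
    return passed, render_report(offending)


if __name__ == "__main__":
    ok, report = check_build()
    print(report)
    print("BUILD PASSED" if ok else "BUILD FAILED")
    raise SystemExit(0 if ok else 1)
```

With the constructed input, the 9.8 and 7.5 findings are classified critical and high, the 5.3 finding is medium and ignored by a high-or-above rule, and the non-OSS finding is skipped by the type filter, so the gate fails the build. The boundary handling matters: a score of exactly 4.0, 7.0 or 9.0 lands in the higher band, as in the table above.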
If you use any of the following features, you can update your definitions to reflect the new severity rating system:
If you use `moderate` in your existing build rules, you must change these to
ShiftLeft CORE now supports finding issues classified under the OWASP 2021 Top 10.
Previously, findings were tagged with the `owasp_category` parameter as follows:
With the introduction of support for the OWASP 2021 categories, ShiftLeft accepts the following tags with the
If you use any of the following features, you can update your definitions to reflect the OWASP parameter names available: