2019

The following is a list of additions and bug fixes to ShiftLeft made in 2019.

December

  • The Check Environment Flag: ShiftLeft's sl check-environment command verifies that your ShiftLeft configuration exists and that your network connection is functional, and lists the artifacts currently installed on your machine. Add a language-specific flag (e.g., --jvm or --dotnet) to also check that language's options.

  • GitHub Authentication: You can now register and log in to ShiftLeft using your GitHub credentials.

  • Self-Serve Portal: The self-serve portal allows you to use ShiftLeft Inspect without first reaching out to the ShiftLeft team to request access. This version of Inspect, which is available for free, allows up to five users to perform 300 scans annually on 200,000 lines of code or less. It supports applications written in Java, C#, Golang and Scala, and allows developers to run two scans concurrently and analyze an unlimited number of dependencies and frameworks.

Bug Fixes

  • The Dashboard now displays line numbers correctly when presenting data regarding vulnerabilities found in .NET applications.

November

Ability to be a Member of Multiple Organizations. ShiftLeft users can now be a member of multiple ShiftLeft organizations.

Ocular

License, Install and Update via the ShiftLeft Command Line Interface (CLI) (Beta). You can now run ShiftLeft Ocular via the CLI, making it easier to add new users to, and update, ShiftLeft Ocular.

New Language Support. ShiftLeft Ocular now supports the examination and investigation of applications written in the following languages:

Inspect

Golang Support (Early Preview). ShiftLeft Inspect now supports the analysis of applications written in Golang.

Integration with CircleCI. ShiftLeft Inspect can now be integrated with your CircleCI project to automate code analysis.

October

Ability to Group Applications in the ShiftLeft Dashboard. Application groups are useful for viewing vulnerabilities across multiple associated microservices in a single Dashboard view. Each microservice is still analyzed individually, and vulnerabilities are identified by individual microservice.

Improved ShiftLeft Documentation. ShiftLeft documentation has been expanded and improved on the following topics:

September

Ocular

New Tutorial on Identifying Incorrect or Zero Memory Allocation Bugs in C. When an allocation size is computed arithmetically (for example, count multiplied by element size), the arithmetic can overflow or evaluate to zero, so the buffer allocated is smaller than the code assumes. Either condition may lead to exploitable memory-corruption vulnerabilities. This tutorial uses ShiftLeft Ocular to determine whether such a condition exists.
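The bug class the tutorial targets, as an added C example (this is not code from the Ocular tutorial or from ShiftLeft, and the record-copy functions, their names and the constructed input are assumptions for illustration): a size computed as count * elem_size is trusted in the vulnerable variant, while the hardened variant classifies the product as OK, overflowed or zero before allocating.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum size_status { SIZE_OK = 0, SIZE_OVERFLOW = 1, SIZE_ZERO = 2 };

/* Classify an allocation size computed as count * elem_size without ever
 * trusting the wrapped product. Overflow is detected by division, which
 * cannot itself overflow. */
enum size_status size_mul_status(size_t count, size_t elem_size, size_t *bytes) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return SIZE_OVERFLOW;
    *bytes = count * elem_size;
    return *bytes == 0 ? SIZE_ZERO : SIZE_OK;
}

/* Show the wrap concretely at a fixed 32-bit width so the result does not
 * depend on the host's size_t: 0x40000000 * 4 == 0x100000000, truncated to 0. */
uint32_t wrapped_size32(uint32_t count, uint32_t elem_size) {
    return count * elem_size; /* unsigned wraparound is well defined in C */
}

/* Vulnerable pattern (hypothetical): the product is trusted. With an
 * attacker-chosen count the allocation can be 0 bytes, or far smaller than
 * count * elem_size, and the copy loop then writes past the heap block.
 * Kept only for contrast; never call it with untrusted input. */
uint32_t *copy_records_unchecked(const uint32_t *src, size_t count) {
    uint32_t *dst = malloc(count * sizeof *dst);   /* may be malloc(0) */
    if (dst == NULL) return NULL;
    for (size_t i = 0; i < count; i++) dst[i] = src[i]; /* heap overflow if wrapped */
    return dst;
}

/* Hardened variant: refuse overflowed and zero-byte sizes before allocating. */
uint32_t *copy_records_checked(const uint32_t *src, size_t count) {
    size_t bytes;
    if (size_mul_status(count, sizeof *src, &bytes) != SIZE_OK) {
        errno = EINVAL;
        return NULL;
    }
    uint32_t *dst = malloc(bytes);
    if (dst == NULL) return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

int main(void) {
    /* Constructed input: four records, plus attacker-style counts. */
    const uint32_t records[4] = { 0xdeadbeef, 1, 2, 3 };
    size_t bytes;

    printf("32-bit product 0x40000000 * 4 wraps to %u\n",
           (unsigned)wrapped_size32(0x40000000u, 4u));
    printf("status for SIZE_MAX * 2: %d (1 = overflow)\n",
           (int)size_mul_status(SIZE_MAX, 2, &bytes));
    printf("status for 0 * 4: %d (2 = zero)\n",
           (int)size_mul_status(0, 4, &bytes));

    uint32_t *ok = copy_records_checked(records, 4);
    printf("checked copy of 4 records: %s\n", ok ? "allocated" : "rejected");
    free(ok);
    printf("checked copy with count 0: %s\n",
           copy_records_checked(records, 0) ? "allocated" : "rejected");
    return 0;
}
```

The division-based check is the portable form of the test; where the compiler provides them, `__builtin_mul_overflow` or a calloc that rejects overflow serve the same purpose. The zero case is handled separately because malloc(0) is permitted to return a non-NULL pointer that no write may touch.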

Dashboard

  • Improved UI. The ShiftLeft Dashboard has a new and improved UI that makes it easier to find, view and understand your application's vulnerabilities as found by ShiftLeft Inspect and ShiftLeft Protect.

  • Filter Analysis Results. Instead of scrolling through a list of results, you can quickly find vulnerabilities of interest by filtering. Filters can also be saved and reused as a build rule to automatically tag a build in your CI/CD pipeline based on ShiftLeft Inspect's results.

Inspect

  • Failing a Build Based on ShiftLeft Inspect Results. A build in your CI/CD pipeline can now be failed automatically based on ShiftLeft Inspect's code analysis results.

  • Identifying Branch Names in ShiftLeft Inspect. You can include branch names in the analysis results of ShiftLeft Inspect. Doing so ensures that the automated analysis of these branches is not mixed up with the analysis of the main branch, and lets you view the analysis results of individual branches separately.

  • Improved Analysis Results Notification. When you submit an application referencing a part of a library ShiftLeft has not seen before, it may take ShiftLeft Inspect additional time to complete a full analysis. In those situations, ShiftLeft Inspect initially displays the partial analysis results, which is indicated by a message in the UI. From this message, you can specify that you want to receive notification when the full analysis results are available.

Protect

August

Policies

Exclude Vulnerabilities with a Sanitization Function. You can now create a custom policy that declares a function of your own as a sanitizer, so that ShiftLeft excludes vulnerabilities whose data flow passes through that function when analyzing and examining your code.

ShiftLeft Documentation has been expanded to include information on:

Ocular

Inspect

Protect

July

Ocular

  • Scala Support (Early Access). You can now use ShiftLeft Ocular to examine your Scala applications for vulnerabilities and data leakage. As part of this early access, Scala version 2.12+ support is available.

  • Additional Documentation. ShiftLeft Ocular documentation has been expanded! There is now background and getting started information to help you understand and use ShiftLeft Ocular successfully, content on the most commonly used queries, explanations on how to use ShiftLeft Ocular for diverse use cases, and language-specific tutorials.

  • Ability to Automatically Provision Your Servers. You can now automate the provisioning of your servers to ensure that you have the required amount of memory to run ShiftLeft Ocular without impacting performance.

Inspect

  • Scala Support (Early Access). You can now use ShiftLeft Inspect to analyze your Scala applications for vulnerabilities and data leakage. As part of this early access, Scala version 2.12+ support is available.

  • Analysis Results Notification. When you submit an application referencing a part of a library ShiftLeft has not seen before, it may take ShiftLeft Inspect additional time to complete a full analysis. In those situations, ShiftLeft Inspect initially displays the partial analysis results, which is indicated by a message in the UI. From this message, you can specify that you want to receive notification when the full analysis results are available.

  • Vulnerability Detection Improvements. The detection rules for vulnerabilities have been improved. Rules that resulted in too many or unclear results have been removed, especially around handling sensitive data storage and cache handling.

June

Ocular

  • On-Disk Code Property Graph (CPG) Support. (Introduced in ShiftLeft Ocular version 0.3.38) Disk overflow is automatically enabled for CPGs. Disk overflow moves parts of the CPG to disk only when heap usage reaches 80% of the maximum heap allocation. Based on the query, ShiftLeft Ocular automatically identifies the parts of the CPG needed and loads them into RAM. The following (example) information is displayed by ShiftLeft Ocular when disk overflow is enabled:

    INFO heap usage (after GC) was 0.87 -> scheduled to clear 100000 references (asynchronously)
    INFO attempting to clear 100000 references

    The result is that larger CPGs are now supported, though at a performance cost.

  • Recommendations on Memory Size. (Introduced in ShiftLeft Ocular version 0.3.41) ShiftLeft Ocular now displays information on the amount of memory needed to create or load a CPG, allowing you to size the heap up front for large applications instead of falling back to disk overflow. For example:

    ocular> createCpg("someBigApp.jar")
    ocular> The cpg.bin.zip you are loading is 63MB on disk and requires approximately 12712MB heap,
    but the current maximum heap size is 455MB. It is suggested that you provide a larger
    `-J-Xmx` setting, e.g. `ocular.sh -J-Xmx14g`, to ensure that your machine has sufficient
    free physical memory available. Otherwise, disk overflow is automatically enabled,
    slowing performance.

  • Common Queries. The ShiftLeft Ocular documentation has been improved with information on the most common queries:

Protect

  • ShiftLeft Protect Event Viewer. From the Vulnerabilities Dashboard, you can now view details on a sampling of security events for a vulnerability. This includes information on an event's headers, payloads, request origin, and whether the event was blocked by ShiftLeft Protect. Such information can help you in remediation, to make precise code fixes and to determine the extent of an attack.

    Note that by default the Event Viewer only displays an event count summary. To include the full payloads of attack events, you must enable the Protect configuration item sec.collect.attack.info. This is opt-in because the collected event data (headers and payloads) may contain sensitive information, and transmitting it to the ShiftLeft infrastructure consumes additional network resources.

May

  • Support for Java 11. All ShiftLeft products now support Java 11.

Ocular

  • Windows Operating System Support. ShiftLeft Ocular now supports the Windows operating system.

  • Added JSP Support. You can now use ShiftLeft Ocular to examine the software elements and flows in your JSP to identify complex business logic vulnerabilities that can't be scanned for automatically. Note that this support does not include JSP Expression Language.

  • Support for MISRA C. MISRA C is now supported by ShiftLeft Ocular. MISRA C is a set of software development guidelines for the C programming language developed by the Motor Industry Software Reliability Association (MISRA). Its aims are to facilitate code safety, security, portability and reliability in the context of embedded systems.

  • New Control Dependence Graph. A new Control Dependence Graph has been added to the Code Property Graph (CPG). This graph is used to check for validation criteria in data flows. It enables the filtering of data flows based on control flow influence from certain sources.

  • New Tutorial on using ShiftLeft Ocular with JavaServer Pages (JSP). The ShiftLeft Ocular documentation now includes a tutorial on using ShiftLeft Ocular to examine the software elements and flows in your JSP to identify complex business logic vulnerabilities that can't be scanned for automatically.

Inspect and Protect

  • SOC 2 Type 1 Compliance. ShiftLeft Inspect and ShiftLeft Protect now operate under SOC 2 Type 1 compliance. The Type 1 report assesses the design of ShiftLeft's security controls at a specific point in time. By providing specific visibility into how the data you submit is handled, it gives your customers additional assurance that the right controls are in place to protect against the exploitation of vulnerabilities.

  • Universal Access Token for ShiftLeft Inspect and ShiftLeft Protect. The uploadToken and license properties have been deprecated as a non-breaking change. They are replaced by a single property that is used both to authenticate uploads and to license the product, simplifying integration in CI/CD and runtime environments. The single property is accessToken in shiftleft.json and SHIFTLEFT_ACCESS_TOKEN as an environment variable.

  • Custom Policies Available with ShiftLeft Inspect. ShiftLeft provides a database of default Policies. You can also create your own custom Policy for ShiftLeft Inspect. Documentation explains how to create and use a custom Policy, illustrated by the common use case of providing application- or organization-specific rules that more accurately reflect the state of sensitive data variables.

  • New Vulnerability API for ShiftLeft Inspect. The new ShiftLeft Inspect Vulnerability API returns the vulnerabilities identified in your organization's applications, with the information you need to act on each exploitable area of the code. See the Vulnerability API documentation for specifics.

  • ShiftLeft Protect Improved .NET Installer. The installer for ShiftLeft Protect has been improved so that all dependencies are now bundled into a single downloadable file. This allows the installer to run offline (without connecting to the Internet).

  • JSP Support Added for ShiftLeft Protect. You can now use ShiftLeft Protect to protect your JSP pages against vulnerabilities and data leakage. Note that this support does not include JSP Expression Language.

April

  • Update to ShiftLeft's Terms of Service. The ShiftLeft Terms of Service have been updated for post-termination obligations (4d).

Ocular

  • Overlays API. The Security Profile is now part of the CPG, as a layer. This new feature unifies the Ocular Query Language (OQL) for the CPG and Security Profile and removes the need to use cpg2sp.sh to create a Security Profile. This means that all Security Profile functionality is now part of the CPG.

  • Integrated CPG and Security Profile Generation. CPG and Security Profile generation can now be performed from inside ShiftLeft Ocular, with both CPGs and their overlays managed in a workspace. This new feature allows you to effectively work with multiple CPGs at once. Refer to the API for additional information. Older APIs and functionality (e.g. loadCpg and loadSp) are now backwards compatible.

  • Workspaces. ShiftLeft Ocular now includes workspaces for easy management of CPGs and overlays. Refer to the API for additional information.

  • Load Multiple CPGs. You can now load more than one CPG in a given workspace and then combine queries across them. Refer to the API for additional information.

  • Deprecated sp Object. The functionality of the deprecated sp object has been transferred to the cpg object.

  • Dependency List Outputs Complete Dependencies. The Dependency List has been fixed to now output complete dependencies.

  • Renamed newLocation Step. The newLocation step has been renamed to location.

  • .flows Behavior Shows Single Flow. .flows behavior has been fixed to show only a single flow, thereby resolving printing issues. Use .allFlows to show the complete flows list.

Inspect and Protect

  • Enhancements to ShiftLeft Inspect for .NET. The current version of ShiftLeft Inspect for .NET includes significant performance improvements in both processing time and memory consumption. In addition, numerous bug fixes have been made.

  • JSP Support Added for ShiftLeft Inspect. You can now use ShiftLeft Inspect to analyze your JSP pages for vulnerabilities and data leakage. Note that this support does not include JSP Expression Language.

  • Stability Improvements to ShiftLeft Protect. Stability improvements have been made in the ShiftLeft Protect for Java Microagent.

  • Automatic Updates for the ShiftLeft Command Line Interface (CLI). The ShiftLeft CLI now automatically updates so that you don't have to reinstall the CLI whenever there are new features or fixes. Refer to CLI Reference for more information.

March

  • Vulnerabilities Dashboard. The new Vulnerabilities Dashboard provides a singular view of application security quality metrics, including a list of vulnerabilities based on static/runtime analysis of applications. You can use these metrics to measure progress of your security improvement over time. See Measuring Security Quality of Releases over Time for more information.

  • Jira Integration. You can now integrate ShiftLeft with Jira to automatically generate Jira tickets for the vulnerabilities in your ShiftLeft Dashboard. Refer to the article Integrating with Jira for details.