This is an update regarding Qwiet preZero and CVE-2021-44228, the critical vulnerability in the Log4j 2 library that allows unauthenticated remote code execution.
Shortly after the vulnerability was announced, we added CVE-2021-44228 to our database. Our engineering and operations teams also audited and patched all vulnerable code and systems within our infrastructure. We began this work on Friday and completed it over the weekend.
We have not detected any attempts to exploit this vulnerability against our systems. We continue to monitor the situation closely.
Highlights: Kotlin support, scan details for applications, and automatic detection of Git branch names
Kotlin: We are pleased to announce beta support for Android applications written in Kotlin.
Scan details for applications: As part of your scan results, Qwiet now displays detailed information about the analysis, including the version ID, size of your application/lines of code, the token used to authenticate with Qwiet and begin the scan, and the specific parameters provided.
Automatic detection of Git branch names: When running sl analyze, you can provide the name of your branch so that your results are easily identifiable. If you are working in a Git repository, Qwiet now detects the current branch name automatically and uses it.
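The branch-detection step has two edge cases worth seeing in code: a detached HEAD (where .git/HEAD holds a commit hash rather than a ref) and CI systems that check out a detached commit but expose the branch name through an environment variable. The following is an added example written for this page, not Qwiet's code and not a description of how sl analyze resolves the branch; the CI variable names it consults are an assumption, and the repositories it reads are constructed on the fly so it runs offline.

```python
"""Resolve the current Git branch name without shelling out to git.

Added example (not Qwiet's own code). It reads .git/HEAD directly, handles
worktree-style ".git" files, treats a raw commit hash as a detached HEAD and
falls back to CI environment variables in that case.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# CI variables that carry the branch name when the checkout is detached.
# Which variables (if any) a scanner should consult is an assumption here.
CI_BRANCH_VARS = ("GITHUB_HEAD_REF", "GITHUB_REF_NAME", "CI_COMMIT_REF_NAME", "GIT_BRANCH")

# A detached HEAD holds a full SHA-1 (40 hex) or SHA-256 (64 hex) object id.
_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def find_git_dir(start: Path) -> Optional[Path]:
    """Walk upwards from start looking for .git (a directory, or a worktree/submodule file)."""
    start = start.resolve()
    for candidate in [start, *start.parents]:
        dot_git = candidate / ".git"
        if dot_git.is_dir():
            return dot_git
        if dot_git.is_file():
            # Worktree or submodule: the file contains "gitdir: <path>"
            text = dot_git.read_text(encoding="utf-8").strip()
            if text.startswith("gitdir:"):
                target = Path(text[len("gitdir:"):].strip())
                return target if target.is_absolute() else (candidate / target).resolve()
    return None


def branch_from_head(git_dir: Path) -> Optional[str]:
    """Return the branch named by HEAD, or None when HEAD is detached."""
    head = (git_dir / "HEAD").read_text(encoding="utf-8").strip()
    if head.startswith("ref: refs/heads/"):
        return head[len("ref: refs/heads/"):]
    if _SHA_RE.match(head):
        return None  # detached HEAD: no branch to report
    raise ValueError(f"unrecognised HEAD content: {head!r}")


def detect_branch(start: Path, env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Branch name for tagging scan results: HEAD first, then CI variables, else None."""
    git_dir = find_git_dir(start)
    if git_dir is not None:
        branch = branch_from_head(git_dir)
        if branch:
            return branch
    for var in CI_BRANCH_VARS:
        value = env.get(var, "").strip()
        if value:
            return value
    return None


def _fixture(head_content: str) -> Path:
    """Constructed input: a throwaway repo skeleton whose HEAD has the given content."""
    root = Path(tempfile.mkdtemp())
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text(head_content + "\n", encoding="utf-8")
    (root / "src").mkdir()
    return root / "src"  # start the search from a subdirectory, as a scanner would


def demo() -> dict:
    """Run detection against the three situations discussed above."""
    on_branch = _fixture("ref: refs/heads/feature/log4j-audit")
    detached = _fixture("0123456789abcdef0123456789abcdef01234567")
    return {
        "on_branch": detect_branch(on_branch, env={}),
        "detached_no_ci": detect_branch(detached, env={}),
        "detached_in_ci": detect_branch(detached, env={"CI_COMMIT_REF_NAME": "release/1.2"}),
    }


if __name__ == "__main__":
    print(demo())
```

When neither HEAD nor the environment yields a name, the function returns None rather than guessing, so the caller can still fall back to an explicitly supplied branch name.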
Highlights: updates to sl analyze, adding sl remediation, and Dashboard and application summary refresh
Modifying the severity of findings: We have deprecated the sl modify-findings command, which administrators used to change the severity of findings after code analysis based on pre-defined rules. Qwiet now applies those modification rules automatically as part of the sl analyze invocation if you have any defined.
Suppressing findings: Our sl remediation feature allows you to suppress findings identified by Qwiet based on patterns you define.
Dashboard: We are pleased to announce that we have released a refresh of the Qwiet Dashboard. In addition to new styling, you will see:
- Scan details, including the name of the Git branch and timestamps
- The ability to create an app group via the Dashboard (previously, you could only do so using the Qwiet CLI)
Application summary view: In addition to refreshing the Dashboard, we have revamped the application summary view.
AWS Marketplace: Qwiet preZero is now available on the AWS Marketplace. AWS users now have an additional option for procuring Qwiet.
Send build rule information to Jira: The check-analysis command now accepts the --create-jira-issues flag. When you use this flag, Qwiet sends the findings that fail your build rules to Jira and creates an issue for each of them.
Org Owner role: We've added the org owner role to Qwiet. The org owner is presumed to be the person creating the Qwiet org, but you can change this if desired. Org owners are automatically assigned super user privileges.
Highlights: RBAC and C# updates
C#: We’re pleased to announce that our C# analysis engine now supports the use of lambda and local functions.
RBAC: We’ve added detailed tables to our RBAC documentation that clarify the specific rights and privileges granted to each of the roles available.
Highlights: C# 9/.NET 5, access tokens for CI integrations
C# 9/.NET 5: We’re pleased to announce that we now support apps written in C# 9 and the .NET 5 runtime environment.
CI Access Tokens: We’ve added the ability to create access tokens with the role of CI for use with your Qwiet integrations, such as Jenkins, CircleCI, etc. Super admins can create these tokens, which belong to the organization (not to the super admin), and can invalidate and regenerate them as needed. Because a CI token authorizes scans on behalf of the whole organization, keep it in your CI system's secret store rather than in the pipeline definition, and regenerate it if it is ever exposed.
Highlights: role-based access control (RBAC), updated C# support
Role-Based Access Control (RBAC): Qwiet now features role-based access control, which allows you to assign permissions to users based on their role within an organization or a team, instead of individually. This approach is more straightforward and less error-prone.
C# Applications Support: We have updated Qwiet to support more recent versions of the .NET Framework and .NET Core in your runtime and build environments.
Highlights: new Python deep analyzer in preZero and addition of the Qwiet plugin for Jira to the Atlassian Marketplace
Python deep analyzer for preZero: We’ve updated preZero to use the CPG deep analyzer to analyze applications written in Python. See our blog announcement for under-the-hood information, and review our documentation on scanning your Python applications.
Qwiet Plugin for Jira: Our plugin, which lets you use Jira to manage the vulnerabilities preZero identifies, is now available on the Atlassian Marketplace.
Highlights: Qwiet preZero (including Intelligent SCA and developer education tools), added support for apps using Vue.js, and GitLab tutorial updates
Qwiet preZero: You’ll notice a bit of new terminology on our website, specifically Qwiet preZero, which is our code security platform leveraging our Code Property Graph to offer you next-generation SAST, secrets detection, insights, Intelligent SCA, and developer education! Read more about each aspect of our platform on our blog.
Intelligent SCA: We’ve released Intelligent SCA, which allows you to identify vulnerabilities introduced into your application via third-party libraries, SDKs, APIs, and so on, then prioritize them based on whether they can be easily exploited or not.
Developer Education: We are pleased to announce two new learning resources. The first is Qwiet Learn, where you can go to learn about OWASP vulnerabilities and how you can go about mitigating them using preZero. In addition to free learning modules, you’ll find tips and tricks for managing your AppSec process, an invitation to our Discord community, and webinars (both recorded and live) focusing on advanced concepts.
The second is a built-in Security Training feature. Whenever you open the Vulnerability Detail panel, you’ll see a link to a training module relevant to the finding (for example, a command injection finding links to a module on what command injection is and how to remediate it).
GitLab Tutorial Update: We’ve updated and simplified the configuration files required to integrate preZero with GitLab.
Highlights: Updates to the Qwiet CLI tool, new documentation, and security tutorials fresh on the blog
We’ve added two commands to the Qwiet CLI tool:
- sl subscription returns information about your Qwiet subscriptions, including when they’re valid and what your current and maximum usage levels are
- sl count-lines counts the number of lines in a directory, which helps you determine whether the workstation on which you’re running preZero has sufficient resources to support the scan
We’ve made a series of updates to our Documentation that you may find helpful:
Policies are powerful tools that allow you to describe the data and methods in your application, as well as how they relate to each other. This information enhances the code property graph generated, which is helpful to preZero for returning higher-level conclusions and relevant security findings. To help you get started, we have added several tutorials on working with custom policies.
We’ve added a troubleshooting guide that you may find helpful if you ever run into any issues working with preZero.