2022

6 December

Highlights: support for C/C++ apps, Go updates, secrets configuration updates, SCA for containers, and the bestfix utility

What's new

1 November

Highlights: experimental support for Razor Pages, changes to finding statuses in the dashboard

What's new

  • Support for Razor Pages: We're pleased to announce our experimental feature supporting Razor Pages submitted as part of your C# project. We currently support only *.cshtml files with @page directives, though full support for all *.cshtml files is forthcoming.

  • Findings status values: We've made several changes to how finding statuses work in the dashboard:

    • We've added an Open status value, which indicates that you have not changed the status of the finding. The statuses available are now: Open, Fixed, Ignored, 3rd Party.

    • By default, the dashboard's findings screens (e.g., Vulnerabilities, OSS Vulnerabilities, etc.) only show findings with a status of Open. Any findings with a different status (Fixed, Ignored, 3rd Party) will be hidden until you change the status value filter.

3 October

Highlights: required commenting, dashboard updates, JavaScript flags, C# analyses without .NET 5.0, and scan metadata

What's new

  • Comments when setting a finding status to ignored: We've added a check to Qwiet preZero so that anyone setting the status of a finding to ignored must also add a comment to the finding that includes an explanation (this requirement applies regardless of whether you update the finding via API or the dashboard).

  • Dashboard updates

  • JavaScript: By default, Qwiet preZero now includes HTML files in all JavaScript analyses; you can, however, disable this by including the --exclude-html flag when running sl analyze.

  • C# without .NET 5.0 runtime: We have added instructions on analyzing C# applications if you're running Qwiet preZero on a machine without the required runtimes installed.

  • Scan metadata: the Qwiet UI displays comprehensive metadata information regarding the composition of your application (if you're unfamiliar with how Qwiet defines certain concepts, please see our metadata definitions in the documentation).

1 August

Highlights: Go 1.18, updates to build rules v2, continuous SCA, dashboard updates

What's new

  • Go: we have updated Qwiet Core to support the analysis of applications written using Go 1.18.

  • Build rules v2: our build rules v2 feature now supports the use of OWASP Top 10 - 2021 tags and severity ratings based on CVSS 3.1 scores:

    • Low: 0.1-3.9
    • Medium: 4.0-6.9
    • High: 7.0-8.9
    • Critical: 9.0-10.0
  • Continuous SCA: the continuous SCA feature alerts you to new OSS vulnerabilities that are disclosed after you've scanned your application. Qwiet monitors for newly published issues affecting your dependencies; if any are found, you'll see a notification under the dashboard's OSS Vulnerabilities tab. You should then rescan your application to populate the results in the dashboard.

  • Dashboard updates: we've updated the Qwiet dashboard with the following changes:

    • The applications overview page, which lists all of the applications associated with your org, now features graphical representations of the findings by type and severity
    • The new Organizations page allows you to see your user profile information and (if you're an admin) manage your org users and teams
    • The findings listed in the dashboard now support the use of CVSS 3.1 and OWASP Top 10 - 2021 tags.

12 July

Highlights: C# improvements, Kotlin improvements, dashboard updates, and updates to the VS Code extension

What's new

  • Analyzing C# applications: we have updated csharp2cpg so that you are no longer required to build your C# application before submitting it to Qwiet for analysis, though we still recommend doing so.

  • Analyzing Kotlin applications: We have added the following flags, which you can use during the analysis of Kotlin applications:

    • --classpath <path>: adds a path to the classpath used by the compiler during analyses;
    • --gradle-project-name <name>: the Gradle project name to be used when downloading dependencies;
    • --gradle-configuration-name <name>: the Gradle configuration name to be used when downloading dependencies;
    • --ignore-path <path>: the path to add to the list of directories that Qwiet will ignore during analyses.
  • Dashboard updates: we have updated the dashboard with the following improvements:

    • The application summary view now includes additional visual displays (e.g., additional graphs alongside numeric indicators) to streamline the presentation of your data;
    • The dashboard overview now features two additional tabs:
      • App Groups allow you to view and manage your app groups;
      • Teams enable you to manage the teams you've created, as well as the apps and users assigned to those teams.
    • Filtering by sources and sinks: When reviewing the data flow for individual findings, you can now select a specific source and sink to filter by; this allows you to triage vulnerabilities faster and determine which findings your code fixes would affect.
  • Updated VS Code extension: We've updated the VS Code extension, making UI updates and adding several options to the Command Palette.

6 June

Highlights: custom reports, API updates, JavaScript optimization, Qwiet preZero Extension for VS Code, and policy updates

What's new

  • Custom reports when running sl check-analysis: We've added support for templates to sl check-analysis, which gives you better control over how the build rules reports generated by this command appear.

  • API updates: We have added a series of endpoints to the Qwiet API, including:

    • A series of findings-related endpoints that allow users to:
      • Check a scan against a set of rules (using another scan as a reference)
      • Set the status of one or more findings
      • Set the assignee for a finding
      • Get scan information from a specific branch
    • An endpoint that returns a PCI-DSS report for a particular scan
  • JavaScript optimization: We've added a feature that allows JavaScript users to optimize project dependencies during transpilation (i.e., reduce dependencies to the minimal set that's required to transpile the JS/TS code), which may result in faster execution times.

  • Qwiet preZero Extension for VS Code: We are pleased to announce that our extension for VS Code is now available in the Visual Studio Marketplace. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE.

  • Policies: In addition to the existing default policies, we now offer one that combines the default policy, the sensitive data dictionary, and best practice guidelines. With this policy, Qwiet will show findings that are best practice violations as well as attacker-reachable findings.

1 May

Highlights: VS Code extension, a new ability for team admins to add apps, docs for SAML/SSO integration

What's new

  • Qwiet preZero Extension for VS Code: We are pleased to announce that our extension for VS Code is currently in beta. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE. If you're interested in this extension, please contact ShiftLeft.

  • Team admin rights: We have updated the rights assigned to those who are team admins. Team admins can now add applications to the teams to which they are assigned; they can also move apps among their teams.

  • SAML and SSO: If you're looking into configuring a SAML 2.0 integration so that users can log into Qwiet with single sign-on, we've documented the end-to-end process.

Reminder: ShiftLeft's domain name change

By 1 August 2022, we will have completed our migration from https://www.shiftleft.io to https://app.shiftleft.io. Please ensure that your scripts, SAML/SSO configuration, and other Qwiet integrations are using the new domain.

1 March

Highlights: Default branches, dependencies reports, and improved scan details

What's new

1 February

Highlights: SCA for Python and Go, updated build rules, additional Java support, refreshed API documentation, new access token types, Dashboard updates, and interactive remediation

What's new

  • Intelligent SCA for Python and Go: we are pleased to announce full SCA support for Python applications, as well as beta support for SCA for Go packages.

  • Build Rules v2: we have made many under-the-hood changes designed to improve the performance of our build rules functionality. Two of these changes will be visible to you:

    • Build rules can now be used to fail builds with open-source vulnerabilities
    • You'll always see a report of the results printed whenever you execute build rules (previously, you had to pass in a --report flag when running sl check-analysis to view the report).
  • Java: we've expanded our support of Java applications to include those written using Java 14, 15, and 17.

  • API documentation: we've revamped our API documentation, expanding on the endpoint descriptions, adding sample values, and linking to Postman Collections that you can use to test the endpoints.

  • Service account and CI tokens: Qwiet now supports the creation of Service Account tokens, which can in turn be used to create CI tokens. CI tokens are intended for the automated pipelines in which Qwiet runs; they add a layer of security there because they do not grant the bearer any permissions beyond those the pipeline needs.

  • Scan details: we've updated the dashboard to display extended metadata regarding the scan, which is useful for debugging and troubleshooting issues that may arise during the code scanning process.

  • Updated vulnerability descriptions: we've improved the vulnerability descriptions we display to include a detailed explanation of the root cause, showing developers what not to do and why the code as written leads to a vulnerability. The new descriptions also include actionable steps that help developers implement best practices, along with language-specific code samples that eliminate the issue.

  • General dashboard updates: we've released several improvements to the dashboard, including:

    • The ability to switch the specific branch for the application whose results you're viewing
    • Additional sorting parameters (e.g., scan time)
    • Quick links that make it easy to get in touch with our support team, talk to our sales representatives, and upgrade your Qwiet subscriptions
  • Interactive remediation: the interactive remediation feature allows developers to declare findings and patterns that preZero should account for when analyzing code, allowing them to customize the tool as needed.