Highlights: support for C/C++ apps, Go updates, secrets configuration updates, SCA for containers, and the
C/C++: We have added beta support for the analysis of applications written in C/C++.
Go: We've updated ShiftLeft CORE to now support the use of Go 1.19.
Secrets: We have added granular control over how ShiftLeft CORE scans for and identifies secrets. You can now enable/disable the identification of secrets and set your entropy threshold at the:
- Application level
- Organization level: you can set these values by updating your organization's configuration as a whole or by modifying just the code analysis configuration settings.
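To make the entropy setting concrete, here is an added example (not ShiftLeft's code) of how an entropy-based secret scanner classifies candidate tokens: each long alphanumeric run gets a Shannon-entropy score, and only tokens at or above the configured threshold are reported. The threshold value, the regex, the sample source and the key-looking string are all constructed for illustration.

```python
import math
import re

def shannon_entropy(token: str) -> float:
    """Shannon entropy of a token, in bits per character."""
    if not token:
        return 0.0
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Candidate tokens: runs of 20+ base64/hex-style characters (assumed pattern).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")

def find_secret_candidates(source: str, threshold: float = 4.0, enabled: bool = True):
    """Return (line_no, token, entropy) for candidates scoring >= threshold.

    `enabled` plays the role of the enable/disable switch and `threshold`
    the role of the entropy setting; a lower threshold flags more tokens,
    including ordinary identifiers, a higher one flags fewer.
    """
    if not enabled:
        return []
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            h = shannon_entropy(tok)
            if h >= threshold:
                hits.append((line_no, tok, round(h, 2)))
    return hits

# Constructed sample source; the API_KEY value is a made-up placeholder,
# the PLACEHOLDER value is low-entropy filler that should not be reported.
SAMPLE = '''\
AWS_REGION = "us-east-1"
API_KEY = "q7Rz2Lx9pWv3Mk8Hn4Jt6Bc1Dy5Fg0S"
PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
'''

if __name__ == "__main__":
    for hit in find_secret_candidates(SAMPLE):
        print(hit)
```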
Software composition analysis (SCA) for containers: SCA for containers is now out of beta and is generally available.
bestfix utility: We've added a tutorial on using the bestfix script, which provides remediation and scan improvement suggestions for your application's key ShiftLeft CORE findings.
Highlights: experimental support for Razor Pages, changes to finding statuses in the dashboard
Support for Razor Pages: We're pleased to announce our experimental feature supporting Razor Pages submitted as part of your C# project. We currently support only @page directives, though full support for all *.cshtml files is forthcoming.
Findings status values: We've made several changes to how finding statuses work in the dashboard:
We've added an open status value, which indicates that you have not changed the status value of the finding. The statuses available are now: Open, Fixed, Ignored, 3rd Party.
By default, the dashboard's findings screens (e.g., Vulnerabilities, OSS Vulnerabilities, etc.) only show findings with a status of Open. Any findings with a different status (Fixed, Ignored, 3rd Party) will be hidden until you change the status value filter.
Comments when setting a finding status to ignored: We've added a check to ShiftLeft CORE so that anyone setting the status of a finding to ignored must also add a comment to the finding that includes an explanation (this requirement applies regardless of whether you update the finding via API or the dashboard).
Last login timestamp: We have updated the Organization > Manage Users page in the dashboard to display each user's Last Login information.
New 3rd party finding status: In the dashboard, you can now set the status of findings to 3rd party. This allows you to indicate that the finding is in a third-party library, not your source code.
Containers SCA: The application summary and application overview on the ShiftLeft dashboard now display in-depth OSS information for container vulnerabilities.
C# without .NET 5.0 runtime: We have added instructions on analyzing C# applications if you're running ShiftLeft CORE on a machine without the required runtimes installed.
Scan metadata: the ShiftLeft UI displays comprehensive metadata information regarding the composition of your application (if you're unfamiliar with how ShiftLeft defines certain concepts, please see our metadata definitions in the documentation).
Highlights: Go 1.18, updates to build rules v2, continuous SCA, dashboard updates
Go: we have updated ShiftLeft Core to support the analysis of applications written using Go 1.18.
Build rules v2: our build rules v2 feature now supports the use of OWASP Top 10 - 2021 tags and severity ratings based on CVSS 3.1 scores:
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Continuous SCA: the continuous SCA feature alerts you to new OSS vulnerabilities disclosed after you've scanned your application. ShiftLeft monitors for newly discovered issues affecting your dependencies; if any are found, you'll see a notification under the dashboard's OSS Vulnerabilities tab. You should then rescan your application to populate the results in the dashboard.
Dashboard updates: we've updated the ShiftLeft dashboard with the following changes:
- The applications overview page, which lists all of the applications associated with your org, now features graphical representations of the findings by type and severity
- The new Organizations page allows you to see your user profile information and (if you're an admin) manage your org users and teams
- The findings listed in the dashboard now support the use of CVSS 3.1 and OWASP Top 10 - 2021 tags.
Highlights: C# improvements, Kotlin improvements, dashboard updates, and updates to the VS Code extension.
Analyzing C# applications: we have updated csharp2cpg so that you are no longer required to build your C# application before submitting it to ShiftLeft for analysis, though we still recommend doing so.
Analyzing Kotlin applications: We have added the following flags, which you can use during the analysis of Kotlin applications:
- --classpath <path>: adds a path to the classpath used by the compiler during analyses;
- --gradle-project-name <name>: the Gradle project name to be used when downloading dependencies;
- --gradle-configuration-name <name>: the Gradle configuration name to be used when downloading dependencies;
- --ignore-path <path>: the path to add to the list of directories that ShiftLeft will ignore during analyses.
Dashboard updates: we have updated the dashboard with the following improvements:
- The application summary view now includes additional visual displays (e.g., additional graphs alongside numeric indicators) to streamline the presentation of your data.
- The dashboard overview now features two additional tabs:
- Filtering by sources and sinks: When reviewing the data flow for individual findings, you can now select a specific source and sink to filter by; this allows you to triage vulnerabilities faster and determine which findings your code fixes would affect.
Updated VS Code extension: We've updated the VS Code extension, making UI updates and adding several options to the Command Palette.
API updates: We have added a series of endpoints to the ShiftLeft API, including:
- A series of findings-related endpoints that allow users to:
  - Check a scan against a set of rules (using another scan as a reference)
  - Set the status of one or more findings
  - Set the assignee for a finding
  - Get scan information from a specific branch
- An endpoint that returns a PCI-DSS report for a particular scan
ShiftLeft CORE Extension for VS Code: We are pleased to announce that our extension for VS Code is now available in the Visual Studio Marketplace. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE.
Policies: In addition to the existing default policies, we now offer one that combines the default policy, the sensitive data dictionary, and best practice guidelines. With this policy, ShiftLeft will show findings that are best-practice violations as well as attacker-reachable findings.
Highlights: VS Code extension, a new ability for team admins to add apps, docs for SAML/SSO integration
ShiftLeft CORE Extension for VS Code: We are pleased to announce that our extension for VS Code is currently in beta. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE. If you're interested in this extension, please contact ShiftLeft.
Team admin rights: We have updated the rights assigned to those who are team admins. Team admins can now add applications to the teams to which they are assigned; they can also move apps among their teams.
SAML and SSO: If you're looking into configuring a SAML 2.0 integration so that users can log into ShiftLeft with single sign-on, we've documented the end-to-end process.
Reminder: ShiftLeft's domain name change
By 1 August 2022, we will have completed our migration from https://www.shiftleft.io to https://app.shiftleft.io. Please ensure that your scripts, SAML/SSO configuration, and other ShiftLeft integrations are using the new domain.
Highlights: Default branches, dependencies reports, and improved scan details
Default branches: we have added the ability to set a default branch in the ShiftLeft Dashboard. Once a user selects a default branch, ShiftLeft will automatically show the user scan results from that branch instead of results from the latest scan.
Dependencies reporting: with the ShiftLeft Dashboard, you can now obtain a list of the libraries, packages, and external tooling used by your org's apps, as well as CVE IDs to help you find information about security issues that can result from the use of the dependency.
Scan details: the scan details section of the dashboard provides information about the scan that's useful for auditing and troubleshooting/support. We've updated this portion of the dashboard to display additional information.
Documentation updates: we've added several tutorials, including:
Highlights: SCA for Python and Go, updated build rules, additional Java support, refreshed API documentation, new access token types, Dashboard updates, and interactive remediation
Intelligent SCA for Python and Go: we are pleased to announce full SCA support for Python applications, as well as beta support for SCA for Go packages.
Build Rules v2: we have made many under-the-hood changes designed to improve the performance of our build rules functionality. However, you'll notice two things:
- Build rules can now be used to fail builds with open-source vulnerabilities
- You'll always see a report of the results printed whenever you execute build rules (previously, you had to pass in a --report flag when running sl check-analysis to view the report).
Java: we've expanded our support of Java applications to include those written using Java 14, 15, and 17.
API documentation: we've revamped our API documentation, expanding on the endpoint descriptions, adding sample values, and linking to Postman Collections that you can use to test the endpoints.
Service account and CI tokens: ShiftLeft now supports the creation of Service Account tokens, which can in turn be used to create CI tokens. CI tokens are intended for automated pipelines in which ShiftLeft runs; they are the safer choice there because they do not grant the bearer any extraneous permissions.
Scan details: we've updated the dashboard to display extended metadata regarding the scan, which is useful for debugging and troubleshooting issues that may arise during the code scanning process.
Updated vulnerability descriptions: we've improved the vulnerability descriptions we display to include a detailed explanation of the root cause, show developers what not to do, and why the code as-is leads to a vulnerability. The new descriptions also include actionable steps that help developers implement best practices and language-specific code samples that will eliminate the issue.
General dashboard updates: we've released several improvements to the dashboard, including:
- The ability to switch the specific branch for the application whose results you're viewing
- Additional sorting parameters (e.g., scan time)
- Quick links that make it easy to get in touch with our support team, talk to our sales representatives, and upgrade your ShiftLeft subscriptions
Interactive remediation: the interactive remediation feature allows developers to declare findings and patterns that NG SAST should account for when analyzing code, allowing them to customize the tool as needed.