2023
August
Highlights:
What's new
Security issues: preZero now displays security issues for every application you submit for analysis. These findings are instances of problematic code in applications that help you identify bad practices and potential problems that could result in vulnerabilities. These issues may not currently affect the security of your application, but they could become problematic in the future. preZero enables security issues for new accounts, but admins can enable this feature for existing users under org settings.
Support for ASP.NET Core apps: preZero is now compatible with apps using the ASP.NET Core framework.
Secrets detection: preZero has improved its secrets detection functionality; it no longer treats data structures as sensitive if one of the fields/members are deemed sensitive. Instead, preZero tracks the sensitive fields/member, resulting in fine-grained results and fewer false positives.
SBOM exports: For each application submitted to preZero, you can export the SBOM generated by preZero in various standards and formats, including CycloneDX and SPDX.
Updated preZero UI: We have released a new design for the preZero UI! You can now choose between the existing interface and the newly released one. Click Try our new design on the bottom-right of the UI to try out the new design. Return to the current version at any time by clicking Back to the classic design.
Qwiet the Noise: we've introduced a Qwiet the Noise button, which can help you focus on the most pressing issues. Toggling this button on applies the following filters:
- Vulnerabilities: filters for vulnerabilities of critical or high severity;
- OSS vulnerabilities: filters for OSS vulnerabilities of critical or high severity that are also reachable and exploitable.
You can find the Qwiet the Noise button by opening up your application and going to Findings > Vulnerabilities (or OSS Vulnerabilities). The toggle is next to the filters.
July
Highlights: CWE reports, new features for analysis of C# application
What's new
CWE report: preZero now generates a CWE report every time you submit an application for analysis. The CWE report displays a complete list of the CWEs present in your application and the associated findings that introduce the issue. In addition to viewing the report in the preZero dashboard, you can export it in PDF or HTML.
Identification of C# licenses: preZero's licensing detection feature now supports the detection of licenses used in NuGet packages to help you manage the legal risks regarding your OSS package/library usage.
Ignoring C# projects in scans: When submitting a C# application for analysis, you can use the --ignore-project flag to exclude one or more associated projects (e.g., test projects) from being scanned and improve the performance of preZero.
June
Highlights: new support for PHP, OSS licensing information and checks in build rules, and EPSS score and exploitability status filters
What's new
PHP: We are pleased to announce beta support for applications written using PHP.
OSS licensing information: preZero now includes detailed licensing information in the SBOM it generates to help you manage the legal risks regarding your OSS package/library usage. You can view the licensing information for the OSS packages leveraged by your application in the SBOM report or via API.
Licensing checks in build rules: We've updated our build rules features so that you can write build rules that check the licenses used; if a developer uses a package with a licensing model that introduces a conflict given how you bring your application to market, the build will fail.
Filtering by EPSS score: When reviewing scan results yielding OSS vulnerabilities in the Qwiet AI dashboard, you can filter based on a finding's EPSS score.
Filtering by exploitability status: You can filter OSS vulnerability findings using the exploitability filter; this allows you to identify findings with known exploits and those with no known exploits.
May
Highlights: new application reporting features, expanded support for Python applications, and the launch of Qwiet AI Services
What's new
Application Reporting: We have introduced a dedicated reporting section for each application you submit for analysis by Qwiet AI. This section allows you to view the software bill of materials (SBOM), view and download OWASP 2021 and OWASP 2017 information for your application, and download a report to check your application's compliance with PCI DSS requirements.
Python: We are pleased to announce beta support for applications written using Python 3.10 and later.
April
Highlights: Blacklight, OWASP reports via API, CVSS filtering, improvements
to the bestfix
script, and updates to our docs site
What's new
Blacklight: Qwiet AI's new Blacklight feature shows you up-to-date OSS vulnerability information, including those found in your containers. For each identified vulnerability, Qwiet AI displays the dates the vulnerability was reported, the source providing a proof of concept of the exploit, and the availability of the exploit (e.g., public, private, or commercial). The dashboard also shows the vulnerability's Exploit Prediction Score System (EPSS) score, helping you focus on findings with high EPSS and CVSS scores.
OWASP reports via API: You can now obtain a copy of your OWASP report (in either HTML or PDF format) via the Qwiet AI API.
CVSS filtering: When reviewing OSS vulnerabilities (including those for containers), you can filter for issues by setting the CVSS score range. The dashboard will then display all issues whose score falls into the set range. This feature is under Advanced Filters.
Update to the
bestfix
utility: We've updated ourbestfix
utility, which provides remediation and scan improvement suggestions for your application's key preZero findings, to print PDF reports for your convenience.Updated documentation: We have refreshed our docs site. In addition to updated styling, we have fixed and improved the search feature, fixed usage issues (including, but not limited to, those involving code blocks, navigation bars, and text displays), improved navigation markers, and launched a mobile-friendly version of the site.
February
Highlights: ShiftLeft CORE is now Qwiet AI preZero, updated support for applications written in C# and Python
What's new
ShiftLeft is now QwietAI: We are pleased to announce that ShiftLeft is now QwietAI, reflecting our product's ability to reduce noise for your AppSec and DevSecOps teams and allowing them to focus on the results that matter the most to your application's security. We've also changed the name of our platform to preZero. This name better reflects the preventative nature of the work we help you do: finding zero-day and pre-zero-day vulnerabilities.
AI learning: preZero now features AI-powered detection of vulnerabilities in your Java code. Our security researchers generate policy definitions, using knowledge from preZero's machine learning model to help define rules and dynamic policies. The model focuses especially on your in-house or custom third-party libraries. preZero then tags these vulnerabilities for review on the dashboard.
Updated C# support: We have updated our support for applications written in C# to include those written using C# 11.
Updated Python support: We have updated our Python support to include applications written using Python 3.9 and earlier.