Highlights: general availability for Python 3.10 and later, severity for OSS findings on the applications list page
- General availability for Python 3.10 and later: Support for applications written in Python 3.10 or later is now generally available. Use the --pythonsrc command-line flag. See this article for additional details.
- OSS findings severities on the applications list page: OSS findings on the applications list page now include a breakdown by severity, allowing you to grasp the overall severity of an application's findings without diving into the application details page.
Highlights: new preZero dashboard, exclude option for PHP, and syntax highlighting for code examples
preZero dashboard: The new dashboard and landing page provides a filterable, interactive Sankey chart that shows findings across teams, applications, and severity. It also includes a findings-over-time graph and several other data points.
PHP exclusions: When analyzing a PHP application, you can now exclude files and directories. Use the
Syntax highlighting for code examples: Code examples found in findings descriptions and other parts of the preZero web console now include syntax highlighting. This makes the code easier to read and follow, in order to understand the finding and possible solutions faster.
Highlights: updates to C#, auto-language detection and project name inferences, and resetting personal access tokens
C#: preZero now supports using full and relative file paths when users submit the --ignore-project flag to exclude projects from the scan.
Auto-language detection and project name inference: When using the sl analyze command, you no longer have to include the project name or language; preZero will auto-detect both pieces of information from your project. That is, sl analyze --app AppName --python <path/to/code> becomes sl analyze <path/to/code>. See Your first code analysis for additional information.
Reset personal access tokens: Users can now reset their personal access tokens.
Highlights: updates to Go, Python, SBOM export, Docker image, and UI
Go: preZero now supports the analysis of applications written in Go 1.21.
Python: Users submitting applications written in Python 3.10 (or later) can have preZero ignore specific file paths and directories during code analysis.
SBOM export: We have updated the SBOM that preZero generates for your application to include the number of exploitable CVEs.
Docker image for preZero integration: We have released a Docker image compatible with machines built on ARM64 architecture.
preZero UI: Our updated UI is now generally available; at this time, all users will be migrated to the UI, and the classic UI is no longer available.
Highlights: security issues, support for ASP.NET apps, improved secrets detection, SBOM exports, updated preZero UI, Qwiet the Noise
Security issues: preZero now displays security issues for every application you submit for analysis. These findings are instances of problematic code in applications that help you identify bad practices and potential problems that could result in vulnerabilities. These issues may not currently affect the security of your application, but they could become problematic in the future. preZero enables security issues for new accounts, but admins can enable this feature for existing users under org settings.
Support for ASP.NET Core apps: preZero is now compatible with apps using the ASP.NET Core framework.
Secrets detection: preZero has improved its secrets detection functionality; it no longer treats an entire data structure as sensitive when one of its fields/members is deemed sensitive. Instead, preZero tracks only the sensitive fields/members, resulting in finer-grained results and fewer false positives.
SBOM exports: For each application submitted to preZero, you can export the SBOM generated by preZero in various standards and formats, including CycloneDX and SPDX.
Updated preZero UI: We have released a new design for the preZero UI! You can now choose between the existing interface and the newly released one. Click Try our new design on the bottom-right of the UI to try out the new design. Return to the current version at any time by clicking Back to the classic design.
Qwiet the Noise: We've introduced a Qwiet the Noise button, which can help you focus on the most pressing issues. Toggling this button on applies the following filters:
- Vulnerabilities: filters for vulnerabilities of critical or high severity;
- OSS vulnerabilities: filters for OSS vulnerabilities of critical or high severity that are also reachable and exploitable.
You can find the Qwiet the Noise button by opening up your application and going to Findings > Vulnerabilities (or OSS Vulnerabilities). The toggle is next to the filters.
Highlights: CWE reports, new features for analysis of C# applications
CWE report: preZero now generates a CWE report every time you submit an application for analysis. The CWE report displays a complete list of the CWEs present in your application and the associated findings that introduce the issue. In addition to viewing the report in the preZero dashboard, you can export it in PDF or HTML.
Identification of C# licenses: preZero's licensing detection feature now supports the detection of licenses used in NuGet packages to help you manage the legal risks regarding your OSS package/library usage.
Ignoring C# projects in scans: When submitting a C# application for analysis, you can use the --ignore-project flag to exclude one or more associated projects (e.g., test projects) from being scanned and improve the performance of preZero.
Highlights: new support for PHP, OSS licensing information and checks in build rules, and EPSS score and exploitability status filters
PHP: We are pleased to announce beta support for applications written using PHP.
OSS licensing information: preZero now includes detailed licensing information in the SBOM it generates to help you manage the legal risks regarding your OSS package/library usage. You can view the licensing information for the OSS packages leveraged by your application in the SBOM report or via API.
Licensing checks in build rules: We've updated our build rules features so that you can write build rules that check the licenses used; if a developer uses a package with a licensing model that introduces a conflict given how you bring your application to market, the build will fail.
Filtering by EPSS score: When reviewing scan results yielding OSS vulnerabilities in the Qwiet AI dashboard, you can filter based on a finding's EPSS score.
Filtering by exploitability status: You can filter OSS vulnerability findings using the exploitability filter; this allows you to identify findings with known exploits and those with no known exploits.
Highlights: new application reporting features, expanded support for Python applications, and the launch of Qwiet AI Services
Application Reporting: We have introduced a dedicated reporting section for each application you submit for analysis by Qwiet AI. This section allows you to view the software bill of materials (SBOM), view and download OWASP 2021 and OWASP 2017 information for your application, and download a report to check your application's compliance with PCI DSS requirements.
Python: We are pleased to announce beta support for applications written using Python 3.10 and later.
Highlights: Blacklight, OWASP reports via API, CVSS filtering, improvements to the bestfix script, and updates to our docs site
Blacklight: Qwiet AI's new Blacklight feature shows you up-to-date OSS vulnerability information, including those found in your containers. For each identified vulnerability, Qwiet AI displays the dates the vulnerability was reported, the source providing a proof of concept of the exploit, and the availability of the exploit (e.g., public, private, or commercial). The dashboard also shows the vulnerability's Exploit Prediction Score System (EPSS) score, helping you focus on findings with high EPSS and CVSS scores.
OWASP reports via API: You can now obtain a copy of your OWASP report (in either HTML or PDF format) via the Qwiet AI API.
CVSS filtering: When reviewing OSS vulnerabilities (including those for containers), you can filter for issues by setting the CVSS score range. The dashboard will then display all issues whose score falls into the set range. This feature is under Advanced Filters.
Update to the bestfix utility: We've updated our bestfix utility, which provides remediation and scan improvement suggestions for your application's key preZero findings, to print PDF reports for your convenience.
Updated documentation: We have refreshed our docs site. In addition to updated styling, we have fixed and improved the search feature, fixed usage issues (including, but not limited to, those involving code blocks, navigation bars, and text displays), improved navigation markers, and launched a mobile-friendly version of the site.
Highlights: ShiftLeft CORE is now Qwiet AI preZero, updated support for applications written in C# and Python
ShiftLeft is now Qwiet AI: We are pleased to announce that ShiftLeft is now Qwiet AI, reflecting our product's ability to reduce noise for your AppSec and DevSecOps teams and allowing them to focus on the results that matter the most to your application's security. We've also changed the name of our platform to preZero. This name better reflects the preventive nature of the work we help you do: finding zero-day and pre-zero-day vulnerabilities.
AI learning: preZero now features AI-powered detection of vulnerabilities in your Java code. Our security researchers generate policy definitions, using knowledge from preZero's machine learning model to help define rules and dynamic policies. The model focuses especially on your in-house or custom third-party libraries. preZero then tags these vulnerabilities for review on the dashboard.
Updated C# support: We have updated our support for applications written in C# to include those written using C# 11.
Updated Python support: We have updated our Python support to include applications written using Python 3.9 and earlier.