2024

June

Highlights: AutoFix findings filter, SBOM VEX export

What's new

  • AutoFix findings filter: when viewing findings, a new filter can be applied to only show findings that have an AutoFix suggestion available. This filter is also applied by default when you click on available fixes on the dashboard or on the application scan summary.
  • SBOM VEX export: preZero now allows the creation of a Vulnerability Exploitability eXchange (VEX) document. A VEX document is a form of a security advisory that indicates whether a dependency or dependencies are affected by a known vulnerability or vulnerabilities. The export can be generated from the SBOM tab on the application details section of the preZero web console. See the SBOM documentation page for additional guidance.
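As an added illustration of what a VEX document does when applied to SBOM findings (this is example code written for these notes, not preZero's exporter, and the page does not say which VEX format preZero emits, so the OpenVEX JSON layout is an assumption here; the package URLs, the author address and the CVE identifiers are constructed placeholders):

```python
import json
from datetime import datetime, timezone

# Assumption: OpenVEX-style document layout; the page does not state which VEX
# format preZero exports, so this layout is illustrative only.
OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATION = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample input: SBOM dependencies with vulnerability ids reported
# against them. The CVE ids are placeholders, not real advisories.
SBOM_FINDINGS = [
    {"purl": "pkg:maven/org.example/parser@1.2.3", "vuln": "CVE-0000-00001"},
    {"purl": "pkg:maven/org.example/parser@1.2.3", "vuln": "CVE-0000-00002"},
    {"purl": "pkg:npm/example-http@4.0.0", "vuln": "CVE-0000-00003"},
]


def build_vex(author, statements, timestamp=None):
    """Assemble an OpenVEX-style document from a list of statement dicts."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": "https://example.invalid/vex/constructed-1",  # constructed id
        "author": author,
        "timestamp": ts,
        "version": 1,
        "statements": statements,
    }


def validate_vex(doc):
    """Return a list of problems; an empty list means the document is usable."""
    errors = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        errors.append("unexpected @context")
    for i, st in enumerate(doc.get("statements", [])):
        if not st.get("vulnerability", {}).get("name"):
            errors.append(f"statement {i}: missing vulnerability name")
        if st.get("status") not in VALID_STATUS:
            errors.append(f"statement {i}: invalid status {st.get('status')!r}")
        # A not_affected claim without a justification is not a usable assertion.
        if st.get("status") == "not_affected" and st.get("justification") not in VALID_JUSTIFICATION:
            errors.append(f"statement {i}: not_affected requires a justification")
        if not st.get("products"):
            errors.append(f"statement {i}: no products listed")
    return errors


def actionable_findings(findings, doc):
    """Drop findings the VEX marks not_affected or fixed; keep everything else."""
    if validate_vex(doc):
        raise ValueError("refusing to apply an invalid VEX document")
    suppressed = set()
    for st in doc["statements"]:
        if st["status"] in ("not_affected", "fixed"):
            for prod in st["products"]:
                suppressed.add((prod["@id"], st["vulnerability"]["name"]))
    return [f for f in findings if (f["purl"], f["vuln"]) not in suppressed]


# Constructed statements: one reachability-based exclusion, one fixed package.
SAMPLE_STATEMENTS = [
    {
        "vulnerability": {"name": "CVE-0000-00001"},
        "products": [{"@id": "pkg:maven/org.example/parser@1.2.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    },
    {
        "vulnerability": {"name": "CVE-0000-00003"},
        "products": [{"@id": "pkg:npm/example-http@4.0.0"}],
        "status": "fixed",
    },
]
SAMPLE_VEX = build_vex("appsec@example.invalid", SAMPLE_STATEMENTS, "2024-06-01T00:00:00+00:00")

if __name__ == "__main__":
    print(json.dumps(SAMPLE_VEX, indent=2))
    for f in actionable_findings(SBOM_FINDINGS, SAMPLE_VEX):
        print("still actionable:", f["purl"], f["vuln"])
```

Running the script prints the document and leaves only the finding no statement covers (CVE-0000-00002 on the parser package). The validator rejects a `not_affected` statement that carries no justification, which is the check a consumer should make before letting a VEX file silence a finding.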

May

Highlights: AutoFix enhancements, SCIM v2, SCA-only mode, API enhancements

What's new

  • AutoFix enhancements: AutoFix suggestions are now available side by side with data flows in the details view of findings. Added panels to dashboard and application details pages that show how many AutoFix suggestions are available. Super Admins and Owners can now request the AutoFix capability directly from the preZero web UI. AutoFix can be enabled/disabled at an organization and application level, giving administrators full and granular control over this capability.
  • SCIM v2: Qwiet preZero now supports SCIM v2 (System for Cross-domain Identity Management). This allows for seamless integration with Identity Providers (IdPs) and simpler user provisioning and management. Please refer to the SCIM documentation page to learn more about it.
  • SCA-only mode: Qwiet preZero now allows users to perform SCA analysis (including container SCA) without SAST or any other processing steps by specifying the --sca-only-upload CLI option. You can learn more about it on the SCA documentation page.
  • API enhancements: The ListTeams endpoint now includes the user email for the team members. Several improvements to documentation and Postman collection.

April

Highlights: AutoFix, Java (Source) - Beta, JavaScript (Source) - Beta, additional filters for organization reports, filter for sink user methods, audit logs, analysis of multilanguage applications - Beta

What's new

  • AutoFix: Qwiet AI AutoFix uses large language models (LLMs) to generate code fix suggestions for findings produced by preZero analyses. In addition to code changes, AutoFix also provides steps to address the vulnerability findings. This capability is in beta, and not generally available. Please contact Customer Success if you need assistance.
  • Java (Source) - Beta: In addition to Java bytecode, preZero can also analyze Java source code using the CLI option --javasrc (or by default when a language is not specified and language detection is in use). This capability is now in beta. Customers that can't or don't want to build their Java projects in order to analyze them can leverage this CPG frontend. Learn more about it here.
  • JavaScript (Source) - Beta: This new CPG frontend allows preZero to analyze JavaScript and TypeScript applications without building them first. Use the CLI option --jssrc (or by default when a language is not specified and language detection is in use). Learn more about it here.
  • Additional filters for organization reports: New filters available when exporting organization reports: OSS Reachability and OSS Exploitability.
  • Filter for sink user methods: In some cases, when a sink is in a third party library or in code that was not part of the analysis, the sink is marked as unknown or details are not available and therefore findings cannot be filtered by the sink. This new feature allows you to filter by the user call that flows into that unknown sink, allowing developers and security practitioners to quickly filter and fix related findings.
  • Audit logs: This new feature allows you to download a CSV file with a list of write operations (POST, PUT, PATCH or DELETE) that have been performed against resources in the organization, for a given year and month. API documentation is available at https://docs.shiftleft.io/api/. Please note that this capability is not enabled by default. Please contact Customer Success if you need assistance.
  • Analysis of multilanguage applications: preZero can now analyze multilanguage applications with a single CLI command. Languages present in the target path will be automatically detected, and the right CPG frontend will be used for each language. Results are aggregated and appear as part of a single application. Note that this feature is currently in beta and it's actively being improved. Please refer to our Multilanguage documentation to learn more about this feature.

March

Highlights: Support for PHP 8.3, support for Java 21, PCI DSS v4.0

What's new

  • Support for PHP 8.3: Added support for applications written in PHP 8.3. Supported versions are now 5.2-8.3.
  • Support for Java 21: Added support for applications written in Java 21. Supported versions are now 7-11, 14-15, 17, or 21.
  • PCI DSS v4.0: Updated the PCI compliance report to indicate that it's compatible with PCI DSS v4.0. Qwiet preZero focuses on 18 specific requirements across sections 3, 4, 6, and 10 of PCI DSS and reports whether each requirement is in compliance or not.

February

Highlights: Multi-select licenses for SBOM, support for Go 1.22, support for .NET 8.0

What's new

  • Multi-select licenses for SBOM: You can now select multiple licenses when filtering dependencies on the SBOM page.

  • Support for Go 1.22: We added support for applications written in Go 1.22.

  • Support for .NET 8.0: We also added support for C# applications that use the .NET 8.0 runtime.

January

Highlights: Ungrouped Apps tab in the Applications page, Team Manager role, OSS license data improvements, exclude options for Go packages

What's new

  • Ungrouped Apps tab on the Applications page: A new Ungrouped Apps tab on the Applications page lets you quickly find apps that are not currently part of a group.

  • Team Manager role: A new Team Manager role has been added to the Team Roles. This new Team Manager role is similar to Team Admin but doesn't have permissions to delete applications.

  • OSS license data improvements: New data sources for Open Source licensing data have been added. Quality and availability of the data have improved. As a result, customers will see fewer Unknown licenses.

  • Exclude options for Go packages: When analyzing a Go application, you can now exclude packages by providing the full path or a regular expression. See the Go documentation for more details.