2024
November
Highlights: Check Analysis maximum findings, AutoFix improvements, JetBrains plugin now generally available, SCIM improvements
- Check Analysis maximum findings: `sl check-analysis` now accepts a `--max-findings` option that specifies the maximum number of findings to return when `--no-build-rules` is set. Check the CLI reference documentation for this and other options.
- AutoFix improvements: when an error occurs, Qwiet AI AutoFix can now provide more granular messages (e.g. bad GitHub credentials, unable to generate patch). The feedback form is now available even when a fix suggestion isn't. We also improved cases where the Mechanic agent was not formatting code correctly.
- JetBrains plugin now generally available: The Qwiet AI plugin for JetBrains IDEs is now generally available in the JetBrains Marketplace. The plugin is compatible with the latest version (2024.243) of IntelliJ IDEA Ultimate, GoLand, PhpStorm, PyCharm, and several other JetBrains products.
- SCIM improvements: performance and response times have been improved for several SCIM v2 endpoints. A new integration token role called SCIM Integration Token is now available.
October
Highlights: C# enhancements, support for C/C++ compilation databases, support for compressed files, disable multilanguage, REST API enhancements
- C# enhancements: preZero's CLI (`sl`) now allows using a signed, self-contained binary for analyzing C# applications on macOS with an opt-in flag: `--csharp2cpg-signed-binary`. All users running preZero's CLI on macOS will eventually be switched to using this signed, self-contained binary by default. In the meantime, see the documentation for analyzing C# applications to try it out.
- Support for C/C++ compilation databases: When analyzing C/C++ applications, preZero can now extract compiler options, source files, and other build information from a compilation database. For more details, see the Using a compilation database section of the C/C++ documentation.
- Support for compressed files: preZero's CLI (`sl`) can now analyze source code in compressed files. The following formats are supported: `.zip`, `.tar`, `.gz` (gzip), and `.bz2` (bzip2).
- Disable multilanguage: Multilanguage can now be disabled for a particular analysis using the option `--disable-multilanguage-analysis`. The most prevalent language will be detected and used for analysis. For additional information, check out the documentation for analyzing multilanguage applications.
- REST API enhancements: A new endpoint has been added to allow API clients to remove a user from the organization: `DELETE /orgs/{orgID}/rbac/users/{userIDv2}`. The `GET /orgs/{orgID}/rbac/teams` operation now supports a query parameter called `no_members`. When this parameter is set to `1`, the response will not include the members for each team. For additional details, review the API documentation.
September
Highlights: Saved Searches, AutoFix enhancements, IntelliJ IDEA Ultimate plugin (alpha), Support for Go 1.23, Secrets-only mode
What's new
- Saved Searches: preZero now offers the ability to save and recall searches in both the Organization Findings and Application Findings pages. Each user can save up to 10 searches. Once a search is recalled, it can also be edited and deleted as needed.
- AutoFix enhancements: When AutoFix PR is configured in manual mode (as opposed to the default automatic), users can now selectively add AutoFix suggestions to a pull request. Pull requests now include additional information about findings, and links that allow the user to go back to the preZero web UI.
- IntelliJ IDEA Ultimate plugin (alpha): preZero now offers a plugin for JetBrains IntelliJ IDEA Ultimate IDE. This plugin is in an alpha state and not yet available in the JetBrains Marketplace. Customers who are willing to try it and work with Qwiet AI to provide feedback, please reach out to your Customer Success Manager.
- Support for Go 1.23: preZero can now analyze applications written in Go 1.23 and earlier versions.
- Secrets-only mode: preZero's CLI (`sl`) now allows you to analyze applications in secrets-only mode. Simply use the CLI option `--secrets-only` to skip all other analysis steps except secrets detection. Note that bytecode applications (e.g. compiled `.jar` files) do not support this option.
August
Highlights: CLI structured output, Secrets v2, C# enhancements, AutoFix enhancements
What's new
- CLI structured output: The `sl analyze` command can now write scan details in a structured format to a file. You can specify the format (JSON or YAML) and the location of the file. Additionally, you can choose to include additional VCS and CI information. Review the documentation for additional details.
- Secrets v2: In this release, preZero can now detect secrets, hard-coded values, sensitive information, etc., in all files that are part of the repository or directory being analyzed, not just code. You can learn more about this feature in the Secrets V2 documentation page.
- C# enhancements: The C# module has been enhanced and simplified to be consistent across all architectures. Additional parameters are now available: `--exclude`, `--exclude-regex`, and `--cpg-root-dir`.
- AutoFix enhancements: AutoFix suggestions now include code line numbers and improved syntax highlighting.
July
Highlights: AutoFix enhancements, Organization Findings, Multilanguage support enhancements, SCIM enhancements
What's new
- AutoFix enhancements: Qwiet AI AutoFix can now automatically or manually create pull requests on GitHub repositories. Organizations can configure this new feature in the Organization Settings page.
- Organization Findings: The new Findings tab in the Reporting section, also known as Organization Findings, allows you to view findings for all applications in the organization for the selected time period, all on the same page. There are more than 20 filters to choose from, and the results can be exported as a comma-separated values (CSV) file. Note that clicking the nodes in the Dashboard's sankey chart now takes the user to a filtered view in this new Organization Findings page. Additionally, by refactoring the way that data is loaded, we have greatly improved the performance of the Dashboard.
- Multilanguage support enhancements: When analyzing multilanguage applications, entire languages can now be excluded with the option `--exclude-languages`. Also, additional parameters can now be provided to specific languages using the option `--<language>.<option>=<value>`.
- SCIM enhancements: The SCIM integration can now map users to groups instead of teams. Enable this option in the Organization Settings page. SCIM is now generally available for users that have the SAML integration enabled.
June
Highlights: AutoFix findings filter, SBOM VEX export
What's new
- AutoFix findings filter: when viewing findings, a new filter can be applied to only show findings that have an AutoFix suggestion available. This filter is also applied by default when you click on available fixes on the dashboard or on the application scan summary.
- SBOM VEX export: preZero now allows the creation of a Vulnerability Exploitability eXchange (VEX) document. A VEX document is a form of a security advisory that indicates whether a dependency or dependencies are affected by a known vulnerability or vulnerabilities. The export can be generated from the SBOM tab on the application details section of the preZero web console. See the SBOM documentation page for additional guidance.
May
Highlights: AutoFix enhancements, SCIM v2, SCA-only mode, API enhancements
What's new
- AutoFix enhancements: AutoFix suggestions are now available side by side with data flows in the details view of findings. Added panels to dashboard and application details pages that show how many AutoFix suggestions are available. Super Admins and Owners can now request the AutoFix capability directly from the preZero web UI. AutoFix can be enabled/disabled at an organization and application level, giving administrators full and granular control over this capability.
- SCIM v2: Qwiet preZero now supports SCIM v2 (System for Cross-domain Identity Management). This allows for seamless integration with Identity Providers (IdPs) and simpler user provisioning and management. Please refer to the SCIM documentation page to learn more about it.
- SCA-only mode: Qwiet preZero now allows users to perform SCA analysis (including container SCA) without SAST or any other processing steps by specifying the `--sca-only-upload` CLI option. You can learn more about it on the SCA documentation page.
- API enhancements: The ListTeams endpoint now includes the user email for the team members. Several improvements were also made to the documentation and the Postman collection.
April
Highlights: AutoFix, Java (Source) - Beta, JavaScript (Source) - Beta, additional filters for organization reports, filter for sink user methods, audit logs, analysis of multilanguage applications - Beta
What's new
- AutoFix: Qwiet AI AutoFix uses large language models (LLMs) to generate code fix suggestions for findings produced by preZero analyses. In addition to code changes, AutoFix also provides steps to address the vulnerability findings. This capability is in beta, and not generally available. Please contact Customer Success if you need assistance.
- Java (Source) - Beta: In addition to Java bytecode, preZero can also analyze Java source code using the CLI option `--javasrc` (or by default when a language is not specified and language detection is in use). This capability is now in beta. Customers that can't or don't want to build their Java projects in order to analyze them can leverage this CPG frontend. Learn more about it here.
- JavaScript (Source) - Beta: This new CPG frontend allows preZero to analyze JavaScript and TypeScript applications without building them first. Use the CLI option `--jssrc` (or by default when a language is not specified and language detection is in use). Learn more about it here.
- Additional filters for organization reports: New filters available when exporting organization reports: OSS Reachability and OSS Exploitability.
- Filter for sink user methods: In some cases, when a sink is in a third party library or in code that was not part of the analysis, the sink is marked as unknown or details are not available and therefore findings cannot be filtered by the sink. This new feature allows you to filter by the user call that flows into that unknown sink, allowing developers and security practitioners to quickly filter and fix related findings.
- Audit logs: This new feature allows you to download a CSV file with a list of write operations (`POST`, `PUT`, `PATCH` or `DELETE`) that have been performed against resources in the organization, for a given year and month. API documentation is available at https://docs.shiftleft.io/api/. Please note that this capability is not enabled by default. Please contact Customer Success if you need assistance.
- Analysis of multilanguage applications: preZero can now analyze multilanguage applications with a single CLI command. Languages present in the target path will be automatically detected, and the right CPG frontend will be used for each language. Results are aggregated and appear as part of a single application. Note that this feature is currently in beta and it's actively being improved. Please refer to our Multilanguage documentation to learn more about this feature.
March
Highlights: Support for PHP 8.3, support for Java 21, PCI DSS v4.0
What's new
- Support for PHP 8.3: Added support for applications written in PHP 8.3. Supported versions are now 5.2-8.3.
- Support for Java 21: Added support for applications written in Java 21. Supported versions are now 7-11, 14-15, 17, or 21.
- PCI DSS v4.0: Updated the PCI compliance report to indicate that it's compatible with PCI DSS v4.0. Qwiet preZero focuses on 18 specific requirements across sections 3, 4, 6, and 10 of PCI DSS and reports whether each requirement is in compliance or not.
February
Highlights: Multi-select licenses for SBOM, support for Go 1.22, support for .NET 8.0
What's new
- Multi-select licenses for SBOM: You can now select multiple licenses when filtering dependencies on the SBOM page.
- Support for Go 1.22: We added support for applications written in Go 1.22.
- Support for .NET 8.0: We also added support for C# applications that use the .NET 8.0 runtime.
January
Highlights: Ungrouped Apps tab in the Applications page, Team Manager role, OSS license data improvements, exclude options for Go packages
What's new
- Ungrouped Apps tab on the Applications page: A new Ungrouped Apps tab in the Applications page lets you quickly find apps that are not currently part of a group.
- Team Manager role: A new Team Manager role has been added to the Team Roles. This new Team Manager role is similar to Team Admin but doesn't have permissions to delete applications.
- OSS license data improvements: New data sources for Open Source licensing data have been added. Quality and availability of the data have improved. As a result, customers will see fewer Unknown licenses.
- Exclude options for Go packages: When analyzing a Go application, you can now exclude packages by providing the full path or a regular expression. See the Go documentation for more details.