Mend for Azure Repos Release Notes

Mend.io may modify this page retroactively from time to time.
This integration is hosted by Mend.io. New major versions are traditionally released every two weeks.
Click here to view known issues in repo integrations.
Access all release notes for Mend.io’s products.

Version 24.10.3 (17-November-2024)

Unified Agent 24.10.3-199 | Renovate 38.142.7 | Remediate 24.10.3 | Pre-Scan Builder (PSB) 24.9.2

New Features and Updates

The following parameters can now configured to be either overridden or appended to:
"includes", "excludes", "archiveIncludes", and "archiveExcludes", by using the "uaConfigMergeSetting" parameter in the repo-config.json file.

Version 24.10.2 (03-November-2024)

Unified Agent 24.10.2-198 | Renovate 38.115.1 | Remediate 24.10.2 | Pre-Scan Builder (PSB) 24.9.2

Resolved Issues

Fixed a mismatch issue where the License checkrun didn't show a partial scan failure warning while the Vulnerability checkrun did.

Version 24.9.2 (13-October-2024)

Unified Agent 24.9.1.2-185 | Renovate 38.59.2 | Remediate 24.9.2 | Pre-Scan Builder (PSB) 24.9.1-1

New Features and Updates

Upgraded the default Python version in the scanner to 3.8.12 and the default poetry version to 1.6.0.

Resolved Issues

Fixed an issue where the check run status was stuck in status "In progress" while retrying a failed scan.
Fixed an issue accessing public dependencies not available in private Gradle registries during the pre-scan build (PSB).

Version 24.9.1 (22-September-2024)

Unified Agent 24.9.1-180 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1

New Features and Updates

Secrets encrypted on the dedicated encryption page can now be scoped to the whole organization (previously this was only possible for repos or projects).
You can now set the "Organization/Group" field in the encryption form to the format of "organization_name/*" for this to work.
When a *.gemspec file is added or edited, a scan will be triggered automatically.

Resolved Issues

Fixed an issue where Mend projects were created in the default Mend organization instead of the specified Product/Application when using the customPropertyProductMapping feature, if the .whitesource file defined additional base branches beyond those in the global configuration.

Version 24.8.2 (09-September-2024)

Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1

Resolved Issues

Fixed an issue where uppercase letters in the excludes statement in the whitesource.config file were being read as lowercase.

Version 24.8.1.2 (28-August-2024)

Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1

Resolved Issues

Fixed an issue which led to NuGet hostRules being ignored by the integration.

Version 24.7.2 (11-August-2024)

Unified Agent 24.7.2-155 | Renovate 37.440.7 | Remediate 24.7.2 | Pre-Scan Builder (PSB) 24.7.2

Resolved Issues

Fixed an issue that led to incorrect Gradle versions being used by the scanner to resolve dependencies in projects that use Java 17 or above.

Version 24.7.1 (28-July-2024)

Unified Agent 24.7.1-148 | Renovate 37.438.0 | Remediate 24.7.1 | Pre-Scan Builder (PSB) 24.6.2

New Features and Updates

Users can now set configMode to LOCAL in the global configuration, which repos will inherit. The global configuration can include a whitesource.config file, merged with local repo configurations. Repository-level configuration overrides global configuration. This behavior also applies to the use of configExternalURL.

Resolved Issues

Fixed an issue leading to the controller failing to process large IaC scan results.
Fixed an edge-case null pointer exception that caused the Scanner to fail.
Fixed an issue that caused rate limit errors in Azure DevOps by improving API performance through improved caching, retry logic, and reducing unnecessary API calls.

Version 24.6.2 (15-July-2024)

Unified Agent 24.6.2-146 | Renovate 37.425.1 | Remediate 24.6.2 | Pre-Scan Builder (PSB) 24.6.2

New Features and Updates

git-lfs is now installed in the Scanner and Remediate, for successful scanning of repositories that require this technology, to be properly cloned.

Resolved Issues

Fixed an issue leading to a false partial result message in the scanner, for some .NET project scans.

Version 24.6.1 (01-July-2024)

Unified Agent 24.6.1-144 | Renovate 37.413.2 | Remediate 24.6.1.1 | Pre-Scan Builder (PSB) 24.6.1

New Features and Updates

Improved the logic for the scheduled issue sync to only sync projects with changes to CVE list, CVE scores or ignored alerts, instead of syncing all projects with any modification to the Alerts category (applicable for Mend SCA Core).
.NET versions in the scanner were updated to: 6.0.421, 7.0.408, 8.0.204.

Resolved Issues

Fixed an issue that prevented automatic Renovate pull requests in repositories with no commits.
Fixed an issue that caused a null pointer exception when Mend was trying to create a work item in the project where the work item description was disabled (no System.Description field).
Fixed an issue where the 'ignoreSpecificVulnerabilities' setting did not function correctly when global configuration for this parameter is set in both 'whitesource-config' project and 'whitesource-config' repository of a regular project.
Fixed an issue where neutral checks after failures were incorrectly displayed as passed when using failOnVulnerabilityMinCvss in a feature branch.
Fixed an issue with PSB falsely warning about an invalid hostType (hostType gradle) when "hostType": "maven" is configured in the hostRule.

Version 24.5.3 (16-June-2024)

Unified Agent 24.5.3-137 | Renovate 37.368.10 | Remediate 24.5.3 | Pre-Scan Builder (PSB) 24.5.3

New Features and Updates

Partial failure reports controlled by the strictMode parameter were enhanced to include errors and warnings generated by the Unified Agent. The report structure was also updated to provide a better user experience.

Resolved Issues

Fixed an issue where enabling both LOG_FORMAT_JSON and EXTERNAL_LOG_IN_CONSOLE caused duplicate log statements in JSON and plaintext formats.

Version 24.5.2 (02-June-2024)

Unified Agent 24.5.1-134 | Renovate 37.368.10 | Remediate 24.5.2 | Pre-Scan Builder (PSB) 24.5.2

New Features and Updates

The strictMode parameter now supports updated values:
- none: No warnings or errors published in the Scan Details report.
- warning: Warnings and errors published, but do not cause Security Check failures.
- failure: Warnings and errors published, and errors cause Security Check failures.
- failOnWarning: Warnings and errors published, and both cause Security Check failures.
Added a new parameter strictModeInfo to control the inclusion of INFO logs in the Scan Details report.
Node was updated to version 20.12.0 in the scanner
npm was updated to version 10.5.0 in the scanner

Resolved Issues

Fixed a null pointer exception when Mend was trying to create a work item in a project where work item description is disabled (no System.Description field).
Fixed an issue where work item descriptions exceeding 1 million characters would cause the Azure DevOps API to report a 500 error. Moving forward, such descriptions will be truncated.
Private registries hosted in Azure require encryption for a successful connection. Encryption was added to the host rules implementation, to allow a successful connection.
(SAST) Commits without analysis-relevant files are now handled correctly.

Version 24.5.1.2 (20-May-2024)

Unified Agent 24.5.1-134 | Renovate 37.351.2 | Remediate 24.4.2 | Pre-Scan Builder (PSB) 24.5.1

New Features and Updates

Versions 3.10 and 3.12 of Python are now installed into the Scanner, for scanning projects using these versions.
A scan will now be triggered when changes are made to a Cargo.lock file.

Resolved Issues

Fixed an issue that prevented Config Change check from failing when instead of the standard " U+0022 QUOTATION MARK, the “ U+201C LEFT DOUBLE QUOTATION MARK or ” U+201D RIGHT DOUBLE QUOTATION MARK were used.
Fixed an issue where the controller logs contained incorrect repository names and incorrect log messages during app re-installation events (Org name was used where Repo name should have been used).
Fixed an issue that could prevent issue publishing due to a null pointer exception.
Fixed: In some scenarios of npm resolution, unhandled exceptions during the parsing of package.json files led to scan failure. The previously unhandled exceptions will now be handled properly. Furthermore, a partial result warning will be reported by the Unified Agent, in case a package.json file couldn’t be parsed.

Version 24.4.1.2 (21-April-2024)

Unified Agent 24.4.1-132 | Renovate 37.261.0 | Remediate 24.4.1 | Pre-Scan Builder (PSB) 24.4.1

New Features and Updates

Improved error and warning messages in strictMode for Nuget scans.
Improved reporting of Unified Agent failures in Gradle projects.
SPM Swift resolution is now supported by the Unified Agent, including error and warning messages in strictMode for Swift scans.

Resolved Issues

Fixed an issue where the strictMode setting was not correctly creating reports and failing the Security Check if there were no vulnerabilities meeting the CVSS threshold defined in failOnVulnerabilityMinCvss.
Previously, if lock files were found in the repo and the private registry was configured via host rules, the configuration via host rules was not used. Moving forward, host rules configuration will be used to define private registry credentials regardless of the presence of lock files in the repo.

Version 24.3.2 (09-April-2024)

Unified Agent 24.3.2-128 | Renovate 37.261.0 | Remediate 24.3.2 | Pre-Scan Builder (PSB) 24.3.1

New Features and Updates

Partial failure reports controlled by the strictMode parameter were enhanced to include errors and warnings generated by the Unified Agent.
The report structure was also updated to provide a better user experience.
Added support for dynamic tool installation for Maven, Poetry, and Pipenv.

Resolved Issues

Fixed a null pointer exception when publishing issues for libraries with a CVSS score of 0.

Version 24.3.1 (25-March-2024)

Unified Agent 24.3.1-127 | Renovate 37.239.0 | Remediate 24.3.1 | Pre-Scan Builder (PSB) 24.3.1

New Features and Updates

The path and location of source code files where license policy violations were found will now be mentioned in the issues and checks. Previously, the path would only be displayed for the dependencies specified in package managers.
PSB - HTTP is now allowed in host rules.
Custom fields of work items will not be reset to the values that were specified in the .whitesource configuration file when the work item is being updated by Mend. Values that were manually updated by the user will be preserved.

Version 24.2.2 (11-March-2024)

Unified Agent 24.2.2-126 | Renovate 37.191.0 | Remediate 24.2.1 | Pre-Scan Builder (PSB) 24.2.2

Resolved Issues

PSB - If the Gradle or Maven wrappers were found in the project, they were not always provided permission to run, leading to partial scans. Wrappers will be provided permissions from now on.

Version 24.2.1 (26-February-2024)

Unified Agent 24.2.1-123 | Renovate 37.191.0 | Remediate 24.2.1 | Pre-Scan Builder (PSB) 24.2.1

New Features and Updates

Updated versions of .NET in the Scanner to: 6.0.418, 7.0.405, 8.0.101.
PSB - When the "package-lock=false" configuration is set in an .npmrc file, npm resolution will ignore the existing lock file and switch to node_modules-based resolution.

Resolved Issues

When deleting a Mend Organization in which an Azure Repo integration is used, the webhooks created for the integration in AZDO and the PAT of the bot-user will be deleted from the database.

Version 24.1.2 (12-February-2024)

New Features and Updates

When a settings.gradle or libs.versions.toml file is added or edited, a scan will be triggered automatically.
The PSB version number was changed to match the standard Mend version, e.g. 24.1.2.

Resolved Issues

The caching of the feed of scheduled Remediate jobs has been changed from 24 hours to 30 days, to prevent the feed calculation from taking place every 24 hours, potentially leading to Remediate activity spikes.