Mend for GitHub Enterprise Release Notes
Version 24.11.1 (02-December-2024)
Unified Agent 24.11.1-60 | Renovate 38.142.7 | Remediate 24.11.1 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
(Open Beta) Reachability for Python is now available in the repo integration, supporting Pip, Pipenv, Poetry and Conda package managers.
This feature enhances visibility and significantly reduces noise. By focusing on actionable insights, it empowers you to take targeted and effective remediation actions.
To enable Python Reachability, follow the instructions in this article.
Improved error and warning messages in strict mode for Pip, Poetry and Pipenv scans.
The following parameters can now be configured to be either overridden or appended to: "includes", "excludes", "archiveIncludes", and "archiveExcludes", by using the "uaConfigMergeSetting" parameter in the repo-config.json file.
Added two new API endpoints to enable querying SCA and SAST statistics separately.
Remediate Workers can now perform periodic disk cleanup.
This is controlled with the following two new environment variables: MEND_REMEDIATE_WORKER_CLEANUP and MEND_REMEDIATE_WORKER_CLEANUP_DIRS.
Remediate Worker(s) can optionally communicate with the Remediate Server using shared secret authentication. To enable authentication, a new environment variable, REMEDIATE_SERVER_SECRET, must be defined with the same value on both the Remediate Server and Worker instances.
Log statements in JSON output will show "renovate" for CLI output, "remediate-work" for standalone Worker output, and "remediate" for all others (combined Server+Worker instances, and Server-only instances).
(SAST) Remediation suggestions can now be generated from GitHub Issues created per single finding.
(SAST) The "Date" column of the findings table was renamed to "Detected", to make it more explicit.
(SAST) Scans on feature branches are now always performed as incremental scans.
Resolved Issues
Fixed a mismatch issue where the License checkrun didn't show a partial scan failure warning while the Vulnerability checkrun did.
Fixed an issue using privateKey values for Renovate/Remediate.
(SAST) If an organization has no SAST entitlement, enabling SAST scans within the .whitesource file no longer causes failing SAST scans. Instead, the scans are simply not started.
(SAST) If a Code scan finishes only partially, missing findings are no longer reported as resolved in the GitHub check run. Instead, the check run clearly indicates that the scan was partial.
(SAST) Resolved an issue that prevented onboarding of Code scans in GitHub Enterprise under certain conditions.
Version 24.10.1.1 (30-October-2024) (Hotfix)
Resolved Issues
Fixed a mismatch between the Vulnerability check run and the License check run: The License check run did not report a partial scan failure warning while the Vulnerability check run did.
Aligned the controller logs so that GET_REMEDIATE_FEED now uses the repo name instead of the repo id.
Version 24.10.1 (21-October-2024)
Unified Agent 24.10.1-191 | Renovate 38.115.1 | Remediate 24.10.1 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
Logs generated with MEND_LOG_SCAN_RESULTS will now have additional values for Malicious Packages: CVSS score, alert status, creation date, modified date.
Upgraded the default Python version in the scanner to 3.8.12 and the default Poetry version to 1.6.0.
Updated Remediate default node version from 18.20.4 to 20.17.0 (server and worker).
Remediate/Renovate configuration and architecture changes have been implemented.
Resolved Issues
Fixed an issue where the check run status was stuck in status "In progress" while retrying a failed scan.
Fixed an issue accessing public dependencies not available in private Gradle registries during the pre-scan build (PSB).
Fixed an issue where partial scan errors for Python/Gradle/Bower projects were not printed in the scanner log. Also fixed an issue where package managers not yet supported by the reporting tables were not being reported accordingly.
Detailed rate-limiting logging is now available in the controller log by default, as INFO-level entries.
Fixed an issue where, when changes were made to a pull request whose latest commit did not contain a qualifying commit to trigger a Mend scan, the status checks on the pull request showed as "Neutral" even if the previous scan was a valid passing Mend scan. Moving forward, the status will be inherited from previous scan results.
(SAST) Implemented logic that prevents user-created PR comments from erroneously being removed by a Code Security scan, in certain scenarios.
Version 24.9.1 (23-September-2024)
Unified Agent 24.9.1-180 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
When a *.gemspec file is added or edited, a scan will be triggered automatically.
(SAST) [Controlled Release] To help developers reduce the security risk, Mend.io now offers automated remediation suggestions for Code findings in Java, JavaScript/TypeScript and C#.
Within the repository integration, an end-to-end remediation flow is offered, allowing developers to immediately update their feature branches with a click of a button to fix a newly introduced vulnerability before merging the code.
More details about the automatic remediation for Code Findings and how to enable it can be found here.
Resolved Issues
Fixed an issue where Mend projects were created in the default Mend organization instead of the specified Product/Application when using the customPropertyProductMapping feature, if the .whitesource file defined additional base branches beyond those in the global configuration.
Fixed an issue where uppercase letters in the excludes statement in the whitesource.config file were being read as lowercase.
(SAST) Fixed an issue that led to failing Code scans in GitHub when they were manually triggered through the commit of a scan.json file.
Version 24.8.1.3 (02-September-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1
Resolved Issues
Fixed an issue that was causing partial failure reports to exclude Unified Agent results while also failing to generate foldable sections. Also introduced a DETAILED_SCA_RESULTS_INFO environment variable in the scanner to disable this functionality by setting it to FALSE.
Version 24.8.1.2 (28-August-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
Implemented a throttling mechanism to prevent spikes in API calls during Issue syncs that could lead to rate limit failures and inconsistencies between GitHub issues and the Mend UI.
(SAST) The "Code Security Report" of a GitHub report now links to the corresponding Project in the Mend Platform, not to a specific scan.
Resolved Issues
Fixed an issue that led to incorrect Gradle versions being used by the scanner to resolve dependencies in projects that use Java 17 or above.
Fixed an issue where a non-primitive custom property (e.g. array) on a GitHub repository caused an exception in the controller.
Fixed an issue which led to NuGet hostRules being ignored by the integration.
Fixed an issue where manually triggered scans with uploadScannerLogs set to 'true' would fail to upload scanner logs due to the whitesource-config/ws-logs repository not being found in the organization.
(SAST) Triggering manual Code scans in GitHub through the commit of a scan.json file is now working correctly.
Version 24.7.1 (29-July-2024)
Unified Agent 24.7.1-148 | Renovate 37.438.0 | Remediate 24.7.1 | Pre-Scan Builder (PSB) 24.6.2
New Features and Updates
Remediate: Changed the default value of the environment variable RENOVATE_BINARY_SOURCE in the Remediate Dockerfile from install to global, to allow for container-based installs at runtime.
Remediate: Introduced a new environment variable, CHECK_REDIS_ON_STARTUP, that performs a Redis connection check on startup. Remediate will fail to start if it cannot establish a connection to Redis. Any value assigned to this variable enables the feature.
Remediate: Starting from Renovate version 37.425.1, a new configuration option, cachePrivatePackages, is available for enabling the caching of private packages to improve performance.
Users can now set configMode to LOCAL in the global configuration, which repos will inherit. The global configuration can include a whitesource.config file, merged with local repo configurations. Repository-level configuration overrides global configuration. This behavior also applies to the use of configExternalURL.
git-lfs can now be installed in the Scanner and Remediate when the corresponding code is uncommented.
Resolved Issues
Fixed an issue leading to the controller failing to process large IaC scan results.
Fixed an edge-case null pointer exception that caused the Scanner to fail.
Fixed an issue leading to a false partial result message in the scanner, for some .NET project scans.
Version 24.6.1 (01-July-2024)
Unified Agent 24.6.1-144 | Renovate 37.413.2 | Remediate 24.6.1.1 | Pre-Scan Builder (PSB) 24.6.1
New Features and Updates
Improved the logic for the scheduled issue sync to only sync projects with changes to CVE list, CVE scores or ignored alerts, instead of syncing all projects with any modification to the Alerts category (applicable for Mend SCA Core).
.NET versions in the scanner were updated to: 6.0.421, 7.0.408, 8.0.204.
Unified Agent parameters can now be set using environment variables with the WS_ prefix, as an alternative to using custom configuration files.
Partial failure reports controlled by the strictMode parameter were enhanced to include errors and warnings generated by the Unified Agent. The report structure was also updated to provide a better user experience.
The strictMode parameter now supports updated values:
none: No warnings or errors published in the Scan Details report.
warning: Warnings and errors published, but do not cause Security Check failures.
failure: Warnings and errors published, and errors cause Security Check failures.
failOnWarning: Warnings and errors published, and both cause Security Check failures.
Added a new parameter strictModeInfo to control the inclusion of INFO logs in the Scan Details report.
Node was updated to version 20.12.0 in the scanner.
npm was updated to version 10.5.0 in the scanner.
The releaseProjectsRegex parameter was created to automatically trigger Mend scans upon new releases with a dedicated project being created.
The integration, with Reachability enabled, can now be configured to access your organization’s S3 cache by using IAM role-based AWS credentials instead of secret token-based AWS credentials.
(Applicable for GitHub Enterprise Cloud only) Added support for custom product mapping using GitHub repository custom properties, controlled with the customPropertyProductMapping parameter.
Resolved Issues
Fixed an issue where the overrideConfigAllowList set in global-config.json did not work if the repository that was not allowed to override had the inheritsFrom property.
Fixed an issue where enabling both LOG_FORMAT_JSON and EXTERNAL_LOG_IN_CONSOLE caused duplicate log statements in JSON and plaintext formats.
(SAST) Commits without analysis-relevant files are now handled correctly.
Fixed an issue that caused a null pointer exception when handling GitHub check run timeout requests.
Fixed an issue where neutral checks after failures were incorrectly displayed as passed when using failOnVulnerabilityMinCvss in a feature branch.
Fixed an issue with PSB falsely warning about an invalid hostType (hostType gradle) when "hostType": "maven" is configured in the hostRule.
Version 24.5.1.2 (20-May-2024)
Unified Agent 24.5.1-134 | Renovate 37.351.2 | Remediate 24.4.2 | Pre-Scan Builder (PSB) 24.5.1
New Features and Updates
Versions 3.10 and 3.12 of Python are now installed into the Scanner, for scanning projects using these versions.
A scan will now be triggered when changes are made to a Cargo.lock file.
Partial failure reports controlled by the strictMode parameter now have an updated markdown where all results are presented in collapsible sections.
overrideConfigAllowList can now be set in the global-config.json file. This new implementation fixes a known issue that caused repos that are not allowed to override global configuration to get a failed Configuration Update Check (in case of wrongly formatted .whitesource file).
Logs generated with MEND_LOG_SCAN_RESULTS will now have a structured format covering only the main information about the detected vulnerability.
Clicking the "Re-run" button in the GitHub interface will trigger a re-scan for the Check Run where it was clicked.
Resolved Issues
Fixed an issue that prevented the Config Change check from failing when, instead of the standard " (U+0022 QUOTATION MARK), the “ (U+201C LEFT DOUBLE QUOTATION MARK) or ” (U+201D RIGHT DOUBLE QUOTATION MARK) was used.
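As an added example (not Mend's own code), a small Python check that flags the typographic quotes described above in a .whitesource file before it is committed, and also validates the strictMode value against the four values listed in the 24.6.1 notes. The sample file content is constructed, and the location of strictMode under checkRunSettings is an assumption.

```python
import json
import unicodedata

# Constructed sample .whitesource content: one key is wrapped in typographic
# quotes (U+201C / U+201D), the mistake the Config Change check must catch.
SAMPLE_BAD = '{\n  "checkRunSettings": {\n    \u201cstrictMode\u201d: "warning"\n  }\n}'
SAMPLE_GOOD = '{"checkRunSettings": {"strictMode": "failOnWarning"}}'

# Values accepted by strictMode according to the release notes above.
STRICT_MODE_VALUES = {"none", "warning", "failure", "failOnWarning"}

# Quote-like code points that are not valid JSON string delimiters.
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}


def find_smart_quotes(text):
    """Return (line, column, unicode name) for every typographic quote in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def validate_whitesource(text):
    """Return a list of problems; an empty list means the file is acceptable.

    Checks, in order: typographic quotes (reported with their position so the
    author can fix them), JSON well-formedness, and the strictMode value
    (assumed here to live under checkRunSettings).
    """
    problems = [f"line {ln} col {col}: {name}" for ln, col, name in find_smart_quotes(text)]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON: {exc.msg} at line {exc.lineno}")
        return problems
    section = cfg.get("checkRunSettings", {}) if isinstance(cfg, dict) else {}
    mode = section.get("strictMode") if isinstance(section, dict) else None
    if mode is not None and mode not in STRICT_MODE_VALUES:
        problems.append(f"unknown strictMode value: {mode!r}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_whitesource(sample) or "OK")
```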
Fixed an issue where the controller logs contained incorrect repository names and incorrect log messages during app re-installation events (Org name was used where Repo name should have been used).
Fixed an issue that could prevent issue publishing due to a null pointer exception.
Fixed: In some scenarios of npm resolution, unhandled exceptions during the parsing of package.json files led to scan failure. The previously unhandled exceptions will now be handled properly. Furthermore, a partial result warning will be reported by the Unified Agent, in case a package.json file couldn’t be parsed.
Fixed an issue that prevented proper scanning of git submodules if git shell cloning was enabled (WS_GIT_CONNECTOR=true).
Fixed an issue where GitHub API call optimization was not implemented in all required processes.
Fixed an issue where archived GitHub repositories were causing error messages in the controller logs during issue sync flows.
Version 24.4.1.2 (21-April-2024)
Unified Agent 24.4.1-132 | Renovate 37.261.0 | Remediate 24.4.1 | Pre-Scan Builder (PSB) 24.4.1
New Features and Updates
SCA Reachability: Improvements have been made to reduce the memory used in reachability scans and enhance performance. Memory usage has been reduced by approximately 33%.
Improved error and warning messages in strictMode for NuGet scans.
Improved reporting of Unified Agent failures in Gradle projects.
SPM Swift resolution is now supported by the Unified Agent, including error and warning messages in strictMode for Swift scans.
Resolved Issues
Fixed an issue where the strictMode setting was not correctly creating reports and failing the Security Check if there were no vulnerabilities meeting the CVSS threshold defined in failOnVulnerabilityMinCvss.
Previously, if lock files were found in the repo and the private registry was configured via host rules, the configuration via host rules was not used. Moving forward, host rules configuration will be used to define private registry credentials regardless of the presence of lock files in the repo.
Version 24.3.2 (09-April-2024)
Unified Agent 24.3.2-128 | Renovate 37.261.0 | Remediate 24.3.2 | Pre-Scan Builder (PSB) 24.3.1
New Features and Updates
Updated the messages for failed neutral security and license checks to reference the commit that originally caused the failure.
Added support for dynamic tool installation for Maven, Poetry, and Pipenv.
When using the LOG_FORMAT_JSON environment variable, the STDOUT/console logs will be in JSON format.
The environment variable MEND_SCAN_REMEDIATE_BRANCHES is now available to disable scanning of branches created by Remediate and Renovate.
The path and location of source code files where license policy violations were found will now be mentioned in the issues and checks. Previously, the path would only be displayed for the dependencies specified in package managers.
PSB - HTTP is now allowed in host rules.
The environment variable MEND_LOG_SCAN_RESULTS is now available to enable logging the whole data object of scan results.
SCA Reachability is now available for both Core and Mend Platform organizations, helping security and development teams prioritize detected vulnerabilities based on reachability status.
The environment variable MEND_ENABLE_ONBOARDING_PR is now available to prevent Onboarding PR creation with any used configuration.
Resolved Issues
In order to optimize GitHub API calls, smart manifest comparison is no longer used when the number of commits within a single event is greater than 3. In this case, the normal method of determining if a scan should be initiated will be used.
The controller log entry "Start creating Mend project…" was fixed to properly mention the id of the repo.
Fixed a null pointer exception when publishing issues for libraries with a CVSS score of 0.
The label "security vulnerability" is now available for use in the customLabels parameter, which controls the labels that will be added to the GitHub Issues created after the scan.
When the repository that was previously scanned is deleted and a new repository with the same name and another set of vulnerabilities is created, the Security Check will not run successfully. Instead, there will be an error indicating an unsuccessful scan attempt.
If the host is configured to work via a proxy, the Security Check will not run successfully for projects containing a submodule. Instead, there will be an error indicating an unsuccessful repository clone attempt.
If the host is configured to work via a proxy, the scanner logs zip file will not be created in the ws-logs repository as part of a manual scan trigger.
Version 24.1.2 (12-February-2024)
New Features and Updates
When a settings.gradle or libs.versions.toml file is added or edited, a scan will be triggered automatically.
The PSB version number was changed to match the standard Mend version, e.g. 24.1.2.
CVSSv4 is now supported for the repositories connected to the Mend Organizations where this feature was enabled (available only for Mend Platform users).
When Git shell commands are used for cloning the repository to a Scanner (WS_GIT_CONNECTOR=true), the blobless cloning will be performed to optimize the size of the transferred data.
Improved GitHub API rate limit handling by implementing a mechanism to verify the rate limit before each scan. If the limit is reached, web hooks and issue sync queue messages are delayed until a new rate limit window begins. This functionality is controlled by the MEND_VALIDATE_SCM_RATE_LIMIT environment variable.
An API endpoint is now exposed in the Controller to trigger scans.
(SAST) As an alternative to the existing GitHub Code Security Issue that reports about the security state of the whole repository, it is now also possible to create one GitHub Issue per finding.
Resolved Issues
Fixed an issue where Mend closed user-created pull requests if they contained labels reserved by Mend for issues and PRs.
Fixed an issue that caused an exception to be thrown when both of the following conditions were met: IssueRepoName was set to a non-existing repo via configuration, and Issues were disabled on the repository in the GitHub Enterprise settings.
Fixed an issue that caused IaC results to not be presented in some cases.
The caching of the feed of scheduled Remediate jobs has been changed from 24 hours to 30 days, to prevent the feed calculation from taking place every 24 hours, potentially leading to Remediate activity spikes.