Mend for GitLab Release Notes
Version 24.11.1 (02-December-2024)
Unified Agent 24.11.1-60 | Renovate 38.142.7 | Remediate 24.11.1 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
Improved error and warning messages in strict mode for Pip, Poetry and Pipenv scans.
The following parameters can now be configured to be either overridden or appended to: "includes", "excludes", "archiveIncludes", and "archiveExcludes", by using the "uaConfigMergeSetting" parameter in the repo-config.json file.
Remediate Workers can now perform periodic disk cleanup. This is controlled with the following two new environment variables: MEND_REMEDIATE_WORKER_CLEANUP and MEND_REMEDIATE_WORKER_CLEANUP_DIRS.
Remediate Worker will communicate with Server using a secret. The secret must be set as a `Bearer` field in API calls. This uses the new environment variable `REMEDIATE_SERVER_SECRET`, which must be defined with the same value in the Server and Worker.
Log statements in JSON output will show "renovate" for CLI output, "remediate-work" for standalone Worker output, and "remediate" for all others (combined Server+Worker instances, and Server-only instances).
(SAST) Scans on feature branches are now always performed as incremental scans.
Resolved Issues
Fixed a mismatch issue where the License checkrun didn't show a partial scan failure warning while the Vulnerability checkrun did.
Fixed an issue using privateKey values for Renovate/Remediate.
Version 24.10.1.1 (30-October-2024) (Hotfix)
Resolved Issues
Fixed a mismatch between the Vulnerability check run and the License check run: The License check run did not report a partial scan failure warning while the Vulnerability check run did.
Aligned the controller logs so that GET_REMEDIATE_FEED now uses repo name instead of repo id.
Version 24.10.1 (21-October-2024)
Unified Agent 24.10.1-191 | Renovate 38.115.1 | Remediate 24.10.1 | Pre-Scan Builder (PSB) 24.9.2
New Features and Updates
Upgraded the default Python version in the scanner to 3.8.12 and the default Poetry version to 1.6.0.
Updated Remediate default node version from 18.20.4 to 20.17.0 (server and worker).
Remediate/Renovate configuration and architecture changes have been implemented.
Resolved Issues
Fixed an issue where the check run status was stuck in status "In progress" while retrying a failed scan.
Fixed an issue accessing public dependencies not available in private Gradle registries during the pre-scan build (PSB).
Fixed an issue where partial scan errors for Python/Gradle/Bower projects were not printed in the scanner log. Also fixed an issue where package managers not yet supported by the reporting tables were not being reported accordingly.
Version 24.9.1 (23-September-2024)
Unified Agent 24.9.1-180 | Renovate 37.440.7 | Remediate 24.8.2 | Pre-Scan Builder (PSB) 24.8.1
New Features and Updates
When a *.gemspec file is added or edited, a scan will be triggered automatically.
Resolved Issues
Fixed an issue where Mend projects were created in the default Mend organization instead of the specified Product/Application when using the customPropertyProductMapping feature, if the .whitesource file defined additional base branches beyond those in the global configuration.
Fixed an issue where uppercase letters in the excludes statement in the whitesource.config file were being read as lowercase.
Version 24.8.1.3 (02-September-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1
Resolved Issues
Fixed an issue that was causing partial failure reports to exclude Unified Agent results while also failing to generate foldable sections. Also introduced a DETAILED_SCA_RESULTS_INFO environment variable in the scanner to disable this functionality by setting it to FALSE.
Version 24.8.1.2 (28-August-2024)
Unified Agent 24.8.1-159 | Renovate 37.440.7 | Remediate 24.8.1 | Pre-Scan Builder (PSB) 24.8.1
Resolved Issues
Fixed an issue that led to incorrect Gradle versions being used by the scanner to resolve dependencies in projects that use Java 17 or above.
Fixed an issue which led to NuGet hostRules being ignored by the integration.
Version 24.7.1 (29-July-2024)
Unified Agent 24.7.1-148 | Renovate 37.438.0 | Remediate 24.7.1 | Pre-Scan Builder (PSB) 24.6.2
New Features and Updates
Remediate: Changed the default value of the environment variable RENOVATE_BINARY_SOURCE in the Remediate Dockerfile from install to global, to allow for container-base installs at runtime.
Remediate: Introducing a new env variable, CHECK_REDIS_ON_STARTUP, that performs a Redis connection check on startup. It will fail to start if it cannot establish a connection to Redis. Any value assigned to this variable will enable the feature.
Remediate: Starting from Renovate version 37.425.1, a new configuration option, cachePrivatePackages, is available for enabling the caching of private packages to improve performance.
Users can now set configMode to LOCAL in the global configuration, which repos will inherit. The global configuration can include a whitesource.config file, merged with local repo configurations. Repository-level configuration overrides global configuration. This behavior also applies to the use of configExternalURL.
git-lfs can now be installed in the Scanner and Remediate when the corresponding code is uncommented.
Resolved Issues
Fixed an issue leading to the controller failing to process large IaC scan results.
Fixed an edge-case null pointer exception that caused the Scanner to fail.
Fixed an issue leading to a false partial result message in the scanner, for some .NET project scans.
Version 24.6.1 (01-July-2024)
Unified Agent 24.6.1-144 | Renovate 37.413.2 | Remediate 24.6.1.1 | Pre-Scan Builder (PSB) 24.6.1
New Features and Updates
Improved the logic for the scheduled issue sync to only sync projects with changes to CVE list, CVE scores or ignored alerts, instead of syncing all projects with any modification to the Alerts category (applicable for Mend SCA Core).
.NET versions in the scanner were updated to: 6.0.421, 7.0.408, 8.0.204.
Unified Agent parameters can now be set using environment variables with the WS_ prefix, as an alternative to using custom configuration files.
Partial failure reports controlled by the strictMode parameter were enhanced to include errors and warnings generated by the Unified Agent. The report structure was also updated to provide a better user experience.
The strictMode parameter now supports updated values:
none: No warnings or errors published in the Scan Details report.
warning: Warnings and errors published, but do not cause Security Check failures.
failure: Warnings and errors published, and errors cause Security Check failures.
failOnWarning: Warnings and errors published, and both cause Security Check failures.
Added a new parameter strictModeInfo to control the inclusion of INFO logs in the Scan Details report.
Node was updated to version 20.12.0 in the scanner.
npm was updated to version 10.5.0 in the scanner.
Resolved Issues
Fixed an issue where enabling both LOG_FORMAT_JSON and EXTERNAL_LOG_IN_CONSOLE caused duplicate log statements in JSON and plaintext formats.
(SAST) Commits without analysis-relevant files are now handled correctly.
Fixed an issue with PSB falsely warning about an invalid hostType (hostType gradle) when "hostType": "maven" is configured in the hostRule.
Version 24.5.1.2 (20-May-2024)
Unified Agent 24.5.1-134 | Renovate 37.351.2 | Remediate 24.4.2 | Pre-Scan Builder (PSB) 24.5.1
New Features and Updates
Versions 3.10 and 3.12 of Python are now installed into the Scanner, for scanning projects using these versions.
A scan will now be triggered when changes are made to a Cargo.lock file.
Resolved Issues
Fixed an issue that prevented the Config Change check from failing when, instead of the standard " (U+0022 QUOTATION MARK), the “ (U+201C LEFT DOUBLE QUOTATION MARK) or ” (U+201D RIGHT DOUBLE QUOTATION MARK) was used.
Fixed an issue where the controller logs contained incorrect repository names and incorrect log messages during app re-installation events (Org name was used where Repo name should have been used).
Fixed an issue that could prevent issue publishing due to a null pointer exception.
Fixed: In some scenarios of npm resolution, unhandled exceptions during the parsing of package.json files led to scan failure. The previously unhandled exceptions will now be handled properly. Furthermore, a partial result warning will be reported by the Unified Agent, in case a package.json file couldn’t be parsed.
Version 24.4.1.2 (21-April-2024)
Unified Agent 24.4.1-132 | Renovate 37.261.0 | Remediate 24.4.1 | Pre-Scan Builder (PSB) 24.4.1
New Features and Updates
Improved error and warning messages in strictMode for NuGet scans.
Improved reporting of Unified Agent failures in Gradle projects.
SPM Swift resolution is now supported by the Unified Agent, including error and warning messages in strictMode for Swift scans.
Resolved Issues
Fixed an issue where the strictMode setting was not correctly creating reports and failing the Security Check if there were no vulnerabilities meeting the CVSS threshold defined in failOnVulnerabilityMinCvss.
Previously, if lock files were found in the repo and the private registry was configured via host rules, the configuration via host rules was not used. Moving forward, host rules configuration will be used to define private registry credentials regardless of the presence of lock files in the repo.
Version 24.3.2 (09-April-2024)
Unified Agent 24.3.2-128 | Renovate 37.261.0 | Remediate 24.3.2 | Pre-Scan Builder (PSB) 24.3.1
New Features and Updates
Updated the messages for failed neutral security and license checks to reference the commit that originally caused the failure.
Added support for dynamic tool installation for Maven, Poetry, and Pipenv.
When using the LOG_FORMAT_JSON environment variable, the STDOUT/console logs will be in JSON format.
The environment variable MEND_SCAN_REMEDIATE_BRANCHES is now available to disable scanning of branches created by Remediate and Renovate.
The path and location of source code files where license policy violations were found will now be mentioned in the issues and checks. Previously, the path would only be displayed for the dependencies specified in package managers.
PSB - HTTP is now allowed in host rules.
Resolved Issues
The controller log entry "Start creating Mend project…" was fixed to properly mention the id of the repo.
Fixed a null pointer exception when publishing issues for libraries with a CVSS score of 0.
The createProjectHook API was updated to prevent exposure of webhook tokens in logs in cases where the request to this API fails.
The scanner logs zip file will not be created in the ws-logs repository as part of a manual scan trigger.
Version 24.1.2 (12-February-2024)
New Features and Updates
When a settings.gradle or libs.versions.toml file is added or edited, a scan will be triggered automatically.
The PSB version number was changed to match the standard Mend version, e.g. 24.1.2.
CVSSv4 is now supported for the repositories connected to the Mend Organizations where this feature was enabled (available only for Mend Platform users).
When Git shell commands are used for cloning the repository to a Scanner (WS_GIT_CONNECTOR=true), blobless cloning is performed to optimize the size of the transferred data.
Resolved Issues
Fixed an issue that caused IaC results to not be presented in some cases.
Fixed an issue that prevented manual scans from being triggered with the scan.json file if createBuildStatus was set to false or vulnerableCommitStatus to "NONE".
The caching of the feed of scheduled Remediate jobs has been changed from 24 hours to 30 days, to prevent the feed calculation from taking place every 24 hours, potentially leading to Remediate activity spikes.