
Mend SAST Cloud Release Notes

  • To stay informed about hotfixes, modifications, and additions to Mend's products, check this page from time to time in between official releases.

  • Mend CLI release notes are listed under the “Mend Developer Integrations Release Notes” page.

  • Access all release notes for Mend’s products.

Mend reserves the right to modify this page retroactively.

Version 24.12.2 (13-January-2025)

New Features and Updates

  • Increased the scan performance of the JavaScript detection engine.

Version 24.12.1 (06-January-2025)

New Features and Updates

  • The JavaScript detection engine now supports the Azure Functions framework to detect entry points.

Resolved Issues

  • Made the parsing of JavaScript files more robust.

Version 24.11.2 (16-December-2024)

Resolved Issues

  • Several adjustments were made to increase the Ruby engine’s accuracy and reduce its false-positive rate.

Version 24.11.1 (02-December-2024)

New Features and Updates

  • For the Python gen 2 detection engine, “CWE-20: Improper Input Validation” is split up into two new vulnerability types: “CWE-20: Mail Relay” and “CWE-20: Memcache Injection Vulnerability”. This change allows for a more fine-grained analysis.

  • Mend.io now supports detection of Stored Cross-Site Scripting if the tainted data is stored in React state.

Version 24.10.2 (04-November-2024)

New Features and Updates

  • Improved the performance of incremental scans.

Resolved Issues

  • Reverted a rule change that was intended to reduce the number of false positives reported for Cross-Site Scripting in React, because it also affected the discovery of true positive findings.

  • Fixed an error in the generation of the Python AST.

Version 24.10.1 (21-October-2024)

New Features and Updates

  • Skipped minified JavaScript files are now reported in the scan summary of the Mend CLI and the Scan Log view of the Mend Platform.

Version 24.9.2 (14-October-2024)

New Features and Updates

  • Code analysis of ASP.NET projects now supports multi-core processing.

  • Several accuracy improvements for Java and C#. In detail, the following CWEs have been adjusted:

    Java:

    • CWE-79: Cross-site Scripting (XSS)

    • CWE-497: Sensitive System Information

    • CWE-918: Server-side Request Forgery (SSRF)

    C#:

    • CWE-78: Command Injection

    • CWE-89: SQL Injection

    • CWE-918: Server-side Request Forgery (SSRF)

Resolved Issues

  • Files that were skipped during the code analysis due to file size limitations are now correctly reported in the analysis summary.

Version 24.9.1 (23-September-2024)

New Features and Updates

  • [Controlled Release] Introducing a new generation of the Mend.io detection engines for Python: Compared to the first generation, the new generation has larger CWE coverage and will produce much less noise. For ease of transitioning to this new engine, the onboarding parameter has been made configurable so that you can decide when to make the switch. Specify which generation of the detection engine is used to perform scans via the new CLI parameter --python-engine-generation. Also, your current scan configuration will automatically be carried over when you update to the new generation.

Version 24.8.2 (09-September-2024)

New Features and Updates

  • Several small improvements to the analysis accuracy of the gen 2 JavaScript detection engine.

  • The gen 2 JavaScript detection engine now supports the analysis of JavaScript code in .html and .ejs files.

  • Added more patterns to the default exclusions for JavaScript, to prevent external libraries from being scanned as project code.

Resolved Issues

  • The Scan Log view now correctly reports if an incremental or a full scan was performed for any gen 1 detection engine.

Version 24.8.1 (26-August-2024)

New Features and Updates

  • The VB.net detection engine now also supports .vbproj files.

Resolved Issues

  • Frontend-specific files like JSP, CSHTML or ASPX are now correctly handled in the incremental scan of the gen 2 detection engine.

  • When multiple taint sources were located in the same file and their data flows reached the same sink, only a single representative flow was displayed. This has been corrected, and all data flows are now visible.

Version 24.7.2 (12-August-2024)

New Features and Updates

  • To improve scan performance, SAST scan results will now be processed asynchronously. This introduces a new scan state: "Processing". When querying SAST findings via an API, it will be mandatory to verify that the scan status is neither "Running" nor "Processing".
    Note: This feature introduces a breaking change and is therefore rolled out in a phased approach, beginning with new deployments only. In the next phase, SAST customers who are expected to be impacted by the change will gradually be contacted by their CSM at Mend.io prior to enabling the feature, to ensure a smooth transition into the improved scan processing mode.

  • The resources used by a scan are continuously monitored so that the scan can fail gracefully before it runs out of resources, ensuring that some scan results are always available.

  • The new engine generation for Java, C# and especially JavaScript/TypeScript is now handling imports more efficiently to further reduce scan times.
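The asynchronous result processing described above means that a client which only treats "Running" as in-progress will read findings before they exist. The following is an added example, not Mend's own code: a status-polling helper that handles the new "Processing" state and the "Failed" state (the "Completed" state name and the get_status wrapper are assumptions).

```python
# Added example, not Mend's own code: client-side handling of the
# "Processing" scan state introduced in 24.7.2 before reading findings.
import time
from typing import Callable, Sequence

# Scan states named in the release notes.
IN_PROGRESS = {"Running", "Processing"}
FAILED = "Failed"
# Assumed (hypothetical) name of the state in which findings may be read.
SUCCESS = "Completed"

def findings_ready_legacy(status: str) -> bool:
    """Pre-24.7.2 check that only knew the 'Running' state.
    With asynchronous result processing it returns True too early."""
    return status != "Running"

def findings_ready(status: str) -> bool:
    """Check required by the 24.7.2 note: neither Running nor Processing."""
    return status not in IN_PROGRESS

def first_ready_poll(statuses: Sequence[str], check: Callable[[str], bool]) -> int:
    """Index of the first polled status at which `check` would let a client
    read findings, or -1 if it never would."""
    for i, status in enumerate(statuses):
        if check(status):
            return i
    return -1

def wait_for_scan(get_status: Callable[[], str], max_polls: int = 600,
                  sleep: Callable[[float], None] = time.sleep,
                  poll_s: float = 5.0) -> str:
    """Poll get_status() (a hypothetical wrapper around whatever API call
    returns the scan status) until the scan leaves the in-progress states.
    Raises RuntimeError on a failed scan and TimeoutError after max_polls."""
    status = None
    for _ in range(max_polls):
        status = get_status()
        if findings_ready(status):
            if status == FAILED:
                raise RuntimeError(f"scan ended in state {status!r}")
            return status
        sleep(poll_s)
    raise TimeoutError(f"scan still {status!r} after {max_polls} polls")

def replay(statuses: Sequence[str]) -> Callable[[], str]:
    """Constructed stand-in for the status API: returns the given statuses
    in order, then keeps returning the last one."""
    calls = iter(statuses)
    last = statuses[-1]
    return lambda: next(calls, last)
```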

Resolved Issues

  • Fixed an issue where, under some rare conditions, scans with the new JavaScript engine were hanging.

  • Resolved an error in the PHP engine that could cause inconsistent scan results.

  • Files with the .aspx.cs extension are not scanned by the VB.net detection engine anymore.

Version 24.7.1 (29-July-2024)

New Features and Updates

  • The number of analysis steps of the type analysis for the gen 2 engines is configurable now.

  • Auto-generated files of an Angular application build, like runtime.js or polyfill.js, are excluded by default when analyzing JavaScript/TypeScript code.

Version 24.6.2 (15-July-2024)

New Features and Updates

  • Mend Platform:

    • To prevent scans from remaining in a "Running" state indefinitely when the scan process is killed from the outside, a retention service will automatically set such a scan to a "Failed" state after 24 hours of inactivity.

Version 24.6.1 (01-July-2024)

New Features and Updates

  • The Gen2 C# detection engine now supports entry points from Azure Service Bus.

  • Mend Platform:

    • If a Jira ticket is created from a finding, the status of the ticket can be monitored within the Code findings table. Each finding also provides a hyperlink to the corresponding ticket in Jira and provides further information about the ticket in the Code Finding Details drawer.

Version 24.5.3 (17-June-2024)

New Features and Updates

  • Added additional sanitizers to the Gen2 C# engine, to prevent false positives for SSRF and Open Redirect.

  • Support for Zip Slip detection was added to the Gen2 Java engine.

  • Mend Platform:

    • Global Scan Configuration: To allow the management of Code scans at scale, it is now possible to create Code scan configuration templates on an organization level. These configuration templates can be used as a default for all scanned projects or can be explicitly assigned to a specific set of applications / projects. When a template is modified (e.g. a certain CWE is disabled), this will immediately affect all projects using this template.

Resolved Issues

  • Fixed an issue where SAST scans using the Gen2 Java engine failed when log configuration files were also part of the scanned project.

Version 24.5.2 (03-June-2024)

New Features and Updates

  • Several small accuracy improvements for the new Gen2 JavaScript/TypeScript detection engine.

Resolved Issues

  • Fixed an issue of uploading results for large amounts of findings.

  • Duplicated code in a project is now handled in a deterministic way.

  • Mend Platform:

    • Jira issues created on demand for a specific finding are now using the "Mend" issue type instead of the "Whitesource" issue type.

Version 24.5.1 (19-May-2024)

New Features and Updates

  • Improved analysis accuracy for Ruby.

  • Mend Platform:

    • For suppressed findings, the Code findings table now also includes information about the suppression date and the user who performed the suppression.

    • Findings can now be suppressed even if a Jira issue was created before.

    • Jira issues created for Code findings are now using the Mend issue type.

Resolved Issues

  • Improved scanning of ASPX files with the new C# engine.

  • Mend Platform:

    • User permissions on Application level are now handled correctly.

    • Filtering suppressed Code findings now works correctly.

Hotfix to Version 24.5.1 (released on 22-May-2024)

Resolved Issues

  • Invalid regex patterns for path exclusions of a Code scan are now handled correctly in the Mend CLI.

Version 24.4.2 (05-May-2024)

New Features and Updates

  • Languages are not picked up for analysis anymore if all of their analysis-relevant files are located under an excluded directory.

  • A new language added to an already scanned project is now picked up automatically on the next consecutive scan.

  • Improved the detection accuracy of the new C# engine for multiple CWEs, including SQL Injection, SSRF, Weak Encryption and XSS.

  • Mend Platform:

    • Creating a combined Jira ticket for multiple findings is not supported anymore.

    • Editing the status of a finding (e.g. to suppress it) is now supported via API v3.

Resolved Issues

  • To make misconfigurations more obvious, if an invalid parameter is specified it will no longer be silently ignored. Instead, it will cause the scan to fail immediately.

  • Mend Platform:

    • Users with the role "Member" are not able to edit findings anymore.

Version 24.4.1 (21-April-2024)

New Features and Updates

  • The details of a finding suppression are now presented in a more prominent way.

  • The new C# detection engine now supports analysis of ASP.NET Web Forms (.aspx files) and Razor (.cshtml files).

Resolved Issues

  • Accuracy of hard-coded credentials detection within the new C# engine was improved.

  • In Java and JavaScript/TypeScript, the severity of CWE-312: Store Sensitive Information was incorrectly set to ‘Medium’. It has now been changed to ‘High’.

Version 24.3.2 (8-April-2024)

New Features and Updates

  • 14 new CWEs are now supported by the new JavaScript and TypeScript engine. In detail, the following CWEs were added:

    • CWE-134: Use of Externally-Controlled Format String

    • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    • CWE-209: Generation of Error Message Containing Sensitive Information

    • CWE-295: Improper Certificate Validation

    • CWE-312: Cleartext Storage of Sensitive Information

    • CWE-319: Cleartext Transmission of Sensitive Information

    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

    • CWE-346: Origin Validation Error

    • CWE-347: Improper Verification of Cryptographic Signature

    • CWE-434: Unrestricted Upload of File with Dangerous Type

    • CWE-502: Deserialization of Untrusted Data

    • CWE-598: Use of GET Request Method With Sensitive Query Strings

    • CWE-643: XPath Injection

    • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Resolved Issues

  • Loading the dump data for incremental scanning is now more robust.

Version 24.3.1 (25-March-2024)

New Features and Updates

  • Improved the detection accuracy of the new C# engine. In detail, improvements for the following CWEs were added:

    • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Resolved Issues

  • The severity score of a finding is now correctly displayed in the tool tip.

  • Line positions in Python are now reported correctly.

Version 24.2.2 (11-March-2024)

New Features and Updates

  • Scans are not reported as partially successful anymore in case no entry points were detected for a certain language. The information about missing entry points is still visible in the Scan Log view.

  • Mend Platform:

    • Secure Code Warrior training solution is now integrated into the Code Finding Details view. For each finding, corresponding training resources will help developers to better understand the vulnerability, resolve it in a shorter amount of time, and increase their awareness to prevent similar issues in the future.

Version 24.2.1 (26-February-2024)

New Features and Updates

  • Introducing a new generation of the Mend.io detection engines for C#, JavaScript and TypeScript: Compared to the first generation, scan speed is improved by up to 50%, with much higher precision and recall rates. For ease of transitioning to this new engine, we’ve made the onboarding parameter configurable so that you can decide when to make the switch. Specify which generation of the detection engine is used to perform scans via the new CLI parameters, --js-engine-generation and --csharp-engine-generation. Also, your current scan configuration will automatically be carried over when you update to the new version.

  • Mend Platform:

    • The Scan Log view now displays a breakdown of scan duration per language and reports about the number of files that were analyzed during an incremental scan.

    • The Code Findings view has been redesigned, including additional capabilities like browsing through the findings from the Details view or generating a deep link for a finding.

Resolved Issues

  • Suppressed findings are now handled correctly in aggregation metrics of the Analytics dashboard and Analytics report.

Hotfix to Version 24.2.1 (released on 28-February-2024)

Resolved Issues

  • The new parameters for selecting the engine generation, --js-engine-generation and --csharp-engine-generation, are now part of the help command in the CLI.

Version 24.1.2 (12-February-2024)

New Features and Updates

  • The default timeout per file for the new Java engine was increased to 10 minutes.

Resolved Issues

  • Incremental scans will now always report the file and line count of the whole project, not just the differences in comparison to the last full scan.

Version 24.1.1 (29-January-2024)

New Features and Updates

  • The status of the Code analysis together with potential error messages is now reported individually for each language within the Scan Log view of each scan.

Resolved Issues

  • Checking if a code block is reachable based on the specified constants is now more robust.

  • Incremental scanning for Kotlin now correctly handles resolved findings.

  • Android Java analysis is not reporting findings in Kotlin files anymore.
