Mend SCA Cloud Release Notes
Mend.io reserves the right to modify this page retroactively.
To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between official releases.
Click here to view known issues.
Mend Unified Agent release notes are listed under the “Mend Unified Agent Release Notes” page.
Mend CLI release notes are listed under the “Mend CLI Release Notes” page.
Access all release notes for Mend.io’s products.
Version 26.3.2 (12-April-2026)
New Features and Updates
Improved license accuracy of Maven libraries. Updates include clearer license version specificity, removal of redundant entries, and detection of previously unknown licenses.
Resolved Issues
Fixed an issue where certain "software.amazon.awssdk" components displayed duplicated or incorrect copyright statements. All affected components now show accurate and consistent copyright information.
(25-March-2026)
New Features and Updates
Improved license detection for the following licenses:
GPL with linking exception
New Relic Agent
LGPL-2.1-only
LGPL-3.0-only
MPL-2.0
The following licenses are now identified as Proprietary:
GraalVM Free Terms and Condition
Sonar Source-Available License
The following licenses are now identified as Commercial:
PrimeFaces Commercial License
Version 26.3.1 (22-March-2026)
New Features and Updates
Improved the detection accuracy of Go libraries.
Added a risk score of 65 to the “LGPL 2.1 or later” license.
Resolved Issues
Fixed an issue where the package URL for NuGet packages in the Due Diligence report was incorrectly generated with an unnecessary “api.” prefix. The URL construction logic has been updated to ensure accurate links.
(01-March-2026)
New Features and Updates
The “Liquibase” license is now supported, with a risk score of 65.
Version 26.2.1 (22-February-2026)
New Features and Updates
“NVIDIA Proprietary Software License” is now automatically detected and classified as proprietary.
Added a risk score of 65 to the version-less “LGPL” and “Mozilla” licenses.
Resolved Issues
Fixed an issue where certain libraries were incorrectly flagged with CVE-2021-41248.
Fixed an issue where the Attribution Report did not display license texts for some licenses.
Fixed an issue where the SPDX SBOM report would erroneously display NOASSERTION or NONE for the licenseConcluded and licenseDeclared fields.
Fixed an issue where certain Intel MKL libraries were not properly assigned to the "Intel Simplified Software License". The license has now been added and these libraries are correctly associated with it.
Fixed an issue where generating a product-level SBOM report in Excel format resulted in an empty file.
(16-February-2026)
New Features and Updates
Increased the detection accuracy of malicious PyPI packages.
(10-February-2026)
New Features and Updates
Added automated detection of malicious packages in the PyPI repository, enhancing security by identifying and mitigating threats from compromised or harmful packages. This update provides users with stronger protection and more comprehensive threat coverage.
Version 26.1.2 (08-February-2026)
New Features and Updates
Improved detection and vulnerability analysis of R Language, Rust and PHP (composer) libraries.
Resolved Issues
Fixed an issue where certain libraries were incorrectly flagged with false positive GPL license violations due to misidentification of license exceptions. Improved license detection now ensures accurate reporting and prevents unnecessary compliance alerts.
Version 26.1.1 (25-January-2026)
Resolved Issues
Fixed an issue where remapping source files while running scans simultaneously could fail. The server now correctly handles concurrent remap and scan operations, ensuring all changes are properly saved.
Fixed an issue where duplicate vulnerability analysis results appeared in Prioritize scans, improving accuracy and reducing unnecessary load during scan result upload to the application.
Version 25.12.1 (28-December-2025)
New Features and Updates
Implemented a two-way SSO enforcement across the Mend AppSec Platform and Legacy SCA: SAML configuration in the Legacy SCA takes effect in the Mend AppSec Platform and vice versa.
Resolved Issues
Fixed an issue where Mend Advise for Visual Studio was not detecting CVEs. Vulnerabilities are now correctly identified for relevant projects.
Version 25.11.2 (14-December-2025)
Resolved Issues
Fixed an issue where users without admin privileges were unable to change their password in the Legacy SCA UI.
(01-December-2025) (Hotfix)
Updated the default configuration for npm.ignoreScripts to ‘true’ in the Azure DevOps Pipelines Integration, enhancing security by preventing the execution of npm scripts during builds and installations. This change mitigates exposure to potential threats such as the Shai-Hulud zero-day attack.
Fixed an issue where EPIPE errors during getRequestState calls in the Azure DevOps Pipelines Integration were not retried, ensuring these errors now trigger the retry mechanism for improved reliability.
(24-November-2025) (Hotfix)
Added a dedicated workflow event condition for the Shai-Hulud zero-day vulnerability, enabling automated detection and response to impacted libraries and Mend Secure Components. This enhancement provides immediate visibility, dynamic updates as new components are discovered, and supports rapid remediation actions through Mend Platform workflows.
(14-November-2025) (Hotfix)
Fixed an issue where scanning large projects with the Azure DevOps Pipelines Integration could cause the build to fail due to a failure in retrieving the build report.
(10-November-2025) (Hotfix)
The Node.js version in the Azure DevOps Pipelines Integration has been upgraded from 10 to 20.1. This update fixes an issue that prevented users from scanning projects due to the end-of-life status of the older Node.js version.
Version 25.10.2 (02-November-2025)
Resolved Issues
Resolved an issue where the “originator” field in exported SBOM reports was incorrectly set to “NOASSERTION” even when valid author information was available for CDNJS packages.
Fixed an issue where users attempting to mark a library as Open Source in the Mend Platform, when that library had been previously defined as In-House in the Legacy SCA Platform, encountered only a generic “Error” message.
With this fix, a clear pop-up message now appears, explaining that the action is blocked due to existing In-House rules in the Legacy SCA Platform. The prompt also provides a direct link and guidance to update the In-House rules before reclassifying the library as Open Source.
Version 25.10.1 (19-October-2025)
New Features and Updates
The risk score of the "Microsoft .NET Library" license has been updated.
Version 25.9.1 (28-September-2025)
New Features and Updates
Introducing significant SBOM enhancements:
Users can now import Syft, DependencyTrack and self-generated SBOMs.
The CycloneDX 1.6 format is now supported for both import and export.
Improved error handling for SBOM imports.
Improved Maven matches when importing an SBOM.
Improved reliability and accuracy of npm package resolution.
Version 25.8.2 (07-September-2025)
Resolved Issues
A new version of the Artifactory plugin is now available, compatible with Artifactory versions 7.46.x and above.
Version 25.8.1 (24-August-2025)
New Features and Updates
The Due Diligence report has been enhanced by including libraries with a "Commercial" license type.
Product-level admins can now utilize the getAsyncProcessStatus and downloadAsyncReport API endpoints to check the status of their SBOM reports and download them.
Version 25.7.2 (10-August-2025)
New Features and Updates
The SBOM report, previously available at the application/project level only, can now be generated at the organization level.
Improved license alignment with the SPDX format. In each of the following pairs, all instances of the former license in the application have been replaced by the latter:
Eclipse 1.0 → BSD 3
Jaxen Werken → BSD 3
Cryptix General License → BSD 2
Cup Parser Generator License → Standard ML of New Jersey