Mend Unified Agent Release Notes
Mend.io reserves the right to modify this page retroactively.
To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between official releases.
Version 24.10.2 (04-November-2024)
New Features and Updates
Documentation update: The supported languages and package managers are now arranged in an easy-to-consume structure in the support matrix document.
Resolved Issues
Improved retrieval of package data from the snapshots section in pnpm lock files, accommodating edge cases for increased accuracy.
Fixed a scenario in which the Pipfile.lock file would be overridden during the resolution of pipenv projects, leading to inaccurate results.
Version 24.10.1.1 (22-October-2024)
Resolved Issues
Hotfix: Fixed an issue where some Docker images failed to be scanned by the Unified Agent under certain conditions, manifested as null pointer exceptions in the log.
Version 24.10.1 (21-October-2024)
Resolved Issues
Fixed a StackOverflow error that led to scan failure during the detection of circular dependencies in lockfile-based npm resolution.
Version 24.9.2.1 (16-October-2024)
Resolved Issues
Hotfix: Fixed a null pointer exception in version 24.9.2 which led to failing Maven scans in some scenarios.
Version 24.9.2 (14-October-2024)
New Features and Updates
The Unified Agent is now wrapped within the Mend CLI, allowing users to run SCA scans using the Unified Agent via the Mend CLI with the mend ua command.
Resolved Issues
In cases where the retrieval of scan results fails due to simultaneous requests, instead of timing out the Unified Agent will now fail immediately.
The detection of erroring Maven modules has been improved, potentially leading to fewer dependencies being displayed when maven.allowPartialTree=false, since more modules may now be flagged as ‘partial’.
The Unified Agent now correctly identifies independent Maven projects located under a root folder. In case of an additional independent project, the number of dependencies reported at the end of the scan may increase, as well as the overall scan time.
When setting npm.includeDevDependencies=false, dev dependencies will now be correctly ignored with pnpm lock file version 9.0.
Version 24.9.1.1 (24-September-2024)
Resolved Issues
Hotfix: Fixed an issue introduced in version 24.9.1, where using the -v parameter would result in an exception.
Version 24.9.1 (23-September-2024)
Resolved Issues
Fixed an issue where, under certain conditions, the Unified Agent would fail a pip scan and report a NoSuchMethodError exception.
Version 24.8.1 (27-August-2024)
New Features and Updates
Added support for Go workspaces.
Resolved Issues
Fixed an issue in Gradle resolution where if a settings.gradle file was found in a sub-project but not in the root project, only the root directory was scanned.
Version 24.7.2 (12-August-2024)
New Features and Updates
Added support for lockfile v9 in the pnpm resolver.
Resolved Issues
Fixed an issue in pip resolution where empty requirements.txt files would cause the Unified Agent to fail, under certain conditions.
Version 24.6.2 (15-July-2024)
Resolved Issues
Fixed an issue which led to a failure to resolve transitive dependencies in Python projects when ‘python’ was not configured as a PATH environment variable in the operating system.
Fixed an issue where the hierarchy tree of the dependencies in the setup.py file of a Python project wasn’t resolved when python.resolveHierarchyTree was set to true.
Fixed an issue of failing to identify yarn/pnpm subprojects (workspaces), leading to partial scans of some yarn/pnpm projects.
Version 24.6.1 (01-July-2024)
New Features and Updates
Various SCM-related improvements. Visit the Developer Integrations Release Notes page for more details.
Resolved Issues
Fixed a null pointer exception which led to the failure of the xModuleAnalyzer (Prioritize).
Version 24.5.3 (16-June-2024)
New Features and Updates
A new resolution algorithm for sbt 1.x projects, improving the detection of dependencies, can now be enabled using the sbt.newSbtResolution parameter.
Version 24.5.2 (02-June-2024)
Resolved Issues
Fixed an issue where npm private dependencies with no version would fail the project update.
Version 24.5.1 (19-May-2024)
Resolved Issues
Fixed null pointer exception in Prioritize scans when maven.projectNameFromDependencyFile=true.
In some cases, Swift artifacts' SHA-1 values were not calculated properly, leading to a failure to upload the scan results to the application.
Version 24.4.1 (21-April-2024)
New Features and Updates
SPM Swift resolution support has been added.
Resolved Issues
Fixed an issue where some pipenv transitive dependencies would show up as direct dependencies.
Version 24.3.1 (24-March-2024)
Resolved Issues
When the pom file definition <outputType>dot</outputType> was used, some modules were ignored, and the scan was still considered successful. The scan will now attempt to use a fallback and report a failure if the fallback is unsuccessful.
Version 24.2.2 (10-March-2024)
Resolved Issues
Fixed an issue where an image scan would fail after upgrading the Docker Engine to version 25.0.1.
Fixed an issue where invalid pyproject.toml files would be treated as valid poetry bom files, leading to failures and incomplete scans.
Version 24.2.1 (25-February-2024)
When the "package-lock=false" configuration is set in an .npmrc file, npm resolution will ignore the existing lock file and switch to node_modules-based resolution.
Version 24.1.1 (28-January-2024)
New Features and Updates
Added support for npm-shrinkwrap.json as a part of npm resolution.
Version 23.12.1 (31-December-2023)
Resolved Issues
Fixed a bug where scan results were compromised when Maven "-fae" flag was in use.
Fixed an edge case in which the generateScanReport output turned up empty without a corresponding error message.
Version 23.11.3 (18-December-2023)
New Features and Updates
The Unified Agent now supports disabling the resolution of editable packages for Poetry projects (similar to pip).
Resolved Issues
Fixed a bug when scanning Poetry (Python) code: the pre-step failed when interhooks and build-system were missing.
Version 23.11.2 (03-December-2023, 04-December-2023)
New Features and Updates
In our ongoing efforts to increase result quality, we have introduced an update that will deliver more Go library results and relevant CVE data.
Maven dependency plugin version 3.6.0 is used by default.
Resolved Issues
Added systemPath to Go modules dependencies.
Version 23.11.1 (20-November-2023)
Resolved Issues
npm lock v2 resolution is now based on new v3-style package objects.
Added quotes to the tarball field in pnpm-lock.yaml, as pnpm yaml parser may fail when an unquoted string contains special characters.
Version 23.10.2 (06-November-2023)
New Features and Updates
Added maven.allowPartialTree flag, allowing scans to finish when maven dependency resolution is partial.
Version 23.10.1 (22-October-2023)
New Features and Updates
Support for npm non-versioned packages of non-registry origin (lock file v2 and v3) is available.
Version 23.9.1 (03-October-2023)
New Features and Updates
Target/directory is now part of the exclusion list of fileSystemScan for Java projects.
Version 23.7.2.2 (21-Aug-2023)
New Features and Updates
Added support for npm lockfile version 3. Moving forward, you can either upgrade specifically to the included Unified Agent version 23.7.2.1 or the latest Unified Agent version thereafter to apply the update.
Version 23.7.1 (30-July-2023)
New Features and Updates
The Unified Agent, in collaboration with Prioritize multi-module analyzer, now supports -appPath files in the "out" folder for Maven.
Resolved Issues
Fixed an issue regarding the Unified Agent Maven resolution not identifying transitive dependencies under scope-excludes dependencies.
Version 23.6.2.8 (26-Jul-2023)
Resolved Issues
Hotfix: The Unified Agent's signature file size was reduced to align with the maxSignatureFileSize parameter included in the latest Java releases.
Moving forward, you can either upgrade specifically to the included Unified Agent version 23.6.2.1 introduced in this Mend Server release, or the latest Unified Agent version thereafter to apply the update. You can also verify the integrity of the Unified Agent JAR file.
The related Java versions and their release note item regarding the maxSignatureFileSize parameter are listed below:
Version 23.6.2 (16-July-2023)
Resolved Issues
Prioritize Python scan failed due to the wrong configuration setting of python.resolveHierarchyTree.
Version 23.6.1 (03-July-2023)
Resolved Issues
Fixed an issue where the Unified Agent did not resolve yarn dependencies when the package-lock.json appeared in a parent folder.
Fixed an issue in which the Unified Agent incorrectly resolved files with pom.xml suffix.
The resolution of Bazel Maven projects was not successful in several cases.
Version 23.5.2.1 (07-June-2023)
Resolved Issues
The Unified Agent now supports the resolution of pnpm lock file version 6.
Version 23.5.2 (04-June-2023)
Resolved Issues
In certain instances when a Maven scan had a parent pom that was calling an unreachable repo, the command timed out and failed, but no error message appeared in the Unified Agent log.
The support token printed in the Unified Agent was different from the support token appearing in the Mend application.
Earlier versions of the Release Notes are available in Mend SCA Cloud RN Archive.