Mend CLI Release Notes
Mend.io reserves the right to modify this page retroactively.
To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between official releases.
Earlier versions are available in the archive.
Version 24.10.3.1 (19-November-2024)
Resolved Issues
Hotfix: Fixed an issue where some larger CLI scans would time out, indicated by the following error message in the log: "message: failed waiting for fail build: scan status is not FINISHED after 20 minutes".
Version 24.10.3 (18-November-2024)
New Features and Updates
The https://saas-il.mend.io environment can now be selected in the interactive setup of the mend auth login command.
(Open Beta) Reachability for Python is now available for organizations hosted on dedicated instances. Both pip and Pipenv are supported.
Resolved Issues
(SCA) Fixed an issue where a user-enabled Gradle configuration cache would prevent the scan from running.
Version 24.10.2 (04-November-2024)
New Features and Updates
Previously, a full scan was triggered instead of an incremental scan when there was a difference between the engine version of the baseline and the current scan.
Moving forward, if a difference is detected, a full scan will only be required for creating a new baseline.
(SCA) Documentation update: The supported languages and package managers are now arranged in an easy-to-consume structure in the support matrix document.
(Open Beta) Reachability for Python is now available for organizations hosted on shared instances. Both pip and pipenv are supported.
Resolved Issues
Resolved an issue where downloads through a proxy failed during Reachability runs. Downloads are now successfully supported via proxy in Reachability.
Version 24.9.2.7 (15-October-2024)
Resolved Issues
Hotfix: The mend help command now contains information about the mend ua command, introduced in 24.9.2. You can find out more in this article.
Version 24.9.2 (14-October-2024)
New Features and Updates
The Unified Agent is now wrapped within the Mend CLI, allowing users to run SCA scans using the Unified Agent via the Mend CLI with the mend ua command.
Version 24.8.2 (09-September-2024)
New Features and Updates
A new command, mend connectivity, is introduced.
This command checks if all external resources needed during the scan are accessible with the current network / proxy settings.
For more information, refer to the relevant Mend CLI Authentication article (Mend Platform / Legacy).
(SAST) [Controlled Release] To help developers reduce the security risk, Mend.io now offers automated remediation suggestions for Code findings in Java, JavaScript/TypeScript and C#.
More details about the automatic remediation for Code Findings in the Mend CLI and how to enable it can be found here.
Version 24.8.1 (26-August-2024)
New Features and Updates
For authentication in the Mend CLI, environment variables will now always take precedence over the settings configured in the interactive setup.
(SCA)
Improved support for Go Workspaces.
Resolved Issues
Fixed an issue where, in some scenarios, a successful authentication erroneously expired, resulting in a Configuration Error message in the terminal.
(SCA)
Fixed an issue which led to scan failure when certain special characters were used in the project name.
Version 24.7.2 (12-August-2024)
New Features and Updates
New CLI outputs for Workflow Violations have been added. The CLI now includes two tables: One for detected violations and another for the workflows that triggered them. These tables appear only if violations are found, providing details such as Finding, Origin, Violations, and Workflows.
Version 24.6.2 (15-July-2024)
Resolved Issues
(SCA)
Fixed an issue with the Mend CLI occasionally misidentifying the parent pom of a Maven dependency, leading to an edge case where an infinite loop would eventually fail the scan.
Version 24.5.3 (16-June-2024)
New Features and Updates
(Container Images)
Updated the Containers layer detection view to show the latest fixed packages from top layers.
Introducing SBOM export for Container Image scans in SPDX and CycloneDX formats.
Version 24.5.1.2 (20-May-2024)
New Features and Updates
(SCA, Container Images)
Full self-contained mode with no API calls to the Mend servers is now available. This mode enables you to run scans without connecting to the Mend server and to upload the results after the scan.
(SAST)
The timeout for the total Code scan duration can now be configured using MEND_SAST_TIMEOUT_TOTAL.
Version 24.4.1.2 (21-April-2024)
New Features and Updates
Proxy support in the Mend CLI is now more robust.
(SCA)
Reachability improvements have been made, to reduce memory used in reachability scans and enhance performance. Memory usage has been reduced by approximately 33%.
Version 24.3.2 (09-April-2024)
New Features and Updates
(SCA)
Added a new upload parameter, --local, which enables you to save the scan output to a local file without updating your project in the application.
Script block commands in package.json files are now supported in Reachability for JavaScript.
Version 24.3.1 (25-March-2024)
New Features and Updates
(SCA)
Reachability is now available for both Core and Mend Platform organizations, helping security and development teams prioritize detected vulnerabilities based on reachability status.
Scala SBT scans are now supported in the Mend SCA CLI.
SCA CLI log contains the Mend CLI version for easier debugging and support.
Version 24.2.2 (11-March-2024)
New Features and Updates
(SAST)
Change in path exclusions behavior: Use of MEND_SAST_PATH_EXCLUSIONS now appends the excluded paths to the default list, and does not overwrite it anymore. To disable the default excluded paths list, use the --no-default-exclusions CLI flag or MEND_SAST_NO_DEFAULT_EXCLUSIONS environment variable.
Resolved Issues
(SCA)
The CLI will resolve the parent module in a Gradle project before the sub-module that is inheriting the dependency version, thus preventing occasional failures in the resolution of dependency versions.
Version 24.2.1 (26-February-2024)
New Features and Updates
(SCA)
npm-shrinkwrap files are now supported for npm resolution.
Version 24.1.2 (12-February-2024)
New Features and Updates
(SCA)
You can now assign labels (applicable for Mend Platform only) to projects or applications directly as part of mend dependencies scan using --label-proj and --label-app flags.
Version 24.1.1 (29-January-2024)
New Features and Updates
(Container Images)
If CVSSv4 is configured as the score used by the customer in the Mend Platform, the CLI will use this score to calculate severity and display it in the CLI output reports.
Introducing a local docker scan flag, to enable users to perform container image scans directly from their local systems.
Version 23.12.2 (15-January-2024)
New Features and Updates
(Container Images)
Users with the Product Administrators or Product Integrators role assignments in the core application can now scan images (added Jan-18-2024).
Version 23.12.1 (01-January-2024)
Resolved Issues
(Container Images)
Fixed a bug where the .txt format of exported ‘mend dep’ scan results (--export-results) did not include the line containing the pointer to the scan results in the platform.
Version 23.11.3 (18-December-2023)
New Features and Updates
(SCA)
You can now assign labels (applicable for unified platform only) to projects or applications directly as part of mend dependencies scan using --label-proj and --label-app flags.
Change in path exclusions behavior: Use of MEND_SCA_PATH_EXCLUSIONS now appends to the default list of excluded paths, and does not overwrite it. To disable the default excluded paths list, use the --no-default-exclusions CLI flag or the MEND_DEP_NO_DEFAULT_EXCLUSIONS environment variable.
Version 23.11.2 (04-December-2023)
New Features and Updates
(SCA, SAST, Container Images)
Added a flag, '--non-interactive', to suppress all graphic UI elements in STDOUT (colors, progress bars, etc.).
Resolved Issues
(SAST)
Environment variables no longer overwrite the values from the interactive setup of the Mend CLI.
Version 23.10.2.5 (06-November-2023)
New Features and Updates
(SCA)
Added dependencyFile property to packages listed in Mend CLI dependencies scan results in json format, pointing to the manifest file generating the call to the package.
(SAST)
Mend CLI now also supports code scans with Podman Desktop on macOS.
Version 23.10.1.2 (23-October-2023)
New Features and Updates
(SCA)
Corrected the recognition of npm scoped packages in lock file v3.
Support for npm unversioned packages of non registry origin (lock file v2 and v3) is available.
(SAST)
For multi-language projects, the scan order of the languages is now always deterministic.
In the CLI output, the order of entries in the findings summary table at the end of a scan is now always deterministic.
Version 23.9.1.1 (03-October-2023)
Resolved Issues
(SCA)
Mend CLI now takes into consideration ignored alerts set in the platform and excludes them from scan results.
Version 23.8.2 (10-September-2023)
New Features and Updates
(Container Images)
Introducing policy violation support in the CLI, enforcing compliance and security policies directly in your command-line interface for container image scans, including a fail flag option for pipeline scans (released September 20, 2023).
Version 23.8.1.1 (28-August-2023)
New Features and Updates
(Container Images)
A hotfix was implemented to support vulnerability detection in the newest Debian release (13, aka Trixie).
Version 23.8.1 (27-August-2023, 28-August-2023)
New Features and Updates
August 28th, 2023:
(SCA, SAST, Container Images)
The Mend CLI scan commands' names have changed.
Run mend dependencies or mend dep for the SCA scan. The previous command was mend sca.
Run mend code for the SAST scan. The previous command was mend sast.
Run mend image for the Container Image scan. There is no change from the prior command.
Note: Backward compatibility is preserved, meaning you can still use mend sca and mend sast. However, we recommend switching to the updated commands at your earliest convenience.
(SAST)
Improved recognition of hard-coded secrets in Python projects.
To create better visibility, the new Java engine now flags scans as partially successful in case no entry points were detected for a project.
Major improvements of the accuracy of C# detection in general and especially for MVC framework handling. To prevent unwanted impact on the existing findings and trend data, these improvements have to be enabled through a feature flag. Please contact your CSM if you want to update.
In detail, adjustments to the following vulnerability types were done:
CWE-22 - Path/Directory Traversal
CWE-209 - Log Messages Information Leak
CWE-472 - Hidden HTML Input
CWE-601 - Unvalidated/Open Redirect
CWE-798 - Hardcoded Password/Credentials
The following vulnerability types were completely removed:
CWE-244 - Heap Inspection
CWE-434 - File Upload in HTML
Resolved Issues
August 27th, 2023:
(SCA, SAST, Container Images)
Fixed an issue where CLI authentication via environment variables had impact outside of original shell.
Please run mend update before your next Mend dependencies scan.
August 28th, 2023:
(SAST)
Incremental scanning of PL/SQL projects now works correctly.
File patterns for detecting ASP.NET files are now more precise.
Var Args are now handled correctly by the new Java engine.
(SCA)
Fixed an issue where CLI authentication via environment variables for SCA scans (mend dependencies) had an impact outside of the original CLI shell.
Note: You will be required to run mend update before your next mend dependencies scan to apply the update.
Version 23.7.1 (30-July-2023)
New Features and Updates
(SAST)
Struts support of the new Java engine was improved by starting analysis also for subclasses of the class that defines an entry point method.
The new Java engine now supports scanning of JSP projects.
The new Java engine can now be used on Alpine Linux. This requires the installation of an additional library, 'libc6-compat', in the Alpine container.
Added support for the detection of hard-coded AWS Access Keys in Python projects.
Resolved Issues
(SAST)
Solved a memory issue that could occur when parsing TypeScript projects.
Set correct default values in case a configuration parameter is not present in the JSON scan configuration file.
SQL Injection detection for PL/SQL now treats the EXECUTE method correctly to prevent false positives.
Version 23.6.2.1 (16-July-2023)
New Features and Updates
In the Project Vitals section of the application, the CLI plugin name and version have been corrected.
Scan results can now be viewed for application layers only, by excluding base layer findings via the CLI.
This enhancement currently supports viewing only in the CLI output; support in the UI will follow later.
(Container Images)
Introducing base directory change for image scanning; an option recommended for scanning large images, allowing users to specify a custom scan directory for a more flexible and optimized scanning process.
Version 23.6.1.3 (03-July-2023)
New Features and Updates
Mend CLI now supports proxy settings configuration through environment variables. See Mend CLI documentation for details.
(SCA)
The Mend CLI sca scan now enables users to control the log level by setting the MEND_LOG_LEVEL environment variable.
Version 23.5.2.1 (04-June-2023)
New Features and Updates
(Container Images)
Non-admin users can now scan their container images using the Unified CLI.