Mend Container Release Notes

• Mend.io might modify this page retroactively from time to time.

• To stay informed about hotfixes, modifications, and additions to Mend.io's products, check this page from time to time in between official releases.

• Mend CLI release notes are listed under the “Mend Developer Integrations Release Notes” page.

• Access all release notes for Mend.io’s products.

Version 25.3.1 (23-March-2025)

New Features and Updates

• Introducing the ability to scan local filesystems with the Mend CLI, allowing organizations to run scans on their VMs locally. This feature expands the mend image flexibility, offering users comprehensive OS and language coverage. Results are seamlessly integrated into existing scan flows, supporting SBOM and export formats.

• We've enhanced container image security with automatic and asynchronous CVE and package data updates, eliminating the need for rescans to get the latest data. Allowing you to stay up to date with the latest vulnerability insights without extra effort.

• The Container findings layer view is now more accessible, using the navigation tabs.

Version 25.2.2 (09-March-2025)

New Features and Updates

• Introducing enhanced Package and License side-panels, improving user experience with package visibility and license violation tracking. Users can now toggle the Legal view from the Packages tab and view license details seamlessly.

• Exposing the layer SHA into the layer view of container findings, to allow cross-referencing results with live images.

Version 25.2.1 (23-February-2025)

New Features and Updates

• A license side panel is now visible in the Mend AppSec Platform, for each license detected for container images, with general information about the license compliance data and sources.
  More information about Container findings, including licenses, is available here.

• Now supporting excluding security checks in Container scans using the --skip-security-checks CLI parameter, to allow flexibility and performance improvement for lean scans (without secret scanning, and without Reachability analysis).

Resolved Issues

• Resolved an issue in K8s native integration to support input files in YAML format.

Version 25.1.2 (09-February-2025)

Resolved Issues

• The Hide base layer filter was adjusted to filter the automated layers detected as a base, when the base image algorithm is not applied.

• Resolved an issue where the API incorrectly retrieved a library's lower version in layer 3, despite a higher version being present in layer 4. Now, the higher version is prioritized, and the lower one is ignored.

Version 25.1.1 (26-January-2025)

New Features and Updates

• Introducing Global CVE and package search for Container Findings on the Mend Platform, enabling you to search for vulnerabilities and packages across your organization for enhanced visibility and faster blast-radius analysis for high-profile security vulnerabilities, by providing risk context and detailed insights into container findings.

• Supporting scan tags for Container image scans by seamlessly adding tags to your container image scans for improved scan management and traceability.

Resolved Issues

• Fixed an issue where the Mend CLI would erroneously identify a mismatch between the Installed version and the Fixed Version of a package, when the latter was preceded by a 0: epoch, leading to false-positives.

Version 24.12.1 (06-January-2025)

Resolved Issues

• Fixed Golang version parsing for devel versions.

• Improved detection of RedHat and CentOS vulnerabilities.

Version 24.11.2 (15-December-2024)

New Features and Updates

• Enhancing your visibility into container images by identifying base images in image scans, to enable effective focus on what can be fixed. This feature is complemented by the ability to filter issues coming from base images.

Version 24.11.1 (01-December-2024)

New Features and Updates

• Reassigning a project which includes container scans to another application in the platform will now move all of the project’s container-related findings and package data to the new application.

Version 24.10.3 (17-November-2024)

New Features and Updates

• Added support for Access Token authentication in the Jfrog Artifactory (Cloud) registry integration.

• Added support for the following distributions:
  openSUSE Tumbleweed, SLE Micro 5.0-5.4 and Azure Linux 3.0

(10-November-2024) - Hotfix

Resolved Issues

• Fixed an issue where license changes did not persist across subsequent container image scans.

Version 24.10.1 (20-October-2024)

New Features and Updates

• Added support for the SPDX 2.3 and CycloneDX 1.5 SBOM standards in the Container Image SBOM report.

• Added support for PAT token authentication in the Docker Hub registry integration.

Resolved Issues

• (Legacy SCA) Fixed an issue which led to incorrect Get Image Vulnerabilities API results being returned for page 0.

Version 24.9.1 (22-September-2024)

New Features and Updates

• Changed the EPSS filter for Containers to be an open range.

Resolved Issues

• Fixed some RPM license detection gaps in Container Images.

Version 24.8.2 (09-September-2024)

Resolved Issues

• Updated backward compatibility fixes for the json output of container image scans that were introduced in 24.7.1.

Version 24.8.1-4 (02-September-2024)

New Features and Updates

• Added copyright text data to the Container Image SBOM report.

Version 24.8.1-1 (27-August-2024)

New Features and Updates

• Added support for detecting vulnerabilities in the Golang “stdlib” package.

Resolved Issues

• Enhanced NuGet detection capabilities by adding support for analyzing packages defined in 'deps.json'. This update addresses false negative (FN) issues and improves detection accuracy, now correctly identifying the 'Newtonsoft.Json' package.

Version 24.8.1 (25-August-2024)

New Features and Updates

• Jira ticket details for Container findings are now available in the Mend Platform UI.

• Fixed the json output of container image scans (backward compatibility) to changes that were introduced in 24.7.2.

Version 24.7.2 (11-August-2024)

New Features and Updates

• Added the ability to suppress container image scan findings from the Mend Platform UI.

• Added C# support for static container reachability, allowing you to find unused packages in .NET-based images and reduce security noise.

• Introducing a major improvement for the container image scanner, including detection improvements for the following languages: Go, Java, C#, Rust, and Python, as well as license support in the SPDX format.

• Added SPDX 2.3 and CycloneDX 1.5 to the list of available SBOM standards in the Container Image SBOM export via the Mend CLI.

• Introducing .NET (C#) support for container image scans with vulnerability detection for .dll files.

• (Closed Beta) Introducing Infrastructure-as-Code (IaC) scanning, available in the Mend CLI, that focuses on configuration file analysis to detect misconfigurations and provides resolution information to help resolve them.

Version 24.7.1 (28-July-2024)

New Features and Updates

• Added support for configurable schedule settings for Registry Integration and static scheduling for the Sysdig Integration, to allow automated image scan flow with the various Mend.io integrations.

Resolved Issues

• Modification to the json and sarif outputs of the Container scans: The layer number and CVSS vendor type were added to the json output. Licenses were removed from the sarif output (a security-only format).

Version 24.6.1 (01-July-2024)

New Features and Updates

• Adding security support for Azure Linux (Mariner) distribution.

Version 24.5.3 (16-June-2024)

New Features and Updates

• Introducing SBOM export for Container Image scans in SPDX and CycloneDX formats. Available in the Mend CLI as well as the Mend Platform UI.

  • Supported for scans executed using Mend CLI version 24.5.3 (released June 2024) and above.

• Mend CLI: Updated the Containers layer detection view to show the latest fixed packages from top layers.

Version 24.5.1 (22-May-2024)

New Features and Updates

• Introducing Java dependencies detection improvement with transitive JAR detection.

Version 24.3.2 (05-May-2024)

New Features and Updates

• Announcing Python support for our Static Container Reachability Analysis. Now you can enjoy reducing the risk in Python-based cloud-native applications early in the SDLC, with thorough evidence for reachable paths.

14-March-2024

New Features and Updates

• Introducing Mend.io’s unique static Container Reachability, empowering teams to know which vulnerabilities and packages are reachable before runtime, revolutionizing the way vulnerabilities are prioritized and analyzed in containerized environments, and reducing the security noise by 60% on average. Available out of the box in our CLI scanner for Container Images. Contact your Account Executive or Customer Success Manager for additional information about Mend Container and how to enable it for you.