Mend SAST Release Notes

Mend.io may modify this page retroactively from time to time.

  • To stay informed about hotfixes, modifications, and additions to Mend SAST, check this page from time to time between official releases.

  • For all the release notes about the Mend Platform, visit this page.

  • For release notes of all of Mend.io’s products, visit this page.

Version 24.11.1 (02-December-2024)

New Features and Updates

  • For the Python gen 2 detection engine, “CWE-20: Improper Input Validation” is split into two new vulnerability types, “CWE-20: Mail Relay” and “CWE-20: Memcache Injection Vulnerability”, which allows for a more fine-grained analysis.

  • Updated the layout of the Code Findings table and the Code Finding Details panel to improve the usability.

Resolved Issues

  • On Windows, path exclusions are now handled correctly when detecting the programming languages of a project.

Version 24.10.3 (18-November-2024)

New Features and Updates

  • Introduced a new control in the Code Scan Configuration that lets you choose between fast, balanced, and deep scans for any of the gen 2 detection engines. Fast scans are optimized for performance, while deep scans are optimized for the most extensive detection of findings.

  • Project-specific Code Scan Configurations can now also be stored before the project is scanned for the first time.

Resolved Issues

  • Several minor fixes related to data consistency in incremental scans.

Version 24.10.2 (04-November-2024)

New Features and Updates

  • Improved the performance of incremental scans.

Resolved Issues

  • Reverted a rule change that was intended to reduce the number of false positives reported for Cross-Site Scripting in React, because it also suppressed true positive findings.

  • Fixed an error in the generation of the Python AST.

  • Special characters in organization names that could prevent report creation are now handled correctly.

Version 24.10.1 (21-October-2024)

New Features and Updates

  • Skipped minified JavaScript files are now reported in the scan summary of the Mend CLI and the Scan Log view of the Mend Platform.

Version 24.9.2 (14-October-2024)

New Features and Updates

  • Mend Code results can now be integrated into Invicti, our partner for dynamic application security testing (DAST), to get a holistic view of SAST and DAST findings.

  • Code analysis of ASP.NET projects now supports multi-core processing.

  • Several accuracy improvements for Java and C#.
    In detail, the following CWEs have been adjusted:
    Java:

    • CWE-79: Cross-site Scripting (XSS)

    • CWE-497: Sensitive System Information

    • CWE-918: Server-side Request Forgery (SSRF)

    C#:

    • CWE-78: Command Injection

    • CWE-89: SQL Injection

    • CWE-918: Server-side Request Forgery (SSRF)

Resolved Issues

  • Files that were skipped during the code analysis due to file size limitations are now correctly reported in the analysis summary.

Version 24.9.1 (23-September-2024)

New Features and Updates

  • [Controlled Release] Introducing a new generation of the Mend.io detection engines for Python: Compared to the first generation, the new generation has larger CWE coverage and produces far less noise. For ease of transitioning to this new engine, the onboarding parameter has been made configurable so that you can decide when to make the switch. Specify which generation of the detection engine is used to perform scans via the new CLI parameter --python-engine-generation. Your current scan configuration is automatically carried over when you update to the new generation.

  • The specific exclusion patterns configured for a single scan are now visible in the configuration view of the scan.

Version 24.8.2 (09-September-2024)

New Features and Updates

  • [Controlled Release] To help developers reduce security risk, Mend.io now offers automated remediation suggestions for Code findings in Java, JavaScript/TypeScript and C#. The suggestions are presented in the web UI of the Mend Platform and integrated into Jira tickets generated for Code findings. Within the repository (GitHub.com and GitHub Enterprise) an end-to-end remediation flow is offered, which allows developers to immediately update their feature branches with a click of a button to fix a newly introduced vulnerability before merging the code. More details about the automatic remediation for Code findings and how to enable it can be found here.

  • Several small improvements to the analysis accuracy of the gen 2 JavaScript detection engine.

  • The gen 2 JavaScript detection engine now supports the analysis of JavaScript code in .html and .ejs files.

  • Added more patterns to the default exclusions for JavaScript to prevent external libraries from being scanned as project code.

Resolved Issues

  • The Scan Log view now correctly reports if an incremental or a full scan was performed for any gen 1 detection engine.

Version 24.8.1 (26-August-2024)

New Features and Updates

  • The VB.net detection engine now also supports .vbproj files.

Resolved Issues

  • Frontend-specific files like JSP, CSHTML or ASPX are now correctly handled in the incremental scan of the gen 2 detection engine.

  • When a Jira ticket is created from a Code finding, it now correctly displays the Project, Application and Organization name instead of an ID.

  • When multiple taint sources were located in the same file and their data flows were reaching the same sink, only a single representative was displayed. This has been corrected so all data flows are visible now.

Version 24.7.2 (12-August-2024)

New Features and Updates

  • To improve scan performance, SAST scan results are now processed asynchronously. This introduces a new scan state: "Processing". When querying SAST findings via an API, it is now mandatory to verify that the scan status is neither "Running" nor "Processing" before consuming the results; a client that only waits for "Running" to end will read an incomplete result set.
    Note: This feature introduces a breaking change and is therefore rolled out in a phased approach, beginning with new deployments only. In the next phase, SAST customers who are expected to be impacted by the change will gradually be contacted by their CSM at Mend.io prior to enabling the feature, to ensure a smooth transition into the improved scan processing mode.

  • Resource usage of a scan is now continuously monitored so that the scan fails gracefully before it runs out of resources, ensuring that at least partial scan results are always available.

  • The new engine generation for Java, C# and especially JavaScript/TypeScript is now handling imports more efficiently to further reduce scan times.
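The asynchronous processing note above means API clients must treat both "Running" and "Processing" as in-progress. The following polling helper is an added example, not Mend's code: the Mend Platform API endpoints are not documented on this page, so the status lookup and the findings fetch are injected as callables with assumed signatures (status(scan_id) -> str, findings(scan_id) -> list), the FakeScanApi is a constructed stand-in used only to run the example offline, and "Success" is an assumed terminal state name (the page does not list terminal states).

```python
"""Poll a SAST scan until it has left both in-progress states before reading
its findings.

Added example to illustrate the "Processing" state introduced above. It is not
Mend's code: the Mend Platform API endpoints are not described on this page,
so the status lookup and the findings fetch are injected as callables with
assumed signatures (status(scan_id) -> str, findings(scan_id) -> list).
"""
import time
from typing import Callable, List

# States during which findings are incomplete (from the release note above).
IN_PROGRESS_STATES = frozenset({"Running", "Processing"})


class ScanNotFinished(TimeoutError):
    """Raised when the scan is still in progress when the timeout elapses."""


def wait_for_scan(get_status: Callable[[str], str], scan_id: str, *,
                  timeout: float = 600.0, initial_delay: float = 1.0,
                  max_delay: float = 30.0,
                  clock: Callable[[], float] = time.monotonic,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Block with exponential backoff until the scan is neither "Running" nor
    "Processing"; return the state it ended in. Terminal state names are not
    given on this page, so any other state is treated as final."""
    deadline = clock() + timeout
    delay = initial_delay
    while True:
        status = get_status(scan_id)
        if status not in IN_PROGRESS_STATES:
            return status
        if clock() >= deadline:
            raise ScanNotFinished(f"scan {scan_id} still {status!r} after {timeout}s")
        sleep(delay)
        delay = min(delay * 2, max_delay)


def fetch_findings_when_ready(get_status: Callable[[str], str],
                              get_findings: Callable[[str], List[dict]],
                              scan_id: str, **wait_kwargs) -> List[dict]:
    """Only read findings once the scan has left both in-progress states.
    A client that stops waiting at the first non-"Running" status would read
    during "Processing" and get an incomplete result set."""
    wait_for_scan(get_status, scan_id, **wait_kwargs)
    return get_findings(scan_id)


class FakeScanApi:
    """Constructed stand-in for the platform API, used only to exercise the
    polling logic offline. The scan walks through `states` on successive
    status calls; the full findings list is only returned once the last
    state has been observed, mimicking results still being processed
    asynchronously."""

    def __init__(self, states: List[str], findings: List[dict]) -> None:
        self._states = list(states)
        self._findings = findings
        self.status_calls = 0

    def status(self, scan_id: str) -> str:
        idx = min(self.status_calls, len(self._states) - 1)
        self.status_calls += 1
        return self._states[idx]

    def findings(self, scan_id: str) -> List[dict]:
        if self.status_calls >= len(self._states):
            return list(self._findings)
        return []  # results not yet processed: partial (here empty) view


if __name__ == "__main__":
    # "Success" is an assumed terminal state name; the finding is constructed.
    api = FakeScanApi(["Running", "Processing", "Processing", "Success"],
                      [{"cwe": "CWE-79", "file": "app/views.py"}])
    delays: List[float] = []
    print(fetch_findings_when_ready(api.status, api.findings, "scan-1",
                                    sleep=delays.append, clock=lambda: 0.0))
    print("backoff delays:", delays)
```

Injecting `clock` and `sleep` keeps the backoff and timeout testable without real waiting; in production leave the defaults and set `timeout` to something comfortably above your longest scan, since a scan that fails gracefully still needs to finish "Processing" before its partial results are safe to read.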

Resolved Issues

  • Fixed an issue where, under some rare conditions, scans with the new JavaScript engine were hanging.

  • Resolved an error in the PHP engine that could cause inconsistent scan results.

  • Files with the .aspx.cs extension are no longer scanned by the VB.net detection engine.

Version 24.7.1 (28-July-2024)

New Features and Updates

  • The number of type-analysis steps for the gen 2 engines is now configurable.

  • Auto-generated files of an Angular application-build like runtime.js or polyfill.js are excluded by default when analyzing JavaScript/TypeScript code.

Version 24.6.1 (30-June-2024)

New Features and Updates

  • If a Jira ticket is created from a finding, the status of the ticket can be monitored within the Code findings table. Each finding also provides a hyperlink to the corresponding ticket in Jira and provides further information about the ticket in the Code Finding Details drawer.

  • The Gen2 C# detection engine now supports entry points from Azure Service Bus.

Version 24.5.3 (17-June-2024)

New Features and Updates

  • Global Scan Configuration: To allow the management of Code scans at scale, it is now possible to create Code scan configuration templates on an organization level. These configuration templates can be used as a default for all scanned projects or can be explicitly assigned to a specific set of Applications / Projects. When a template is modified (e.g. a certain CWE is disabled), this will immediately affect all projects using this template.

Version 24.5.2 (03-June-2024)

Resolved Issues

  • Jira issues created on demand for a specific finding are now using the "Mend" issue type instead of the "Whitesource" issue type.

Version 24.5.1 (19-May-2024)

New Features and Updates

  • Improved analysis accuracy for Ruby.

  • For suppressed findings, the Code findings table now also includes information about the suppression date and the user who performed the suppression.

  • Findings can now be suppressed even if a Jira issue was previously created for them.

  • Jira issues created for Code findings are now using the Mend issue type.

Resolved Issues

  • Improved scanning of ASPX files with the new C# engine.

  • User permissions on Application level are now handled correctly.

  • Filtering suppressed Code findings now works correctly.

Version 24.3.2 (08-April-2024)

New Features and Updates - Q1, 2024

  • Improved the detection accuracy of the new C# engine. In detail, improvements for the following CWEs were added:

    • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • Scans are no longer reported as partially successful when no entry points were detected for a certain language. The information about missing entry points is still visible in the Scan Log view.

  • Secure Code Warrior training solution is now integrated into the Code Finding Details view. For each finding, corresponding training resources will help developers to better understand the vulnerability, resolve it in a shorter amount of time, and increase their awareness to prevent similar issues in the future.

  • Introducing a new generation of Mend.io’s detection engines for C#, JavaScript and TypeScript: Compared to the first generation, scan speed is improved by up to 50%, with much higher precision and recall rates. For ease of transitioning to this new engine, we’ve made the onboarding parameter configurable so that you can decide when to make the switch. Specify which generation of the detection engine is used to perform scans via the new CLI parameters, --js-engine-generation and --csharp-engine-generation. Also, your current scan configuration will automatically be carried over when you update to the new version.

  • The Scan Log view now displays a breakdown of scan duration per language and reports about the number of files that were analyzed during an incremental scan.

  • The Code Findings view has been redesigned, including additional capabilities like browsing through the findings from the Details view or generating a deep link for a finding.

  • The default timeout per file for the new Java engine was increased to 10 minutes.

  • The status of the Code analysis together with potential error messages is now reported individually for each language within the Scan Log view of each scan. 
