Mend SCA Release Notes
Mend.io may modify this page retroactively from time to time.
To stay informed about hotfixes, modifications, and additions to Mend SCA, check this page from time to time in between official releases.
For release notes pertaining to the legacy SCA Core application, please visit this page.
For all the release notes about the Mend Platform, visit this page.
For release notes of all of Mend.io’s products, visit this page.
Version 24.11.1 (01-December-2024)
New Features and Updates
Enhanced the user experience of the SCA tables in the AppSec Platform.
Introducing the --dev parameter.
This new parameter enables scanning of development tools and dependencies - those used during the development phase but usually not included in the final application build.
Supported package managers: npm, Maven, Gradle, Go, Ruby and SBT.
Version 24.10.3 (18-November-2024)
New Features and Updates
Introducing Risk Factors, grouping the Reachability, Exploitability and Maliciousness statuses of your dependencies and providing a Risk Factor icon representation for each of them throughout Mend SCA. The Risk Factors column is filterable, allowing users to prioritize findings and reduce alert fatigue.
(Open Beta) Reachability for Python, introduced in version 24.10.2, now supports the Poetry package manager in the supported repo integrations.
Version 24.10.2 (04-November-2024)
New Features and Updates
(Open Beta) Reachability for Python is now available for both the Mend CLI and the GitHub repo integrations, for both pip and Pipenv.
Note: Reachability for Python in the GitHub Enterprise integration can be enabled on demand, starting from version 24.10.1.1 of the integration.
Version 24.10.1 (20-October-2024)
New Features and Updates
The SBOM Import feature is now generally available, allowing users to upload SBOM files to create new projects in the Mend AppSec Platform or update existing ones.
Version 24.9.2 (13-October-2024)
New Features and Updates
The Unified Agent is now wrapped within the Mend CLI, allowing users to run SCA scans using the Unified Agent via the Mend CLI with the mend ua command.
To indicate when a library is both a direct dependency and a transitive dependency, a "Direct/Transitive" parameter has been added to the Dependency column in the following tables:
Security -> Dependencies -> Libraries
Security -> Dependencies -> Findings
Compliance -> SBOM -> OOS List
Version 24.8.2 (08-September-2024)
New Features and Updates
Added Package Health information on the Recommended Fix tab of vulnerable packages, providing additional insight into the optimal upgrade path for your vulnerable package.
Added a maintenance status on npm package versions, marking them as Deprecated or Maintained, helping you to decide whether it’s safe to upgrade to those versions or not.
Added vulnerability data to the Dependencies SBOM report in the SPDX standard. Vulnerability data can be excluded from the report by toggling this option off in the ‘Create Report’ wizard.
Version 24.8.1 (25-August-2024)
New Features and Updates
Improved support for Go Workspaces in the Mend CLI.
Added a Package URL (Purl) column to the Dependencies Inventory report.
Resolved Issues
Fixed an issue which led to scan failure in the Mend CLI when certain special characters were used in the project name.
Version 24.7.2 (11-August-2024)
New Features and Updates
CycloneDX 1.5 has been added to the list of available SBOM standards in the Dependencies SBOM report.
Resolved Issues
Fixed an issue in SCA Reachability for Java, which under certain conditions led to incorrect identification of reachable/unreachable elements.
Version 24.7.1 (28-July-2024)
New Features and Updates
Added the option to exclude vulnerabilities from Dependencies SBOM reports in the CycloneDX standard, by toggling this option off in the ‘Create Report’ wizard.
Improved the level of flexibility and control over attribution data, by adding a modal interface that allows users to override copyrights for a selected library.
The SCA license coverage has been enhanced with additional licenses and further alignment with SPDX standards.
Labels are now supported in the Attribution Report.
Version 24.6.1 (30-June-2024)
New Features and Updates
(Closed Alpha) A new project can now be created by importing a previously generated Dependencies SBOM report file.
Mend SCA now allows users to define libraries as commercial and lists commercial libraries in a separate tab on the Libraries page.
(Closed Beta) Added Package Health information on the Recommended Fix tab of vulnerable packages, providing additional insight into the optimal upgrade path for your vulnerable package.
(Closed Alpha) Added a maintenance status on npm package versions, marking them as Deprecated or Maintained, helping you to decide whether it’s safe to upgrade to those versions or not.
Version 24.5.3 (17-June-2024)
New Features and Updates
The Dependencies SBOM report now supports SPDX 2.3 (in addition to SPDX 2.2 and CycloneDX 1.4).
The Dependencies SBOM report in the CycloneDX standard is now embedded with VEX data.
Version 24.4.1 (21-April-2024)
New Features and Updates
SCA Reachability | Improvements have been made to reduce the memory used in reachability scans and to enhance performance. Memory usage has been reduced by approximately 33%.
Version 24.3.2 (8-April-2024)
New Features and Updates - Q1, 2024
Risk Data - CVSS 4, Exploitability, Reachability, Malicious Package
ML BOM
Historical Scans View
Automation Engine Support: Scan Complete Event
Failed Build and Policy Violation Support
Jira Ticket Creation
Etc. (see Platform Section)
On Demand Jira Ticket Creation
Reports: SBOM, Risk, Due diligence, Inventory, Attribution (Read only), Findings