
Releases: eclipse/steady

3.1.1

09 Jul 15:44
98157b5

Bug fixes:

  • Introduced with 3.1.0: Project-internal dependencies in multi-module Maven projects resulted in inconsistent JSON that was rejected by the backend, which meant that the entire project (application) could not be uploaded.

3.1.0

04 Jul 08:26
94dad0f

Features:

  • Dependency trail: The Maven plugin collects the entire trail of application dependencies, which is displayed in the dependency details view. The depth of the dependency trail is shown in the dependencies overview table.
  • The JarAnalyzer extracts information from embedded pom.xml files (where present). This information is used to detect vulnerable code even if the package of the respective Java classes has been changed during rebundling (e.g., from com.google.common to avro.shaded.com.google.common). Note: Vulnerabilities in rebundled classes whose package did not change were already detected in the past.
  • A first version of a SlicingInstrumentor can be used to disable all non-reachable constructs (according to static and dynamic analyses) of application dependencies, with the goal of reducing the overall attack surface of Web applications.

Improvements:

  • The average age of dependencies is displayed in months.
  • The columns for static and dynamic analysis results in the vulnerabilities overview table are hidden by default.

3.0.19

12 Jun 08:37

Improvements:

  • New REST endpoint to update metadata of archives known to PyPI or Maven Central.

Bug fixes:

  • Non-vulnerable archives on the mitigation tab were displayed in the wrong table row (or not at all), due to a bug related to the caching of the related requests (introduced with 3.0.18).

3.0.18

06 Jun 06:42

Features:

  • First version of a slicing instrumentor, which makes it possible to disable library constructs that have not been traced beforehand and that were not part of the call graph (#173).

Improvements:

  • The Soot module has been moved from a profile to the main section of the Vulas pom.xml, so that the Soot reachability analysis can be used by all scan clients (#176, #177).
  • Extended caching of frontend requests.

Bug fixes:

  • Maven plugin, goal prepare-vulas-agent: If not configured explicitly with vulas.core.appContext.group, vulas.core.appContext.artifact and vulas.core.appContext.version, the coordinates used for identifying an application in the backend are read from its pom.xml (#190).
  • Maven plugin, goal report: If the application coordinates are explicitly configured and differ from the ones in the pom.xml, the report of multi-module Maven projects was wrongly created using the coordinates of the pom.xml (#191).
  • Web frontend: Fixed the search for constructs in application dependencies (#188).
  • Trace upload: The lastChanged timestamp of applications was not updated upon trace upload. As a result, the Web frontend only showed the old, cached results. The traces were only visible when reloading without using the cache.

3.0.17

26 Apr 14:09
9696a92

Features:

  • Collect release dates of dependencies from Maven Central and PyPI in order to compute the average age of dependencies (shown on the dependencies tab)

Improvements:

  • Fields added to instrumented classes are transient
  • New configuration option to add arbitrary Java annotations to fields added to instrumented classes
  • Loading of configuration files embedded in JARs no longer depends on the presence of the URLClassLoader

Bug fixes:

  • Fixed bug in application export that resulted in malformed JSON (caused by the partition size)
  • Fixed bug in application export that resulted in IllegalStateExceptions and missing applications (caused by the multi-threaded use of a static field of type SimpleDateFormat)

3.0.16

12 Apr 08:29
0d15c3a

Features:

  • New REST API to get all applications of a given workspace (incl. bugs and exemptions) (#129)

Improvements:

  • Improved handling of default workspaces in the respective REST controller (com.sap.psr.vulas.backend.rest.SpaceController)
  • Significantly reduced amount of JSON data uploaded during APP goal execution

Bug fixes:

  • Custom Maven scopes no longer result in Java IllegalArgumentExceptions

3.0.15

14 Mar 13:25
403ca55

Features:

  • Display of CVSS v3 base scores (where available)
  • Search API for workspaces
  • Possibility to make workspaces read-only (no REST API yet)

Improvements:

Bug fixes:

  • Web frontend: Fixed link to ExploitDB in vulnerability details page, fixed link to NVD in call graph page
  • Maven plugin: Dependency scopes other than the 6 defined by Maven 3 are treated as RUNTIME

3.0.14

21 Feb 11:20

Features:

  • Integration and documentation of the Soot static analysis framework into the reachability analysis (cf. reachable from app) (thank you @anddann)
  • New Maven goal prepare-vulas-agent, which results in a much smaller Maven profile (cf. setup and dynamic instrumentation) (thank you @anddann)
  • Links to application analysis results now include the workspace token, hence, can be shared much more easily

Improvements:

  • Support of Maven parallelization (#85)
  • Verification of the workspace token (#92)

Bug fixes:

  • System properties are properly reset between JUnit test case executions (#88)
  • Fixed a bug in the Web frontend: When two applications with the same GAV existed in different workspaces, the analysis data was not reloaded when switching from one workspace to the other

3.0.13

17 Jan 12:02
868d804

Improvements:

  • Added additional information to vulndeps export from HubIntegration endpoint (e.g., reachable, clientVersion)
  • Frontend-apps: The size of the list of applications is now configurable from the settings popup

Bug fixes:

  • Corrected POST/PUT of vulnerabilities without construct changes (issue affecting release 3.0.12)

3.0.12

13 Dec 13:31

Improvements:

  • Inform about unnecessary exemptions in the HTML report and console log (WARN)
  • Show total number of applications in workspace plus the number of search hits (X displayed out of Y)

Bug fixes:

  • Corrected links to non-NVD vulnerabilities in the HTML report