Latest vulnerability data (August 2022)
Version history

Version 2022.08.02 • Bitbucket Data Center 7.6.0 - 8.8.2 • Released 2022-08-02 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Latest vulnerability data (August 2022)

Version 2022.08.02 • Bitbucket Server 7.6.0 - 8.8.2 • Released 2022-08-02 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Latest vulnerability data (August 2022)

Version 2022.06.16 • Bitbucket Server 7.6.0 - 8.8.2 • Released 2022-06-16 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Bitbucket 8.x compatibility
No release notes.

Version 2022.05.30 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-05-30 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fix: NPE in MergeBaseScanner
Pushes, PRs, and the "security report" page were causing an NPE on repositories that had older cached MergeBase scans (from previous versions of Code Green).
Also, the branch-selector on the security report is now sorted alphabetically, and always includes the default branch.

Version 2022.05.24 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-05-24 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Updated with latest vulnerability data

Version 2022.05.16 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-05-18 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Significant performance improvement (scans are faster)
Also added a branch-selector to the main MergeBase report screen (to make it easier to scan additional branches beyond the default branch).

Version 2022.03.17 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-03-17 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fix to report caching logic (only update report cache POST merge)
No release notes.

Version 2022.03.15 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-03-15 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Improve performance by caching scan results based on changes to build-files

Version 2022.02.08 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-02-09 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fix NPM and Yarn parsing
NPM and Yarn files were causing CodeGreen to blow up. Fixed!
Also, we now only consider "dependencies" from the Yarn and NPM ecosystems. "devDependencies" are ignored.

Version 2022.02.07 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2022-02-08 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fixed 401 error on MergeBase Global Settings Page
This release updates the internal vulnerability database to include the latest vulnerabilities, and also includes one bugfix:
- Fixed 401 error on MergeBase Global Settings Page

Version 2021.12.28 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-12-29 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Brought in latest vulnerability data (2021 December) including log4j

Version 2021.12.28 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-12-29 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Brought in latest vulnerability data (2021 December) including log4j

Version 2021.07.06 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-07-06 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
CVEs link to nvd.nist.gov; Full Vulnerability Report requires a valid license
One small improvement:
- CVEs in "Full Vulnerability Report" now link to nvd.nist.gov's page for them.
Also:
- The "Full Vulnerability Report" (for a given repository) now requires a valid license. Expired or missing licenses will no longer allow this feature to operate.

Version 2021.07.06 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-07-06 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
CVEs link to nvd.nist.gov; Full Vulnerability Report requires a valid license
One small improvement:
- CVEs in "Full Vulnerability Report" now link to nvd.nist.gov's page for them.
Also:
- The "Full Vulnerability Report" (for a given repository) now requires a valid license. Expired or missing licenses will no longer allow this feature to operate.

Version 2021.06.18 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-06-18 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Introduced diagnostic/tracing screen
Introduced diagnostic/tracing screen to help us troubleshoot weird/slow scan behaviour.

Version 2021.06.18 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-06-18 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Introduced diagnostic/tracing screen
Introduced diagnostic/tracing screen to help us troubleshoot weird/slow scan behaviour.

Version 2021.06.08 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-06-09 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fixed NPE
- Some customers are reporting an NPE after "git push". Fixed.
- Updated vulnerability data to latest.

Version 2021.06.08 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-06-09 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fixed NPE
- Some customers are reporting an NPE after "git push". Fixed.
- Updated vulnerability data to latest.

Version 2021.06.01 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-05-31 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
A number of improvements
Version v2021.06.01 of MergeBase CodeGreen contains a number of important improvements to the plugin:
- Branch name in scan report shows actual branch that was scanned (was hard-coded to "master" even though it actually scanned default branch).
- Admins can specify a banner message that is shown to users whenever a PR or Push is blocked by CodeGreen.
- Admins can configure CodeGreen so that service-accounts skip the hook.
- The "block net-new" feature now includes a much more useful "push rejected" message that contains the actual library names and versions causing the push to be rejected.
- We've made a number of additional minor bugfixes.
Enjoy!

Version 2021.06.01 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-05-31 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
A number of improvements
Version v2021.06.01 of MergeBase CodeGreen contains a number of important improvements to the plugin:
- Branch name in scan report shows actual branch that was scanned (was hard-coded to "master" even though it actually scanned default branch).
- Admins can specify a banner message that is shown to users whenever a PR or Push is blocked by CodeGreen.
- Admins can configure CodeGreen so that service-accounts skip the hook.
- The "block net-new" feature now includes a much more useful "push rejected" message that contains the actual library names and versions causing the push to be rejected.
- We've made a number of additional minor bugfixes.
Enjoy!

Version 2021.05.18 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2021-05-18 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Additional language support (php and go)

Version 2021.05.18 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2021-05-18 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Additional language support (php and go)

Version 2020.11.24 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-11-25 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Bugfix for parsing Maven <dependencyManagement> and new JSON report mode!
Bugfix:
- <exclude> entries inside <dependencyManagement> section of Maven pom.xml were not being respected by our parser.
Enhancement
- Our summary-report and full-report can be toggled into a JSON mode by adding "&json=yes" to the URL.

Version 2020.11.24 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-11-25 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Bugfix for parsing Maven <dependencyManagement> and new JSON report mode!
Bugfix:
- <exclude> entries inside <dependencyManagement> section of Maven pom.xml were not being respected by our parser.
Enhancement
- Our summary-report and full-report can be toggled into a JSON mode by adding "&json=yes" to the URL.

Version 2020.11.02 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-11-02 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Enhancement: detect vulnerable versions in pom.xml <dependencyManagement>
Enhancement: detect vulnerable versions in the pom.xml "<dependencyManagement>" section (including transitives). This is especially useful in situations where a central "BOM" style pom is used that specifies all sanctioned versions for other projects to import. Now the central "BOM" will also be subject to CodeGreen scanning and push/merge policy! :-D
This release also includes a small bugfix for a NullPointerException that was happening with CVEs that were missing CVSS scores.

Version 2020.11.02 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-11-02 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Enhancement: detect vulnerable versions in pom.xml <dependencyManagement>
Enhancement: detect vulnerable versions in the pom.xml "<dependencyManagement>" section (including transitives). This is especially useful in situations where a central "BOM" style pom is used that specifies all sanctioned versions for other projects to import. Now the central "BOM" will also be subject to CodeGreen scanning and push/merge policy! :-D
This release also includes a small bugfix for a NullPointerException that was happening with CVEs that were missing CVSS scores.

Version 2020.10.20 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-10-19 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Accuracy improvements and support for Maven BOM imports
No release notes.

Version 2020.10.20 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-10-19 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Accuracy improvements and support for Maven BOM imports
No release notes.

Version 2020.09.14 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-09-15 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Several bugfixes and improved "Full Vulnerability Report" look & feel
v2020.09.14 improves the "Full Vulnerability Report" so that it looks much better, and also fixes several misc. bugs, including:
- security-risk column on repositories list not displaying properly
- new pushes to master fail to update cached vulnerability totals in the vulnerability report
- the "full report" path locations were sometimes blank

Version 2020.09.14 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-09-15 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Several bugfixes and improved "Full Vulnerability Report" look & feel
v2020.09.14 improves the "Full Vulnerability Report" so that it looks much better, and also fixes several misc. bugs, including:
- security-risk column on repositories list not displaying properly
- new pushes to master fail to update cached vulnerability totals in the vulnerability report
- the "full report" path locations were sometimes blank

Version 2020.09.12 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-09-12 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Several bugfixes
v2020.09.12 fixes several misc. bugs, including:
- security-risk column on repositories list not displaying properly
- new pushes to master fail to update cached vulnerability totals in the vulnerability report
- the "full report" path locations were sometimes blank

Version 2020.09.12 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-09-12 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Several bugfixes
v2020.09.12 fixes several misc. bugs, including:
- security-risk column on repositories list not displaying properly
- new pushes to master fail to update cached vulnerability totals in the vulnerability report
- the "full report" path locations were sometimes blank

Version 2020.08.27 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-09-04 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Support for .NET and misc bugfixes
Now able to scan .NET projects for vulnerabilities.

Version 2020.08.27 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-09-04 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Support for .NET and misc bugfixes
Now supports scanning .NET projects for known vulnerabilities.

Version 2020.05.11 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-05-11 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fixed bug (NPE) on push
Fixed a bug (NullPointerException) that was happening under certain situations during git push.

Version 2020.05.11 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-05-11 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Fixed bug (NPE) on push

Version 2020.04.17 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-04-17 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
New Feature: Vulnerability reports directly in Bitbucket Web UI
One new feature:
- New Feature: Vulnerability reports are now accessible directly through the Bitbucket Web UI.

Version 2020.04.17 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-04-17 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
New feature: Vulnerability reports now accessible directly through the Web UI
One new feature:
- New Feature: Vulnerability reports are now accessible directly through the Bitbucket Web UI.

Version 2020.02.08 • Bitbucket Data Center 5.8.0 - 7.21.4 • Released 2020-02-08 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Two bugfixes and some UI improvements
Two bugfixes:
- Invalid dependency files (e.g., a malformed pom.xml) would blow up entire pre-receive, causing push to get rejected, even if no vulnerabilities were present.
- If a "multi" push included at least one branch-delete or tag-delete the entire push would skip Code Green.
Some UI improvements:
- Zero vulnerability pushes now report "Good job! Keep up the good work!".
- Double-pushes now report "Vulnerabilities still present. Double-push completed." (Whereas before the push would go through with no message at all, potentially causing confusion.)

Version 2020.02.08 • Bitbucket Server 5.8.0 - 7.21.4 • Released 2020-02-09 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Two bugfixes and some UI improvements
Two bugfixes:
- Invalid dependency files (e.g., a malformed pom.xml) would blow up entire pre-receive, causing push to get rejected, even if no vulnerabilities were present.
- If a "multi" push included at least one branch-delete or tag-delete the entire push would skip Code Green.
Some UI improvements:
- Zero vulnerability pushes now report "Good job! Keep up the good work!".
- Double-pushes now report "Vulnerabilities still present. Double-push completed." (Whereas before the push would go through with no message at all, potentially causing confusion.)

Version 2019.12.13 • Bitbucket Data Center 5.8.0 - 6.10.17 • Released 2020-01-15 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Switching plugin from free to paid
No release notes.

Version 2019.12.13 • Bitbucket Server 5.8.0 - 6.10.17 • Released 2020-02-09 • Supported By MergeBase • Paid via Atlassian • Commercial - no charge
Switching plugin from free to paid
No release notes.

Version 2019.12.12 • Bitbucket Data Center 5.8.0 - 6.10.17 • Released 2019-12-13
Ability to parse yarn.lock files
Introduced ability to parse yarn.lock files. Also improved some aspects of the "git push origin HEAD:refs/mergebase/full" report.

Version 2019.12.12 • Bitbucket Server 5.8.0 - 6.10.17 • Released 2019-12-13
Ability to parse yarn.lock files
Introduced ability to parse yarn.lock files. Also improved some aspects of the "git push origin HEAD:refs/mergebase/full" report.