Latest vulnerability data (August 2022)

Latest vulnerability data (August 2022)

Pushes / PR's / and the "security report" page were causing a NPE on repositories that had older cached MergeBase scans (from previous versions of Code Green).

Also, the branch-selector on the security report now sorted alphabetically, and always includes the default branch.

Updated with latest vulnerability data

Significant performance improvement (scans are faster)

Also added a branch-selector to the main MergeBase report screen (to make it easier to scan additional branches beyond the default branch).

Improve performance by caching scan results based on changes to build-files

NPM and Yarn files were causing CodeGreen to blow up. Fixed !

Also, we now only consider "dependencies" from the Yarn and NPM ecosystems. "devDependencies" are ignored.

• Fixed 401 error on MergeBase Global Settings Page

Brought in latest vulnerability data (2021 December) including log4j

Brought in latest vulnerability data (2021 December) including log4j

One small improvement:

• CVE's in "Full Vulnerability Report" now link to nvd.nist.gov's page for them.

Also:

• The "Full Vulnerability Report" (for a given repository) now requires a valid license. Expired or missing licenses will no longer allow this feature to operate.

One small improvement:

• CVE's in "Full Vulnerability Report" now link to nvd.nist.gov's page for them.

Also:

• The "Full Vulnerability Report" (for a given repository) now requires a valid license. Expired or missing licenses will no longer allow this feature to operate.

Introduced diagnostic/tracing screen to help us troubleshoot weird/slow scan behaviour.

Introduced diagnostic/tracing screen to help us troubleshoot weird/slow scan behaviour.

• Some customers are reporting an NPE after "git push". Fixed.
• Updated vulnerability data to latest.

• Some customers are reporting an NPE after "git push". Fixed.
• Updated vulnerability data to latest.

• Branch name in scan report shows actual branch that was scanned (was hard-coded to "master" even though it actually scanned default branch).
• Admins can specify a banner message that is showed to users whenever a PR or Push is blocked by CodeGreen.
• Admins can configure CodeGreen so that service-accounts skip the hook.
• The "block net-new" feature now includes a much more useful "push rejected" message that contains the actual library names and versions causing the push to be rejected.
• We've made a number of additional minor bugfixes.

Enjoy !

Version v2021.06.01 of MergeBase CodeGreen contains a number of important improvements to the plugin:

• Branch name in scan report shows actual branch that was scanned (was hard-coded to "master" even though it actually scanned default branch).
• Admins can specify a banner message that is showed to users whenever a PR or Push is blocked by CodeGreen.
• Admins can configure CodeGreen so that service-accounts skip the hook.
• The "block net-new" feature now includes a much more useful "push rejected" message that contains the actual library names and versions causing the push to be rejected.
• We've made a number of additional minor bugfixes.

Enjoy !

Additional language support (php and go)

Additional language support (php and go)

Bugfix:

• <exclude> entries inside <dependencyManagement> section of Maven pom.xml were not being respected by our parser.

Enhancement

• Our summary-report and full-report can be toggled into a JSON mode by adding "&json=yes" to the URL.

Bugfix:

• entries inside section of Maven pom.xml were not being respected by our parser.

Enhancement

• Our summary-report and full-report can be toggled into a JSON mode by adding "&json=yes" to the URL.

Enhancement: detect vulnerable versions in the pom.xml "<dependencyManagement>" section (including transitives). This is especially useful in situations where a central "BOM" style pom is used that specifies all sanctioned versions for other projects to import. Now the central "BOM" will also be subject to CodeGreen scanning and push/merge policy! :-D

This release also includes a small bugfix for a NullPointerException that was happening with CVE's that were missing CVSS scores.

Enhancement: detect vulnerable versions in the pom.xml "<dependencyManagement>" section (including transitives). This is especially useful in situations where a central "BOM" style pom is used that specifies all sanctioned versions for other projects to import. Now the central "BOM" will also be subject to CodeGreen scanning and push/merge policy! :-D

This release also includes a small bugfix for a NullPointerException that was happening with CVE's that were missing CVSS scores.

v2020.09.14 improves the "Full Vulnerability Report" so that it looks much better, and also fixes several misc. bugs, including:

• security-risk column on repositories list not displaying properly
• new pushes to master fail to update cached vulnerability totals in the vulnerability report
• the "full report" path locations were sometimes blank

v2020.09.14 improves the "Full Vulnerability Report" so that it looks much better, and also fixes several misc. bugs, including:

• security-risk column on repositories list not displaying properly
• new pushes to master fail to update cached vulnerability totals in the vulnerability report
• the "full report" path locations were sometimes blank

v2020.09.12 fixes several misc. bugs, including:

• security-risk column on repositories list not displaying properly
• new pushes to master fail to update cached vulnerability totals in the vulnerability report
• the "full report" path locations were sometimes blank

v2020.09.12 fixes several misc. bugs, including:

• security-risk column on repositories list not displaying properly
• new pushes to master fail to update cached vulnerability totals in the vulnerability report
• the "full report" path locations were sometimes blank

Now able to scan .NET projects for vulnerabilities.

Now supports scanning .NET projects for known-vulnerabilities.

Fixed a bug (NullPointerException) that was happening under certain situations during git push.

Fixed a bug (NullPointerException) that was happening under certain situations during git push.

One new feature:

• New Feature: Vulnerability reports are now accessible directly through the Bitbucket Web UI.

One new feature:

• New Feature: Vulnerability reports are now accessible directly through the Bitbucket Web UI.

Two bugfixes:

• Invalid dependency files (e.g., a malformed pom.xml) would blow up entire pre-receive, causing push to get rejected, even if no vulnerabilities were present.
• If a "multi" push included at least one branch-delete or tag-delete the entire push would skip Code Green.

Some UI improvements:

• Zero vulnerability pushes now report "Good job! Keep up the good work!".
• Double-pushes now report "Vulnerabilities still present. Double-push completed." (Whereas before the push would go through with no message at all, potentially causing confusion.)

Two bugfixes:

• Invalid dependency files (e.g., a malformed pom.xml) would blow up entire pre-receive, causing push to get rejected, even if no vulnerabilities were present.
• If a "multi" push included at least one branch-delete or tag-delete the entire push would skip Code Green.

Some UI improvements:

• Zero vulnerability pushes now report "Good job! Keep up the good work!".
• Double-pushes now report "Vulnerabilities still present. Double-push completed." (Whereas before the push would go through with no message at all, potentially causing confusion.)

Introduced ability to parse yarn.lock files. Also improved some aspects of the "git push origin HEAD:refs/mergebase/full" report.

Introduced ability to parse yarn.lock files. Also improved some aspects of the "git push origin HEAD:refs/mergebase/full" report.