Workbench Release Notes

Release notes - 25.1

Changelog (FossID 24.3.2 - 25.1)

• Toolbox (0.5.2) - Future replacement for fossid-cli, currently included as Beta release. It can be enabled from fossid.conf.

• CLI (3.5.8 - 3.5.11)
  • Bugfix: Fix issue related to response compression
• Shinobi (1.5.1 - 1.5.7)
  • Improvement: Add linux/arm64 support
  • Improvement: Remove parentheses from license IDs
  • Improvement: Better support extracting copyright and license from SVG files
  • Bugfix: Wrong copyright detected if using brackets and/or quotations
  • Bugfix: Notice generation includes path information
  • Bugfix: Separating copyright statements with comma does not work
• FDA (1.1.1 - 1.1.2)
  • New feature: Added support for module-info.json manifest from Soong package manager.
  • New feature: Added support for Android.bp manifest.
  • New feature: Added support for Soong dependency type.
  • Improvement: Changed ecosystem from Generic to Yocto for Yocto projects.
  • Improvement: Better gathering of the project version from setup.py manifests.
  • Improvement: Use npm/node manager versions to filter out dependencies that do not fit the scope.
  • Improvement: Improved data gathering from Android.bp manifests.
  • Improvement: Updated Global Check message from FDA in Workbench.
  • Improvement: Do not save cached_deps.json to logs folder.
  • Improvement: Improved the way SLE queries are handled for better performance.
  • Improvement: When resolving Soong dependencies check Conan database for relevant license info.
  • Bugfix: Fixed issue were in some cases multi-projects broke the Workbench dependency scan.
  • Bugfix: Fixed issue were __metadata section info is gathered in YarnLockParser.
  • Bugfix: Fixed issue with PyPI API info where != versions were not correctly gathered.
  • Bugfix: Fixed issue were not all dependencies from requirements.txt are being extracted.
  • Bugfix: Fixed issue where deep scan does not get all the copyrights from NuGet package.
  • Bugfix: Fixed issue where scopes are not correctly added to analyzer-result.json.
  • Documentation: Fix numbering issue for FDA in Workbench documentation.
  • Documentation: Updated documentation to include references about the npm and node versions settings in fossid.conf.
  • Documentation: Update documentation to include Soong support addition.
• Workbench
  • New feature: fossid-toolbox (beta)
  • New feature: New report for Notice file aggregating the file info at the component level - Excel and text format
  • New feature: New APIs: components -> get_usage, logs -> get_list, logs->get_actions_list (see API Changelog)
  • Improvement: Redesign scan progress popup
  • Improvement: Replace CPE information with vulnerabilities bar
  • Improvement: Filtering in Components and Licenses views by project and scan
  • Improvement: UI Merge COMPONENT and VERSION into one column
  • Improvement: Validate ignore rules which expect regex before saving them
  • Improvement: Delete files generate from System → Initiate after download
  • Improvement: Fill PURL and supplier_name during dep analysis and SBOM import for existing components
  • Improvement: Add the Component License Category in Project level Excel report for Dependency Analysis and Components tab
  • Improvement: Standalone Components page
  • Improvement: UI Update tables based on URL query string
  • Improvement: Support type ‘EXTRACT_ARCHIVES’ in API scans -> check_status
  • Improvement: Include dependencies paths in Excel report - Dependencies sheet
  • Improvement: Add failed files counter in “Scan is Completed” notification
  • Improvement: Keep track of Vulnerability Notifications sent using a new DB column ‘notification_sent’ in table ‘cpe_cve’
  • Improvement: Comment Reuse should use the original Comment Date/Time
  • Improvement: Increase PHP minimum version to 8.2
  • Bugfix: API call scans -> get_scan_comments returns only comments marked as ‘only_include_in_report’
  • Bugfix: API files_and_folders -> get_fossid_results return scan_id being “0”
  • Bugfix: Fix various E_WARNING messages
  • Bugfix: No internal and/or email notification when there is an error importing an SPDX report
  • Bugfix: Reuse VeX from scan should override empty VEX records
  • Changed behaviour: Use argon2id as password hashing algorithm. Password history will reset for WB instances having ‘webapp_password_prohibit_reuse’ enabled
  • Changed behaviour: Consolidate in one message component approval requests notifications generated at same time
  • Deprecation: Whitelisting and Score list features are no longer available for regular deployments (scanning against FossID scan servers)

Release notes - 24.3

Future Release Advisory

We want to inform you of important changes that will take place in future major releases (25.1 and beyond):

• Discontinuation of Support for Whitelisting and Score list features from CLI and Workbench

Changelog (FossID 24.3.1 - 24.3.2)

• CLI (3.5.6 - 3.5.8)
  • Improvement: Add size to signatures by default
  • Improvement: Do not report “skipping empty file” for empty files
• Shinobi (1.5.0 - 1.5.1)
  • Bugfix: Invalid copyright detected for obfuscated javascript file
  • Bugfix: Updated certain license categories to align with new license categorisation framework, replacing those previously classified under outdated categories to ensure better clarity and compliance.
• FDA (1.1.0 - 1.1.1)
  • Improvement: Better license gathering for PyPI dependencies (better GitHub license gathering)
  • Documentation: Updated documentation to include latest and missing changes
• Workbench
  • Improvement: Increase size for column ‘identifications’.’copyright_highlighting’
  • Bugfix: Improved permission checks in Component Approval interface
  • Bugfix: Fix error ‘There was an error retrieving the usage for this component’
  • Bugfix: Error when opening Approval Policy view
  • Bugfix: Internal notification for scan is completed sent only when enabled parameter webapp_enable_email_sending
  • Bugfix: Cannot specify file path in API scans->remove_uploaded_content
  • Bugfix: Basic report - components without vulnerabilities are displayed with vulnerability mark
  • Bugfix: Basic report - remove checkbox to include VEX information

Changelog (FossID 24.3 - 24.3.1)

• Shinobi (1.4.5 - 1.5.0)
  • Improvement: Add support for SPDX Licenses list v3.26
  • Improvement: Add T-License
• FossID DA (1.0.9 -> 1.1.0)
  • New feature: : Added support for Directory.Packages.props manifests
  • New feature: : Added support for licenses.manifest manifests found in Yocto builds
  • Improvement: Better use of fossid-cli for license gathering
  • Bugfix: Fixed issue with composer.json parser that breaks dependency analysis scan
  • Bugfix: Fixed issue where private dependencies are not being detected from package.json and package-lock.json
  • Bugfix: Fixed issue where not all dependencies are extracted from package-lock.json manifest (lockVersion 2 only)
• Workbench
  • Improvement: Improved error message in API when sending non-existing scan code in scans -> run, with reuse identification
  • Bugfix: Vulnerability Alarms notifications not containing full list of new CVEs
  • Bugfix: SPDX report: when no files were analyzed the tag spdx:hasFile with noassertion was included instead of removing entirely
  • Bugfix: Generating notice extract from scan list 3 dots menu not working
  • Bugfix: CLI results without match.noise.chars are not filtered as noise in Workbench
  • Bugfix: Font in the gear menu changes when accessing the Vulnerabilities page or Users
  • Bugfix: Login form requires clicking the button to submit the request, as pressing the Enter key does not work
  • Bugfix: Component form not displaying meaningful error message on duplicate name/version situation

Changelog (FossID 24.2.1 -> 24.3)

• CLI (3.5.3 - 3.5.6)
  • Improvement: Clarify in help that is displayed the oldest identified version of a component
  • Bugfix: Comma in CPE causes issues to CLI –cpe command
• Shinobi (1.3.10 - 1.4.5)
  • Improvement: Include SPDX 3.25 license list
  • Improvement: Update licenses to use the new license categories
  • Improvement: Add “isSpdx” flag to licenses reported to Workbench with -print
  • Improvement: Deprecate -omakase and -copyright (default on)
• Workbench
  • New feature: New Vulnerabilities page and API actions
  • New feature: Add support for VEX information in UI and API
  • New feature: Import and export VEX information from/to CycloneDX reports
  • New feature: New component level Notice file report
  • Improvement: Remove code and migrate data related to single component identification (used prior to the 20.1 release)
  • Improvement: Cleanup scan_component_comments using existing scheduled task scanDataCleanup
  • Improvement: API Upload - return a clear error message when the file size is too large
  • Improvement: New API actions to download the local file and matched file
  • Improvement: Include details about API call group and action in all errors
  • Improvement: SPDX report: update SPDX list version to 3.25
  • Improvement: Support for OAuth2 authentication with AD FS
  • Improvement: Add ‘tools’ to ‘metadata’ section in CycloneDX report
  • Improvement: Move identified files back to pending only when local matching snippets change
  • Improvement: Include in exported SPDX report scan specific component comments and scan related comments
  • Improvement: Add ‘processmanager.err’ to the log rotate configuration
  • Improvement: API Docs: mention optional param include_deactivated for in “users”->”get_all_users”
  • Improvement: Fallback to 7zip for cases when unzip throws warnings or errors
  • Improvement: Component and File License Categories not being included in project level Excel Report
  • Improvement: Change the color of “Non License” to differentiate it from “Uncategorized”
  • Improvement: Paginate API action “scans”->”get_marked_as_identified”
  • Improvement: Check for mandatory php extension “php-intl” after login
  • Bugfix: File name of the failed archive is not displayed in the error popup when circular symlinks are found
  • Bugfix: Error when extracting archive .bz2 found inside another .bz2 archive
  • Bugfix: Wrong datetime in the notification that Excel report was generated
  • Bugfix: No error when scan/project name(or code) are too long
  • Bugfix: String Match Report - Files tab - wrong File status
  • Bugfix: Component copyright not outputted in CycloneDX report
  • Bugfix: Wrong user displayed in “Generate approval requests” notification message
  • Bugfix: Issue with retrieving CVEs for CPE containing backslash character
  • Bugfix: Incorrect display of “POLICY WARNINGS” in projects list
  • Bugfix: Created date is changed when Updating Project Information
  • Bugfix: SPDX report tag rdfs:comment - validator error: Multiple values for unique value
  • Bugfix: SPDX validator error: License information from files must not be included when files not analyzed.
  • Bugfix: API action “component_approval”->”list_scans_with_component” returns numbered list
  • Bugfix: SPDX import - sometimes file tree not available even if files information is included
  • Bugfix: Cleanup the list of fields related to project information in Project level Excel report
  • Changed behaviour: FossID-DA is set as default dependency analysis tool. If you want to use ORT please set correct value for webapp_dependency_analysis_tool parameter in fossid.conf
  • Changed behaviour: in order to reduce manual work when rescanning changed files in same scan (file hash different at the moment of rescan compared with previous scan), the files will remain under “Identified” section if the local matching snippets are the same as in the previous scan. Previously those files were moved under “Pending” in order to be manually reviewed for relevant changes.
  • Changed behaviour: when importing SBOMs (SPDX/CycloneDX) without file tree information, the components will be displayed under dependencies section of a scan.
  • Renamed Preliminary Report to Signature Scan Report and make it clear that it does not include information about dependencies.

Release notes 24.2

Changelog (FossID 24.2 -> 24.2.1)

• CLI (3.5.1 - 3.5.3)
  • Improvement: Add support for ‘CURLSSLOPT_REVOKE_BEST_EFFORT’ for Windows users
• Shinobi (1.3.5 - 1.3.10)
  • Bugfix: Pattern classifier should use “Zlib” and not “zlib” as license identifier
  • Bugfix: Artistic-dist license is not detected
  • Bugfix: Minor fixes to LGPL licenses
• Workbench
  • Improvement: Display overlay in order to prevent user from further actions until ‘Apply folder identification’ finishes execution
  • Improvement: Reuse identification copies comments for non existing component in current scan
  • Improvement: Include copyright of Component from CLI result when creating a new component
  • Improvement: Add JVM params for running Shinobi (replacing former cli_jvm_parameters)
  • Bugfix: API - remove deprecated field ‘mirror’ in group files_and_folders
  • Bugfix: Issue in the Summary section of the Excel report
  • Bugfix: ‘Apply folder identification’ not working correctly for files under scan root directory
  • Bugfix: Warning license mismatch due to upper case
  • Bugfix: CycloneDX report validation error when supplier_name is null but a valid supplier_url is included
  • Bugfix: Issues importing SPDX 2.3 report obtained from transforming JSON report into RDF format using spdx/tools-python
  • Bugfix: Incorrect number of files mentioned in the message “Scan is Completed”
  • Bugfix: Fix invalid characters in license identifiers when exporting SPDX report
  • Bugfix: Users with is_deleted=0 in DB table are not being suggested as Project Owner
  • Bugfix: Unable to update the version of a component from lower case to uppercase

Changelog (FossID 24.1.1 - 24.2)

• CLI (3.4.16 - 3.5.1)

  Please note that from version 3.5.0 there will no longer be support for shinobi-related options in CLI. You cannot run notice generation, or collect license and copyright for signatures. Shinobi needs to be invoked separately.

  • Improvement: Allow controlling alfred scoring from the CLI
  • Deprecation: Disable Shinobi support in CLI (In favor of running Shinobi Standalone)
• Shinobi (1.3.3 - 1.3.5)
  • Improvement: Include Toppers licenses
  • Improvement: Use SPDX-compliant license identifiers
• Workbench
  • New feature: Intelligent match filtering
  • New feature: Advanced match scoring
  • Improvement: Include ‘URL’ field of a component in the Excel Report
  • Improvement: Improve performance for query retrieving users messages
  • Improvement: Support importing CycloneDX 1.6
  • Improvement: Delete older messages via scheduled task
  • Improvement: “Apply Folder Identification → Apply only to → string match rule” grayed out
  • Improvement: Add cleaning table ‘comments’ in scan delete action
  • Improvement: Take in consideration version in CPE suggestion
  • Improvement: Show full name of the scan in the scan list when is a long string
  • Improvement: Include more information in the message sent when scan is complete
  • Improvement: Refresh file tree after Look for changes in filesystem
  • Improvement: Improve information in dialog for the Look for changes in filesystem
  • Improvement: Add columns in Excel report: “Supplier/community name”, “Supplier URL”, “Download URL”
  • Improvement: Add index on column “directory_identification_id” in table “comments”
  • Improvement: Add option ‘Open in new window’ for projects in 3 dots menu
  • Improvement: Add details about ignored/filtered results in ‘No matches’ tab
  • Improvement: Replace apply folder distribution checkboxes with select box
  • Improvement: Include in SPDX report the field ‘License information in file’ - ref chapter 8.6 in SPDX 2.3.0 specification
  • Improvement: Include licenses from dependencies in the licenses tab of the Excel report
  • Improvement: Stop dependency analysis process on scan cancel
  • Bugfix: Incorrect “No KB matches” value in Excel report
  • Bugfix: Do not save the “reuse identification” setting
  • Bugfix: CycloneDX/SPDX import fails due to duplicate PURLs
  • Bugfix: Error when importing a CycloneDX report due to multiple supplier URLs
  • Bugfix: Fix variations in response structure between first and secondary calls to API scans->generate_report
  • Bugfix: Issue generating reports for scans with comments associated to deleted scans
  • Bugfix: Issues with how string match rules are displayed in tab and in folder identification
  • Bugfix: Workbench deletes unwanted files when doing cleanup after executing ORT by following symlink
  • Bugfix: When using a git repo and specific tag the download will not work without specifying depth value
  • Bugfix: Projects page - sorting not working for some columns
  • Bugfix: There are some users who do not receive broadcast messages
  • Bugfix: Licenses search bar and pagination is not loaded for users without admin license permission
  • Bugfix: Fix permission error when querying users->get_information
  • Bugfix: User with permission ‘Scans - Delete any scan’ cannot delete scan
  • Deprecation: Remove Noise reduction
  • Deprecation: Remove numeric keys in API responses as they duplicate text keys
  • Deprecation: Remove Full FossID HTML report

Release notes - 24.1

Future Release Advisory

We want to inform you of important changes that will take place in future major releases (24.2 and beyond):

• Discontinuation of Support for Match Format 1: Match format 1, which was deprecated back in 2020 following the introduction of format 2, may no longer be supported. Any customer still using match format 1 should prepare for a transition to the newer version.
• Full FossID report will be removed from 24.2 and all it’s features and more will be available in Excel report
• Experimental upper case “Components” API group which was visible only in API test but not in documentation will be removed in 24.2 and all those features are now available in “components” group.
• Removal of numbered keys in API responses in order to fix the issue of duplicating data in those API responses where both numbered and named keys were used.

Changelog (FossID 24.1 -> 24.1.1)

• Workbench
  • Bugfix: Excel report cannot be generated due to issue with drawing legend for chart
  • Bugfix: CycloneDX report not generated when there is a component without license assigned
  • Bugfix: Broken report filename because of character in scan name
  • Bugfix: Max length changed to 256 characters in API “scans->add_scan_specific_component_comment”

Changelog (FossID 23.3.1 -> 24.1)

• CLI (3.4.14 - 3.4.16)
  • Improvement: Improve error message for incompatible Shinobi
  • Bugfix: Handle JDK output “Picked up _JAVA_OPTIONS” when verifying Java installation
  • Bugfix: Fix error message “locale::facet::_S_create_c_locale name not valid”
  • Bugfix: Timeout bug on Ubuntu 23.10
• Shinobi (1.2.7 - 1.3.3)
  • Improvement: Implement a new text-only output for notice file generation
  • Bugfix: GPL-2.0 license displayed instead of GPL-2.0-only
  • Bugfix: Fix Kryo warnings when starting on java 11
• Workbench
  • Improvement: New API Documentation
  • Improvement: Left side menu in documentation
  • Improvement: Support importing CycloneDX 1.5 version
  • Improvement: Import additional component fields from CycloneDX: sha1, sha-256, md5
  • Improvement: Improved compatibility with SPDX 2.3, add new component field built date
  • Improvement: Import additional fields spdx:downloadLocation and spdx:supplier during SPDX import
  • Improvement: Generate component approval requests also for components discovered by dependency analysis
  • Improvement: Display components created during dependency analysis in the Project Components List
  • Improvement: Add additional columns in Excel report - dependency analysis sheet: Supplier URL, Download URL, Supplier/Community Name
  • Improvement: Paginate project components and equivalent API get_project_components
  • Improvement: Fallback to 7zip for some known errors thrown by unzip
  • Improvement: Display ignored due Noise reduction instead of ‘There is no client results’
  • Improvement: Export license policy information in JSON format
  • Improvement: Add missing fields to actions from “component” group API
  • Improvement: Add overview sheet with charts in Excel report equivalent to existing overview in HTML report
  • Improvement: After importing an SBOM without files information display info message
  • Improvement: Add match type column in Preliminary Report
  • Improvement: Increase PHP minimum version to 8.1
  • Improvement: Update various JS libraries
  • Improvement: Documentation - Add description of webapp_scan_path_prefixes
  • Improvement: Documentation - Describe columns in KB matches table
  • Bugfix: API scans -> archive not removing source files
  • Bugfix:Even if a file is ignored due to ignore rules matches from intaked component are displayed
  • Bugfix: Even if notice extract is canceled, the process will remain
  • Bugfix: CPE regex not validating correctly in certain situations
  • Bugfix: Throw Warning instead of Error “You are currently not authenticated in file XXX”
  • Bugfix: When deleting a scan records from table dependency_analysis_components are not removed
  • Bugfix: Quickly selecting files in file tree can make the wrong info to be loaded
  • Bugfix: Identifications licenses are not displayed in Reuse Identifications popup
  • Bugfix: Excel report: ”Without Matches” results should be adding 0 in column ”Number KB matches”
  • Bugfix: Cannot receive Vulnerability Alarm notifications when user.is_archived = 0
  • Bugfix: Full FossID Report: license category is output in the CPE column
  • Bugfix: Issue with the ascending/descending sort functionality in the component list
  • Bugfix: Error in Snippet search when the file license was not already in local database
  • Bugfix: Fix various API responses containing action and status inside data field, see API Changelog

Release notes - 23.3

Please note that with the next future major release (24.1), we will be discontinuing support for older Linux distributions including Debian 10, CentOS 7, and RHEL 7. This aligns with the approaching end-of-life (EOL) phase of these distributions in 2024.

Changelog (FossID 23.3 -> 23.3.1)

• Workbench
  • Improvement: Display identifications licenses in Reuse Identifications popup
  • Improvement: Documentation: List supported package managers to be activated in ORT installation section
  • Improvement: Display CVEs with no impact information in Workbench
  • Bugfix: Fix FOSS status for various licenses
  • Bugfix: Issue with importing package files from a SPDX 2.2 rdf with ‘contains’ dependency
  • Bugfix: Policy management: issue with searching for certain license identifier
  • Bugfix: Invalid XML structure of SPDX file if component purl link contains “<” or “>” symbols
  • Bugfix: Issue with importing reports containing # character in name
  • Bugfix: Project name with UTF-8 characters is garbled in New Scan form
  • Bugfix: Various small translation fixes
  • Bugfix: Empty component version in Dependency Analysis detailed information
  • Bugfix: CycloneDx export report error when empty component version in Dependency Analysis detailed information
  • Bugfix: Default port is not used when the param webapp_ldap_port is commented out resulting in error
  • Bugfix: Various issue when exporting into Excel from Full FossID Report
  • Bugfix: Setting parameter delete_identifications to false in API scans->delete not working correctly

Changelog (FossID 23.2 -> 23.3)

• CLI (3.4.9 - 3.4.14)
  • Improvement: Validate host and token for –stdin-file
  • Improvement: Add support for –stdin-file P (send file contents over stdin)
  • Improvement: Improvements in –help section
  • Bugfix: JSON exception when collecting fingerprints on Windows
• Shinobi (1.1.8 - 1.2.7)
  • Improvement: Add -stats for showing the statistics
  • Improvement: Add more runtime information at end of run
  • Improvement: Add Broadcom BSD-like license to License Extractor
  • Improvement: Logging what file shinobi-le is about to scan.
  • Improvement: Bundle data.bin in license-extractor jar
  • Bugfix: Shinobi does not obey the -threads parameter
  • Bugfix: Improve the Pattern for QNX license
• Workbench
  • New feature: Policy management
  • New feature: New OAuth2 authentication providers: Okta and Gitlab
  • Improvement: Add details about why a file is ignored in Excel report
  • Improvement: Export and import hierarchical structure of dependencies in SPDX reports
  • Improvement: Include scan component comments into SPDX report
  • Improvement: Allow using a custom temporary directory
  • Improvement: Do not add bullets in copyright text inside SPDX report
  • Improvement: Display statistics regarding imported components, licenses, dependencies after importing SPDX
  • Improvement: Add CPE and CVEs columns to Dependency Analysis spreadsheet in Excel report
  • Improvement: Enforce data integrity for identifications
  • Improvement: Update security and policy warnings icons in the Workbench
  • Improvement: Add logrotate configuration for rotating and compressing FossID Workbench logs
  • Improvement: Add API endpoint to retrieve process list
  • Bugfix: Issue loading matching block after first 1000 lines in VSF
  • Bugfix: Git repository URL not visible after clicking “Save”, closing window and opening it again
  • Bugfix: Decimal point in Excel exported from Full FossID report
  • Bugfix: “Copy to Clipboard” is not working for intaked component
  • Bugfix: API test interface: add group “download”
  • Bugfix: Set default value for licenses table category field to ‘UNCATEGORIZED’
  • Bugfix: Issues with Notifications/Messages when including HTML tags
  • Bugfix: License category is not returned in API: licenses -> list_licenses
  • Bugfix: Internal message at the end of the scan is not sent if the user has no email address
  • Bugfix: SPDX Lite report not downloaded correctly via API
  • Bugfix: After deleting a scan in a project you are redirected to All scans list
  • Deprecation: Renamed fossid.conf parameters webapp_microsoft_oauth2_login and webapp_microsoft_oauth2_fallback_local_login in order to support multiple OAuth2 providers
  • Deprecation: Please note that we will be discontinuing support for PHP 8.0 in next future major release (24.1)

Release notes - 23.2

Changelog (FossID 23.2.2 -> 23.2.3)

• Workbench
  • New feature: Add API endpoints aligned with SCIM standard
  • Improvement: Add optional param in API scans → get_identified_files in order to remove the license text field from result
  • Improvement: Determine component version from licenseComment field when importing SPDX 2.0 reports
  • Bugfix: An error causing ProcessManager to shut down is thrown when deleting a scan
  • Bugfix: Wrong Summary and Licenses tab/sheet in Project level Full FossID and Excel reports
  • Bugfix: Sometimes “Use as Identification” button cannot be used in single file view
  • Bugfix: Unable to generate SPDX due to invalid XML/unescaped character in copyright text
  • Bugfix: Extensions in folder bar not working properly in All files tab

Changelog (FossID 23.2.1 -> 23.2.2)

• Workbench
  • Bugfix: Fix Oauth2 authentication failing with error Firebase\JWT\JWT::decode(): Argument #3 ($headers) cannot be passed by reference
  • Bugfix: Allow empty string as valid value for selection_type and selection view params in scans->generate_report API action
  • Bugfix: Cannot delete scan from UI when scan code contains Unicode characters
  • Bugfix: Fill value for field 6.5 SPDX Document Namespace in SPDX Lite report
  • Bugfix: Unable to generate SPDX due to invalid XML/unescaped character in copyright text

Changelog (FossID 23.2 -> 23.2.1)

• Workbench
  • Improvement: Add License categorisation filtering on the Identification and Dependencies tabs from Full FossID report
  • Improvement: Updated description of the parameter async_generate_report_for_scans_with_more_than_x_files
  • Improvement: Git integration: more efficient fetch based on depth parameter
  • Improvement: Better handle wrong Download report URLs
  • Bugfix: Decimal point in Excel exported from Full FossID report
  • Bugfix: White spaces in non-SPDX license identifiers cause warnings when validating SPDX report generated from Workbench
  • Bugfix: Updating role description does not work in UI
  • Bugfix: SPDX report - fix how licenseText is included
  • Bugfix: Allow component version 0
  • Bugfix: Unable to delete the file license when a file has a filename which contains an apostrophe
  • Bugfix: Missing pagination in project components approval view
  • Bugfix: Issue in git integration when checking if branch exists
  • Bugfix: Avoid external call to retrieve icons from googleapis.com
  • Bugfix: Component reassignment issue
  • Bugfix: Error related to invalid UTF-8 characters in column ‘purl’
  • Bugfix: API component_approval - list_scan_with_component not returning correct values
  • Bugfix: API scans -> ignore_rules_add support rule type “Full file path” available in UI
  • Bugfix: Import SPDX fails when package version is empty
  • Bugfix: Component approval requests can be deleted by users who do not belong to the project

Changelog (FossID 23.1 -> 23.2)

• CLI (3.4.7 - 3.4.9)
  • Bugfix: A dot-slash (“./”) is stripped from signatures paths
  • Bugfix: Highlighting with -h/–highlight has issues with tab
• Workbench
  • New feature: Support for CycloneDX SBOM format (export and import)
  • New feature: Add support for exporting SPDX Lite format
  • New feature: Add command to sync local components created from KB to what is in the current KB.
  • New feature: Add API for create and update the project component approval comments
  • New feature: Add API endpoint to retrieve or generate(renew) API token
  • New feature: Implement Noise reduction in blind scans
  • Improvement: New SBOM menu and UI
  • Improvement: Include license category information in Excel reports
  • Improvement: Add “Supplier/Community Name” into the Components sheet of the Excel report
  • Improvement: Update all notifications to new design
  • Improvement: Update the design of the folder view identification pop up
  • Improvement: Change button location - “Identifications have been found for this item in other scans“
  • Improvement: Stricter permissions for assigning a scan to a project
  • Improvement: Add visual feedback when selecting components in list view
  • Improvement: Show the current working user as the user who makes identification after Reuse identifications instead of the “actual user” who identified the component earlier
  • Bugfix: Not possible to scan blind files which contains paths starting with “./”
  • Bugfix: No response trying to identify a component through Top matched components (All matches).
  • Bugfix: Context menu, CPE icon and vulnerabilities dialog stacked in strange way
  • Bugfix: Scan run is not displaying error when a tar file failed extracting
  • Bugfix: Assigned components do not appear when you click “Open file in a new tab” in “Marked as Identified” tab
  • Bugfix: Generate Report does not work when spaces and special characters are included in the scan name/project name
  • Bugfix: Confirmation messages are shown in the middle instead of bottom within “System Information” menu
  • Bugfix: Project component comments shows always “No comment added” even after adding a comment
  • Bugfix: Fix SPDX validation warning related to missing license text

Release notes - 23.1

Changelog (FossID 23.1 -> 23.1.1)

• Shinobi (1.1.6 - 1.1.8)
  • Updated licenses to SPDX Licenses list 3.20
  • Fixed issue regarding licenses with dividers in them, mainly LPPL
• Workbench
  • New feature: Fill supplier name with info from PURL namespace or author field found in KB component
  • New feature: Add possibility to remove component approval requests from UI and API
  • Improvement: Implement async scan delete in API also
  • Improvement: Add “Generate report” option to 3 dots menu on All scans view
  • Improvement: Larger text areas in components approval comments dialog
  • Improvement: Documentation - Add information about local fallback option for LDAP auth
  • Improvement: Documentation - Add webapp_base_url in the list of mandatory configuration parameters
  • Improvement: Documentation - Update CLI help information
  • Improvement: Documentation - Change menu “Using the Workbench” to “Documentation”
  • Bugfix: Do not allow importing SPDX for users without LICENSES_ADMINISTRATE and COMPONENTS_CREATE permissions
  • Bugfix: Not able to generate filename with Korean chars for reports
  • Bugfix: Process for updateCpeList fails with exit code 138
  • Bugfix: Fix dbupdate.php always showing updating unique key columns
  • Bugfix: Fix notification message after Scan deletion shows null
  • Bugfix: Missing scroll bars
  • Bugfix: After rescan Top match components interface displays ‘An error occurred’
  • Bugfix: Documentation - Remove PHP 7.4 from supported versions in Japanese version of the Documentation
  • Bugfix: Approval log is outside visible area
  • Bugfix: Cannot filter only the license categories on the Identifications tab of the FossID full report
  • Bugfix: ”Include in reports” checkbox of Dependency Analysis is not working correctly
  • Bugfix: API dropdown menu and description are not in sync for some APIs
  • Bugfix: User search results pop-up covers input fields in Project edit form
  • Bugfix: ‘Copy To Clipboard’ not working for local file
  • Bugfix: Values for CPE and PURL not imported in some SPDX reports
  • Bugfix: VSF scan requires permissions Scans -Access & Search any to see scan progress

Changelog (FossID 22.2 -> 23.1)

• CLI (3.4.6 - 3.4.7)
  • Improvement: Add support for more dependency manifests in fossid-cli ( –dependency-analysis option )
  • Bugfix: Wrong highlighting in some match results
• Workbench
  • New feature: Project level reports
  • New feature: License category
  • New feature: Ignore rules applied to full file path
  • New feature: Add PURL field to Components
  • New feature: Add new command to search components in KB and add PURL and CPE when no value is given locally.
  • New feature: Export/import PURL into SPDX & XSLS reports
  • New feature: Scan GIT URL from Workbench UI
  • New feature: Support delta scan for blind scans
  • Improvement: Improve description for parameter ‘webapp_default_admin_username’ in fossid.conf.dist
  • Improvement: Automatically add CPE for components created during dependency analysis, display dependency vulnerabilities in Excel and Full report
  • Improvement: Add async report generation for “Basic Report”
  • Improvement: Dependency Analysis - add the “Include in reports” setting to the Workbench API
  • Improvement: Display the component version on the “Top matched components” screen
  • Improvement: Split file_client_results table into one table per scan
  • Improvement: Scanning from git - performance improvement by using git fetch instead of git pull
  • Improvement: Make static HTML report identical to the one created from GUI when creating from API
  • Improvement: Display “lastModifiedDate” and “publishedDate” for CVEs in the VSF report
  • Improvement: Reuse identifications should optionally copy the file distribution status
  • Improvement: Show the full path of the archive that failed to decompress
  • Improvement: API test: replace username and key with current user logged in the application
  • Bugfix: XSS vulnerabilities
  • Bugfix: Fix deactivated users receiving FossID messages and emails
  • Bugfix: A user created using the LDAP integration cannot be added to a project
  • Bugfix: Language setting cannot be changed if the username is only numeric
  • Bugfix: Wrongly record errors in log even if the async reprt is correctly generated
  • Bugfix: Scan code containing character ‘&’ causes issues when generating download URL for async reports
  • Bugfix: Error when generating SPDX report which contains license id with special character ‘&’
  • Bugfix: Error related to SPDX report and exporting non SPDX licenses in components.
  • Bugfix: Issue with the API group: files_and_folders, action: remove_component_identification
  • Bugfix: Not able to change component from “Marked as Identified” tab
  • Bugfix: Fix is_copyleft status for several licenses
  • Bugfix: Assigned components do not appear when you click “Open file in a new tab” in “Marked as Identified”
  • Bugfix: VSF scan shows all files failed
  • Bugfix: Fill URL and download URL for components created during autoid same way as in Use as identification
  • Bugifx: Before starting scanning check if scan target path is readable in order to avoid losing identification information

Release Notes - 22.2

Release summary / highlights

• Noise reduction of license text, import statement and comment matches for Java and C
  • The purpose of this functionality is to remove irrelevant partial file matches which are either comments, import statements or license declaration. Based on the classification information returned by CLI the WebApp can filter out irrelevant snippet matches. Noise reduction is a new feature and is still in beta.
• Asynchronously generate large scan reports - Excel sheet, SPDX and Full FossID Report format
  • Generating reports for a large number of analyzed files takes long time resulting in timeout errors. Based on a configurable threshold reports can be generated async. When the report is ready a message is sent to the user with a download link. Also async reports generation can be used from API.
• Highlighting of automatically detected licenses and copyrights in local file
  • Automatically detected licenses and copyrights displayed in identification Pane will have a “Go to matching block” button which will highlight for several seconds the matching area from the local file.
• Enable changing owner of projects by replacing the “Creator” concept with “Owner”
  • Project owner has more flexibility, offering the possibility to be reassigned by Admin.
• Allow running dependency analysis by the scan option parameter
  • From the ‘Scan code’ popup it is possible to initiate regular scan and also schedule Dependency analysis to be executed after regular scanning.
• Generate SPDX reports using 2.2 version of the SPDX standard
  • Also include the list of dependencies in SPDX report when those are available and are marked with Include in report.
• Delete match results from Database table when archiving or deleting scans
  • Improvements related to cleaning records when archiving or deleting scans, also new button was added to trigger removing all user messages older than 90 days.
• Enforce data integrity and improvements in licenseupdate.php script
  • A new step was included in Upgrade instructions to fix certain types of duplicate data and to add new unique constraints at database level. Also the licenseupdate.php script will highlight better if there was any issue.

Changelog (FossID 22.2.3 -> 22.2.4)

• WebApp
  • Bugfix: Executing enforce_data_integrity command throws error
  • Bugfix: Automatic identification fails when intaked component is detected

Changelog (FossID 22.2.2 -> 22.2.3)

• WebApp
  • Improvement: View project components or API equivalent get_project_components is slow for large number of components
  • Improvement: Include scan name in notification message when report generation is finished
  • Bugfix: Identify duplicate files in a scan not working when empty file licenses or empty copyright
  • Bugfix: Not able to change component from “Marked as Identified” tab
  • Bugfix: Identification ‘source’ field is not filled when creating identifications from Top match components
  • Bugfix: SPDX: Dependencies found in reports cannot be imported into FossID
  • Bugfix: Jar Decompress error due to directory permissions
  • Bugfix: Columns related to source of identification in Excel report are empty when using webapp_autoid_mode=custom

Changelog (FossID 22.2.1 -> 22.2.2)

• WebApp
  • Improvement: Add new columns in Excel report - ‘Identifications’ sheet regarding match source and type
  • Improvement: Documentation: run enforce data integrity command with www-data user
  • Bugfix: Pending Items field has value zero in certain situations in All scans view
  • Bugfix: Avoid deleting from table ‘component_project_approval_comments’ when running ‘enforce_data_integrity’ command.
  • Bugfix: Use ‘Ver N/A’ for empty version when creating components during autoid
  • Bugfix: When creating a report of vulnerabilities the web app throws exceptions
  • Bugfix: Unable to generate Excel report from archived scan

Changelog (FossID 22.2 -> 22.2.1)

• WebApp
  • New feature: New autoid options
  • New feature: Allow exporting the Basic Report without identified files section
  • Improvement: Fixes in installation/update instructions
  • Improvement: New column in Excel report: Component license category
  • Improvement: Allow exporting the Excel report without the identifications tab.
  • Improvement: Better handling new license identifiers found during auto id
  • Bugfix: Issue generating the absolute URLs in emails/messages
  • Bugfix: Fix issue in enforce data integrity related to components which are also dependencies
  • Bugfix: Error when viewing on an archived scan

Changelog (FossID 22.1.1 -> 22.2)

• WebApp
  • New feature: Noise reduction of license text, import statement and comment matches for Java and C
  • New feature: Highlighting of automatically detected licenses and copyrights in local file
  • New feature: Async generation of reports via API: dynamic, xlsx and SPDX
  • New feature: Asynchronously generate large scan reports - Excel sheet, SPDX and Full FossID Report format
  • New feature: Add API endpoints to add and remove dependencies to scans
  • New feature: Send notification on scan finished
  • New feature: Enable changing owner of projects by replacing the “Creator” concept with “Owner”
  • Improvement: Add API action to remove uploaded content
  • Improvement: Add suport for extracting *.tbz2 files
  • Improvement: Allow local accounts to be edited even when LDAP is enabled
  • Improvement: Add comments per Component Approval
  • Improvement: Generate SPDX reports using 2.2 version of the SPDX standard
  • Improvement: Performance issue when doing folder Identification for huge number of files
  • Improvement: Display String Match Rule ID in UI and in Reports
  • Improvement: Add function to clean up all user messages older than 90 days
  • Improvement: Delete match results from table when archiving or deleting scans
  • Improvement: Allow changing name and version for components created from KB
  • Improvement: Add an option to give admin privileges to the first authenticated user
  • Improvement: Import and export dependencies in SPDX reports
  • Improvement: Allow running dependency analysis by the scan option parameter
  • Improvement: Add release date for each components result from KB in WebApp
  • Improvement: Re-use previous identifications improved to consider the path as well as the checksum of the file
  • Bugfix: Issue uploading on VSF scan when webapp_add_root_directory is enabled
  • Bugfix: Provide information about what data in “System Monitoring” represent
  • Bugfix: Issue regarding displaying certain icons when using ‘String Matches’
  • Bugfix: Performance issue with suggested components names in Add component form
  • Bugfix: Special characters are encoded when using API Pusher with API call scans:add_scan_specific_component_comment
  • Bugfix: Incorrect display of component comments.
  • Bugfix: Error in “Project component approval interface”
  • Bugfix: Uploaded code treated as a blind audit.
  • Bugfix: Wrong error message returned when calling API “scans - add scan specific component comment” with required param is missing
  • Bugfix: Apply Folder Identification dialog doesn’t preserve content of Copyright field
  • Bugfix: Incorrect date is shown for the identifications made to a file.
  • Bugfix: Issues with “licenseupdate.php” on PHP 8 and above
  • Bugfix: Error when deleting string match rule with API
  • Bugfix: Add minimal MySQL/MariaDB version in documentation
  • Bugfix: VSF UI - CVE list does not collapse
  • Bugfix: Using wrong username or key when calling API is not returning meaningful error message
  • Bugfix: Vulnerability notification messages do not break lines.
  • Bugfix: “Identify Duplicate Files → All Files” do not include the files within the tab “Marked as Identified → [Empty Identification]”
  • Bugfix: Display error before starting to scan when extracting archives failed
  • Bugfix: Folder identification dialog closes when clicking on selected license
  • Bugfix: Not meaningful message with API projects:assign_member when input project_code is not present in server
  • Bugfix: Wrong message when restoring a file backup
  • Bugfix: Set identification author to current user running automatically resolve pending identifications for existing identifications (created by other users)
  • Bugfix: Dependency analysis cleanup not working due to permission issues
  • Bugfix: API “group: Components, action: update” optional parameter is really mandatory
  • Bugfix: File licenses are not added when identifying from KB if multiple file license are detected
  • Bugfix: Scan log does not sort by date properly.
  • Bugfix: Comments not captured if text is inside symbols <> and text get lost.
  • Bugfix: Source display pane is not correctly resized in Scan interface
• Shinobi (1.1.3 -> 1.1.6)
  • Bugfix: Various small fixes

Release notes 22.1

Release summary / highlights

• String Match Report
  • There is a new report type for String Matches in the form of an excel file which lists each file matched as well as the lines of the files. The report can be generated from the Report interface in the Scan view as well as via API.
• Added Global Component Comments
  • Added the functionality of global comments on components. Any user with the new COMPONENT_COMMENT_ADD permission can add comments to components. This is not assigned to any of the user roles by default. The admin role has the permission COMPONENT_COMMENT_EDIT_ANY role by default and is allowed to edit and delete any comments.
• Multi login
  • You can now enable login with both Azure AD and local accounts in the WebApp or LDAP and local accounts. This way you can have for example end user accounts provisioned in LDAP and local accounts used for automation provisioned in the WebApplication only.
• New File Status in reports
  • In the HTML and Spreadsheet reports you can now see the file status in the report. If it is in pending identification, marked as identified or without matches.
• More Scan Metadata in reports
  • In the HTML and Spreadsheet reports you can now see the metadata regarding the scan from which the report was generated. This includes which versions of the FossID Audits and Compliance tools was used to generate the report as well as which dates the underlying Knowledge Base was last updated.
• Additional filtering options in folder identification
  • We are adding additional filtering options in folder identifications. You can now identify files based on their file license, copyright statements or string match rules.
• New API endpoints to add or remove roles and permissions from users
  • We have added new API endpoints to add or remove roles and permissions from users.
• Limits to User Data
  • The list of users in the system is now more limited and email addresses are hidden to unprivileged users. Similarly the get information query for users is now filtering user information unless you have a specific permission. This does not affect the data types returned in the API.
• PHP 7.3 no longer supprted
  • PHP 7.3 is no longer receiving security updates. We are clarifying that we will no longer support it either if used with the WebApplication.
• Database Collation
  • We are updating the table collation to utf8mb4 to all tables to better support international character encodings.
• Support for intake top matched components in Blind Scanning
  • Added support for intake components in Blind Audit Scanning.
• File distribution logging
  • Whenever file distribution state is changed, this is now logged in the system log
• Offline Release Wrapper Setup
  • If you are using the Offline Release (OnPrem) the new update to the Wrapper requires you to update the wrapper logging configuration. See the Offline release package for a default configuration file.

Changelog (FossID 22.1 -> 22.1.1)

• WebApp
  • Bugfix: Copyright field cleared on Folder Identification when deleting or adding a license.
  • Bugfix: Folder Identification option removes the existing Copyright text in a file
  • Bugfix: Full FossID report provides the current ORT and FossID version for very older scans
  • Bugfix: Folder Identification identifies all files under a folder irrespective of files with specific extension/copyright/license chosen.
  • Bugfix: Cannot “Apply Folder Identification” with distribution options enabled.
  • Bugfix: The API scans:generate_report does not work when choosing report_type = dynamic_top_matched_components

Changelog (FossID 21.2.4 -> 22.1)

• WebApp
  • New Feature: Record in log when “File Distributed” is changed
  • New Feature: API Action for String Match Report
  • New Feature: Protect other users data on the webapp
  • New Feature: Export string search results as a report.
  • Improvement: Display intake results in Top Match Components view in blind scans
  • Improvement: Add global component comments
  • Improvement: Allow login with both Azure AD and local account
  • Improvement: Protect data returned by users:get_information API.
  • Improvement: Allow login with both LDAP and local account
  • Improvement: Move ownership of dialog height and width from dialog to containing widget
  • Improvement: Separate identified files and pending files in reports
  • Improvement: Add more scan metadata to reports
  • Improvement: Request for additional filtering options in ‘apply only to’ drop-down in folder identification dialog.
  • Improvement: Add API actions to remove user roles and permissions
  • Improvement: Extended the list of supported package managers
  • Bugfix: Unable to login even if password is within expiration date
  • Bugfix: Webapp email not working
  • Bugfix: Pop-up on “Top Matched Components” screen is character corruption.
  • Bugfix: Blind Audit scan does not result in “Without Matches” when ignore rules are applied.
  • Bugfix: “Use As Identification” icon not available.
  • Bugfix: Issue updating from 21.1.1 to 21.2 in Debian 9
  • Bugfix: Scans crashes on non ASCII character
  • Bugfix: Git Download API Issue
  • Bugfix: Whitelist not working
  • Bugfix: Error when rescanning directory with root node/scan code selected
  • Bugfix: After upgrade to ver. 21.2.4-12142 FossID not work in Firefox browser
  • Bugfix: Vulnerability alarm notification emails are not sent to all users if there is a user with an empty email address.
  • Bugfix: The CVSS version displayed on the WebApp is not correct.
  • Bugfix: HTML tag is displayed when reusing identifications (finger print icon).
  • Bugfix: dashboard scan tooltip HTML tags visible
  • Bugfix: Component comments not retaining formatting and unable to save special characters.
  • Bugfix: Double percentage sign when scanning
  • Bugfix: SPDX import cant import list of homepages
  • Bugfix: Scan failure due to incorrect string value mysql exception.
  • Bugfix: CVSS is missing from the header of the Excel file output by Full FossID Report
  • Bugfix: No message is displayed when updating user successfully
  • Bugfix: “Top Matched Components” does not load after upgrading from 21.2.2 to 21.2.3
  • Bugfix: Setting my_scan_${BUILD_NUMBER} in Jenkins plugin is not working as expected.
  • Bugfix: Changes made to webapp_max_concurrent_scans are applied after killing processManager
  • Bugfix: Issue inserting long data into table: “SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column ‘author’ at row 1”
  • Bugfix: Not able to change the copyleft flag on license with same name.
  • Bugfix: Importing reports, homepage data ending up in supplier_url instead of url.
  • Bugfix: Same component created multiple times when importing RDF/SPDX report.
  • Bugfix: Folders containing the substring “git” are ignored by directory ignore rule “.git”
  • Bugfix: Report cannot be generated when “Include components with known vulnerabilities only” option is selected
  • Bugfix: API “scans:import_report”: issue locating the code from report_import to find the uploaded file.
  • Bugfix: webapp_password_enforce_update parameter should be active only when using password authentication
  • Bugfix: Not able to delete scan when scan name has over 100 characters
  • Bugfix: Identifying from Top matched components times out
  • Bugfix: Error when previous identifications of current project are reused.
  • Bugfix: Error when scanning a file with Japanese name on Debian 9
  • Bugfix: Missing information in the System Log
  • Bugfix: Error when searching for a user that doesnt exist when sending a new message
  • Bugfix: Component Name and Version can be updated to blank via API query
  • Bugfix: Vulnerability Report formatting is broken
  • Bugfix: Unable to output Excel report
  • Bugfix: Number of files on tab ‘Marked as identified’ does not match with the ones listed on the same tab.
  • Bugfix: Login fails when two consecutive question marks used in the password
• Shinobi (1.1.1 -> 1.1.3)
• Bugfix: Time out handling improvements
• Bugfix: Copyright detection issue

• Improvement: Added Microsoft Distributed License

• Wrapper (3.6.4 -> 3.6.6)
  • Improvement: Move wrapper logging to logback
  • Bugfix: Fix deadlock on saturated stderr buffer
• CLI (3.4.5 -> 3.4.6)

• Bugfix: Time out handling improvements

• Alfred (4.1.0 -> 4.1.2)
• Improvement: Reintroduce support for old pfm hash format 1
• Improvement: Only print first 100 chars of invalid signatures

Release Notes - 21.2

Release summary / highlights

• Licence policy control
  • It is possible to set approval rules for licenses to either automatically approve or disapprove component use based on license.
• Automatic component identification
  • A scan option has been added to automatically use top matches as component identifications and to mark files as identified.
• Background tasks
  • No longer using crontab but rather handled by the WebApp directly. As a result it’s not necessary to do any configuration to enable vulnerability notifications or scan queuing.
• OAuth2 authentication for Azure AD
  • The WebApp now supports authentication using Azure Active Directory.
• Installation and update manual
  • The installation and update instructions have been consolidated and the old collection of text files has been replaced with a single manual.
• Component information
  • All information about components in the WebApp database is now accessed in one single dialog.
• CPE entry validation
  • When manually adding CPE identifiers to components the entry is confirmed against a list of valid CPEs. CPEs can also be suggested based on component name and version.
• System and UI update
  • Many changes to the user interface (including the main menu) as well as to underlying mechanisms to improve usability and to solve a number of existing issues.
• Good to know:
  • The release documentation, including installation and update instructions, is now provided as an HTML structure rather than as text files. Simply download the release documentation package from the download site and extract it to be able to read it with any web browser.

  • Updating a WebApp installation with a large database to 21.2 might take a very long time, so plan accordingly. During the update it is not possible to use the webapp.

    It is also possible to prepare for the update by connecting to the database and executing the following statement: ALTER TABLE `file_client_results` MODIFY `file_license` mediumtext NULL Once this is completed, which is the part that will take a long time, the update will not take longer than usual.

  • The default and recommended web server is now NginX
  • The recommended amount of RAM for a system running the FossID CLI Tools is 8GB or more.

Summary of minor release 21.2.4

• 21.2.4 primary fixes a number of different bugs introduced in previous versions

Summary of minor release 21.2.3.3

• 21.2.3.3 is an update for offline users containing an updated wrapper with a fix for CVE-2021-45105

Summary of minor release 21.2.3.2

• 21.2.3.2 is an update for offline users containing an updated wrapper with a fix for CVE-2021-45046

Summary of minor release 21.2.3.1

• 21.2.3.1 is an update for offline users containing an updated wrapper with a fix for CVE-2021-4428

Summary of minor release 21.2.3

• 21.2.3 fixes an issue with setting up dependency analysis, a bug related to notice extract creation and a few other issues.

Summary of minor release 21.2.2

• 21.2.2 primarly fixes a number of bugs that were introduced, along with the many other improvements added in 21.2 and 21.2.1.

Summary of minor release 21.2.1

• 21.2.1 primarly fixes a number of bugs that were introduced along with the many improvements added in 21.2.

Changelog (FossID 21.2.3 -> 21.2.4)

• Webapp
  • Improvement: WebApp API: scanning from git repo - allow scanning tags and commits, not only from branches
  • Bugfix: An error in Quick View Tool
  • Bugfix: Issue displaying info in Top matched components
  • Bugfix: Archives are not extracted in the QuickView Tool
  • Bugfix: Infinite loading screen after page reload
  • Bugfix: Intake not working
  • Bugfix: File license missing sometimes
  • Bugfix: Not possible to set up dependency management on 21.2.2 and earlier
  • Bugfix: Cannot make a scan with reuse identification from previous scans
  • Bugfix: Duplicate cookies set
  • Bugfix: HTTP Header Configuration
  • Bugfix: CSRF missing from headers
  • Bugfix: Escape input text strings
  • Bugfix: The “From” and “To” fields on the log screen do not work
  • Bugfix: Duplicate components can be created.
  • Bugfix: cveUpdate fails when a component with many vulnerabilities is added
  • Bugfix: When running the API “scans - run” on a RUNNING scan, the status remains QUEUED
  • Bugfix: Unable to create a new user during LDAP integration.
  • Bugfix: Unable to add global ignore rules in 21.2.3 release.
  • Bugfix: Upload the same archive two times is not working due to failing to remove directory created by decompressing the archive first time
  • Bugfix: File comments duplicating while reuse identification.
  • Bugfix: Scan getting stuck and unable to terminate from UI
  • Bugfix: WebApp API: licenses - update not working as expected
  • Bugfix: Scan failing when German/special characters are present in filename.
  • Bugfix: Change the API responses back to be identical to those of 21.2.2
  • Bugfix: check_status_download_content_from_git endlessly returns NOT_FINISHED when specifying a wrong branch name
  • Bugfix: Process queue allow duplicate the same scan.
  • Bugfix: Cannot migrate scan from [Competitor tool] to WebApp 21.2.*
  • Bugfix: Failed to execute API “notice_extract_download”
  • Bugfix: Duplicated files identification does not work correctly
  • Bugfix: The cveUpdate vulnerability notification is not sent by E-mail.
  • Bugfix: Jenkins plugin does not work after API change

Changelog (FossID 21.2.3 -> 21.2.3.1)

• Wrapper (3.4.5 -> 3.6.1)
  • Improvement: Fix for CVE-2021-4428

Changelog (FossID 21.2.2 -> 21.2.3)

• Webapp
  • Bugfix: Notice extract creation fails for some scans
  • Bugfix: Setting up dependency analysis in a new webapp installation fails
  • Bugfix: Scan failed due to SQL syntax error
  • Bugfix: No ‘Scan Delta’ button when ignored files due to the use of the option “cli_min_file_size=”
  • Bugfix: In VSF CVEs are missing url
  • Bugfix: First scan performed on a fresh db results in sql error
  • Bugfix: Button ‘Open file in a new tab’ from ‘Pending Identifications’ open but unable to see content.
  • Bugfix: Not clear message on webapp when file is ignored due to cli_min_file_size
  • Bugfix: cveUpdate failed with 414 error
  • Bugfix: ‘An error occurred’ message when selecting a match.
  • Bugfix: Can’t create a scan or a project containing a single quote in any of the required fields
  • Bugfix: Sorting projects doesn’t work on mysql (not mariadb)
  • Bugfix: File comments containing single quote characters are not copied during reuse identification
• CLI (3.4.5 -> 3.4.6)
  • Bugfix: An issue related to ignoring files based on size
• Shinobi (1.0.8 -> 1.1.1)
  • Bugfix: Notice extract fails for unsupported file types

Changelog (FossID 21.2.1 -> 21.2.2)

• WebApp
  • Improvement: Paginate API endpoint get_results
  • Bugfix: Unable to change the information of LDAP linked users.
  • Bugfix: Api keys are written into the errors.log
  • Bugfix: Field ‘filename’ should not be mandatory in API group: scans action: extract_archives
  • Bugfix: Failed to ‘Update the CPE List’
  • Bugfix: Error when Shinboi returns a license identifier containing a quote.
  • Bugfix: WebApp Azure OAuth Undefined index: sessionState
  • Bugfix: zip Files with uppercase extension (.ZIP) does not get extracted.

Changelog (FossID 21.2 -> 21.2.1)

• WebApp
  • New feature: Provide the same identification options for the root node as for any folder
  • Improvement: Document setting/updating CPE information with API
  • Improvement: Change displayed name for VSF_ACCESS permission
  • Improvement: Update FossID logo
  • Improvement: Update VSF description in docker-getting-started guide
  • Improvement: Installation instructions: Update “Allocating scans capacity” section
  • Improvement: Install/update instructions: Ubuntu 18.04 specific, mysql max_allowed_packet should be changed to 64M as the default is lower
  • Improvement: Documentation should explain that even with the VSF_ACCESS permission actually getting vsf results will require a VSF enabled token
  • Improvement: Installation/update instructions: RHEL/CentOS 7 mariadb settings correction
  • Bugfix: Cannot upload file by WebApp API
  • Bugfix: Error when creating a license using API
  • Bugfix: Ignore extensions feature does not work for “none” (files without extension)
  • Bugfix: Apply folder identification on the root does not allow selecting a component
  • Bugfix: Apply folder identification from root does not allow selecting a license from the list
  • Bugfix: Issue with updating on Debian 9
  • Bugfix: Files containing multibyte characters are not displayed in the scan interface screen.
  • Bugfix: Components not marked as kb_component when doing auto id
  • Bugfix: Deactivate/reactivate OAuth2 user account does not work as expected
  • Bugfix: Identify duplicated files dialog button does not work
  • Bugfix: Ignore extension functionality does not work
  • Bugfix: “Identified By” column does not show marked-by person correctly
  • Bugfix: File comparison is not possible.
  • Bugfix: Identification button is missing
  • Bugfix: LDAP Authentication issue
  • Bugfix: Loading Code Tree Issue
  • Bugfix: mis-translation: Edit Component Dialog
  • Bugfix: File tree does not load
  • Bugfix: Matched files content does not load
  • Bugfix: Eval getting started doc: Wrong login URL for WebApp
  • Bugfix: API: projects_list_projects returns max 10 projects
  • Bugfix: Rescan a single file is generating error
  • Bugfix: API Pusher: Users - update error
  • Bugfix: Add proper error message when using vsf scanner without a valid token
  • Bugfix: Wrong description in installation.md inside htmlhelp.zip
  • Bugfix: Installation instructions: Link to dependency analysis section broken

Changelog (FossID 21.1 -> 21.2)

• WebApp (2021.1.1 - 2021.2.1)
  • New feature: Allow viewing and modifying scheduled tasks
  • New feature: New API: scans - get_scan_comments
  • New feature: Add support for importing comments from Excel reports
  • New feature: License policy settings interface
  • New feature: Replace menu system
  • New feature: Webapp Azure AD Oauth 2 integration
  • New feature: Auto component identification scan option
  • Improvement: Scan interface: Allow expanding and collapsing an entire folder structure by double clicking
  • Improvement: Hide password fields when using oauth/ldap
  • Improvement: Improve how extensions are shown in scan page
  • Improvement: Reorder the webapp directory structure
  • Improvement: Show full path on mouseover of file name
  • Improvement: Include both license name and license identifier in reports
  • Improvement: Add proper GitHub links
  • Improvement: Allow right click => open in new tab for logo and menu buttons
  • Improvement: Include username and project_code in API response for scans / get_information
  • Improvement: Allow accessing component vulnerability information from the component list
  • Improvement: Add approval status to components list
  • Improvement: Add download link on intake view
  • Improvement: Remove component management button from scan interface
  • Improvement: Scan interface: Replace/remove the “add component” button
  • Improvement: Change use of SCANS_ACCESS permission to actually control the access to the scan interface
  • Improvement: Simplify the various component creation permissions
  • Improvement: Remove COMPONENTS_CREATE check when adding components as a result of applying an identification
  • Improvement: New Components API
  • Improvement: Ensure that dialogs stay on screen
  • Improvement: Items in menu should should be either enabled, disabled, or hidden depending on permissions + config param
  • Improvement: Rename “Daily tip” to “Tip of the day”
  • Improvement: Remove all LICENSES_ACCESS permission checks and retire the permission
  • Improvement: Link to release notes should open the release notes section of the help
  • Improvement: Add in config setting for CORS headers
  • Improvement: Replace bad redirects with no permission errors
  • Improvement: Automatically send notifications about new vulnerabilities in components
  • Improvement: Automatically update the vulnerability database
  • Improvement: Update effects of deleting a project
  • Improvement: Make the scan Status in the scan list more sensible
  • Improvement: Report creation: Remove the “custom disclaimer” input field for Preliminary reports.
  • Improvement: Archive upload improvements
  • Improvement: Consistent naming of archives vs packages
  • Improvement: Enable re-upload zip file for delta scan
  • Improvement: Dependency analysis: Change dependencies sort order to A-Z
  • Improvement: Component management - Search and suggest CPEs based on comp. name and version for manually added components
  • Improvement: Add fossid.conf option to report copyright in AS-IS format
  • Improvement: Disable Scans - New Scan menu option if user has not the correct permissions
  • Improvement: Clean up webapp/utils/importers
  • Improvement: WebApp API: scans - update should not require including the scan name
  • Improvement: Clean up webapp/utils/scripts
  • Improvement: Clean up Notice errors in server log
  • Improvement: Move language selection to the user profile
  • Improvement: WebApp API: scans - update should allow updating git_repo_url and git_branch
  • Improvement: Add failed login attempts and API authentication failures to the system log
  • Improvement: Quick view: “source code only filter” should be disabled by default
  • Improvement: Improved logging
  • Improvement: Increase the API token complexity
  • Improvement: Replace Hiawatha with Nginx as default web server
  • Improvement: Scan delta is scanning all the files when always extract .jar file is option is selected
  • Improvement: API: Add files_and_folders : remove_component_identification
  • Improvement: Improve navigation when using the back button on the browser
  • Bugfix: Do not print excessive info during db update
  • Bugfix: Fix incorrect parameters to htmlspecialchars
  • Bugfix: Approval requests are not deleted with the project
  • Bugfix: Dependency analysis is considering packages from different vendors the same if they have the same name
  • Bugfix: SQL error when reusing identification with comment having fileds is_important/include_in_report set to NULL
  • Bugfix: User without permission to create projects is able to create projects from dashboard.
  • Bugfix: Hashing process is not stopped with an error if packages become unavailable during hashing
  • Bugfix: Data too long for column “file_license” at row 1
  • Bugfix: API ‘Group: components, Action: delete’ does not delete even if the user has the right permissions.
  • Bugfix: Dependency analysis does not show error even after it is stopped by mysql error
  • Bugfix: Reuse identification not working properly on blind scans since introduction of new CLI hash format
  • Bugfix: Remove USERS_ACCESS permission
  • Bugfix: Data doesnt get deleted from component_files table when deleting a component
  • Bugfix: files_and_folders_get_matched_lines api fails
  • Bugfix: Long license text will partially break excel reports
  • Bugfix: Notifications for new messages in menu
  • Bugfix: Fix triple scroll bars when editing fossid conf with narrow window
  • Bugfix: Excessive permissions: SCAN_ACCESS + PROJECTS_ACCESS
  • Bugfix: Warnings thrown when VSF scanner finds a critical issue
  • Bugfix: License texts co-exist independently in both component and license metadata
  • Bugfix: Remove file count summary for finished scan
  • Bugfix: vsf - for every rescan vsf thinks there are one more vuln snippet in file
  • Bugfix: Preliminary report header says “Community URL”
  • Bugfix: Base64 encoded input problem
  • Bugfix: Report creation: base64 encoding input issue with “custom disclaimer” field
  • Bugfix: dbupdate.php needs to run twice to complete all schema updates
  • Bugfix: Files are processed even if the folder is ignored.
  • Bugfix: Files with extention ‘.xz’ without preceeding ‘.tar’ not getting extracted.
  • Bugfix: Scan interface match view bottom part looks strange
  • Bugfix: show_all parameter does not work as expected
  • Bugfix: Displayed scan sensitivity changes from 0 to 6
  • Bugfix: Dependency Analysis - clean up all files created by ORT during analysis
  • Bugfix: Error logged when setting a license to deprecated or not deprecated
  • Bugfix: Dependency analysis takes a really long time for nodejs projects
  • Bugfix: Foss vs non foss percentage in the pie is calculated for all files in the scan, disregarding report options
  • Bugfix: New folders created with dummy names when adding the same .bz2 file over the scan
  • Bugfix: Non-FOSS licenses are shown in the second pie chart of the report.
  • Bugfix: Log directory from config file is not used
  • Bugfix: Fossid report: license list truncated when there are many licenses
  • Bugfix: Folder identication is cancelled if component identification is removed
  • Bugfix: Pending Identifications report includes comments for files marked as identified
  • Bugfix: Dependency Analysis for node projects is sometimes very slow
  • Bugfix: WebApp API: match_type is sometimes “ignored” and sometimes “Ignored”
  • Bugfix: Cannot login via Active Directory if webapp_ldap_search_base is set to root of the domain
  • Bugfix: Unable to generate notice extract reports when a scan has ‘/’ character in scan_code.
  • Bugfix: Blind scan - Scan finished box says 0 files scaned
  • Bugfix: 404 when updating your user info as Licencing officer
  • Bugfix: Rescan of file is not working in blind scans created by remote path
  • Bugfix: Scan results: Remove github links for individual files
  • Bugfix: ‘License text’ not shown on the report when entered on component management.
• CLI (3.2.6 -> 3.4.5)
  • New feature: add cli_retry option
  • New feature: –timeout / cli_timeout now supports decimal value
  • New feature: add cli_timeout option
  • New feature: add –retry-wait and cli_retry_wait option
  • Improvement: Remove –kb flag
  • Improvement: Improve the documentation to explain how KB component version selection works
  • Improvement: Improve the highlighting help
• Alfred (3.4.6 -> 4.0.0)
  • New feature: Improved Component License support for JAR files
  • New feature: Volume Folder support
  • New feature: implement match.id
  • Improvement: Add alfred parse url rules for https://download.gnome.org
  • Improvement: show source of declared licenses
  • Improvement: component.license is now the first license of the aggregate licenses
  • Bugfix: Too many snippet results of false positives
• Wrapper (3.1.14 -> 3.4.5)
  • Improvement: Fix potential security vulnerabilities
• Shinobi (0.9.50 -> 1.0.8)
  • Improvement: improve performance of humongous shell scripts and other files
  • Bugfix: Generated notice text is lowercase
  • Bugfix: I want Shinobi to find LGPL-2.1 instead of LGPL for URL in MANIFEST.MF file
  • Bugfix: Wrong URL for “Proprietary License”
  • Bugfix: Shinobi not capturing copyrights with keywords ‘Group’ and ‘IS’ using auto-identification options.
  • Bugfix: Webapp captures incorrect copyrights using ‘Auto-identification options’
  • Bugfix: Incorrectly identified copyright statement

Changelog (FossID 20.2.2 -> 21.1)

• WebApp (2020.2.2 - 2021.1.1)
  • New feature: Dependency Analysis: Add Yarn support
  • New feature: New report creation interface
  • Improvement: Add report type “dynamic_top_matched_components” to API
  • Improvement: It should not be possible to start notice extaction for archvied scans
  • Improvement: Frame slightly too wide for a 1920x1080 display in the documentation
  • Improvement: Dependency analysis - Provide partial results if available
  • Improvement: VSF - update the CVE info every time a vsf scan is run
  • Improvement: More permissions checks added for WebApp APIs
  • Improvement: Use use –test-scan instead of –test-cal in system check
  • Improvement: “Top matched components” view should show intake components
  • Improvement: Webapp doc: add string match rules permissions to web-application/permissions.html
  • Improvement: Various smaller documentation content updates
  • Improvement: Update documentation for scans - generate_report to match new UI better
  • Improvement: API documentation not clear using ‘sensitivity’ and ‘full_file_only’ for scans - run
  • Improvement: Add CI/CD conceptual description and reference to example in the webapp doc
  • Improvement: Webapp documentation: Describe extraction options better
  • Improvement: Webapp doc: Describe report options
  • Improvement: Webapp doc: API documentation missing/incorrect
  • Bugfix: Quick view broken for files with more than 1000 lines
  • Bugfix: WebApp API: scans - run ‘full_file_only: 1’ and/or ‘sensitivity: 0’ does not work as expected
  • Bugfix: Identifying files from ‘Top matched components’ when scan root is selected does not work.
  • Bugfix: API pusher: string_match_rules_show example says ignore_rules_show
  • Bugfix: jars are always expanded even when they have a KB match when expand only if no full file match is chosen
  • Bugfix: Scanning from GitHub needs to work with master branches named ‘main’ instead of ‘master’
  • Bugfix: Uploads deleted from scan upload directory (/fossid/uploads/files)
  • Bugfix: Opening the scan log takes a long time
  • Bugfix: VSF not showing URLs - CVE information not always updated

Changelog (FossID 20.2.1 -> 20.2.2)

• WebApp (2020.2.1 - 2020.2.2)
  • Improvement: Update Dependency Analysis documentation
  • Bugfix: File license in match result only shows one license
  • Bugfix: Component license incorrectly displayed as n/a in some cases
  • Bugfix: Error 500 - Mark as identified, apply to duplicate files and match used as identification
  • Bugfix: LDAP - Handle anonymous binding case
  • Bugfix: VSF file result is displayed twice in the file result content box
  • Bugfix: HTTP status 500 error when trying to send email to the user with no email address

Changelog (FossID 20.2 -> 20.2.1)

• WebApp (2020.2.0 - 2020.2.1)
  • Bugfix: Opening the user manual from the dashboard will always open the English version

Changelog (FossID 20.1.3 -> 20.2)

• WebApp (2020.1.3 -> 2020.2.0)
  • New feature: Release notes in the webapp
  • New feature: String Matching
  • New feature: Dependency analysis - show dependency chain
  • New feature: Differentiate between dependencies needed for development and dependencies for deployment
  • New feature: Support highlighting using match format 2 data
  • Improvement: Directories for extracted file contents should be named after the archive file
  • Improvement: Remove API pusher example data indentation
  • Improvement: Remove old docs folder
  • Improvement: Only include the selected dependencies in the reports
  • Improvement: SPDX report import: implement importing file licenses from DisjunctiveLicenseSet
  • Improvement: Reduce logging of file deletion unless debug logging is enabled to improve performance
  • Improvement: Allow users with SCAN_UPDATE_ANY permission to delete component comments per scan
  • Improvement: Remove the “New project wizard”
  • Improvement: Mention dependency analysis in the installation instructions
  • Improvement: Documentation: Installation instructions clarification
  • Improvement: Documentation: Split installation instructions into two files, one for debian and one for redhat/centos
  • Improvement: Move the API pusher from the documentation to the “Tools” menu in the webapp
  • Improvement: Documentation updates for 20.2
  • Improvement: Documentation framework replacement
  • Improvement: Portable dynamic reports: Left pie chart should be based on component license as well as file license
  • Improvement: Remove whitelisting buttons from scan interface if whitelisting is not enabled
  • Bugfix: Error is logged whenever “Use as identification” is used
  • Bugfix: Users without ‘Ignore Rules - Set global ignore rules’ are able to delete the global rules created.
  • Bugfix: Performance regression in “top matched components”
  • Bugfix: No information is displayed by ‘View Scans’ in the component view
  • Bugfix: Error importing SPDX when contains an existing CPE in webapp
  • Bugfix: Reuse identification feature applying identifications to ignored files as well
  • Bugfix: Scan with reuse-identification can start without selecting project or scan code
  • Bugfix: API check_status_download_content_from_git never returns “FINISHED”
  • Bugfix: Unable to filter by the ‘BSD 3-Clause “New” or “Revised” License’ in the Portable Dymanic Report
  • Bugfix: API call to set component identification does not remove old component identifications
  • Bugfix: Importing an Excel report will generate duplicate entries in identification_component table
  • Bugfix: Logs: Date doesn’t fit in the date picker
  • Bugfix: Matched mirror code is not displayed for scan result with sensitivity 0
  • Bugfix: The value of is_spdx_standard field of licenses table are not correct
  • Bugfix: Duplicate local source lines when clicking the “Next File” or “Previous File”
  • Bugfix: Adding component comment in folder identification stops the identification process
  • Bugfix: WebApp is frozen when component is removed in folder identification
  • Bugfix: Fingerprint feature doesn’t seem to work anymore
  • Bugfix: Upload options (how to expand .jar files) in upload form are not updated with value set backend
  • Bugfix: Records from table identification_component are not removed when deleting a scan
  • Bugfix: Listing all projects takes a few tens of seconds
  • Bugfix: Multiple file licenses not being included in SPDX report
  • Bugfix: Duplicate components in “Marked as identified” list
  • Bugfix: There is no more N/A license in dbclean.sql (licenses table)
  • Bugfix: Uploading a compressed (non-jar) file into an existing scan doesn’t work if a file with the same name has been uploaded previously
  • Bugfix: Identifying a component from Top matched component list is not working when ‘All matches’ option is chosen
  • Bugfix: Folder identification without a component will add a null dummy component to files that cannot be removed from GUI
  • Bugfix: The date when using a KB component as identification is 1970-01-01
  • Bugfix: WebApp does not show correct component license for Linux Kernel
  • Bugfix: Folder ID no longer overwrites old component identifications
  • Bugfix: Creating new component when identifying from Top matched components redirects user to Apply folder identification pop-up
  • Bugfix: Identified file names not printed in HTML basic report when a file is identified to multiple components
  • Bugfix: The licenseupdate.php script does not add the t-prot license.
  • Bugfix: Component with no component license cannot be created and identified by bulk identification of metric view
  • Bugfix: Data too long for column ‘sid’ in table vsf_scan_file_vsf_results
  • Bugfix: Change component identification should replace the component, not append
  • Bugfix: Wrong NPM url in components created from KB - npm match
  • Bugfix: floating_background_disabler remains active after folder ID operation
  • Bugfix: API: scans - cancel_run not working
  • Bugfix: Update CLI help in WebApp 20.1 documentation
  • Bugfix: Documentation missing “–kb 1” information
  • Bugfix: Monitor Service Script crashes for recipient with no email address
  • Bugfix: CVSS2.0 “Attack Vector” and “Attack Complexity” are NOT populated in the report.
  • Bugfix: Package size field should only allow digits
  • Bugfix: The send message box is not closing when navigating to other tabs.
  • Bugfix: “Identify files matching..” icon/functionality not available when top root folder (the one generated as scan name) is selected
• CLI (3.1.16 -> 3.2.5)
  • New feature: Add match format 2 support
  • New feature: Support for get component details
  • New feature: Add shinobi-timeout parameter to CLI
  • New feature: Add –test-scan support
  • Improvement: reduce the size of the CLI
  • Improvement: wait (sleep) before retry
  • Improvement: lower default retries from 3 to 2
  • Improvement: add cli_shinobi_path parameter for fossid-cli
  • Improvement: Improve CLI error messages
  • Improvement: Change the default KB for VSF to 2
  • Improvement: Remove and hide some deprecated options
  • Improvement: Add Match Format Documentation
  • Improvement: Add SHA1 support for signatures (default OFF)
  • Bugfix: lower glibc dependency requirement
  • Bugfix: Support older Linux distributions
• Alfred (3.2.4 -> 3.4.6)
  • New feature: VSF2
  • New feature: cross-volume lookup support
  • New feature: ‘regular’ scanning support
  • New feature: New match format
  • New feature: Improved performance and memory footprint
  • New feature: Update volume support
  • New feature: License volume support
  • Improvement: configuration parameter to control shinobi timeout
  • Bugfix: Repository whitelisted using SCORELIST are still seen in the results
  • Bugfix: remove shinobi license type from file license field
  • Bugfix: Fix TY crashes related to scanning junk files
• Wrapper (2.10.1 -> 3.1.14)
  • New feature: Integrate embedded web server based on Jetty
  • New feature: High performance logging system (fully configurable)
  • New feature: New token system to enable/disable features per-token
  • New feature: High performance Fair Queue System
• Shinobi (0.9.7.6.6 -> 0.9.50)
  • Improvement: Optimize performance
  • Improvement: Shinobi not extracting licenses and copyrights from min.js files.
  • Improvement: Improve memory utilization
  • Improvement: Improve performance when dealing with larger files
  • Bugfix: Shinobi does not detect BSD-3-Clause license
  • Bugfix: Shinobi does not detect Apache-2.0 License
  • Bugfix: Shinobi does not detect BSD-2-Clause license
  • Bugfix: Shinobi detects GPL-3.0 on GPL-2.0 file
  • Bugfix: Shinobi fails to detect reference
  • Bugfix: Shinobi does not detect MIT License

Changelog (FossID 20.1.2 -> 20.1.3)

• WebApp (2020.1.2 -> 2020.1.3)
  • Bugfix: Upload source code issue of Intake Component
  • Bugfix: API: get_scan_log returns http error 500
  • Bugfix: API: get_folder_extensions_ranking returns http error 500
  • Bugfix: Mismatch between license in “Top matched components” list and license that will be used
  • Bugfix: View Project Components is not showing the expected data.
  • Bugfix: Component license incorrectly reported as n/a
  • Bugfix: API: get_marked_as_identified_files does not return component license
  • Bugfix: Reports: All files not included in report
  • Bugfix: Not all licenses appear in license search box
  • Bugfix: Reports: Only one file license exported to reports
  • Bugfix: Reports: Inconsistencies between HTML portable dynamic and Excel format

Changelog (FossID 20.1 -> 20.1.2)

• WebApp (2020.1.1 -> 2020.1.2)
  • Improvement: Directories for extracted file contents should be named after the archive file
  • Improvement: Optionally include shinobi-lib warnings and links in local file license information
  • Improvement: Allow users with SCAN_UPDATE_ANY permission to delete component comments per scan
  • Bugfix: Upload options (how to expand .jar files) in upload form are not updated with value set backend
  • Bugfix: Records from table identification_component are not removed when deleting a scan
  • Bugfix: Multiple file licenses not being included in SPDX report
  • Bugfix: Duplicate components in “Marked as identified” list
  • Bugfix: Uploading a compressed (non-jar) file into an existing scan doesn’t work if a file with the same name has been uploaded previously
  • Bugfix: Folder identification without a component will add a null dummy component to files that cannot be removed from GUI
  • Bugfix: The date when using a KB component as identification is 1970-01-01
  • Bugfix: WebApp does not show correct component license for Linux Kernel
  • Bugfix: Creating new component when identifying from Top matched components redirects user to Apply folder identification pop-up
  • Bugfix: Data too long for column ‘sid’ in table vsf_scan_file_vsf_results
  • Bugfix: Change component identification should replace the component, not append
  • Bugfix: floating_background_disabler remains active after folder ID operation
  • Bugfix: Update CLI help in WebApp 20.1 documentation
  • Bugfix: Documentation missing “–kb 1” information
  • Bugfix: CVSS2.0 “Attack Vector” and “Attack Complexity” are NOT populated in the report.

Changelog (FossID 1912 -> FossID 20.1)

• WebApp (1912.2 -> 2020.1.1)
  • New feature: Updated dashboard contents
  • New feature: Optional extraction of .jar files
  • New feature: Option to recursively extract archive files in scan upload code
  • New feature: Component comment feature to be available on per scan basis, proper solution
  • New feature: Notice text extraction
  • New feature: Initial dependency analysis reporting (Beta version)
  • New feature: Allow single file to be identified with multiple components
  • Improvement: Confirmation dialog when removing identifications from scan interface
  • Improvement: Fix some PHP Warning messages logged in Hiawatha/PHP-FPM logs
  • Improvement: Clarify documentation for uploading compressed files with API
  • Improvement: Scan Code dialog visual update
  • Improvement: Remove the pie-chart section of the scans view
  • Improvement: Scan button removal: Search Google
  • Improvement: Scan button removal: Manage whitelisting rules
  • Improvement: Scan button removal: Users
  • Improvement: Scan button removal: Delete scan
  • Improvement: Scan button removal: View failed and ignored files list
  • Improvement: Extensions listed in the “Marked as identified” and “Without matches” tabs should not look like buttons
  • Improvement: File- and component license on demand support in the webapp
  • Improvement: Use sensitivity 6 when invoking VSF from webapp
  • Improvement: Do not add shinobi-created links and warnings to the license field and local license db
  • Improvement: Improve system check by adding component version information
  • Improvement: Replace the out-of-the-box licenses db
  • Improvement: Directories for extracted file contents should be named after the archive file
  • Improvement: VSF documentation for Webapp missing
  • Improvement: New scan dialog - change the order of the fields
  • Improvement: Project creation dialog - switch places of project name and project code fields
  • Improvement: VSF UI - reverse order of the severity classification boxes
  • Improvement: Modify permission rules for editing own components created from KB id
  • Improvement: Add an API action to delete license identifications
  • Bugfix: User deactivated - User Deleted confusion
  • Bugfix: Component created with unknown license by Shinobi is causing a conflict when identifying
  • Bugfix: VSF wrong behavior generating false positive ?
  • Bugfix: Same action listed twice for scans in the API pusher
  • Bugfix: wrong link in documentation
  • Bugfix: Report generation from scans:generate_report API not working as expected for selection_view pending_identification and marked_as_identified
  • Bugfix: Add vertical scroll and set the size of license pop-up to a reasonable size for all screens
  • Bugfix: Cancel scan in VulnSnippet Finder not working
  • Bugfix: The “On” field of the approval function is not reflected immediately
  • Bugfix: Report generation from scans:generate_report API not working for pending_identified files or all files.
  • Bugfix: Comments multiplied when generating SPDX report
  • Bugfix: The Scan Parmeters label does not follow scrolling
  • Bugfix: Wrong warning for marking file without ID even when a component is assigned
  • Bugfix: API scan update: allow updating scans without target path
  • Bugfix: Add VulnSnippet Finder entry to “Tools” page
  • Bugfix: SQL error in logs
  • Bugfix: Scan interface - columns in matching results are not aligned with header when there are ignored results by whitelist rules
  • Bugfix: License text missing formatting in the report
  • Bugfix: inconsistency alert for mismatch license component
  • Bugfix: [Snippet Search] Source is not displayed more than 1000 lines
  • Bugfix: File upload animation is not synchronized with the real upload status
  • Bugfix: Opening a big scan log will crash the webapp
  • Bugfix: When in all files view - “Top matched components” > “all matches” list does not work
  • Bugfix: Confusing error message when file not found in mirror
  • Bugfix: Wrong alert for mismatch components with N/A license in kb vs local database
  • Bugfix: Scan Speed Issue in Regular and Blind Scan
  • Bugfix: Use new ldap_connect() function signature
  • Bugfix: Cannot import SPDX reports exported from BD Hub 4.7.1
  • Bugfix: ‘Pending Identification’ tab shows folders without pending files
  • Bugfix: ‘Information Mismatch’ dialog does not show license for the component in search result
  • Bugfix: ‘Information Mismatch’ message inconsistent
  • Bugfix: [Documentation] Use consistent permission name ‘Access component intake interface’
  • Bugfix: Extension is not correctly listed
  • Bugfix: “No, I want to start identifying from scratch” message misleading
• CLI (3.1.10 -> 3.1.16)
  • New feature: Support for getting mirror and local file in UTF-8
  • New feature: KB 2 support
  • New feature: Add User Contribution Scan (–uc)
  • New feature: set default kb version to 2
  • New feature: remove –signature-format option
  • New feature: support Shinobi notice file generation
  • Improvement: remove .patch support
  • Improvement: remove -h as shortcut to –help
  • Bugfix: Scan fails with “Too many levels of symbolic links” error regardless of the setting ‘cli_follow_symlinks = 0’
  • Bugfix: fix patch file transformation
  • Bugfix: Local file and matched file highlight content is different
  • Bugfix: scanning empty signatures reports invalid signature
  • Bugfix: permission errors trying to access the signature path
  • Bugfix: fix Shinobi timeout too low for some big files
  • Bugfix: fix error code when mirror fails
  • Bugfix: improve shinobi integration
  • Bugfix: workaround for invalid signature: invalid number of line hashes
• Alfred (3.1.9 -> 3.2.4)
  • New feature: remove support for signature format 1
  • New feature: mirror-based scanning pipeline in alfred to secure match quality
  • Improvement: Increase the weight of filename/path info when evaluating matches
  • Bugfix: fix: no highlight or junk highlighted for file
  • Bugfix: Fix snippet match not giving any highlighting
  • Bugfix: Fix snippet match not returning any highlighting
  • Bugfix: Fix cpe field missing depending on volume order
  • Bugfix: invalid cargo reported during scan
  • Bugfix: fix issue with score-list-ls and tokens with / in the name
  • Bugfix: Allow only specifying VSF volume(s) in configuration
• Wrapper (2.07 -> 2.10.1)
  • Bugfix: Various small fixes
• Shinobi (0.9.5 -> 0.9.7.6.6)
  • Bugfix: Shinobi detects AGPL for LGPL-2.1 header