New Features in TrustSource v2.5

We’ve put a lot in the feature box again!

Rejoice with us and try it out right away!

New Features:

New role Portfolio Manager and Portfolio Overview introduced:
In response to customer requests, a Portfolio Manager role has been introduced, which can always keep an eye on the totality of issues. For this purpose, an explicit portfolio overview was built, which makes it possible to identify critical components from the portfolio overview within only three clicks.
New search options for Vulnerability Lake:
It is now also possible to search for CPEs or component identifiers and subscribe to them if suitable. This makes it easy to track different identifiers or sources.
Ability to display vulnerability descriptions directly (Get Details):
Allows the description of a vulnerability to be displayed directly so that the screen does not have to be changed. This allows decisions to be made directly in context.
Vulnerabilities for infrastructure components:
With the help of the vulnerability lake, it is now also possible to better resolve the known vulnerabilities for the infrastructure components and display them in detail in the application.
Automatic fixing of legal todos with the help of the notice file:
It is now possible to generate the notice file as a pre-version without approval. TrustSource now automatically sets all obligations that are settled by the notice file to “completed” and refers to the notice file. This saves a lot of maintenance work.
Interoperability: Support for all CycloneDX SBOMs:
We have included CycloneDX, both in the core for manual uploads of modules or 3rd party software, and via API. This means that in addition to SPDX, CycloneDX is now also fully possible via both channels, which enables integration with almost all scanners. In the course of this, an import API for SPDX (v2.2+) was also created.
Dependencies are displayed using a SunBurst diagram for greater clarity.
CMake integration: With the help of this new scanner, CMake-built projects can be easily scanned and transferred to the platform for further analysis.
Improvements:

Attack vector representation has been equalised and made more readable.
Since the addition of additional sources, the deep link to the NVD was impractical, so we have provided an internal representation. This will also change slightly in the coming weeks.
Loading times of larger scans optimised and shortened
Vulnerability Alert mails now contain appropriate deep links so that the new information can be jumped to directly.
Internal optimisations in the area of Vulnerability Assignments.
Changes in the framework no longer only affect the analysis and the results, the notice file is now also adapted.
New intro for new users.
Improvements for the administration of components (Component Manager).
ts-node-client updated to work with newer node versions.
Tagging capabilities improved, especially for components, projects and modules, to simplify filtering.
Improved sorting capabilities in CompDB
Added chronicle of legal settings. This means that older states can also be retrieved.


TrustSource v1.9 updated

TrustSource v1.9.6 updated to minor update v1.9.16

There will still be a few steps to take before we will be able to launch our long-awaited v2.0.0. But we already had a cool set of enhancements and features available that we did not want to hide any longer. So we decided to provide them with this interim update.

New Features:

  • Deep-Links have been added to DeepScan results

The deep link allows you to jump directly to the file in the scanned repository, so that you may review the findings with your own eyes.

  • DeepScan Feedback loop

You may edit the findings of DeepScan in place. Thus you may enhance or modify the automatically identified findings. We will use your input to add the cases to our learning model.

  • New Approval-Screen for Compliance Managers

Compliance Managers get a new screen “Approvals”, allowing them to manage all approval requests from one screen.

  • Version age indicator introduced

As we have a great understanding of all existing versions, we have added an hourglass symbol in the module details view. It enters the warning (yellow) and critical (red) states as the delta between the used and the latest version grows. You may define the sensitivity of this measure in the module settings or mute this alarm in case you require a specific version.
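The state logic described above, as an added example that is not TrustSource's own code: it counts how many known releases are newer than the version a module uses and maps that delta onto the ok/warning/critical states, with the thresholds (`warning_after`, `critical_after`) and the mute flag being assumed per-module settings.

```python
"""Version-age indicator: releases behind the latest version -> state.

Added illustration, not TrustSource's implementation. Thresholds and the
mute flag are assumptions standing in for the module settings the page
mentions.
"""
from dataclasses import dataclass
from typing import Iterable


def parse_version(v: str) -> tuple[int, ...]:
    # Constructed helper: handles numeric dot-separated versions only
    # (e.g. "1.9.16"); pre-release suffixes are out of scope here.
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class AgeSettings:
    # Assumed sensitivity: number of releases behind latest before each state.
    warning_after: int = 2
    critical_after: int = 5
    # Assumed mute flag for modules pinned to a specific version on purpose.
    muted: bool = False


def releases_behind(used: str, known: Iterable[str]) -> int:
    """Count distinct known versions that are newer than the one in use."""
    used_v = parse_version(used)
    newer = {parse_version(v) for v in known if parse_version(v) > used_v}
    return len(newer)


def version_age_state(used: str, known: Iterable[str],
                      settings: AgeSettings = AgeSettings()) -> str:
    """Return 'muted', 'ok', 'warning' (yellow) or 'critical' (red)."""
    if settings.muted:
        return "muted"
    behind = releases_behind(used, known)
    if behind >= settings.critical_after:
        return "critical"
    if behind >= settings.warning_after:
        return "warning"
    return "ok"


# Constructed sample release history for one component.
KNOWN_VERSIONS = ["1.0.0", "1.9.6", "1.9.10", "1.9.16", "2.0.0", "2.5.0"]

if __name__ == "__main__":
    for used in ("2.5.0", "1.9.6", "1.0.0"):
        print(used, releases_behind(used, KNOWN_VERSIONS),
              version_age_state(used, KNOWN_VERSIONS))
```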

Improvements:

  • New legal questionnaire

As many users reported problems completing the legal questionnaire, we have simplified it. Out of seven questions, we were able to convert three into options to switch on or off (Want that protection? yes/no). The remaining questions are pretty simple to answer, so that no more obstacles in completing the questionnaire should remain. (Please let us know if you think differently!)

Fixes:

  • Treatment of “no-License” cases in Notice file amended
  • The license “no license” appeared to be handled as a regular license when generating a Notice File. We have changed the behaviour so that such a component will not appear in the Notice File and a warning will be issued.
  • Some spelling mistakes have been corrected.
  • A few layout fixes where long names/values broke the design.

Enjoy the improved version and feel free to share your feedback.


TrustSource v1.9 release available!

We are happy to announce our latest release of TrustSource, version 1.9 to arrive Sept. 10th 2019!

With our v1.8 we introduced a more detailed versioning schema allowing a closer match between the code repos and the scan results by adding support for branch and tag. In this release one of the major updates is the new approval, which allows you to specify a combination of versions which shall be taken for an approval. But besides this, there is even more:

New Features:

  • Improved Approval Process:
    The new approval is started in the same way as in the former version, but a wizard will guide you through the steps. You will be able to give the approval a particular name and select the modules and analysis versions to apply. When you are confident with your selection and issue the approval request, TrustSource will generate all relevant documentation (Notice File, if required a SOUP file – see below – and a new compliance report) and process the request towards the compliance manager(s).
    They will find the information in their inbox and can immediately dive into the new compliance report.
  • Compliance Report:
    The new compliance report will give a comprehensive summary of the project situation including legal and vulnerability status. It will also list the required documentation and unveil the degree of completion. The report will also outline the changes in component status a project manager has made. Thus manual status changes will become immediately visible, comments on vulnerabilities that have been muted will be available for review, and more….
  • DeepScan:
    How often do you rely on the declared license? How many of us really dig deep to ensure that there is no little snippet of code containing another license? I probably would rather not know. However, we proudly present DeepScan. This new service allows you to specify the URL of a component repository, which DeepScan will then assess for you in the background. It will search for all sorts of data providing a relation to a license specification and present the findings to you. Give it a try! You might be surprised…
  • Support for Medical Device Directive Documentation:
    In 2020 the European Medical Device Directive will force developers of software related to medical devices to clearly outline all third party software, track changes to it and register each change (UDI-ID). We are preparing to support this procedure and already offer automatically generated SOUP lists as well as COTS component management. Further steps to follow; stay tuned with our newsletter.

Improvements:

  • Improved sorting and selections from lists
  • Multi-license cases will be marked as warning as long as no decision about the license to use has been made, even if both licenses would result in no obligations. Thus all required decisions will be easy to identify.
  • We were able to identify some inputs from scanners being misinterpreted, e.g. “>=” version conditions, resulting in difficulties with correct version matching. These cases are now resolved properly.


New Release v1.6 available

We are happy to announce the availability of v1.6! v1.6 also comes with massive new features, focused on process improvements. Read more:

New Features

  • Vulnerability alert - It took us quite a bit to get the matching to a reasonable quality, but we managed it after all. You will now get notified by TrustSource if new vulnerabilities appear for components that you are using in your most recent build.
  • "Action required" items in inbox - Especially for our compliance managers we provide an inbox on the dashboard listing all open approval requests. This allows you to immediately see where action is required.
  • Dependency graph - The so-called dependency list is a flat list of all components entering the project, even through transitive dependencies. To allow a better understanding of the impact a component has, the graphical display lets you actually _see_ its position within the dependency graph. You may modify the appearance and expand or shrink single nodes for better visibility.

Improvements

  • Improved rule sets - Based on customer feedback and our own research, we were able to improve the analysis results of several licenses.
  • Improved Maven plugin - The Maven plugin has been extended to support the check functionality, allowing you to verify components on the dev desktop without the need to push a scan.
  • Improved Jenkins plugin - The Jenkins plugin has also been extended to use the transient version of the check API.

Fixes

  • Add name in register form - Changing your name after having been invited, while logging in for the first time, is now possible.
  • Propagate deletion of all members - Changing the members of a project, or of all modules within a project at once, was introduced a while ago. But it had not been recognized that the propagation of an empty list did not take effect immediately. This has been fixed now.

Our next version v1.7 will focus on security and extend the login capabilities. We will introduce alternative ways to authenticate and simplify corporate SSO. The given role model has been reviewed and will be tuned towards more flexibility.

If you want to get an overview or some insights into our roadmap, feel free to contact our sales team! They will be happy to present the upcoming steps to you.

If you feel like there should be some features you do not see on the horizon, please let us know! Our business development or your engagement manager will be happy to hear about your ambitions.


Release v1.5 available

We are happy to announce our latest Update v1.5.16. With this release we further strengthen our capabilities in managing vulnerabilities and extend our documentation competencies.

New Features

  • PDF-your-Reports - It is now possible to download your reports as PDF. Timestamp and release number will always be included, so there is no chance of mixing up data.
  • New Bill of Materials Report - With this release we have provided a BoM-report allowing you to request a visual representation of the Bill of Materials of any of your projects.
  • New CVE-Impact Report - With this report you may select a CVE number and immediately see which components in what project are affected by this CVE. From the report you may jump directly to corresponding components and trigger further action.

Improvements

  • Branding changed to TrustSource - From now on we have moved to the new branding schema. Not only the visuals (logo, etc.) changed, but also the URLs. The base URL is no longer https://ecs-app.eacg.de but https://app.trustsource.io. The old URLs will remain working, but we suggest using the new ones.
  • Preview changes in Bulk user upload - The bulk user upload for the corporate and enterprise accounts does have a preview now. So you may see which lines might cause unwanted impacts and dry-run your import before allowing it to take effect.
  • Jira-Status-Report - Jira tickets are now presented in a nicer way according to status. Also it is possible to have project specific reports.

TrustSource Version 1.4 released

We are proud to announce the release of v1.4!

It took some sweat, blood and a lot of testing, but now v1.4 has been successfully released. There is a basket of new features available that will make your work much more efficient:

  • The new inbox will collect all communication, so you will not miss anything anymore.
  • A vulnerability feed will alert you about the latest changes or upcoming issues.
  • CVSS scores and attack vector information allow a faster identification of critical issues.
  • Extended Obligations report - Using the new obligations report it is possible to jump directly to the associated component, so that you may work with it without switching between the two views. The report is now also available from within the list views.
  • Suitability checks - To further support SHIFT LEFT, we have created a feature which allows you to verify the suitability of licenses and/or components that are not yet built in. This allows developers to verify the consequences of using a product even before it is added to the code base. The functionality is also available over the API.
  • Private licenses - You are now able to create private license keys, so you may also manage your own licenses.

We have also added some improvements and fixes. For example, we were able to discover and resolve a matching problem in our vulnerability scanner.

Additional information can be found here.