Español

Release Notes

DigitSec Help
  • Updated

April 2025 Patch Release Update

Release April 21, 2025 v19.3.23.ga

We have released a patch that addresses some issues that were identified subsequent to the launch of the last release. These issues have been resolved in this patch update.

  • A parser error was discovered that caused certain combinations of files to not be scanned completely.
  • A bug was discovered in the way our algorithm traced certain paths within CRUD analysis following refinements that improved discoverability and performance. This was causing certain issues to not be identified properly.
  • An error in our build sequence caused our new rule related to Sharing Violations - Exposed Methods to not be able to record issues identified during scanning. 
  • We resolved an issue where the Scheduler system did not receive the update successfully during the push to production.

All of these issues have been resolved with this patch.

April 2025 Release Updates

Release April 11, 2025 v 19.3.23.g

New and Refined Rules for Salesforce "Core" Scans

SOQL Injection (Updated & Refined; Severity: High) - We have refined and improved our algorithm to provide greater sophistication to our rule. These will address specific scenarios where a query is run with AS USER; where we address a potential false negative when the query is run with WITH SYSTEM MODE; and addressing a potential false positive when string concatenation is used with BIND variables; and we are also addressing when the inputs are strongly typed to IDs.

 

Sharing Violation Exposed Methods (New; Severity: High) - Each object in the Lighting Platform has permissions and may have sharing settings for which users can read, create, edit, and delete. By default, Apex classes can read and update all data within the organization. This presents security issues since not all users have the same permissions in most Salesforce orgs. When defining an Apex class, if the keyword without sharing is used or no sharing is specified at all, that class is now vulnerable to authorization bypass. Authorization bypass means that someone who doesn't have permissions to access everything in your Salesforce org could potentially see and use data not authorized to them. Authorization Bypass occurs when an Apex class is defined as without sharing or not specifying any sharing. By default, all classes are defined as without sharing. This setting does not enforce user permissions when the class is invoked by an Apex Class or client side code. Exposed functions (Callable, @RemoteAction, @InvocableMethod, implements VlocityOpenInterface, implements VlocityOpenInterface2, @AuraEnabled, @RestResource, @HttpDelete, @HttpGet, @HttpPatch, @HttpPost, @HttpPut, @ReadOnly, @RemoteAction) can easily be exploited by making a call from any client side code.

 

Up-To-Date Issue Detail Screens

We have made an improvement to the way our system displays information related to an Issue on the Issue detail screen. Our system will now show the most up-to-date information, such as latest remediation guidelines, relating to an issue or rule regardless of when the issue was initially identified.

 

Minor Bug Fixes and Improvements

We have made several changes that will improve the experience of the user interface, including: updating the JIRA integration to utilize a new domain; modifying our alert dialogs when changing a user's role; modifying the time elapsed indicator for scans that were completed less than 2 minutes ago; closing a modal dialog after adding or editing a B2C Workspace; removing line numbers from the vulnerable function field if it is null; updating Copado Integration links on the UI Help page; fixing a bug that indicated an Invalid Date on the Issue Detail screen; updating the Team Member Addition Dialog to use a type-ahead select field; updating the navigation after a successful Two Factor Authentication login.

March 2025 Patch Release Update

Release March 27, 2025 v 19.3.23.ff

We have released a new patch to address an issue where certain scans were getting stuck and not failing properly. This error would occur when running CONFIG scans and certain elements of the response from Salesforce were unexpectedly NULL.

 

Release March 23, 2025 v 19.3.23.fe

We have released a new patch to address an issue where certain scans were getting stuck and not failing properly. This error would occur when running CONFIG scans and certain elements of the response from Salesforce were unexpectedly NULL.

 

Release March 18, 2025 v 19.3.23.fd

We have responded to a number of small issues that were causing some problems with scanning on Commerce Cloud sites, issues where certain user accounts flagged for inactivity were being flagged as users with no activity, and we have updated the remediation guidance for the Potential Data Exposure rule. 

February 2025 Feature Release Update

Release February 25, 2025 v19.3.23.f

Major Commerce Cloud Rule Expansion

We have previewed these changes with many of our Commerce Cloud customers. This expanded functionality now provides analysis for:

  • Access Management - Identify stale accounts across multiple SFCC tenants.
  • Massive Downloads - Identify massive download events across SFCC tenants.
  • Auditing Permission Assignments - Identify overly permissive roles assigned to users who have risky permissions such as WebDAV, payment processing, order management, and user management given to non-admin users.
  • Fraud Detection - Identify suspiciously generous coupons created across SFCC tenants.

There are 42 new rules. To highlight a few:

  • Cross Site Scripting
  • Cross Site Request Forgery
  • Massive Download Event
  • Commerce Cloud Risky Promotion
  • Low Risk Commerce Cloud Promotion

B2C/Commerce Cloud customers that wish to take advantage of the new rules, should refer to our Docs Site at How to Connect Salesforce Commerce Cloud – S4 Help to note some updates to our documentation, particularly in reference to the Permissions JSON and the establishment of a Security Job on Salesforce.

New scans initiated from our web interface will take advantage of new rules as long as the connection has been updated. Users initiating scans using the API must specify v302 in the request URL. Please contact me for more details.

Updates to SFDC Rules

We have also updated two rules on the Salesforce core side and have added a new rule.

Action

Rule Title

Updated  

Cross Site Scripting

Updated

Password Manipulation

New

Potential Data Exposure Detected

 

February 2025 Patch Release Update

Release February 21, 2025 v19.3.23.ef

We are responding to a problem with a small number of customer workspaces not being able to complete a scan due to an issue related to the size of the function stack and some corrupted archives. This patch resolves those issues and provides for greater error logging.

January 2025 Release Notes

Release January 6, 2025 v 19.2.23.ea

This release contains mostly behind the scenes updates and some minor UI fixes.

Mongoose Driver Update

We devoted substantial resources since our November release to update our Mongoose Driver, which connects our web application to our MongoDB database. This is a critical component of our software and therefore required robust and exhaustive testing of every function.

GitHub Repository File Size Issue

We resolved an issue in our network routing that was preventing GitHub repositories of greater than 150 MB from being scanned properly.

Vulnerable Function Expansion

In our November release we improved upon the Code Snippet functionality by providing a means to view the entire function. We've made a slight change to our User Interface to only display this icon when data is present in that field. For some vulnerabilities, we either do not or we have not captured the entire function and therefore will not display the expand function icon.

November 2024 Release Notes

Release November 7, 2024 v19.3.23 d

While this release does not come with an expansive set of notes, it contains substantial "behind the scenes" updates that ensure long-term stability and performance.

Scanner Algorithm Updates


We have made a number of refinements to our algorithm to address a number of use cases with SOQL injection. These improvements include cases where the statement runs AS USER; addressing False Negatives when running WITH SYSTEM MODE; improving analysis when evaluating string concatenation when using BIND variables; and excluding ID types as vulnerable to SOQL Injection.

More Vulnerability Detail

In our last release, we introduced more detail for Code Snippet vulnerability by adding a clickable control that would display the entire function that contained the line of code that was causing an Issue. We are adding "Category" as a column choice in the CSV/Excel spreadsheet. This datapoint refers to the type of scan that was used to identify the issue (SAST / SCA / CONFIG /IAST / 3RDPARTY / QUALITY).

We are also removing "Vulnerable Function" as a column choice in the CSV/Excel spreadsheet. Unfortunately, the formatting of the code snippet breaks the structure of the export file and renders it unusable. This data is still available via the JSON export.

Tighter Workspace Management

We have addressed an issue where certain Two Factor Authentication configurations interfered with the Workspace creation workflow preventing other Admins from being able to access the new workspace. The expected behavior should be that Admins have access to all Workspaces. We have also modified our UI experience for managing Workspace Assignments in the Setup→ Users screens. We now display the last four characters of the Workspace ID that will help differentiate Workspaces with similar names.

Minor Bug Fixes and Improvements

We have restored the display of the data visualization for Last Scan details in the Workspace Dashboard; we have updated our GitHub webhook responses to avoid having GitHub register a timeout error; we have added an exception handler for when our scans encounter a corrupted zip file, now allowing the scan to continue while also logging the issue; resolved an issue that would display a blank screen after authentication at login; we have added some string validation to the Workspace creation dialog to enforce a *.my.salesforce.com pattern.

 

September 2024 Release Notes

Release September 18, 2024 v 19.3.23c

Tag Library

We have made a substantial upgrade to our Tag management system. Users that have been active with DigitSec will recall that we have been actively expanding the scope of the Tag system, starting with Issues and moving on to Scans and Workspaces. We are now capitalizing on that foundation and are transitioning to a centralized management system. While this may appear to be a rather subtle change, there are many facets of complexity that are important to note.

Primarily, Admins will now be able to access a new system under the Configure menu that allows them to Create and Inactivate tags from a central location. This addresses a common complaint that our older system allowed for too much potential variation on assignment. This will also be an assignable permission for lower level Environment Users, Managers or Custom Roles.

Next, Tags are now also typed by whether they are applied to an Issue, Scan or Workspace. When Creating a Tag, it is possible to choose to automatically add to all types, or it can be limited to a single type. In addition to types, we are now also tracking a Tag's state of "Active" or "Inactive". In the Active State, tags will appear in menus as a valid option for Linking (or assigning). In the Inactive State, tags will no longer be available for Linking, but existing linkages are not removed. In this way, a Tag assignment could be valid for a time and then inactivated, but still be searchable at a later time. We're interested in your feedback on this feature. Our centralized Tag Library tracks Inactive tags and it is possible to Restore them to Active status.

Tag Creation and Tag Linkage/Delinkage are also assignable permissions at the Workspace level, so it is possible to restrict who can do these actions for your Custom Roles.

Users of our API will be familiar with the fact that we had previously stored tags for Issue/Scan records in a Custom Fields array as a complex object with Key:Value:URL properties. We are now introducing a specific Tag field that will store an array of IDs. On the front-end and through our CSV exports, we will include the related record information. However, on the back-end, users will need to interpret the ID values.

API Versioning 

We are now introducing Version 3.0.2 of our API. This is a minor update to our existing 3.0.1, but it introduces several new endpoints to help with Tags.

More importantly, users are advised that we have reconfigured our services to allow for a separation between different versions of the API. This will allow API users to test new features, changes in input parameters or response data for some time after release and not be forced to change on an uncertain schedule.

The standard pattern for addressing the API is https://s4.digitsec.com/<endpoint>. This will always point to the "oldest" version of the API. To specify a specific version, you would add the version stub between the <domain> and the <endpoint>. We are currently supporting two versions: v301 and v302.

  • https://s4.digitsec.com/v301/<endpoint>
  • https://s4.digitsec.com/v302/<endpoint>

Transition

One final note about both API Versioning and the Tag Library. We are automatically transferring the old Tag information contained in the Custom Fields array into the new Tag Management system. Each unique Key:Value pair becomes a new Tag and then we create the associated Item:Tag linkages. While we are deprecating the use of Custom Fields through our App, we are not removing any of the data that is currently stored in the Custom Fields array. If there are any questions or concerns about Tag updates, we will be able to refer back to the existing data. API users will still be capable of accessing and modifying the data in the Custom Fields array (using v301 only). We do not have plans at this time to remove that functionality, however we would like to caution our customers not to rely on those fields for long term management or tracking.

Code Snippet Visibility

Our Issue Details pages have highlighted the single line of code that triggers an Issue creation. Users have always appreciated having that displayed along with the filename and line number. However, we've also heard great feedback that it would be helpful to have a bit more context. The code snippet section now has a page control that will expand to show the complete final function so it is easier to understand if there are potential mitigating factors that might indicate a false-positive finding. Users that rely on the JSON export or retrieving data via the API will also notice that we've added two fields: vulnerablefunction and vulnerabilefunctionline. Respectively, these fields will contain the entire function from the code and the starting line number that the function appears.

Scheduler System

We have resolved a longstanding issue with our Scheduling System. Some users had reported seeing discrepancies between the number of issues identified in a Scheduled Scan versus the number of issues identified in an On-Demand Scan. We had advised several of our customers that actively used this feature of the issue. The issue has now been resolved and we advise customers that they should see consistent results between On-Demand and Scheduled scans. However, we do want to highlight that we have disabled the ability to link tags to scheduled scans prior to execution. Tags can be linked to scans once they have been completed.

Minor Fixes and Additions

Several of our patch release in the past few weeks have included small tweaks to our remediation guidance bullets. We have also made some progress in the removal of small typos and errors in some of our text. In our API, we have modified a number of endpoints to pre-validate the input prior to executing the request. For the /bulkfinding endpoint, we've also added acceptance for both _scanID and for scanId to accommodate some Apex variable name requirements. Some users have also mentioned needing to refresh their browsers after login to have the Workspaces Dashboard display; that issue has been resolved. Users should note that when switching between a scan's issue index and an issue detail page, using the browser refresh button will drop the active query and users will be returned to the first page of scan results. We've resolved an issue in the User Management system where longer-term customers might have encountered an error accessing Inactive users. We have also updated the Update Workspace flow for Connected Apps to work as expected. Finally, we have added a new value, "By-Design" to the Status Assignment control that should give teams a bit more flexibility in how they track Issues.

This is version 19.3.23c

July 2024 Release Notes

Response to Polyfill.io Threat

Recent news has highlighted a malware threat from code that relies on the Content Delivery Network (CDN) polyfill.io. This patch update modifies our Software Configuration Analysis (SCA), Config and Static Application Security Testing (SAST) scans to identify any code that relies on this CDN or a compromised polyfill.io.

Protection against Polyfill.io

As we know there is an active advisory from Salesforce and detected by numerous sources that polyfill.io should not be considered safe. There are some reports of malware being propagated through the library.

We are protecting our customer against the polyfill exploit as follows:

  1. Our SCA engine is checking for all libraries which match the polyfill library type and functions, even an altered version of polyfill will be flagged if the same function signatures exist.
  2. While scanning Lightning Web Components (LWC) and VisualForce pages we are looking for any remote references to polyfill either directly by referencing polyfill.io or indirectly from a CDN.
  3. When running a scan against a Salesforce environment, we are checking Content Security Policies (CSP) to ensure that polyfill.io is not being allowed.
  4. When running a scan against a Salesforce environment we are checking Cross Origin Request Sharing (CORS) setting to ensure polyfill.io is not enabled in a Salesforce environment.
  5. When checking Remote Sites we are checking that Apex connections are not made to polyfill.io.
  6. Any 3rd party packages whether downloaded from AppExchange or other sources can be checked to see if they reference or use polyfill

This is the most comprehensive approach to protecting our customer's Salesforce environment and users against this supply chain malware attack.

We are continuing to monitor this issue and will share any updates as needed.

Please feel free to reach out to us if you have any questions or concerns.

You can take advantage of this update by simply running a new scan on your connected Salesforce orgs or code repositories. Please ensure, Static Analysis, SCA, and Config are turned on in your settings. Any polyfill.io related issues will be flagged as Critical.

This is version 2023.19.3.21m

Update: Supplemental Advisory

It has been observed that several other hosts are exhibiting similar malicious activities for hosted polyfills. These additional hosts include:

  1. googie-anaiytics.com
  2. polyfill.com
  3. polyfill.site
  4. polyfillcache.com
  5. bootcdn.net
  6. bootcss.com
  7. staticfile.net
  8. staticfile.org
  9. unionadjs.com
  10. xhsbpza.com
  11. union.macoms.la
  12. newcrbpc.com


These hosts have been identified as malicious and are tagged within the DigitSec platform as critical vulnerabilities. Our team is also analyzing the behavior of files in the Salesforce environment during runtime testing.

 

June 2024 Release Notes

Bulk Issue Modification

Users that need to make the same modification to the User Assignment, Tags, Comments, or Status of many different Issues will now be able to do so quickly and easily without having to rely on the API. It will now be possible to select up to 100 (or just a few) of the Issues that appear on a Workspace's Issue Page and then apply the same modification to all of them at once.

This new feature also respects the expanded permission control over each one of those Issue inputs (Status, Assignment, Tags, Comments) as well as the Required Comment control that have been introduced in recent patches.

Furthermore, for teams that want to make these changes via the API, we've created a new endpoint that will be able to handle 10,000 record modifications in a single request. Contact your Customer Success representative to get early access to the documentation updates.

Code Snippet Contextualization

One of the ways that our scanning engine is built to be fast and efficient relies upon the way we identify findings across workspaces and scans. In this release, we've made a critical update so that the line numbers of existing findings are updated to reflect the most recent scan results. Previously, once the issue had been identified we did not update the line numbers within the function call tree as long as that tree remained the same.

Salesforce Connection Authorization

We have added a new method for connecting your DigitSec environment to Salesforce. You can now set up a Connected App in Salesforce and connect to a DigitSec workspace by providing the Custom URL and the Connected App Client ID. 

Minor Fixes and Resolution of Known Issues

This release sees the resolution of a number of Known Issues and a large number of minor fixes.

  • Resolved: New Issue Feature only works with Workspace Setting Feature
  • Resolved: Workspace Assignments for New Team Members Not Saving Properly
  • Resolved: Commerce Cloud Workspaces do not have isNew control
  • Resolved: Export from Scan Issues Page using isNew filter
  • Added a Reset Password button to User Profile screen
  • Fixed an issue where page would blank when using certain query filters
  • Updated CRUD Rule remediation guidance to fix a typo and show WITH_USER_MODE
  • Fixed a Permission issue related to downloading a CSV report
  • Fixed a Permission issue related to Workspace Managers not being able to add comments
  • Fixed a display issue to accurately reflect workspace assignments for Admin level users
  • Added a new control for Security Gates and scan settings to make it more clear when a Workspace is governed by local or environmental settings.
  • Resolved an issue where our rules related to Profile Security were evaluating inactive profiles

This is version 19.3.21 - Release Date: 2024-06-04

March 2024 Patch 2

Bulk File Ignore

Expanding the functionality of our Ignore Rule, users can now simply upload a file that contains many filename entries for files they wish to exclude from their scans.

Improved Environment-Workspace Settings Management 

We have improved the user interface associated with managing the Scan Settings and Security Gate Settings at the Environment and Workspace levels. Administrators should have their default settings active at the Environment level. Workspace Managers have always been able to override these settings, but now they have the control to also revert back to the Environment Settings. In the case of Security Gates, Workspace Managers can also toggle the Security Gates off and on, while preserving the values they had previously entered.

We think this will make it much more clear to every team which settings are active within a Workspace.

Updated Security Rules

We've updated our security rules to include support for WITH_USER_MODE for code that might have potential CRUD Issues. This change should allow more up-to-date code to pass without being flagged as a potential Issue.

Minor Bugs and Fixes, Disabled API Endpoint

This release contains a number of small bug fixes and changes that may not have a direct impact on user experience. Most notably, we have removed a legacy endpoint from our API:

/dashboard/trendingscans

If you attempt to access this endpoint, you will now receive an error.

This is version 19.3.19 - Release Date: 2024-03-27

March 2024 Patch 1

Enhanced Permission Granularity on Issue Data

For Teams that require more robust control over which team members can make modifications to Issue Data, we have now put READ/WRITE controls on Issue Comments, Issue Status, Issue Severity, Issue Tags, and Issue User Assignment. (WRITE permissions are inclusive of READ permissions).

When a Custom Role is created and the Issue object permission is set to WRITE, these five Child Permissions are displayed and can each be set as either READ or WRITE. When the Issue object permission is set to READ, all of these child permissions are also set to READ.

Edit Custom Roles

We have added added the capability to edit and delete established Custom Roles and to browse existing Custom Roles in a new tab underneath the Configure Main Navigation. 

Required Comments 

On an environment wide basis, we have added a new capability to require a comment when a user makes a change to an Issue Status. To use this feature, use the Configure Main Navigation, under the Advanced Tab, activate the switch for Required Comments. 

When this feature is active, a user modifying the Status on the Issue Detail screen will be prompted to enter a comment. If they cancel the modal dialog, the status change will be discarded. If they submit the comment, the comment and status change will be captured to the Issue Detail history.

Updated VS Code Extension

We have updated our VS Code Extension (v2.1.1) to now rely on a User's API Key found under Workspace → Integrations rather than authenticating with User Name and Password. We believe this is ultimately more convenient to users and follows best practice.

This is version v.19.3.17 - Release Date: 2024-03-18

February 2024 Patch 4

Minor Fixes

We've made a number of small fixes and changes in this release to resolve some issues. In particular, we've modified some of the alignment of text in the interface as the window changes size; we've corrected word-wrapping within the Users → Roles column; we've modified the behavior of some of the internal navigation buttons on the Issues Detail Screen when that screen is launched as child tab to the Issues Index Query page; New Issue control now works for Commerce Cloud; New Issue Scan option is available for Scheduled Scans

Notification Management 

We've introduced a new feature for Administrators that will allow them to disable notification messages for Scan Activity, Schedule Activity and Issue Detail updates on an environment wide basis. For teams that are making many changes to Issues via the API, this toggle can be used to spare your team members' email inbox from being flooded with messages.

We've also simplified and clarified the Disable Notification control for individuals. This control can be found by editing their Profile.

Notifications related to user access such as Forgot/Reset Password are never disabled and are exempt from this control.

OWASP Mappings

We have mapped all of our security rules to the OWASP Top 10. Users can now rely on these mappings to organize and prioritize their Issues. With this release, these mappings will only be available for new scans on newly created Workspaces. Existing Issue information generated from older scans will not include this information. New Scans on existing workspaces will not include the information. Our goal is to apply this data retroactively to older scan information in the coming weeks, but do not yet have a timeframe to share.

This is version v.19.3.15 - Release Date: 2024-02-20

February 2024 Patch 3

We've made a number of small changes.

  1. The Scheduler system has been revised to require a 2 day advance window to schedule scans. This is in place to make sure that future scans are properly queued.
  2. The Reset button that appears on the Issues Index Query Builder now works as expected to clear all query inputs and reset the page to the default query.
  3. The New Tab link for Issue Detail pages now loads properly. 
  4. Paging through issue detail pages that jump between pages of results (ie Issue 100 on page 1 and Issue 101 on page 2) now works as expected.
  5. The isNew finding count on Issue Index pages should now work properly.

This version is v.19.3.13 - Release Date: 2024-02-09

February 2024 Patch 2

We made some small changes to some of the query filter controls and the minor fixes to the scheduler system.

This version is 2023.19.3.11 - Release Date: 2024-02-07

February 2024 Patch

Resolving Known Issues

We have resolved a couple of known issues from some of our previous releases including a double refresh problem that prevented the display of Issue Detail screens; improving the performance of Query Filters with the New Issue control.

Issue Query Page

We have added a Query Reset button to the Issues Index page to provide more flexibility to end-users when results don't populate as expected.

Scheduler Change

We now initiate the creation of the scheduler queue at exactly midnight UTC (+00:00). This resolves an error where queued scans that might have gotten scheduled in the early morning but before our queue creation were not executing properly. Customers are advised to schedule their automated scans with a 24 hour cycle keyed to the UTC time in mind.

This version is 2023.19.3.7 - Release Date: 2024-02-06

January 2024 Patch

We launched a patch update that introduced a new feature and made some improvements to existing features.

  • New Findings Feature
    In Workspaces --> Advanced, please find a new setting that will allow users to specify that scans should return new findings only. This does not impact existing scan records, but will only show vulnerabilities that had not been identified previously. Please note there are some Known Issues with some of this feature.
    The New Findings toggle that now appears at the top of a scan's Findings Index reflects the setting at the time the scan was run. If the setting was enabled when the scan was initiated, the toggle will appear enabled when viewing the scan results.

  • Minor Fixes
    We've removed the Trash Can icon from the cards that appear on the Workspaces--> Reports tab. We've resolved issues where non-admins could not create workspaces. We've resolved an issue where vulnerability details pages did not display properly.

This version is 2023.19.3.5 - Release Date: 2024-01-30

 

Winter 2023 Update

We launched a minor update that includes several new features and improvements.

  • Scan Scheduler
    Admin Users can now schedule scans to be run in the future on a one-time or recurring basis. All scan settings can be set for specific scans separate from the Workspace defaults.
  • Vulnerability Findings Query Modification
    Display and export of results is now more intuitive and query results are persistent between the detail findings and the index review.
  • Multi-Factor Authentication
    Users can now choose between Email, SMS or Device-based multi-factor authentication
  • User Reports
    Admins can now pull exports of Authorized and Deleted Users
  • Workspace Dashboard
    Scan Index screen now displays more information about a scan at a glance. We have also added a query tool allowing users to search for specific scans by date, initiator, tag, or scan type.
  • GitHub Improvements
    We've provided some additional configuration options that can limit the type of Pull Requests that activate scans.
  • Minor Fixes
    We've added a password confirmation to the Reset Password sequence, added more data to our CSV export, improved performance across scalability and speed, and we've added Scan Title to the top of the Vulnerability Findings index.

This version is 2023.19.3.1 - Release Date: 2024-01-23

October 2023 Patch Update

We made a patch update to correct issues and improve performance.

  • We created more efficiencies in our code for users accessing vulnerability finding details from Saved URLs.
  • We resolved an issue where Security Gates were not working properly.
  • We have improved load management across our infrastructure to improve communication between component systems and to improve scan performance.

This is version 19.1.17 - Release Date: 2023-10-17

September 2023 Patch Update

We made a patch update to resolve a minor issue.

On the Dashboard for a Workspace, the two visualizations and the top-line severity counts were reflecting the total number of issues found rather than only showing counts of issues with an ACTIVE status. This has been fixed.

This is version 19.1.5 - Release Date: 2023-09-29

September 2023 Update

We made a minor update that included a couple of small feature releases.

  • Updated Reports
    We added a "Lite Report" option that displays PDF reports with minimal formatting to reduce file sizes and enhance the ability to share and email.
  • Updated API
    We have updated our API documentation to reflect a greater range of request methods to allow for greater functionality.
  • Log Viewer v1
    Under the Setup-->Logging Main Navigation it is now possible to view log data associated with an environment. You can use different criteria to review the activity for a particular scan or a Workspace.

This is version 19.1.3 - Release Date: 2023-09-27

Minor Update - August

We made a patch update to resolve a minor issue.

  • Email Notifications for 2 Factor Authentication were not being sent promptly. Small code change to accommodate better reliability.

This is version 19.0.89

Minor Update - July

We made a patch update to resolve a number of minor issues.

  • Resolved bug that would crash the user session when navigating between a newly opened tab to review a finding and the Findings Index screen in the previous tab.
  • Resolved an issue related to using Single Sign-On with Azure AD
  • Resolved an issue where scans would get stuck in pending status
  • Resolved an issue where HTML encoded characters needed for spacing were appearing in Vulnerability Stack Tracing
  • Resolved an issue with query parameters not working with screen pagination in Findings Detail screen
  • Resolved an issue with the "Quick Export" button not working
  • Resolved an issue with the formatting of long filenames and filepaths in printable report feature
  • Resolved an issue with Google Auth SSO

This is version 19.0.87

Spring 2023 Update 1

We've made a number of follow-on bug fixes, and both feature and performance enhancements. 

  • Improvements/Bug Fixes for GitHub Integration:
    We have been working to improve the experience using DigitSec to scan GitHub repositories. We have reduced the number of scans that we run on a repository to only the target branch. We've also improved the way issues are communicated to GitHub so that there is greater alignment between the findings presented in our system and the findings that are presented in the SARIF file. GitHub does have certain limitations to the number of issues they can accommodate and we have noted that in our documentation. Also, GitHub deems some vulnerabilities as duplicates thus causing a slight variance in the top-line number of vulnerabilities reported.

  • Algorithm Update:
    We have made some updates to our Algorithm that will improve recognition of certain bugs such as SOQL injection vulnerabilities.

  • User Permission Editing:
    We have resolved a bug that prevented certain users that had been assigned a particular permission from being edited.

  • Saved URLs:
    We have updated our system to properly handle authentication and redirection of inbound links. In some cases, Users relying on saved links were getting an error after authenticating.

  • Modifying Scan Settings on Multiple Workspaces:
    For users that utilized the Switch Workspace pull-down menu to quickly make changes to Scan Settings, there was a bug with the UI not properly reflecting new changes even though the system recorded them. This has been fixed.

  • Vulnerability Bookmark interfering with Working Issues Export:
    In our Summer 23 Release, we introduced a new feature that would visually highlight the previously viewed Vulnerability when moving from a Vulnerability Detail screen to a Vulnerability Index screen. This introduced an issue where there was not a way to "de-select" the highlighted vulnerability. This caused a further impact in that the "Working Issues Export" would now only include the highlighted vulnerability and not reflect the current page of the Active Working Query. We have temporarily rolled back this feature in this version to accommodate a more substantive resolution to this problem that will include new working exports reflecting an active query from the findings database.

  • Improved Formatting on View Report:
    We are making some minor changes to the View Report functionality to resolve some of the extraneous spacing between some of the report elements and to fix the way some of the long file paths do not wrap properly on the page. This is in advance of additional working this summer to deploy "lighter weight" reports and to allow for more customized reports.

This is version 19.0.81

Spring 2023

  • Improved User Interface
    We have updated the underlying front-end design framework from Bootstrap/Angular to use React. This component-based design is much more nimble and responsive. We are also integrating cards and tabs much more consistently across screens. You will also notice improved data visualizations for each Workspace.
  • Meta-Data for Scans
    We have improved the amount of data we are presenting to users on the Scan Statistics screen as well as on the data cards for each Scan. Users can now see at a glance which scan types were run and for management purposes, they can modify the title or assign tags to Scans.
  • Updated User Model
    We have upgraded our user management model to now allow admins to strictly control access on a per Workspace basis. The system includes two tiers of management: Environment and Workspace; there are also Admins, Managers, Users, and Read-Only roles that are pre-established. Admins can create custom roles by assigning Read or Read/Write permissions on any major object.

Spring 2022

  • Web Upload Zip File
    Running SAST and SCA scans on zipped code packages got a lot easier when we added the capability to upload a file via browser Drag and Drop or File Picker to the S4 site. This capability has always been a part of the S4 Command Line Interface utility, but we extended it to the web as well.
  • Common Weakness Enumeration
    Software Developers from across different backgrounds and experiences can now reference DigitSec S4 findings against a standard reference for the Software Development Lifecycle. Each vulnerability displays the CWE ID and the Findings Index page includes a pull-down menu for filtering results.
  • Commerce Cloud
    DigitSec expands the capabilities of S4 under a new licensing program that can target security vulnerabilities under Salesforce Commerce Cloud. Allowing public access to Salesforce CRM data can unleash amazing potential for business and organizations, but it can also expose massive vulnerabilities. Give your team the tools they need to confidently secure your Commerce Cloud environment.

Winter22

  • Single Sign On / Third Party Authentication
    Integrate S4 with your Single Sign On provider and streamline your S4 onboarding process to include all the users in your organization. They’ll no longer be required to login directly to S4.
    • OneLogin
    • OKTA
    • Azure Active Directory
    • Dynamic SAML
    • SAML Integrations
      Leveraging the power of Security Assertion Markup Language allows you to integrate S4 with some of the most popular SSO providers. You can also leverage other SSO providers that are SAML compatible.
    • Two Factor Authentication
      Increase the security of your accounts by adding 2 Factor Authentication to every S4 user account. Users will receive a random string via email that will be used to verify access.
    • Google OAuth
      If you signed up for S4 with your Google Account, you can leverage that identity to authorize your access to S4.
  • VS Code Plug-in
    DigitSec has developed a robust plug-in for VS Code. You can find it in the VS Code Extensions Library by clicking on the Extensions icon and using the Search Tool to find "DigitSec s4". Now, Developers can run S4 scans on single files or entire projects directly from the IDE immediately after clicking Save. Vulnerability finding reports now allow you to click and go directly to that line of code.
  • SARIF Support with GIT
    Connecting S4 to a GitHub repository now allows Developers to quickly run scans against their source and target branches simultaneously to speed the process of identifying new vulnerabilities and fixes. This is a very powerful tool that makes it easy to keep track of potential problems. Bring the S4 Vulnerability Findings Detail report directly into your source code repository to empower your entire team to resolve issues across source and feature branches.
  • Scan Type filtering on Finding Reports
    We are expanding the slice and dice capabilities of our findings detail pages for each scan, now allowing you to filter vulnerabilities by the type of scan that identifies the issue: Configuration Scans (CONFIG), Runtime/Interactive Scans (IAST), Code Composition  (SCA), Static Code Analysis (SAST) .
  • Expansion of Trial Account Functionality
    Our free trial accounts have always been a great way to get a sense of S4 and how easy it is to get started with scanning S4. Many potential customers have been amazed to see the dashboard results showing the number of vulnerabilities that have grouped by severity. In the past, we've limited access to vulnerability findings reports to potential customers that are willing to schedule a meeting with us. In an effort to be more efficient and build more momentum with customers earlier in the sales cycle, we've modified the trial to show one example finding from each severity type. Customers can now see a real world example of how S4 interacts with their own code and config to highlight critical problems.
  • Copado Essentials Integration
    In our Summer21 release, we added S4 integration with Copado. In this release, we expand on that integration by bringing S4 to the Copado Essentials Continuous Integration tool. You can access the S4 Scan results by jumping directly into S4.
  • Compliance Reporting Overlays
    DigitSec Vulnerability Reports now include features that allow you to prioritize or filter findings based upon certain compliance regimes like HIPAA, SOX, APPI, ISO-27001, GDPR, and  PCI-DSS.
  • UX/UI Improvements
    With every release we make minor bug fixes and improvements. In this release, we've added the ability to add custom fields and values to S4 Findings results and have improved the filter selection tools for reports to include custom fields as well as the scan types, error types, severity level, task assignments, and compliance priorities.

Summer21

  • CI/CD Pipeline Integration
    • Copado Integration
      Adding to our existing CI/CD tools, we’ve integrated with Copado, an industry
      leading DevOps Platform Manager. S4 can be called to scan your code during
      every build and test phase. You can manage Flow Parameters to set critical
      thresholds for gating your flows. Severity Summaries are entered into the
      Description of the Step Results with a link back to the S4 Dashboard Vulnerability
      Findings Report.
  • Code Repository / Version Control
    • Integrate S4 with one of these code repositories and you will be able to run SAST and SCA scans directly on your code, instead of pulling from Salesforce. This functionality gives developers more control over scanning their code prior to deployment. Developers can initiate these scans from the S4 Dashboard, using the S4 CLI in their favorite IDE, or as a trigger in their CI/CD pipeline. Comments can be added to your commit or pull request with the severity summary findings of the scan.
      • Bitbucket
      • GitHub
      • Gitlab
      • Azure DevOps
  • Salesforce OAuth Workflow for S4 Authorization
    • Connecting to S4 and Salesforce is now even easier! Instead of needing to generate a specific key on Salesforce and then pass that key over to S4, Salesforce Administrators can add a Salesforce Org to S4 by simply logging into Salesforce with their credentials and clicking a confirmation button.
  • Expanded User Access Controls
    • S4 Administrators now have a wider array of granular permissions that can be assigned to S4 users. Specific Users can be limited to scanning only certain Salesforce Orgs.
  • Expanded Scan Granularity on a per Org basis
    • Users now have more flexibility on being able to control which scans run on a per Org basis when they initiate the scan via the S4 Dashboard. For example, your sandbox org may only need SAST/SCA scans while your production org would have SAST/IAST/SCA/CONFIG. These changes will be effective for all users in your S4 account.
  • UX/UI Improvement
    • With every release we make minor bug fixes and improvements. In this release, we have made changes to the dashboard that improves the readability of the data visualizations. We’ve also improved the multi-select dropdown menus for easier de/selection of orgs included in the visualization. Also, you can now use our dashboard to schedule scans on a per org basis. Finally, page display and HTML redirects now provide a better UX experience.

Spring21

  • Jenkins Integration
    • Connect S4 to one of the popular CI/CD automation tools and have S4 run a scan on
      your code after kicking off a commit.
  • S4 CLI
    • Harness the power of the S4 Cloud by using this utility that integrates with your favorite
      Command Lite interface.
  • IDE Plugin Integration
    • Developers live in the Integrated Development Environments. They can now include S4 information directly into their source code and issue commands to run scans from local files directly from their IDE Terminal Command line.
      • IntelliJ
      • VS Code

Winter21

  • Jira Integration
    • S4 now allows you to synchronize your Vulnerability Findings Report with JIRA allowing
      you to manage the remediation of bugs inside your existing Software Development
      Lifecycle Management tools and processes.
  • Software Composition Analysis Scan 2.0
    • S4 integrates a new scan to the platform which analyzes bundled and remotelyreferenced code libraries to check whether they are appearing in Common Vulnerability
      and Exploit databases, giving you confidence in your software supply chain.
  • Improved UX/UI Elements
    • With every release we make minor bug fixes and improvements. In this release, we have
      integrated powerful data visualizations into the S4 dashboard that gives users a fulsome
      understanding of the distribution of potential attack vectors.