July 2024 Release Notes
Response to Polyfill.io Threat
Recent news has highlighted a malware threat from code that relies on the Content Delivery Network (CDN) polyfill.io. This patch update modifies our Software Composition Analysis (SCA), Config and Static Application Security Testing (SAST) scans to identify any code that relies on this CDN or on compromised polyfill.io code.
Protection against Polyfill.io
There is an active advisory from Salesforce, corroborated by numerous sources, that polyfill.io should not be considered safe. There are reports of malware being propagated through the library.
We are protecting our customers against the polyfill exploit as follows:
- Our SCA engine checks for all libraries that match the polyfill library type and functions; even an altered version of polyfill will be flagged if the same function signatures exist.
- While scanning Lightning Web Components (LWC) and Visualforce pages we look for any remote references to polyfill, either directly by referencing polyfill.io or indirectly through a CDN.
- When running a scan against a Salesforce environment, we check Content Security Policies (CSP) to ensure that polyfill.io is not being allowed.
- When running a scan against a Salesforce environment, we check Cross-Origin Resource Sharing (CORS) settings to ensure that polyfill.io is not enabled in the Salesforce environment.
- When checking Remote Sites, we check that Apex connections are not made to polyfill.io.
- Any third-party packages, whether downloaded from AppExchange or other sources, can be checked to see if they reference or use polyfill.
This is the most comprehensive approach to protecting our customers' Salesforce environments and users against this supply chain malware attack.
We are continuing to monitor this issue and will share any updates as needed.
Please feel free to reach out to us if you have any questions or concerns.
You can take advantage of this update by simply running a new scan on your connected Salesforce orgs or code repositories. Please ensure that Static Analysis, SCA, and Config are turned on in your settings. Any polyfill.io related issues will be flagged as Critical.
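The checks in the bullets above, as an added example that is not DigitSec's engine or code: a small Python scanner that flags references to polyfill.io in Visualforce, LWC/JavaScript, Apex and Salesforce CSP, CORS and Remote Site metadata, treating subdomains as hits and look-alike hosts as misses. The sample files are constructed, and the SFDX file suffixes and the CspTrustedSite/CorsWhitelistOrigin element names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hosts to treat as malicious. Only polyfill.io is named in the bullets above;
# extend this set with the hosts from the supplemental advisory or your own intel.
WATCHLIST = frozenset({"polyfill.io"})

# Any hostname-looking token. One pattern covers <script src="https://polyfill.io/...">,
# scheme-relative //cdn.polyfill.io/..., bare CSP sources and CORS patterns like *.polyfill.io.
_HOST_TOKEN = re.compile(r"(?<![\w-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)

# Assumption: standard SFDX file suffixes; each is mapped to the surface the bullets describe.
_SURFACES = (
    (".cspTrustedSite-meta.xml", "CSP Trusted Site"),
    (".corsWhitelistOrigin-meta.xml", "CORS allowed origin"),
    (".remoteSite-meta.xml", "Remote Site Setting"),
    (".page", "Visualforce page"),
    (".cls", "Apex class"),
)


@dataclass(frozen=True)
class Finding:
    path: str
    surface: str
    line: int
    host: str                    # host as written in the file (lower-cased)
    matched: str                 # watchlist entry it equals or sits under
    severity: str = "Critical"   # the release flags polyfill.io issues as Critical


def classify(path: str) -> str:
    """Name the Salesforce surface a file belongs to, from its path."""
    if "/lwc/" in path:
        return "Lightning Web Component"
    for suffix, name in _SURFACES:
        if path.endswith(suffix):
            return name
    return "Other"


def watchlisted(host: str, watchlist=WATCHLIST) -> Optional[str]:
    """Return the watchlist domain that `host` equals or is a subdomain of, else None.

    cdn.polyfill.io -> polyfill.io; notpolyfill.io and polyfill.io.example.com -> None.
    Plain substring matching would flag those look-alikes, so compare on label boundaries.
    """
    h = host.lower().rstrip(".")
    for bad in watchlist:
        if h == bad or h.endswith("." + bad):
            return bad
    return None


def scan_text(path: str, text: str, watchlist=WATCHLIST) -> list:
    """Scan one file line by line and return a Finding for each watchlisted host."""
    surface = classify(path)
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in _HOST_TOKEN.finditer(line):
            bad = watchlisted(m.group(1), watchlist)
            if bad:
                hits.append(Finding(path, surface, n, m.group(1).lower(), bad))
    return hits


def scan_files(files: dict, watchlist=WATCHLIST) -> list:
    """Scan a {path: text} mapping, e.g. an unpacked package or a retrieved org."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, watchlist))
    return findings


# Constructed sample inputs modelled on the surfaces in the bullets (not real customer code).
SAMPLE_FILES = {
    "force-app/main/default/pages/Checkout.page":
        '<apex:page>\n'
        '  <script src="https://polyfill.io/v3/polyfill.min.js?features=fetch"></script>\n'
        '</apex:page>\n',
    "force-app/main/default/lwc/widget/widget.js":
        "// scheme-relative include pulls from the same CDN\n"
        "const SRC = '//cdn.polyfill.io/v3/polyfill.min.js';\n",
    "force-app/main/default/cspTrustedSites/Polyfill.cspTrustedSite-meta.xml":
        '<CspTrustedSite xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        '  <endpointUrl>https://polyfill.io</endpointUrl>\n'
        '  <isActive>true</isActive>\n'
        '</CspTrustedSite>\n',
    "force-app/main/default/corsWhitelistOrigins/Polyfill.corsWhitelistOrigin-meta.xml":
        '<CorsWhitelistOrigin xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        '  <urlPattern>https://*.polyfill.io</urlPattern>\n'
        '</CorsWhitelistOrigin>\n',
    "force-app/main/default/classes/Safe.cls":
        "// look-alike hosts that must NOT be flagged\n"
        "String a = 'https://notpolyfill.io/';\n"
        "String b = 'https://polyfill.io.example.com/';\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity}: {f.surface} {f.path}:{f.line} references {f.host} ({f.matched})")
```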
This is version 2023.19.3.21m
Update: Supplemental Advisory
It has been observed that several other hosts are exhibiting similar malicious activities for hosted polyfills. These additional hosts include:
These hosts have been identified as malicious and are tagged within the DigitSec platform as critical vulnerabilities. Our team is also analyzing the behavior of files in the Salesforce environment during runtime testing.
June 2024 Release Notes
Bulk Issue Modification
Users that need to make the same modification to the User Assignment, Tags, Comments, or Status of many different Issues will now be able to do so quickly and easily without having to rely on the API. It will now be possible to select up to 100 (or just a few) of the Issues that appear on a Workspace's Issue Page and then apply the same modification to all of them at once.
This new feature also respects the expanded permission control over each one of those Issue inputs (Status, Assignment, Tags, Comments) as well as the Required Comment control that have been introduced in recent patches.
Furthermore, for teams that want to make these changes via the API, we've created a new endpoint that will be able to handle 10,000 record modifications in a single request. Contact your Customer Success representative to get early access to the documentation updates.
Code Snippet Contextualization
One of the ways that our scanning engine is built to be fast and efficient relies upon the way we identify findings across workspaces and scans. In this release, we've made a critical update so that the line numbers of existing findings are updated to reflect the most recent scan results. Previously, once the issue had been identified we did not update the line numbers within the function call tree as long as that tree remained the same.
Salesforce Connection Authorization
We have added a new method for connecting your DigitSec environment to Salesforce. You can now set up a Connected App in Salesforce and connect to a DigitSec workspace by providing the Custom URL and the Connected App Client ID.
Minor Fixes and Resolution of Known Issues
This release sees the resolution of a number of Known Issues and a large number of minor fixes.
- Resolved: New Issue Feature only works with Workspace Setting Feature
- Resolved: Workspace Assignments for New Team Members Not Saving Properly
- Resolved: Commerce Cloud Workspaces do not have isNew control
- Resolved: Export from Scan Issues Page using isNew filter
- Added a Reset Password button to User Profile screen
- Fixed an issue where page would blank when using certain query filters
- Updated CRUD Rule remediation guidance to fix a typo and show WITH_USER_MODE
- Fixed a Permission issue related to downloading a CSV report
- Fixed a Permission issue related to Workspace Managers not being able to add comments
- Fixed a display issue to accurately reflect workspace assignments for Admin level users
- Added a new control for Security Gates and scan settings to make it more clear when a Workspace is governed by local or environmental settings.
- Resolved an issue where our rules related to Profile Security were evaluating inactive profiles
This is version 19.3.21 - Release Date: 2024-06-04
March 2024 Patch 2
Bulk File Ignore
Expanding the functionality of our Ignore Rule, users can now simply upload a file that contains many filename entries for files they wish to exclude from their scans.
Improved Environment-Workspace Settings Management
We have improved the user interface associated with managing the Scan Settings and Security Gate Settings at the Environment and Workspace levels. Administrators should have their default settings active at the Environment level. Workspace Managers have always been able to override these settings, but now they have the control to also revert back to the Environment Settings. In the case of Security Gates, Workspace Managers can also toggle the Security Gates off and on, while preserving the values they had previously entered.
We think this will make it much clearer to every team which settings are active within a Workspace.
Updated Security Rules
We've updated our security rules to include support for WITH_USER_MODE for code that might have potential CRUD Issues. This change should allow more up-to-date code to pass without being flagged as a potential Issue.
Minor Bugs and Fixes, Disabled API Endpoint
This release contains a number of small bug fixes and changes that may not have a direct impact on user experience. Most notably, we have removed a legacy endpoint from our API:
/dashboard/trendingscans
If you attempt to access this endpoint, you will now receive an error.
This is version 19.3.19 - Release Date: 2024-03-27
March 2024 Patch 1
Enhanced Permission Granularity on Issue Data
For Teams that require more robust control over which team members can make modifications to Issue Data, we have now put READ/WRITE controls on Issue Comments, Issue Status, Issue Severity, Issue Tags, and Issue User Assignment. (WRITE permissions are inclusive of READ permissions).
When a Custom Role is created and the Issue object permission is set to WRITE, these five Child Permissions are displayed and can each be set as either READ or WRITE. When the Issue object permission is set to READ, all of these child permissions are also set to READ.
Edit Custom Roles
We have added the capability to edit and delete established Custom Roles and to browse existing Custom Roles in a new tab underneath the Configure Main Navigation.
Required Comments
On an environment-wide basis, we have added a new capability to require a comment when a user makes a change to an Issue Status. To use this feature, open the Configure Main Navigation and, under the Advanced Tab, activate the switch for Required Comments.
When this feature is active, a user modifying the Status on the Issue Detail screen will be prompted to enter a comment. If they cancel the modal dialog, the status change will be discarded. If they submit the comment, the comment and status change will be captured to the Issue Detail history.
Updated VS Code Extension
We have updated our VS Code Extension (v2.1.1) to now rely on a User's API Key found under Workspace → Integrations rather than authenticating with User Name and Password. We believe this is ultimately more convenient to users and follows best practice.
This is version v.19.3.17 - Release Date: 2024-03-18
February 2024 Patch 4
Minor Fixes
We've made a number of small fixes and changes in this release to resolve some issues. In particular:
- We've modified some of the alignment of text in the interface as the window changes size.
- We've corrected word-wrapping within the Users → Roles column.
- We've modified the behavior of some of the internal navigation buttons on the Issues Detail Screen when that screen is launched as a child tab from the Issues Index Query page.
- The New Issue control now works for Commerce Cloud.
- The New Issue Scan option is now available for Scheduled Scans.
Notification Management
We've introduced a new feature for Administrators that will allow them to disable notification messages for Scan Activity, Schedule Activity and Issue Detail updates on an environment-wide basis. For teams that are making many changes to Issues via the API, this toggle can be used to spare your team members' email inboxes from being flooded with messages.
We've also simplified and clarified the Disable Notification control for individuals. This control can be found by editing their Profile.
Notifications related to user access such as Forgot/Reset Password are never disabled and are exempt from this control.
OWASP Mappings
We have mapped all of our security rules to the OWASP Top 10. Users can now rely on these mappings to organize and prioritize their Issues. With this release, these mappings will only be available for new scans on newly created Workspaces. Existing Issue information generated from older scans will not include this information, and new Scans on existing workspaces will not include it either. Our goal is to apply this data retroactively to older scan information in the coming weeks, but we do not yet have a timeframe to share.
This is version v.19.3.15 - Release Date: 2024-02-20
February 2024 Patch 3
We've made a number of small changes.
- The Scheduler system has been revised to require a 2-day advance window to schedule scans. This is in place to make sure that future scans are properly queued.
- The Reset button that appears on the Issues Index Query Builder now works as expected to clear all query inputs and reset the page to the default query.
- The New Tab link for Issue Detail pages now loads properly.
- Paging through issue detail pages that jump between pages of results (i.e. Issue 100 on page 1 and Issue 101 on page 2) now works as expected.
- The isNew finding count on Issue Index pages should now work properly.
This version is v.19.3.13 - Release Date: 2024-02-09
February 2024 Patch 2
We made some small changes to some of the query filter controls and made minor fixes to the scheduler system.
This version is 2023.19.3.11 - Release Date: 2024-02-07
February 2024 Patch
Resolving Known Issues
We have resolved a couple of known issues from some of our previous releases, including a double-refresh problem that prevented the display of Issue Detail screens, and we have improved the performance of Query Filters with the New Issue control.
Issue Query Page
We have added a Query Reset button to the Issues Index page to provide more flexibility to end-users when results don't populate as expected.
Scheduler Change
We now initiate the creation of the scheduler queue at exactly midnight UTC (+00:00). This resolves an error where scans that had been scheduled for the early morning, but before our queue was created, were not executing properly. Customers are advised to schedule their automated scans on a 24-hour cycle with UTC time in mind.
This version is 2023.19.3.7 - Release Date: 2024-02-06
January 2024 Patch
We launched a patch update that introduced a new feature and made some improvements to existing features.
- New Findings Feature
In Workspaces --> Advanced, please find a new setting that will allow users to specify that scans should return new findings only. This does not impact existing scan records, but will only show vulnerabilities that had not been identified previously. Please note that there are some Known Issues with parts of this feature.
The New Findings toggle that now appears at the top of a scan's Findings Index reflects the setting at the time the scan was run. If the setting was enabled when the scan was initiated, the toggle will appear enabled when viewing the scan results.
- Minor Fixes
We've removed the Trash Can icon from the cards that appear on the Workspaces--> Reports tab. We've resolved issues where non-admins could not create workspaces. We've resolved an issue where vulnerability details pages did not display properly.
This version is 2023.19.3.5 - Release Date: 2024-01-30
Winter 2023 Update
We launched a minor update that includes several new features and improvements.
- Scan Scheduler
Admin Users can now schedule scans to be run in the future on a one-time or recurring basis. All scan settings can be set for specific scans separate from the Workspace defaults.
- Vulnerability Findings Query Modification
Display and export of results is now more intuitive, and query results are persistent between the detail findings and the index review.
- Multi-Factor Authentication
Users can now choose between Email, SMS or Device-based multi-factor authentication.
- User Reports
Admins can now pull exports of Authorized and Deleted Users.
- Workspace Dashboard
The Scan Index screen now displays more information about a scan at a glance. We have also added a query tool allowing users to search for specific scans by date, initiator, tag, or scan type.
- GitHub Improvements
We've provided some additional configuration options that can limit the type of Pull Requests that activate scans.
- Minor Fixes
We've added a password confirmation to the Reset Password sequence, added more data to our CSV export, improved performance across scalability and speed, and added Scan Title to the top of the Vulnerability Findings index.
This version is 2023.19.3.1 - Release Date: 2024-01-23
October 2023 Patch Update
We made a patch update to correct issues and improve performance.
- We created more efficiencies in our code for users accessing vulnerability finding details from Saved URLs.
- We resolved an issue where Security Gates were not working properly.
- We have improved load management across our infrastructure to improve communication between component systems and to improve scan performance.
This is version 19.1.17 - Release Date: 2023-10-17
September 2023 Patch Update
We made a patch update to resolve a minor issue.
On the Dashboard for a Workspace, the two visualizations and the top-line severity counts were reflecting the total number of issues found rather than only showing counts of issues with an ACTIVE status. This has been fixed.
This is version 19.1.5 - Release Date: 2023-09-29
September 2023 Update
We made a minor update that included a couple of small feature releases.
- Updated Reports
We added a "Lite Report" option that displays PDF reports with minimal formatting to reduce file sizes and enhance the ability to share and email.
- Updated API
We have updated our API documentation to reflect a greater range of request methods to allow for greater functionality.
- Log Viewer v1
Under the Setup-->Logging Main Navigation it is now possible to view log data associated with an environment. You can use different criteria to review the activity for a particular scan or a Workspace.
This is version 19.1.3 - Release Date: 2023-09-27
Minor Update - August
We made a patch update to resolve a minor issue.
- Email Notifications for 2 Factor Authentication were not being sent promptly. A small code change was made to improve reliability.
This is version 19.0.89
Minor Update - July
We made a patch update to resolve a number of minor issues.
- Resolved bug that would crash the user session when navigating between a newly opened tab to review a finding and the Findings Index screen in the previous tab.
- Resolved an issue related to using Single Sign-On with Azure AD
- Resolved an issue where scans would get stuck in pending status
- Resolved an issue where HTML encoded characters needed for spacing were appearing in Vulnerability Stack Tracing
- Resolved an issue with query parameters not working with screen pagination in Findings Detail screen
- Resolved an issue with the "Quick Export" button not working
- Resolved an issue with the formatting of long filenames and filepaths in printable report feature
- Resolved an issue with Google Auth SSO
This is version 19.0.87
Spring 2023 Update 1
We've made a number of follow-on bug fixes, and both feature and performance enhancements.
- Improvements/Bug Fixes for GitHub Integration
We have been working to improve the experience of using DigitSec to scan GitHub repositories. We have reduced the number of scans that we run on a repository to only the target branch. We've also improved the way issues are communicated to GitHub so that there is greater alignment between the findings presented in our system and the findings that are presented in the SARIF file. GitHub does have certain limitations on the number of issues it can accommodate, and we have noted that in our documentation. Also, GitHub deems some vulnerabilities as duplicates, thus causing a slight variance in the top-line number of vulnerabilities reported.
- Algorithm Update
We have made some updates to our Algorithm that will improve recognition of certain bugs such as SOQL injection vulnerabilities.
- User Permission Editing
We have resolved a bug that prevented certain users that had been assigned a particular permission from being edited.
- Saved URLs
We have updated our system to properly handle authentication and redirection of inbound links. In some cases, Users relying on saved links were getting an error after authenticating.
- Modifying Scan Settings on Multiple Workspaces
For users that utilized the Switch Workspace pull-down menu to quickly make changes to Scan Settings, there was a bug where the UI did not properly reflect new changes even though the system recorded them. This has been fixed.
- Vulnerability Bookmark interfering with Working Issues Export
In our Summer 23 Release, we introduced a new feature that would visually highlight the previously viewed Vulnerability when moving from a Vulnerability Detail screen to a Vulnerability Index screen. This introduced an issue where there was not a way to "de-select" the highlighted vulnerability. This caused a further impact in that the "Working Issues Export" would now only include the highlighted vulnerability and not reflect the current page of the Active Working Query. We have temporarily rolled back this feature in this version to accommodate a more substantive resolution to this problem that will include new working exports reflecting an active query from the findings database.
- Improved Formatting on View Report
We are making some minor changes to the View Report functionality to resolve some of the extraneous spacing between some of the report elements and to fix the way some of the long file paths do not wrap properly on the page. This is in advance of additional work this summer to deploy "lighter weight" reports and to allow for more customized reports.
This is version 19.0.81
Spring 2023
- Improved User Interface
We have updated the underlying front-end design framework from Bootstrap/Angular to use React. This component-based design is much more nimble and responsive. We are also integrating cards and tabs much more consistently across screens. You will also notice improved data visualizations for each Workspace.
- Meta-Data for Scans
We have improved the amount of data we are presenting to users on the Scan Statistics screen as well as on the data cards for each Scan. Users can now see at a glance which scan types were run and, for management purposes, they can modify the title or assign tags to Scans.
- Updated User Model
We have upgraded our user management model to now allow admins to strictly control access on a per-Workspace basis. The system includes two tiers of management: Environment and Workspace; there are also Admins, Managers, Users, and Read-Only roles that are pre-established. Admins can create custom roles by assigning Read or Read/Write permissions on any major object.
Spring 2022
- Web Upload Zip File
Running SAST and SCA scans on zipped code packages got a lot easier when we added the capability to upload a file via browser Drag and Drop or File Picker to the S4 site. This capability has always been a part of the S4 Command Line Interface utility, but we extended it to the web as well.
- Common Weakness Enumeration
Software Developers from across different backgrounds and experiences can now reference DigitSec S4 findings against a standard reference for the Software Development Lifecycle. Each vulnerability displays the CWE ID and the Findings Index page includes a pull-down menu for filtering results.
- Commerce Cloud
DigitSec expands the capabilities of S4 under a new licensing program that can target security vulnerabilities under Salesforce Commerce Cloud. Allowing public access to Salesforce CRM data can unleash amazing potential for business and organizations, but it can also expose massive vulnerabilities. Give your team the tools they need to confidently secure your Commerce Cloud environment.
Winter22
- Single Sign On / Third Party Authentication
Integrate S4 with your Single Sign On provider and streamline your S4 onboarding process to include all the users in your organization. They’ll no longer be required to log in directly to S4.
  - OneLogin
  - OKTA
  - Azure Active Directory
  - Dynamic SAML
- SAML Integrations
Leveraging the power of Security Assertion Markup Language allows you to integrate S4 with some of the most popular SSO providers. You can also leverage other SSO providers that are SAML compatible.
- Two Factor Authentication
Increase the security of your accounts by adding 2 Factor Authentication to every S4 user account. Users will receive a random string via email that will be used to verify access.
- Google OAuth
If you signed up for S4 with your Google Account, you can leverage that identity to authorize your access to S4.
- VS Code Plug-in
DigitSec has developed a robust plug-in for VS Code. You can find it in the VS Code Extensions Library by clicking on the Extensions icon and using the Search Tool to find "DigitSec s4". Now, Developers can run S4 scans on single files or entire projects directly from the IDE immediately after clicking Save. Vulnerability finding reports now allow you to click and go directly to that line of code.
- SARIF Support with GIT
Connecting S4 to a GitHub repository now allows Developers to quickly run scans against their source and target branches simultaneously to speed the process of identifying new vulnerabilities and fixes. This is a very powerful tool that makes it easy to keep track of potential problems. Bring the S4 Vulnerability Findings Detail report directly into your source code repository to empower your entire team to resolve issues across source and feature branches.
- Scan Type filtering on Finding Reports
We are expanding the slice-and-dice capabilities of our findings detail pages for each scan, now allowing you to filter vulnerabilities by the type of scan that identifies the issue: Configuration Scans (CONFIG), Runtime/Interactive Scans (IAST), Code Composition (SCA), Static Code Analysis (SAST).
- Expansion of Trial Account Functionality
Our free trial accounts have always been a great way to get a sense of S4 and how easy it is to get started with scanning in S4. Many potential customers have been amazed to see the dashboard results showing the number of vulnerabilities that have been grouped by severity. In the past, we've limited access to vulnerability findings reports to potential customers that are willing to schedule a meeting with us. In an effort to be more efficient and build more momentum with customers earlier in the sales cycle, we've modified the trial to show one example finding from each severity type. Customers can now see a real-world example of how S4 interacts with their own code and config to highlight critical problems.
- Copado Essentials Integration
In our Summer21 release, we added S4 integration with Copado. In this release, we expand on that integration by bringing S4 to the Copado Essentials Continuous Integration tool. You can access the S4 Scan results by jumping directly into S4.
- Compliance Reporting Overlays
DigitSec Vulnerability Reports now include features that allow you to prioritize or filter findings based upon certain compliance regimes like HIPAA, SOX, APPI, ISO-27001, GDPR, and PCI-DSS.
- UX/UI Improvements
With every release we make minor bug fixes and improvements. In this release, we've added the ability to add custom fields and values to S4 Findings results and have improved the filter selection tools for reports to include custom fields as well as the scan types, error types, severity level, task assignments, and compliance priorities.
Summer21
- CI/CD Pipeline Integration
Adding to our existing CI/CD tools, we’ve integrated with Copado, an industry-leading DevOps Platform Manager. S4 can be called to scan your code during every build and test phase. You can manage Flow Parameters to set critical thresholds for gating your flows. Severity Summaries are entered into the Description of the Step Results with a link back to the S4 Dashboard Vulnerability Findings Report.
  - Copado Integration
- Code Repository / Version Control
Integrate S4 with one of these code repositories and you will be able to run SAST and SCA scans directly on your code, instead of pulling from Salesforce. This functionality gives developers more control over scanning their code prior to deployment. Developers can initiate these scans from the S4 Dashboard, using the S4 CLI in their favorite IDE, or as a trigger in their CI/CD pipeline. Comments can be added to your commit or pull request with the severity summary findings of the scan.
  - Bitbucket
  - GitHub
  - Gitlab
  - Azure DevOps
- Salesforce OAuth Workflow for S4 Authorization
Connecting to S4 and Salesforce is now even easier! Instead of needing to generate a specific key on Salesforce and then pass that key over to S4, Salesforce Administrators can add a Salesforce Org to S4 by simply logging into Salesforce with their credentials and clicking a confirmation button.
- Expanded User Access Controls
S4 Administrators now have a wider array of granular permissions that can be assigned to S4 users. Specific Users can be limited to scanning only certain Salesforce Orgs.
- Expanded Scan Granularity on a per Org basis
Users now have more flexibility in controlling which scans run on a per-Org basis when they initiate the scan via the S4 Dashboard. For example, your sandbox org may only need SAST/SCA scans while your production org would have SAST/IAST/SCA/CONFIG. These changes will be effective for all users in your S4 account.
- UX/UI Improvement
With every release we make minor bug fixes and improvements. In this release, we have made changes to the dashboard that improve the readability of the data visualizations. We’ve also improved the multi-select dropdown menus for easier selection and de-selection of orgs included in the visualization. Also, you can now use our dashboard to schedule scans on a per-org basis. Finally, page display and HTML redirects now provide a better user experience.
Spring21
- Jenkins Integration
Connect S4 to one of the popular CI/CD automation tools and have S4 run a scan on your code after kicking off a commit.
- S4 CLI
Harness the power of the S4 Cloud by using this utility that integrates with your favorite Command Line interface.
- IDE Plugin Integration
Developers live in their Integrated Development Environments. They can now include S4 information directly in their source code and issue commands to run scans on local files directly from their IDE Terminal Command line.
  - IntelliJ
  - VS Code
Winter21
- Jira Integration
S4 now allows you to synchronize your Vulnerability Findings Report with JIRA, allowing you to manage the remediation of bugs inside your existing Software Development Lifecycle Management tools and processes.
- Software Composition Analysis Scan 2.0
S4 integrates a new scan into the platform which analyzes bundled and remotely-referenced code libraries to check whether they are appearing in Common Vulnerability and Exploit databases, giving you confidence in your software supply chain.
- Improved UX/UI Elements
With every release we make minor bug fixes and improvements. In this release, we have integrated powerful data visualizations into the S4 dashboard that give users a fulsome understanding of the distribution of potential attack vectors.