We’ve got a present for you this week. This is the biggest release of SourceClear since we launched, and we can’t wait for you to dive in. Thanks to everyone whose ideas and feedback have helped shape this release, and a special thank you to all of our beta testers who have shown us how crucial SourceClear is in helping teams build secure software.
If you’re not using SourceClear yet, today is a great day to sign up. Here is a rundown of all the new features being released today:
One of the first things people notice when they use SourceClear is that they’re using many more libraries than they thought. Node applications have 350+ dependencies on average and it may not be obvious how a particular library found its way into your project.
To help you see what dependencies exist for a project or library, we’ve introduced the Dependency Visualizer. You can see how all dependencies are pulled in and navigate the tree to identify vulnerabilities, upgradability and licensing issues.
In addition to the vulnerabilities, out-of-date-libraries, and license reports, we have added an “Issues” consolidated view to help you triage issues that are discovered by SourceClear scans. For every issue that appears in this report you’ll be able to open an issue to track remediation with JIRA or GitHub issues. You can also suppress issues that don’t need any action. When an issue is suppressed, it will not return to the issues tab unless new information is discovered.
We have enabled scanning of the sub “Projects” within a single repository. These are denoted as subpaths of the repo in the new Projects views. By default, a single repository is identified as a single Project.
Selecting which Projects to focus on can be a challenge. We’ve replaced filtering with the ability to star your favorite projects. If you’ve used filters before, all your existing filters are still available to you.
Users can now delete Projects and all scan data will be removed from the system.
SourceClear provides specific instructions on how to upgrade a library when a fix is available. This fix info is available on its own URL so it is easier to share with your team.
You can view all project specific issues on a single page:
Sometimes you’ll want to check the results from a specific scan, not just the latest results. We’ve got links to all previous scans by project now:
We now calculate a Change Index score that identifies the amount of change between different versions of a Java library. This score can be used as a factor in deciding if you want to upgrade to the latest version of a library.
When new Issues are discovered, like out-of-date libraries or new vulnerabilities, you can now opt to receive a notification by email.
You can also enable a weekly summary email that includes all new releases and vulnerabilities that are relevant to your projects.
This new and much anticipated feature lets SourceClear Pro customers export any report to CSV. Now, in addition to exporting report data as JSON using the command-line agent, you can hit that “Export to CSV” button to download a report as a spreadsheet.
In addition to Maven and Gradle, the latest SourceClear agent and CI integrations now support scanning projects built with Apache Ant. Projects using Apache Ivy for dependency management are not yet supported.
The ability to fail builds based on SourceClear’s vulnerability scan results is now supported by configuring a srcclr.json file to control when the agent returns a non-zero exit code after a successful scan. Check out our docs for more details on exit codes and how to use them.
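As an added illustration of the build-gating idea (this is example code, not SourceClear’s agent or its srcclr.json format), the script below applies a policy to a scan report and turns it into an exit code a CI job can act on. The report layout, the field names (`cvss`, `fixAvailable`, `suppressed`) and the sample findings are all constructed for this example; the real JSON export from the agent has its own schema. The policy honours suppressed issues, mirroring the Issues view above, so a suppressed finding never fails the build on its own.

```python
import json
import sys

# Constructed sample report in a hypothetical schema. It is NOT the layout
# of SourceClear's JSON export; it only exists to exercise the gate below.
SAMPLE_REPORT = json.dumps({
    "project": "example-service",
    "vulnerabilities": [
        {"library": "lodash", "version": "4.17.4", "cvss": 7.5,
         "fixAvailable": True, "suppressed": False},
        {"library": "debug", "version": "2.6.8", "cvss": 5.3,
         "fixAvailable": True, "suppressed": False},
        {"library": "left-pad", "version": "1.1.3", "cvss": 9.1,
         "fixAvailable": False, "suppressed": True},
    ],
})

# Hypothetical gating policy, modelled loosely on the idea of a per-project
# config file. Keys are invented for this example.
DEFAULT_POLICY = {
    "cvssThreshold": 7.0,     # fail on findings at or above this score
    "requireFixAvailable": False,  # if True, only fail when an upgrade exists
}


def failing_findings(report_text, policy=None):
    """Return the findings that violate the policy, skipping suppressed ones."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    report = json.loads(report_text)
    failing = []
    for finding in report.get("vulnerabilities", []):
        if finding.get("suppressed"):
            continue  # triaged already; do not break the build on it
        if finding.get("cvss", 0.0) < policy["cvssThreshold"]:
            continue
        if policy["requireFixAvailable"] and not finding.get("fixAvailable"):
            continue
        failing.append(finding)
    return failing


def gate_exit_code(report_text, policy=None):
    """1 when at least one finding violates the policy, else 0."""
    return 1 if failing_findings(report_text, policy) else 0


def describe(findings):
    """Human-readable lines for the CI log."""
    return [
        f"{f['library']}@{f['version']} CVSS {f['cvss']} "
        f"(fix available: {f['fixAvailable']})"
        for f in findings
    ]


if __name__ == "__main__":
    # Read a report from a file path given on the command line, or use the
    # constructed sample when run without arguments.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    bad = failing_findings(text)
    for line in describe(bad):
        print("FAIL:", line)
    sys.exit(gate_exit_code(text))
```

In a CI job the script's exit status is what matters: a non-zero status stops the pipeline, which is the same contract the agent's own exit codes give you. Tightening `cvssThreshold` or setting `requireFixAvailable` lets a team decide whether unfixable findings should block a merge or only be reported.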
Whew, that’s a lot of goodies! Get a free 14-day trial of SourceClear Pro today to test all these features out yourself. Drop us a line if you have any questions or feedback. Here’s to shipping fast, safely.