What’s new in Eficode ROOT in April 2022?

Keeping Dependencies Up-to-date with Dependabot Public Beta

The web software of today is built on top of bits and pieces from all over. Libraries, functions, and features, all from multiple different third-party supplied packages. The dependencies of the software you’re building

Keeping the dependencies up-to-date is as important as maintaining your own code. Oftentimes humans do not find these chores all too appealing. Which, of course, is why we’ve come up with all sorts of machines to do the things we want to avoid ourselves.

As a result, GitHub Enterprise 3.4 ships with a beta version of Dependabot. It can provide automated dependency updates for .NET, Go, Elixir, Elm, Java, JavaScript, PHP, Python, Ruby and Rust. It can also update git submodules, Docker and Terraform files. A machine that updates your dependencies for you!

Dependabot runs on GitHub Actions and requires a pool of self-hosted runners configured for it. Check out the Dependabot instructions on github.com for details or reach out to your friendly ROOT support for setting it up for you. 

GitHub Advanced Security Enhancements

This release also delivers enhancements for the Advanced Security features.

There’s a new REST API endpoint, which can be used to retrieve commit details of secrets detected in private repository scans. This endpoint returns details of a secret’s first detection in a file, including the location and commit SHA of the detected secret. Secret scanning documentation at github.com has more intel on the REST API in question.

It is also possible for enterprise and organization owners to export their GitHub Advanced Security license usage data to a CSV file. This data can be used to analyze the usage of Advanced Security features – which users are consuming a license seat, how license usage is distributed across organizations, and so forth. Check out the github.blog entry for more details on this one. 

And there’s more

You can now reuse entire workflows in GitHub Actions. Instead of copying and pasting from one workflow to another, you can now set workflows reusable. Anyone with access to the reusable workflow can now call it from another workflow with a single line of configuration. This allows you to avoid duplicating workflow code, when you have to perform similar tasks in multiple workflows. Refer to Reusing workflows at github.com for instructions on how to set it up.

A new “Manage Access” section has been added to the “Collaborators and teams” page in your repository settings. This allows repository administrators to easily see and manage who has access to their repository and which level of access is granted to each user.

There are also improvements to Releases UI, such as auto-generated release notes which display a summary of all PRs related to the release.

Actions has an updated UI for managing runner groups and viewing the status of your self-hosted runners. New Runners and Runner groups management pages provide a summary view of your runners and the possibility to edit a specific runner or see what job it is currently executing.And the story continues on the GitHub Enterprise Server 3.4 Release Notes at github.com. Do check it out for full disclosure.

Group Access Tokens

This release of GitLab will ship with management UI and API for Group Access Tokens. With a Group Access Token, you can use a single token to perform actions for groups, manage projects within the group. You can also use the token to authenticate to GitLab API and to Git over HTTPS.

Group access tokens are similar to project access tokens and personal access tokens, except they are associated with a group rather than a project or user. Check out the Group access tokens at GitLab.com for more details on using this feature.

Streaming audit events

GitLab will now allow owners of top-level groups to configure a HTTP endpoint for receiving all audit events regarding the group, its subgroups and projects. This can be very useful in supporting SIEM processes in your organization, allowing you to use a separate tool for analyzing and monitoring audit events from GitLab and maintaining a backup copy of all the auditing data.

More information and configuration instructions can be found on Audit event streaming documentation at gitlab.com. 

Users Can Recover Projects Pending Deletion

Starting with GitLab 14.9, the Pending deletion tab for projects is now available to all users, not only Administrators. Project and group owners can view and recover projects that are pending deletion but have not yet been permanently removed from the disk. This allows users to revert accidental deletion of their own projects without having to contact GitLab Administrators.

Project pending deletion can be found by navigating to Menu > Projects > Pending deletion.

Integrated Security Training

GitLab provides a suite of security scanning tools with extensive coverage on all sorts of security aspects, including SAST, DAST, IaC, dependencies, secrets and many many more. GitLab security scanners will provide developers with recommended solutions to an identified problem whenever they are available. However, this is not possible for all findings.

The new integrated security training in GitLab can help in resolving these vulnerability issues. GitLab can provide context-aware security training options from Kontra and Secure Code Warrior. By simply enabling the feature in your project, you’ll receive direct links to security training that most closely matches a particular security issue you’re working on.

And much more

With nearly 100 improvements in total, our highlights here are just the tip of the iceberg. All details for this version bump can be found in the official GitLab Release publications for version 14.7, version 14.8 and version 14.9, all on GitLab.com.

Updates to User Interface

The User Interface modernization effort continues with a new table design, updated CSS, and improvements to the visualization and usability of various functions, such as the ‘Environment Variables’ page in Jenkins project view.

Typical Multibranch Pipeline UI with Jenkins 2.332.1 LTS modernizations

Major Upgrade for the Guava Library

There’s also a major update for the internal Guava library (JEP-233). Guava is a set of core Java libraries from Google, that includes various new collection types, utilities and such like. Jenkins Core and many plugins depend on these libraries in their implementation.

Up to this point Jenkins has been using a now decade-old version 11.0.1 (released January 9th 2012). Updating to a newer version 31.0.1 has required changes not only in Jenkins Core, but also in various plugin implementations. Plugins shipped via the official Jenkins plugin “store” have been updated to reflect the changes, but this might cause issues with other 3rd party proprietary or self-managed custom plugins. You may want to check out the Guava Upgrade blog post at jenkins.io if you’ve built your own Jenkins plugins. 

Reduced Ambiguity Leads to Increased Security

In our April release, we’ll be bumping the Matrix Authorization Strategy plugin to the new 3.x release. This is the plugin that implements the user and group-based permission management scheme in your Jenkins Folder or Project configuration.

Previously the permissions assigned with Matrix Authorization Strategy were ambiguous, meaning that a name specified in the permission entry did not distinguish between user names and group names. Thus a permission assigned to “exampleUser” would apply to, not only a user by the name of “exampleUser”, but also to anyone in a group named “exampleUser”.

Matrix Authorization Strategy configuration UI with a warning about ambiguous entries

All permissions configured with the new version of the plugin will automatically be unambiguous. For UI based configuration, there will be a warning regarding whenever older ambiguous entries are detected in configuration.

Other changes in Jenkins

As always, there’s also the usual monthly treatment stuff for both Jenkins Core and plugin ecosystem alike; bug fixes, minor feature enhancements and other improvements.

Check out the Jenkins LTS changelog at jenkins.io for the full list of changes in Jenkins Core. Please reach out to your friendly ROOT support team if you have any questions regarding the plugin updates specific to your ROOT Jenkins instance.

Artifactory Receives an Update to Version 7.35.2

The Artifactory release this month is more of a maintenance release with focus on bugs and other such issues. There are some enhancements, such as the improved AQL Query Performance as a result of internal optimizations, but nothing all that drastic.

You can refer to the Artifactory Release Notes at jfrog.com for complete details on this release. 

Highlights of the Xray 3.45.1

A Fix for NPM Audit

This release of Xray will provide a remedy for the annoying npm audit failure, which was caused by a breaking change in the NPM registry itself.

Exclude Violations with No Available Fixed Version

This version of Xray introduces a new capability in Xray Policies, which allows you to configure a policy rule to not generate violations for security issues that don’t contain a fixed version. If and when a fixed version becomes available, a violation will be generated as usual. Check out Triggering Violations Using Policy Rules at jfrog.com for more details on this one.

Path to a vulnerable component

The best kind of a search is one you don’t have to make at all; Xray will now display the physical path (or location) of a vulnerable component within an artifact, saving you the trouble. Ah, how convenient.

And naturally there are other enhancements and fixes too, all of which you can find via the Xray Release Notes at jfrog.com. 

Nexus IQ Release 135

Our April release of Nexus IQ improves on SBOM functionality, with CycloneDX features extended to support CycloneDX schema version 1.4 for XML and JSON formats. Also, CycloneDX SBOM file scans with dependency-graph data will now display direct and transitive dependencies for BOM components. Check the CycloneDX Application Analysis and InnerSource Insight documentation at sonatype.com for more details on this.

There’s also a new Dependency Tree page, which displays the direct and transitive component dependencies in - as the name would suggest - a tree-like view, sorted by the threat level of each component. More on the dependency tree at Dependency Tree at sonatype.com.

Please refer to Release Notes - Nexus IQ Server at sonatype.com for the full list of changes in Nexus IQ Release 135.

Rancher

With Rancher 2.6 having matured over the past couple of months, we’re rolling out the current stable version 2.6.3-patch2 to the ROOT Platform.

Rancher 2.6 ships with all kinds of new features and enhancements, the most obvious being the redesigned user experience, with a brand new Cluster Explorer navigation for both new and advanced users, new default landing page, new global navigation, and a new cluster managed navigation.

Cluster dashboard view in Rancher 2.6.3-patch2

There are also enhancements to host Kubernetes Clusters.

AKS (Azure Kubernetes Service) provisioning has been enhanced to support the full lifecycle management of the cluster, with capabilities for provisioning private AKS endpoints and multiple node pools, while leveraging Rancher cloud credentials for authentication. Existing AKS clusters provisioned with other tools can now be registered into Rancher, to allow management of Kubernetes upgrades and configuration.

GKE (Google Kubernetes Engine) provisioning has been enhanced with support for shared VPCs and multiple node pools within Google Cloud Platform. GKE node pools can now also be configured with the native autoscaling capabilities.

There’s also a host of enhancements to RKE Cluster functionality, tech preview of RKE2 Cluster Provisioning and Windows node support, bug fixes and other improvements.

Check out the Rancher Release v2.6.0 Announcement at rancher.com and Rancher Release v2.6.3 Announcement at rancher.com for full disclosure on what’s new and changing.  

Eficode Root Team Management

This months’ release of our Root Team Management delivers a welcome improvement for the “Add Nested Groups” search engine, pagination fixes for retrieval of Bot Users and Active Directory nested group support for the RTM Synchronizer.

Official release notes can be found in docs.eficode.io. 

SonarQube LTS

SonarQube will get a minor bump to version 8.9.7 LTS in April. This contains fixes to some issues that affected the previous releases of the LTS variety.

Release notes for this one can be found on Release Notes at sonarsource.com, as always.