What’s new in Eficode ROOT: September 2023

Keep signed commits in check

Git commit signing has been a thing for quite some time now, but using this information within the Bitbucket UI could always be more intuitive.

That all changes with this new release of Bitbucket, which introduces a new commit signature status indicator on the Commits page. Not only does it allow you to differentiate signed and unsigned commits, but it also shows if a signed commit has successfully passed the optional signature verification.

There are three possible states for each commit:

• The icon, which indicates the commit, is both signed and verified.
• The icon indicates the commit being signed, but Bitbucket is unable to pass the verification of its signature.
• No icon means there is no signature on that particular commit.

2FA for Git over SSH with security keys

This release of Bitbucket introduces support for the ED25519-SK and ECDSA-SK SSH keys designed to work with FIDO2 or U2F hardware authenticators like YubiKey.

Security keys can be used to implement proper multifactor authentication for Git operations, which offers a modern, safer alternative for your typical password or traditional SSH key-based authentication.

Check out the documentation for generating a security key-based SSH key here to learn more about using security keys with Bitbucket.

Manage your licenses

Have you ever seen the long list of users in Bitbucket (synchronized from another directory) and wondered how many contribute to your license's consumed seats?

Bitbucket 8.13 takes away this joy of wondering and pondering by including a new Licensed column on that very list–and it means what it says on the tin (Licensed or not–Yes or no). Some things in this world remain comfortably binary.

It’s also possible to filter the userlist based on the license status, providing you convenient access to conduct further scrutiny en masse towards the user accounts in both categories.

Add strictness

The previous Bitbucket release on Eficode ROOT introduced new compliance controls for project permissions, SSH keys, and HTTP access tokens.

This release builds more on top of that foundation, with new controls available for hooks, merge checks, merge strategies, and branch settings to ensure your organization's compliance requirements are met.

Check out the documentation for restricting changes to repository settings here for more information on the available controls. 

Let’s get down to the brass tacks

Most importantly, this release of Bitbucket also includes a new built-in video player that supports streaming videos within the Bitbucket UI itself.

^{Embedded video in a Pull Request description in Bitbucket 8.13.}

Simply add your video in mp4, mov, or webm format as an attachment in your comment and let Bitbucket take care of the rest.

How did we ever manage without this?

What’s new in the Bitbucket ecosystem?

In addition to minor fixes and adjustments, some noteworthy updates have also appeared in the Eficode ROOT’s Bitbucket App-O-Sphere.

Awesome Graphs for Bitbucket gets a Cycle Time breakdown

In our September version of the Awesome Graphs for Bitbucket app, we are treated with a new capability of displaying a breakdown of the Cycle Time on an individual pull request level.

Using this functionality, you can quickly examine how much time a pull request has spent in each phase of its lifecycle, from Time to Open through Pickup Time and Review Time to the final Time to Resolve.

Full release notes from the vendor can be found on Awesome Graphs for Bitbucket version history here. 

Enhancements in security for Bitbucket

Our September release for the app, Security for Bitbucket: Enhanced Secret Scanner by Soteri, delivers some useful enhancements, including:

• New Audit Log events for when the Security Hook warns about or blocks any commits and when a scan is triggered.
• Line offsets are now shown in push rejection messages.
• More precise CSV exports of findings. Exports will now include new columns to locate text more precisely and contain all data required to mark findings reviewed. The enhancements are detailed in the Security Scan Report documentation on soteri.io.

Value Streams Dashboard gets new velocity metrics

The Value Streams Dashboard - generally available since GitLab 16.0 - has been enhanced with new metrics:

Merge request (MR) throughput for counting the number of merge requests merged per month, and Total closed issues (or Velocity) is the number of flow items closed at a given time.

These metrics allow you to identify productivity patterns and the efficiency of your merge request and code review process. Over time, these metrics accumulate historical data from MRs and issues, enabling teams to see if everything was better in the good old days.

If you are not yet reaping the benefits of Value Streams Dashboards, check out the documentation here to get started.

Security findings in VS Code

Through the magic of the GitLab Workflow extension for Visual Studio Code (VS Code), you can now get the results of GitLab security scanning for your merge request delivered right into your IDE.

Previously, it was already possible to monitor your CI/CD pipeline, watch its job logs, and move through the development workflow. Now, after creating a merge request for your branch, you’ll also see the list of security findings that weren’t previously found on the default branch. That’s one small step closer to VS Code taking over the world.

See the documentation for GitLab Workflow here for more on the new features. 

Needs keyword with parallel matrix jobs

You could have already used the needs keyword to define dependency relationships between your jobs. GitLab 16.3 enhances the functionality of needs by enabling the keyword to be used with parallel matrix jobs, which was impossible in earlier versions.

Support for Azure Key Vault

Using the new GitLab integration, you can now easily retrieve secrets from your Azure Key Vault, making interacting with Azure Key Vault through GitLab CI/CD a breeze.

See the Azure Key Vault secrets in GitLab CI/CD docs here for details. 

Auditable application settings changes

GitLab will now record an audit log event for all application setting changes at an instance, project, and group level, along with the name of the user who made the change.

CODEOWNERS validation

Previously, it could’ve been perhaps a bit too easy to accidentally decouple the CODEOWNERS content from reality.

With this release of GitLab, you can now see possible syntax or formatting errors in your CODEOWNERS right in the UI. The new validation can identify the following errors:

• Entries with spaces.
• Unparsable sections.
• Malformed, inaccessible, or nonexistent owners.
• Fewer than one required approvals.

Scratching the surface

In addition to the load of new features and enhancements, this release includes some removals and potentially breaking changes. Removal of the bundled Grafana was deprecated and disabled by default in GitLab 16.0. Now, this release does away with the bundled Grafana completely.

There’s also a potentially breaking change in the form of a hard limit for RSA key length. Due to the limitations imposed by the Go programming language used in GitLab, RSA keys longer than 8192 bits will not work with GitLab. Any key longer than this must be regenerated at a smaller size. More on this topic can be found on the associated Epic here.

And as usual, we’re just scratching the surface here. Complete and exhaustive release coverage can be found on GitLab 16.3, released with new velocity metrics in the Value Streams Dashboard. 

Sonatype Nexus Repository

Level-up on Repository now brings some nifty enhancements with it.

Outbound request log for troubleshooting excellence

Nexus Repository is often used to access many external URLs and resources. When things start going wrong, the failure modes are typically more nuanced than the traditional side cutter-based loss of communication.

This release of Nexus Repository comes with a new logging facility to record outbound communications towards these external resources. It includes information such as authenticated user ID, HTTP method, URL, response status code, bytes sent and received, and the response time. All of which can be of great help when identifying those nuances.

Improved user experience

It’s been possible to configure the default privilege level for all authenticated users using the Default Role capability. Since it wasn’t always clear if and when the default privileges were applied, there’s now a new alert on the Roles screen whenever a default role has been set.

The Manage repositories table now includes a new Blob Store column, making it easier to identify which blob store each repository is stored on.

Sonatype has also added a Last Updated column to the Search Results table, with the benefits of this improvement being self-explanatory.

It doesn’t end there, either. There are also better error messages when configuring Content Replication, and the UI React conversion effort started in the 3.46.0 release also continues with this one.

Check out the Sonatype Nexus Repository release notes for 2023 here for a full disclosure of all the fixes and enhancements.

Sonatype IQ Server

With Sonatype’s recent revision of their product naming (found in this blog), it’s about time we here on Eficode ROOT start using some proper naming conventions, too. The Nexus IQ is dead–long live Sonatype IQ Server.

Support for organization hierarchy

This release of Sonatype IQ Server implements a multi-level hierarchical model for Orgs and Policies. You now have the flexibility of mimicking your company’s organizational structure and business units in the IQ Server organization model, allowing you to create context-sensitive policies and remediation steps appropriate for different organizational domains.

Generate SBOMs in SPDX format

To promote open standards for communicating SBOM information, this release of Sonatype IQ Server ships with support for generating SBOMs compliant switch SPDX 2.3 standards. The new SPDX REST API returns SBOMs in both XML and JSON formats.

Check out the SPDX REST API - v2 documentation here for more details. 

Improved identification of Conan dependencies

Analysis of the conaninfo.txt file is improved with this release of Sonatype IQ Server. Gone are the duplicate dependencies referenced in the requires and full_requires sections. Dependencies in the full_requires section now take precedence over those in requires, allowing them to be excluded to avoid duplication.

Other noteworthy improvements and enhancements

The application and component evaluation have been updated with support for Java 19 and Java 20 bytecode.

The Vulnerability Details REST API now includes an additional response field, customData, for retrieving user-customized vulnerability attributes.

There’s also some added flexibility for the namespace confusion protection feature: it’s now possible to disable certain namespaces to unblock components of specific public repositories. This can be useful when the protection is causing unwanted blockers for development work.

See the Sonatype IQ Server release notes here for a complete overview of changes in this release.

UI modernization part n+1

The gradual polishing of the UI has been a theme in Jenkins LTS releases lately. The new Jenkins Core 2.414.1 LTS we have in store for September continues the tradition. The story continues with updates to various menus, buttons, and other UI features to align with the general, new look and feel of the thing.

^{Login screen in Jenkins 2.414.1 LTS}

On top of that, we also have some UI updates that are perhaps a bit more obvious, like the new radiant sign-in page. Additionally, those confirmation pages for mundane actions, such as deleting or renaming a job, have been replaced by far more sensible confirmation dialogs.

Potentially breaking changes looming

Are you configuring Jenkins permissions with Configuration as Code, Job DSL, or Pipeline plugins? Then this one's for you.

The recently released Matrix Authorization Strategy plugin version 3.2 introduces a syntax change for managing Jenkins permissions programmatically. The change is slightly different depending on which of the three plugins you are using. 

In all use cases, the previous permissions element has been replaced with a new entries list, which provides a more elaborate element syntax decoupled from the serialized XML configuration format of Jenkins. Please refer to the Matrix Authorization Strategy release notes here for examples. 

This new version of Matrix Authorization Strategy will roll out to Eficode ROOT Jenkins instances in October.

That concludes our update. We hope you find this information useful.

Additional notes

It’s the same story as every month: In addition to the Jenkins Core release, we also ship out various updates to plugins and add-ons. Unless otherwise noted, these are mainly “minor” enhancements, fixes, and small new features.

Due to the uniqueness of Jenkins deployments, we can only cover some specifics here. A complete list of changes and updates for your special Jenkins snowflake is available via your friendly Eficode ROOT support team.