February is a month of maintenance and CI/CD, complemented by a slightly bigger leap for the GitLab deployments. There are Atlassian goodies - Bitbucket and Jira - and all kinds of fun stuff already planned for March, which could perhaps already be considered a bit of a celebration of the inevitable change from winter to spring. More on that later, stay tuned!

This month, we will be rolling out fixes and enhancements in the form of:
  • Eficode Root Team Management release 1.8.4
  • GitLab’s leap to release 14.6
  • GitHub Enterprise bump to version 3.3.2
  • Jenkins’ fix-release 2.319.2 LTS plus a little something for the plugin side
  • SonarQube Current and LTS adjustments to 9.2.4 and 8.9.6 LTS, respectively
  • And last but not least, Sonatype Nexus IQ level-up to release 131

GitLab has vastly improved the seamlessness of a multi-site deployment, continued their work on SAST features, and a lot more.

Improved Geo for massively multi-site GitLab

Geo is the GitLab solution for a high-performance multi-site deployment for geographically distributed development teams, which can also serve as a part of an organization's disaster recovery strategy.

Up until GitLab 14.6, it was possible to set up Geo with a single, unified URL for all Git operations. But for web UI and API access, you would need to use the dedicated URL of each Geo replica. The web UI of a replica was also read-only – you would have to navigate to the URL of the primary site to make any changes.

Starting from this release, Geo replica sites transparently proxy write requests to the primary site while retaining the improved read performance of the local site. All of this can be seamlessly achieved by using a single, unified URL for all operations: Git, API and web. Users won’t need to memorize or worry about different URLs and read-only sites anymore.

SAST enhancements and updates

Microsoft announced the release of the new and improved .NET 6 framework late last year, and GitLab quickly followed suit with their SAST capabilities. The .NET SAST analyzer, Security Code Scan, has been updated to support the new .NET.

This release also delivers other SAST analyzer updates:

  • Flawfinder internal packages have been updated to version 2.14.7
  • Gosec has been updated to version 2.9.5
  • PMD-Apex has been updated to version 2.12.10 (with PMD v6.40.0)
  • Semgrep has been updated to version 0.76.2
  • SpotBugs has been updated to version 4.5.0
  • And, finally, Sobelow internal packages have also been updated.

Improved Secret Detection patterns

Sometimes it just happens - as we all know - someone accidentally commits an API key or other secrets to their remote Git repository. The Secret Detection scanner in GitLab can help identify such accidents at an early stage, before they become big headaches.

With this release, GitLab’s Secret Detection scanner has been updated to detect 47 new commonly used secret patterns, bringing the total number of built-in patterns to over 90. You can also customize the patterns to suit your own needs.

Check out the Secret Detection documentation at gitlab.com to learn more about this feature. It is, by the way, available on all tiers of GitLab, starting from the free Community version! 
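A pattern-based scanner in the spirit of this feature, as an added example that is not GitLab's own Secret Detection code: it applies a small constructed set of "built-in" patterns plus one hypothetical custom pattern (the ACME token format) to the added lines of a constructed diff, reports file and line, and masks the matched value so the finding itself does not leak the secret.

```python
import re
from typing import NamedTuple
# Constructed built-in rule set for this example; not GitLab's actual ruleset.
BUILTIN_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitLab personal access token": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b"),
}

class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    redacted: str  # matched value, masked so the report itself leaks nothing

def redact(value: str) -> str:
    # Keep the first 4 and last 2 characters of a match, mask the rest.
    return value[:4] + "*" * (len(value) - 6) + value[-2:] if len(value) > 8 else "*" * len(value)

def scan_added_lines(diff: str, custom_patterns=None) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, tracking the new-file line number.
    Custom patterns extend, or by name override, the built-in set."""
    rules = {**BUILTIN_PATTERNS, **(custom_patterns or {})}
    findings, path, line_no = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):          # file header: path in the new tree
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):          # hunk header: reset new-file line counter
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1)) - 1
        elif raw.startswith(" "):           # unchanged context line
            line_no += 1
        elif raw.startswith("+"):           # added line: the only content we scan
            line_no += 1
            for name, rx in rules.items():
                for hit in rx.finditer(raw[1:]):
                    findings.append(Finding(path, line_no, name, redact(hit.group(0))))
    return findings

# Constructed sample diff: Amazon's documented example access key, a token in a
# hypothetical in-house (ACME) format, and a safe environment lookup that must not fire.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+ACME_TOKEN = "acme_live_0123456789abcdef"
+GITLAB_TOKEN = os.environ["GITLAB_TOKEN"]
"""

def demo() -> list[Finding]:
    custom = {"ACME API token": re.compile(r"\bacme_live_[0-9a-f]{16}\b")}
    return scan_added_lines(SAMPLE_DIFF, custom)
```

Running `demo()` yields two findings (the AWS key on line 11 and the ACME token on line 12) and nothing for the environment lookup on line 13.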

Configurable SSH lifetime for GitLab Ultimate

GitLab already had the ability to enforce a maximum allowed lifetime for Personal Access Tokens (PATs). This release of GitLab Ultimate now offers the same feature for SSH keys as well. This can be useful for organizations where “static” access keys must be renewed at a set interval for compliance reasons.

Maximum allowed lifetime

System Administrators can set up a global, enforced maximum allowed lifetime (in days) for SSH keys in the GitLab Admin Area.

And a lot more

For a complete overview of changes in the GitLab 14.6 update, navigate to GitLab’s own extensive release notes for versions 14.5 and 14.6.

Despite it being more of a maintenance release, there are some things we would like to highlight for the rest of the bunch as well.

Fresh Root Team Management

This release of Eficode Root Team Management (“RTM”) delivers even better usability through various improvements.

Group search functionality in nested group management now supports proper wildcard-based lookups.

Wildcard lookups

There are also new blue “badge” icons for users and groups to indicate whether the object is something that is synchronized from an external directory (such as AD or Azure AD) or if it’s a purely local account maintained in RTM.

The REST API now implements a new “hard delete” endpoint for system administrators, which allows complete and irreversible removal of a user account in RTM. This can be useful for GDPR-related matters, for example.

Complete release notes can be found at docs.eficode.io.

Fine tuning for GitHub Enterprise

Final nail to the Log4j CVE coffin (hopefully)

Whilst the mitigations in previous GHE releases were sufficient to address the impact of the Log4j CVEs everyone knows about, this release updates the Log4j component to version 2.17.1, which contains the latest security fixes.

And some bug fixes to boot

This release fixes the problem where Actions was left in a broken state after an update performed with maintenance mode enabled.

IOPS and Storage Traffic monitoring graphs are now updating correctly again.

Minor fixes have also been made to the logging of some webhook-related jobs, to documentation page links that returned 404 errors, and so forth.

Check out the GitHub Enterprise Server release notes at github.com for the full details.

Jenkins’ minor bump

The February patch level of Jenkins LTS Core delivers fixes for some less critical security issues found in the earlier version. There are a host of plugin updates in store as well, which are mostly about fixing minor niggles here and there, small UI modernization adjustments (such as switching to SVG graphics) and so forth – no functional changes or new features this time around.

And as always: Jenkins instances can be configured with all kinds of wild plugin combinations, so please do reach out to your ROOT Support for a full list of changes applicable to your Jenkins.

Nexus IQ level-up

This month Sonatype’s Nexus IQ got upped from the current release 128 to 131. The new version brings some welcome additions to the table, such as:
  • Dependency Tree data for Java and NPM components, using the Report-related REST APIs (at sonatype.com).
  • Improved CRAN and Cargo data.

The Application PDF Report has been enhanced to include Effective, Declared and Observed licenses separately in the Licenses table.

There are also some minor bug fixes as well as security-related adjustments related to the Logback library.

Complete release notes can be found in the Release Notes for Nexus IQ Server at sonatype.com.

Published: February 1, 2022

Eficode ROOT