What’s new in Eficode ROOT: March 2022

CI/CD deployment details in Bitbucket

Atlassian makes Integrated CI/CD even more integrated. You can now configure your Bamboo and Jenkins integrations to send deployment status events to Bitbucket for a more complete overview of the flow of your CI/CD pipeline right in Bitbucket UI. No need to log in to Jenkins anymore just to check up on the progress of your delivery.

Whilst Bamboo sends these events fully automatically, Jenkins requires some fine tuning for enabling the feature: Freestyle projects can conveniently send the status information using a Post-build action and Pipelines can employ the bbs_deploy function implemented by the Bitbucket Server Integration Plugin.

Check out View deployment information in Bitbucket page at atlassian.com for further instructions on setting it up.

HTTP access tokens for projects and repositories

A regular personal HTTP access token is tied to your account. This release of Bitbucket will add the possibility of creating non-personal, project or repository specific access tokens for those situations when you don’t need or want repository access to be fixed to user accounts. Creation of these tokens is limited to Admins only.

That being said, we do understand that this behavior might be undesirable in many enterprise grade environments. Because of this, we are switching this feature OFF by default, but will naturally enable it for you if you so wish.

Check out HTTP access tokens documentation at atlassian.com to learn more about the feature.

Enhancements to Data Pipeline

Data Pipeline is a feature, which allows you to export Bitbucket instance data in CSV format for analysis in your favorite BI tool.

With this release of Bitbucket, Atlassian has added the possibility of excluding projects from the data export by introducing a new “opt-out” list. This can be very useful, if you happen to have projects with sensitive data which you don’t want to send out to an external tool. Or if you simply have some projects that are irrelevant from a reporting perspective. You can now exclude all of them right from the get-go.

Git version bump

Server-side Git version on Bitbucket will be updated to version 2.35.1. This will introduce a new git merge strategy called ort, which replaces the old recursive strategy used before. The new strategy can offer significant merge performance improvements especially for large pull requests.

News from the Ecosystem

Awesome Graphs for Bitbucket

Plugin gets a bump up to version 5.11.1 which adds a capability for selecting multiple teams to include in the Reports using a multi-select filter. This conveniently allows you to get summarized statistics for multiple teams working with the same repository or project.

Post Webhooks for Bitbucket

Post Webhooks version 3.26.07 includes some neat improvements to its usability, such as:

• Possibility of configuring separate regex patterns for defining which branches to consider when filtering events:
  • From branches to consider
  • From branches to ignore
  • Destination branches to consider
  • Destination branches to ignore
• Addition of a new filter for repository slug on project and global level, which allows you to use a Java-style regular expression to filter repository slugs.

Check out the Bitbucket Post Webhook main guide at moveworkforward.com to learn more about these features.

Sonar for Bitbucket Server

Sonar integration plugin receives a major update to version 5.1.0 with a host of new features and enhancements, such as:

• Security hotspots are now shown in the statistics view.
• Lines of Code metric in statistics also shows programming languages.
• Merging in Bitbucket will be blocked when a SonarQube analysis task is ongoing.
• SonarQube server configuration has been simplified by new edition auto-detection logic.
• Plugin security has been enhanced by deprecating username/password authentication, you should use a token instead.

We’ve got some explaining to do

Our original intention - as you might have guessed - was to deliver a new feature release of Jira, if for nothing else but to celebrate, in our own way, the imminent arrival of spring that is often associated with the month of March.

Our anticipation for Jira release 8.22.x was perhaps a bit premature. It was released on the 16th of February, but unfortunately it was just a tiny bit too late for our quality assurance processes for the March release.

But at least we are giving annoying bugs a good beating

In March we will be rolling out a patch to Jira version 8.20.5 with its repertoire of fixes including hits like “Jira Dashboard gadgets failing to load on Chrome 97/98” (JRASERVER-73196) and “Adding attachment to issue resulting in a misleading error message” (JRASERVER-72822).

Please refer to the Jira Software 8.20.x release notes at atlassian.com for the full list of issues resolved in this release.

Artifactory highlights

Artifactory, being a more mature product already, isn’t quite as feature-packed this month as its security-scanning kin. That being said, it’s not exactly just “same old, same old” either.

There is a native Pub repository (beta) support for Dart packages, which are reusable libraries and packages for Flutter, Angular Dart and general Dart programs. You can now control your deployment and resolution of Pub packages using Artifactory, with the usual support for Local, Remote and Virtual repositories. Don’t hesitate to get in touch with your ROOT support team if you’d like to start using your Artifactory for Pub.

Artifactory 7.17 implemented a feature called JFrog Projects. Previous reserved to Enterprise subscription only, this release of Artifactory makes Projects available for all license tiers. The Projects are conceptually quite different from a typical Artifactory setup shared with the whole company, business unit or a team; a Project creates an organizational management entity inside Artifactory, where the resources (repositories, builds etc.) are no longer “global”, but all owned by the Project. Everything is more “sandboxed”, if you will.

There’s more in-depth detail about the concept in JFrog Projects documentation at jfrog.com if you are interested.

And, as always, the full overview of all changes in Artifactory can be found in Artifactory Release Notes at jfrog.com.

JFrog’s CVE research for REST APIs

Our November release of JFrog Xray introduced a new capability that provides additional CVE details from the JFrog security research team. This is called the JFrog Security CVE Research and Enrichment. This information was available through the JFrog Platform UI.



This release of Xray will bring the results of this valuable research work to the Xray REST APIs as well, allowing automation and integrations easy access to this information.

JFrog Security CVE Research and Enrichment data is now available on Artifact Summary, Build Summary, Get Violations, List Ignored Violations and Scan Build V2 REST APIs through the addition of five new parameters:

• JFrog Research Severity
• Summary markdown text
• Detailed description markdown text
• JFrog Research Severity Breakdown (list of reasons)
• Remediation (list of mitigation options)

On-demand binary scan for Docker!

This release of Xray ships with further additions to the Xray On-Demand Binary Scan feature.

It is now possible to perform local Xray scans of Docker images. With JFrog CLI version 2.11.0 or later, you can now run an ad-hoc scan of your Docker image right on your workstation without having to push the image to Artifactory for scanning.

It is also possible to view all ongoing On-Demand Scans and their results directly from the JFrog UI. Check out the On-Demand Binary Scan instructions at jfrog.com for more details on this one.

Software Bill of Materials report for the DevSecOps crowd

This release of Xray also introduces the capability to generate a Software Bill of Materials (SBOM) report in SPDX and CycloneDX standard formats. The SBOM report will provide DevSecOps engineers with a convenient inventory of the composition of your software -- Bill of Materials. The components your software project is built upon, including unidentified components and open source software.

With a SBOM report, you can easily understand components and code dependencies, gain more visibility into open source licenses in use, identify security vulnerabilities in the components in use and so forth.

Check out the comprehensive Xray SBOM report documentation at jfrog.com for more details on this one as well.

Jenkins’ monthly treatment

Jenkins will receive a usual round of updates in the month of March. There are some minor security patches coupled with other small improvements, fixes and enhancements here and there. No major or breaking changes this time around.

There are some under-the-hood changes in Jenkins’ weekly with a bit of an impact to many plugins. We’re expecting these changes to make LTS status by our April release, but more on the subject once it becomes reality.

As always, please reach out to your friendly ROOT support team if you have any questions regarding the updates specific to your ROOT Jenkins instance.

Root Team Management

The latest release of RTM, version 1.8.5, improves on some fairly minor niggles:

• UI previously could have given false hope by seemingly allowing you to change profile fields that were locked, when in fact the truth… it was out there. We merely displayed it in RTM.
• Starting with this release, bot accounts cannot be set to use an email address that is already associated with a personal account.

There are also some bug fixes to top it off. All of which is listed on our RTM 1.8.5 release notes at docs.eficode.io.

SonarQube Current

SonarQube Current gets updated to the latest release 9.3 with a bunch of new features. Be sure to check out the official SonarQube 9.3 announcement at sonarqube.org for more details. And there’s of course the 9.3 Release Notes at sonarsource.com for all the nitty-gritty details.

Bidirectional character detection

SonarQube analysis can now detect potentially malicious content (“Trojan Source” attack) hidden using bidirectional unicode characters which aren’t visible to the eye. There’s a new cross-language rule for detecting Bidi characters in all analyzed files.

Taint analysis for Android

Developer / Enterprise / Data Center Editions only

SonarQube series 9 has been focusing on helping Android developers write cleaner and safer code. This version adds Android taint analysis for catching cross-site-scripting, remote code execution, command, SQL and path injections in Java code.

Terraform SAST support expand with Azure coverage

This release of SonarQube will expand its IaC SAST support to cover Terraform files for Azure Cloud. Terraform for AWS is already supported and the GCP equivalent is in the works.

The domains for Azure Cloud Terraform analysis include security at rest and at transit, Azure AD, Resource Manager and public network access, whilst the AWS support in commercial editions have received improvements to taint analysis of AWS Python Lambdas.