What’s new in Eficode ROOT: March 2026
March is officially here, and while the weather might still be deciding if it’s spring or winter, our dev stack has definitely committed to a fresh new look. We’ve successfully vaulted Bitbucket to 9.4.17 and leveled up the Jira and Jira Service Management twins to 10.3.16, a move that includes updating every single plugin to its shiny newest version—because nobody likes a "compatibility error" party. Not to be outdone, GitLab 18.8 and Jenkins 2.541.2 are now running smoother than a well-oiled CI/CD pipeline, with Sonatype Nexus Repository 3.88 standing guard. To top it all off, we’ve given our code quality a triple-shot of adrenaline with SonarQube Community Built 26.1.0, LTA 2025.4.4, and the futuristic standard 2026.1. It’s a lot of version numbers to digest, but think of it as a spring cleaning where we actually threw away the bugs instead of just hiding them in a junk drawer.
This update transitions your core collaboration and delivery tools to Confluence 9.2.15, GitHub Enterprise 3.18.5, and Bamboo 12.1.2 to fortify your environment against recently identified vulnerabilities.
Important heads up!
As part of our upcoming March maintenance window (MMB), we will be upgrading the Jenkins Java version to Java 21. This update is necessary to ensure continued support and security ahead of the upcoming End of Life (EOL) for older versions.
How this affects you:
- Customer-managed agents: If you manage your own Jenkins agents, please ensure they support Java 21 and make any necessary updates after the March maintenance window.
- Eficode-managed agents: No action is required on your part. Eficode will handle the updates for all agents under our management.
This won't affect your ability to build with older Java versions (such as 8, 11 or 17), as this change only concerns the default Java of your agents. If you manage your own agents, you will have to change the default Java version on them; after that, you can still select the other JDK versions from within your jobs.
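An added example (not from Eficode or the Jenkins project): a POSIX shell check, run on a customer-managed agent, that the default java on PATH reports major version 21 or later. It also handles the legacy 1.x version scheme used by Java 8. The function names and the --check argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that an agent's default Java meets the Java 21 requirement.
REQUIRED_MAJOR=21   # target version stated in the announcement

# Extract the major version from a `java -version` banner.
# Handles the legacy scheme ("1.8.0_392" -> 8) and the current one ("21.0.2" -> 21).
java_major_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) ver=${ver#1.}; major=${ver%%.*} ;;
        *)   major=${ver%%[!0-9]*} ;;
    esac
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# Return 0 when the banner reports Java >= REQUIRED_MAJOR, 2 when it cannot be parsed.
banner_meets_requirement() {
    major=$(java_major_from_banner "$1") || return 2
    [ "$major" -ge "$REQUIRED_MAJOR" ]
}

# Check the java binary that is first on PATH (the agent's default Java).
check_default_java() {
    command -v java >/dev/null 2>&1 || { echo "java not found on PATH" >&2; return 2; }
    banner=$(java -version 2>&1)   # the banner is written to stderr
    if banner_meets_requirement "$banner"; then
        echo "OK: default Java is $(java_major_from_banner "$banner")"
    else
        echo "ACTION NEEDED: default Java is below $REQUIRED_MAJOR" >&2
        echo "$banner" >&2
        return 1
    fi
}

# Run the live check only when asked, e.g. `sh check_java.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_default_java
fi
```

Run it as the same OS user the Jenkins agent process runs as, since PATH and the default Java can differ between accounts.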
Bitbucket
This update for Bitbucket 9.4.13 through 9.4.16 is a critical security maintenance release for the 9.4 Long Term Support (LTS) branch. It primarily serves to patch vulnerabilities in two core internal libraries: Apache Tomcat, which handles the web server operations, and Apache Tika, which parses uploaded files and metadata.
Since this is a maintenance-only update, it contains no developer-visible changes, new features, or UI alterations. Instead, it focuses on backend stability and hardening the system against "Denial of Service" (DoS) attacks and other exploits. Upgrading to 9.4.16 is highly recommended to ensure your instance remains secure and compliant without disrupting existing developer workflows.
Jira
This update for Jira 10.3.12 through 10.3.16 is a maintenance release for the 10.3 Long Term Support (LTS) branch. It combines essential backend security hardening with targeted administrative and usability improvements.
This update resolves critical vulnerabilities in the Apache Tika and Apache Tomcat libraries, protecting the instance against remote exploits and "Denial of Service" attacks. Additionally, it includes performance patches for stability issues that previously affected specific high-load environments.
Custom Field Optimizer: Administrators gain better control with a new "cut-off limit" for global context fields. The interface now allows for more flexible sorting of items based on custom factors rather than just severity.
User Picker Reliability: A significant fix ensures that user picker fields filtered by groups now correctly display all members, removing the previous technical limitation that capped visibility at 100 users.
Advanced Roadmaps Portability: The update introduces the ability to migrate full Advanced Roadmaps plans between Jira instances. This replaces the old CSV-only export with a robust import/export system that preserves planning data, teams, and cross-project configurations.
GitLab
The update transitions the platform to GitLab 18.8 to ensure your development environment stays at the cutting edge of performance and security. By integrating advanced automation and real-time compliance reporting, this version removes manual overhead and simplifies complex oversight tasks. You will experience a more responsive interface and greater autonomy over your self-hosted AI and agent infrastructure. Performance is significantly boosted by new caching for deployment projects, meaning your team spends less time waiting for environments to load. Furthermore, the new static compliance reports and automated agent management provide peace of mind by proactively securing your workflow without constant manual intervention.
Turn the GitLab Duo Agent Platform on or off (Premium, Ultimate)
You now have the capability to enable or disable the GitLab Duo Agent Platform—which includes GitLab Duo Chat (Agentic), agents, and flows—at the top-level group or the entire instance. When this setting is disabled, these features will be unavailable. Learn more here.

Turn on and off GitLab Duo agent.
GitLab Duo Agent Platform for GitLab Duo Self-Hosted (offline licensing) now generally available (Premium, Ultimate)
GitLab Duo Agent Platform is now generally available for customers using Duo Self-Hosted.
This feature is available to GitLab Self-Managed customers who have an offline license and utilizes seat-based pricing.
Self-Managed administrators can now configure compatible models for use with the GitLab Duo Agent Platform. This includes the ability for administrators utilizing AWS Bedrock or Azure OpenAI to configure models from Anthropic (Claude) or OpenAI (GPT). Learn more here.
Group access control for GitLab Duo features (Premium, Ultimate)
The new ability to define group access rules for GitLab Duo features offers enhanced governance and control. This allows organizations to manage feature adoption flexibly, whether through immediate, organization-wide deployment or phased rollouts, ensuring compliance and security are maintained while scaling at the desired pace.
GitLab Duo Planner Agent now generally available (Premium, Ultimate)
This agent revolutionizes how you manage GitLab work items, enabling you to create, edit, and analyze them with ease. Instead of spending time on manual tasks like tracking updates, setting priorities, or summarizing planning data, the Planner Agent proactively supports your workflow. It can analyze backlogs, automatically apply prioritization frameworks such as RICE or MoSCoW, and highlight the items that truly demand your focus. Think of it as an efficient, proactive teammate who deeply understands your planning process and collaborates with you to drive faster, better decisions.
Duo Planner in action!
GitLab Duo Agent Platform now generally available
The GitLab Duo Agent Platform has achieved general availability, fundamentally changing how AI is integrated into the software development lifecycle. This platform moves beyond AI tools that merely accelerate individual tasks in isolation. Instead, it provides coordinated AI orchestration across the entire development process—planning, building, securing, and shipping software. This capability bridges the gap between faster individual work and the complex, collaborative, multi-stage reality of modern software delivery. Learn more here.
Key Features and Capabilities:
- Central AI Catalog: Teams can easily discover, manage, and share agents and automated flows across the organization using a centralized catalog.
- Foundational Agents: The platform includes built-in foundational agents, such as Planner, Security Analyst, and Data Analyst, designed to manage structured work and assist at critical decision points.
- Customizable Automation Flows: Automate multi-step tasks and agents in core development workflows, including transitioning from issue to merge request, CI/CD migration, pipeline troubleshooting, and complex code reviews.
Enterprise Readiness and Governance:
With robust governance controls, detailed usage visibility, and flexible deployment options (including self-hosted models for offline environments), organizations gain the necessary transparency and control to confidently adopt and scale AI across their enterprise. Learn more here.
GitLab Duo agent in action!
C/C++ support in Advanced SAST now generally available
Cross-file, cross-function scanning support for C/C++ is now generally available in GitLab Advanced SAST. Learn more here.
Multiple Container Scanning
Users are now able to pass in an array of images to be scanned as part of many Container Scanning jobs. Learn more here.
Auto-dismiss irrelevant vulnerabilities with vulnerability management policies
Security teams can now significantly reduce noise and enhance focus by automatically dismissing irrelevant vulnerabilities using new vulnerability management policies. This feature ensures that developers concentrate only on vulnerabilities that present an actual risk to the organization.
Policies for auto-dismissal can be configured based on the following criteria:
- File path
- Directory
- Identifier (CVE, CWE, or OWASP)
For audit and tracking purposes, auto-dismissed vulnerabilities are clearly marked in the merge request's security widget with an "Auto-dismissed" label. The vulnerability report activity logs the dismissal reason. Learn more here.
GitLab Duo Security Analyst Agent now generally available
The new Security Analyst Agent streamlines vulnerability management for engineers. Using natural language commands within GitLab Duo Agentic Chat, security teams can now triage, assess, and offer guidance on vulnerabilities. This eliminates the need for manual navigation of vulnerability dashboards or creating custom scripts for bulk actions.
As a core agent, the Security Analyst Agent is included by default in GitLab Duo Agentic Chat and requires no extra setup. Learn more here.
Security analyst agent summary.
Jenkins
This update transitions the platform to Jenkins 2.541.1 to strengthen the core infrastructure through essential maintenance and refined administrative tools. By prioritizing backend stability and security, this version ensures a more resilient automation environment that scales seamlessly with your workloads. You will benefit from a more polished interface and optimized dashboard responsiveness that significantly reduces background browser load. These quality-of-life improvements provide a smoother navigation experience while new health-check diagnostics proactively alert administrators to potential system bottlenecks.
SonarQube LTS
This update transitions the platform to SonarQube 2025.4.4 to deliver a more responsive and efficient code analysis experience. By eliminating critical bottlenecks, this version ensures your development teams maintain high velocity without administrative delays. You will benefit from near-instant project creation and optimized report processing that delivers analysis results faster than ever. These performance gains mean your quality gates are updated in real-time, allowing for a smoother and more focused coding workflow. Furthermore, the corrected dependency tracking provides absolute confidence that your security posture is always based on the most current data.
SonarQube Community Build
This update transitions the platform to SonarQube Community Build 26.1 to modernize the entry point and strengthen your global development integrations. By refining the login experience and enabling direct navigation from projects to their bound repositories, this version removes friction from your daily security and quality audits. You will benefit from a more intuitive interface that allows for seamless transitions between analysis results and your source code on GitHub. These enhancements mean your team can verify code health and navigate complex project structures with significantly less effort, boosting overall development velocity. Furthermore, the newly added support for GitHub Enterprise Cloud with Data Residency ensures you can maintain high security standards while meeting strict regional data compliance requirements.
The "quality gate fudge factor" serves to bypass strict enforcement of duplication and coverage requirements, typically for small changes where minor issues could unfairly trigger a failure in the overall quality gate status.
In the updated version, the criteria for ignoring these conditions have been clarified:
- Duplication: Conditions on duplication are still ignored until there are at least 20 new lines (no change from the previous version).
SonarQube can detect secret leaks in files located within directories or hidden files that begin with a dot.
SonarQube standard
This update transitions the platform to SonarQube 2026.1 to unify your code quality standards with the latest advancements in AI and mobile security, while deprecating Automatic AI Code Detection in favor of more specialized analysis. By introducing dedicated compliance reporting for AI and mobile applications, this version ensures your most innovative projects meet rigorous global safety benchmarks. You will benefit from an automated "chain of trust" through the new JFrog Evidence Collection, which links verified analysis results directly to your software packages. These enhancements eliminate manual data reconciliation, providing an unbroken audit trail for your security and quality governance. Furthermore, the centralized attestation transforms complex audit preparation into a seamless, high-velocity experience for your entire team.
The Enterprise edition and higher now include enhanced regulatory coverage for crucial AI and Mobile security standards. This expansion incorporates security reports based on standards such as the OWASP Top 10 for Large Language Models (LLMs) and the OWASP Mobile Application Security Verification Standard (MASVS). Learn more here.
This update transitions the platform to the latest version to provide immediate, deep support for the industry’s newest language standards and cloud architectures. By incorporating dedicated analysis for .NET 10 and C# 14, this version ensures your high-performance enterprise applications are analyzed with absolute accuracy from day one. You will benefit from significant improvements across several core languages, including COBOL and PHP, where refined parsing reduces false positives and focuses on critical logic errors. These enhancements mean your developers spend less time triaging results and more time writing clean code in their preferred environments. Furthermore, the strengthened Infrastructure as Code (IaC) analysis—covering Terraform, Kubernetes, and GitHub Actions—proactively secures your deployment pipelines against hard-coded credentials and insecure command configurations.
Key Language Updates:
- .NET 10 & C# 14: Immediate support for the latest LTS release with zero-day accuracy.
- Infrastructure as Code: Improved evaluation of Helm templates and new security rules for GitHub Actions.
- COBOL & VB6: Enhanced parsing and reliability for legacy systems, including specific fixes for line counts and unused data items.
- PHP & Scala: Streamlined dependency infrastructure and reduced false positives for unit testing and logic rules.
- Secret Detection: New rules protecting sensitive credentials, including xAI API keys and SMTP information.
____________________________________________________________________________
That’s all for March! See you in April!
