Kondukto Release v1.100 3rd March, 2025

New Features

  • Dependency Tree/View and Transitive/Direct Component Fields are now available in SBOMs. The new view displays component relationships using the "depends on" structure from the CycloneDX and SPDX standards, allowing better visualization of dependencies. Additionally, components can now be marked as transitive or direct, with the flexibility to vary by project.
  • A new "Dependency File" filter (query parameter) is now available on vulnerability tables, allowing filtering by Dependency File (SCA file name).
  • OpenAPI Spec (Swagger File) Parsing and "API Endpoints" Tab enable the display of HTTP endpoint details, such as method, path, and vulnerability count, by parsing a single Swagger file per project and presenting the data in a table under the project’s "API Endpoints" tab.
  • Severity Update and Auto Flagging tags enable condition-based actions to be applied to vulnerabilities immediately and automatically after each scan/import. Multiple flags can be selected, with all actions, severity changes, and flags logged in the Vulnerability Change Log and audit trail.
  • The integration with Blackduck and Coverity Seeker now includes advanced settings for user permissions. Team leads can be granted permission to either scan instances or create new instances.
  • Control API Endpoint Import for Non-Supported Files – Unsupported files are now supported and can be imported successfully.
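
The direct/transitive distinction in the SBOM item above can be derived from the CycloneDX "dependsOn" graph. The following is an added example, not Kondukto's code: it assumes a CycloneDX JSON BOM whose root is `metadata.component`, uses a constructed sample BOM, and the "unreachable" label and function names are hypothetical.

```python
from collections import deque

# Constructed sample BOM (CycloneDX JSON shape); component names are made up.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [{"bom-ref": r} for r in ("web", "json", "tls", "orphan")],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "json"]},
        {"ref": "web", "dependsOn": ["json", "tls"]},
        {"ref": "tls", "dependsOn": ["web"]},
    ],
}

def classify(bom):
    """Label each component direct, transitive or unreachable from the root."""
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    seen, queue = {root}, deque([root])
    while queue:  # breadth-first walk; `seen` guards against cycles
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    labels = {}
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        labels[ref] = ("direct" if ref in direct
                       else "transitive" if ref in seen else "unreachable")
    return labels

def tree(bom, ref=None, depth=0, path=()):
    """Render the dependsOn graph as indented lines, cutting cycles."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    ref = ref or bom["metadata"]["component"]["bom-ref"]
    lines = ["  " * depth + ref + (" (cycle)" if ref in path else "")]
    if ref not in path:
        for child in graph.get(ref, []):
            lines += tree(bom, child, depth + 1, path + (ref,))
    return lines

if __name__ == "__main__":
    print(classify(SAMPLE_BOM))
    print("\n".join(tree(SAMPLE_BOM)))
```

A component listed in the BOM but unreachable from the root usually indicates an incomplete dependency graph from the generating tool, which is worth checking before trusting a transitive/direct label.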

Improvements

  • Trivy Operator Configuration Audit Support has been added for Trivy Operator configuration audit-type findings, with results similar to the Kubescape tool output.
  • Team Restriction for Custom Roles introduces a new toggle, "Use teams to restrict accessible projects and users", for custom roles inherited from Admin. When enabled, it restricts users to viewing only the teams, projects, vulnerabilities, and users associated with their team memberships, and limits access across the Global Dashboard, Teams Section, Vulnerability DB Team Filter, Scans Team Filter, Reports Section, and Users Menu. This toggle cannot be used with the "Use Business Units" toggle.
  • The Trivy Operator Scanner integration now includes a "Fetch Exposed Secrets" option.
  • TLS authentication for email integration now supports self-signed certificates.

Bug Fixes

  • The default item size for Infra profiles has been updated, and the pagination size is now fixed.
  • The issue with saving Checkmarx scan parameters during project creation has been fixed, and the tag selection endpoint now functions correctly.
  • The functionality to edit existing Trivy Operator integrations has been restored, ensuring smooth operation as expected.
  • The process of adding a new pentest has been updated to disable the End Date selection for 'In Progress' or 'Scheduled' statuses, with a warning message indicating the End Date is not required.
  • The issue with mismatched data displayed on the dashboard after relogging has been resolved.