- enhancement - Added support for vulnerability analysis for Gradle build manifests.
- enhancement - Added support for vulnerability analysis on images in Dockerfiles.
- enhancement - Added new settings for the Python and Go ecosystems.
- enhancement - Added support for private GitHub Registries.
- fixes - Fixed an issue by removing a redundant
/at the beginning of Windows URI paths that was causing somemvncommands to fail. See PR#692 for details. - fixes - Fixed an issue with the Stack Analysis running on an open file, instead of running on an opened manifest file. See PR#692 for details.
- known issue - You can get an error by using the
Use Pip Dep TreeandUse Python Virtual Environmentoptions simultaneously. See the Known Issues section of the README for more information. - known issue - Red Hat Dependency Analytics has limitations for Maven and Gradle. See the Known Issues section of the README for more information.
- informational - Added a telemetry event to track Red Hat's recommended version acceptance.
- informational - Removing access to Snyk's Vulnerability Database.
- enhancement - Red Hat Dependency Analytics reporting has integrated the ONGuard service by using Open Source Vulnerability (OSV) and the National Vulnerability Database (NVD) data sources for additional vulnerability information.
- enhancement - Integrated VS Code's Secret Storage feature for securing the Snyk token. See PR#689 for details.
- fixes - Fixed an issue with displaying wrong data when triggering the event handler for Component Analysis on a unsaved manifest file. Component Analysis is no longer triggered on unsaved manifest files. See PR#239 for details.
- fixes - Fixed an issue where the diagnostic source name is being obscured in the View Problem panel from an inline analysis. See PR#239 for details.
- informational - The naming convention for VS Code commands has changed from
fabric8torhda. For example,fabric8.stackAnalysisis nowrhda.stackAnalysis.
- informational - The
redHatDependencyAnalyticsReportFilePathsetting name has changed toreportFilePath. If you had a custom file path set forredHatDependencyAnalyticsReportFilePath, then you need to add your custom file path to thereportFilePathsetting. - enhancement - Added a vulnerability severity alert level setting for the user to receive inline notifications for just errors or warnings. See PR#674 for details.
- fixes - Fixed an issue with the
codeActionsMapcall. When multiple manifest documents are open that have the same dependency, one of the document entries gets deleted. This gave a wrong result in the analysis. See PR#236 for details. - fixes - Fixed an issue in the Exhort Javascript API. This fix enables and supports analysis of
pom.xmlmanifests that include local modules, and a parent Project Object Model (POM). See the PR#237 for details. - fixes - Fixed an issue with the analysis report not displaying because of spaces in the manifest file path. See PR#100 for details.
- fixes - Resolved endpoint configuration issue by removing EXHORT_DEV_MODE environment configuration parameter. See PR#672 for details.
- informational - Service Preview release of Red Hat Dependency Analytics (RHDA) extension.
- informational - Configuration names for all supported executable paths in the extension settings have changed. These executable paths are only used for the analysis.
- enhancement - Added support for error observation by using Sentry.
- enhancement - Support for more complex SPDX SBOM relationships.
- enhancement - Added recommendations and remediations in the Quick Fix... tab.
- fixes - Fixed an issue where unique Snyk vulnerability information was not being displayed in the Dependency Analytics report. See PR#217 for details.
- fixes - Better valid and invalid token alert messages for the Snyk vulnerability information provider. See PR#218 for details.
- fixes - Fixed analysis report discrepancies between Red Hat Dependency Analytics and Snyk’s analytics. See PR#219 for details.
- fixes - Fixed the Go and Python package links so they point to their specific package manager website.
- enhancement - Support for Golang and Python ecosystems. See PR#656 for details.
- enhancement - A new setting for Python and Go environments to restrict package analysis when there is a package version mis-match between the environment and the manifest file. See the Features section of the README for more information.
- informational - Alpha release of the new Red Hat Dependency Analytics (RHDA) extension.
- informational - Code base refactoring from CRDA to RHDA alpha. See PR#636 for details.
- informational - Currently no support for Python and Go, but coming soon.
- fixes - Improved overall performance and stability with the analysis report.
- fixes - Extension breaks for Go version 1.17. See #608
- fixes - Retry failed stack analysis requests. See #609
- fixes - [ISSUE] letsencrypted issue by moving to selfhosted. See #542
- enhancement - Let language server know about the type of client and RedHat UUID. See #497
- enhancement - Use lsp 0.4.26 to pass more data to api-server.See #186
- enhancement - upgrade dev deps to fix vulns. See #514
- enhancement - add dev-dependency disclaimer. See #519
- fixes - [BUG] go run github.com/fabric8-analytics/cli-tools/gomanifest doesn't work, but gomanifest itself does, and the extension is trying for go run. See #504 #517
- fixes - [BUG] Message 'Unable to execute 'go list'' command, run 'go mod tidy' to know more' keeps appearing. See #506 #511
- fixes - [BUG] Analysis is triggered way too often (each keystroke). See #509 #516
- fixes - [BUG] Duplicate "Dependency Analytics Report..." commands in command palette. See #512 #517
- fixes - [BUG] Ignore unparseable files from telemetry reporting. See #513 #191
- enhancement - Get python path from ms-python extension. See #485
- enhancement - Usage data collection to enhance extension. For more details view privacy statement and usage data doc. See #489 #487 #488
- fixes - Use lsp 0.4.24 to fix bug with empty manifests. See #493 #494
- fixes - status bar icon tries to open a report for the currently opened file. See #478 #479
- fixes - LSP failure on vscode-insider and Che(node >= 12.16.0). See #481 #483
- enhancement - Support for Golang ecosystem. Plugin can now scan and identify vulnerability within module and package for golang software stacks. See #436
- Identify direct and transitive vulnerability for modules and packages
- Support for semver and pseudo version format
- Provide early access to vulnerability data for modules and packages
- Highlight and provide vulnerability details using alerts & messages
- Recommend a non vulnerable version (if available)
- enhancement - Use concise text for component analysis notification. See #472
- enhancement - Show status bar text based on component analysis status. See #459
- Notification will be shown only once per manifest in single session.
- Further changes will be updated only via status bar.
- enhancement - Updated fabric8-analytics-lsp-server to latest version (v0.4.19): See #469
- fixes - Propagate errors from lsp server to client. See #432
- fixes - Dependency UTM encoding issue. See #460
- fixes - VsCode Extension: Dependency Details card needs minor improvements. See #295
- fixes - Sort dependencies shown in stack report. See #260
- fixes - Stop showing notification if no security vulnerability found. See #434
- fixes - Extension overrides default keybinding for opening the debugger view. See #442
- fixes - Output log opens everytime requirements.txt is opened. See #458
- fixes - Diagnostics are not cleared when all vulnerabilities are removed. See #465
- fixes - Property based versions are ignored on LS for maven. See #258
- enhancement - Updated fabric8-analytics-lsp-server to latest version (v0.4.2): See #440
- Code-action to trigger Dependency Analytics Report. See #149
- fixes - Report generation fails with virtualenv enabled python. See #404
- fixes - Propagate errors from lsp server to client. See #432
- enhancement - Integration of user management to connect Snyk account with Dependency Analytics report, which enables advance vulnerability analysis for publicly known exploits and Snyk curated unique and pre-published security advisories.
- enhancement - Add shortcut icon for Dependency Analytics Report in editor groups. See #418
- enhancement - Use webpack to reduce extension loading time. See #359
- enhancement - Updated fabric8-analytics-lsp-server to latest version (v0.3.2): See #420
- enhancement - Upadated Stack Report UI:
- fixes - Can not navigate to Synk: Added postMessage to handle url click. See #403
- fixes - Rename notification button with 'Click here for Detailed Vulnerability Report'. See #423
- fixes - Update tags for extension to enable better prioritization in marketplace search. See #427
- enhancement - Integration with Snyk Intel Vulnerability DB, it is the most advanced and accurate open source vulnerability database in the industry. That adds value with the latest, fastest and more number of vulnerabilities derived from numerous sources and also includes Snyk curated unique and pre-published security advisories that come with early stage of vulnerability detection.
- enhancement - Updated fabric8-analytics-lsp-server to latest version (v0.2.1): See #381
- Different Underline color scheme for commonly known vulnerabilities and vulnerability unique to snyk. See #118
- Updated Diagnostic Message: See #118
- Number of Known Security Vulnerabilities and Security Advisories for each dependency.
- Highest Severity of vulnerabilities for each affected Dependency. (
Low/Medium/High/Critical) - Recommended version for dependencies having Known Security Vulnerabilities.
- Added Snyk attribution “Powered by Snyk” in the source of the Diagnostic. See #121
- Removed CVE-IDs from message.
- enhancement - Upadated Stack Report UI: See #142
- Updated Security Issue Card content: See #142
- New headers for Security Issue.
- Added Transitives as a sub-tab in the particular Direct Dependency.
- Separate tabs for Commonly Known Vulnerabilities and Vulnerabilities Unique to Snyk.
- Added Snyk Vulnerability ID in place of CVE-ID.
- Added Vulnerability Titles with Severity (
Low/Medium/High/Critical) and removed Tags. - Added hyperlink to package name, Snyk Vulnerability ID, and Vulnerability Titles.
- Dependency Details card rearranged in order of preference.
- Attribution to Snyk “Powered by Snyk” with a
Sign UP/Sign InHyperlink to Snyk Login page.
- Updated Security Issue Card content: See #142
- fixes - Upgraded typescript to fix tsc-watch misbehave. See #373
- fixes - Upgraded node version to 14.x LTS. See #377
- fixes - Quick fixes on hover don't show associated code actions however click on version does. See #297
- fixes - A direct dependency included in manifest should not be shown as transitive dependency. See #337
- fixes - CVE IDs should be hyperlinks to NVD. See #318
- fixes - Visual artifact seen after taking corrective action from lsp. See #357
- fixes - Opening manifest file does not show the scanned results. See #365
- enhancement - Add python support. See #308
- enhancement - Enable transitive(indirect) dependency report by default. See #330
- enhancement - Show welcome message after upgrading to latest version. See #334
- enhancement - Resolved dependencies are stored in target in workspace root. See #302
- fixes - Dependency Analytics Report not generated if triggered via file explorer. See #299
- fixes - Stop polling for stack-report if it takes any longer than 120 secs. See #304 #338 #352
- fixes - Issue with running manifest file without having a workspace. See #314
- enhancement - Replace priview-html with VSCode webView APIs. See #257
- enhancement - Shows error(STDOUT/ERR) in output channel. See #284
- enhancement - Support for Eclipse che/theia.
- enhancement - codeAction returns command which does seems to be supported by all LSP implementations. See #95
- fixes - Issue with Dependency analytics report, if triggered via file explorer. #279
- fixes - Unable to update dependency version. See #274
- fixes - Unable to generate stack report for Maven pom.xml. See #272
- fixes - Experiencing 504 Gateway Time-out for component-analyses. See #270
- fixes - Switching to report page is slow. See #89
- fixes - Generate application stack report for manifest file is throwing unable to parse error for package.json. See #216
- fixes - Recommended version shown in component analyses and stack analyses are not Same. See #292
- improvements - Improved latency numbers to analyze your application dependencies.
- improvements - Optimized resolving application dependencies.
- enhancement - add support for muti-root workspaces. See #4496
- fixes - removes usage of depreciated rootpath APIs.
- fixes - Show info status messge only first time manifest is open and then show if any CVEs are detected along with minor bug fixes and updates READMEs
- enhancement - add support for Quickfixes for any CVEs flagged with codeaction. See #4516
- enhancement - provide one to command to trigger Dependency Analytics Report for a particular manifest/Application level. See 4518
- enhancement - add support to show progress along with Info toast when lsp calls complete.