October 2024

We are excited to introduce the latest features and enhancements in Endor Labs.

New features

Find and evaluate AI models

You can now view AI models from Hugging Face on the Endor Labs platform. Search for AI models and review their Endor scores, including security, activity, popularity, and quality. These scores help you make informed decisions before integrating models into your organization. See Discover AI models for more information.

AI model list

Scan Java projects without pom.xml

You can now scan Java projects that do not have a pom.xml file. This feature enables Endor Labs to scan a non-Maven and non-Gradle Java artifact and provide the list of unresolved dependencies, resolved dependencies, and the dependency tree. You can set the environment variables ENDOR_JVM_USE_ARTIFACT_SCAN, ENDOR_JVM_USE_ARTIFACT_SCAN_CLASSPATH, and ENDOR_JVM_FIRST_PARTY_PACKAGE to facilitate the scan of projects that contain such artifacts. See Scan projects without pom.xml for more information.

Export multiple package versions in SBOM

You can now export multiple package versions in an SBOM through endorctl with the new command options --package-version-uuids, --project-uuid, and --project-name. This feature allows aggregating multiple package versions across one or many projects in a single SBOM file. See Export multiple package versions in SBOM for more information.

Enhancements

Enhanced user interface to view findings of a project

Endor Labs has a new user interface to view findings of a project.

  • Findings list: Findings are now presented in a tabular format with columns that include location, EPSS, tags, and more.
  • Preset filters: Preset filters help you look for the category of findings you care about the most. For example, Prioritized Findings lists the critical vulnerability findings from the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
  • Detailed drawers: A side panel drawer provides detailed metadata for each finding, including risk details, fix info, and call graphs when available.

The new updates are designed to enhance your experience by providing:

  • Modern look and feel: A refreshed, modern design that’s cleaner and more intuitive.
  • Enhanced navigation bar: Streamlined menus to help you find what you need faster.
  • Improved performance: Faster load times and smoother transitions for a more efficient workflow with default filters pre-loaded.

See View findings associated with a project for more information.

Project Findings

Manage build tools

The following enhancements are now available for specifying project build toolchains:

  • Auto detection of build tools - You can enable auto detection of build tools for your projects based on the manifest files present in the repository. Auto detection is supported for Long Term Support (LTS) versions of Java, Python, Go, and .NET (C#) projects. See Enable auto detection for more information.

  • Specify toolchains with scanprofile.yaml - You must now specify build toolchains in the scanprofile.yaml file, a multi-document YAML file with a structure similar to Kubernetes configuration files. Previously, build toolchains were defined in the profile.yaml file. See Manage build tools for more information.

Jira integration

When integrating Jira with Endor Labs, you can:

  • Specify an issue type from the custom Jira project such as Bug, Task, Epic, Story, or any other value when raising a Jira ticket. This enables efficient categorization and tracking of issues within the project.
  • Configure the integration to define custom fields with appropriate values that align with your organization’s workflows. For instance, you can create key-value pairs like Source = Endor Labs to associate specific information with each Jira ticket raised from Endor Labs.

See Set up Jira integration with Endor Labs for more information.

Support for Bazel with Gazelle in vendored mode in Go projects

Endor Labs now supports scanning Go projects that use Bazel with Gazelle in vendored mode. See Scan Go projects using Bazel with Gazelle in vendored mode for more information.

Kotlin 2.0 Support

Endor Labs has extended Kotlin support to include version 2.0. With this enhancement, Endor Labs supports Kotlin projects from version 1.4 to 2.0.

Other enhancements

  • Archived repositories - The Endor Labs GitHub App no longer scans archived repositories by default. To include archived repositories in the scan, you can adjust the preferences during the GitHub App installation or by editing the integration settings afterwards.

  • Name change from SCPM to RSPM - Endor Labs now uses RSPM (Repository Security Posture Management) as the standard terminology for all SCPM (Source Code Posture Management) policies and findings across the user interface and documentation. Previously, both RSPM and SCPM were used interchangeably.

  • Removal of Dismiss Findings - You can no longer dismiss a finding from the Findings page on the Endor Labs user interface. Instead, apply an exception policy if you do not want the finding to trigger any action policy. See Apply exception to findings for more information.