We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.171. This release includes new features.
Support for scanning secrets in code
Endor Labs scans your code files and repositories for secrets such as API keys, registration tokens, client secrets, client IDs, access tokens, bearer tokens, and refresh tokens of several popular services such as GitHub, GitLab, AWS, Dropbox, Adobe, Atlassian, Bitbucket, Coinbase, Databricks, and many more.
Using Endor Labs’ secrets scan, users can:
- View findings for secrets exposed in the code and take remedial actions based on their severity.
- Detect valid and active secrets in their code repositories and immediately secure them.
- Perform the endorctl scan to audit their codebase regularly for secrets and take necessary mitigation measures.
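The detection side of a secrets scan, as an added example that is not Endor Labs' own code: a small scanner that combines vendor-specific token formats (the AWS access key id and GitHub token prefixes follow those vendors' public documentation) with a generic "secret-like variable assigned a long random-looking value" rule gated on Shannon entropy so that placeholders are not reported. The sample text, rule names and entropy threshold are constructed for the example; findings are redacted so a report never re-leaks the value it found.

```python
import math
import re
from collections import Counter

# Illustrative detection rules (constructed for this example). The AWS access
# key id and GitHub token prefixes follow those vendors' documented formats;
# the generic rule catches a long value assigned to a secret-like variable
# name and is gated on entropy below so placeholders are skipped.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic-assigned-secret": re.compile(
        r"(?i)\b(?:secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?"
        r"(?P<value>[A-Za-z0-9_\-+/=]{20,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a constant string, log2(len) when all characters differ."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so the report cannot re-leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Run every rule over every line; return redacted findings with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.groupdict().get("value") or m.group(0)
                if rule == "generic-assigned-secret" and shannon_entropy(candidate) < min_entropy:
                    continue  # low-entropy values such as "xxxx..." are placeholders, not secrets
                findings.append({"rule": rule, "line": lineno, "redacted": redact(candidate)})
    return findings


# Constructed sample input. The AWS key id is the placeholder value used in
# AWS documentation; the other values are made up for this example.
SAMPLE = """\
# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
password = "xxxxxxxxxxxxxxxxxxxxxxxx"
api_key = "Q7vB2xLm9pRt4sKw8nZc1dYf6hJg3eUa"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The placeholder password on line 4 is matched by the generic rule but dropped by the entropy gate, while the random-looking API key on line 5 is kept; the two vendor-format rules need no entropy check because their prefixes are specific enough on their own.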
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.159. This release includes new features and enhancements.
Support for PHP project scanning
Endor Labs scans PHP projects and resolves dependencies by analyzing both composer.json and composer.lock files. Users can view finding policy violations and dependency graphs.
Using Endor Labs, users can gain significant insights into the structure and relationships of their PHP project’s dependencies, aiding in managing dependencies effectively, identifying potential issues, and ensuring a well-organized and maintainable codebase.
Support for Ruby private registry
In addition to scanning public Ruby projects and repositories, Endor Labs supports integration with private Ruby registries that are not publicly available. Users can configure this integration from Manage > Integrations > RubyGems. Endor Labs fetches the resources from the authenticated endpoints and performs the scan.
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.131. This release includes new features.
Support for Scala language scan
Endor Labs scans Scala projects by executing sbt plugins and inspecting the build.sbt file to retrieve information about direct and transitive dependencies.
Using Endor Labs, users can gain significant insights into the structure and relationships of their Scala project’s dependencies, aiding in managing dependencies effectively, identifying potential issues, and ensuring a well-organized and maintainable codebase.
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.117. This release includes new features and enhancements.
Support for .NET scan
Endor Labs uses the packages.lock.json file to monitor the packages for dependencies and discovers unresolved, resolved, direct, and transitive dependencies. Users can also view finding policy violations and dependency graphs.
Organizations can maintain secure .NET development and runtime environments while designing, coding, debugging, testing, and deploying complex C# projects and applications.
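What a packages.lock.json-based scan has to work with, as an added example that is not Endor Labs' own code: a parser that flattens the NuGet lock-file layout (dependencies grouped per target framework, each entry carrying a type, the requested range, the resolved version and a contentHash) into the direct, transitive and unresolved buckets named above, and additionally flags resolved packages that lack an integrity hash. The lock-file content below is constructed for the example.

```python
import json

# Constructed packages.lock.json content in the NuGet lock-file layout.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )",
                                "resolved": "13.0.1", "contentHash": "constructed-hash-1"},
            "Serilog": {"type": "Direct", "requested": "[2.12.0, )",
                        "resolved": "2.12.0", "contentHash": "constructed-hash-2"},
            "Microsoft.Extensions.Logging.Abstractions": {
                "type": "Transitive", "resolved": "6.0.0", "contentHash": "constructed-hash-3"},
            # A project reference inside the solution: no package version is resolved for it.
            "Example.Shared": {"type": "Project"},
        }
    }
})


def parse_packages_lock(text: str) -> list:
    """Flatten the lock file into one record per (target framework, package)."""
    doc = json.loads(text)
    records = []
    for framework, deps in doc.get("dependencies", {}).items():
        for name, info in deps.items():
            records.append({
                "framework": framework,
                "name": name,
                "type": info.get("type", "Unknown"),
                "requested": info.get("requested"),
                "resolved": info.get("resolved"),
                "content_hash": info.get("contentHash"),
            })
    return records


def summarize(records: list) -> dict:
    """Group packages the way a scan reports them; 'unresolved' means no resolved version."""
    return {
        "direct": sorted(r["name"] for r in records if r["type"] == "Direct"),
        "transitive": sorted(r["name"] for r in records if r["type"] == "Transitive"),
        "unresolved": sorted(r["name"] for r in records if r["resolved"] is None),
        # A resolved package without a contentHash cannot be integrity-checked on restore.
        "missing_hash": sorted(r["name"] for r in records if r["resolved"] and not r["content_hash"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_packages_lock(SAMPLE_LOCK)), indent=2))
```

The lock file records which packages are direct and which are transitive, but not which package pulled in a transitive one; building the dependency graph described above needs the per-package dependency metadata as well.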
Endor Labs extension for Visual Studio Code
Developers can now use Endor Labs directly from their Visual Studio Code’s Integrated Development Environment (IDE). The Endor Labs extension scans your repositories and highlights issues that may exist in the open-source dependencies.
The extension helps developers fix code at its origin phase and during the early stages of development. They can successfully perform early security reviews and mitigate the need for expensive fixes during later stages.
Use Python call graphs for vulnerability prioritization
Users can now use call graphs in Endor Labs application to analyze the dependencies and relationships among various functions in Python projects.
- Endor Labs generates the call graphs for your python projects and identifies functions or methods with known vulnerabilities or potential security issues.
- Users can examine the call graph to identify the functions that directly or indirectly call the vulnerable functions by tracing the paths of execution.
- Users can prioritize the vulnerabilities based on their severity, threat levels, and application importance.
Call graphs assist users in comprehending the potential consequences and enable them to prioritize the resolution of vulnerabilities that are more likely to result in additional exploitation.
EPSS probability filter for findings
Users can now use the new Exploit Prediction Scoring System (EPSS) probability filter on the Findings page to refine their findings search results by EPSS score range.
Users can now view the Jira tickets created for action policies in Manage > Notifications on the sidebar. Users can see specific information such as the status of tickets (whether they are open or closed), the associated action policy, and other important details. This aids in troubleshooting and in identifying both unresolved and resolved issues.
We are excited to introduce you to the latest version of Endor Labs and endorctl - v 1.5.104. This release comes with the following new features.
Integrate Endor Labs with Jira
Integrate Endor Labs with Jira and receive alert notifications for your action policies in your Jira accounts. With this integration, administrators can automate the process of generating Jira tickets within their organization’s existing security workflows.
Administrators can choose to raise bugs or create tasks in Jira and notify required people about any failures.
Set up SAML integration for Endor Labs
Set up SAML integration on Endor Labs, using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta, Microsoft Active Directory Federation Services (AD FS), Azure Active Directory (AD), Google, or OneLogin.
Administrators can use their organization's existing Single Sign-On (SSO) process and allow their users to seamlessly sign in to Endor Labs without providing credentials.
Support for Ruby language scan
Endor Labs monitors the packages for dependencies and discovers unresolved, resolved, direct, and transitive dependencies. Users will also be able to view finding policy violations and dependency graphs.
Endor Labs and endorctl version 1.5.43 includes:
- A portfolio level view of all findings across your repositories
- SARIF output format support for GitHub Integrations
- Custom identity provider claim requests to allow for custom attribute based access controls
- Support for Gradle version 8
- The ability to ask natural language questions of open source software via DroidGPT
- The ability to configure, enable and disable your organization's desired findings
A portfolio level view of all findings across your repositories
Organizations are now able to review all findings across their entire portfolio. Each project monitored by Endor Labs is aggregated into a global view of findings so that organizations can easily search for updates.
SARIF output format support for GitHub integrations
In CI pipelines, developers can now upload their findings to GitHub as a SARIF output. This means developers do not have to leave GitHub to review detailed results.
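The shape of the SARIF document such an upload carries, as an added example that is not Endor Labs' or endorctl's own output: a converter from a scanner's findings to SARIF 2.1.0 (tool driver with its rules, one result per finding with a level, message and a file location relative to the repository root) plus a small lint that catches the structural mistakes that make a SARIF file unusable, such as a result whose ruleId is not declared. The findings, rule ids, tool name and file paths are constructed for the example.

```python
import json

SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")

# Map a scanner's severities onto the SARIF result levels.
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed findings; rule ids, messages and paths are hypothetical.
FINDINGS = [
    {"rule_id": "reachable-vulnerability", "severity": "high",
     "message": "Vulnerable function in dependency is reachable from main()",
     "file": "go.mod", "line": 12},
    {"rule_id": "outdated-dependency", "severity": "low",
     "message": "Dependency is more than two major versions behind",
     "file": "go.mod", "line": 15},
]


def to_sarif(findings: list, tool_name: str = "example-scanner", tool_version: str = "0.0.0") -> dict:
    """Build a SARIF 2.1.0 log: every result's ruleId must appear in the driver's rules."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule_id"], {"id": f["rule_id"], "shortDescription": {"text": f["rule_id"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVELS.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},  # path relative to the repository root
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def lint_sarif(doc: dict) -> list:
    """Basic structural checks to run before uploading; returns a list of problems."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        known = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            if res.get("ruleId") not in known:
                problems.append(f"result references undeclared rule {res.get('ruleId')}")
            if res.get("level") not in ("error", "warning", "note", "none"):
                problems.append(f"invalid level {res.get('level')}")
            if "text" not in res.get("message", {}):
                problems.append("result without message text")
    return problems


if __name__ == "__main__":
    sarif = to_sarif(FINDINGS)
    assert lint_sarif(sarif) == []
    print(json.dumps(sarif, indent=2))
```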
Organizations can now ask natural language questions about open source software using DroidGPT. As part of Endor Labs' open source explorer, organizations can now ask questions like “What is the most secure package for json to csv conversion?”
Endor Labs and endorctl version 0.5.126 includes:
- Support for policy actions in CI pipelines (Beta)
- Environmental configuration checks for scanning
- Significant performance improvements
- Improved sorting and filtering for findings
Support for policy actions in CI pipelines (Beta)
Endor Labs now enables users to configure policies that return an error in CI pipelines. This allows users to fail CI checks when a policy is violated, enforcing organizational governance policy.
Endor Labs comes with out-of-the-box policy templates that enable teams to configure policies on known vulnerabilities and on outdated, unmaintained and unused software dependencies.
Environmental checks for scanning
Endor Labs now helps ensure that your machine is properly set up for scanning by providing inline configuration checks on commands. If your host is not properly configured or does not have the software required to perform a given scan or command, the endorctl command line utility will inform you.
Improved sorting and filtering for findings
Findings can now be filtered and displayed based on categories to help users better report on what they care about and focus their attention.
Supported categories include:
- Supply Chain Risk
- License Compliance
- Supply Chain Posture Management Risk
- General Security Risks
- General Operational Risks
Endor Labs and endorctl version 0.5.100 includes:
Endor Labs and endorctl version 0.5.80 includes:
- Support for GitLab and BitBucket source control repository scanning
- Support for Keyless Authentication in GCP with workload identity
- Previously, Endor Labs supported remote cloning of GitHub based repositories. This option has been removed. Only locally cloned repositories are supported.
Support for GitLab and BitBucket based repositories
Endor Labs now supports the ability to scan source control repositories hosted in GitLab and BitBucket.
Keyless Authentication for GCP
Endor Labs now supports the ability to leverage keyless authentication for workload identity federation in Google Cloud.
Endor Labs and endorctl version 0.5.50 includes:
- Support for parallel language scanning
- Identification of potential typos in dependencies
- Support to export Vulnerability Exploitability eXchange (VEX) data for packages
- Dependency License Identification
- Support for user authorization roles
Parallel Language Scanning Support
Endor Labs now supports the ability to scan different languages in parallel to accelerate scan speed and performance.
Identification of potential typos in dependencies
Endor Labs now supports the ability to monitor and alert on dependencies imported as typos of much more widely used dependencies in your environment.
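One way to implement the typo check described above, as an added example that is not Endor Labs' own detection logic: normalize declared dependency names, then flag any name that is within a small optimal-string-alignment (Damerau-Levenshtein) distance of a widely used package without being that package. This catches the classic swapped-letter and dropped-letter variants. The list of popular packages and the declared dependencies are constructed for the example; a real check would use per-ecosystem download statistics.

```python
def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def normalize(name: str) -> str:
    """Fold the variations ecosystems treat as equivalent so they are not reported as typos."""
    return name.lower().replace("_", "-")


# Constructed list of widely used package names; a real check would use ecosystem download data.
POPULAR = ["requests", "urllib3", "numpy", "python-dateutil", "lodash", "express"]


def find_typo_candidates(declared: list, popular: list = POPULAR, max_distance: int = 1) -> list:
    """Report declared names that nearly match a popular package but are not that package."""
    popular_by_norm = {normalize(p): p for p in popular}
    candidates = []
    for dep in declared:
        n = normalize(dep)
        if n in popular_by_norm:
            continue  # it is the popular package itself
        for pn, original in popular_by_norm.items():
            dist = osa_distance(n, pn)
            if dist <= max_distance:
                candidates.append({"dependency": dep, "resembles": original, "distance": dist})
    return candidates


# Constructed manifest: two near-misses of popular names among legitimate dependencies.
DECLARED = ["requests", "reqeusts", "urlib3", "numpy", "colorama"]

if __name__ == "__main__":
    for c in find_typo_candidates(DECLARED):
        print(c)
```

The distance threshold is deliberately small: at distance 2 or more, short package names start colliding with unrelated legitimate packages, so a production check pairs the distance with the popularity gap between the two names rather than relying on distance alone.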
Export Vulnerability Exploitability eXchange (VEX) for packages
Endor Labs now enables software producers to export VEX documents with automated triage of unreachable vulnerable functions to support software consumer vulnerability triage efforts.
Dependency license identification support
Endor Labs now identifies the license associated with each software dependency, for open source license management.
Endor Labs now comes with out-of-the-box authorization roles for platform users. Authorization roles include:
- Policy Editor - The policy editor role allows users to edit policy.
- Code Scanner - The code scanner role allows users with this permission to scan code. This is the minimum role for a CI/CD based service account.
- Read-only - The read-only permission gives users full read-only access to Endor Labs.
- Admin - The Admin permission gives users full read and write access to Endor Labs.
Major Bug Fixes Resolved in version 0.5.50
- Previously, Endor Labs failed to scan a repository and identify packages within a repository if the repository was cloned with a shallow git clone. This has been addressed in 0.5.50.
Endor Labs and endorctl version 0.5.40 includes:
- Support for EAR and WAR File scanning for Maven
- Fat/Uber JAR support for Maven
- Vulnerable function reachability analysis
- Call path visualizations for findings
Enhanced Java Scanning Support
When scanning Java based web applications using EAR, WAR and Uber JAR files, Endor Labs now builds a bill of materials for these packages and is able to successfully perform static analysis for vulnerability prioritization.
Vulnerable function reachability analysis
Endor Labs now identifies if a vulnerable function associated with a known vulnerability is reachable through static analysis in a provided Java package.
Call Path Visualizations
Endor Labs will now display reachable function paths to dependencies and functions associated with known vulnerabilities.
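The reachability analysis and call path display described here, and the Python call graph prioritization described in the 1.5.117 notes above, as an added example that is not Endor Labs' own analysis: a breadth-first search over a call graph from the application's entry points to each function named in an advisory, returning the shortest caller-to-callee chain when one exists, and a prioritization that ranks reachable findings ahead of unreachable ones before falling back to severity and EPSS. The call graph, function names, advisory ids and scores are constructed for the example.

```python
from collections import deque

# Constructed call graph: caller -> set of callees. The qualified names are
# hypothetical; a real scan derives the graph from the resolved packages.
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render"},
    "app.handle_upload": {"imglib.parse", "app.store"},
    "imglib.parse": {"imglib.decode_header"},
    "imglib.decode_header": {"imglib.read_chunk"},
    "app.render": {"tmpl.render_string"},
    "tmpl.render_string": set(),
    "app.store": set(),
    "imglib.read_chunk": set(),
    "tmpl.unsafe_eval": set(),  # shipped with the dependency but never called by the app
}

# Constructed advisory data keyed by vulnerable function; ids and scores are placeholders.
VULNERABLE = {
    "imglib.read_chunk": {"advisory": "CVE-XXXX-YYYY (placeholder)", "severity": "high", "epss": 0.42},
    "tmpl.unsafe_eval": {"advisory": "CVE-XXXX-ZZZZ (placeholder)", "severity": "critical", "epss": 0.91},
}


def shortest_call_path(graph: dict, start: str, target: str):
    """Breadth-first search; returns the shortest caller->callee chain or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for callee in graph.get(node, ()):
            if callee not in prev:
                prev[callee] = node
                queue.append(callee)
    return None


def reachability_report(graph: dict, entry_points: list, vulnerable: dict) -> dict:
    """For each vulnerable function, record whether any entry point reaches it and the shortest path."""
    report = {}
    for fn, meta in vulnerable.items():
        paths = [p for p in (shortest_call_path(graph, e, fn) for e in entry_points) if p]
        report[fn] = {**meta, "reachable": bool(paths), "path": min(paths, key=len) if paths else None}
    return report


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def prioritize(report: dict) -> list:
    """Reachable findings first, then by severity, then by EPSS probability."""
    return sorted(
        report,
        key=lambda fn: (report[fn]["reachable"], SEVERITY_RANK.get(report[fn]["severity"], 0), report[fn]["epss"]),
        reverse=True,
    )


if __name__ == "__main__":
    result = reachability_report(CALL_GRAPH, ["app.main"], VULNERABLE)
    for fn in prioritize(result):
        print(fn, "reachable" if result[fn]["reachable"] else "unreachable", result[fn]["path"])
```

Note that the critical-severity advisory ends up second: its function is present in the dependency but has no call path from the application, which is exactly the distinction the call path view lets a user confirm before spending time on a fix.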
Endor Labs and endorctl version 0.5.31 includes:
- The ability to export a Software Bill of Materials (SBOM) for a specified software package
- Windows support for endorctl
- Beta support for Gradle with Java
- Authorization Policies for enhanced access control with Endor Labs
Support for exporting SBOMs
SBOMs may now be generated for any supported software package that you create in CycloneDX format. Endor Labs supports XML and JSON formats for CycloneDX and by default exports in CycloneDX 1.4.
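The CycloneDX 1.4 JSON layout for both the SBOM export described here and the VEX export from the 0.5.50 notes above, as an added example that is not Endor Labs' own exporter: components carry a purl that doubles as their bom-ref, and each vulnerability entry points at a component through affects.ref and carries an analysis block. Where reachability analysis found no call path, the analysis is state not_affected with justification code_not_reachable, which is the machine-readable form a consuming organization can filter on. A check for dangling references is included because a VEX statement that names a bom-ref missing from the SBOM cannot be matched by the consumer. Components, advisory ids and reachability results are constructed for the example.

```python
import json

# Constructed components; the purl doubles as the bom-ref that vulnerabilities reference.
COMPONENTS = [
    {"type": "library", "bom-ref": "pkg:pypi/imglib@1.2.0", "name": "imglib",
     "version": "1.2.0", "purl": "pkg:pypi/imglib@1.2.0"},
    {"type": "library", "bom-ref": "pkg:pypi/tmpl@3.0.1", "name": "tmpl",
     "version": "3.0.1", "purl": "pkg:pypi/tmpl@3.0.1"},
]

# Constructed triage input, one row per (advisory, component); advisory ids are placeholders.
TRIAGE = [
    {"id": "CVE-XXXX-YYYY", "component": "pkg:pypi/imglib@1.2.0", "severity": "high",
     "function": "imglib.read_chunk", "reachable": True},
    {"id": "CVE-XXXX-ZZZZ", "component": "pkg:pypi/tmpl@3.0.1", "severity": "critical",
     "function": "tmpl.unsafe_eval", "reachable": False},
]


def vex_analysis(row: dict) -> dict:
    """CycloneDX 1.4 analysis block; an unreachable function becomes a not_affected statement."""
    if row["reachable"]:
        return {"state": "exploitable",
                "detail": f"{row['function']} is reachable from application code"}
    return {"state": "not_affected", "justification": "code_not_reachable",
            "detail": f"{row['function']} is not called from application code"}


def build_cyclonedx(components: list, triage: list) -> dict:
    """Assemble an SBOM with an embedded VEX section in CycloneDX 1.4 JSON."""
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": components, "vulnerabilities": []}
    for row in triage:
        bom["vulnerabilities"].append({
            "id": row["id"],
            "ratings": [{"severity": row["severity"]}],
            "affects": [{"ref": row["component"]}],
            "analysis": vex_analysis(row),
        })
    return bom


def dangling_refs(bom: dict) -> list:
    """Advisory ids whose affects.ref names no component in the SBOM."""
    refs = {c["bom-ref"] for c in bom["components"]}
    return [v["id"] for v in bom["vulnerabilities"] for a in v["affects"] if a["ref"] not in refs]


def actionable(bom: dict) -> list:
    """What a consumer is left with after applying the VEX: ids not marked not_affected."""
    return [v["id"] for v in bom["vulnerabilities"] if v["analysis"]["state"] != "not_affected"]


if __name__ == "__main__":
    document = build_cyclonedx(COMPONENTS, TRIAGE)
    assert dangling_refs(document) == []
    print(json.dumps(document, indent=2))
```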
Windows Support for endorctl
Endor Labs now supports Windows for the endorctl binary. This allows Windows users who previously used the Endor Labs Docker image to migrate to a supported binary on their native platform.
Support for Gradle
Endor Labs now supports Gradle 7 and above as a build tool for Java packages. Java packages using Gradle 7 or above can now successfully have their dependencies resolved and generate call graphs for their packages.
Endor Labs users can now set granular authorization policies for each supported identity provider. Users may now specify a unique user identity such as a GitHub handle or Gmail e-mail address to authorize users. Authorization rules may also be timeboxed to ensure that a user only has access to Endor Labs for a predefined time period.
Prior to this, new users could only be authorized by sending them an e-mail invitation to the platform.
Major Bug Fixes Resolved in version 0.5.31
Release date: 28 October, 2022
- Previously, some packages failed dependency resolution due to a nil pointer exception. This resolution error has been addressed.
- Previously, when filtering findings based on their attributes filters only respected the current page being searched on. This issue has now been addressed.
- Previously, some findings that had an upstream patch available were displayed as having a fix unavailable. This issue has been addressed.