### v26.5.11 (2026-05-11)

#### New Functionality

- **Analysis**
  - Extended AUTOSAR component enumeration to raw binaries. (#4378)

#### Fixes

- **Components**
  - Updated alias for GTK. (#4902)
- **Extraction**
  - Fixed extraction errors for newer Dahua firmware images. (#4800)

### v26.5.6 (2026-05-06)

#### New Functionality

- **UI**
  - Added User CVE DB for creating and managing custom CVEs. Use this to extend vulnerability coverage with regional databases (such as CNVD or EUVD) or with proprietary findings from internal security research. (#4347)
- **Analysis**
  - Added file categorization for DL2 archives. (#4792)
- **Docs**
  - Added documentation for User CVE DB. (#4821)

#### Fixes

- **API**
  - Fixed API returning 403 Forbidden instead of 404 Not Found for inaccessible resources. (#2358)
  - Fixed API returning 500 Internal Server Error for malformed requests. (#4581)
- **Components**
  - Fixed false positive WolfSSL and MbedTLS detections. (#4856)
  - Fixed incorrect Mozilla NSS component detection rule. (#4867)
  - Added missing CPE for libxml2. (#4863)
  - Fixed incorrect version detection for libidn2. (#4873)
- **Extraction**
  - Fixed extraction error for Rockchip RKAF firmware images. (#4861)
- **UI**
  - Fixed long filter names pushing the delete button out of view. (#4850)
  - VEX import now correctly shows pending assessment overrides as OLD data → NEW data. (#4866)
  - Moved the vulnerability assessment edit button closer to the form content. (#4678)
  - Expert review request popups no longer show up automatically. (#4691)
  - Fixed password reset emails containing a link that had already expired when opened. (#4891)
  - Fixed typo in error message for firmware with too many files.

### v26.4.27 (2026-04-27)

#### New Functionality

- **Components**
  - Added Package URLs (purls) for AUTOSAR components for more accurate vulnerability matching.
- **Extraction**
  - Added support for: (#4849)
    - Intel Code Partition Directory ($CPD)
    - Intel PSE (Programmable Services Engine) firmware

#### Fixes

- **Analysis**
  - Fixed analysis failures caused by component override conflicts. (#4782)
- **Extraction**
  - Fixed S-Record extraction for files missing the optional header. (#4793)

### v26.4.23 (2026-04-23)

#### New Functionality

- **Analysis**
  - Added Automated Impact Assessment rules for Zephyr OS, reducing false positive CVEs for unused modules. (#4815)
- **Extraction**
  - Added support for: (#4656, #4627)
    - QNX FileSystem for Safety (QTD, QSAFEFS, QCFS)

#### Fixes

- **Analysis**
  - Fixed analysis failures on VxWorks ELF files. (#4790)
  - Fixed analysis failures triggered by high memory consumption during extraction stage. (#4859)
  - Reduced false positive RTOS component detections by improving duplicate component filtering. (#4721, #4815)
- **Components**
  - Fixed incorrect CPEs for pyyaml and libyaml. (#4824)
  - Fixed false positive Linux Kernel detections in firmware compiled with Intel C++. (#4861)

### v26.4.20 (2026-04-20)

#### New Functionality

- **Analysis**
  - Extended binary static code analysis to cover RTOS ELF files. (#4162)
- **API**
  - Added `cve.cwe` OQL field for querying CWE information. (#4836)
- **Components**
  - Added component detection for: (#4817, #4758, #4830)
    - MCUboot
    - nRF Connect SDK
    - STM32Cube
    - Qualcomm SoCs (for example: SA8155P, SA8295P)

#### Fixes

- **Analysis**
  - Reduced the number of hardcoded credential false positives by lowering severity for template placeholder values (for example, `{{password}}`, `${variable}`). (#4670)
  - Fixed analysis failures on firmware with non-standard device tree node structures. (#4832)
- **Components**
  - Improved component detection for BlueZ. (#4823)
  - Fixed X.Org Server version detection by separating xinput into its own component. (#4802)
- **Extraction**
  - Fixed extraction error when processing firmware images with empty file entries. (#4834)
  - Fixed analysis failures triggered by high memory consumption during extraction stage. (#4762)
- **UI**
  - Fixed links not working for some alternative CVE IDs. (#4789)

### v26.4.6 (2026-04-06)

#### Fixes

- **Analysis**
  - Fixed duplicate component detections for ESP firmware. (#4719)
  - Reduced false positive cryptographic library detections on RTOS firmware. (#4721)
- **API**
  - Fixed manual severity overrides being reset to the default calculated value on reanalysis. (#4715)
- **Components**
  - Fixed incorrect Zephyr OS version detection. (#4805)
- **Extraction**
  - Fixed extraction size limit errors on Android firmware with dynamic partitions. (#4812)

### v26.3.30 (2026-03-30)

#### Fixes

- **Extraction**
  - Fixed extraction error when processing Xilinx FSBL images with no valid entries. (#4784)

### v26.3.26 (2026-03-26)

#### New Functionality

- **Analysis**
  - Added the Open Source Vulnerabilities (OSV) database for vulnerability matching, expanding coverage for open source components. (#4349)
  - Added file categorization for QNX IFS4, IFS6, and QSAFEFS filesystem types. (#4780)
- **Reporting**
  - Report configurations now support OQL mode, letting you use [OQL queries](https://docs.onekey.com/oql/) to precisely filter which issues and CVEs appear in a report using the full [CVEMatch](https://docs.onekey.com/oql/fields/#cvematch) and [Issue](https://docs.onekey.com/oql/fields/#issue) field sets. (#3991)

#### Fixes

- **Analysis**
  - Reduced the number of binary static code analysis false positives by recognizing `docker images` output as non-controlled input. (#4761)
  - Fixed analysis getting stuck during scheduled monitoring. (#4677)
- **Components**
  - Improved version detection for: (#4766, #4805)
    - QNX
    - QNXHypervisor
    - Zephyr OS
  - Added alias and CPE for CMSIS-RTOS RTX. (#4756)

### v26.3.23 (2026-03-23)

#### Fixes

- **Analysis**
  - Improved extended component detection rules to reduce wrong version matches. (#4690)
  - Reduced the number of binary static code analysis false positives by extending the list of recognized memory allocation functions.
  - Fixed Android version detection when property files contain non-UTF-8 characters. (#4723)
  - Reduced the number of binary static code analysis false positives by extending the list of non-controlled environment variables. (#4765)
- **Extraction**
  - Fixed QNX IFS4 extraction for images with ELF startup code. (#4772)
  - Fixed analysis failures caused by image extraction errors. (#4788)
- **UI**
  - Improved the handling of vulnerability aliases: (#4789)
    - Renamed **Aliases** to **Ids** in CVE details.
    - Each **Ids** entry now links to the correct external database page for that identifier.
    - CVE ID column search now also matches against alternative identifiers.
    - Copy assessment and VEX import now match vulnerabilities against all alternative identifiers.
  - Fixed an error when saving a new analysis configuration with fields left at their default values. (#4791)
  - Added a warning when selecting the Loose extended component detection level about its high false positive rate. (#4778)
  - Fixed custom issue names not displaying correctly in drawer titles, dialog titles, and issue tables. (#4777)

### v26.3.11 (2026-03-11)

#### New Functionality

- **API**
  - Added `/logout` endpoint for token revocation. (#4573)
- **Components**
  - Added support for Apache NuttX RTOS. (#4589)
- **Docs**
  - Added "What's new" page to the documentation.
- **UI**
  - CVE details now include the following additional fields (where available), also exposed as table columns and in exports: (#4345)
    - CVSS 4.0 scores
    - Disputed and withdrawn status (with dates)
    - Exploited since date
    - Alias, upstream, and related vulnerability IDs
    - Summary
  - You can now click the component name in the CVE details header to open the Component Details panel. (#4345)

#### Fixes

- **Analysis**
  - Fixed false positive component version detection for Apparmor and libzmq. (#4732)
- **API**
  - Fixed `CertificateRSAPublicExponentIssue.exponent` field to support large values. (#4724)
- **Extraction**
  - Fixed extraction error when extracting multi-file VMDK images. (#4698)
  - Fixed QNX IFS4 extraction for images without a startup header. (#4767)
- **UI**
  - Fixed Analysis Profile form appearing unsaved after setting partial CVSS values. (#4743)
  - Fixed automatic Analysis Profile rule creation for issues with credential type parameter. (#4747)
  - Fixed OQL editor suggestions to show appropriate operators based on field type. (#4763)
  - Fixes for the analysis configuration tooltip:
    - The tooltip on the Firmware Info page no longer shows stale data after saving a configuration change. (#4729)
    - Some locations were missing the **Intelligent deletion** field.
  - The success popup no longer blocks the CVE ID when saving a vulnerability assessment. (#4679)

### v26.3.3 (2026-03-03)

#### New Functionality

- **Docs**
  - Expanded [CI/CD integration](https://docs.onekey.com/integration-guide/ci-cd-integration/) and [REST and GraphQL APIs](https://docs.onekey.com/integration-guide/api-guides/) guides with detailed examples and best practices; created a separate page for the [ONEKEY Python Client](https://docs.onekey.com/integration-guide/python-client/). (#4602)
- **Extraction**
  - Added support for multi-file VMDK images. (#4698)
- **UI**
  - You can now download public keys and PEM certificates from the issue details panel. (#4660)
  - Added **Intelligent Deletion** to Analysis Configurations (**Configuration** → **Analysis Configurations**). When enabled (on by default), intermediate container files are deleted after extraction to reduce disk usage. Files removed by this setting show a disabled download button with a tooltip explaining how to reconfigure. (#659)

#### Fixes

- **Analysis**
  - Fixed component version detection for ELF files with non-zero load addresses. (#4726)
  - Reduced the number of binary static code analysis false positives by recognizing `ip`, `wl`, and `tracert_start` output as non-controlled input. (#4671)
- **UI**
  - Fixed missing Extended Component Detection settings on the Analysis Configuration page for users without the 'Edit analysis configuration' permission. (#4730)
  - Fixed private keys not loading in the file details panel. (#4608)
  - Updated privacy policy with current company info. (#4674)

### v26.2.16 (2026-02-16)

#### New functionality

- **Docs**
  - Extended the [Use filters](https://docs.onekey.com/platform-guide/how-to/filter-cves/) guide (formerly called "Filter out non-relevant CVEs") with additional examples and techniques. (#4605)
- **UI**
  - You can now use [OQL](https://docs.onekey.com/oql/) search on the Issues page (Firmware analysis view). (#4389)
  - The automatic Analysis Profile rule creation window – which appears after a bulk vulnerability assessment update – now includes severity, justification, vendor response, SSVC, and CVSS3 environmental score fields. (#4600)

#### Fixes

- **Analysis**
  - Reduced the number of binary static code analysis false positives by recognizing `uuidgen` output as non-controlled input. (#4626)
- **API**
  - Fixed product lookup during firmware upload to include `vendor`, preventing incorrect product matching when products share names. (#4667)
- **UI**
  - Fixed crash in the static code viewer when stepping between issues with different statement counts.
  - Fixed crash on user, user group, and product group creation forms when data was not yet loaded.
  - Fixed report configuration changes not appearing immediately after editing. (#4694)
  - Fixed delete confirmation dialogs allowing multiple clicks, which caused false error messages. (#4645)
  - Added human-readable labels for hardcoded issues in the issue details view. (#4610)
  - Issue and Component details drawers now remember the selected tab when navigating between items. (#4650)
  - Updated Legal Notice with current company info. (#4674)

### v26.2.4 (2026-02-04)

#### New functionality

- **Analysis**
  - Added file categorization for QNX QFS filesystems. (#4642)
  - Added architecture detection for Xtensa and Tricore. (#4594, #4642)
- **UI**
  - You can now extend component detection with fuzzy matching rules. Enable extended rules under **Configuration** → **Analysis Configurations**. (#4637)

#### Fixes

- **Analysis**
  - Fixed incorrect security hardening detection for QNX executables. The NX (No Execute) protection status is now correctly identified. (#4647)
  - Fixed dangerous service launch issues reporting different severities depending on detection method. All detections now report MEDIUM severity. (#4618)
- **API**
  - Improved OQL error messages when using incorrect field syntax. Error messages now suggest the correct field names to use. (#4338)
- **Component**
  - Improved component detection for QNX. (#4642)
- **Compliance**
  - Updated EU Cyber Resilience Act provisions to align with the final version published in October 2024.
- **Extraction**
  - Fixed ESP-IDF chunk end offset calculation during extraction. (#4594)
- **UI**
  - Added reset button when CVE table encounters an error, allowing you to recover from invalid queries without reloading the entire page. (#4388)
  - Fixed OQL help dropdown not fitting on small screens. (#4388)

### v26.1.28 (2026-01-28)

#### New functionality

- **Compliance**
  - Updated ETSI compliance guideline to version 3.1.3. (#3903)
- **Components**
  - Added component detection for: (#4632)
    - TINET (TOPPERS RTOS)
    - ASP (TOPPERS RTOS)
- **Docs**
  - Added a comprehensive guide on [writing GraphQL queries](https://docs.onekey.com/platform-guide/how-to/write-graphql-queries/) with real-life examples. (#4446)
- **Extraction**
  - Added support for: (#4590, #561)
    - ESP-IDF
    - F2FS
    - Multi-volume Android sparse files
- **UI**
  - You can now use [OQL](https://docs.onekey.com/oql/) search on the CVEs page (Firmware analysis view). (#4388)
  - The Compliance Overview page now uses a drawer-style panel to display CVE and issue tables. (#4596)

#### Fixes

- **Analysis**
  - Fixed SBOM import to include components with nested hierarchy; subcomponents are now added as standalone components. (#4498)
  - Extended Android version detection and Automated Impact Assessment to support Quarterly Platform Releases (QPR). (#4593)
  - Reduced the number of hardcoded QNX hash false positives by strengthening salt validation. (#4607)
  - Fixed OpenSSL CVE detection to exclude documentation files. (#4569)
  - Fixed yescrypt hash being detected as plaintext hash. (#4628)
  - Reduced the number of binary static code analysis false positives by: (#4626)
    - Improving handling of Union data types in decompilation.
    - Fixing pipe command pattern matching in non-controlled command detection.
    - Adding syscfg and configuration files to controlled paths.
    - Improving detection of commands passed through string copy functions.
    - Extending filters for file stream handling functions.
- **API**
  - The `fixes` field (`CVEMatch` type) is now calculated during analysis and stored in the database for improved performance. Firmware analyzed before this release has empty `fixes` data; reanalyze the firmware to generate it (if needed). (#4344)
  - Firmware deletion can no longer block other operations, such as uploading firmware. (#4274, #3607, #4266)
  - Fixed expired monitoring cleanup preventing other modifications on the tenant. (#4651)
- **Components**
  - Improved component detection for U-Boot. (#4635)
- **Extraction**
  - Improved Motorola S-Record pattern recognition. (#4632)
- **Reporting**
  - Fixed report generation failures caused by invalid HTML content. (#4565)
- **UI**
  - Issue details panel updates: (#4551)
    - Added Documentation tab showing issue descriptions, mitigation steps, and CWE information.
    - Added code viewer for issues with line numbers.
    - Certificate issues now show additional fields (key type, key length, exponent, version, signature details) and include OpenSSL Output and PEM Format tabs.
    - Private key issues now show key type and key size, and include Private Key and Public Key tabs.
    - ELF issues now display ELF file information.
  - Fixed ONEKEY logo not displaying correctly in ETSI compliance bundle reports and the GraphQL documentation.
  - Fixed VEX import to correctly handle component data in both relaxed and strict modes. (#4648)

### v26.1.12 (2026-01-12)

#### New functionality

- **Analysis Profile**
  - You can now update all vulnerability fields using Analysis Profile, including severity, justification, vendor response, SSVC, and CVSS3 environmental scores. (#4327)
- **Components**
  - Added component detection for: (#4542)
    - jpegtoavi
    - jquery-blockui
    - jquery-migrate
    - jquery-translate
- **UI**
  - Added support for CycloneDX 1.7 SBOM exports (both `.xml` and `.json`). (#4532)
  - The vulnerability management form now displays the original severity for CVEs and issues, so you can see if severity has been overridden. This information is also available through the API. (#4400)

#### Fixes

- **Analysis**
  - Improved blob extraction for large firmware images, reducing extraction time.
  - Improved architecture detection of AVR8 (8-bit AVR microcontroller) RTOS firmware. (#4552)
  - Improved the detection of hardcoded QNX hashes. (#4416)
  - Improved error handling for failed AXML (Android XML) unpacks. (#4553)
  - Improved detection of Debian packages by correctly handling multi-arch settings. (#4584)
  - Fixed duplicate CPE detection for the **libyaml** and **pyyaml** components. (#4597)
  - Reduced the number of command injection false positives by recognizing type casts as input sanitization in PHP code. (#4592)
  - Improved ARM 32-bit architecture detection in RTOS firmware. (#4433)
- **Components**
  - Improved component detection for: (#4542)
    - OpenSSL
    - stunnel
    - OpenLDAP
    - bootstrap
- **UI**
  - Fixed OQL auto-completion treating trailing operators as partial words, which caused incorrect suggestions after typing operators like `=`. (#4586)
  - Added tooltips to the vulnerability assessment form explaining **Impact Assessment**, **Severity override**, **Environmental CVSS**, and **SSVC**. (#4561)
  - You can now find additional resources (such as documentation, what's new, changelog) in the header section, under the help icon (?). (#4496)
  - Fixed tooltips in the **SSVC** and **Environmental CVSS** assessment forms going off-screen and getting clipped in the vulnerability assessment panel. (#4562)
  - Fixed VEX import crash for CycloneDX files missing the `vulnerabilities` field. (#4609)

### v25.12.15 (2025-12-15)

#### New functionality

- **Components**
  - Added component detection for: (#4542)
    - tree
    - sblim-sfcb
    - nss-mdns
    - jquery-ui
    - libuv
    - cracklib
    - cJSON
    - bootstrap CSS/JS library
- **Extraction**
  - Added support for JAR pack200. (#4542)

#### Fixes

- **Analysis**
  - The platform now detects and reports WiFi passwords in your network configuration files as hardcoded account password issues. (#4544)
  - Improved Zephyr OS RTOS detection. (#4517)
- **API**
  - Fixed email sending to work with stricter SMTP servers. (#4255)
- **Components**
  - Improved component detection for fuse and U-Boot. (#4542, #4516, #4585)
  - Updated aliases for:
    - Python (python standard library, python3.10, python3.9)
    - coreutils (gnu coreutils)
- **Extraction**
  - Improved MBR/GPT extraction so that the bootloader segment hidden in 'EFI PART' is now carved out next to the partitions. (#4585)
- **Reporting**
  - Replaced old logo with the current one in the generated reports. (#4431)
- **UI**
  - Fixed inconsistent timestamps for last analyzed time across the platform. The analysis start time is now displayed everywhere; filtering by time range also uses the analysis start time. (#4518)
  - Selecting a CVE to open its details panel no longer clears other selected CVEs in the table view. Selections now remain active while viewing CVE details. (#4560)

### v25.12.8 (2025-12-08)

#### New functionality

- **Analysis**
  - The platform now detects and reports Linux plaintext passwords as hardcoded account password issues – for example, those found in `/etc/passwd`. (#4543)

#### Fixes

- **API**
  - Fixed certificate-related OQL fields not being queried in security issues involving certificates. Analysis Profile rules are now correctly applied to these cases as well. (#4479)
  - Reworked how the platform queues analyses to reduce the wait time before analyses start. (#4282)
- **Component**
  - Improved component detection for:
    - jQuery (#4537)
    - Ncurses (#4566)
    - libnetsnmp (#4539)
    - json-c (#4538)
- **UI**
  - Added the missing **RTOS** and **QNX** tags in component editing. (#4567)
  - Fixed the platform displaying incorrect information when it found multiple components with the same name but with different possible versions. The correct information is now shown for each entry. (#4568)
  - Fixed search result highlighting not working in OQL mode on the Files → Folder Structure page. (#4511)
  - Fixed the Component dependencies graph crashing when a component contained a `:`. (#4582)

### v25.12.1 (2025-12-01)

#### Fixes
- **Analysis**
  - Fixed analysis failure during peripheral enumeration. (#4506)
- **UI**
  - The platform now remembers manually set sizes for details panels (e.g., CVE details) and vulnerability assessment forms. (#4464)
  - Improved behavior for closing details panels by clicking outside. (#4399)
  - Fixed tooltip rendering errors within details panels. (#4399)
  - Component names now display correctly during loading. (#4399)
- **Reporting**
  - Fixed CycloneDX SBOM extraction failures by including possible component versions. (#4541)

### v25.11.26 (2025-11-26)

#### New functionality
- **VEX Import**
  - You can now import a VEX file and automatically update multiple CVE assessments at once. Supported formats: CycloneDX JSON, OpenVEX JSON, CSAF JSON. (#2592)

#### Fixes
- **Analysis**
  - Reduced the number of false positives for format string issues and fixed analysis results unexpectedly varying between repeated runs. (#4482)
- **Components**
  - Renamed components: (#3825)
    - libsemanage-common to libsemanage
    - jquery to js:jquery
    - inflect to python:inflect
    - rdflib to python:rdflib
    - wheel to python:wheel
    - libaudit-common to audit
  - Merged components: (#3825)
    - dirmngr into gpg
    - dmsetup into lvm2
    - xxd into vim
    - bootlogd into sysvinit
  - Updated aliases for: (#3825)
    - GNU libiconv
    - GNU Midnight Commander
    - GNU Zebra
  - Updated CPEs and license information for a large number of components. (#3825)
- **UI**
  - You can now search on the Files → ELF Dependencies page (in both Basic and OQL search modes). (#4511)
  - Fixed search result highlighting not working on the Files → Folder Structure page. (#4511)

### v25.11.20 (2025-11-20)

#### New functionality
- **Components**
  - Added component detection for: (#4499)
    - iputils
    - libsamplerate
    - libsndfile
    - libsolv
    - sysfsutils
- **UI**
  - You can now use [OQL](https://docs.onekey.com/oql/) search in the global CVEs page (Search in → CVE). (#4333)

#### Fixes
- **Analysis**
  - Improved CVE reduction rules for Android firmware. (#4462)
  - Fixed static code analysis of shell scripts resulting in partial analysis results. (#4521)
  - Fixed analysis failure during the executable enumeration step. (#4530)
  - Improved detection of stack buffer overflow security issues (binary static code analysis). (#3768)
  - Improved Zephyr OS RTOS detection. (#4517)
  - Fixed analysis getting stuck during the component enumeration step. (#4509)
  - Improved JAR package enumeration. (#4481)
- **API**
  - Fixed overridden severity scores not being considered when using the `issueCount` or `cveMatchCount` functions. (#4425)
- **Components**
  - Improved component detection for QNX and GNU binutils. (#4416, #4515)
  - Updated CPEs for: (#4499)
    - unzip/zip
    - setserial
    - libavformat
  - Updated aliases for: (#4499)
    - Qt
    - aseqdump
    - bluez5
    - glibc-locale
    - gstreamer1.0
    - libinput
    - libogg
    - libpam
    - libusb1
    - libx11-compose-data
    - opkg-arch-config
    - orc
    - shadow-securetty
    - u-boot-ktn
    - can-utils
    - unzip/zip
    - ntpstat
    - dbus
  - Updated license information for: (#4499)
    - dbus
  - Merged components:
    - libgcc and libstdc++ (#4499)
    - dhcpd and dhclient
    - squashfs and squashfs-tools
    - dtc and Device Tree Compiler
    - acl and getfacl/setfacl
    - xz-utils and liblzma
- **Extraction**
  - Fixed extraction failure for QNX IFS6 firmware images. (#4417)
- **Reports**
  - Fixed issue severities missing from the "4.1.2 Issue Summary" section of generated reports.
- **UI**
  - CVE and security issue counters (for example, on the Analysis Overview page) now take overridden severity scores into account. (#4425)
  - Removed the **Audit history** button from CVE/Issue tables. To view the audit history, click a CVE or Issue to open its details panel, then select the **Audit trail** tab. (The Audit trail tab appears only for vulnerabilities with previous status, comment, or assessment changes.)
  - Introduced a display limit of **150,000 files** on the Extraction page. If the firmware contains more files than the limit, the platform now shows an error message. (#4394)
  - Fixed the CVE details panel not opening when accessed from the Compliance Overview page. (#4536)

### v25.11.12 (2025-11-12)

#### New functionality
- **Reports**
  - Generated SPDX SBOM exports now include component dependencies. (#4487)
- **UI**
  - Most popups now appear in the new drawer style. (#4399)

#### Fixes
- **API**
  - Fixed overridden severity scores not being applied when querying security issues or CVEs. (#4425)

### v25.11.10 (2025-11-10)

#### New functionality
- **Components**
  - Added component detection for: (#4420, #4471)
    - bacnet
    - libbpf
    - libasyncns
    - LibOpenCL
    - lerc (Limited Error Raster Compression)
    - lcms2
    - LAME (Ain’t an MP3 Encoder)
    - keyd (keyboard remapping daemon)
    - libJudy
    - jpeg-xl
    - jemalloc
    - libhwy
- **Reports**
  - Generated CycloneDX SBOM exports now include component dependencies. (#4487)

#### Fixes
- **Analysis**
  - Improved CVE detection in Go packages. (#4289)
  - Improved component version detection for stripped functions. (#4420)
  - Fixed components in multi-partitioned Debian-based images not being detected due to a package enumerator filtering issue. (#4477)
  - Improved component and version detection for ESP-IDF RTOS firmware images. (#4497)
  - Fixed unexpected component analysis failures. (#4489)
- **Components**
  - Improved component detection for: (#4420)
    - EtherCAT Master Stack
    - OpenSC
    - NSS
    - Less
    - Kerberos
    - JsonGlib
    - Jq
    - Libjbig
    - Jack2
    - Iptables
    - Iproute2
    - Inotifytools
    - Info-Zip
    - Libharfbuzz
    - GNUGzip
    - Libgtk
    - libgrpc
    - Gstreamer
- **UI**
  - After changing the status of a vulnerability from open to closed, the CVE overview table in the relevant Details panels (e.g., File Details, Component Details) now refreshes automatically. (#4467)
  - Fixed embedded table filters causing drawer-style panels to close unexpectedly. (#4504)

### v25.11.5 (2025-11-05)

#### New functionality
- **Analysis**
  - Automated Impact Assessment now assigns negative scores to CVEs that are already fixed through Debian backports.
- **Extraction**
  - Added support for [Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec).
- **UI**
  - The global _Issues_ page has been moved under the **Search in** dropdown. The table is now empty by default and populates based on your search criteria. You can also switch between Basic and [OQL](https://docs.onekey.com/oql/) search modes. (#4332)

#### Fixes
- **Analysis**
  - Fixed analysis failure during the component enumeration step.
- **Reporting**
  - Analysis summary (XLSX) exports now include all assessment data available on the platform, including:
    - CVSS v3 and v4 scores for security issues.
    - Overall score.
    - Editable assessment fields: notes, justification, SSVC decision, and vendor response.

### v25.11.3 (2025-11-03)

#### New functionality
- **Components**
  - Added component detection for: (#4420, #4419)
    - quota
    - rt-tests
    - x11-utils
    - opensc
    - openipmi
    - MikroTik RouterOS (and several RouterOS-specific components: gosh, login, shell, catlog, mkexfatfs, pakp, and sshfs)

#### Fixes
- **Analysis**
  - Fixed import failures caused by SBOM validation errors when importing CycloneDX files with compositions. (#4376)
- **Components**
  - Improved component detection for: (#4420)
    - u-boot
    - sysstat
    - libxcb
    - v4linux
    - shadow
    - ncurses
    - kerberos
    - man-db
    - util-linux
    - weston
    - pam
    - gensio
    - systemd
    - mesa

### v25.10.29 (2025-10-29)

#### New functionality
- **Components**
  - Added component detection for: (#4420)
    - openH264
    - OpenIPMI
    - pillow
    - libwacom
    - opensc
    - OPTEE

#### Fixes
- **Components**
  - Improved component detection for: (#4420, #4475)
    - freerdp
    - NSPR
    - OpenLDAP
    - perl
    - libpcsclite
    - can-utils
    - Advanced Package Tool (APT)
    - nmap
    - NSS
    - OpenSSH
    - linux pam
  - Updated CPEs and licenses for: (#4475)
    - cffi
    - attrs
    - glib
    - zt-zip
    - zlib-ng
    - wheel
    - wavpack
    - urllib3
    - ubi_reader
    - subversion
    - sqlalchemy
    - slf4j
    - setuptools
    - serf
    - scikit-learn
    - requests
    - rdflib
    - radare2
    - qrencode
    - pyopenssl
    - pygments
    - pydantic
    - protobuf-java
    - postgresql
    - partclone
    - parso
    - p11-kit
    - numpy
    - markdown-it-py
    - mako
    - lzo
    - lz4
    - lxml
    - lief
    - libzip
    - libxkbcommon
    - libtpms
    - libtool
    - libselinux
    - libpwquality
    - libmicrohttpd
    - libbpf
    - libXtst
    - libxrandr
    - libxrender
    - libXinerama
    - libXi
    - libXfixes
    - libXext
    - libXdmcp
    - libXcursor
    - libX11
    - keyutils
    - kexec-tools
    - jsonpointer
    - jruby-openssl
    - joblib
    - jmespath
    - jefferson
    - ipython
    - idna
    - inflect
    - httpx
    - httpclient
    - h2
    - h11
    - guava
    - groovy
    - graphite2
    - glazedlists
    - giflib
    - gnutar
    - gnused
    - gnugrep
    - fonttools
    - dtc
    - dnspython
    - decorator
    - commons-compress
    - brotli
    - aws-c-io
    - arrow
    - apr-util
    - acl
    - Java-WebSocket
    - Jython
    - ghidra
    - cryptography
    - click
    - certifi
    - btrfs-progs
    - capstone
- **Reporting**
  - Generated reports now include all vulnerability assessment data available on the platform (new data: notes, justification, SSVC decision, CVSS overall score, and vendor response). (#4265)
- **UI**
  - Fixed CVSS3 and CVSS4-related columns not loading when selected from the columns dropdown.
  - Details panels no longer close unexpectedly when: (#4365)
    - Selecting the export format in the CVEs tab.
    - Clicking a notification while a panel is open.
    - Setting CVSS or SSVC assessments for multiple CVEs in the CVEs tab (Component Details panel only).

### v25.10.20 (2025-10-20)

#### New functionality
- **SBOM Export improvements** (#1767)
  - CycloneDX SBOM exports have been extended with [VEX](https://cyclonedx.org/capabilities/vex/) (Vulnerability Exploitability eXchange) data, meaning they can now include details about detected **CVEs** and **security issues**. In the Firmware Analysis view, click **Download SBOM**, then use the checkboxes to choose which details to include.
- **Components**
  - Added component detection for Thunar File manager. (#4449)

#### Fixes
- **Components**
  - Improved component detection for: (#4449)
    - Libnssckbi
    - Libpcre
    - Libpcre2
    - shadow-utils
    - coreutils

### v25.10.15 (2025-10-15)

#### New functionality
- **Components**
  - Added component detection for: (#4404)
    - TI-PDK FreeRTOS
    - tl-expected
    - drv-ethll-tienet
    - EtherCAT Master Stack

#### Fixes
- **Analysis**
  - Fixed Android CVEs not being reported. (#4453)

### v25.10.13 (2025-10-13)

#### New functionality
- **UI**
  - Updated the Component details window in Firmware Analysis view → Components, aligning its style with the Issue/CVE details panel.
  - A matrix-style graph has been added that displays the severity of all security issues and CVEs grouped by vulnerability status (both open and closed). Click on the **Graph icon** next to the total number of vulnerabilities to open it. The new graph is available in **Firmware Analysis view** under:
    - Analysis Overview
    - Files (details panel)
    - Components (details panel). (#4331)
  - You can now see all previous vulnerability assessment changes in the **Audit Trail page**. For affected vulnerabilities, past changes also appear in the **Audit Trail tab** within the CVE/Issue details panel. This information is also available through the API. (#4264)

#### Fixes
- **Analysis**
  - Fixed analysis failures caused by executable enumeration on Go binaries. (#4396)
  - The security patch level is now displayed next to the version (in the **Update field**) for Android firmware.
  - Improved CVE reduction rules for Android firmware. (#4203, #4204, #4224)
- **Components**
  - Improved component detection for OpenSSL. (#4384)
- **UI**
  - Implemented various fixes for the new drawer-style Issue/Component/CVE details: (#4301)
    - You can now close the panel by clicking outside of it or pressing the ESC key.
    - When switching between vulnerabilities using `Previous` and `Next`, the panel now stays on the same tab.
    - Added a **Copy to clipboard** option for the CVE ID and CVSS vector.
    - Resizing the panel is now more responsive.

### v25.9.29 (2025-09-29)

#### Fixes
- **Analysis**
  - Fixed analysis failures caused by malformed ELF files. (#4393)
  - Fixed text files being wrongly categorized as unknown binaries. (#4392)
  - Reduced the number of Stack Overflow and Hardcoded Credential false positives. (#4377, #4379)
- **API**
  - Fixed API failure when querying for files in firmware containing a large number of files. (#4394)
- **Components**
  - Improved component detection for OpenSSL. (#4384)
- **UI**
  - **Copy assessment** feature improvements: (#4387)
    - The "Target" firmware has been renamed to "Current".
    - The "Copy selected statuses" button has been renamed to "Copy selected assessments" to better reflect its function.
    - CVE/Issue matches where all fields are identical (and copying would result in no changes) are no longer displayed.
    - Fixed the feature mistakenly copying severity for CVEs with only a CVSS2 score.
  - Custom issues now display their actual names in data tables instead of the generic "Custom User Defined" label, making it easier to distinguish between different custom issue types. (#4358)
  - Fixed "Product history" not updating in the Analysis Overview page after an assessment change.

### v25.9.22 (2025-09-22)

#### New functionality
- **Component**
  - Added support for the QNX Software Development Platform. (#2283)
  - The platform can now identify and enumerate QNX packages. (#2283)

#### Fixes
- **Docs**
  - Documented improvements in [vulnerability management](https://docs.onekey.com/platform-guide/features/vulnerability-management/#assess-a-vulnerability). (#4337)
- **UI**
  - Fixed the Audit trail tab incorrectly showing "Issue History" instead of "CVE History" in the CVE details window. (#4381)
  - You can now select `Product group` from the displayed columns dropdown in the global Firmwares page. (#4385)
  - OQL auto-suggestions no longer remove the last character after accepting a suggestion that's in parentheses. (#4259)

### v25.9.17 (2025-09-17)

#### Fixes
- **UI**
  - On the Product History page, firmware currently under analysis now displays a 'processing' icon, instead of the previous misleading 'analysis failure' indicator. (#4341)
  - You can now see when a CVE was last modified in all CVE table exports (single firmware, global, and firmware comparison). (#4286)
  - Improved auto-suggestions for OQL rule generation. (#4259)

### v25.9.15 (2025-09-15)

#### New functionality
- **Components**
  - Added component detection for: (#2870)
    - SMIBIOS
    - Tianocore EDK2
- **Extraction**
  - Added support for:
    - UEFI PCI Expansion ROMs (#2870)
    - NetSilicon images (#4320)

#### Fixes
- **Analysis**
  - Reduced the number of Hardcoded Password false positives by filtering out commented lines and passwords that include the characters `$`, ` `` `, `%s` or `"%s"`. (#4335)
- **API**
  - Deprecated some GraphQL operations (the deprecated versions will remain available until **2025-12-31**): (#4325)
    - `updateIssueStatus`, `bulkUpdateIssueStatus` replaced by `updateIssues` (mutation)
    - `updateCVEStatus`, `bulkUpdateCVEStatus` replaced by `updateCVEs` (mutation)
    - `isManualStatus` replaced by `isManual` (field)
  - To generate a new report, users must now have one of the following roles (as they include the new `Generate reports` permission): (#4298)
    - Admin
    - Editor
    - Analyst
    - Manager
- **UI**
  - Fixed infinite loading error when saving updates to the vulnerability assessment for CVEs that don't have a base CVSS score. (#4363)
  - **Analysis Profile**, **Custom Issues**, and **Analysis Configurations** are now accessible from the top menu bar, under the **Configuration** dropdown.

### v25.9.8 (2025-09-08)

#### New functionality

- **Components**
  - Added component detection for:
    - YAFFS (#4312)
    - Green Hills Threadx (#4312)
    - NetOS (#4312)
    - OpenSSL (in RTOS firmware images) (#3870)

#### Fixes
- **Analysis**
  - Fixed analysis errors by skipping the parsing of invalid TypeScript files.
- **Components**
  - Improved component detection for Threadx. (#4312)
- **UI**
  - Improved loading speed of the CVE/Issue tables following a vulnerability update. (#4301)

### v25.9.2 (2025-09-02)

#### New functionality

- **Improved vulnerability management** (#4192)
  - Comprehensive vulnerability triage and evaluation can be performed using CVSS Environmental scores and
    the [VEX cybersecurity standard](https://cyclonedx.org/capabilities/vex/). You can also perform and record an
    [SSVC assessment](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).
  - You can edit CVSS Environmental metrics directly, provide SSVC data, add notes and override the platform's decision on
    severity in the issue/CVE details panel.
  - Automatic impact assessment details are recorded in notes, listing evidence from the analyzed firmware for better traceability.
  - The Copy status feature has been extended, so you can now copy each evaluation field, not just the statuses, using the 'Copy evaluation' button.
- **Components**
  - Added component detection for: (#4247)
    - libestr
    - fastjson
    - xerces-c
    - emweb/wt
    - screen

#### Fixes

- **Analysis**
  - Reduced the number of stack buffer overflow false positives. (#4141, #4306)
  - Improved file categorization rules:
    - Non-RTOS firmware files are no longer incorrectly categorized as RTOS. (#4211)
    - Introduced a new file category for markdown files: `FILE:TEXT:MARKDOWN`. (#4279)
- **Components**
  - Improved component detection for:
    - strace (#4247)
    - tar (#4247)
    - eCOS (#3807)
- **Extraction**
  - Improved ELF file extraction out of QNX firmware filesystems (IFSv4, IFSv6). (#4248)
- **UI**
  - Data tables and exports now contain temporal, environmental, and overall CVSS 3 scores. (#4192)
  - The text now shows the correct timeframe on the successful report generation popup. (#4254)
  - The new ONEKEY logo is now displayed across the platform. (#4334)
  - Fixed auto-complete overriding user-defined values in firmware names in the upload popup. (#2004)
  - Fixed manual edits in the Analysis Profile being discarded if the edits were between two automatically generated rules. (#4267)
  - Added specific processing states (`Waiting`, `Analyzing`) that display across Analysis overview, the Firmwares page,
    and the progress indicator during firmware analysis. (#4268)

### v25.8.13 (2025-08-13)

#### Fixes

- **Component**
  - Improved component detection for:
    - libmodbus (#4260)
    - Python (#4253)
    - GNU Binutils (#4246)

### v25.8.11 (2025-08-11)

#### New functionality

- **Component**
  - Added support for eCOS RTOS. (#3807)

#### Fixes

- **Analysis**
  - Improved file categorization rules for Android firmware, so some APK files are no longer miscategorized as JAR. (#4238)
  - Improved JAR package enumeration. (#4238)
  - SBOM validation now occurs at the start of analysis, providing immediate feedback on file validity before running the full analysis. (#4200)
- **API**
  - "Triage" is now an open status. (#4271)

### v25.8.4 (2025-08-04)

#### New functionality

- **Analysis**
  - Introduce "Not affected" and "Triage" statuses for CVEs and Issues. The new statuses allow more fine-grained tracking
    of vulnerabilities.
  - Automatically assign "Not affected" status to CVEs based on automatic impact assessment. The status can be changed
    manually later or adjusted using Analysis profile rules.
- **UI**
  - Introduce new CVE and Issue details design using "drawer" style instead of popup modal. The new design allows easier
    navigation and overview of vulnerabilities.
  - Replaced "Show only confirmed matching CVEs" with status-based filtering.

#### Fixes

- **Analysis**
  - Improved ARM based RTOS firmware architecture detection (#4240)
- **Reporting**
  - Fix report title and logo alignment on the front page (#3948)
- **UI**
  - Only show CVEs tab on file popup if the file has any related CVE entry (#4210)
  - Fixed Analysis Overview page update after analysis is finished (#4219)
  - Fixed OQL completion to handle `component.tag` fields (#4258)
  - Fixed API timeout handling to display proper error message (#4215)

### v25.7.23 (2025-07-23)

#### New functionality

- **Analysis**
  - Add custom security issue definitions to identify specific threats and allow customizing security checkers (#3974)
- **UI**
  - Introduced collapsible firmware side menu to save space on the firmware details pages (#4181)

#### Fixes

- **Component**
  - Fixed too verbose error message when uploading an invalid SBOM file by omitting the whole SBOM content (#4129)
- **UI**
  - Add missing RTOS and Android tags to the Components page (#4234)
  - Fixed flickering code block view in static analysis issue details modal (#4130)
  - Fixed error when displaying empty file in the files modal (#3993)

### v25.7.16 (2025-07-16)

#### New functionality

- **Analysis**
  - Added CVE reduction rules for VxWorks-based firmware images. (#4206)
- **API**
  - Added new `File` and `Issue` type [OQL fields](https://docs.onekey.com/oql/fields/), primarily related to ELF information, components, and strings. (#4294)
- **Component**
  - Added component detection for: (#4241)
    - Keil MDK
    - VisualDSP++

#### Fixes

- **Component**
  - Improved µC/OS II component detection. (#4241)
- **UI**
  - Fixed folder structure tab indicator overlapping the firmware navigation sidebar in the Folder structure visualization. (#4178)

### v25.7.14 (2025-07-14)

#### New functionality

- **Docs**
  - Added new pages: [Filter out non-relevant CVEs](https://docs.onekey.com/platform-guide/how-to/filter-cves/) and [Fix common errors](https://docs.onekey.com/platform-guide/how-to/fix-errors/). (#4156)

#### Fixes

- **API**
  - Fixed duplicate information (such as SPDX ID) appearing in generated SPDX SBOM files. (#4217)
- **UI**
  - Fixed upload type not appearing for empty binary files. (#4233)

### v25.7.9 (2025-07-09)

#### Breaking change

- **Simplified querying collections with OQL** (#3945)
  - Plural [OQL fields](https://docs.onekey.com/oql/fields/#list-of-fields) got renamed to singular (for example, `cve.references.tags` → `cve.reference.tag`).
  - You can now use standard OQL operators like `=` and `!=` directly on fields that correspond to collections (e.g., `cve.reference.tag`) instead of requiring the `CONTAINS` and `NOT CONTAINS` operators. For example, `cve.reference.tag = "Exploit"` returns all entries where any of the CVE references has the `Exploit` tag.
  - The `CONTAINS` and `NOT CONTAINS` OQL operators now only work with string values.

#### New functionality

- **SBOM-only uploads** (#4152)
  - You can now upload just an SBOM file without a firmware image.
  - The upload type is now visible on the dashboard (`Binary only`, `SBOM only`, `Binary with SBOM`).
  - In Firmware analysis view, firmware image specific results are hidden or grayed out for SBOM-only uploads.
- **Components**
  - The platform now detects Android APK applications as components. Note that no license or CPE information is available yet, so no CVE matching is performed for these components. (#2877)

- **Extraction**
  - Added support for Android Manifest XML. (#2877)

#### Fixes

- **Analysis**
  - Fixed analysis failure during CVE matching on Android firmware.
- **UI**
  - Fixed incorrect file name when exporting URIs in CSV or JSON format. (#4161)

### v25.7.2 (2025-07-02)

#### New functionality

- **Extraction**
  - Added support for AES-encrypted firmware images when the key is available. (#3730)

#### Fixes

- **API**
  - Fixed OQL parsing issues with prefixed fields that could cause incorrect results. (#4216)

### v25.7.1 (2025-07-01)

#### Fixes

- **API**
  - Generated SPDX SBOMs now include required package verification codes, resolving validation warnings from online SPDX validators. (#4105)
  - Added `latestCount` parameter to `analyses` GraphQL query on `Firmware`, so you can limit results to the n most recent analyses.
- **Analysis**
  - Fixed analysis failure when processing x509 certificates with non-UTF-8 character encodings. (#4185)

### v25.6.25 (2025-06-25)

#### New functionality

- **UI**
  - Security issues now display detailed CVSS 3.0 and CVSS 4.0 information in the issue details popup. (#4137)

#### Fixes

- **UI**
  - Fixed announcement banner incorrectly hiding the changelog banner. (#4144)
  - The "Upload Firmware" button is now hidden for users without upload permissions. (#4154)
  - Fixed incorrect highlight behavior when hovering over dropdown arrows in the Compliance Wizard sidebar. (#4139)

### v25.6.23 (2025-06-23)

#### New functionality

- **Analysis**
  - Improved RTOS detection for VxWorks-based firmware images to identify symbols. (#2270)
- **API**
  - CVE entries now include more detailed CVSS 2.0 and 3.0 information. (#3364)
  - CVSS fields can now be easily filtered using OQL queries. (#3364)

#### Fixes

- **Analysis**
  - Improved RTOS component detection by eliminating false-positive cryptographic libraries. (#4175)
  - Improved file categorization of large files. (#4183)
- **API**
  - Fixed handling of long GraphQL queries by limiting request processing to 5 minutes.
- **UI**
  - Fixed inconsistent label sorting in grouped data table headers. (#4149)
  - The "What's new" popup now displays new features sorted by date instead of release version. (#4132)

### v25.6.18 (2025-06-18)

#### Breaking change

- **CVSS-based issue severity calculation** (#2888)
  - Security issue severities are now calculated based on CVSS 3.1 and 4.0 scores, providing more accurate and industry-standard severity assessment. This will result in an updated severity rating for some existing issues.

#### Fixes

- **Analysis**
  - Improved automated impact assessment rules for Android-specific Linux kernel vulnerabilities and vendor-specific Android vulnerabilities. (#1862)
- **Component**
  - Improved JavaScript component detection. (#4153)

### v25.6.16 (2025-06-16)

#### Breaking change

- **Audit records visibility** (#4068)
  - Accessing audit records now requires a dedicated "Audit Trail" permission. Users lacking this permission cannot view audit records in the UI or API.
  - Two new roles have been added: **Manager** and **Auditor**. The Manager role has the same permissions as Admin except for Audit Trail access. Auditor has only the Audit Trail permission.
  - The Observer role now includes the Audit Trail permission by default. For all other roles, the Auditor role must be added to grant audit record access. See [Permissions and actions](https://docs.onekey.com/administration/permissions/) for more details.

#### Fixes

- **Components**
  - Improved JavaScript component detection (#4153)
- **UI**
  - The extraction error message now shows the maximum and current extraction/path sizes and file counts. (#4052)

### v25.6.9 (2025-06-09)

#### New functionality

- **Docs**
  - You can now check all the file formats ONEKEY supports in the documentation: [Supported Formats](https://docs.onekey.com/platform-guide/how-analyze/formats/).

#### Fixes

- **Analysis**
  - Reduced the number of Command Injection false positives. (#4064)
  - Improved filtering to reduce Hardcoded account password false positives in image files. (#4122)
  - Reduced the number of false positive CVEs by improving CPE matching. (#4136)
- **API**
  - Fixed certificate-related fields not being queried with OQL.
- **Component**
  - Improved µC/OS-II version detection. (#4115)
- **UI**
  - Fixed CVE evidences not loading from the correct analysis in certain edge cases.
  - Fixed Category filters not displaying on the Folder details popup (Firmware analysis view → Files → Details button next to a folder). (#4140)
  - Firmware labels now appear in separate lines in the tooltip to make them easier to distinguish. (#4131)

### v25.6.2 (2025-06-02)

#### New functionality
- **UI**
  - A banner now appears at the top of the page when a new version of the platform is released. Click on it to access the latest changelog.

#### Fixes
- **Analysis**
  - Reduced the number of 0-day binary static false positives by improving filters for temporary files and command injection issues. (#4064)
- **API**
  - The `isOutdated` field for components has been removed. (#4123)
- **UI**
  - When viewing a page in full-screen mode, popups are no longer stuck behind the full-screen. (#4127)
  - Fixed the table misalignment error when grouping by provisions on the Global compliance page. (#4107)
  - You can now see in the Compliance Wizard if an analysis is outdated or not. (#4123)
  - Introduced better sorting for nodes in Compliance overview, resulting in fewer overlaps. (#4127)
  - Fixed firmware labels not displaying correctly when they contain a comma (,). (#4131)
  - When viewing ELF/Component dependencies in the corresponding popups, if a side of the visualization is empty, it is now collapsed by default. (#4109)
  - Fixed file and description not showing for ELF related security issues. (#4128)
  - Compliance overview fixes: (#4092)
    - ELF security issues now show up correctly.
    - You can now export issues/CVE evidences from the node popup.
    - Evidence details can now be opened for all nodes.
    - The number of unique CVE matches or security issues is now displayed on the popup.

### v25.5.26 (2025-05-26)

#### New functionality

- **Component dependency graphs** (#4077, #4076)
  - Explore component relationships to better understand your firmware structure. View all component dependencies in the firmware through the **Component dependencies tab** in Firmware analysis view --> Components. For individual component dependencies, select any component and click **Dependency graph** on the popup.

#### Fixes

- **Components**
  - Improved component detection for fastcgi libraries and TCG TPM2 Software Stack. (#4061)
- **Reporting**
  - The ONEKEY logo on the PDF reports is now centered. (#3948)
- **UI**
  - Improved the loading speed of CVE tables. (#4025)

### v25.5.19 (2025-05-19)

#### Fixes

- **UI**
  - The Binary Hardening graph now displays the correct percentage for the Fortify protection. (#4108)
- **Analysis**
  - Improved the accuracy of Linux kernel automated impact assessment rules to avoid false matches. (#4060)

### v25.5.14 (2025-05-14)

#### New functionality

- **Analysis**
  - ONEKEY now checks for the 'Fortify' ELF binary hardening feature. See the updated diagram on the **Binary Hardening page** under Artifacts, or check individual ELF files in the **File details popup**. (#3266)
- **Components**
  - Added component detection for: (#4066)
    - crun
    - foot
    - grim
    - ifplugd
    - kbd
    - libdisplay-info
    - libedit
    - libevdev
    - libfcft
    - libgudev
    - libliftoff
    - libtasn1
    - libtpm2tss
    - parted
    - seatd
    - slurp
    - sway
    - swaybg
    - tzdata
    - upower
    - utf8proc
    - wayland
    - weston
    - wlr-randr
    - wlroots

#### Fixes

- **Analysis**
  - Improved 64-bit ELF enumeration. (#2261)
  - The maximum extraction size error now shows limits in human-readable format instead of bytes. (#4052)
- **Components**
  - Improved component detection for: (#4061, #4047, #4066)
    - Abseil Cpp
    - alsa-utils
    - Dropbear
    - fastcgi
    - GNU Awk
    - GNU fribidi
    - host, dig, and nslookup.bind
    - ISCBind
    - libattr
    - libcairo
    - libdbus
    - libexpat
    - libgdk pixbuf
    - libharfbuzz
    - libinput-bin
    - liblzma
    - libmodbus
    - libnl
    - libpixman
    - libxflt
    - Linux Kernel
    - lspci
    - lsusb
    - ntp
    - pcre2
    - PHP
    - podman
    - python
    - rsync
    - sqlite3
    - VxWorks
    - wpa supplicant
    - zstd
  - Reduced false positives by improving PHP component version extraction rule. (#4065)
- **Extraction**
  - Fixed extraction failures on malformed Android OTA files. (#4075)
- **UI**
  - Fixed CVE auto-rule generation in Analysis profile.

### v25.5.5 (2025-05-05)

#### New functionality

- **Analysis**
  - You can now run RTOS analysis on ELF file uploads. (#3907)

### v25.4.28 (2025-04-28)

#### New functionality

- **Compliance Overview page** (#3935)
  - View violations across multiple cybersecurity guidelines for a single firmware in one convenient diagram.
  - Customize displayed information using the **Guidelines** and **Columns** dropdowns.
  - Click on a node to display the relevant security issues/CVEs.
  - Highlight node connections by hovering over specific nodes.
  - Access this feature under **Firmware Analysis view** --> **Compliance** --> **Overview**.
- **Analysis**
  - ONEKEY now checks for the 'Immediate binding' ELF binary hardening feature. See the **Binary Hardening page** (under Artifacts) in Firmware analysis view for the updated web diagram. (#3266)
- **Extraction**
  - Added support for QNX IFS6. (#2261)

#### Fixes

- **API**
  - Mitigated false positive hits when using the `CONTAINS` OQL operator. (#2810)
- **Analysis**
  - Improved file detection so private key and certificate files are categorized more accurately. Note that existing status settings or analysis profile rules based on previous file categories may need to be adjusted. (#4035)
  - Improved device-tree decoding.
  - Reduced the number of 'Command Injection' false positives by expanding the list of trusted sources. (#4022)
  - Older RTOS versions are no longer misidentified as their newer counterparts. (#3904)
- **Docs**
  - Expanded the [security issue descriptions](https://docs.onekey.com/platform-guide/how-analyze/sec-issues/). The new descriptions also appear on the UI when you click on the **Open issue description** info button next to an issue. (#2060)
- **UI**
  - Fixed Management Reports page to correctly display information for the user-selected time range. (#4027)
  - Fixed file type incorrectly displaying as `Unknown` for symlinks and directories in **Search in** --> **Files & Strings**. (#4024)

### v25.4.14 (2025-04-14)

#### New functionality

- **Compliance**
  - Added RED II (EN 18031-1:2024) guideline to the compliance wizard.
- **UI**
  - Introduced various improvements to the Compliance Wizard: (#3951, #4020)
    - The provision dependencies (if any) are now displayed in the compliance form.
    - The inherited rules (evidences and rules from provision dependencies) are now displayed when clicking on 'Supporting materials'. The platform traverses up to 10 levels to gather all rules affecting the opened provision. Click on an inherited rule to open it.
  - Added a **Save button** to the bottom of Analysis profile, so you no longer have to scroll back to the top to save newly added rules. (#3934)

#### Fixes

- **Analysis**
  - Fixed a failed analysis being mistakenly marked as successful, causing an API failure and UI errors for the affected firmware. (#3995)
  - Improved architecture detection accuracy for ARM binaries. (#4033)
  - Fixed metadata, such as Licences, Tags, and CPEs, not appearing for some RTOS components (picolibc, littlefs, polarssl, wolfssl). (#4015)
- **Extraction**
  - Improved the public key extraction enumeration step. (#4013)
  - Improved the QNX IFS handler by adding UCL decompression. (#3912)
- **UI**
  - The management report now correctly displays the number of non-applicable CVEs. (#4001)
  - Fixed unused white area appearing in the Global compliance table. (#3978)

### v25.4.2 (2025-04-02)

#### Fixes

- **Analysis**
  - RTOS analysis now covers firmware images with embedded filesystems or other extracted data chunks. (#4005)

### v25.3.31 (2025-03-31)

#### Fixes

- **Analysis**
  - Reduced the number of static code analysis false positives by improving the decompilation of array data types. (#3857)
  - Improved symbol detection for the Linux kernel. (#2779)
- **UI**
  - In Firmware Analysis view, the Binary hardening graph now updates automatically when the status of a related issue is changed. (#3926)
  - Added various improvements for the Copy status function: (#3970)
    - Renamed the button from 'Copy statuses from' to 'Copy status'.
    - Introduced tooltips for both Strict and Relaxed mode.
    - Adjusted the popup layout to improve usability.
    - Improved the error message when a firmware was not found in the product line.
  - In the File details popup, when you click on the Content tab of a large firmware, an error is now displayed instead of the page crashing. (#3918)

### v25.3.26 (2025-03-26)

#### New functionality

- **API**
  - You can now use the 'cve.references' OQL field to query for a CVE name ('cve.references.name'), URL ('cve.references.url'), source ('cve.references.source'), or tags ('cve.references.tags'). (#3945)
- **Component**
  - Extended component detection to Java applications; JAR files are identified. (#2251)
  - Added support for the following RTOS:
    - ThreadX (#3805)
    - Azure RTOS (#3805)
    - Zephyr (#3804)
    - µC/OS-II (#3808)
    - µC/OS-III (#3809)
- **Docs**
  - Added a new feature page for the **Automated Impact Assessment** function: [https://docs.onekey.com/platform-guide/features/automated-impact-assessment/](https://docs.onekey.com/platform-guide/features/automated-impact-assessment/) (#3942)
- **Extraction**
  - Added support for Flashrom files. (#557, #3908)
- **UI**
  - The firmware IDs are now displayed on the firmware info page. You can use these IDs when working with the ONEKEY API or when reporting firmware-related errors. (#3933)

#### Fixes

- **Analysis**
  - Fixed analysis failures caused by incorrect identification of AARCH64 binaries. (#3898)
- **Extraction**
  - Fixed extraction failure on empty Android super partitions. (#3940)
- **UI**
  - Fixed unused white area appearing when switching to full screen mode in the global ELF dependency graph. (#3901)
  - In the Compliance Wizard, the 'Success' popup no longer prevents you from closing the status change popup. (#3950)

### v25.3.17 (2025-03-17)

#### New functionality

- **Copy firmware status**
  - You can now copy the manually set status or comments of a selected firmware to another. This feature can be useful when uploading a new version of the same firmware.
  - To copy a firmware status/comment, navigate to the Firmware analysis view of the target firmware. Select either the Issues or CVEs pages and click the **Copy statuses from** button. Choose a source firmware in the popup and follow the on-screen instructions.

#### Fixes

- **Analysis**
  - Improved the detection of Hardcoded Credential issues so that invalid passwords no longer lead to a decoding error.

### v25.3.10 (2025-03-10)

#### New functionality

- **Docs**
  - New guide added for integrating ONEKEY API tokens into your own application: [API tokens](https://docs.onekey.com/integration-guide/tokens-integration/) (#3874)
- **UI**
  - In Firmware analysis view --> Files, you can now learn more about directories by clicking on the **Details button**. (#3867)
  - In Search in --> Files & Strings, you can now click on directories to find out more about them, similar to how you would with files. (#3867)
  - You can now view the ELF dependency graph (under Firmware analysis view --> Files) in full screen mode. (#3901)
- **Components**
  - Added component detection for picolibc and WolfSSL (#3810)

#### Fixes

- **API**
  - To ensure successful report generation, reports can no longer be generated for firmware with more than 2,000 issues or 5,000 CVEs. (#3882)
- **Analysis**
  - Fixed false-positive static code analysis error in netcat. (#3405)
  - Reduced hardcoded account password false positives by ignoring bash auto-completion. (#3762)
  - Reduced hardcoded credential false positives by ignoring the example Authorization header in oauthlib (#3909)
  - Improved static code analysis to identify command injections originating from HTTP cookies. (#3716)
  - Reduced stack-overflow false positives in 0-day binary analysis. (#3287)
- **UI**
  - Fixed firmware- and tenant-level component exports not showing version information, including possible and unknown versions. (#3899)

### v25.3.3 (2025-03-03)

#### New functionality

- **UI**
  - Allow filtering files using OQL queries on both Firmware -> Files and Search in Files page (#3869)

#### Fixes

- **UI**
  - Improved the User page to be able to display users with many user groups properly (#3864)
  - Fixed global Compliance page filtering error (#3830)
  - Fixed displaying file category on the global ELF dependency page (#3900)
- **Components**
  - Fixed the RTOS-based component version detection logic. This may produce a few false possible versions, but it
    reduces the chance of missing the correct version. (#3800)

### v25.2.24 (2025-02-24)

#### New functionality

- **UI**
  - On ELF info page of the File details popup, you can now access a dependency graph for ELF files. (#3734)

#### Fixes

- **Analysis**
  - Reduced the number of static code analysis false positives by improving Python rules and by fixing the shell variable definition. (#3888, #3887)
- **API**
  - The analysis no longer fails with longer file names. (#3638)

### v25.2.19 (2025-02-19)

#### New functionality

- **Docs**
  - A new, prettier, more detailed documentation is now available for the platform. You can access it by clicking on the **Documentation** button at the bottom of the page, or by following this link: [https://docs.onekey.com/](https://docs.onekey.com/).

#### Fixes

- **UI**
  - Introduced various improvements to the ELF dependency visualization: (#3873)
    - faster loading speed
    - fixed duplicated nodes
    - fixed the search by component function

### v25.2.17 (2025-02-17)

#### New functionality

- **UI**
  - You can now bulk delete generated reports on the Reports and Configuration page. (#677)

#### Fixes

- **Analysis**
  - Improved support for Dahua non-encrypted firmware. (#3849)
  - Improved architecture and load address detection for RTOS analysis. (#3683)
- **Components**
  - Added missing CPE for the musl component. (#3859)

### v25.2.12 (2025-02-12)

#### New functionality

- **ELF dependency visualization** (#3815)
  - On the Files page in Analysis view, you can now click on a new tab called **ELF dependencies**.
  - The visualization here shows all the links between the ELF files of a firmware.
  - Hover over a node to highlight its dependencies.
  - Click on a node to open the File details popup.
  - Click on the Hidden links button to display elements that are not included in the visualization.

- **Analysis**
  - The platform can now perform static code analysis on CGI shell scripts to identify potential command injection vulnerabilities. (#3716)
- **Components**
  - Added component detection for: liblinphone, embOS (emCrypt, emFile, emNet, emSSL, emUSBH, emWin), Hilscher EtherNet/IP, and musl libc. (#3457, #3565, #3859)

#### Fixes

- **Analysis**
  - Updated a signature name for Certificate Signature Issues from 'RSASSA-PSS' to 'rsassaPss'. Monitored firmware images that are affected by this will appear as changed.
  - Fixed analysis error when CVE matching identified two components that match the same CVE and differ only in their possible versions. (#3845)
  - Reduced the number of 0-day binary false positives by expanding the filter for the Stack Overflow issue rule. (#3795)
- **Components**
  - Improved component detection for: mbedtls, eCos, lwip. (#3457)
- **UI**
  - Fixed load address being displayed as N/A when the actual load address is 0. (#3860)
  - If a report generation fails, the progress bar on the UI no longer remains stuck. (#3070)
  - Previously used filters are no longer auto applied when opening a data table. (#3442)

### v25.2.3 (2025-02-03)

#### Fixes

- **Analysis**
  - Merged component names tiff and libtiff. (#3838)
  - Reduced the number of 0-day binary false positives by sorting paths based on the elements of their code. (#3850)

### v25.1.27 (2025-01-27)

#### New functionality

- **Components**
  - Added component detection for: x264 lib, ICU, SELinux, libva, and libxcb. (#3732)

#### Fixes

- **Components**
  - Improved component detection for: ThreadX OS, Zephyr OS, and merged the components Qt and libQtCore. (#2859, #3732, #3804)
- **Analysis**
  - Reduced the number of false positives by improving PHP script analysis to handle numeric inputs. (#3799, #3797)
  - Fixed Privilege escalation issue details changing during monitoring runs. This bug manifested in the UI as the same issues appearing as both ‘Added’ and ‘Removed’ when comparing two analyses. (#3608)
- **API**
  - Fixed the Extraction --> Firmware structure loading error, due to an API error returning Directories. (#3832)

### v25.1.20 (2025-01-20)

#### New functionality

- **Component**
  - Added component detection for: openJPEG, mpg123, libzeromq. (#3732)

#### Fixes

- **Analysis**
  - Fixed load address detection for FreeRTOS firmware images. (#2975)
  - Reduced the number of false positives for carved ELF files.
  - Reduced the number of 0-day binary static false positives by expanding allocation checks and fixing 'tc_printf' calls. (#3481, #3497)
- **UI**
  - Improved loading speed of the file browser on the ‘Files’ page.
  - Removed unnecessary data from the compiled unit names in the 'Compiled units' table (Files --> File details popup --> ELF info) (#3802)
  - Removed duplicated lines from the 'Symbols' and 'Compiled units' tables (Files --> File details popup --> ELF info) (#3802)
- **Component**
  - Improved component detection for: apparmor, Qt5. (#3732)

### v25.1.13 (2025-01-13)

#### New functionality

- **FreeRTOS detection** (_Enterprise subscribers only_)
  - The platform can now detect components in FreeRTOS firmware.
  - You can enable FreeRTOS detection in the **Analysis Configuration** page.
  - Note that FreeRTOS detection uses reverse engineering technology.
  - We can identify the following components:
    - coreHTTP (FreeRTOS)
    - coreMQTT (FreeRTOS)
    - FreeRTOS kernel
    - littlefs
    - lwIP
    - mbedTLS
    - musl
    - newlib
    - picoTCP
    - PolarSSL
    - uIP
  - Once the components are identified, the platform lists the corresponding CVEs.

- **Component**
  - Added component detection for: gstreamer, libdrm, liborc, osg, libtomcrypt, libdlt, AzureIOTMiddleware. (#3517)

- **Extraction**
  - Added support for MediaTek image format. (#1375)

#### Fixes

- **Component**
  - Improved component detection for: PCRE, iptables, libffi, libcheck, Newlib, ESP-IDF, RoaringPenguinrpPppoe, libpcre, libpcre2. (#3517, #3779, #3780)
- **UI**
  - The CVE audit history popup now correctly displays 'CVE History' instead of 'Issue History'. (#3789)
  - On the Components page, possible versions are now in numeric order in the 'versions' tooltip. (#3784)
  - The 'Version' and 'Update' fields are no longer mandatory when editing or adding a component. (#3711)
  - In the component details popup, if a component has multiple possible versions these are listed instead of the 'Version' and 'Update' fields. Editing still brings up 'Version' and 'Update'. (#3801)
  - You can now see possible versions in the 'Component' column of CVE tables. (#3801)
- **Analysis**
  - Following the CPE name matching specification, CVE matching is now case-insensitive. (#3699)

### v24.12.18 (2024-12-18)

#### Fixes
- **UI**
  - The request ID is now visible in error messages. You can include it in a support request to speed up troubleshooting (#3755)
  - In Analysis view --> Files, you can now select which columns should appear in the data table by clicking the **table icon**. (#3079)
  - In Analysis view --> Files, added filters for the 'File size' and 'Tags' columns. (#3079)
- **API**
  - When calling the 'updateFirmwareComponent' mutation, you now have to update both 'vendor' and 'product' if you want to edit any of those fields. (#3741, #3711)

### v24.12.09 (2024-12-09)

#### Fixes
- **UI**
  - Fixed flickering in the File details popup. (#3079)

### v24.12.04 (2024-12-04)

#### New functionality
- **UI**
  - Added a ‘Tags’ column to the Files tables, which indicates if the file contains a dangerous function call that could lead to a vulnerability if not used properly. See the info icon next to the column name for more details. (#3079)
  - In the File details popup, added the Errors tab which shows analysis and extraction problems (if any). (#3079)

#### Fixes
- **UI**
  - You can now see the linked libraries in the ELF Info tab of the Component Details popup.

### v24.12.02 (2024-12-02)

#### New functionality
- **Showing identified URIs** (#3733)
  - You can now check the URIs found in your firmware in Analysis view --> Artifacts --> URIs. URIs can show what external services the firmware might be communicating with. Click on a URI to bring up the File details popup.
  - Added the URI tab to the File details popup.
  - To see the number of found URIs only, go to Analysis overview or check the Overview tab of the File details popup.

#### Fixes
- **SBOM Export** (#3591)
  - If the platform does not find the version of a component, now the 'version' field is omitted from the export, and the CPE string contains a '*' to indicate any possible versions.
  - If the platform identifies multiple possible versions, now the 'version' field is omitted from the export. For SPDX exports, an external reference is generated for each possible version. For CycloneDX exports, the CPE string includes a '*' to indicate any possible versions.
- **UI**
  - Now you need to confirm exiting from the component creation popup, so no work is lost accidentally. (#3740)
  - Fixed size and positioning issues for the Component details popup. (#3745)
  - The 'Analysis outdated' warning no longer appears when a newly added component is deleted. (#3744)
  - In Compliance Wizard, fixed the 'Supporting materials' window crashing in some edge cases.
  - If a firmware is outdated, meaning the component list has been edited, you can now reanalyze the firmware directly from the 'Analysis outdated' warning message. (#3738)
- **API**
  - In OQL queries, using the 'NULL' value with operators other than "=" (equals) and "!=" (not equals) now returns a GraphQL error. (#3620)

### v24.11.25 (2024-11-25)

#### Fixes
- **UI**
  - Fixed platform crashes when deleting a component from the Component details popup (#3743)
- **Analysis**
  - Fixed several 0-day binary analysis failures on large or complex files (#3508, #3398, #3339, #3432, #3392, #3110)

### v24.11.18 (2024-11-18)

#### New functionality
- **Component editing**

    You can now add, delete, and edit components manually. By correcting misidentified components and adding missing ones you get a more complete SBOM, and improve the accuracy of CVE matching.

    To edit a component, click on the **Edit** button in the Overview menu. In most fields you can enter any text without restrictions, but for **Tags** you can only choose from the items in the dropdown menu. For the **Licenses** field, you can select an item from the dropdown menu, but you can also enter your own text. The **Name**, **Version**, and **Update** fields cannot be left empty.

    To add a new component, click the **Create component** button. The **Name**, **Version**, and **Update** fields cannot be left empty. To delete components, check the boxes next to the components you want to delete and click the **Delete components** button.

    After editing, adding, or deleting a component, **rerun the analysis** for the changes to take effect and to update CVE matching. (#3575)

- **UI**
  - You can now see the latest comment for CVEs and issues in the .xlsx and .csv exports. This update is also available via the public API (#3598)
  - Added the **Evidences** tab to the Component details popup. Here you can see a list of items that indicate the methods and sources used in identifying the selected component. (#3698)

#### Fixes
- **UI**
  - Implemented several fixes for the binary visualization in the File details Content tab, such as fixing the Content symbol tooltip placement (#3693)
  - On the Compliance page and in the Compliance Wizard, the 'Download latest bundle' button no longer gets stuck in the 'No generated bundles' state (#3445)
- **Analysis**
  - Fixed ELF processing failure causing analysis error (#3671)

### v24.11.6 (2024-11-6)

#### Fixes
- **UI**
  - In the firmware upload popup, fixed the **Release date** field displaying an ‘Invalid date’ error in certain edge cases (#3682)
- **Analysis**
  - Fixed 0-day binary analysis failure on large functions (#3398)
  - Implemented kernel symbol detection for Linux kernels with special kallsyms tables, as typically found in versions 6.1 and 6.2 (#2898)

### v24.11.4 (2024-11-4)

#### Fixes
- **Analysis**
  - Reduced the number of 0-day binary static false positives by adding a number of standard system API semantic definitions (#3644)
- **UI**
  - In the Components page, when clicking on the **View** button in the **CVE count** column, now only the relevant CVEs are shown (#3670)
  - Resolved the issues causing the **Analysis History** page to crash in certain edge cases. (#3674, #3673)

### v24.10.28 (2024-10-28)

#### Fixes
- **Component**
  - Fixed component detection for GNU sed and BusyBox sed (#3647)

#### New functionality
- **UI**
  - You can now see the file names of the compiled units in the 'File details' popup (#3586)

### v24.10.21 (2024-10-21)

#### Fixes
- **Analysis**
  - Reduced the number of hardcoded account password false positives by ignoring some additional common words in the hashes, such as hash, config, controller, etc. (#3486)
- **UI**
  - Getting a validation error in the Firmware upload popup (for example, 'The name of the firmware must be unique') no longer resets the window (#3485)

### v24.10.16 (2024-10-16)

#### Fixes
- **UI**
  - On the 'File details' popup, errors when loading the binary graphics are now handled gracefully (#3512)
  - In the 'Content' tab of the 'File details' popup, fixed "The HEX content is truncated..." error message showing up incorrectly for unrelated files (#3662)
  - The reason for a past failed analysis now shows up correctly in the Analysis History page (#3626)
  - When using the 'Global search' function, fixed CVEs with negative score appearing despite the 'Show only confirmed CVEs' checkbox being enabled (#3623)
  - You can now search with decimal numbers in the EPSS column of the CVE tables (#3625)
- **Report**
  - In the general ONEKEY report, fixed user updates not showing up for compliance items where the default state is "Manual check required" (#3606)

### v24.10.14 (2024-10-14)

#### New functionality
- **UI**
  - In the 'File details' popup, moved the 'Content' menu from the 'Overview' page to the left sidebar. For executable files, this tab also contains a binary graphic where you can see the representation of the binary details (#3512)
  - Clicking on a component in the 'Components' page now brings up the 'Component details' popup, where you can see some basic information about the component (Overview tab), the files it contains (Files tab), and the CVEs found in the component (CVEs tab) (#3575)

#### Fixes
- **UI**
  - Changing the user group now automatically updates the product groups available in the upload popup without the need to refresh the platform (#3628)

### v24.10.9 (2024-10-9)

#### New functionality
- **UI**
  - Added new notifications for the successful creation of product groups, user groups, and users (#3543)
- **API**
  - You can now export the SBOM of an analyzed firmware in SPDX format. Supported versions are XML v2.3 and JSON v2.3. See the API documentation for more details. This function is also available in the UI (#483)

#### Fixes
- **UI**
  - Fixed 'Processing Error' message showing up incorrectly for invalid SBOM failures (#3496)
- **Analysis**
  - Fixed 0-day binary analysis of malformed ELF files (#3328)

### v24.10.7 (2024-10-7)

#### Fixes
- **Analysis**
  - Reduced the number of 0-day binary static false-positives by improving the sscanf sink filters and by ignoring calls where the format argument is a constant in the data segment (#3397, #3488)
  - Reduced the number of hardcoded account password false positives by ignoring some common words in the hashes, such as begin, upload, using etc. (#3486)
- **UI**
  - Removed possible duplicates from the 'Compiled units' table in the 'File details' popup window
  - Improved the look of the 'File details' popup, especially for smaller screens (#3562)

### v24.9.30 (2024-09-30)

#### New functionality
- **File details popup**:
  - The file details popup on the 'Files' page (in Firmware analysis view) has been redesigned. Click on a file to go to the new 'Overview' page. Here you can see details such as certificates, private keys and mini-entropy. In the left sidebar, you can see menus for context-specific information that only applies to the selected file. Click on a menu item to see more details. For ELF files, for example, you will see the ELF info menu. Click here to see details such as 'Compile Time Mitigation' or 'Symbols'. If a file contains artifacts such as certificates or passwords, click on 'Artifacts' to find out more. If we have found issues or CVEs in the file, these too will be listed in the corresponding menu items. (#3562)
- **Docs**
  - The GraphQL schema documentation now has a new look; the content is unchanged

#### Fixes
- **API**
  - Fixed initial validation for CycloneDX XML SBOM uploads (#3624)
- **Analysis**
  - Reduced the number of 0-day binary static false-positives by filtering out non-user-controlled command and environment variable sources (#3479)
  - Fixed invalid 0-day binary static issues with invalid propagator file names (#3242)
- **UI**
  - When comparing two analyses, the 'Previous' and 'Next' buttons in the issue details popup window now work as expected (#3564)

### v24.9.20 (2024-09-20)

#### Fixes
- **Analysis**
  - Fixed missing 0-day binary static issues for binaries that have been analyzed before (#3418)
  - Fixed CVE matching when component version contains ':' character (#3418)
- **Extraction**
  - Fixed YAFFS2 extraction error (#3595)

### v24.9.16 (2024-09-16)

#### New functionality
- **UI**:
  - If an analysis returns a partial result, the reason for this can now also be viewed on the Product History and Analysis History pages (#3459)
  - Added a side panel to the File details pop-up window in File browser to make it easier to find the right information and to simplify navigation. The first option is always 'Overview', the second can be either 'ELF info' or 'Executable info' depending on the file type (#3512)
  - When a component version is ambiguous, the platform now tries to provide possible versions instead of showing 'unknown' (#3511)

#### Fixes
- **UI**:
  - If the platform encounters a query error, the page is no longer stuck in an infinite load state. An error message is now displayed (#3510)
  - Fixed the 'Reset table' function on the Files page (Analysis view) and on the Files & Strings page (Global Search). In both cases, clicking the button now reverts the tables back to their default state (#3502, #3520)
- **Component**
  - Fixed component detection for PHP (#3545)
- **Analysis**
  - Reduced the number of false-positives by updating the deduplication logic of joern elements (#3489)
  - Reduced the confidence level of hardcoded credential issues found in 'locale' files (#3480)

### v24.9.3 (2024-09-3)

#### New functionality
- **Docs**:
  - Reworded and restructured the Quick Start Guide. Documented new functionalities like SBOM upload

#### Fixes
- **API**:
  - Resolved the “permission denied” error encountered by users with the uploader role when uploading new firmware
- **UI**:
  - Fixed crashes when visualizing folders for firmware images containing a large number of folders and files on the Folder structure page
- **Analysis**:
  - Reduced the confidence level of a privilege escalation issue to LOW for sudoers configuration files outside of
    standard configuration directories
  - Fixed false-negative CVE impact analysis score for "score" architecture detection
  - Reduced the number of false positives in 0-day binary analysis by extending the filter for non-user-controlled
    source files, commands and environment variables
  - Fixed false-positive certificate - private key pairing
  - Fixed 0-day binary analysis error handling to continue analyzing all vulnerable candidates even if analysis is not
    possible for any of the files
  - Fixed false-positive Buffer Overflow issue when the untrusted data size is static and smaller than the destination
    buffer size
- **Compliance**:
  - Added missing 0-day binary issues to consider in compliance wizard automatic assessment

### v24.8.26 (2024-08-26)

#### Fixes

- **UI**:
  - Changes on the Firmware Info page are now displayed immediately after saving. Refreshing the page is no longer needed
- **Analysis**:
  - Fixed SBOM import failure when the component properties list was missing a value field

### v24.8.21 (2024-08-21)

#### New functionality

- **Docs**:
  - Added a new section titled Keywords to the OQL documentation

#### Fixes

- **Components**:
  - Fixed version detection for sqlite3
- **Analysis**:
  - Updating an issue/CVE status no longer causes other operations, such as analysis profile updates, to fail
- **Docs**:
  - Improved wording of the OQL documentation

### v24.8.12 (2024-08-12)

#### New functionality

- **Component**:
  - Added component detection for SWupdate
- **Extraction**:
  - Added support for SquashFS v1 format

#### Fixes

- **UI**:
  - Fixed tags not displaying for components with multiple tags on the Components page
  - Fixed OQL rules not displaying in the Compliance Wizard
  - On the Firmwares tab, once you have generated a report or applied an analysis profile, the affected firmware images are now automatically deselected
- **Component**:
  - Fixed component detection for Oracle Berkeley DB
  - Fixed LibQmi CPE information
  - Added license info for Mpicalc
  - Added CPE and license info for Apache Commons Net

### v24.8.5 (2024-08-5)

#### Fixes

- **Analysis**:
  - An error message is now displayed if the analysis encounters an invalid JSON SBOM
  - Lowered confidence level for issues that come from documentation or test code
- **Extraction**:
  - Improved zip64 detection

### v24.7.29 (2024-07-29)

#### Fixes

- **Analysis**:
  - Improved 0-day binary static analysis speed by deduplicating analysis on identical files
- **UI**:
  - Improved the loading speed of file browser on the Files page
  - Fixed a bug with error messages that override each other. If multiple errors occur, all are now displayed

### v24.7.22 (2024-07-22)

#### New functionality

- **Component**:
  - Added license information for scanelf and Libnssckbi (mozilla NSS)
  - Added component detection for docker-ce and shttpd

#### Fixes

- **UI**:
  - Fixed crashes when uploading large firmware files
- **Component**:
  - Merged arp, netstat, slattach, and ifconfig into net-tools
  - Updated license information for Ischroot, RunParts, and x11-common

### v24.7.15 (2024-07-15)

#### New functionality

- **UI**:
  - Added 'Object' column to the Audit Trail table highlighting the reference CVE/issue for the listed record
- **Component**:
  - Added component detection for: mesa3d, Dicom DCMTK, libfido2, rabbitmq-c, Cavium Inc. OCTEON SDK, OpenvSwitch, and Alpine apk-tools

#### Fixes

- **Component**:
  - Updated component detection rule for mtd-utils

### v24.7.10 (2024-07-11)

#### Fixes

- **Analysis**:
  - Fixed false-positive Plaintext Communication and Missing Peer Verification issues identified in documentation HTML files
  - Fixed invalid CVE impact analysis rules to avoid matching on non-visible and non-exported Linux kernel symbols
- **UI**:
  - Improved grouping by provision on the Global Compliance page
  - Fixed infinite loading screen when switching tenants. Now if the tenant is unavailable, an error message is displayed
- **Component**:
  - Fixed license information for Xkbdata, bsdutils, and liblocal-gettext-perl
  - Fixed invalid jQuery components detected in non-javascript files

### v24.7.3 (2024-07-03)

#### New functionality

- **SBOM Import**: Added the ability to import an SBOM file to augment detected components. Plain CycloneDX XML and
   JSON files can be imported as SBOM files. Components from the SBOM file are added to the detected list of components
   and displayed together. CVE matching is done automatically for components with CPE information available, and the
   resulting CVEs are displayed on the CVEs page. The SBOM file has to be uploaded with the firmware image; it is NOT
   possible to upload the SBOM file at a later point. It is possible to upload an empty firmware image with an SBOM file,
   in which case only the SBOM components are considered. Components can be compared between firmware images to
   see the differences on the Firmware Comparison page.
- **UI**: Added the ability to automatically generate Analysis Profile rules when setting status manually on CVEs or
   issues. The new wizard suggests rules that could be customized to cover the matching CVEs and issues in other
   firmware images automatically.

#### Fixes

- **Analysis**:
  - Fixed Hardcoded Credential issue to lower the confidence level when it is likely that the identified credential
     is actually not used (e.g.: credential is in a comment or documentation)
- **UI**:
  - Fixed a page crash when switching between tenants
- **API**:
  - Fixed failing firmware download
  - Fixed handling of invalid UUIDs in OQL queries to provide a detailed error message
- **Extraction**:
  - Fixed zstd extraction problem
- **Component**:
  - Fixed failing component detection using package manager meta-data when meta files are corrupt or invalid

### v24.6.24 (2024-06-24)

#### New functionality

- **API**:
  - Add componentCount field on Firmware object to speed up component count queries

#### Fixes

- **Analysis**:
  - Fixed analysis failure in case of broken ELF files
  - Fixed Binary Hardening descriptions and documentation on stack canary detection
  - Fixed failing sudo based Privileged Escalation detection when sudo aliases are used
- **UI**:
  - Fixed Firmware and Analyses Comparison page Added/Removed CVE match filtering
  - Fixed Analysis Profile CSV import to handle mixed DOS/UNIX line ending (`\r` vs. `\r\n`)
  - Fixed Binary 0-day Issue details page crash
  - Fixed modal popup closing buttons
  - Fixed missing confirmation when deleting user
  - Fixed Firmware pages when firmware analysis has failed or is still in progress
  - Fixed Dashboard and Firmware Overview page loading time for big firmware images
- **API**:
  - Fixed Blob object extractedSize field calculation speed
- **Extraction**:
  - Fixed Yealink ROM extraction error and report unsupported encryption schemes
- **Component**:
  - Fixed ppp, ptpp and pppd components by merging all into ppp
  - Fixed pppoe-discovery component by splitting detection into ppp and Roaring Penguin rp-pppoe
  - Fixed jsonc version detection

### v24.6.17 (2024-06-17)

#### Breaking change

- The GraphQL API Firmware object has a breaking change in this release. The firmware binary related fields
   (md5, sha1, sha256, originalFilename, uploadSize) have been moved into a "binary" field on the firmware in OQL queries.

#### New functionality

- **Extraction**:
  - Add support for MIBIB format
- **Component**:
  - Add component detection for
    - libjpeg
    - adduser
    - base-passwd
    - cpio
    - dmidecode
    - dmsetup
    - hostname
    - pinentry-curses
    - sensible-utils
    - tasksel
    - whiptail
    - mawk
    - diffutils

#### Fixes

- **Analysis**:
  - Fixed false-positive Missing Peer verification issue detected in curl example files
  - Fixed false-positive 0-day binary static issue when input file is in `/etc/` directory
  - Fixed ELF file enumeration failures for files without program headers
- **API**:
  - Fixed failing OQL query which queried on two file fields in the same query
     (e.g.: "file.category = ... AND file.path =...")
- **Extraction**:
  - Fixed Android BootImg extraction error
  - Fixed UBI & UBIFS extraction error
  - Fixed ZIP64 extraction error
- **Component**:
  - Fixed sqlite3 version detection
  - Fixed embOS version detection
  - Fixed license information for DejaVu TTF, GNU findutils, gpg, libvpx, xxd

### v24.6.5 (2024-06-05)

#### Fixes

- **Analysis**:
  - Fixed failing binary zero-day detection on complex and large files
- **Component**:
  - Fixed ez-ipupdate CPE information
  - Fixed version detection rules for Android, iproute2 and gcc

### v24.6.3 (2024-06-03)

#### New functionality

- **API**:
  - Add support for CycloneDX 1.5 & 1.6 SBOM export. Also dropped support for version 1.0 export.
- **Extraction**:
  - Add support for encrypted Yealink UBIFS format

#### Fixes

- **Analysis**:
  - Fixed false-positive Plaintext Communication issue detected in curl documentation files
  - Fixed applying analysis profile rules post-analysis and notification & comparison on new issues & CVEs
  - Fixed failing binary zero-day detection on complex and large files

### v24.5.13 (2024-05-13)

#### New functionality

- **UI**:
  - Add History -> Audit History page to list all audit records for a given firmware
  - Add Apply analysis profile function to Firmwares page to immediately apply Analysis Profile rules on a selected
     firmware without the need to re-analyze the firmware
- **API**:
  - Add auditTrail list to the Firmware object to query all audit records
  - Add applyGlobalAnalysisProfile mutation to apply Analysis Profile rules on a selected firmware without re-analysis
- **Extraction**:
  - Add support for encrypted Yealink YAFFS, squashfs formats

#### Fixes

- **Analysis**:
  - Fixed false-positive Hardcoded Password issue detected in ansible plugins
  - Fixed false-positive Communication security related issues in git log messages
- **UI**:
  - Fixed monitored firmware number on Dashboard
  - Fixed dark mode glitches on various pages
- **Component**:
  - Fixed ifupdown component by splitting it from net-tools
  - Fixed Linux distribution version detection false-positives
- **Report**:
  - Fixed missing CVE EPSS information in custom and compliance reports

### v24.5.6 (2024-05-06)

#### Fixes

- **UI**:
  - Fixed data-tables to display a warning when an empty data-table has a filter set, so that the filter settings can be reset
  - Fixed missing export button on Analyses Compare page
- **API**:
  - Fixed mutations failing when another in-progress mutation or operation takes a long time to finish

### v24.4.29 (2024-04-29)

#### New functionality

- **API**:
  - Extend OQL to be able to search issues & CVEs using stableKey property. Stable keys are guaranteed to be stable
     across different analyses of the same firmware and can be used to uniquely identify issues and CVEs.

#### Fixes

- **Analysis**:
  - Fixed failing analyses in case a post-analysis step fails (e.g.: analysis profile or compliance checker)
  - Fixed missing CRYPTOGRAPHY component tag on crypto related software components
- **UI**:
  - Fixed OQL editor on Analysis Profile page in case of read-only access
  - Fixed downloaded report name to have a readable timestamp
  - Fixed displaying Firmware Info release date not to consider browser timezone adjustments
  - Fixed missing export buttons on Firmware and Analyses comparison page

### v24.4.22 (2024-04-22)

#### New functionality

- **Analysis**:
  - Add Privileged Escalation security checker to identify sudo misconfigurations that could lead to unwanted privilege
     escalation vulnerabilities.

#### Fixes

- **Analysis**:
  - Fixed missing Hardcoded Credential issue detection
  - Fixed zero-day binary static analysis false-positives in case of variadic variable handling
  - Fixed failed zero-day binary static analysis due to processing timeout
- **UI**:
  - Fixed Analyses History page missing CVE matches summary
  - Fixed Analysis Profile page with read-only access
  - Fixed downloaded report name to include name and date
  - Fixed missing CVEs only past analysis details page
  - Fixed Components page to show N/A as the CVE count when CPE information is missing
  - Fixed Product History page date range filtering
  - Fixed Firmwares page line folding
  - Fixed Product & Analyses History pages to consider CVEMatches and Component differences when showing changes only
- **Extraction**:
  - Fixed zlib format extraction
  - Fixed zip64 format extraction
  - Fixed extraction error with absolute symlinks

### v24.4.8 (2024-04-08)

#### Fixes

- **Analysis**:
  - Fixed zero-day binary static analysis to only analyze duplicate files once
- **UI**:
  - Fixed notification in case data-table saved configuration was invalid
  - Fixed reporting partial analysis properly, so skipped zero-day binary analysis does not hide real processing error
- **Extraction**:
  - Fixed Advenica format support

### v24.4.3 (2024-04-03)

#### New functionality

- **UI**:
  - Extended Firmware -> Analyses & Product History pages to display component changes, showing the added and
     removed components
  - Extended Analyses & Product Compare pages to show changed components, and added changed CVE matches alongside
     changed CVE entries. (CVE matches are specific to components, while CVE entries are just the union of all CVEs)
- **Analysis**:
  - Extend Hardcoded Password detection to identify passwords in HTTP Basic authorization headers in applications

#### Fixes

- **Analysis**:
  - Fixed false-positive Hardcoded Passwords identified in JSON files where username or password is empty
  - Fixed ELF file enumeration to properly handle symbols extraction and identify imported/exported symbols
  - Fixed false-positive Format String issue when input is not controlled by the user
  - Fixed missing potential Format String issues by extending dangerous sinks list
- **UI**:
  - Fixed Analyses & Product Compare pages to only display Open status CVEs and Issues
  - Fixed Analyses & Product Compare pages to properly display CVSS2/3 details
  - Fixed Search in CVEs page filtering on CVE counts
  - Fixed data-table filter storage to handle invalid save states
  - Fixed Firmware Binary Hardening page to refresh numbers on status changes
  - Fixed Firmware header to show up-to-date monitoring status when monitoring is enabled/disabled and changed the
     button to a switch
  - Fixed ONEKEY logo to be clickable and open the dashboard
  - Fixed CVE match evidences table to be more dense
  - Fixed firmware upload dialog for upload only users
  - Fixed buttons on all pages to unify look and feel
- **Component**:
  - Fixed MBedTLS component detection in case of package managers
  - Fixed CPE for liblzma
- **API**:
  - Fixed analysis XLSX export to include CVE exploit information and EPSS score
  - Fixed analysis XLSX export to properly format numbers (e.g. decimals, floating-point values)
- **Extraction**:
  - Fixed CPIO extraction problem with duplicate entries

### v24.3.25 (2024-03-25)

#### New functionality

- **UI**:
  - Add analysis XLSX download button in the firmware page headers
  - Add CVE severity distribution chart to
    - Firmware -> CVEs page when grouped by components
    - Firmware -> Components page when showing CVE counts
    - Search in Components page

#### Fixes

- **Analysis**:
  - Fixed binary analysis backdoor launch detection to cover busybox based backdoors
  - Fixed insecure communication detection in PHP scripts to properly handle disabled peer verification
- **UI**:
  - Fixed data-table saved filter deletion by asking confirmation before actually deleting the filter
  - Fixed displaying the Analysis Configuration details for read-only roles
- **Component**:
  - Fixed MBedTLS component detection

### v24.3.18 (2024-03-18)

#### Fixes

- **Analysis**:
  - Fixed false-positive empty Hardcoded Password in JSON files
  - Fixed missing zero-day binary analysis results due to too long propagator list
  - Fixed false-positive invalid Hardcoded Password detected in python scripts
- **UI**:
  - Fixed Compliance Wizard page crash when generating Compliance Bundle
  - Fixed Analysis Profile OQL editor cursor positioning when editing large query
  - Fixed Report Configuration error message to indicate if the name is already used
  - Fixed Firmware -> Components CSV export error
  - Fixed data-table filter handling: when a filter is selected, the input field is automatically focused
  - Fixed CVEs page exploit maturity filter to order by risk
  - Fixed Report generation to list Report Configurations ordered alphabetically
  - Fixed Firmware -> Components page to have a short-cut to open CVEs page related to a component
  - Fixed data-table to remember filter settings for a given page
  - Fixed missing Set Status button on Artifacts -> Binary Hardening page
  - Fixed Analysis Profile dry run results to show all CVEs regardless of current status or match score
- **Component**:
  - Fixed perl component detection rules
  - Fixed OpenSSL 3.0.11 version detection rules
  - Fixed MbedTLS detection rules to handle non ELF binaries
- **Extraction**:
  - Fixed skipped extraction on Microsoft OOXML files

### v24.3.11 (2024-03-11)

#### New functionality

Add **binary zero-day vulnerability detection** to identify command injection, buffer overflow, format string and
potential backdoor launch issues in ELF binaries. Similar to the existing zero-day detection in PHP, Python and Lua
scripts, this functionality can detect potential vulnerabilities in compiled binary code. It uses binary
decompilation techniques to handle ELF binaries, which is a rather resource-intensive operation that could
significantly extend the firmware analysis time. Binary zero-day analysis must be enabled in
the Analysis Configuration. Binary zero-day vulnerability detection is only available for Binary Zero-Day
subscribers. (During the trial period the feature is available for all subscribers until 2024.06.31.) Please contact
support for further details.

- **API**:
  - Extend exported XLSX files with auto-filters
- **Analysis**:
  - Add Open Platform Communications United Architecture (OPC-UA) management protocol detection
  - Add Analysis Configuration to configure how a firmware analysis is executed. Analysis Configuration objects can
     be assigned to a firmware either during upload or any time later. If no Analysis Configuration is selected during
     upload, the Default configuration is selected automatically. Analysis Configurations can only be edited by
     users with the Admin role.
- **Component**:
  - Add component detection for:
    - TivaWare
    - OpenJDK
    - OracleJDK

#### Fixes

- **Analysis**:
  - Fixed false-positive Hardcoded Password Issue detected in translation JSON files
- **UI**:
  - Fixed displaying CVE references on firmware and analyses comparison pages
  - Fixed firmware history and comparison pages to only count open status issues
  - Fixed data-table crash when user clicks away from the table
  - Fixed Artifacts -> Certificates page to show all details on certificates
- **API**:
  - Fixed Expert review permission so that it is only disabled for the observer role
- **Component**:
  - Fixed CODESYS component version detection

### v24.3.4 (2024-03-04)

#### Fixes

- **Analysis**:
  - Fixed false-positive Hardcoded Password issues in JSON files
  - Fixed false-positive Plaintext Communication issues in XML config files
  - Fixed severity level for OpenSSH Configuration issue found in alternative SSH config files
- **UI**:
  - Fixed Compliance Wizard unsaved changes notification and added Save and Cancel button
  - Fixed incorrect and misleading missing evidences message in CVE comparison details
  - Fixed CVE match score overflow in dense datatable mode
  - Fixed Firmware Info page crash when server returned any error
  - Fixed displaying XPM images in Artifacts -> Images
  - Fixed issue status setting on ELF hardening related issue on Artifacts -> Binary Hardening page
- **Extraction**:
  - Fixed handling empty files in multi-volume gzip & sevenzip formats
- **Component**:
  - Fixed CPE for Zend Engine & PHP, Simple SCEP client for Unix, Tinylogin, libpcre2, dhclient, axhttpd, alsa-lib,
  - Merged squashfs and squashfs-tools components
  - Merged pptp related utils into a single pptp component
  - Merged libpolarssl into polarssl component
  - Merged OpenLDAP slapd into OpenLDAP component
  - Merged NSS Builtin Trusted RootCAs into NSS component
  - Merged OpenWRT utils into OpenWRT component
  - Merged libmagic into file component
  - Merged libfribidi into Gnu Fribidi component
  - Merged libbz2 and bzip2recover into bzip2 component
  - Merged gdbserver into gdb component
  - Merged sysvinit related utils into sysvinit component
  - Merged Host APD CLI into HostAPD component
  - Merged Freeradius Radclient and radclient into freeradius component
  - Merged ELFutils libraries into elfutils component
  - Merged Samba libctdb into samba component
  - Merged redis cli and server into redis component
  - Merged MiniIGD into RealTek SDK component
  - Merged ReadyMedia MiniDLNA into MiniDLNA component
  - Merged Qualcomm utils into a single Qualcomm component
  - Merged Portable SDK for UPnP Devices into Pupnp component
  - Merged GNUTLS client, OSCP tool, server into GNUTLS component
  - Merged Simple Network Time Protocol Client into Network Time Foundation Ntp component

### v24.2.26 (2024-02-26)

#### New functionality

- **UI**:
  - Add CVE ID easy copy&paste to Firmware -> CVEs and Search in CVEs pages

#### Fixes

- **Analysis**:
  - Fixed failing analysis with Analysis Profile rules including many items in `IN` statement
- **UI**:
  - Fixed Search in -> CVEs page when copy&pasting CVE ID by trimming extra whitespace
  - Fixed Analysis Profile dry run page crash
  - Fixed Firmware -> Issues page crash when setting status on an issue without proper permission
  - Fixed displaying rules in Compliance Supporting Materials when compliance item opened from global compliance page
  - Fixed blocked firmware upload dialog if upload fails with permission error
- **Extraction**:
  - Fixed dropped relative symlinks in tar extraction
- **Component**:
  - Fixed CPE for BridgeUtils, DirectFB, ebtables, mtd-utils
  - Fixed mtd-utils version detection

### v24.2.19 (2024-02-19)

#### Fixes

- **UI**:
  - Fixed Search in -> CVEs page to show CVEs with non-confirmed impact matching score
  - Fixed Firmware -> CVEs page not to wrap lines and align labels properly
  - Fixed Firmware -> CVEs page impact match score filter to allow setting limits manually
  - Fixed Analysis Profile CVE rules import and export column naming
  - Fixed delete icons across the page to use a single unified icon
- **Extraction**:
  - Fixed squashfs extraction to handle overflown end of data segment
  - Fixed dangling symlinks in multi-file gzip handler

### v24.2.14 (2024-02-14)

#### New functionality

- **Compliance**:
  - Add argument to automatic assessment suggestion describing the reasoning behind the suggestion
  - Add automatic assessment rules to the Supporting Materials to display what checks and tests were done for the given
     provision
  - Add relevant ETSI 303 645 IXIT information to the Supporting Materials
- **Component**:
  - Add detection for Linux distributions; distributions are reported as a component with the special DISTRIBUTION tag
  - Add component detection for
    - NetXDUO
    - Cypress WicedSoftware
    - GNU coreutils

#### Fixes

- **UI**:
  - Fixed Firmware -> Analyses History date filtering
  - Fixed XLSX download from Analyses History
  - Fixed Compliance Wizard scrolling and popups
- **Compliance**:
  - Fixed calculating compliance item status for filled, but unchanged cases
- **Component**:
  - Fixed ThreadX version detection
  - Fixed mbedtls detection rules
- **Extraction**:
  - Fixed DMG extraction problems with overlapping internal compressed content

### v24.2.5 (2024-02-05)

#### Fixes

- **Component**:
  - Fixed package manager based component detection for opkg, python, OpenSSH,
  - Fixed OpenLDAP and OpenLDAP-utils components by merging them

### v24.1.31 (2024-01-31)

#### New functionality

- **Compliance**:
  - Extend compliance suggestion with argument to provide reasoning about the automatic assessment suggestion
  - Add ETSI specific Implementation eXtra Information for Testing (IXIT) chapter to the Compliance Wizard
  - Add ETSI 303 645 specific custom reports to compliance bundle
- **API**:
  - Extend ComplianceProvision object with rules parameter to display automatic assessment OQL queries

#### Fixes

- **UI**:
  - Fixed firmware upload dialog by adding an indication before the upload starts
  - Fixed issue CSV export by adding missing file and details fields
  - Fixed displaying affected compliance provisions when updating compliance claim
- **Analysis**:
  - Fixed duplicate Hardcoded Password issues reported on the same password detected in the same file
  - Fixed false-positive Plaintext Communication issue reported on wget documentation examples
  - Fixed skipped firmware monitoring when previous analysis result was cleaned up
- **Extraction**:
  - Fixed extraction error on invalid Cisco CBS & SGZ formats

### v24.1.24 (2024-01-24)

#### New functionality

- **Compliance**:
  - Add Compliance Bundle to export all compliance related data from the Compliance Wizard, reports and supporting
     files. The bundle can be generated for a selected firmware on a selected guideline. Generated bundles are stored
     on the platform and can be downloaded at any later time.
  - Add Product Overview section and ETSI 303 645 specific condition questions to the Compliance Wizard. Overview
     questions can simplify answering requirements by automatically setting certain requirements to Not Applicable based
     on condition answers.
- **API**:
  - Extend OQL language to make Component.tags searchable
- **UI**:
  - Display cleaned up analyses on the Analyses History page and add raw analysis data download as XLSX

#### Fixes

- **Analysis**:
  - Fixed duplicate cryptographic artifacts (private keys, certificates) reported in both extracted and container files
  - Fixed false-positive test keys reported as Hardcoded Private Keys in python hazmat library
  - Fixed false-positive Dropbear CLI issues detected in documentation samples
  - Fixed false-positive Hardcoded Credentials by ignoring test passwords from cloud-init
- **Component**:
  - Fixed invalid util-linux detection rules
  - Fixed package manager based detection for sysvinit, vsftpd, cups
  - Fixed duplicate signtool and signtools components by merging them
  - Fixed ncurses component version detection rules
  - Fixed sysvinit component version detection rules
- **Reporting**:
  - Fixed broken compliance related sections in custom reports
- **Extraction**:
  - Fixed ExtFs detection in case of non-typical state flag
  - Fixed UBI handling with PEB sizes

### v24.1.15 (2024-01-15)

#### New functionality

- **API**:
  - Extend Analysis object with cveMatches so matching CVEs can be queried for past analyses
  - Add Compliance role which can be used to edit only compliance wizard items, but nothing else

#### Fixes

- **UI**:
  - Fixed compliance wizard to remember the latest selected guideline
  - Fixed compliance wizard supporting materials view scrolling
  - Fixed Firmware -> CVEs page empty dataset when the page is loaded while a pending analysis finishes
- **Analysis**:
  - Fixed false-positive Hardcoded PrivateKey issues by ignoring test private keys
  - Fixed Static Code analysis by extending PHP assert based code injection detection

### v24.1.8 (2024-01-08)

#### New functionality

- **Analysis**:
  - Extend Hardcoded Credential checker to find passwords in JSON configuration files
- **Extraction**:
  - Add padding detection in unknown chunks during extraction
  - Add support for multipart gzip formats

#### Fixes

- **UI**:
  - Fixed expert review popup not to show while analysis is in progress
  - Fixed compliance claim display layout
- **Analysis**:
  - Fixed git log & commit file categorization
  - Fixed kernel symbols detection logic on some special kernel builds
  - Fixed false-positive Static Code issues in case of sanitized input in PHP scripts
- **Component**:
  - Fixed jquery detection rule
- **Reporting**:
  - Fixed missing compliance chapters

### v24.1.1 (2024-01-01)

This is a technical release without any changes. Happy New Year! :)

### v23.12.19 (2023-12-19)

#### New functionality

- **Component**:
  - Add component detection for cryptopp
- **UI**:
  - Add custom properties and labels to firmware, labels can be used in OQL queries
  - Add supporting files to firmware, files can be attached, stored and used in compliance views
  - Add easy navigation between issues in issue pop-ups

#### Fixes

- **UI**:
  - Fixed Static Code issue code viewer in dark mode
  - Fixed scrolling issue in full-screen modals
- **Analysis**:
  - Fixed false-positive AWS secret key HardcodedCredential issue
  - Fixed categorization for Intel Flashrom files
  - Fixed false CVE impact analysis on kernel CVEs with `driver_name` symbol
  - Fixed false-positive PathTraversal issue in sanitized PHP code
  - Fixed analysis failure on JQ component detection
- **Component**:
  - Fixed OPC UA detection rules
  - Fixed perl version detection rules
  - Fixed jq version detection
- **Compliance**:
  - Fixed ETSI 303 645 provision ordering
  - Fixed Compliance Wizard latest suggestion
- **Extraction**:
  - Fixed partition extraction in MBR images
  - Fixed sparse TAR file extraction

### v23.12.11 (2023-12-11)

#### New functionality

- **Compliance**:
  - Add Compliance Wizard to allow overriding and manual tracking of compliance provision results. The automated checks
     still provide suggestions, but those can be overridden manually to track compliance. Manually checked provision
     results can be recorded and tracked as well. The Compliance Wizard can also track whether any of the automatically
     checked issue or CVE evidences change and mark the provision results as outdated.
     The Compliance Wizard is only available for Compliance subscribers. (During the trial period the feature is
     available for all subscribers until 2024.01.31.) Please contact support for further details.
- **Component**:
  - Add component detection for:
    - StormShield OS
    - LantimeOS
- **API**:
  - Extended OQL to query on CVE CVSS2 and CVSS3 details
  - Extended ComplianceGuideline with ComplianceChapter; ComplianceSections are moved there as well

#### Fixes

- **UI**:
  - Fixed CVEs page crash when opening CVE details
  - Fixed Static Code analysis details popup code highlighting in full-screen mode
  - Fixed CVE match score indicator to handle very high & low values
  - Fixed missing firmware link on Search in CVEs page
- **Analysis**:
  - Fixed false-positive HardcodedAccountPassword detection while detecting DES based hashes
  - Fixed file categorization for HP BDL & HP IPKG files
- **Component**:
  - Fixed CPE information for iw, smartmontools, libusb,
  - Fixed version detection rule for sqlite, Apache Thrift, Utils Linux, libgpiod, cyassl, i2c-tools, mstpcap,
     Unified Automation OPC UA

### v23.11.27 (2023-11-27)

#### New functionality

- **Component**:
  - Add component detection for:
    - Sensor-Technik Wiedemann OBS
    - OpenSSL in bare-metal and raw binaries
    - GNU patch
    - GNU Pspp
    - ntpsec
    - mpv
    - msmtp
    - mysql
    - sslh
    - rtl_433
    - suricata
    - upx
    - varnish
    - zsh
    - yasm
    - minicom
    - nmap
    - nghttp2
    - pigz
    - mariadb
    - motion
    - gpsd
    - kexectools
    - shadowsocks_libev
    - Reprise License Manager
    - Juniper JunOS
- **UI**:
  - Restructured Compliance details page and introduced new Compliance workbench page
  - Add management page to create and manage API tokens. Tokens can be created and assigned to a specific tenant with
     defined permissions and can be used to access the API. Tokens have a pre-defined validity period and can be revoked
     as well. API tokens are only available for Enterprise subscribers. (During the trial period the feature is
     available for all subscribers until 2023.12.31.) Please contact support for further details.
- **API**:
  - Restructure Compliance related GraphQL API objects:
    - Renamed ComplianceViolation to ComplianceItem
    - Renamed ComplianceGuidelineCriteria to ComplianceProvision
    - Renamed ComplianceCheckStatus to ComplianceItemSuggestion
    - Add ComplianceItemData details on ComplianceItem
    - Add updateComplianceItem mutation to record claims on ComplianceItem
  - Extend analyses and firmware comparison to consider Components and CVEMatches as well
  - Extend API to show mitigation information for CVEs regarding relevant components
  - Add REST API endpoint to download analysis results in XLSX format
- **Extraction**:
  - Add Rockwell Automation archives format support

#### Fixes

- **UI**:
  - Fixed flashing "No results" sign in data tables when searching
  - Fixed resetting saved filter setting in data tables
  - Fixed missing "Show only confirmed CVEs" toggle on Search in CVEs page
  - Fixed Issue & CVE Set status button while status is being updated to prevent accidental double-click
  - Fixed CVE details expander vertical sizing
  - Fixed password reset modal close behavior
  - Fixed scrolling when switching between full-screen and normal view
  - Fixed file download crashes in case of slow network connection
  - Fixed dark mode pages: Search in, bulk firmware delete modal & firmware upload modal
  - Fixed blob and file entropy information in case entropy is 0
- **API**:
  - Fixed Analyses and Firmware comparison by considering only Open status issues and CVEs
- **Analysis**:
  - Fixed Raw Binary File categorization
  - Fixed SRAM object file categorization
  - Fixed UBOOT bootloader file categorization
  - Fixed IHEX file categorization
  - Fixed false-positive PrivateKey detection by ignoring test keys from saml, libcryptopp, cryptography,
  - Fixed false-positive HardcodedCredential detection in fail2ban test samples and AWS code calls
  - Fixed false-positive PlaintextCommunicationIssue detected in Alsa & VIM documentation
- **Component**:
  - Fixed license information for iptables, nasm, mtr, libtiff, QEMU, Qt, rsyslogd, openswan, p7zip, minidlna,
     systemd, apparmor
  - Fixed CPE information for iptables, eCos, eCos Server, nasm, mtr, liblz4, libpng, procps, python, QEMU, Qt, rsync,
     Snort, sysstat, openswan, p7zip, pango, pcsc-lite, quagga, minidlna, miniupnpd, systemd, trousers, util-linux,
     GNU Wget, apparmor
  - Fixed component detection for
    - Expat XML Parser
    - RAUC
    - Skopeo
    - Embedthis Go Ahead
    - libmagic
    - Python
    - jquery
  - Fixed lttng component detection by splitting into subcomponents: lttng-modules, lttng-tools, lttng-ust
- **Extraction**:
  - Fixed invalid docker manifest.json parsing
  - Fixed docker layer extraction without file handling, in case whiteout points to a directory symlink
  - Fixed MBR partition extraction with same name
  - Fixed unsupported incremental Android OTA partition extraction
  - Fixed CPIO checksum calculation to handle 4 byte overflows
  - Fixed EXTFS extraction error

### v23.10.30 (2023-10-30)

#### New functionality

- **Component**:
  - Add component detection for:
    - asn1c
    - atftp
    - GNU bison
    - bluez
    - capnproto
    - ceph
    - chrony
    - clamav
    - darkhttpd
    - faad2
    - fastd
    - frr (FRRouting)
    - haproxy
    - i2pd
    - icecast
    - iucode_tool
    - jack2
    - janus
    - lftp
    - libebml
    - libgit2
    - libical
    - libksba
    - libmemcached
    - wireshark
  - Enhanced component detection for:
    - sqlite3 in non ELF executables
- **UI**:
  - Add ability to export and import Analysis Profile rules to and from CSV
- **API**:
  - Add API Token based authentication support. Tokens can be created and assigned to a specific tenant with defined
     permissions and can be used to access the API. Tokens have a pre-defined validity period and can be revoked as well.
     API tokens are only available for Enterprise license subscribers. (During the trial period the feature is
     available for all subscribers until 2023.12.31.) Please contact support for further details.
  - Add human-readable formatting to SBOM JSON export
- **Extraction**:
  - Add Alcatel-Lucent encrypted ramdisk image format support
  - Add Unix-compatible (v7) tar format support

#### Fixes

- **UI**:
  - Fixed analyses and firmware comparison page to display only CVEs with the right confirmation score
  - Fixed CVEs page to display CVE matches outside the -100 to +100 match score range
  - Fixed Compliance page crash on missing compliance violation information
  - Fixed Files page crash when opening certain directories
- **Analysis**:
  - Fixed CVE confirmation logic to ignore CAP_ symbols as functions
- **Component**:
  - Fixed Linux kernel module package manager based version detection
  - Fixed tcpdump version detection
  - Fixed false-positive libgcrypt component detection
  - Fixed missing CPE information for acpid, Bird, c-ares, bubblewrap, collectd, CUPS Print server, dhclient, dhcpcd,
     dnsmasq, file, libflac, git, libgpgme, keepalived, libarchive, libjpeg-turbo
  - Fixed missing license information for cryptsetup, libarchive
- **Extraction**:
  - Fixed Motorola S-Record handling with missing new line at the end

### v23.10.16 (2023-10-16)

#### New functionality

- **Component**:
  - Add component detection for
    - newlib
    - websocketpp (Websocket++)
    - json3
- **Analysis**:
  - Extended Static Code analysis to detect command injection in lua/luci scripts
- **API**:
  - Add ExtractionProblem details on Firmware, RegularFile and Blob to provide further details on any extraction
     problem
- **Extraction**:
  - Add Bosch Surveillance Camera firmware format support

#### Fixes

- **UI**:
  - Fixed Quick Start Guide permission description
  - Fixed status drop-down on Set status popup
  - Fixed Issue CSV export to include Status field
  - Fixed long file path on Issue details popup
- **Analysis**:
  - Fixed false-positive Trusted CA Mismatch on cross-certificate trust chains
  - Fixed Malware detection errors on large firmware images
- **Component**:
  - Fixed and merged pupnp and libupnp component detection rules
  - Fixed LwIP component detection rules
  - Fixed lua component detection rules
  - Fixed curl component detection rules
- **Extraction**:
  - Fixed CPIO extraction error handling on non UTF8 filename

### v23.10.9 (2023-10-09)

#### New functionality

- **Component**:
  - Add component detection for:
    - GNU libiconv
    - inotify-tools
    - libnetfilter_conntrack
    - libpeafowl
    - libplist
    - libnflog
    - libscew
    - libupnp
    - Soft At Home: libmtk, lpcb
    - prpl: libnetmodel, libsahtrace, libswlc, tr181 modules

#### Fixes

- **UI**:
  - Fixed obsolete and relocated reference URLs
  - Fixed analysis progress bar so browser URL hover will not obscure it
- **Analysis**:
  - Fixed false-positive Hardcoded Credential in ansible modules
- **Component**:
  - Fixed component detection rules for:
    - libwebsockets
    - libnfnetlink
    - libusb
    - ntfs-3g

### v23.10.4 (2023-10-04)

#### New functionality

- **UI**:
  - Add entropy chart to regular file modal
- **Component**:
  - Add component detection for:
    - libwebp
    - hiredis
    - libcoap
    - uriparser
    - libimobiledevice
    - ambiorix libraries: libamxa, libamxb, libamxc, libamxd, libamxj, libamxm, libamxo, libamxp, libamxrt, libamxs,
       libamxt, libamxtui
    - prpl: libfiletransfer, libipat
    - soft at home: libdhcpoption, libimtp, libusp, libuspi, libuspprotobuf, nemo

#### Fixes

- **UI**:
  - Fixed refreshing dashboard after switching tenants
  - Fixed firmware upload dialog to only show product groups where the user has upload permission
  - Fixed data table save filter to activate on Enter
  - Fixed browser code caching between new releases
- **Analysis**:
  - Fixed false-positive sample private keys and certificates detected in Apache2 documentation
- **Extraction**:
  - Fixed extracting extfs from files with space in the name
- **Component**:
  - Fixed Linux kernel detection rules on kernels with /proc/partitions disabled
  - Fixed component detection rules for:
    - jq
    - yajl

### v23.9.28 (2023-09-28)

#### New functionality

- **UI**:
  - Improved Files, Extraction and Binary Hardening page load speed
- **API**:
  - Add Observer role with permission to view all tenant specific settings, like users, groups, product groups,
     analysis profile
  - Add one-time download link to generated reports. One time links can be created using the createReportLink mutation
- **Extraction**:
  - Add support for UF2 format

#### Fixes

- **UI**:
  - Fixed password change to notify when old and new passwords are the same
  - Fixed Compliance page to show latest compliance results after issue or cve status have been updated
  - Fixed status setting dialog to highlight Open and Closed statuses
  - Fixed Static Code analysis modal code highlighter to handle long lines and improve code highlighting
  - Fixed firmware upload error handling in case of an invalid response
- **Analysis**:
  - Fixed false-positive HardcodedCredential issue in Cisco confd
- **Extraction**:
  - Fixed CPIO extraction of special files (e.g. block devices, nodes)

### v23.9.19 (2023-09-19)

#### New functionality

- **Component**:
  - Add component detection for Grafana
- **Analysis**:
  - Extended HardcodedAccountPassword checker to detect password/hash in useradd commands

#### Fixes

- **UI**:
  - Fixed password change dialog for SSO users, as a local password or password change is not available when SSO is used
  - Fixed Components page to use the full height of the page
  - Fixed Issues page load time
  - Fixed Issue & CVE counts on Dashboard, Analysis Overview, Issues, CVEs pages to be consistent and always show the
     open status and confirmed count by default and update the count if filtering changes
- **Analysis**:
  - Fixed false-positive communication security issue in documentation samples
  - Fixed AuthorizedKeys issue detection in case of commented out keys
  - Fixed false-positive HardcodedCredential issue in apache documentation
  - Fixed false-positive HardcodedCredential issue in pure-pw test vectors
- **Component**:
  - Fixed duplicate component detection when version update and no version update are both detected
  - Fixed Dropbear component detection rule
  - Fixed license information for bridge-utility, dqtool, fatlabel, fsck.fat, GDBus, getfacl/setfacl,
     getfattr/setfattr, ISC Cron, libdecnumber, libglib, libgpgme, libnss_myhostname,
     lspci, lsusb, mksquashfs, Native POSIX Threads Library, rngtest, rwarray,
     Secret Labs Regular Expression Engine, setpci, udev, unsquashfs, usbhid-dump, yat2m
  - Fixed CPE information for bridge-utility, fatlabel, fsck.fat, getfacl/setfacl, mksquashfs,
     Native POSIX Threads Library, unsquashfs, cni, cronie, ethtool, eeprog, htop, ISC Cron, kmod, libgmp, libgpg-error,
     libgpgme, libmnl, libnfnetlink, libnl, libpopt, libstdc++, libyaml, lttng, mkfs.fat,
     rngd, rngtest, shadow, sudo, yajl
  - Fixed udev/eudev component detection and merged udev, udevd, udevadm
  - Fixed GNU libc & ucLibc-NG component detection overlaps and merged GNU libc and Native POSIX Threads Library
  - Fixed and merged curl & libcurl component detection rules
  - Fixed and merged wpa-cli and wpa-supplicant component detection rules
  - Fixed and merged sudo and Sudo Audit Server, Logsrvd, Sendlog, sudoers component detection rules
  - Fixed and merged rngs, rngtest, rng-tools component detection rules
  - Fixed and merged dosfstools, fatlabel, fsck.fat, mkfs.fat component detection rules
  - Fixed bridge-utility detection rules and merged into iproute2 component
  - Fixed and merged rpc.statd, rpc.mountd, showmount, sm-notify and nfs-utils component detection rules
  - Fixed and merged fdisk, libblkid, libuuid and util-linux component detection rules

### v23.9.11 (2023-09-11)

#### New functionality

- **UI**:
  - Add global Analysis Profile that can be used to automatically assign Status to detected vulnerabilities (issues &
     CVEs) based on pre-defined rules. Rules are automatically applied after the analysis has successfully finished for
     a given firmware. This makes it possible to automatically flag false-positive findings, ignore findings with
     accepted risk or flag interesting focused findings. Analysis Profile is a tool to customize analysis results and
     focus on the relevant problems.
     OQL (ONEKEY Query Language) can be used to specify the rules in the Analysis Profile in a powerful and flexible
     way.
    - This feature is only available for Enterprise license subscribers. (During the trial period the feature is
       available for all subscribers until 2023.12.31.) Please contact support for further details.
    - See the [Quickstart Guide](https://docs.onekey.com/platform-guide/features/vulnerability-management/#analysis-profile) for more details.
  - Introduce new Issue and CVE summary on the Dashboard, Analysis Overview and History pages. These new views help to
     easily overview analysis results concerning both identified CVEs and detected Issues.
  - Add CPE information and optional matching CVE count on the Components page and also extended csv and json export
- **API**:
  - Add OQL (ONEKEY Query Language) as the most powerful and flexible way to search, with support for Firmware, File,
     Issue and CVEMatch. OQL can be used to specify criteria that cannot be defined in the basic filters. OQL can be
     used both on the UI and over the GraphQL API. For example, AND & OR clauses can be used in an OQL query to search
     using compound filters. [OQL documentation](https://docs.onekey.com/oql/) is available online.
  - Renamed `cveEntries` and `cveEntriesCount` to `cveMatches` and `cveMatchCount` fields on Component object and add
     proper filtering on both

#### Fixes

- **UI**:
  - Fixed global Firmware page grouping by Monitoring enabled status
  - Fixed missing release date field on global Firmware list page
  - Fixed CVEs page to allow grouping by CVSS3 Attack Vector
  - Fixed Search in CVEs page to allow grouping by Firmware
  - Fixed stuck login error on expired ID token
  - Fixed Static Code Issue details page to highlight properly long lines
  - Fixed component dropdowns to handle components with long names
- **Extraction**:
  - Fixed handling of files with a potential path-traversal path during extraction: instead of being skipped, such
     files are moved to a lost+found directory so that they can be processed further
  - Fixed Android Super format to handle multi-slot images
  - Fixed handling of truncated FAT filesystems
- **Analysis**:
  - Fixed false-positive Private keys detected from libdns test vectors
  - Fixed false-positive Static Code Issues detected in unwcheck plugins
  - Fixed and refreshed built-in outdated trusted CA list which is used in Certificate validation
- **API**:
  - Fixed firmware delete errors in case of a missing report pdf

### v23.8.23 (2023-08-23)

#### New functionality

- **Extraction**:
  - Add support for Hirschmann format
- **Analysis**:
  - Add support for handling some special elliptic curve keys (e.g. sect113r1, secp224r1)
- **Component**:
  - Add component detection for:
    - CMSIS-RTOS RTX
    - Mbed OS
    - rpcbind

#### Fixes

- **UI**:
  - Fixed expired ID token handling
  - Fixed password reset dialog
  - Fixed Component filter to be able to filter on components without tag
- **Component**:
  - Fixed CPE for components: nfs-utils, rpc.statd, rpc.mountd, showmount, sm-notify, trousers, udev, udevd,
     Unified Automation OPC UA, util-linux, wpa-cli
  - Fixed git component detection to cover all git subcommands
  - Fixed overlapping Paho mqtt components and extended detection rules
  - Fixed curl component detection to cover special libcurl binaries
- **API**:
  - Fixed ReportConfiguration exclude/include status setting

### v23.8.16 (2023-08-16)

#### New functionality

- **Extraction**:
  - Add support for Espressif ESP image format
- **Component**:
  - Add component detection for:
    - embOS
    - embOS/IP
    - ThreadX
    - Zephyr OS
    - Nucleus OS
    - Treck TCP/IP stack

#### Fixes

- **Component**:
  - Fixed OPKG component enumeration to handle latest list file format
- **Extraction**:
  - Improved yaffs, hdr, ipkg, romfs formats with reporting capability when discarding path traversals during extraction
- **API**:
  - Fixed FirmwareTimelineItem query speed when previousComparison field is not included in the query
  - Fixed Issue/CVE status field query to prevent set statuses from leaking to other firmware with the same item
     within the tenant

### v23.8.7 (2023-08-07)

#### New functionality

- **Extraction**:
  - Add support for encrypted Dahua firmware format (CAM-IP)
- **Component**:
  - Add component detection for Espressif VFS

#### Fixes

- **UI**:
  - Fixed closing filter popup on data-tables when clicking outside the filter
  - Fixed Dashboard and Analysis Overview pages to display only the open Issue and CVE counts
- **Analysis**:
  - Fixed analysis failure with complex JavaScript file categorization
  - Fixed false-positive Hardcoded Password issues in python base package
  - Fixed false-positive Hardcoded Password and Plaintext Communication issues in W3AF plugins
  - Fixed false-positive Static Code Analysis issues in python base packages and W3AF plugins
- **Component**:
  - Fixed license information for: acpid, busybox, ca-certificates, cgroup-lite, cyrus-sasl, file, hdparm, iproute2,
     iptables, json-glib, Libassuan, libidn2, libstdc++, MQTT, nano, numactl, openssl, rauc, rocksdb, cni, conmon,
     cronie, gflags, git, libcap, libcap-ng, logrotate, lttng, net-tools, nfs-utils, resolvconf, rngd, sed,
     squashfs, strace, sudo, syslog-ng, tar, vim, watchdog
  - Fixed mqtt version detection
  - Fixed libstdc++ version detection
- **Extraction**:
  - Fixed Android OTA format support to handle partially compressed content
  - Fixed extraction failure with truncated ZSTD compression format

### v23.7.31 (2023-07-31)

#### New functionality

- **Extraction**:
  - Add LittleFS format support
- **UI**:
  - Extend Firmware Info page with product group details
  - Extend Firmware -> Components & Search in -> Components pages to include tags and let components be filtered by tag
- **Component**:
  - Add component detection for lwip

#### Fixes

- **UI**:
  - Fixed firmware upload popup to only make product groups available where user has upload permission
  - Fixed how Dropbear CLI argument issue details and mitigation advice are shown
  - Fixed Firmware -> Files page crash
  - Fixed data-table page crash when column order was updated too frequently
  - Fixed status audit history page to fit long comments well
- **Analysis**:
  - Fixed HardcodedAccountPassword and CommunicationSecurity issues confidence level in case the problem is detected
     in well-known system files
  - Fixed Linux kernel related CVE matching rules scoring to make sure that architecture mismatch always results in a
     negative score. Also adjusted the source filename rule scoring to eliminate false-positives.
  - Fixed Lua script categorization to handle different Lua versions
  - Fixed markup and script file categorization to avoid categorization errors
- **Component**:
  - Fixed go binary component detection when binary used vendored dependencies
  - Fixed Espressif IDF component version detection rule
  - Fixed OpenVPN component version detection rule
  - Fixed VxWorks component detection rule
- **Extraction**:
  - Fixed failed docker image extraction that caused directories with invalid manifest files to be ignored
  - Fixed extraction failure when directory based format handler failed unexpectedly

### v23.7.14 (2023-07-14)

#### New functionality

- **Extraction**:
  - Add QNX IFS v4 format support
- **Analysis**:
  - Extend Private key information to display key details (key type, size, public-key information)
- **UI**:
  - Add bulk firmware delete function to Firmwares page
- **API**:
  - Extend allFirmwares, issues, latestIssues and CveMatch fields with query parameter. Query can be used to filter
     objects using a complete boolean logic filter expression on all object fields.
- **Component**:
  - Add component detection rule for ESP Websocket Client

#### Fixes

- **UI**:
  - Fixed Dashboard data fetching to speed-up page load time
  - Fixed global Compliance page crash when compliance guidelines load slowly
  - Fixed GQL console to support latest GraphQL standards
  - Fixed saving GQL console enabled status between user logins
  - Fixed Firmware upload Release Date field handling
  - Fixed Compliance page Firmware links, now firmware page can be opened
  - Fixed data-table filters in modal popups
  - Fixed Static Code issue details popup scrolling and enable full-screen mode to browse code
  - Fixed Issue export to include issue summary
  - Fixed Firmware page data-table to enable column ordering
  - Fixed Components page to display long component names properly
  - Fixed Analysis Overview page to align boxes
  - Fixed login page to pre-fill email address from previous expired ID token
  - Fixed Search in CVEs page loading indicator
  - Fixed Components page to display version update field as well
  - Fixed status update message popup to cause less friction
- **Analysis**:
  - Fixed compliance checker to only consider issues and CVEs with Open status when calculating compliance violations

### v23.7.3 (2023-07-03)

#### New functionality

- **UI**:
  - Add global Search-in CVE page. This page allows searching across all analyzed firmware images by a CVE ID
      or by a component name. This is useful to quickly check which firmware images are impacted by a given CVE.
      To identify the latest CVEs we recommend enabling monitoring for relevant firmware images. (Please contact
      support for further insights on monitoring if required.)
- **API**:
  - Extended CVEFilter to match on CVE ID and component name

#### Fixes

- **Component**:
  - Fixed missing CPE for libexpat, ffmpeg, iptables, curl, libflac, libid3tag, libvorbis, logrotate, privoxy,
     stunnel, zlib
  - Fixed component licensing for ca-certificates, ethtool, ffmpeg, i2c-tools, igmpproxy, kmod, libblkid, libffi,
     libgpg-error, libnfnetlink, libnftnl, libpaho, libvorbis, updatedd
  - Fixed file/libmagic component detection rule
  - Fixed hdparm component detection rule
- **UI**:
  - Fixed CVE counts to use same score threshold as in the data-table
  - Fixed Management Report CVE statistics and monitored firmware info
  - Fixed tenant selector position and automatic closing when selecting a tenant
- **API**:
  - Fixed report generation subscription updates
  - Fixed querying elf details on a RegularFile, when queried inside an issue
- **Analysis**:
  - Fixed false-positive Path Traversal issue detected in PHP `$_FILES[...][name]`
  - Fixed script language file categorization rules

### v23.6.26 (2023-06-26)

#### New functionality

- **Component**:
  - Add component detection for:
    - libffi
    - numactl

#### Fixes

- **Component**:
  - Fixed missing CPE for grub, syslog-ng, vim, git, nginx, sudo
  - Fixed libgrpc detection rule
- **UI**:
  - Fixed SSO login identity provider communication timeouts and errors
  - Fixed data-table size filters initial value
  - Fixed tenant selector position in the header
  - Fixed charts and input fields in dark-mode
- **Extraction**:
  - Fixed extracting PE32 files which could contain firmware images

### v23.6.21 (2023-06-21)

#### New functionality

- **Authentication**:
  - Add single sign-on login integration to external Identity Providers using OpenID Connect. This enables federated
     login, multi-factor authentication and centralized password management for organizations. This functionality is
     only available for Enterprise license tenants. Please contact support for further details.
- **UI**:
  - Add Management report page to provide an overview report on the platform usage and analyzed firmware images
- **API**:
  - Extend Blob interface with size and extractedSize parameter
- **Component**:
  - Add component detection for:
    - fmt (cppformat)
    - libnetfilter-queue
    - libnftnl
    - cgroup-lite
    - hwlatdetect
    - ca-certificates
    - Realtek MSDK

#### Fixes

- **Analysis**:
  - Fixed false-positive Hardcoded credential detection in htpasswd files
- **Component**:
  - Fixed go module detection performance on large binaries
- **UI**:
  - Fixed labels and buttons in dark mode
  - Fixed Firmware list missing hashes
  - Fixed Certificate and Private key popup layouts
  - Fixed Compliance page result alignments
  - Fixed displaying issues and CVEs in case of a partial analysis to notify on potentially incomplete results
  - Fixed missing size and extractedSize columns on Extraction -> Blob page
  - Fixed Firmware list CSV export
- **Extraction**:
  - Fixed jffs extraction errors

### v23.6.13 (2023-06-13)

#### New functionality

- **UI**:
  - Add Firmware Extraction page to show extracted firmware structure
    - Display identified blobs (chunks and multi-files) with details
    - Display entropy information and chart for unknown chunks
    - Display firmware structure as heatmap
  - Add convenient tenant selector into the header and always display current tenant name
- **Extraction**:
  - Add Advenica format support
  - Add Cisco ADSM & SGZ format support
  - Add Cisco CSB (Tesla) format support
  - Add Dahua encrypted SecrityImg format support
  - Add Android dynamic partitions format support
- **Component**:
  - Add automatic component detection for installed python wheel packages
  - Add automatic component detection for go binaries and built-in dependencies
  - Add component detection for:
    - MIT krb5
    - libseccomp
    - libidn2
    - liblzo2
    - libnfnetlink
    - libnss_myhostname
    - libslirp
    - libyaml
    - openssl-tpm-engine
    - re2
    - rocksdb
    - podman
    - opencontainer-runc
    - resolvconf
    - slirp4netns
    - strace
    - tcp-wrappers
    - safec library
    - skopeo
    - zstd
    - yajl
    - abseil-cpp
    - cni
    - conmon
    - cyrus-sasl
    - file (libmagic)
    - gflags
    - hdparm
    - libattr

#### Fixes

- **Analysis**:
  - Fixed kernel image detection for certain ARM images
  - Fixed false-positive Hardcoded credential detection in openssl command
- **Component**:
  - Fixed openldap component detection rules
  - Fixed lttng component detection rules
  - Fixed Trousers component detection rules
  - Fixed procps version detection
  - Fixed protobuf version detection
  - Fixed tcpdump version detection
- **UI**:
  - Fixed User group information to reflect recent group changes
  - Fixed user list in Groups management to sort by name
  - Fixed compliance guideline summary formatting on Compliance page
  - Fixed clear filter button on data tables to reset back to default state, also renamed buttons to "Reset filter"
  - Fixed dark mode problems
  - Fixed misaligned checkboxes
  - Fixed potential data-table crash with 0 items
- **Extraction**:
  - Fixed IHEX extraction when handling multiple IHEX content in one file
  - Fixed tar extraction to handle duplicate entries
  - Fixed tar extraction to handle absolute symlinks
  - Fixed squashfs v2 extraction error in some non-standard cases
- **Reporting**:
  - Fixed compliance guideline title formatting in PDF reports
  - Fixed summary and count formatting in PDF reports
- **API**:
  - Fixed firmware progress subscription to show properly in-progress analysis cases

### v23.5.31 (2023-05-31)

#### New functionality

- **Extraction**:
  - Add Docker image format support (docker save)
  - Add Android sparse data format support
  - Add multi-volume SevenZip format support
- **API**:
  - Extended Chunk API to support MultiFile and Blob types

#### Fixes

- **Analysis**:
  - Fixed false-positive malware report on busybox
  - Fixed false-positive Static code analysis (Insecure communication) issues reported in standard python libraries
  - Fixed false-positive invalid Dropbear command line issue report in package meta files
- **Component**:
  - Fixed dnsmasq version detection
  - Fixed mosquitto detection rules
- **UI**:
  - Fixed data-table "Reset table" button to reset table to default settings & filters
  - Fixed User group information after a user update to reflect the latest changes
  - Fixed refreshing Dashboard and Firmware list once firmware processing is done
  - Fixed global Compliance page crash on slow connection case
  - Fixed Firmware comparison CSV export to include referenced firmware names
- **Extraction**:
  - Fixed Yealink BIG endian format support
  - Fixed SquashFS format support for Netgear firmware images with invalid endianness

### v23.5.23 (2023-05-23)

#### New functionality

- **Reporting**:
  - Extend report configuration with Status selector
  - Extend reporting with status and audit history information
- **API**:
  - Extend Component with fileCount to speed up queries
  - Extend ComponentFilter with name so Components can be filtered by name
  - Extend firmwareTimeline to restrict results to a specified number of latest firmware images
  - Extend firmwareTimeline so firmware images can be filtered using FirmwareFilter
  - Extend allFirmwares to restrict results to a specified number of latest firmware images

#### Fixes

- **Component**:
  - Fixed strongswan component missing CPE information
- **UI**:
  - Fixed Artifacts -> Images page loading speed and cache download images
  - Fixed displaying empty results set on Firmware -> Files page when search is used
  - Fixed CVEs page score column alignment in dense mode
  - Fixed firmware analysis progress indicator to link finished result to firmware page
  - Fixed Reports page data-table to enable full-screen mode
  - Fixed Compliance page title alignment
  - Fixed Search in Files page saved filters
  - Fixed displayed Issue & CVE audit history to include latest status changes
  - Fixed Issue details page to hide audit history in an accordion
  - Fixed Firmware pages crash in case of an error reported over the API
  - Fixed Issue details page for static code analysis to properly highlight long rows
  - Fixed Firmware -> Components page loading time with high number of components & files
  - Fixed Analysis Overview page Product History loading time
  - Fixed Firmware -> Product History page loading time
- **Extraction**:
  - Fixed uImage format support
- **API**:
  - Fixed firmware processing subscription error on failed analysis

### v23.5.10 (2023-05-10)

#### New functionality

- **UI**:
  - Add compliance section summary to Firmware->Compliance page
  - Extend Issue details page with status information and audit trail on status changes. The status can also be
     updated from the details popup.
- **Extraction**:
  - Add Qualcomm FBPK format support
  - Add Qualcomm FBPT format support
  - Add Android bootloader format support
- **API**:
  - Add firmware analysis error & warning details to Analysis object
  - Add entropy information to Chunk and RegularFile objects

#### Fixes

- **Component**:
  - Fixed component license information:
    - alsa-lib, alsa-utils
    - curl
    - ebtables
    - libdbus
    - fuse
    - gpg libgcrypt
    - libflac
    - libid3tag
    - liblzma
    - libnl
    - libreadline
    - libusb
    - libuuid
    - libwebsockets
    - logrotate
    - luasec
    - luasocket
    - mkdosfs
    - net-snmp
    - nftables
    - OpenWRT UCI
    - privoxy
    - px5g
    - qmicli
    - quagga
    - sqldiff3
    - sqlite3
    - strongswan
    - stunnel
    - udhcpd
    - WolfSSL
    - xz-utils
  - Fixed ntp component detection rules
- **Analysis**:
  - Fixed file category of PCX files
  - Fixed false-positive private key detected in python hazmat test-vectors
  - Fixed false-positive HardcodedCredential issue detection in python script
  - Fixed Firmware list page performance with higher firmware number
  - Fixed datatable clear filter button on all pages
- **UI**:
  - Fixed File details popup hex viewer
  - Fixed Static code issues details popup with extra long lines
  - Fixed Firmware -> Files page filtering by file name
- **Extraction**:
  - Fixed extraction problem with long file names
  - Fixed extraction problem with long symlink target names
  - Fixed invalid YAFFS detection to handle empty trees

### v23.5.2 (2023-05-02)

#### Fixes

- **Analysis**:
  - Fixed handling of some invalid CPP demangled symbol names
- **UI**:
  - Fixed dropdown width to fit long tenant names
  - Fixed documentation links in the footer by adding GraphQL documentation link as well
  - Fixed analyses history page to sort and display analyses by finish time instead of start time
  - Fixed displaying issue details on analyses comparison page
  - Fixed Search in Components page and make Firmware name clickable to open the Firmware details page
  - Fixed dark mode inconsistencies
  - Fixed page crash during report generation
  - Fixed Files -> Directory structure visualization when chart is optimized due to high number of files
  - Fixed Analysis Overview page load time by optimizing the query
  - Fixed Firmwares page load time by optimizing the query
- **Extraction**:
  - Fixed handling non-Posix path during extraction

### v23.4.26 (2023-04-26)

#### New functionality

- **UI**:
  - Add directory tree visualization using heatmaps to the Firmware -> Files page besides the current tree view
  - Add quick component filtering to Firmware -> Files page to highlight component files or files without associated
     component
- **API**:
  - Extended GraphQL Analysis type with cveMatchCount to query CVEMatch by Severity count
  - Extended CVEMatchFilter to be able to filter on match score
- **Extraction**:
  - Add Android DTBO format support
  - Add INSTAR HD format support
- **Component**:
  - Add component detection for:
    - open62541
    - SystemCORP IEC 61850 PIS10
    - libba-web
    - libctemplate
    - libattr
    - libfastcgi
    - libmnl
    - libpci
    - oopslog
    - poco
    - protobuf
    - libsodium
    - Apache Thrift

#### Fixes

- **Analysis**:
  - Fixed false-positive hardcoded AWS credential picked up in python scripts
  - Fixed false-positive insecure communication issue to loopback addresses picked up in python scripts
- **UI**:
  - Fixed password reset dialog to warn about expired password reset token
  - Fixed displayed time and standardized timezone calculation
  - Fixed displaying added Issues on firmware and analysis comparison page
- **API**:
  - Fixed Analysis -> issueCount calculation speed
- **Components**:
  - Fixed uC/OS-II component detection
  - Fixed OpenSSH component detection
  - Fixed libssh2 component detection
  - Fixed brctl component detection
  - Fixed 7zip component detection
  - Fixed iptables component detection

### v23.4.19 (2023-04-19)

#### New functionality

- **UI**:
  - Add the ability to manually flag Issues and CVEs with a status and comment. This makes it possible to flag
     false-positive findings, ignore findings with accepted risk or flag interesting focused findings. All status
     updates are recorded and the audit-trail with user comments is available as well. Issues and CVEs can be filtered
     by status and only findings with open status are displayed by default.
- **API**:
  - Add file chunk information to provide insights into the firmware structure and extraction process
  - Add Issue & CVE status, audit-trail fields and mutation queries
- **Extraction**:
  - Add HP IPK & BDL format support

#### Fixes

- **Analysis**:
  - Fixed image and video file categorization
  - Fixed duplicate issues reported for the same problem
- **UI**:
  - Fixed product history page to display a loading indicator instead of an empty list while data is fetched
  - Fixed CVEs page sorting for CVE IDs and for match scores
  - Fixed dashboard to display issue count properly
  - Disable analysis details pages for failed analysis
  - Fixed Components page to sort components alphabetically
  - Fixed Firmware page to show N/A as firmware size while firmware is being analyzed
- **Components**:
  - Fixed component detection rule for Expat XML parser
- **Extraction**:
  - Fixed duplicate file extraction error in tar files
  - Fixed YAFFS format handling and extraction

### v23.4.11 (2023-04-11)

#### New functionality

- **Analysis**:
  - Detect insecure communication code using telnetlib and unverified TLS connections in Python applications
  - Added LUA support for static code analysis
- **UI**:
  - A new [Quickstart Guide](https://docs.onekey.com/platform-guide/getting-started/) is added. It is accessible from the Docs menu in the footer section
     together with the existing *API docs* and the *How do we analyze?* documentation
  - Improved syntax highlight of code blocks shown for static code analysis issues

#### Fixes

- **Analysis**:
  - Fixed analysis errors in case the firmware contained a symbolic link pointing to a non-Unicode path
  - Improved LUA file categorization
- **UI**:
  - Fixed Issues page crash in case of certain private key related issues
  - Fixed Firmware -> CVEs page containing irrelevant match evidences
  - Fixed path columns in data-tables missing slashes (/) in certain places
- **Extraction**:
  - Fixed regression in extraction of SquashFS file systems using LZMA adaptive compression.

Detection of the following vulnerabilities has been disabled for the time being, due to an excessive false-positive
detection rate:

- Linksys getstinfo.cgi WPA Key Disclosure
- Broadcom SDK UPnP Stack Buffer Overflow (SSDP ST field)
- Broadcom SDK UPnP Heap Buffer Overflow (UPnP Portmap Add)

### v23.4.4 (2023-04-04)

#### Incompatible monitoring & firmware comparison change

You may find that some firmwares under continuous monitoring or firmware/analysis comparison have unusual
findings: some issues appear to be removed only to be replaced with an almost identical one. This is caused by a change
in the way ONEKEY extracts the firmware: the extraction path of some files might change, which affects the identified
issues, and these are hence reported as changed.

This is a necessary technical change to standardize the extracted file structure in order to reliably identify issues
across different versions of a firmware. This change doesn't necessarily affect all files and all issues. Some
firmwares have all their issues removed and re-added, some only a couple, and for some, nothing changes at all,
depending on the actual firmware.

#### New functionality

- **Components**:
  - Add component detection for:
    - µC/OS II
    - git
    - jansson
    - json-glib
    - libgrpc
    - log4cplus
    - dpkg
    - htop
    - iproute2
    - minizip (split from zlib)
    - nano
    - nftables
    - rauc
    - tpm-tools
    - trousers (tcsd)
    - Espressif ESP-IDF
- **Extraction**:
  - Add INSTAR BNEG format support
- **Analysis**:
  - Add detection on plaintext insecure communication code in python applications
- **API**:
  - Introduced stable issue and CVE comparison to reliably compare analyses results between different firmware images

#### Fixes

- **Components**:
  - Fixed component and version detection for:
    - rsync
    - sed
    - tar
    - tcpdump
    - watchdog
    - mbedTLS
    - WolfSSL
    - tmdns
  - Fixed YOCTO package based component name & version detection to avoid reporting duplicate components
  - Fixed Debian package based component name & version detection to avoid reporting duplicate components
  - Unified OpenLDAP utility components into one OpenLDAP component
- **UI**:
  - Fixed displaying empty folders on Firmware -> Files page
  - Fixed data table sorting on columns with missing or empty values
  - Fixed Product Groups page to sort products alphabetically when assigning to product groups
  - Fixed Issue details view on static code related issue to display the whole source file with problem highlighting
  - Fixed Global Compliance page data-table header when grouped by a column
  - Fixed firmware and analyses comparison page to directly link to the firmware page from the firmware name
  - Fixed firmware and analyses comparison page error when opening details popup for dropped issues
  - Fixed product history page to display new & dropped issue and CVE count between different versions
  - Fixed product history page to properly sort firmware images by upload time
  - Fixed data table density handling by remembering the user preference across the application
  - Fixed CVE details page formatting in dark mode
  - Fixed displayed tenant name size
  - Fixed Firmware -> Analysis Overview page crash when opening non-existent firmware
  - Fixed CVE data-table when expanding and collapsing CVE details
  - Fixed Firmware -> Binary hardening page to always display total binary ELF file count
  - Fixed Expert Review popup extra gap in the layout
  - Fixed HTML injection vulnerability on Swagger API documentation page (thanks Abir Khan for reporting it)
- **Analysis**:
  - Fixed false-positive issues reported in magic files
  - Fixed command injection detection to cover PHP special wrappers
  - Fixed false-positive private key and certificate detection by ignoring OpenSSL & Android key-master test vectors
  - Fixed false-positive insecure Dropbear command detection
  - Fixed component and issue detection in the uploaded firmware image directly when image is not extracted
  - Fixed file category for Targa image files
  - Fixed false-positives and improved Hardcoded Credential issue detection in python code
  - Fixed certificate issue detection to handle firmware with high certificate count
  - Fixed certificate - private key pairing to handle firmware with high certificate/private key count
- **Extraction**:
  - Fixed extraction path to omit offset information from extracted filenames. This keeps filenames and paths stable
     even between slightly different firmware images.

### v23.3.20 (2023-03-20)

#### New functionality

- **Extraction**:
  - Add support for SquashFS v2 format
  - Add support for QNAP NAS image format

#### Fixes

- **Components**:
  - Fixed Router Advertisement Daemon (radvd) version detection
  - Dropped duplicate iptables & ebtables extension components
  - Simplified sqlite3 and libsqlite3 components into sqlite3
  - Fixed libuuid version detection
  - Fixed libsnl version detection
  - Fixed linux kernel module component detection to assign kernel module to the specific Linux Kernel component
- **UI**:
  - Fixed UI caching & loading problem after a new release
  - Fixed SBOM download on failed analysis by disabling it
  - Fixed monitoring status label after monitoring has been enabled/disabled
  - Fixed Search in Files content search page crash when searching for invalid regex pattern
  - Fixed error handling and presentation when the UI gets an HTML error page during maintenance
  - Fixed displaying large source file in static analysis issue details
  - Fixed missing match column on Firmware -> Files page when searching in file content
  - Fixed product history page to display new & dropped issue and cve counts
  - Fixed Firmware Info page to enable release date update
  - Fixed Firmware -> Files page crash
  - Fixed firmware/analysis comparison page missing full screen mode & CVE details section
  - Fixed restoring column grouping from data-table shared URL
  - Fixed displaying issue details in analysis comparison page for "dropped" issues
- **Analysis**:
  - Extract kernel symbols (kallsyms) from ELF kernel images as well, though symbols are non-standard ELF symbols
- **Extraction**:
  - Fixed initramfs extraction from Linux kernel images, where kernel was not a standalone object

### v23.3.13 (2023-03-13)

#### New functionality

- **Compliance**:
  - Add new guidelines to compliance checker:
    - IEC 62443-4-2
    - UN Regulation No 155
    - IoT Security Foundation Assurance Framework
    - UK Product Security and Telecommunications Infrastructure Act 2022
    - NIST IR 8259A: IoT Device Cybersecurity Capability Core Baseline
    - ioXt: 2020 Base Profile
- **Analysis**:
  - Add Insecure Plaintext Communication issue detection in python application
  - Add Hardcoded Credential issue detection in python application
- **Extraction**:
  - Add Wind River MemFS format support
  - Add XIAOMI HDR1 format support

#### Fixes

- **Compliance**:
  - Fixed OWASP IoT Top 10 compliance guideline criteria order & description
  - Fixed BITAG compliance guideline criteria title & description
  - Fixed GOV.UK Consumer IoT Guideline criteria title & description
  - Removed obsolete DIN 27072 & ETSI 103 645 guidelines as those are superseded by ETSI 303 645
- **UI**:
  - Fixed file download in Search in files results
  - Fixed binary hardening chart
  - Fixed expand button on Firmware -> Compliance page
  - Fixed Product History page to show loading indicator
  - Fixed CVEs page to include CVE matching score filter in share & filter save/restore/clear
- **Analysis**:
  - Fixed hardcoded password detection in shadow files
  - Fixed package manager based component version extraction & CVE matching for Debian based systems

NOTE: In order to get compliance checker results for the new or modified guidelines, the firmware needs to be reanalyzed.

### v23.3.6 (2023-03-06)

#### New functionality

- **Components**:
  - Extended component detection to use package manager metadata to collect component information. OPKG, IPKG and DEB
     package manager status information is used to identify components. This new data source improves the accuracy and
     the package coverage to provide an accurate component list and SBOM.
  - Extended component detection to detect JavaScript and TypeScript packages installed on the firmware.
- **Extraction**:
  - Add support for Engenius encrypted firmware format

#### Fixes

- **Components**:
  - Fixed duplicate components detected in a file with a known and unknown version
  - Fixed component CPE and license information:
    - Bridge utils
    - DNSCrypt Proxy
    - Dropbear SSH
    - FDISK
    - HostAPD
    - HostAPD CLI
    - IW utils
    - LibBlkID
    - LibGMP
    - LibPThread
    - LibTIFF
    - LibTinyXML
    - LibUBOX
    - LibUSB
    - LibUUID
    - MmAdm
    - NodogSplash
    - Stubby
    - PPP
    - UBUS
    - USBMuxD
  - Fixed zlib component detection rules
- **UI**:
  - Fixed crash when opening an issue from the analyses/firmware comparison page
  - Fixed binary hardening page when no binary has any missing hardening
- **Extraction**:
  - Fixed ELF file extraction to keep ELF content embedded in firmware image
  - Fixed initramfs padding calculation and extraction from Linux kernel images

### v23.3.1 (2023-03-01)

#### New functionality

- **UI**:
  - Introduced a new Firmware Files page with functionality similar to other data-tables. The new files browser
     supports advanced search, full-screen mode and density setting. The page also works faster for firmware images with
     a high number of files.
- **Components**:
  - Add component detection for ThroughTek Kalay P2P SDK
- **Extraction**:
  - Add support for DLINK encrypted image format
  - Add support for DLINK SHRS format

#### Fixes

- **Extraction**:
  - Fixed extraction error caused by extracting an archive which contains an already extracted firmware

### v23.2.22 (2023-02-22)

#### New functionality

- **Analysis**:
  - Added automatic CVE reduction to eliminate irrelevant CVEs, saving time on triaging and letting analysts focus on
     relevant true positive vulnerabilities. Every CVE is analyzed in the context of the firmware to determine if the
     given vulnerability is present and affects the product. Evidence is collected and attached to CVE matches, which
     can be used in further triaging or to document why certain vulnerabilities are not relevant.
    - Reporting is extended to include the match score for each CVE, and eliminated CVEs are listed with the
       corresponding evidence.
    - Compliance checkers have been extended to ignore eliminated CVE entries when calculating violated - non violated
       status.
    - Firmware and analyses comparison have been extended to ignore eliminated CVE entries. Monitoring does not report
       on ignored CVE entries.
    - NOTE: Monitoring and firmware comparison will report all ignored CVE entries as dropped, because previous
       analyses did not have this functionality, so all newly ignored CVE entries are considered dropped. This
       happens only once, at this upgrade.
  - Added exploitability information to CVEs. Each CVE entry is extended with Exploit Maturity & Exploit Prediction
     Scoring System data. CVE list can be filtered by exploitability data.
  - Added "well-known" name references to CVE entries.
  - For more insights on CVE reduction, check out the [online seminar](https://app.livestorm.co/onekey/how-to-save-significant-time-and-resources-through-intelligent-automated-cve-reduction?utm_source=changelog)
     on "How to save significant time and resources through intelligent, automated CVE reduction"
- **UI**:
  - Reworked the CVE entry details to display all references, exploit information, CVSS details and CVE match evidence.
- **API**:
  - Extend CVEMatch API with match score and evidences
  - Extend CVEEntry with exploitability data

#### Fixes

- **UI**:
  - Fixed group count on data-table when grouping is enabled and a group is opened
- **Analysis**:
  - Fixed ELF file compiler information when multiple compiler records are present

### v23.2.16 (2023-02-16)

#### New functionality

- **Extraction**:
  - Added Microchip MPFS2 format support
  - Added Netgear CHK format support
- **Components**:
  - Add component detection for:
    - Microchip Demo HTTP
    - Microchip TCP/IP stack
    - Microchip USB stack
    - WolfSSH
    - AxTLS
    - cpulimit
    - libcwebui
    - lua-cjson
    - liblz4
    - libyang
    - schedtool
    - sysrepo
    - protobuf-c
    - libredblack
    - libunwind
    - lxc
    - penlight
    - netopeer

#### Fixes

- **UI**:
  - Fixed image artifact page to display detected images and report proper image count on Analysis Overview page
  - Fixed new release changelog invalid alert when changelog was not available
  - Fixed Firmwares page crash when filtering on non-existent value
  - Fixed data tables to enable density switch everywhere
  - Fixed a severity name typo and changed Informal severity to Informational
  - Fixed data-tables to make firmware name clickable to open the firmware details page
- **Components**:
  - Fixed VxWorks component detection to handle non-ELF images
  - Fixed Samba component detection
  - Fixed curl component detection
  - Fixed iptables component detection and license & cpe data
  - Fixed dhcp component detection and license & cpe data
  - Fixed libarchive component detection and license & cpe data
  - Fixed python component detection and license & cpe data
  - Fixed Router Advertisement Daemon component version detection
  - Fixed CRYPTOGRAPHY tag on crypto related components
- **API**:
  - Extend files query filter (FilesFilter) with category
  - Extend fileCount query with filtering (FilesFilter)
  - Limit the number of firmware to 10 that could be included in a single report
  - Fixed a severity name typo and changed Informal severity to Informational
- **Analysis**:
  - Fixed false-positive hardcoded password detection to avoid detecting text that looks like a DES hash
  - Fixed failing analysis for empty and un-extractable firmware images
  - Fixed private key enumeration false-positive to ignore test vectors from Google JWT library
- **Extraction**:
  - Fixed false-positive LZMA chunk detection to avoid invalid extraction

### v23.2.8 (2023-02-08)

#### New functionality

- **Analysis**:
  - Add automatic malware checker. All extracted files are scanned for viruses and malware and findings are reported
     as MaliciousSoftwareIssue.
- **UI**:
  - Add dense mode selections to data-tables. Dense mode allows much more data to be displayed on the screen to help
     analysts oversee results.
  - Display group count in data-tables when table is grouped by a column
  - Extend data-table filtering with select all and invert selection quick actions

#### Fixes

- **UI**:
  - Fixed full-screen mode for Binary hardening data table
  - Fixed user, user group, product group lists to be sorted alphabetically in the tenant admin section
  - Fixed add / modify user group functionality to permit groups without any assigned user
  - Fixed opening the Compliance page from the Analysis Overview page to automatically select the same guideline
  - Fixed Analyses comparison page to prevent comparing failed analyses
  - Fixed latest monitoring findings count on the Dashboard and Firmware Overview pages
  - Fixed dropbear insecure configuration checker to ignore ssh-keygen arguments
- **Components**:
  - Fixed sqlite3 version detection
- **Analysis**:
  - Fixed ELF hardening issue false-positives to exclude Linux kernel module files
  - Fixed Xiongmai insecure management protocol detection false-positive
  - Fixed hardcoded account password false-positive in documentation and other misc files
  - Fixed hardcoded account password false-positive in commented lines
  - Fixed miscategorized image files
  - Fixed private key detection false-positives to ignore openvpn sample keys
- **Extraction**:
  - Fixed IHEX format handling for multi-chunk cases

### v23.1.30 (2023-01-30)

#### New functionality

- **API**:
  - Increased upload file size limit to 10GB (In case this limit is not sufficient, please contact support)
- **Extraction**:
  - Introduced firmware extraction limit to stop processing firmware over 20GB extracted size and 100k files
     (In case this limit is not sufficient, please contact support)
  - Add extraction handler for Hirschman NEWH archive

#### Fixes

- **UI**:
  - Fixed crash when opening file details from global Issues page
  - Fixed error message when deleting firmware fails
  - Fixed Analyses History page to always display initial analysis
  - Fixed CSS caching errors, which caused problems on new version deployment and required a full page refresh
  - Fixed missing component version and CVSS fields in CVE export
  - Fixed displaying original file sizes to use proper K/M/G calculation
  - Fixed error messages when adding user, user group, product group with already existing name
- **API**:
  - Fixed product name checking to allow names with `/`
  - Fixed report configuration name checking to allow names with `/`
- **Components**:
  - Fixed VxWorks component detection
- **Analysis**:
  - Fixed private key detection false-positive by ignoring test vector keys from cherrypy, gevent, httpsclient
  - Fixed insecure communication plain text false-positive in setuptools code
  - Fixed false-positive in static code analysis, to exclude certain PHP global variables which are not user supplied
  - Fixed false-positive in static code analysis, to consider SQL string escaping when checking for SQL injections
  - Fixed analysis error caused by invalid C++ symbol during demangle
- **Extraction**:
  - Fixed multi-file extraction error in PCK format
  - Fixed empty _extraction directory when file is not extracted

### v23.1.24 (2023-01-24)

#### New functionality

- **Components**:
  - Add component detection for M5T SIP Client Engine
  - Add component detection for UMSD
  - Add component detection for Bootastic
  - Add component detection for linux-ptp
  - Add component detection for memleak-tools
  - Add component & OS detection for Teltonika RutOS
  - Add component & OS detection for devolo DelOS
- **UI**:
  - Extended data tables to be able to open a row in a new tab

#### Fixes

- **UI**:
  - Fixed page crash when opening the details popup on the ELF Hardening page
  - Fixed invalid error message when clearing filter on Search in Files page
  - Fixed grouped table headers and scroll bar colors in dark mode
  - Fixed User group management to allow saving groups without description
  - Fixed comparison page issue count to exclude ELF hardening related issue count
  - Fixed Firmwares table to properly display 0 byte firmware images
  - Fixed File details popup ELF Info section to properly populate CPU and endian fields
  - Fixed stored filters, grouping on Passwords, Certificates and Private Keys artifact pages
  - Fixed CSV/JSON export on CVEs page to include Component field
- **API**:
  - Re-enabled email notification on finished analyses
  - Re-enabled email notification on monitoring findings
- **Components**:
  - Fixed dhclient license information
  - Fixed sqlite license information
  - Fixed ethtool license information
  - Fixed gnu awk license information
  - Fixed sshpass license information
  - Fixed sudo license information
  - Fixed libpng license and CPE information
  - Fixed libubox license information
  - Fixed libuuid license information and component detection
  - Fixed libnl license information and component detection
  - Fixed libstdc++ component detection
  - Fixed fbShot component detection
  - Fixed gzip component detection
  - Fixed glib component detection to cover micro version as well
  - Fixed libpng component detection
  - Merged ALSA components into one general ALSA component
  - Merged PAM components into one PAM component
  - Fixed and split detection for U-Boot and libubootenv
  - Fixed libpixman component detection
  - Fixed pango component detection
  - Fixed imagemagick component detection
  - Fixed libgcc component detection
  - Fixed libwvhidl component detection
  - Fixed android component detection
  - Fixed readline component detection
- **Analysis**:
  - Fixed false-positive issues detected in nmap script engine (NSE) files
  - Fixed false-positive Tenda Backdoor detection in IPS rules files

### v23.1.17 (2023-01-17)

#### New functionality

- **UI**:
  - New data-table introduced for all tables. The new data table provides faster scrolling, easy result sharing,
     full-screen view mode, general grouping, sorting on all columns

#### Fixes

- **UI**:
  - Add confirmation to expert review form, when message is empty to avoid accidental review requests
  - Fixed references to directories in Issues
  - Fixed new changelog modal window being displayed after every login; it is now shown only once after each new release
  - Display descriptions for detected management protocols
  - Fixed CSV export to use CRLF line ending
  - Fixed Firmware->Issues page default sorting to sort issues by Severity
  - Fixed Firmware -> Product History page to display firmwares with changes only by default
  - Fixed displaying multiline user notes on Firmware Info page
  - Fixed dark mode & GraphQL console user settings to persist between logins on the same browser
  - Fixed Dashboard to avoid infinite query loop when a firmware analysis fails
- **API**:
  - Fixed authentication and user management issues caused by case-sensitive email addresses
  - Fixed email validation to allow plus (+) sign in email addresses
- **Components**:
  - Fixed net-snmp component detection
  - Fixed OpenSWAN component detection
  - Fixed FreeRADIUS component detection
- **Analysis**:
  - Fixed potential false-positive in AWS secret key detection
  - Demangle C++ symbols to show full readable name

### v23.1.10 (2023-01-10)

#### Fixes

- **UI**:
  - Fixed CVE entry link to the NVD website
- **Components**:
  - Fixed false positive OS component identified in nmap service probes
  - Fixed libgcc license
  - Fixed false-positive DAG component detection
- **Analysis**:
  - Fixed false-positive hardcoded password detection in ftpasswd command
  - Fixed false-positive DES hardcoded passwords in passwd/shadow files
  - Fixed false-positive insecure communication results detected in documentation files

### v23.1.3 (2023-01-03)

#### New functionality

- **UI**:
  - New data-table introduced for Firmware -> CVEs page (faster scrolling, full-screen view mode, easy result sharing)
  - Audio files can be played in the file details popup

#### Fixes

- **UI**:
  - Fixed screen layout for small screen sizes (less than 1060px width)
  - Fixed file dialog size to avoid double scrolling
  - Fixed global issues page to open referenced files in a popup
  - When downloading firmware image use the original filename to save the file instead of the firmware name
  - Fixed updating report download link once report generation is finished, so reports can be downloaded without
     reloading the page
  - Fixed Reports page to display reports where report configuration has been deleted
  - Sort tenants alphabetically in tenant selectors
  - Fixed opening directories from issue details to avoid unknown file type errors
  - Automatically select report configuration when only one config is available
  - Display symlink target information in file details popup
  - Display warning when compliance checker has no result for a given compliance guideline instead of displaying
     non-violated everywhere
- **API**:
  - Properly handle cases when user is removed then re-added to a tenant
  - Extend initial invite's password reset token validity to 1 day
  - Fixed downloading image, font, html and css files
  - Fixed firmware comparison error to treat files as same when parent chunk offset is different
  - Allow hyphen (`-`) characters in email addresses when registering new account
- **Analysis**:
  - Fixed insecure dropbear & openssh checker to avoid picking up false-positives from documentation examples
  - Fixed insecure communication security checker to avoid picking up false-positives from documentation examples
  - Fixed false-positive passwords picked up from glibc & beam test vectors as well as from HTML documents & aug files
  - Fixed false-positive in private key detection to ignore openssl, cherrypy, gevent, httpsclient test keys
  - Fixed static code analysis checker failures
- **Extraction**:
  - Fixed extraction errors caused by non-posix compliant file paths
  - Fixed extraction errors caused by false-positive zlib matches
  - Fixed lzop extract problems
- **General**:
  - Re-enabled monitoring support to continuously re-analyze firmware images to identify new vulnerabilities

### v22.12.12 (2022-12-12)

#### Fixes

- **UI**:
  - Re-added missing CWE column to the CVE list page
  - Fixed report page to handle reports where report configuration has been deleted for a given report
- **Components**:
  - Fixed potential OpenSSL false-positive component cases
- **Analysis**:
  - Add more details to failed certificate verification issue
- **Extraction**:
  - Fixed CPIO extraction with sticky bit permissions
  - Fixed extraction errors for files over 4GB in size

### v22.12.5 (2022-12-05)

#### New functionality

- **Compliance**:
  - Added EU Cyber Resilience Act to the compliance checker (note that firmware needs to be reanalyzed to have
     compliance checker results)

#### Fixes

- **UI**:
  - Fixed analysis history page, showing past analysis results
  - Fixed severity label on the issues page when issues are grouped by type
  - Fixed firmware upload form to show only unique vendor suggestions
  - Fixed password table when file path was too long
  - Fixed file category search on Files page to be case-insensitive
  - Fixed last version filter on global Firmware and Issues page
  - Fixed product history chart order on Analysis Overview page
  - Fixed compliance details view to display ELF binary hardening related issues
  - Fixed error reporting when managing Users, User Groups and Product Groups
  - Fixed CVE chart to include all CVE severities on Analysis Overview page
  - Fixed analysis and product history page to show number of new/dropped CVEs
  - Fixed Binary Hardening page radar chart counts
  - Fixed sort order when sorting by Severity in tables
  - Fixed global compliance page to properly show all criteria for a given guideline
- **Components**:
  - Fixed perl version detection
  - Fixed freetype version detection
  - Fixed FreeRTOS component detection
  - Fixed mtd-utils false-positive cases
  - Fixed net-snmp version detection
  - Fixed lldpd version detection
  - Fixed libglib false-positive cases
- **Reporting**:
  - Extended chapter title with numbering
  - Fixed table of contents linking for reports with multiple firmware images
  - Fixed component table overflows
- **Analysis**:
  - Ignore communication security false-positives picked up from documentation examples
- **Extraction**:
  - Increased extraction depth to support firmware images with high number of layers

### v22.11.28 (2022-11-28)

#### New functionality

- **Components**:
  - Add Samba detection
  - Add Mathopd detection
- **Extraction**:
  - Add MTS format support
  - Add PCK format support
  - Add WebROM format support

#### Fixes

- **UI**:
  - Add references and descriptions to Unwanted Software & Vulnerability Pattern issues
  - Refresh analysis overview page once the analysis finishes
  - Fixed issue severity filter on Issues page
  - Fixed dashboard error when switching between tenants
  - Extend "How do we analyze" page with external references
  - Added private keys list to the certificate details popup
  - Fixed report generation update handling & refresh Reports page once report is generated
  - Speed up Files page and handle API timeouts & errors properly
  - Display proper error messages on User, UserGroup and Product Group management pages
  - Display proper error messages when updating Firmware information or changing Reporting configuration
  - Fixed compliance details page crash
  - Fixed CVE page filtering
- **Components**:
  - Fixed curl & GNU binutils version detection by removing an extra dot from the version
  - Fixed wget version detection
  - Fixed Cisco IOS XR detection
  - Fixed false-positive WolfSSL component & version detection
  - Fixed iproute2 version detection
- **Extraction**:
  - Fixed JFFS extraction error of files with size greater than one erase block

### v22.11.23 (2022-11-23)

This is a major release which contains significant improvements and changes in the platform:

- Added **0-day vulnerability detection** to identify command injection, code execution, SQL injection, file inclusion,
header injection, path traversal, object initialization, insecure communication and crypto usages in PHP and Python code
- Extended software **component detection coverage to 1000+ identified components**. Also improved detection accuracy
by analyzing binary symbols.
- Improved firmware extraction & enumeration to **handle firmware images beyond 5GB**
- Extended private key detection to **cover OpenSSH & Dropbear private key formats and elliptic curve keys**
- CVEs reported for each component & version separately instead of all versions of a given component merged
- The issue structure has been reworked so that each issue represents a single occurrence of the given problem. The API
  has been updated to reflect the change
- Severity scale has been extended to include Critical and Informational levels to better represent identified issues
- Firmware and analyses comparison results are split into issues and CVEs to increase change description accuracy
- Refreshed PDF report to include CVE & issue summaries, compact CVE & Issue views and component list
- Moved SaaS platform to **onekey.com** domain

Monitoring is temporarily disabled on the platform and will be re-enabled in the upcoming release.

### v22.9.20 (2022-09-20)

#### Fixes

- **UI**:
  - Fixed issue count on Analysis Overview page
  - Fixed displaying binary files in file preview with only zero bytes
  - Fixed column picker to disappear when clicked outside the popup
  - Only display total size and file count on the Firmware info page when firmware analysis is done
  - Fixed new CVE entries description on the Dashboard
  - Fixed firmware upload to display recently added vendors and products to the dropdown
  - Fixed report generation progress bar to show the status of pending reports
  - Fixed occasional backend service not available errors
  - Fixed SBOM download on non-Chrome browsers
- **Reporting**:
  - Updated report templates with ONEKEY design
- **False positives**:
  - Built-in test passwords in grub are ignored
  - Example passwords from man pages are ignored

### v22.09.12 (2022-09-12)

#### New functionality

- **Extraction**:
  - Added zlib compression support
  - Added support for handling truncated CPIO archive

#### Fixes

- **UI**:
  - Cleaned up CVE labels on the dashboard to improve clarity
  - Fixed popover closing issue on User and Notification menu
  - Fixed CVE table crash on firmware comparison page
  - Fixed Expert Review dialog button layout
- **Extraction**:
  - Fixed SquashFS DDWRT detection
  - Fixed firmware processing with embedded special files (e.g. block/character device, fifo, sockets)

### v22.09.05 (2022-09-05)

#### Fixes

- **UI**:
  - Fixed missing compliance guideline link to publisher website
  - Fixed mitigation technique filter on Files page, filters can be removed now
  - Fixed file download error handling on non-Chrome browsers
  - Fixed CVE view to include line breaks when displaying long summaries
- **API**:
  - Fixed firmware upload for large firmware images and slow connections
- **Extraction**:
  - Fixed Android OTA image extraction errors

### v22.08.29 (2022-08-29)

#### New functionality

- **UI**:
  - Add CycloneDX SBOM export of components and related files
- **Extraction**:
  - Added FreeRTOS OTA partition format support

#### Fixes

- **UI**:
  - Fixed detecting binary files and displaying them properly in the file details view
  - Fixed firmware page not loading with empty custom filters
  - Unified error dialogs
  - Fixed tooltips in firmware upload dialog
- **Extraction**:
  - Fixed Rockchip's RKAF format unpacking with non UTF-8 headers
- **False positives**:
  - Fixed Insecure Dropbear SSH Server false positive identified in package metadata
  - Fixed Hardcoded Password by ignoring examples from openssl pkey man page

### v22.08.17 (2022-08-17)

- **UI**:
  - Add new CVEs page to provide an overview of all CVEs across all components. CVE matches
      are no longer reported in issues, but through this new page.
- **API**:
  - Add CycloneDX SBOM export of components and related files (UI integration will come later)
  - CVEs are exposed through the cveMatches Firmware query in GraphQL.
- **Bugfixes**:
  - Fixed permission error for users with uploader or reporting roles only
  - Fixed CVE comparison page between two firmware images
  - Fixed forgot password dialog to provide feedback when used

### v22.08.08 (2022-08-08)

- **False Positives**: Fixed potential false positive analysis results:
  - Hardcoded password detected in passwd man page
  - Insecure communication matches from wget man page
  - Management protocols detected in network filtering database rules
  - OpenSSH's configuration detected in deb package scripts
- **Extraction**:
  - Fixed FFWU format to support multiple applications within one file
- **Bugfixes**:
  - Do not display firmware size during processing, zero size might be misleading
  - Fixed total file count on Files page

### v22.08.01 (2022-08-01)

- **Bugfixes**:
  - Use browser specific timezone to display date & time
  - Fixed crash on Reports page when report generation was in progress
  - Fixed total labels on datagrids
  - Fixed enable monitoring function on firmware info page

### v22.07.25 (2022-07-25)

- **Bugfixes**:
  - Fixed Dashboard, Analysis Overview and firmware analysis errors caused by CVE entries without CVSS2 score
  - Fixed CVE table range slider and filters
  - Fixed search in artifacts table misalignment
  - Fixed firmware list category column
  - Fixed Expert Review popup to only show once after opening a firmware

### v22.07.18 (2022-07-18)

- **UI**:
  - Add option to request *Expert Review* of a firmware

- **Bugfixes**:
  - Fixed Files content search
  - Fixed checkbox toggle to work correctly with label clicks
  - Allow extending existing names in firmware upload
  - Fixed virtual scroll on some tables

### v22.07.08 (2022-07-08)

- **API**:
  - Speed up CVE issue query

- **UI**:
  - Add confirm button for firmware deletion view
  - Default user- and product groups are now editable
  - Add style improvements to product history view
  - Product Timeline is now ordered by upload time
  - Firmware Comparison now also shows the analysis against which the change was detected, when "Show changes only" option is set

- **Bugfixes**:
  - Fixed links to files in Firmware Comparison page
  - Fixed Firmware Compliance page when there are no findings
  - Fixed filtering on Product History page
  - Fixed screen jumping to the top when an issue detail is closed
  - Fixed Report Classification not being taken into account correctly when "Include analysis technique description" option is set
  - Fixed "Backend service is temporary unavailable" error during firmware upload

### v22.06.28 (2022-06-28)

- Infrastructure update
- **Bugfixes**:
  - Fixed static assets caching

### v22.06.17 (2022-06-17)

- **Extraction**:
  - Add support for ZSTD compression
  - Add support for DOS/MBR format
- **UI**:
  - Fixed file details popup for symlink files

### v22.06.10 (2022-06-10)

- **Extraction**:
  - Add support for Android OTA format
  - Add support for Intel HEX format
  - Add support for eCOS RomFS format
  - Add support for Festo ffwu firmware format
  - Fixed ELF extraction without sections and cases where program segment is stored at the end of the file
  - Improved cramfs CRC checking to handle endianness swapped cases
- **UI**:
  - Add support for comparing the latest analyses of different firmwares
  - Add timeline visualization on how different firmware versions of the same product changed
  - Fixed ELF details RELRO representation
- **False Positives**: Fixed potential false positive analysis results:
  - Fixed Mutt email client component & version detection
  - Fixed OpenWRT & toolchain component & version detection
- **Bugfixes**:
  - Fixed interrupted & restarted analysis handling

### v22.06.01 (2022-06-01)

- **False Positives**: Fixed potential false positive analysis results:
  - Fixed false hardcoded password detection in OPKG package files
- **UI**:
  - Fixed ELF details RELRO representation

### v22.05.30 (2022-05-30)

- **False Positives**: Fixed potential false positive analysis results:
  - Communication security checks ignore minified JS code
- **API**:
  - Fixed firmware/file downloading Content-Disposition header
- **UI**:
  - Fixed release date handling on the upload page
  - Fixed typo in ELF file details page
  - Updated company name and address

### v22.05.20 (2022-05-20)

- **False Positives**: Fixed potential false positive analysis results:
  - Ignore additional OpenSSL & GnuTLS test vector certificates & private keys
- **Extraction**:
  - Improved Xilinx FSBL handling
  - Improved JFFS2 handling to eliminate misdetected chunks
  - Improved ARC handling to eliminate misdetected chunks
  - Improved XZ compression handling to support concatenated XZ streams
  - Improved UBI support to simplify extraction directory structure
- **UI**:
  - Updated the file details page:
    - Display ELF file details
    - Display image file inline, instead of just showing a binary hexdump
    - Link parent directories so those can be opened in the file browser with 1-click
  - Fixed firmware issues page search functionality

### v22.05.17 (2022-05-17)

- Infrastructure update

### v22.05.13 (2022-05-13)

- **UI & API Bugfixes**:
  - Fix file content view for binary files
  - Fixed displaying long firmware names on firmware comparison page
  - Fixed GraphQL error handling on the UI and display specific errors
  - Speed up CVE issue download on the API
- **Extraction**:
  - Add support for VMWare VMDK format
  - Add support for Rockchip firmware formats
  - Add support for ELF file extraction
  - Add support for dm-verity chunks
  - Add support for extracting Flattened Image Tree images from binary device tree files
  - Fixed extraction of init ramfs from Linux kernel image
  - Fixed compress decompression false-positive errors
  - Fixed tar & cpio padding calculation
  - Fixed .deb package extraction
  - Fixed ubi-fs extraction to skip unused extra directory
  - Fixed LZ4 legacy extraction used in old ARM Linux kernel images

### v22.04.29 (2022-04-29)

- **Bugfixes**:
  - Fix SREC extraction

### v22.04.25 (2022-04-25)

- **Analysis improvements**:
  - Detect components in BFLT executables
  - Added component detection rules for:
    - botan
    - boringSSL
    - cyassl
    - PolarSSL
    - mbedTLS
    - wolfSSL
    - gnuTLS
    - bouncycastle
    - LibreSSL
    - MatrixSSL
    - NSS
    - ELF utils
    - GNU gettext
    - Linux device tree compiler
    - procps
    - Pulse Audio
    - RPM library
    - Busybox library
    - Oracle Berkeley DB
    - libdbus (freedesktop)
    - mandb
    - Mozilla Firefox library
    - MiniDLNA
    - funjsq
    - Netatalk
- **Bugfixes**:
  - Improved Issues page load performance
  - Fixed Monitoring findings UI caching issue
- **False Positives**: Fixed potential false positive analysis results:
  - Ignore test vector certificates & private keys from well-known crypto libraries:
    - OpenSSL
    - mbedTLS (aka PolarSSL)
    - gnuTLS
    - wolfSSL
    - boringSSL
    - NSS
    - LibreSSL
  - Dropbear configuration check for OPKG based firmwares

### v22.04.06 (2022-04-06)

- **Analysis improvements**:
  - Add support for BFLT (binary flat) file types
- **Bugfixes**:
  - Improved file content search speed and limited result to 100 matches
  - Fixed extraction errors related to malformed IHEX and SREC files
  - Various usability fixes on the new user interface
- **False Positives**: Fixed potential false positive analysis results:
  - Insecure Communication
  - Component Detection

### v22.03.30 (2022-03-30)

- **Bugfixes**:
  - Fixed issue in sign-up workflow
  - Analysis history now shows changed issues properly
  - Improved Firmware / Files page load performance
  - Various usability fixes on the new user interface
  - Fixed certificate signing algorithm check in CertificateChecker plugin
- **False Positives**: Got rid of various false positive analysis results:
  - Insecure Communication
  - Hardcoded Password Detection
- **ComponentDetection**:
  - Improved VxWorks version detection
  - Fixed netcat showing up twice
  - Fixed fw_printenv binary misidentified as U-Boot
- **FileCategorization**: Improved ELF identification for suid binaries
- **HardcodedPasswordDetection**: Added cracked passwords to the list of plaintext candidates

### v22.02.23 (2022-02-23)

- **New UI**:
  - Dashboard loads much faster now
  - Analysis overview loads much faster now

- **Bugfixes**:
  - Fixed issue with file download not working in certain cases
  - Fixed an issue with new user registration

### v22.02.15 (2022-02-15)

- **ComponentDetection**: Adding license information to components
- **New UI**:
  - Delete firmware button
  - Improved file browser page

### v22.01.18 (2022-01-18)

- **New UI** improve dashboard load time.

### v22.01.17 (2022-01-17)

- **New UI** performance improvements and major bug-fixes.

### v21.10.29 (2021-11-25)

- **New UI** performance improvements

### v21.10.29 (2021-10-29)

- **New UI** preview release
- Internal code reorganization

### v21.10.05 (2021-10-05)

- **VulnerabilityPattern** Added Broadcom SDK

### v21.09.27 (2021-09-27)

- Internal code reorganization

### v21.9.1 (2021-09-09)

- **FileCategorization** Added new rules for:
  - Node.js script files
  - Java class files
  - Protobuf files
  - Common Linux file types
  - Improved XML file detection
- Support ZIP compressed firmware archives containing more than 1000 files.
- **Bugfixes**:
  - Improved the reliability of Realtek SDK vulnerability mitigation detection.

### v21.8.3 (2021-08-25)

- **FileCategorization** Added new rules for:
  - AWK script files
  - Android backup files
  - Android sparse image filesystem
  - Erlang files
  - IHEX files
  - Improved UBI, ROMFS, EXTFS detection
  - Java source code
  - Linux man pages
  - Lisp/Scheme scripts
  - Perl POD markup files
  - Pixmap image files
  - Rust source code
  - SELinux policy definitions
  - Structured CSV files
  - Typescript files
  - Vimscript files
  - WAV files
  - Windows PE files
  - YAML files
  - Zlib compressed data files
- **Bugfixes**:
  - Report generation stability improved when very long commands are detected

### v21.8.2 (2021-08-13)

- **VulnerabilityPattern** Added Realtek SDK
- **ComponentDetection** Added new rules for:
  - Realtek SDK
  - Realtek RLX-Linux
  - Realtek WiFi Simple-Config Daemon
  - ARM Sarian Bios bootloader
- **FileCategorization** Added new rules for:
  - ZSTD archives
  - Java Keystore
  - DSA/EC/ECDSA private key types
  - DER formatted private keys
  - Putty private and public keys
  - Improved identification of LUA files
- **HardcodedPasswordDetection** Reduce the number of false positives reported

### v21.8.1 (2021-08-02)

- **ComponentDetection** Added new component detection rules:
  - OpenWRT
  - Google Android
  - Detect FreeRTOS
- **UnwantedSoftwarePattern** Added new rules for:
  - tshark
  - nmap
  - strace
  - ltrace
  - netcat
- File category recognition has been reworked: it is now much faster
  and recognizes many more file types.
- **API (beta)**
  - The file category field will be released to the public API soon.

### v21.7.1 (2021-07-07)

- **VulnerabilityPattern** Added ThroughTek P2P
- **ComponentDetection** Added new components and improved detection rules:
  - Dinkumware C++ library
  - µLinux
  - Barebox
  - Cisco IOS
  - Broadcom tools
- **FeatureExtraction** Extended bootloader and OS detection
  - Redboot
  - Barebox
  - Cisco IOS
- **API (beta)** Extended the GraphQL API
  - New API functionality:
    - Add Notifications
    - Add Reporting and Reporting Configuration
    - Extend Firmware with cveEntries
  - The API is beta as graphql schema and REST endpoints might change before the stable release
  - Authentication API documentation is available at: /api/docs
  - GraphQL playground is available at: /api/graphql
  - Python SDK is available at: <https://github.com/IoT-Inspector/python-client>
  - Javascript/Typescript SDK is available at: <https://www.npmjs.com/package/iot-inspector-auth>
- Bugfixes and performance improvements.

### v21.6.1 (2021-06-14)

- **ComponentDetection** Added new component: axhttpd/axtls
- **VulnerabilityPattern** Fine-tuned detection patterns to recognize vendor fixes
- **API (beta)** Extended the GraphQL API
  - New API functionality:
    - User password change & reset REST API endpoint
    - Analysis extended with issue count by severity
    - Analysis extended with comparison with previous analysis for monitoring runs
    - Added query on firmwares to compare any two analyses
    - Added User/UserGroup/ProductGroup management mutations
    - Added documentation on Issues and analysis information
    - Added mutation to update User notification settings
    - Added mutation to update firmware metadata
- Bugfixes and performance improvements.

### v21.5.2 (2021-05-26)

- **ComponentDetection** Added new components and improved detection rules:
  - Apache HTTP Server
  - GNU binutils
  - GnuTLS
  - OpenLDAP tools & server
  - OpenVPN
  - OpenWRT opkg
  - OpenWRT uci
  - ProFTPD
  - Pure-FTPD
  - Qualcomm QCMAP
  - Redis
  - SHaT
  - Sitelboot
  - U-Boot
  - adbd
  - alsactl
  - apt-get
  - bind
  - bootlogd
  - hostapd
  - htpdate
  - iperf
  - ipsec-tools
  - iw
  - iwconfig
  - libgcrypt
  - libqmi qmicli
  - lldpd
  - logrotate
  - mDNSResponder
  - mailsend
  - ministun
  - ndpppd
  - nettle
  - nginx
  - perl
  - ppp
  - pptp
  - qdiscman
  - rp-l2tpd & rp-pppoe
  - rsyslogd
  - snort
  - sntp
  - spawn-fcgi
  - sqlite3
  - syslogd
  - tinyproxy
  - ubi\* tools
  - vsftpd
  - wget
  - wpa_cli
  - xl2tpd
- **HardcodedPasswordDetection**: extend word-list to test for well-known passwords
- **API (beta)** Extended the GraphQL API
  - New API functionality:
    - Analyses can be filtered by start time and type
    - Information on logged-in user & tenant
    - Subscription to receive firmware processing updates over websocket
    - Firmware extended with extraction information
    - Expose public keys over the API to simplify token validation on the client side
    - Expose CVE details on CVEMatching issues
    - Firmware extended with spritesheets
    - New analysis can be triggered for firmware
  - The API is beta as graphql schema and REST endpoints might change before the stable release
- Bugfixes and performance improvements.

### v21.5.1 (2021-05-04)

- **API (beta)** Extended the GraphQL API
  - New API functionality:
    - ELF file details (symbols, imported & exported functions, dependencies) can be retrieved
    - Files can be searched by content (textual content, ELF symbols, imported & exported functions)
    - Firmware extended with detected components and management protocols
    - Detected hardcoded passwords in firmware can be retrieved
    - Compliance guidelines can be retrieved and firmware extended with compliance violations
    - UserGroups, Users can be retrieved
    - Files, firmware images, extracted directories can be downloaded
    - Mutations to manage firmware monitoring settings
  - The API is beta as graphql schema and REST endpoints might change before the stable release
- Bugfixes and performance improvements.

### v21.4.1 (2021-04-13)

- **ElfAnalysis**: Extended ELF binary analysis plugin:
  - Inspect imported library dependencies
  - Categorize ELF files based on imported functions, labeling dangerous or insecure function usage
  - Explicitly report files missing any compile time mitigation technique
  - NOTE: monitoring or new analysis is required for existing firmware images to report new ELF related findings
  - NOTE: monitoring reports ELF analysis results as changed
- **API (beta)** Extended the GraphQL API
  - New API functionality:
    - Firmware images can be uploaded automatically, which triggers automatic analysis
    - Firmware extended with detected certificates and private keys
    - File information extended with ELF attributes and ELF based categories
  - The API is beta as graphql schema and REST endpoints might change before the stable release
- Bugfixes and performance improvements.

### v21.3.1 (2021-03-17)

- **API (beta)** New GraphQL based API to retrieve firmware analysis results:
  - The API is beta as graphql schema and REST endpoints might change before the stable release
  - Authentication API documentation is available at: /api/docs
  - GraphQL playground is available at: /api/graphql
  - Currently available data:
    - Firmware metadata
    - Analyses history
    - Identified issues & details
    - File information
- Bugfixes and performance improvements.

### v21.2.1 (2021-02-23)

- Bugfixes and performance improvements.

### v21.2.0 (2021-02-08)

- **HardcodedPasswords** Extended credential detection capabilities:
  - credentials in `curl`, `wget`, `openssl`, `chpasswd`, `sshpass` calls
  - credentials in `wgetrc` files
  - detect AWS secret keys
- **VersionVulnerability** Added DNSpooq vulnerabilities detection
- Added CWE categorization & mitigation information to the Plugins page
- Bugfixes and performance improvements.

### v1.23.7 (2021-01-07)

- Bugfixes and performance improvements.

### v1.23.5 (2020-12-29)

- Bugfixes and performance improvements.

### v1.23.4 (2020-12-14)

- Fixed broken signup page

### v1.23.3 (2020-12-11)

- **ConfigCheck** Added OpenSSH configuration checks to detect insecure configuration options
- **ConfigCheck** Added Dropbear SSH server launch checks to detect insecure options
- **CommunicationSecurity**: Added plugin to detect insecure external communication:
  - improper peer verification
  - weak crypto cipher usage
  - obsolete protocol usage
  - plaintext communication
- **CertificateChecker** Added plugin to detect insecure X509 certificates:
  - insecure keys (key length, key type, key material) check
  - certificate validity & trust chain check
  - insecure algorithm & version check
- **ComponentDetection** Added Codesys Control component detection
- **InformationLeakageDetection**: Added DS_Store (MacOS X Finder) detection
- **ElfAnalysis:** Fixed bug that caused timeout during analysis of some binaries
- Bugfixes and performance improvements.

### v1.22.2 (2020-11-05)

- **ElfAnalysis:** Fixed a bug that caused monitoring to report findings as modified without any actual change
- **Monitoring:** Small usability and label improvements

### v1.22.1 (2020-10-29)

- **Monitoring:** Improved diff inspector usability and fixed notification logic

### v1.22.0 (2020-10-20)

- **Monitoring:** Added firmware monitoring to continuously re-analyze firmwares and notify when analysis results change
- Bugfixes and performance improvements.

### v1.21.0 (2020-09-21)

- **ComplianceChecker:** Added ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements)
- Bugfixes and performance improvements.

### v1.20.3 (2020-07-29)

- **UI:** Fixed issue with file browser for creation of partial firmware
- **UI:** Small usability and design improvements

### v1.20.2 (2020-07-23)

- Bugfixes and performance improvements.

### v1.20.1 (2020-07-20)

- **Plugins:** `HardcodedPasswords`: Improved accuracy of search logic to reduce number of false positives.
- **UI:** Added possibility to filter analysis results
- Bugfixes and performance improvements.

### v1.20.0 (2020-03-27)

- **Plugin:** Added `ComplianceChecker` plugin. Enables users of the analysis platform to examine IoT firmware for compliance with international security standards.
- **ComplianceChecker:** The following security standards are supported:
  - BITAG - Internet of Things (IoT) Security and Privacy Recommendations
  - DIN - SPEC 27072
  - ENISA - Baseline Security Recommendations for IoT
  - ETSI - TS 103 645
  - GOV UK - Code of Practice for consumer IoT security
  - LEGINFO CA.GOV - SB-327
  - OWASP - TOP 10 IoT 2018
- **Plugins:** CVEMatching: Improved accuracy of reported results, reducing number of false positives.
- **Analysis:** When converting Intel IHEX or Motorola SREC files to binary files, IoT Inspector now omits large null-byte chunks. This enables analyzing firmwares with such files without hitting imposed file size limits.
- **UI:** Report generation page automatically reloads when report generation is finished.
- Bugfixes and performance improvements.

### v1.19.0 (2019-12-09)

- **Plugins:** Added FeatureExtraction plugin. More CPU architectures, operating systems and bootloader signatures have been implemented - accuracy of detection has been improved.
- **UI**: Global search has been reworked. Search is now significantly faster and supports different filters.
- Bugfixes and performance improvements.

### v1.18.0 (2019-09-25)

- **Plugins** Added detection of Lua and Avahi Daemon in `ComponentDetection`
- Bugfixes and performance improvements.

### v1.17.1 (2019-08-20)

- **Plugins:** Added detection of Wind River VxWorks in `ComponentDetection`.

### v1.17.0 (2019-07-30)

- **Plugins:** Added `ELFAnalysis` plugin. Analyzes the presence of compile time mitigations and use of insecure functions in the firmware.
- **Plugins:** `CVEMatching`: Added several software components, improved detection for `curl`, `GNU glibc` and `strongSwan`.
- **UI:** Filesystem browser redesign. Improved firmware file and extracted string search.
- **Analysis:** Added the ability to reanalyze parts of large firmware images in case of an initial analysis failure.
- Bugfixes and performance improvements.

### v1.16.0 (2019-06-18)

- **Plugins:** Added `ImageVisualization` plugin. Extracts images from the firmware, compresses and stitches them together to a collage.
- **UI:** Added ability to run the analysis for a firmware again. A warning will be shown if the analysis results are outdated.
- Bugfixes and performance improvements.

### v1.15.0 (2019-05-29)

- **Permissions:** Introduced **Permissions Feature**. Admins can now use a role- and object-based access control system to effectively manage user permissions.
- **Plugins:** Added detection of GnuTLS, strongSwan and GNU Zebra in `ComponentDetection`.
- **Plugins:** Added references to exploits in results of `CVEMatching`.
- **Security:** Improved enforcement of password strength and throttling of login attempts.
- Bugfixes and performance improvements.

### v1.14.0 (2019-03-07)

- **Plugins:** Added detection of curl/libcurl in `ComponentDetection`.
- **Plugins:** Added CVE CVSS Access Vector (AV) in results of `CVEMatching`.
- **UI:** Added firmware column in certificate overview (analogous to passwords overview)
- **UI:** Added functionality to download the initially uploaded firmware image (firmware details page)
- Bugfixes and performance improvements.

### v1.13.0 (2018-11-21)

- **Plugins:** Improved `ManagementProtocolDetection` plugin, now detects further cases of Xiongmai XMeye and lists further information.
- **Backend:** Major architecture redesign.
- **Backend:** Switched from usernames to email as unique identifier.
  Implemented multitenancy, users can be in multiple environments.
- **Backend:** Bumped major version.
- Bugfixes and performance improvements.

### v0.12.0 (2018-06-27)

- **UI:** Added account closedown option (account settings page).
- Bugfixes and performance improvements.

### v0.11.0 (2018-05-30)

- **API:** Added **IoT Inspector API**. If you have API permissions, you can enable the API via the account settings page.
- **UI:** Improved string search and files search (performance and UI).
- **UI:** Added notifications feature and option to modify personal (mail) notification preferences.
- **UI:** The firmware details page now has a "Download Report" button, that allows PDF report download without creating a report configuration in the "Reporting" section first.
- **Plugins:** `HardcodedPassword` now detects crypt(3) DES hashes in non-standard `passwd` file entries.
- **Plugins:** Improved `ManagementProtocolDetection` plugin, now detects the Uniview "EZCloud" P2P Platform, Gwelltimes "Cloud-Links" Platform and the Ozvision Cloud Platform.
- **Plugins:** Improved `ManagementProtocolDetection` plugin, results now come with detailed information about the protocol, its security track record and reference links.
- Bugfixes and performance improvements.

### v0.10.0 (2018-04-26)

- **UI:** Added a "notes" field in the firmware upload form.
- **Plugins:** Added listing password hash type (e.g. DES (Unix), MD5(Unix), ...) in `HardcodedPassword` plugin results.
- **Plugins:** Added description and reference URLs in `UnwantedSoftwarePattern` plugin results.
- **Plugins:** Added description and reference URLs for Dangerous service launch `ConfigCheck` plugin results.
- **Plugins:** Added support for `inetd.conf` files in Dangerous service launch `ConfigCheck` plugin results.
- **Plugins:** Improved `ManagementProtocolDetection` plugin, now detects the Dahua "easy4ip" P2P Platform and Dahua "Lechange" P2P Platform.
- **Plugins:** Added reference URLs for `VulnerabilityPattern` plugin results.
- **Backend:** Added an alternative method for extracting EXT2/3/4 filesystems.
- Bugfixes and performance improvements.

### v0.9.0 (2018-04-05)

- **UI:** Overall redesign and usability improvements.
- **UI:** Redesigned firmware details page. Improved results structure. Filesystem paths are links to filesystem browser.
- **Plugins:** `HardcodedPassword` now detects users with empty passwords in `passwd` and `shadow` files.
- **Plugins:** Improved `ManagementProtocolDetection` plugin, now detects the Wi-Fi Protected Setup (WPS) protocol.
- **Plugins:** Added `NoResultsInfo` plugin. This plugin provides some further information for cases where no results were found during the plugin analysis.
- **Plugins:** The plugin workflow has been modified for better performance. Now plugins are run on individual firmwares.
- **Reporting:** For each PDF Report a CSV file with limited information on the results (product, firmware, result title, severity, ...) is now provided.
- **Reporting:** Added a "Only latest firmware in scope" switch in the report configuration scope that lets users decide if only the latest firmware, or all firmware should be in the report scope.
- **Reporting:** Customer logo and customer name can be customized.
- Bugfixes and performance improvements.

### v0.8.0 (2017-12-01)

- Bugfixes and performance improvements.

### v0.7.0 (2017-10-03)

- **Plugins:** Added detection of Dnsmasq in `ComponentDetection` and VU#973527 Dnsmasq vulnerabilities in `VersionVulnerability`.
- Bugfixes and performance improvements.

### v0.6.0 (2017-07-01)

- **Backend:** Added extraction of [Intel HEX](https://en.wikipedia.org/wiki/Intel_HEX) (`.IHEX`)
  and [Motorola S-record](<https://en.wikipedia.org/wiki/SREC_(file_format)>) (`.SREC`) files.
- **Plugins:** Improved `ManagementProtocolDetection` plugin, now detects the PPPP P2P platform and Xiongmai XMeye.
- Bugfixes and performance improvements.

### v0.5.0 (2017-03-01)

- **Plugins:** Added `InformationLeakageDetection` plugin, now detects SVN and VIM editor artifacts.
- **Reporting:** Changes to LaTeX templates. New logo. Each finding in a report now starts on a new page. PDF bookmarks for each finding.
- Bugfixes.

### v0.4.0 (2017-02-01)

- **Plugins:** Added `ManagementProtocolDetection` plugin, now detects DLNA, Goolink, HNAP, ONVIF, TR-064, TR-069, ThroughTek TUTK Kalay Platform and UPnP.
- **Plugins:** Added instant password cracking based on previously cracked plaintext passwords from GPU cracking station to `HardcodedPassword` plugin.
- **Plugins:** Added password list used in Mirai botnet to `HardcodedPassword` plugin.
- **Plugins:** Improved `CVEMatching` processing performance.
- **Plugins:** Added handling of `prev` tag (signals: all previous versions affected) in NIST NVD Feed Version (1.2.1) to `CVEMatching` plugin. This will yield additional CVE results for outdated versions.
- **Backend:** Added handling for Android-based firmware.
- **Plugins:** Added detection of insecure Android build configuration to `ConfigCheck` plugin.
- **UI:** Added Censys API frontend.
- **Reporting:** Added additional filtering capabilities (filter by plugin) to report configuration.
- Bugfixes.

### v0.3.0 (2017-01-15)

- **Plugins:** Added file paths list to `ComponentDetection` results.
- **Plugins:** Added `ConfigCheck` plugin, now detects telnetd, sshd and dropbear starts.
- **UI:** Added "Results per plugin" view.
- **UI:** Added new logo and favicon.
- Bugfixes.

### v0.2.0 (2016-10-19)

- **Plugins:** Improved `CVEMatching` processing performance.
- **Plugins:** Added NVD CVE feed update background task for `CVEMatching`.
- **UI:** Added changelog.
- **UI:** Added links to associated vendor/product/firmware edit pages on vendor/product and firmware edit pages.
- **UI:** Added delete functionality for vendors and products. Deletion is only allowed if vendor does not have any associated products /
  product does not have any associated firmwares.
- **UI:** Added delete functionality for firmware.
- **UI:** Changed plugin results order on firmware details page to match PDF report order (order by severity, title).
- **UI:** Added plugin result coloring on firmware details page.
- **UI:** Added HTML anchors for plugin results for easy referencing.
- **UI:** Moved Binwalk results from firmware details page to separate page for faster page loads.
- **UI:** Moved Kernel Module analysis results from firmware details page to separate page for faster page loads.
- **UI/Plugins/Backend:** Added functionality to find new plugin results between different plugin runs.
  This is the groundwork for a future "alerting" feature for new vulnerabilities. Added and removed plugin results are now
  shown on the firmware details page.
- Bugfixes and security improvements.

### v0.1.0 (2016-09-30)

- First public version
