- [IR-3500] - Product components
- [IR-5177] - Multiple dataflows between components
- [IR-5333] - Lock threat model
- [IR-5556] - Nesting trustzones within components
- [IR-5704] - Create and restore product version
- [IR-6741] - Added help link regarding creating rules
- [IR-6875] - New setting created in order to enabled/disabled the upload artifact button
- [IR-5110] - Move skipped project with no diagram to debug
- [IR-5459] - Threat Menu action should end with "..."
- [IR-5463] - Improve export products message and bulk operation
- [IR-5464] - Actions modals improve message
- [IR-5465] - Improve message "Update/Import products"
- [IR-5467] - Improve message in the next | previous Workflow Stage
- [IR-5471] - Improve message "Create new issues for all requirements"
- [IR-5566] - Improve report file naming
- [IR-6183] - Validated that two threats of the same use case do not have the same ref
- [IR-6369] - Update capec and cwec libraries
- [IR-6509] - Removed setting no longer in use: Priority of TrustZone question
- [IR-6554] - Change tooltip for a product not sync icon
- [IR-6596] - Let the product search be case insensitive again
- [IR-6610] - Removed already used fields from dropdowns in ServiceNow settings configuration
- [IR-6665] - Removed setting "Prompt to upload requirements to issue tracker"
- [IR-6772] - Improve message for duplicated dataflows
- [IR-6965] - Remove "..." from the action button of the modals
- [IR-6986] - Remove "..." from the action button of the 'Expose risk' modal
- [IR-6902] - Marked as deprecated the main module action "Answer question from main questionnaire"
- [IR-6051] - Workflow States creation: Causing a validation error when creating a workflow state and then attempting to correct it results in an exception
- [IR-6071] - Id attributes are not unique on the Products page
- [IR-6102] - Wrong Tooltip in 'Apply to Products'
- [IR-6155] - When a version is selected, threats can be edited after performing search
- [IR-6156] - When a version is selected, threats can be edited after filtering threats tab
- [IR-6158] - Allow forward slash in the URI as a parameter through GET call to our API
- [IR-6182] - Users with permissions PRODUCTS_LIST_ALL_READ_ONLY should not be able to edit products settings
- [IR-6306] - Automatically remove setting not working with re-imported projects
- [IR-6363] - Change text "controls" by "countermeasures" when exports countermeasures
- [IR-6527] - Fixed Jira sync failing due to default max results
- [IR-6557] - Threats and countermeasures assigned to the system when importing a template fixed
- [IR-6720] - After adding a tag to a template and clicking on 'Apply to products' the diagram of a product is cleared
- [IR-6722] - Threat custom fields display format is broken
- [IR-6737] - IOException UI message thrown with some URLs when configuring ServiceNow
- [IR-6771] - Risk Summary not using custom config
- [IR-6814] - Error on Any parent component condition
- [IR-6882] - Fixed button description for creating Libraries and Templates
- [IR-6893] - Removed extra dots in the comment option for the countermeasures menu.
- [IR-6908] - Sync message on the template is not displayed
- [IR-6922] - Missing rules notifications for dataflows with repeated names
- [IR-6923] - Fix error when adding a new BU
- [IR-6956] - Import risk pattern action is not triggered with the condition 'Any component has a parent with a question answered' if the model was synchronized before.
- [IR-6948] - When mapping a PC to a custom image within Iriusrisk, the user cant go to the parent product
- [IR-6984] - Notifications tab not checking if the session is running
Security Bug Fixes
- [IR-6638] - Access blocked to grails login page
- [IR-6795] - Updated jackson-databind 2.9.6 critical library vulnerability
- [IR-6797] - Updated quartz 2.2.3 and 2.0.13 critical library vulnerability
- [IR-6798] - Updated xstream 1.4.11 critical library vulnerability
- [IR-6911] - Stored Cross-Site-Scripting vulnerability when rendering the product name in several locations
Hot Fixes included
This is also a cumulative release that also includes all the hotfixes on the 3.12.0:
New Knowledge-base Content
New security content
[CON-608] - A new risk pattern called HTTP-SERVICE:TOKEN:JWT with one threat and eleven new countermeasures has been created to include JWT security best practices (based on RFC8725) in the CS-Default library.
[CON-830] - Added two new countermeasures in the CS-Default library to mitigate Spectre-like side-channel attacks.
[CON-831] - Added OSA (Open Security Architecture) references to NIST 800-53 controls in six libraries (AWS Lambda, CS-Default, EU-GDPR, FEDRAMP, AWS, and IoT).
[CON-801] - New AWS components:
AWS Elastic Block Store (EBS)
AWS Elastic File System (Amazon EFS)
AWS FSx for Windows File Server
[CON-823] - New AWS components:
AWS Elastic Container Registry (ECR)
AWS Elastic Container Service (ECS)
AWS Elastic Container Service for Kubernetes (EKS)
[CON-850] - New AWS components:
[CON-779] - New IAM (Identity and Access Management) question group replaces the old question groups for authentication and authorization in client-side, server-side, and data storage components.
[CON-780] - Some text values (description, test steps, test references, risk rating values, and so on) were standardized for Threats/Weaknesses/Countermeasures across all default libraries.
[CON-810] - Fixed the countermeasure name for the ref: MASVS-8.2 in the MASVS library.
[CON-827] - We’ve removed the rule name “Risk Pattern: Authentication - Service - 2FA - if CWE-654 is applied” from the CS-Default because the risk pattern GENERIC-SERVICE:AUTHN-2FA is already imported only by answering the 2FA authentication question. Additionally, this rule uses the “Applied control” condition that will be deprecated soon.
[CON-839] - Replace EXTEND_RISK_PATTERN action with IMPORT_RISK_PATTERN for the MASVS library rules.
[CON-841] - The description of CWE-778 weakness was improved.
[CON-855] - A minor bug was detected in the refactor of the IAM questionnaire.