Features
- [BLZ-58] - Open Threat Modeling Integration
- [BLZ-260] - New Diagram icons for new Azure components
- [BLZ-263] - New Diagram icons for new AWS components
- [BLZ-281] - Add Notification when the questionnaire is saved
- [INR-1] - XLSX file metadata not visible with exiftool but still written to inner XML file
- [INR-2] - Remove producer metadata from exported files
- [INR-3] - Report Improvements
- [INR-127] - Analytics signup
- [MSR-33] - Delete type from assets
- [MSR-45] - New dataflow conditions
- [MSR-112] - Remove the concept of "Component definition" and keep it just as "Component"
- [MSR-120] - Configure Component Definition screen with vertical separation
- [MSR-126] - Group components within the same condition
- [MSR-127] - Navigation by URL
- [MSR-137] - Order nodes in library XML
- [MSR-138] - Add copyright header to all default libraries
- [MSR-149] - Detect sensitive data received by a component after crossing a trust boundary
- [MSR-148] - Allow IriusRisk to be opened in multiple tabs
- [MSR-150] - Detect sensitive data sent by a component across a trust boundary
- [MSR-172] - Hide CAPEC from libraries selector of a component definition
- [MSR-179] - Disallow deleting risk patterns and creating use cases in default libraries
- [MSR-196] - Ordered elements on actions/conditions combos
- [MSR-242] - Remove community advice message on the questionnaire
- [GRA-11] - Add a language selector in IriusRisk
- [GRA-17] - Review the warning message in API token card for user profile panel
- [GRA-23] - Inconsistent auditing of custom field changes in threat fields
- [GRA-39] - Prevent users from using unsafe passwords by checking them against the common password list
- [GRA-59] - Redesign expiration screen
- [GRA-67] - Passwords set in Irius are visible to users with access to configuration panels
- [GRA-71] - Automatically modify size and resolution in profile pictures
- [GRA-127] - Create new global permission ANALYTICS_SETTINGS_UPDATE
- [GRA-128] - Create new url setting for analytics module
- [GRA-129] - Create new section for analytics module configuration
- [RT-6] - Add autofill on Unique ID field on "New countermeasure" form and on "Weakness Details" form
- [RT-35] - Apply countermeasure state changes
- [RT-49] - Add issue link for control in API response
- [RT-111] - Add issue link for controls in project XML export
- [RT-120] - Improve the visual distinction of icons in Threats & Countermeasures
- [RT-122] - Additional owner, component and use case filters for threats
- [RT-125] - Add threat bulk actions for accept risk, NA, delete risk and lock in tree view
- [RT-128] - Add flatten view for countermeasures
- [RT-167] - Additional source, weakness test filters for threats
- [RT-168] - Add issue id and issue link for weaknesses through the API
- [RT-169] - Add issue id and issue link for weaknesses through the project XML
- [RT-183] - Change the flatten view of threats to use the Vaadin Grid component
- [RT-185] - Add void components/use cases in the filter of components for threats
- [RT-186] - Change order of the columns in threats & countermeasures grid
- [RT-212] - Display standards to apply in alphabetical order
- [RT-230] - Sorting countermeasures in flatten view
- [RT-238] - Distinguish "Riesgo" (risk) from "Amenaza" (threat) in the Spanish translation
- [RT-297] - Return a JSON error response instead of HTML when no file is supplied in the API call
Bug Fixes
- [BLZ-135] - Not allowed to export/clone a project if it's in draft mode
- [BLZ-141] - Artifact preview empty after importing product from XML and creating template
- [BLZ-187] - Big images on the diagram throw an unexpected exception
- [BLZ-214] - Fix some components styles icons
- [BLZ-219] - Diagram overrides page view and grid properties when importing a template
- [BLZ-255] - Error thrown when viewing the architecture diagram of a product version
- [BLZ-273] - Components lose the styles when the artifact is generated
- [BLZ-282] - When trying to import a template in draft, no error is displayed to the user
- [BLZ-302] - Wrong dashboard auditlog entry when a template is created
- [BLZ-303] - Wrong dashboard auditlog entry when a template is imported
- [MSR-34] - Wrong audit entries in the log when a new library is created or imported
- [MSR-136] - A user with LIBRARY_UPDATE permission can't add threats in libraries
- [MSR-170] - Unexpected error after saving a questionnaire multiple times when it fires a rule with a missing trust zone
- [MSR-193] - Library import process allows RCE through the rule name
- [MSR-216] - Wrong audit entries in the log when a custom library is deleted
- [MSR-224] - Fix width on countermeasure description detail window
- [MSR-258] - Some risk patterns are not correctly mapped to component definitions through library import
- [GRA-16] - Issue tracker test connection is displayed when accessing the settings section
- [GRA-18] - Modify the "checkIfUserExists" precondition of the /api/v1/businessunits/:bu-id/users endpoints
- [GRA-21] - Bad encoding of spanish special characters in form tooltip message
- [GRA-24] - Audit CustomFields creation consistently with Envers
- [GRA-25] - Register correctly the event ISSUE_TRACKER_SYNCHRONIZATION_FAILED
- [GRA-29] - Restrict adding users to a product
- [GRA-31] - Error retrieving users through the API with a user that has the MANAGE_USER_BU permission
- [GRA-34] - Fix: users could be inserted through the API without the correct role
- [GRA-54] - Error when a user with ALL_USERS_UPDATE tries to create a new user
- [GRA-38] - When the SAML session expires while the user is working, they are not redirected to sessionExpired
- [GRA-82] - Removing all business units from a user performs no action
- [GRA-102] - Ensure API permission check takes into account WFS permissions
- [GRA-122] - Threat edit panel does not turn editable in the active session when EDIT_THREAT permission is granted to the already logged in user
- [GRA-124] - User is notified about not having permission to use the API even though they are allowed
- [GRA-180] - Login with email and an invalid password doesn't show the error message
- [RT-9] - Display an alert window when users enable the "Lock threat model" option of a workflow state and there are products in that workflow state with pending unsaved changes
- [RT-33] - Fix comments message in ServiceNow
- [RT-47] - Threat custom fields are not displayed when users try to edit the threat in the Product threats tab
- [RT-57] - Use cases can be accidentally "duplicated" when creating threats in them
- [RT-61] - Create comments in issue tracker consistently for Weakness Tests and Countermeasure Tests
- [RT-67] - Failed weaknesses ticket creation lacks failed status comment
- [RT-69] - Possible endless loop in the update control list
- [RT-136] - API user without the THREAT_VIEW or THREAT_UPDATE permissions can get information about threats
- [RT-137] - It's possible to make countermeasure status updates without enough permissions
- [RT-162] - Weakness - Test tab is not correctly expanded
- [RT-163] - Threat appears red and centered when the weakness has test status Failed
- [RT-197] - Unexpected error selecting a library
- [RT-198] - When a countermeasure is manually introduced in a project, its priority is always Low
- [RT-257] - Error with the compliance filter in templates
- [RT-269] - Left-align the text in table cells
- [RT-270] - When entering the countermeasures tab with an empty list, an unexpected error is thrown
- [RT-271] - Duplicated components after importing a project
- [RT-298] - Failed to create weakness issue in Jira, RedMine and TFS
- [RT-305] - Resolve errors in ThreatQueryRepositoryService
- [RT-306] - Fix problems with blank rows in the Threats flatten view
- [RT-310] - When searching by custom field value users can see components from other projects filled with the same value
- [RT-313] - Weaknesses and Countermeasures grid is not filled in Libraries & Templates sections
Security Bug Fixes
- [BLZ-256] - Update velocity-engine-core
- [BLZ-258] - Update commons-compress
- [BLZ-299] - Upgraded logback-core and logback-classic in order to fix a vulnerability
- [RT-172] - Fix high-severity vulnerability in ant
- [RT-303] - Excluded the com.h2database dependencies in order to fix a vulnerability (IriusRisk does not use the H2 in-memory database)
- [RT-239] - Update commons-beanutils
- [RT-235] - Update lucene-core
- [RT-236] - Update jackson-dataformat-cbor
- [RT-240] - Update ant
- [GRA-75] - Fix high-severity vulnerability in xmlsec
- [GRA-74] - Fix high-severity vulnerability in jsoup
- [GRA-116] - Update drools-compiler
- [MSR-182] - Upgraded commons-fileupload in order to fix a vulnerability
- [MSR-183] - Fix high-severity vulnerabilities in xstream
Hot Fixes included
- Hotfix 4.0.1
- Hotfix 4.0.2
- Hotfix 4.0.3
- Hotfix 4.0.4
- Hotfix 4.0.5
- Hotfix 4.0.6
- Hotfix 4.0.7
- Hotfix 4.0.8
API Changes
New Knowledge-base Content
New security content:
- CON-1084. New countermeasures from the "NSA Kubernetes Hardening Guidance" technical report (https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/). Added 5 new countermeasures:
  - 1 for Kubernetes Etcd.
  - 1 for Control Plane.
  - 2 for Kubernetes Policies and Infrastructure.
  - 1 for Kubernetes Container.
- CON-1108, CON-1116 & CON-1117. New functional components library including:
  - 11 Component definitions (11 new).
  - 20 Risk patterns (20 new).
  - 1 Use case.
  - 43 Threats (43 new).
  - 0 Weaknesses.
  - 75 Countermeasures (37 new).
- CON-1002. New countermeasure for the AWS CloudTrail component.
Updated/deprecated/new security standards:
New standards:
- CON-1094. New Security Standard: 2021 OWASP Top 10.
New components:
- CON-1084. New component for Kubernetes:
  - Kubernetes Pod, which implements the following risk patterns:
    - containerized-application:kubernetes
    - kubernetes-container
- CON-1057. New components for AWS:
  - AWS MediaStore
  - AWS MediaTailor
  - AWS Amplify
  - AWS MediaConvert
  - AWS MediaLive
  - AWS MediaPackage
  - AWS Lightsail
  - AWS Managed Services
  - AWS MediaConnect
  - AWS Global Accelerator
  - AWS Ground Station
  - AWS Launch Wizard
  - AWS Elemental Appliances & Software
  - AWS EMR
  - AWS FreeRTOS
- CON-1059, CON-1069 & CON-1088. New components for Microsoft Azure:
  - Azure Defender for IoT
  - Azure Information Protection
  - Azure Dedicated HSM
  - Azure Attestation
  - Azure Confidential Ledger
  - Azure Bastion
  - Azure DNS
  - Azure Private Link
  - Azure Content Delivery Network (CDN)
  - Azure Network Watcher
  - Azure Virtual WAN
  - Azure HDInsight
  - Azure Databricks
  - Azure Stream Analytics
  - Azure Data Catalog
  - Azure Data Factory
  - Azure Data Lake Analytics
  - Azure IoT Edge
  - Azure IoT Hub
  - Azure Marketplace
  - Azure Bot Framework SDK
  - Azure Notification Hubs
  - Azure Relay
  - Azure Service Bus Messaging
  - Azure Machine Learning
  - Azure API Management
  - Azure VNet
  - Azure Sentinel
  - Azure Event Hub
  - Azure WAF
  - Azure Service Fabric
  - Azure Windows Virtual Machine
  - Azure Linux Virtual Machine
  - Azure Command Line Interface (CLI)
  - Azure Cloud Shell
  - Azure Database for MySQL
  - Azure Database for PostgreSQL
  - Azure SQL Database
  - Azure SQL Server Stretch Database
  - Azure SQL Database Edge
  - Azure Blockchain Workbench
  - Azure Power BI
Library refactors:
- CON-1041. Set countermeasure mitigation values so that they add up to 100.
- CON-1075. Include the PCI Card Data Questionnaire for the Microservice component.
- CON-1084. Component “Kubernetes Node” updated.
- CON-970. Refactor of the Cloud Storage component definition. Added new security content with specific countermeasures for public cloud storage services.
- CON-1128. Changed component definition name from “Management Console for AWS” to “AWS Management Console”.
CON-1128. Changed component definition name from “Management Console for AWS” to “AWS Management Console”
Articles:
- CON-1091. Default Libraries Rules Interrelations. https://support.iriusrisk.com/hc/en-us/articles/4411640397713