Release 4.9.0 - 10-11-2022

Features

• [RT-504] - Set the reporter of a ticket in Jira issuetracker
• [SIN-197] - Add Audit log option into the Settings section
• [SIN-356] - New feature for disabling a user
• [INR-264] - New Standard Coverage Widget and Top 10 Countermeasures improvements
• [INR-368] - Improvements in the overall Risk Widget
• [OPT-228] - Generate or update threat models from Microsoft Threat Modeling Tool (MTMT)
• [RT-284] - Improve bulk actions for threats & countermeasures
• [RT-487] - Map Standards into ServiceNow giving more information in the ticket to implement or act upon
• [DRA-539] - Ability to add general threats on the template's creation window
• [DRA-540] - Join imported template component "General product threats" to the existing one of the one for the project
• [DRA-611] - Use PRODUCT_OWNER_UPDATE permissions for OWNERSHIP tab
• [OPT-32] - Enhance CFT ec2 mapping (subnetId) for EC2 instances as web servers
• [OPT-216] - Added support for Visio AWS complex stencils shapes
• [OPT-363] - Improved 400 response for invalid IaC CFT file
• [OPT-413] - Improved validation of Visio files 
• [OPT-445] - Map MTMT Stencils to IriusRisk components
• [SIN-288] - Add new entry to allow users with roleUSER_AUDIT_LOG_VIEWto view new section that includes the audit log

Bug Fixes

• [MSR-815] - Unexpected error updating a Countermeasure with at least one 'Countermeasure' custom field type combobox (User or Business Unit) without value
• [DRA-668] - Error when loading diagram (add NPE protection)
• [DRA-683] - Quick navigation from project to list is throwing an exception
• [DRA-693] - Incorrect error message when calling version creation API with empty name
• [DRA-748] - Issue filtering by "Custom Field"
• [DRA-759] - Fix the audit log icon from the sidebar
• [INR-425] - Error when trying to load combo with business units from the user when it's not Admin in Portfolio Page
• [INR-451] - Fix Standard compliance performance
• [INR-453] - Links are broken when accessing to Audit Log from Home Dashboard
• [MSR-670] - User with permission 'LIBRARY_UPDATE' is not able to add threats from the use case context menu
• [OPT-466] - OTM file has inconsistent IDs when parsing SecurityGroupIngress Resource
• [SIN-419] - Fix a bug sorting by multiple fields in the AuditLog endpoint
• [RT-605] - Issuetracker settings are not horizontally expanded
• [RT-625] - Avoid the selection of all threats when you delete a threat/use case
• [RT-655] - Broken issue link is shown in the Threat view when the issue tracker configuration is defined at the countermeasure level
• [RT-666] - Issue tracker at countermeasure level is not imported in the project action "Update data from file..."
• [RT-669] - No use cases are displayed when trying to add a threat from the main menu
• [RT-671] - On add threat window, if you click outside the window, it shouldn't close
• [RT-759] - Null pointer exception when you select a parent node in the countermeasures table and try some bulk actions

Security Fixes

• [ARCH-264] - Improve the communication security layer between frontend and backend
• [DRA-767] - Fix vulnerability in library com.google.guava:guava
• [DRA-782] - Cross-Site-Scripting vulnerabilities when importing a tampered product list from an Excel file
• [RT-678] - Fix XSS by adding a link with the rich text editor
• [RT-728] - Fix vulnerability in library com.fasterxml.jackson.core:jackson-databind

Hot Fixes included

• Hotfix 4.8.1

API Changes

• API Release Notes 1.17.0

New Knowledge-base Content

New security standards

• [CON-1341] - Added OWASP Top 10 Kubernetes standard to current countermeasures in the Kubernetes and Microservices libraries.

Cloud components

• [CON-1345] - New components for AWS:

  • AWS IAM

• [CON-1352] - New components for Azure;

  • Azure Managed Apps

  • Azure Resource Manager

  • Azure Container Apps

New libraries

• [CON-1343] - IR-Virtual-Components (3 new components): This library contains risk patterns related to virtual components.

• [CON-1328] & [CON-1343] - IR-Network-Components (2 new components): This library contains risk patterns related to network devices and systems.

• [CON-1343] - IR-Hardware-Components (41 new components): This library provides us with set of threats and countermeasures for hardware devices.

• [CON-1351] - mitre-attack-framework (0 components): This library provides us a set of threats and countermeasures obtained from Mitre ATT&CK STIX file: enterprise-attack-11.3.json

Content Updates

• [CON-1338] - Updated component name: from “GCP Identity-Aware Proxy” to “GCP IAP (Identity-Aware Proxy)”

Detailed changelog ([N]ew/[E]dited/[D]eleted)

• Libraries

  • [N] mitre-attack-framework

  • [N] IR-Virtual-Components

  • [N] IR-Hardware-Components

  • [N] IR-Network-Components

• Threats

  • [N] OWASP-A10-2017

• Supported Standards

  • [N] owasp-kubernetes-top-10-2022

• Component Definitions

  • [N] CD-MICROSOFT-AZURE-BATCH

  • [N] CD-MICROSOFT-AZURE-CONTAINER-APPS

  • [N] CD-MICROSOFT-AZURE-MANAGED-APPS

  • [N] CD-MICROSOFT-AZURE-RESOURCE-MANAGER

  • [N] CD-MICROSOFT-AZURE-VM-SCALE-SET

  • [E] CD-GOOGLE-CLOUD-ID-AWARE-PROXY ["name"]

  • [N] CD-AWS-IAM

• Controls

  • [N] C-AZURE-API-MNGMT1

  • [N] C-AZURE-TIME-SYNC

  • [N] AZURE-SERVICE-PRINCIPAL

  • [N] C-AZURE-API-MNGMT2

  • [N] C-AZURE-API-MNGMT3

  • [N] C-AZURE-API-MNGMT4

  • [N] C-AZURE-API-MNGMT5

  • [N] C-AZURE-API-MNGMT6

  • [N] C-AZURE-API-MNGMT7

  • [N] C-AZURE-RESOURCE-MANAGER1

  • [N] C-AZURE-BATCH2

  • [N] C-AZURE-BATCH3

  • [N] C-AZURE-BATCH4

  • [N] C-AZURE-BATCH5

  • [N] C-AZURE-BATCH6

  • [N] C-AZURE-BATCH1

  • [N] C-AZURE-VM-SCALE-SET4

  • [N] C-AZURE-VM-SCALE-SET3

  • [N] C-AZURE-VM-SCALE-SET2

  • [N] C-AZURE-VM-SCALE-SET1

• RiskPattern

  • [N] RP-AZURE-BATCH

  • [N] RP-AZURE-CONTAINER-APPS

  • [N] RP-AZURE-MANAGED-APPS

  • [N] RP-AZURE-RESOURCE-MANAGER

  • [N] RP-AZURE-VM-SCALE-SET