Implemented enhancements

⛓️ Supply chain security section: We have implemented the Supply chain section within the groups on the platform where you can see all those security issues associated with third-party software components and dependencies you use in your apps. These problems were separated from the other vulnerabilities because they often generated noise in the reports and made it challenging to prioritize other vulnerabilities for remediation. In this new section, you will be able to pay more attention to each of these issues to determine if they represent a significant risk exposure for your company that must be mitigated.

In fact, you will soon see that the risk exposure charts in the Analytics sections will reflect substantial decreases because these types of vulnerabilities, we call "Use of software with known vulnerabilities" and "Use of software with known vulnerabilities in development," will be treated separately in the Supply chain section, which we hope you will get used to.

🔄 Transition from CVSS 3.1 to CVSS 4.0: We remind you that the toggle to switch from viewing your vulnerability data according to CVSS 3.1 to CVSS 4.0 is now available for each of your groups within the platform (the latter is the default option). In addition, please note that you can still run our CI Agent in both versions, but the data in the Analytics sections only appears in terms of CVSS 4.0. The idea is that you become increasingly familiar with this transition, which we will try to complete soon.

📮 Mailmap management from the platform: Fluid Attacks' Git mailmap was a plain text file used to organize and unify the names and email accounts of contributing developers or "authors" in Continuous Hacking projects, which was managed within GitLab for billing. Now, the information that was there is part of the database of our platform, where there is already a Mailmap section for easier, faster, and more comfortable management. Today, only Customer Managers can edit the mailmap, while User Managers can view it. However, the latter will soon have the opportunity to manage it on their own, which will also help avoid billing issues.

🧾 Vulnerability closing reasons: There are different reasons why vulnerabilities we report to our clients are considered resolved or "closed." Sometimes, we say a vulnerability was closed because our hackers or tools reevaluated it and determined its remediation was successful. In other cases, it may be due to moves, deactivation, or removal of environments or roots where they were detected. For these or other reasons, from now on, you can be aware of them in the Details and Tracking of each vulnerability location. In addition, in the Analytics section of your groups, you have a chart that shows the percentage distribution for these reasons.

🚫 Free trial account creation is unavailable for clients: Users from current client organizations are not allowed to start our free trial. This will avoid confusion with reports, new group creations, and extra work for both Fluid Attacks and clients. Furthermore, any attempt to do so will be reported to the organization's administrators.

Upcoming enhancements

🤖 Custom fix and Autofix increasingly support more languages: Currently, the GenAI-based vulnerability remediation support channel we offer (Custom fix and Autofix) supports about 70% of the programming languages that can be scanned by our SAST tool. We strive to reach 100% soon and assist you to the utmost possible extent through this valuable means, which you can enjoy in any of our Continuous Hacking plans.

📈 Enhanced vulnerability prioritization: You will soon have the opportunity to define concrete values in the Policies section of the platform for a list of vulnerability prioritization criteria. From this, you will get final values in the "Priority" column for each (type of) vulnerability, which, more tailored to your company's needs and principles than a mere CVSS score, will allow you to determine which security issues should be fixed before others.

🧩 New IDE extension: In the near future, we will add one more IDE plugin to our list of integrations with our platform. We are talking about an extension for IntelliJ IDEA, from which you will enjoy the same vulnerability management benefits that we offer for VS Code.