Release Notes
Everything that's new in Polaris
January 2025
- Polaris now supports Coverity 2024.12.0. It includes the following changes:
- Added support for macOS 15.
- Added support for Go 1.23.
- Added support for Java 23.
- Added support for Xcode 16.0.
- Added support for Open/Oracle JDK 23.
- Support for Go 1.22 is deprecated and will be removed in a future release.
- Support for JSHint is deprecated in Coverity 2024.12.0 and will be removed in Coverity 2025.3.0.
- Support for macOS 12 has been removed.
- Support for Go 1.21 has been removed.
- Support for Java 22 has been removed.
- Support for Open/Oracle JDK 22 has been removed.
- Support for .NET 6 has been removed.
- The following information is only relevant to customers who use the following checkers:
- The OVERRUN checker has been updated so that it handles cases where a condition that controls the increment of an offset is unchanged within a loop. (C/C++)
- Coverity CLI will now enable the Android security and Web application security checkers by default instead of enabling all security checkers by default. In terms of the arguments passed to cov-analyze, instead of passing --all-security by default, the Coverity CLI will now pass --android-security --webapp-security --webapp-security-aggressiveness-level low by default.
- Added a new early access C/C++ and Java checker, NULL_FIELD.
- The NULL_RETURNS and FORWARD_NULL checkers no longer report defects on variables asserted as non-null with AssertJ. (Java)
- The RESOURCE_LEAK checker can now track buffers allocated by the scanf() family of functions when using the %m dynamic allocation conversion specifier.
- Improved the results of the POINTER_NONDETERMINISM checker. It now reports fewer false positives, and defects involving templates are reported in better locations.
- Fixed a source of false negatives for the UNSAFE_DESERIALIZATION checker. (C#)
- The MASS_ASSIGNMENT checker now supports JavaScript and TypeScript.
- The CSRF checker now reports defects in JSP files. This behavior can be disabled using the disable_jsp_analysis option. (JavaScript)
- The SESSION_FIXATION checker is now enabled by default for the Go language.
- Data flow improvements for Java Spring-related apps.
- New malicious URL Sigma checker has been added.
- The UNRESTRICTED_MESSAGE_TARGET checker (JavaScript, TypeScript) has been replaced by the Sigma checker unrestricted_postmessage_target_javascript_window.
- The CONFIG.ENABLED_TRACE_MODE checker (C#/.NET config) has been replaced by the Sigma checker trace_mode_enabled_aspnet_core_config.
- Now, you can automatically generate reports on a daily, weekly, or monthly basis. To do so, add a schedule to a report configuration.
Note: See Add or modify a report configuration schedule for more information.
- A bug that caused CloudFlare IPs to appear in Audit Logs instead of user IP addresses is resolved.
- The Portfolio API was restructured to improve usability. This includes:
- Changing each endpoint's base path from /api/portfolios to /api/portfolio.
- Updating terminology used in endpoint paths to improve clarity and consistency. This includes renaming "portfolio-items" to "applications," and "portfolio subitems" to "projects".
- Deprecating endpoints that reference the old base path. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Mon, 15 Sept 2025 23:59:59 GMT" (sunset date).
December 2024
- Correction: To ensure Polaris and the Bridge CLI continue to function as expected, keep https://sig-repo.synopsys.com (34.110.245.127) on your allow list until February 14th, 2025. (POLDOCS-1025)
- Polaris now supports the Secure Tunnel solution for Polaris fAST Dynamic, a simple and secure way to scan internal web applications and APIs. This capability enables you to connect to applications within your private network, without the need to manage physical or virtual appliances or perform complex networking. Secure Tunnel opens a secure TLS connection between Polaris and the internal application, with all traffic securely tunnelled through port 443. Secure Tunnel is integrated with Bridge CLI 3.1.0 and uses technology provided by Teleport, Inc.
Note: See Test an internal web application or API with Polaris Secure Tunnel and Connect to an internal DAST target from the Bridge CLI for more information.
- Polaris supports Black Duck® Bridge CLI 3.1.0.
- Now, you can use the Bridge CLI to run Polaris Secure Tunnel. Polaris Secure Tunnel establishes a secure connection between Polaris and your private network, allowing you to run DAST tests on applications and APIs on your internal network.
- Polaris supports Black Duck Detect 9.10.1.
- Polaris supports Black Duck Bridge CLI 3.0.0 (which replaces Synopsys Bridge). Now, the Bridge is served in two formats:
- Bundle: The existing Bridge package, renamed. The bundle includes a root directory that contains all of the essential files.
- Thin Client: The Thin Client downloads the necessary features at runtime, as it executes a workflow.
- Now, you can save report settings as report configurations. Once saved, you can quickly generate the same report without having to configure the report's settings each time.
See Create and manage report configurations for more information.
- The Bug Tracking Integration API was restructured to improve usability. This includes:
- Changing each endpoint's base path from /api/issue-export-service/jira to /api/integrations/bugtracking.
- Deprecating endpoints that reference the old base path. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Mon, 15 Sep 2025 23:59:59 GMT" (sunset date).
- Updating terminology used in endpoint paths to improve clarity and consistency.
- The domains used for reports and dashboards changed:
- https://synopsys.sisense.com is now https://polaris.sisense.com
- https://synopsys-se.sisense.com is now https://poc-polaris.sisense.com
- https://synopsys-ie.sisense.com is now https://eu-polaris.sisense.com
See Polaris IP ranges for more information.
- The latest Code Sight releases added support for additional IDEs. With Code Sight 2024.11.0, you can:
- View Polaris issues in your IDE with Android Studio and additional JetBrains IDEs (in addition to IntelliJ, Visual Studio, and VS Code).
- Run tests on Polaris from your IDE with Android Studio, IntelliJ, and other JetBrains IDEs (in addition to VS Code).
- Many of the endpoints in the Findings API were updated. This includes:
- Adding the new base path (/api/findings) to remaining endpoints in the API (previously, only used in taxon query endpoints). The /api/specialization-layer-service base path will continue to function until September 30, 2025 (sunset date).
- Component and license endpoints in the API were restructured to improve usability. This includes:
- Replacing the /api/specialization-layer-service/component-versions endpoint with /api/findings/component-versions/_actions/triage to better indicate the endpoint's purpose.
- Updating terminology used in endpoint paths and properties to improve clarity and consistency.
- Deprecating endpoints that were replaced. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Mon, 30 Sep 2025 23:59:59 GMT" (sunset date).
- The Reports API was restructured to improve usability. This includes:
- Now you can create all reports with one endpoint: /reports/{reportType}/_actions/run (which replaces the /reports/{reportType}/generate and /reports/{reportType}/export endpoints).
- Replacing the /reports/{reportId}/download endpoint with /reports/{reportId}/_actions/download for consistency.
- Deprecating endpoints that were replaced. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Mon, 1 Sep 2025 23:59:59 GMT" (sunset date).
- With a subscription that permits external analysis tests, you can import SAST and SCA issue data from many third-party tools into SAST & SCA projects in Polaris. This is a limited availability release and not generally available. Please contact your account teams for more information.
Note: See Import results from third-party tools (limited availability) and Supported third-party tools for more information.
November 2024
- The Insights API was renamed and is now Reports.
- Polaris now supports Coverity 2024.9.1. It includes the following changes:
- Added support for Kotlin 2.0.
- Added support for Python 3.12.
- Added support for Android NDK r27 (Android NDK Clang up to 18.0.1).
- Added new API safety and hardcoded secret checks for Kotlin and Python.
Note: These new checkers could result in new issues found compared to previous scans.
- The new report_bitand option of the OVERRUN checker reports a defect if the index expression used in an array access is the result of a bitwise AND operation and the value of the mask used in the bitwise AND operation indicates the index may be out of bounds.
- Added new or updated checker support for C/C++:
- The OVERRUN checker now reports cases when a receiving buffer of a scanf-type function could be overrun.
- The OVERRUN checker now reports fewer false positives related to strlen function calls.
- Added support for std::rend in the INVALIDATE_ITERATOR checker.
- Updated the OVERRUN checker to report when a call to scanf contains a width specifier that might cause an overrun of the destination buffer.
- Token patterns via CodeXM now allow matching preprocessor directives.
- USE_AFTER_MOVE checker improvements to report cases where a function returns after moving a reference parameter.
- Added new or updated checker support for C#:
- Added support for the SESSION_FIXATION checker.
- Added ability to detect 'password' keywords for C# through the Sigma engine. The recognition of the keyword happens with or without its usage.
- Added new or updated checker support for Go:
- Support for the SESSION_FIXATION checker.
- Added new or updated checker support for Visual Basic:
- Added support for the SESSION_FIXATION checker.
- Support for Kotlin 1.9.x is deprecated and will be removed in a future release.
- Support for Kotlin 1.8 has been removed.
- Support for Open/Oracle JDK 22 is deprecated and will be removed in a future release.
- Support for .NET 6 is deprecated and will be removed in a future release.
- Fixes issues found in Coverity 2024.9.0.
- Correction: https://sig-repo.synopsys.com will continue to function until February 14, 2025.
Note: See Transition to repo.blackduck.com in Black Duck Community for more information.
- Correction: The Attempt Build Break action only affects tests run using Bridge.
Note: See Issue policies for more information.
- As an Organization Administrator, you can migrate your tenant on the Black Duck Polaris® Platform to the Black Duck domain. When the migration is complete, users in your organization can access Polaris via https://polaris.blackduck.com, https://poc.polaris.blackduck.com, or https://eu.polaris.blackduck.com — and old URLs will redirect users automatically. We strongly recommend you complete this migration by February 14, 2025.
Note: Find migration instructions here: Migrate Polaris to the Black Duck domain.
- Additional API references were renamed (without changes to functionality):
- The SCM Integrations Service is now Repos Integration.
- The Test Manager API is now Tests.
- The Tool Service is now Tools.
- Media type names used in Polaris APIs were renamed and no longer include "synopsys." Although media types that include "synopsys" were removed from the API specifications, existing endpoints will continue to support them until September 1, 2025. Please update your scripts to use the new media types.
October 2024
- Additional API references were renamed (without changes to functionality):
- The Audit API is now Audit.
- The Report Service is now Insights.
- The Notification API is now Notification.
- The Customer Identity and Access Management (CIAM) API is now Identity and Access Management.
- The Executive Overview Dashboard is available. The new dashboard provides an overview of application security and policy compliance in your organization.
- Several API references were renamed (without changes to functionality):
- The Issue Export Service is now Bug Tracking Integration.
- Polaris Issue Workflow Engine API is now Findings.
- Policy Management API is now Policies.
- Portfolio Service is now Portfolio.
- The Polaris Issue Workflow Engine Service API was restructured to improve usability. This includes:
- Adding the new base path. /api/specialization-layer-service is changing to /api/findings (currently, only used in taxon query endpoints). The /api/specialization-layer-service base path will continue to function until September 30, 2025 (sunset date).
- Adding new taxon query endpoints. These return better-structured responses.
- Deprecating old taxon query endpoints. Deprecated endpoints have deprecation and sunset headers. They will not be available after September 30, 2025 (sunset date).
- Updating terminology used in endpoint paths and properties to improve clarity and consistency.
- Correction: Two Sisense domains included in the release notes at the start of October were corrected:
- https://poc-polaris.sisense.com (previously published as https://poc.polaris.sisense.com)
- https://eu-polaris.sisense.com (previously published as https://eu.polaris.sisense.com)
- The Policy Overview Dashboard is available. View the quantity of issues in your portfolio that violate your organization's policies.
Tip: Apply the Policy Name filter to limit results to applications whose projects have specific policies assigned.
- The Portfolio ROI Dashboard is available. View the impact of Polaris on your portfolio's security profile over time.
- The Synopsys Software Integrity Group (SIG) is now Black Duck. Soon, the name of the platform will become Black Duck Polaris® Platform.
- To ensure Polaris continues to function as expected, update your allow list.
- https://sig-repo.synopsys.com is now https://repo.blackduck.com/.
- https://community.synopsys.com/s/ is now https://community.blackduck.com/.
- See Polaris IP ranges for more information.
- Learning and support resources have moved:
- Black Duck Community: https://community.blackduck.com/.
- Black Duck Academy: http://blackduck.skilljar.com/.
- Black Duck on YouTube: https://www.youtube.com/@BlackDuckSoftware.
- Find documentation for other Black Duck products (including Bridge documentation) here: https://documentation.blackduck.com/.
- Soon, Polaris will send emails via noreply@blackduck.com. Please update your spam filters to avoid interruptions.
- Additional domain changes are coming soon (https://polaris.blackduck.com, https://poc.polaris.blackduck.com/, https://eu.polaris.blackduck.com/, https://store.polaris.blackduck.com/, https://store-eu.polaris.blackduck.com, https://store-poc.polaris.blackduck.com, https://tool-download.polaris.blackduck.com, https://polaris.sisense.com, https://poc-polaris.sisense.com, https://eu-polaris.sisense.com).
- See Black Duck Domain Change FAQ for more information.
- Events in the audit log that capture actions performed by internal (Black Duck) users are now associated with the Internal System User (in the User column).
Note: Events that are visible on the Audit Logs page before this update won't change.
September 2024
- The quality of upgrade guidance for vulnerable components (detected in SCA tests) was improved.
- Now (in addition to upgrade guidance for an individual component) upgrade guidance for components that bring in transitive dependencies appears in the user interface, when available.
- See Find component upgrade guidance for more information.
- You can run tests on Polaris from your IDE with Code Sight 2024.9.0.
- When you run a test from your IDE (using Code Sight), Code Sight creates a branch in Polaris. The names of branches created by Code Sight include CodeSight_ and the email address of the user the branch was created for (for example, CodeSight_user@domain.com).
Important: The branches Code Sight creates are not compatible with SCM integrations.
- By default, tests run with Code Sight are hidden on the Tests page. Select IDE with the Test Mode filter to show tests run with Code Sight.
- See Connect Code Sight to Polaris for more information.
- To avoid exporting stale or resolved issues to Jira, exporting an issue to Jira was disabled on the Detected Issues and Absent Issues tabs (Tests > See Results > Detected Issues/Absent Issues). Use the Issues tab (Portfolio > select an application > select a project) to export issues to Jira.
- Polaris supports Synopsys® Bridge 2.9.0.
- To minimize cloud agent runtimes, set polaris.waitForScan to false in your pipelines. When set, Bridge exits as soon as a test is queued, and does not perform post-analysis operations (break the build, fix PR, PR comments, SARIF, etc.).
- Date pickers on the Onboarding and Test Summary dashboards were improved.
Note: This update resets the default date filters. If necessary, use the new date pickers to change the default values for your organization.
- The License and Component dashboards were renamed to Table - Component Search and Table - License Search, respectively.
- The Application Tag filter was added to the Issues Summary Dashboard, Table - Component Search, Table - License Search, and Test Summary dashboards.
- The Vulnerability ID filter was added to the Issues Summary Dashboard.
- The Tool Name filter (found in Dashboards) now includes separate options for different SCA test types: Polaris Package Manager and Polaris Signature Analysis.
August 2024
- Now, you can run signature analysis tests using Synopsys Bridge on ARM-based Mac.
- Polaris supports Synopsys Bridge 2.8.0.
- Polaris supports Synopsys Detect 9.9.0.
- If you override properties of parent modules in your Maven project's pom.xml, Polaris uses the overrides to generate more precise results in code upload and SCM workflows.
- Now, you can include DAST test results in eligible reports (excluding the Developer Detail Static, Developer Detail SCA, and SBOM reports).
- Polaris fAST Dynamic now supports dynamic application security testing (DAST) of native APIs. To run a self-service DAST test against an API, you provide the base URL, API specification file, and any authorization headers. You can view issues found alongside HTTP evidence—including endpoints, request and response bodies, and attack payloads—and triage them by severity. REST and GraphQL APIs are both supported.
Note: To get started, create a new DAST project and specify an API target. See Run dynamic application security testing (DAST) on Polaris for more information.
- Now, DAST test and issue data is included in Dashboards.
Note: To include DAST tests in the Test Summary dashboard, the Display Default Branch filter must include true. If only false is selected, DAST test results are hidden.
- Polaris supports Synopsys Bridge 2.7.0.
- Now, if the application specified when triggering a test (polaris.application.name) doesn't already exist in Polaris, Bridge attempts to create the application before running the test.
Note: A valid concurrent (team member) subscription is required to create applications in Polaris using Synopsys Bridge.
- If you run a SAST and SCA test in the same job, Bridge ensures the SAST test runs first.
- Now, you can create component policies that notify Organization Administrators when components with specific properties are detected in SCA tests. Policy violation quantities that appear throughout the user interface now include violations from issue and component policies.
Note: See Component policies for more information.
July 2024
- As an extension to Polaris SCM onboarding, Polaris will now support single project onboarding of self-hosted versions of GitHub.
- The Onboarding Dashboard is available. View the quantity of applications and projects created in a time period, and how many of the applications and projects were tested. Includes trend charts for applications and projects created, and a table with the total number of tests run per project. Apply the Application Tag filter to limit data to applications with particular tags.
Note: Any application with a SAST and/or SCA subscription is counted on the Onboarding Dashboard, but DAST projects and tests are ignored. SAST and SCA tests are used to evaluate the percentage of applications and projects scanned.
- For added security, a relay service was implemented that proxies requests from Polaris to LaunchDarkly.
Note: You don't need to allow list the IP ranges for LaunchDarkly (104.156.80.0/20, 151.101.0.0/16, and 52.21.152.96/32) anymore.
- Polaris now supports Coverity 2024.6.0. It includes the following changes:
- Support for Go 1.20 has been removed.
- Support for Java 11 has been removed.
- Support for LLVM Clang 8.x has been removed.
- Support for .NET 7.0 has been removed.
- Support for Open/Oracle JDK 11 has been removed.
- Support for macOS 12 is deprecated and will be removed in a future release.
- Support for Go 1.21 is deprecated and will be removed in a future release.
- Support for LLVM Clang 9.0 is deprecated and will be removed in a future release.
- Added support for Go 1.22.
- Added support for Java 22.
- Added support for LLVM Clang 18.1.0 and Xcode 15.3.
- Added support for Open / Oracle JDK 22.
- Support for PHP has been improved. Note: Improved support could lead to an increase in the number of new PHP defects.
- Improvements to SQL injection checkers in Python Code.
- New or updated checkers for C#, Java, JavaScript/TypeScript, and Visual Basic.
- New secret patterns and checks for JavaScript and Java.
- Support for Bazel requires current users to make a one-time adjustment to their scans. For more information, see Changes to Bazel integration method.
- Now, you can add rules to issue policies that automate actions when issues with different fix-by statuses (Overdue, Due Soon, On Track, or Not Set) are detected in a test.
Note: We recommend you don't use Fix-By Status in conjunction with other properties. Instead, create a separate rule (or a separate issue policy) to automate actions with fix-by statuses. See Issue policies for more information.
- While viewing issues in a project, you can filter issues based on their Fix-By Status.
- Issue exports (to CSV or JSON) include fix-by dates.
- As an extension to Polaris SCM onboarding, Polaris will now support single project onboarding of self-hosted versions of GitLab.
- Using Synopsys Bridge, you can run Black Duck® signature scans (a type of SCA test) and upload results to Polaris. These tests build a project during analysis and can identify components in your project that aren't referenced in your package manager's manifest file. Files and folders in each component captured in a signature analysis test are compared with a copy of the component in the Black Duck knowledge base to generate additional match types (beyond direct and transitive dependencies), and a (percentage) match score. A higher match score indicates a closer match, and a lower match score indicates a component was modified.
Please note that duplicate SCA issues appear when a component is detected in both package manager and signature analysis tests. While viewing issues in a branch or test, use the Tool Type filter to show SCA issues captured in Package Manager or Signature Analysis tests.
Note: To run a signature analysis test, include the SCA-SIGNATURE SCA test type in your input.json file. See Running Polaris scans with a JSON file in the Synopsys Bridge documentation for more information.
- Organization Administrators can update the subscriptions assigned to multiple applications at the same time.
Note: See Update the subscriptions assigned to multiple applications for more information.
- Polaris supports Synopsys Bridge 2.6.8. Now, short test IDs appear in logs.
June 2024
- As an extension to Polaris SCM onboarding, Polaris will now support single project onboarding of self-hosted versions of Bitbucket.
- The Audit, CIAM, and Notification APIs were restructured to improve usability. This includes:
- Changing each API's base path:
- Audit: From api/audit-service to api/audit.
- CIAM: From api/ciam to api/auth.
- Notification: From api/notification-service to api/notification.
- Deprecating endpoints that reference the old base paths. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Mon, 31 Mar 2025 23:59:59 GMT" (sunset date).
- Updating terminology used in endpoint paths to improve clarity and consistency.
- You can now triage components. This allows you to exclude specific components from your Software Bill of Materials (SBOM) and removes vulnerabilities related to that component in the issue view. This includes:
- When you exclude a component, any non-dismissed issues derived from the component are automatically dismissed.
- When you exclude a component, it reduces the violation counts (if the policy is configured to filter only "non-dismissed" issues).
- Excluded components will not be in SBOM reports.
- If needed, you can switch a component from excluded back to the default (included).
- Polaris supports Synopsys Bridge 2.6.0. Now, in addition to passing arguments for Coverity and Detect in a configuration file, you can include tool-specific arguments in commands and environment variables.
Note: See Passing Arguments using the CLI in the Synopsys Bridge documentation for more information.
- The Notification API reference is available. Use this API to manage your organization's notification settings (including notification settings for users).
- The PATCH /api/ciam/resources/applications/{applicationId}/roles/{roleId}/users endpoint was added to the CIAM Service API. Use this endpoint to assign application-level roles to users.
Note: The new PATCH endpoint replicates the POST /api/ciam/resources/applications/{applicationId}/roles/{roleId}/users endpoint — but returns more informative responses.
- API reference documentation for the CIAM and Audit services was improved. This includes:
- Adding missing 405 and 500 error responses.
- Adding missing example values.
- Adding media types to error responses.
- The Policy Management (formerly, Risk Manager) API was restructured to improve usability. This includes:
- Changing the service's base path from api/risk to api/policies.
- Adding V2 policy assignment endpoints. The V2 endpoints don't use path parameters, and make assigning policies to projects and branches easier.
- Adding new policy evaluation endpoints that retrieve the count of issues that violate policies and their rules.
- Deprecating endpoints that reference the old base path, and V1 policy assignment endpoints. Deprecated endpoints have deprecation and sunset headers. They will not be available after "Sun, 1 Dec 2024 23:59:59 GMT" (sunset date).
Note: See the Policy Management API reference for more information.
- Organization Administrators and Organization Application Managers can add subscriptions to preexisting applications, and replace application subscriptions with concurrent subscriptions.
Note: See Assign subscriptions to applications for more information.
- Polaris supports Synopsys Bridge 2.5.0. Now, you can use Bridge to upload source code to Polaris, and then scan it with Polaris (mimicking the process a user would follow in the Polaris UI).
Note: See Source Code Upload Scan in the Bridge documentation for more information.
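For the API restructurings announced in these notes (Portfolio, Bug Tracking, Findings, Issue Workflow Engine, Audit/CIAM/Notification and Policy Management), here is an added Python helper, not Polaris or Black Duck code, that rewrites deprecated base paths to their replacements and reads the deprecation and sunset response headers so a script can warn ahead of the sunset date instead of failing on it. The path table and the sample headers are assumed from the notes (leading slashes are added where the notes omit them), and only the presence of the Deprecation header is interpreted.

```python
# Added example (not Polaris or Black Duck code): client-side helper for the
# API base-path migrations and the Deprecation / Sunset headers described in
# these release notes.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Mapping, Optional
from urllib.parse import urlsplit, urlunsplit

# Deprecated base path -> replacement, as listed in the release notes
# (assumed table; leading slashes added where the notes omit them).
BASE_PATH_MIGRATIONS = {
    "/api/portfolios": "/api/portfolio",                                # Portfolio
    "/api/issue-export-service/jira": "/api/integrations/bugtracking",  # Bug Tracking
    "/api/specialization-layer-service": "/api/findings",               # Findings
    "/api/audit-service": "/api/audit",                                 # Audit
    "/api/ciam": "/api/auth",                                           # CIAM
    "/api/notification-service": "/api/notification",                   # Notification
    "/api/risk": "/api/policies",                                       # Policy Management
}


def migrate_path(path: str) -> str:
    """Rewrite a deprecated Polaris API path to its replacement base path.

    Only whole path segments are matched, so an already-migrated
    /api/portfolio/... or an unrelated /api/riskier/... is returned unchanged.
    """
    for old, new in BASE_PATH_MIGRATIONS.items():
        if path == old or path.startswith(old + "/"):
            return new + path[len(old):]
    return path


def migrate_url(url: str) -> str:
    """Apply migrate_path to the path of a full URL, keeping host and query."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=migrate_path(parts.path)))


@dataclass(frozen=True)
class DeprecationStatus:
    deprecated: bool            # response carried a Deprecation or Sunset header
    sunset: Optional[datetime]  # parsed Sunset header, if present
    days_left: Optional[int]    # whole days until sunset; negative once past


def check_deprecation(headers: Mapping[str, str],
                      now: Optional[datetime] = None) -> DeprecationStatus:
    """Read the Deprecation and Sunset response headers.

    Header names are compared case-insensitively, as HTTP requires. The
    Sunset value is an HTTP-date such as "Mon, 15 Sep 2025 23:59:59 GMT".
    `now` is injectable so the result is deterministic in tests.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    deprecated = "deprecation" in lowered or "sunset" in lowered
    sunset_value = lowered.get("sunset")
    if sunset_value is None:
        return DeprecationStatus(deprecated, None, None)
    sunset = parsedate_to_datetime(sunset_value)
    if sunset.tzinfo is None:  # parser returns a naive value for a -0000 zone
        sunset = sunset.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return DeprecationStatus(deprecated, sunset, (sunset - now).days)


def migration_advice(url: str, headers: Mapping[str, str],
                     now: Optional[datetime] = None) -> Optional[str]:
    """Return a one-line warning for a deprecated endpoint, or None if current."""
    status = check_deprecation(headers, now)
    if not status.deprecated:
        return None
    advice = f"deprecated endpoint {url}"
    new_url = migrate_url(url)
    if new_url != url:
        advice += f"; use {new_url}"
    if status.days_left is not None:
        advice += f"; removed in {status.days_left} days ({status.sunset:%Y-%m-%d})"
    return advice


if __name__ == "__main__":
    # Constructed sample response headers (not captured from Polaris); the
    # Deprecation value is a placeholder since only its presence is checked.
    sample_headers = {"Deprecation": "true",
                      "Sunset": "Mon, 15 Sep 2025 23:59:59 GMT"}
    print(migration_advice("https://polaris.blackduck.com/api/portfolios/42",
                           sample_headers))
```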
May 2024
- Polaris supports Synopsys Detect version 9.6.0.
- This includes support for Gradle's rich model for declaring versions, which allows you to define dependency conflict resolution rules for direct and transitive dependencies. Support for Gradle's rich model for declaring versions is only available when you test with Synopsys Bridge (CI/CLI).
Note: See Rich version declaration support in the Detect documentation for more information.
- Now, you can create an Executive Summary Report that provides an overview of your portfolio and modules that detail the overall risk posture including issue summaries, detected and absent issue charts, issue trend charts, top issue types and top issues with policy violations.
- Find the IPs you may need to allow list to work with Polaris here: Polaris IP ranges, Polaris IP ranges for Bridge CLI.
- Polaris supports Synopsys Bridge 2.4.45. Now, Bridge output includes links to Polaris where you can view:
- Each completed test's results.
- The branch that was tested.
- Polaris supports Coverity version 2024.3.1, which fixes a bug introduced in Coverity 2024.3.0 with cov-emit. This bug consumed excess time and memory, which interfered with Polaris scans completing.
- Now, you can create a Developer Detail Static Report that provides an overview of the issues in the selected application(s) including details that will help developers select what to focus on.
- Now, you can create a Standard Compliance Detail Report that provides an overview of the issues in the selected standard. It also provides an issue count for each project, and issue details organized by test type and standard.
- Now, you can use Polaris Assist to generate SAST remediation guidance with a large language model (LLM). Remediation guidance includes:
- A short summary of the issue
- An analysis of the code where the issue is found
- A revision (in code) that may remediate the issue
Note: See Generate SAST remediation guidance with Polaris Assist (Beta) for more information.
April 2024
New Features and Changes
- Now, you can create a Developer Detail SCA Report that provides an overview of the issues in the selected application(s) including details that will help developers select what to focus on.
- Polaris supports Synopsys Bridge 2.4.12.
- Now, you can create an Issue Overview Report that provides a high level overview of your applications and projects to show your risk posture across the entire portfolio.
- Now, you can create a Test Summary Report that allows you to see tests of your applications and/or projects (depending on selected scope). The report lists the first and last test, number of tests in a time period, test trends, assessment types scanned, and a list of applications and/or projects not tested in the time period.
- Polaris supports Synopsys Detect version 9.5.0.
- Use the --detect.maven.include.shaded.dependencies property to include a Maven project's embedded or shaded dependencies in its bill of materials (BOM).
Note: See Include Shaded Dependencies in the Detect documentation for more information.
- The Maven Project Inspector excludes Maven dependencies with <exclude> tags in the pom.xml file.
- Improves the accuracy of SCA tests run on Maven and Gradle projects in Code Upload and SCM workflows.
- The Maven Project Inspector and Gradle Project Inspector detectors eliminate optional dependencies to reduce false positives.
- Polaris now supports Coverity 2024.3.0. It includes the following changes:
- Support for Windows Server 2019 has been removed.
- Support for .NET 6.0 has been removed.
- Support for Oracle/Open JDK 20 has been removed.
- Support for Oracle JDK 11 is deprecated and support for it will be removed in a future release.
- Added support for C# 12.
- Added support for .NET 8.
- Two new dashboards are available:
- Component Dashboard: View all the components used in your organization's applications and projects, along with the license each component is subject to.
- License Dashboard: View all the licenses your organization's applications and projects are subject to, along with a description of each license, and each license's family.
Note: See Work with dashboards for more information.
- Polaris supports fAST Dynamic. Optimized for advanced JavaScript frameworks and single page applications (SPA), fAST Dynamic enables you to run rapid, self-service security scans of pre-production web applications from within the Polaris platform.
Dynamic application security testing (DAST) examines an application while it is running, without knowledge of its internal design and without access to its source code. This "black box" testing looks at the application from the outside in, observes its running state, and records its responses to simulated attacks sent by the testing tool. Those responses help determine whether the application is vulnerable and could be susceptible to a real attack.
Note: See Run dynamic application security testing (DAST) on Polaris for more information.
- A new application-level role is available in Polaris: Member. Members can do everything Contributors can do, except create, edit, and delete projects.
Note: See Roles and permissions for more information.
- Polaris supports Synopsys Detect version 9.4.0, which:
- Extends Conan support to Conan 2.0.14.
- Extends NuGet support to NuGet 6.2, and allows Polaris to capture dependencies in projects that use NuGet's Central Package Management.
- Extends Dart support to Dart 3.1.2 and Flutter 3.13.4.
- Extends BitBake support to BitBake 2.6.0 (Yocto 4.3.2).
- Extends pnpm support to pnpm 8.9.2 (using the v6 pnpm-lock.yaml file). Important: pnpm 6 and pnpm 7 (using the default v5 pnpm-lock.yaml file) are deprecated. Support will be removed in a future Synopsys Detect release.
- Extends Yarn support to Yarn 4.1.0.
- When testing Maven projects with the Maven CLI, arguments that control the number of threads used (included with the detect.maven.build.command property) are ignored.
- Includes several bug fixes and improvements.
- Includes a new detector for Python projects, PIP Requirements File Parse. Note: PIP Requirements File Parse is a buildless detector that acts as a LOW accuracy fallback for the PIP Native Inspector. This detector is triggered for Python projects that contain one or more requirements.txt files if Synopsys Detect does not have access to a PIP executable in the environment where the scan is run.
March 2024
New Features and Changes
- Polaris supports Synopsys Bridge 2.4.0.
- Now, you can create a Security Audit report that identifies vulnerable areas in your application including identifying different components that may be exploited, estimating protection from common attacks, and assessing the overall security risk across all threat areas.
- Now, you can use groups to manage access to applications. You can create groups manually in Polaris, or (after you set up single sign-on) you can synchronize groups in your identity provider (like Azure, or Okta) with Polaris.
Note: See Manage permissions with groups and Manage Polaris groups through your identity provider for more information.
- The General tab was added to the My Organization page (and replaces the Data Access and Notifications tabs, which were removed). Here, you can:
- Find your organization (tenant) name and ID.
- Enable/disable assessment center access to published issues (enabled by default).
- Enable or disable email notifications for all users (enabled by default).
- Now, you can create Standard Compliance reports that provide issue counts for each application as it relates to a selected standard, as well as a view of the total issues found per standard.
- Exporting a software bill of materials report to Cyclone DX v. 1.4 is now available.
- Now, you can apply fix-by dates to issues in your portfolio to help your developers prioritize issues for remediation, and enforce your organization's security standards across projects and applications. Fix-by dates can be set:
- Automatically with issue policies, where you can specify severity-specific fix-by dates.
Note: See Fix-by dates for more information.
- Manually when you triage issues.
Note: See Ways to triage issues in Polaris for more information.
- Polaris supports Synopsys Bridge 2.3.0. Now, using the Bridge CLI you can:
- Export issues to a SARIF file.
Note: See Exporting a SARIF File in the Bridge CLI documentation for more information.
- Use the --out <outFile> option to save final state data to a file.
- Reports can now be downloaded from the UI. New features include being able to:
- View details, search and download reports from the past 30 days.
- Filter by type of report, date(s) or status.
- Improvements were made to the Test Summary dashboard, along with minor bug fixes. Improvements include revised test state labels and enhanced widget filtering.
February 2024
New Features and Changes
- Now, you can integrate Polaris with Secure Code Warrior. Once the Secure Code Warrior integration is enabled, links to free, interactive training resources appear in the Issue Details pane, when available. Links are context-sensitive, and direct you to training tailored to a specific issue.
Note: See Integrate Secure Code Warrior with Polaris for more information.
Synopsys is a Secure Code Warrior connect partner. Contact your Synopsys sales rep to take full advantage of the Secure Code Warrior platform, which includes additional activities, courses, tournaments, APIs, integrations, and reporting.
- Polaris now supports Coverity 2023.12.1. This fixes known scan error issues with JavaScript and Clang in Coverity 2023.12.0.
- Now, you can configure Polaris to automatically delete non-default branches that aren't tested for a period between 1 and 90 days. You can adjust this in each application, project, and branch's settings. By default, Polaris retains non-default branches indefinitely.
Note: See Configure automatic branch deletion for more information.
- Each issue's First Detected date (the date and time when an issue was first captured in a test) appears in issue grids and issue details.
- You can view an issue's detection history in the triage panel.
Note: See View issue history for more information.
- The new Summary tab is available when you open a project. Here, you'll find the Issues Over Time and Average Age of Outstanding Issues charts. Use these charts to monitor the quantity of issues in a project over time, and see the average age of issues in the project, grouped by severity.
Note: See Summary tab for more information.
January 2024
New Features and Changes
- Code Sight users can view Polaris issues in Visual Studio.
- Links in emails used to reset passwords, reset two-factor authentication, and join Polaris expire after 24 hours. Until now, these links expired after 12 hours.
- Polaris supports Synopsys Bridge 2.2.1.
- Now, you can download a version of Synopsys Bridge that runs on Apple® silicon (ARM-based Mac) from the Polaris user interface.
- To download an ARM-compatible version of Synopsys Bridge, go to Account > Downloads.
- Polaris supports Coverity 2023.12.0. It includes the following changes:
- Support for macOS 11 has been removed.
- Support for Go 1.19 has been removed.
- Support for Windows Server 2019 is deprecated and will be removed in a future release.
- Support for Go 1.20 is deprecated as of 2023.12 and will be removed in a future release.
- Added support for Dart/Flutter.
- Added support for macOS 14.
- Added support for C++23.
- Added support for Go 1.21.
- Added support for Java 21. Preview features are not supported at this time. To avoid issues, ensure error recovery is enabled when using preview features.
- Added support for Ruby 3.x (via Brakeman Pro, bundled into the analysis kit).
- Added support for ECMAScript 2023.
- Added support for TypeScript 5.0, 5.1, and 5.2.
- The SQLI checkers were updated to reduce false positives and false negatives, which may change the number of issues reported in Polaris.
Important: Customers who test projects with JavaScript may experience errors after the Coverity 2023.12.0 upgrade. This is a known issue and a fix is scheduled in the upcoming weeks.
- The Test Summary Dashboard was added to the Dashboards page. Use this dashboard to visualize the quantity of tests run against applications and projects in your organization. Switch between different dashboards using the new Dashboards pane.
- Customers with concurrent subscriptions can now integrate multiple repositories from GitHub and GitHub Enterprise as applications or projects in Polaris. This includes:
- Using your SCM repository to create new application(s) and project(s) or add multiple repositories to existing applications in Polaris. During this process the user can assign policies and, for applications, roles.
- Ability to update the connection credentials for all the projects under an application.
December 2023
New Features and Changes
- Polaris supports Synopsys Bridge 2.1.0.
- The retention period for events captured in audit logs was extended from 7 to 30 days.
Note: Events that are visible on the Audit Logs page when the retention period changes are preserved for 30 days.
- Polaris supports additional package managers for SCA tests run via code upload or SCM integrations, including:
- Cargo
- Carthage
- CocoaPods
- Conan
- CRAN
- Dart
- Go Dep
- Go Vendor
- Gogradle
- Packagist
- RubyGems
- Swift
- Xcode
November 2023
New Features and Changes
- The Notes field was removed from the New Test page.
- Polaris supports Synopsys Bridge 2.0.0.
Important: When used with Polaris, this version requires the polaris.branch.name variable. Please update your pipelines to avoid errors.
- Polaris supports Coverity 2023.9.2. It includes the following changes:
- Support for Visual Basic is limited to CLI mode.
- Support for PHP quality checkers has been removed.
- Support for Kotlin 1.7.0-1.7.20 has been removed.
- Support for Open/Oracle JDK 19 compilers has been removed.
- Support for Kotlin 1.8.x is deprecated and will be removed in a future release.
- Added support for Kotlin 1.9.0.
- Added support for Python 3.11.
- Added support for Java 20.
- Added support for PHP 8.0. PHP 8 support is now available through Rapid Scan Static (Sigma), bundled with Coverity.
- Support for Ruby in Coverity quality checkers is being deprecated as of Coverity 2023.9.0 and will be removed in a future release.
- The Synopsys Security Scan Plugin for Jenkins is available in the Jenkins Marketplace. Use the Synopsys Security Scan Plugin (with Bitbucket) to run Polaris scans in your Jenkins pipeline.
- Three new filters were added to the Dashboards page. Now, you can filter issue data by CWE (Common Weakness Enumeration, CWE™), Location, and/or Issue Category.
- Polaris supports Synopsys Bridge 1.2.38. In this version, when Bridge creates a new project (when you test a project that doesn't already exist in Polaris), it uses the branch name you provide (in the command or JSON file) to create the project's default branch.
- Now, Common Vulnerabilities and Exposures (CVE®) and Black Duck® Security Advisory (BDSA) codes appear in the issues table for SCA issues, in the Vulnerability ID column. When a CVE and BDSA code apply to a single issue, the BDSA code is hidden. Hover over (+1) to see the BDSA code.
Note: CVE and BDSA codes are not added to your existing test results. Retest your projects to reveal these values.
- Now, you can update quantities in the Total Active Policy Violations columns (found on the Portfolio and Portfolio Application pages) by triaging issues. To do so, add triage statuses to your issue policies' rules. To exclude dismissed issues from Total Active Policy Violations columns (and mimic the behavior of other columns on these pages), make sure your policy's rules capture issues with the To Be Fixed and Not Triaged statuses.
Note: The default issue policy for new Polaris tenants now excludes dismissed issues; however, this change is not applied to preexisting policies.
- The default branch name for new projects has been changed back to "main" and is no longer "polaris_main".
- Branching with an integrated SCM repository has been made easier including:
- Polaris automatically imports the default branch from the repository when you integrate.
- If you have a branch with the same name in your repository and in your Polaris project, Polaris will link the Polaris branch to the SCM branch and you will not lose scan data from the original branch.
- The Refresh buttons near the top of the Portfolio and Application pages were removed.
- Polaris supports Synopsys Detect version 9.0.0, which:
- Extends Gradle support to Gradle 8.2.
- Extends npm support to npm 9.8.1.
Note: Polaris no longer supports scanning Node.js projects that use npm 6.
- Adds support for npm workspaces.
- Adds support for NuGet package reference properties from Directory.Build.props and Project.csproj.nuget.g.props files.
- A revised SCA Language and Package Manager Support table is available here: Polaris Support Information. The new table includes:
- Entry points
- Detectors and their requirements
- The relative accuracy of different detectors
- Additional supported package managers (Cocoapods, CPAN, CRAN, Packagist, PEAR, RubyGems)
- Added the SCA Package Manager Versions (latest) table to the Polaris Support Information page.
- The known issue with dates in the Latest Completed Test column is fixed.
Correction
- Git and Bazel were removed from the SCA Language and Package Manager Support table. Neither of these tools is a package manager.
October 2023
New Features and Changes
- Export of software bill of materials (SBOM) via JSON file (SPDX v. 2.3) is now available.
- Polaris supports Synopsys Bridge 1.2.12.
- Policy violations appear on the Portfolio, and Tests pages. See Monitor policies in Polaris for more information.
- Now, you can find the latest test of a default branch in any of an application's projects on the Portfolio page.
Note: When you open the Portfolio page after this feature is released, the Latest Completed Test columns may be empty. Values appear after a project's default branch is scanned.
- An option to select one standard (OWASP®, CWE™ or PCI DSS) when you create a report has been added.
- The default branch name for new projects changed. Previously "main" was used. Now "polaris_main" is used.
- Polaris supports Synopsys Bridge 1.2.0.
- The default filters on the Dashboards page changed. Now, dismissed issues are hidden by default.
Known Issue (Fixed)
- Dates in the Latest Completed Test column (on the Portfolio page) may not be accurate. Our team is actively working on a fix to resolve this issue.
September 2023
Other Features and Changes
- The quantity of projects in each application appears on the Portfolio page (in the Projects column).
- The new Standards filter was added to the Dashboards page. When you apply the Standards filter, a new chart appears.
- We improved the usability of the Policy page, including renaming "test frequency policies" to "test scheduling policies."
- Polaris now supports Synopsys Bridge 1.1.0 and pull request commenting. See Using Bridge CLI with Polaris in the Synopsys Bridge CLI Guide.
- Application Observers can view triage history.
- Now, you can filter issues by triage status on the Dashboards page.
- Limitations for fields (application name, etc.) have been added to the documentation.
Enhanced Branch Support
Now, you can add branches to projects in Polaris. What you need to know:
- You can add up to 10 branches to each project by default (although this quantity varies from subscription to subscription). Each branch you add to a project can be connected to a branch in a repository (after you set up an SCM integration), but they don't have to be.
- If the same issue is detected in multiple branches of a project, you only need to triage it once. Triage actions are automatically applied across branches in a project.
- When a component with multiple licensing options is found in different branches of a project, you only need to set the component's license once. License selections are automatically applied across branches in a project.
- When branching features are enabled in Polaris, your projects are upgraded automatically.
- Projects that aren't connected to an SCM repository:
- Polaris creates the project's default branch (polaris_main).
- All preexisting test data is mapped to the polaris_main branch.
- The project's policies are applied to the polaris_main branch.
- Projects connected to an SCM repository:
- Polaris retrieves the default branch name from the repository.
Note: If the project's SCM access token is invalid, Polaris creates a default branch called scm_token_invalid. If this occurs, you need to create a new SCM access token, and reestablish the project's SCM integration. See Enhanced branch support and invalid SCM access tokens for more information.
- Polaris creates the project's default branch (using the name retrieved from the repository).
- All preexisting test data is mapped to the default branch.
- The project's policies are applied to the default branch.
- Each test runs on a branch. You can use filters to compare issues between a project's default and non-default branches.
- Default branches are used when you generate reports, or view dashboards.
- Branching actions are tracked in audit logs.
To get started with branching, familiarize yourself with the following:
- The data model: applications and projects in Polaris
- Create and manage branches in a project
- Assign policies to branches
- How to test from the web UI
- Compare default and non-default branches in a project
Correction
- Previous revisions of the SCA support matrix for Polaris included C/C++ (Clang) support. In fact, Polaris does not support C/C++ (Clang) for SCA scans, but support is being considered for a future release.
August 2023
New Features and Changes
- Polaris now supports Coverity 2023.6.1 which contains a Coverity CLI fix to handle Analysis OOM errors.
- Polaris now includes enhanced logging for policy changes.
- Polaris now supports npm, pip, pnpm, Poetry and Yarn package managers for SCA scans run on manually uploaded files, or SCM repositories integrated with Polaris.
- If multiple licensing options are available for a component, you can select the appropriate licenses for your use case.
July 2023
New Features and Changes
- Polaris now supports Coverity 2023.6.0. It includes the following
changes:
- Support for Go 1.18 has been removed.
- Support for macOS 11 is deprecated and will be removed in a future release.
- Support for Go 1.19 has been deprecated and will be removed in a future release.
- Added support for Go 1.20.
- Added partial support for Java 20. Methods using Java 20 features will be tolerated but not emitted.
- Improved performance of JavaScript webapp security analysis.
- Now, you can connect Code Sight to Polaris to view issue data in your IDE (VS Code or IntelliJ).
- Polaris supports Synopsys Detect version 8.10.0.
- Issue quantities for each application (organized by severity) appear on the Portfolio page.
- Issue quantities for each project (organized by severity) appear on the Application page.
June 2023
- Bitbucket projects can now be integrated with Polaris.
- The Notifications event type was added to audit logs. The new event type
captures the following events:
- An Organization Admin enables or disables email notifications for all users (via My Organization > Notifications).
- A user modifies their personal email notification settings (via Account > Notifications).
- Now, you can see a list of applications linked to a subscription on the Subscriptions page.
- The Synopsys Bridge CLI tool has been updated to use --input instead of the deprecated --state argument.
- The language support table has been updated.
May 2023
- Polaris now supports Coverity 2023.3.3 which includes:
- Added support for C#11.
- Added support for Java 19.
- Added support for Kotlin 1.8.0.
- Added support for TypeScript 4.9.
- Support for Go 1.18 is deprecated and will be removed in a future release.
- Support for Kotlin 1.7 is deprecated and will be removed in a future release.
- Support for Go 1.17 has been removed.
- Support for Kotlin 1.6.x has been removed.
- Documentation was updated with how to import third-party repos to Azure Repos so it can integrate with Polaris.
- A link to the System Status page has been added to the Need more help topic.
- Software Bill of Materials (BOM) details for SCA analysis have been added to help triage a project's open source component versions and licenses.
- A topic covering Synopsys GitLab Template has been added to Integrations.
- You can now set an issue policy action to create and bundle issues to a single Jira ticket.
- A new Reporting page allows the creation of customized downloadable reports of your test results.
- The previous reports page has been moved to the Dashboards page. It now contains high-level snapshots and issue details with filters to customize your view of test results.
- Synopsys Bridge now automatically creates a project if one is not present.
- A Synopsys Bridge security fix for CVE-2023-2453 has been implemented. Previously, cov-build and cov-configure would dump all environment variables to log files, which can present a security concern. This fix sets COVERITY_NO_LOG_ENVIRONMENT_VARIABLES=1 as the default to close the vulnerability.
- A topic covering Synopsys GitHub Actions has been added to Integrations.
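The environment-logging fix above matters because CI runners routinely hold credentials (SCM tokens, Polaris access tokens) in environment variables, and a tool that dumps its environment copies them into build logs that are archived and widely readable. The following is an added example and is not part of the Polaris release notes or of any Synopsys tool: a POSIX shell gate that sets the opt-out variable explicitly and refuses to archive a build log that still contains credential-like environment assignments. The log lines, file layout and variable names in it are constructed for this example.

```shell
#!/bin/sh
# Added example: a log gate for CI pipelines that run cov-build via Bridge.
# Not part of Polaris or Synopsys tooling; the sample log content is constructed.

# Opt out of environment logging explicitly. The fix described above makes
# this the default, but setting it costs nothing and protects pipelines that
# pin an older Coverity or Bridge version.
COVERITY_NO_LOG_ENVIRONMENT_VARIABLES=1
export COVERITY_NO_LOG_ENVIRONMENT_VARIABLES

# Write a constructed build log to the file named by $1. Two lines imitate a
# dumped environment carrying credentials; the rest are benign.
make_sample_log() {
    cat > "$1" <<'EOF'
[INFO] Starting build capture
PATH=/usr/local/bin:/usr/bin:/bin
HOME=/home/ci
GITHUB_TOKEN=ghp_constructedsamplevalue000000000000
POLARIS_ACCESS_TOKEN=constructed-sample-value
LANG=C.UTF-8
[INFO] Emitted 42 compilation units
EOF
}

# Print the number of lines in log $1 that look like an environment
# assignment of a credential (NAME=value where NAME carries a secret-bearing
# word). grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
count_leaked_secrets() {
    grep -E -c '^[A-Za-z_][A-Za-z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)[A-Za-z0-9_]*=' "$1" || true
}

# Return 0 when log $1 is safe to archive, 1 when it must be withheld.
check_log() {
    leaked=$(count_leaked_secrets "$1")
    if [ "$leaked" -gt 0 ]; then
        echo "refusing to archive $1: $leaked credential-like environment assignment(s)" >&2
        return 1
    fi
    return 0
}

# Usage: gate the constructed log. The sample is expected to fail the check.
LOG_FILE=$(mktemp)
make_sample_log "$LOG_FILE"
if check_log "$LOG_FILE"; then
    echo "log is clean; safe to archive"
fi
rm -f "$LOG_FILE"
```

Run the gate between the capture step and the step that uploads or archives logs; a non-zero exit from check_log stops the pipeline before the log leaves the runner. The name list in the regular expression is a starting point, not a complete catalogue of secret-bearing variable names, so extend it with the names your own pipeline uses.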
April 2023
- Org Admins can delete users via My Organization > Users.
- Visual Basic is supported via Synopsys Bridge.
- Azure DevOps projects can now be integrated with Polaris.
- Polaris now supports SAML 2.0 SSO integration with an identity provider such as Okta or Azure. This allows users to log in to Polaris with the same credentials they use to log in to your organization.
March 2023
- The Bridge CLI tool is now called Synopsys Bridge.
- The new --diagnostics command line option allows access to additional Synopsys Bridge diagnostic information.
February 2023
- Projects and applications can now be deleted by Org Admin or Application Managers.
- (Now allowed by default.) The assessment center can view published issues to answer questions and provide feedback. Organizational administrators can disable access via My Organization > Data Access.
- The Polaris UI shows metrics for completed tests, including the numbers of files captured and analyzed, and the duration of the test. For comparison, the previous successful test is also shown.
- Added GCC compiler configuration support for coverity.yaml. See Configuring Coverity Thin Client for use with Synopsys Bridge and Polaris.
- Known Issue: Scan metrics are not available for tests initiated by the Bridge CLI on a Windows machine.
December 2022
New Features and Changes
The following are new features and changes from the GA release.
- Users are now automatically logged out after 15 minutes of inactivity.
- Synopsys Bridge now outputs colored ERROR and WARN log messages in the terminal, making troubleshooting easier.
- Synopsys Bridge now offers a --json-log option for the user to output JSON format logs.
- Synopsys Bridge now offers a --json-log-file option, which formats the synopsys-bridge.log file as JSON.
- Synopsys Bridge now provides more logs in adapters, with five log levels: DEBUG, INFO, WARN, ERROR, FATAL.
- Synopsys Bridge now offers improved array passing using comma separated values (CSV). For example, you can pass polaris.assessment.types=SAST,SCA rather than polaris.assessment.types="[\"SAST\"]".
GA release
- Known Issues: If you have issues seeing the Dashboard or Reports pages, check the following.
- Safari: “Prevent cross-site tracking” is not on.
- Chrome: “Allow 3rd party cookies” is on.