SandboxAQ Security Suite Changelog

This is the list of version numbers of the SandboxAQ Security Suite and their deployment dates in SaaS at Each version number is shown with a list of changes brought by that version.

23.11.2 - 2023-11-30

What’s new

  • APIs & Backend
    • [GraphQL]:
      • Adding ability to query for key roles from operations field within GraphQL

Bug fixes

  • APIs & Backend
    • [GraphQL]:
      • Requesting on GraphQL node without an inline fragment no longer raises an exception
      • Requesting on GraphQL node with a different inline fragment than the one in ID no longer raises an exception
    • Fix handling of special characters in passwords in the database URL

23.11.1 - 2023-11-22

What’s new

  • APIs & Backend
    • [GraphQL]:
      • New type in the API: RuleObjectType
      • New API field: Rule.mainObjectTypes

Bug fixes

  • APIs & Backend
    • Logs for incoming requests are now correctly JSON formatted.
    • method is now much more efficient. This should positively affect:
      • load-time of Report view
      • load-time of Organization dashboard view
      • GQL queries requesting information field on Key and OrganizationKey types

23.11.0 - 2023-11-15

What’s new

  • UI
    • Improved readability of issue severity in the Project Dashboard and Report Issues views
    • Updated the project dashboard inventory display to match Report and Organization inventory
    • Introduced saved filters to organization dashboard
      • Added saved filters to the URL so that when revisiting the page with the same UI, filters will be pre-populated
      • Turned filters on for the following pages:
        • Organization certificates
        • Organization keys
        • Organization projects
        • Project reports
        • Report certificates
        • Report handshakes
        • Report keys
  • APIs & Backend
    • [GraphQL]:
      • GraphQL query optimizations
      • For instances of key-based rules, only the relevant key will be shown
    • Added structured logs for all application logs

23.09.10 - 2023-11-08

What’s new

  • APIs & Backend
    • Add support for AWS Secrets Manager
    • For instances of certificate-based rules, only show the relevant certificate.
    • OpenID Connect: Allow the claim specified by OIDC_ROLE_CLAIM_NAME to point to a list of groups (not just one group).

Bug fixes

  • APIs & Backend
    • Improve validation of GraphQL IDs, for better error messages.

23.09.9 - 2023-10-20

What’s new

  • UI
    • Added saved filters to the organization dashboard

Bug fixes

  • UI
    • Fixed a11y issues:
      • organization dashboard responsiveness
      • contrast colors on org dashboard graphs
      • tooltips are “hoverable” for accessibility
      • checkbox groups are fixed with a11y changes
  • APIs & Backend
    • Fix so that users can upload traces larger than 2 GB
    • Fixed an issue with the HSM fuzzer seen when trying to generate a report after a successful upload
    • Enable the default settings to log everything in the console
    • Ability to vertically scale RQ_WORKERS in on-prem installations using the following keys in the config file:
      • RQ_NUM_WORKERS customizes the number of calls to flask rq worker
      • RQ_NUM_WORKERS_ANALYSIS customizes the number of calls to flask rq worker analysis
      • The default value is set to 1. It should have no impact on users if not set.

23.09.7 - 2023-10-11

What’s new

  • UI
    • The SandboxAQ Security Suite Jira integration enables users to submit tickets to Jira individually or in bulk. This integration is performed in the Security Suite Web Interface. You can configure Jira integration in two ways:
      • Jira issue export: Export one or more instances to automatically create issues in Jira.
      • Jira form integration: Launch an editable form to submit an individual instance as a Jira issue.

For more information, check

Bug fixes

  • UI
    • The priority fix is now linked to the project dashboards
  • APIs & Backend
    • Fixed the issue where uploading a trace via the CreateTrace mutation failed when the trace size was more than 2 GB
    • Fixed logging streams to have JSON-encoded audit logs show up in the regular logs if no specific LOG_FILE_AUDIT has been specified
    • Add support for handling old host scanner traces

23.09.6 - 2023-10-03

What’s new

  • General
    • New cs debug command to diagnose issues for on-prem setups.
  • APIs & Backend
    • OpenID Connect: new configuration variable to list scopes to use (see OIDC_EXTRA_SCOPES)
    • OpenID Connect: refuse authentication if the final list of roles for a user is empty

Bug fixes

  • APIs & Backend
    • Improve loading times of non-optimized reports

23.09.5 - 2023-09-29

What’s new

  • APIs & Backend
    • Support a new way to verify S3 connectivity and rights by uploading/downloading a small amount of data. See the STORAGE_EXTENDED_HEALTH_CHECK configuration variable for more information.

23.09.4 - 2023-09-28

What’s new

  • UI

    • Updated Pages:

      • Report Issues Tab
        • Three column layout allows seeing more information at the same time and navigating through instances faster.
        • Star and Dismiss for instances have been deprecated. Ability to export already starred / dismissed instances in the Exports tab remains.
        • Added ability to “filter” issues and instances by severity
      • Report Exports
        • Inventory & issue overview has a new UI
    • New Features:
      • Network Analyzer Handshakes & Ciphersuites Tabs
        • Network Analyzer reports now contain a Handshakes & Ciphersuite tab
        • Ciphersuite table:
          • Contains all ciphersuites that were selected and negotiated with
          • Includes ability to filter by “selected” and “IETF recommended”
          • Clicking on a ciphersuite navigates to the handshakes table filtered by that ciphersuite
        • Handshakes table:
          • Contains all the handshakes found
      • Dashboard Exports
        • PDF & CSV formats available
        • Aggregated inventory and aggregated issues
      • Jira form integration
        • Ability to set up an issue collector for Jira company-managed projects

All new and updated pages are WCAG 2.1 AA and ADA compliant.

  • APIs & Backend
    • Revamped logging in web-findings and added audit logs including:
      • option to log to a file instead of stdout
      • option to log to a rotating file, the output file will be renamed to .<%Y-%m-%d_%H-%M-%S> daily
      • option to log audit logs to a different file
      • option to set audit log level separately from general log level
      • an API to generate structured audit logs
    • Updates to Tanium Integration
      • Rate limiters for Tanium: configurable limits for the request rate to Tanium, to avoid system overload
      • Tanium InfoSensor - Checks for new trace presence on the endpoint
      • Tanium MonitorSensor - The sensor will provide information on any running host scanner process or the latest run, including status, runtime, memory, etc.
      • Ability to configure Tanium settings per project instead of just organization level
      • Automatic Report Generation
    • Authentication & Authorization
      • Support for tag based authorization
      • Assigning roles based on OpenID Connect token claim

23.09.3 - 2023-09-19

Bug fixes

  • APIs & Backend
    • Implemented printable layouts for report summary and org dashboard
    • Accessibility fixes for report inventory and report export pages

23.09.2 - 2023-09-19

What’s new

  • UI

    • Upgraded the following pages, including more powerful filtering capabilities.
      • Organization Keys tab
      • Organization Key Details page
      • Organization Certificates tab
      • Organization Certificate Detail page
  • APIs & Backend
    • Improve performance of GraphQL queries which only do counting (i.e. with the totalCount field).
    • GraphQL API:
      • Breaking changes:
        • Field: ReportDone.handshakes.
          • New parameter: filters: HandshakesFilter.
          • New parameter: sorters: [HandshakesSorter].
      • New field: Rule.filterStatus.

Bug fixes

  • UI

    • Accessibility fixes (color contrast, font & labeling adjustments), throughout a variety of pages including organization dashboard and report pages.
  • APIs & Backend
    • Fix a token verification failure in OpenID Connect integration. This would prevent users from logging in with some identity providers with an “at_hash” error.
    • Improve the analysis of host scans so that a keystore location counts as one location for a given key even if that key appears several times in that keystore.

23.09.1 - 2023-09-07

What’s new

  • UI
    • The new UI is now available in the on-premises packages but disabled by default. Contact us if you want to try it out.

Bug fixes

  • APIs & Backend
    • Fix a token verification failure in OpenID Connect integration. This would prevent users from logging in with some identity providers.

23.09.0 - 2023-09-01

What’s new

  • UI

    • Tanium integration: Computer Group setting is now set at the project level (formerly at the organization level).
  • APIs & Backend
    • Improve host scan instance deduplication.
      • In the legacy UI, it adds a “Locations” box to show the path of keys related to an instance.

Bug fixes

  • APIs & Backend
    • Both trace and potentially autocreated reports are marked as failed if there is a mismatch between trace/slot types.

23.08.2 - 2023-08-28

What’s new

  • UI

    • When uploading a trace in an existing slot, the app lets the user choose the name of the trace/report.
    • Inventory summary will show respective bars in the chart on printable export of report page.
  • APIs & Backend
    • GraphQL API
      • Breaking changes:
        • Location.fileType: changed type from String to Filetype.
        • New input fields: CreateTraceInput.fileName: String.
        • New enum values: InstancesFilterFields.number.
        • Input field changed type from String! to String.
        • New fields: Certificate.extensions, Certificate.signature, Certificate.version, Operation.tlsHandshake, OrganizationCertificate.extensions, OrganizationCertificate.signature, Rule.instances, Rule.severity.
        • New types: Filetype, CertificateExtensionData.

Bug fixes

  • APIs & Backend
    • Improve compatibility with OpenID Connect identity providers. Previously, login via OpenID Connect failed when the identity provider advertised support for multiple JWT signing algorithms.
    • Fix to allow querying the handshake object from TLS handshake operations.

23.08.1 - 2023-08-24

What’s new

  • APIs & Backend
    • GraphQL API:
      • New field: ReportDone.rules.
      • New types: RuleConnection, RuleEdge, RulesFilter, RulesFilterFields.

Bug fixes

  • UI
    • Fix an issue that prevented the report optimization status from being displayed after changes to the project exceptions.

23.08.0 - 2023-08-15

What’s new

  • UI

    • Organization dashboard
      • New functionality available:
        • Ability to slice and filter the dashboard by tags, projects and profiles
        • Aggregation of the instance count and percentages overall and across different analysis types
        • Instead of the top 5 priority issues, you can now see a more extensive list
      • Things that have changed:
        • “Organization issues summary” information has been moved to the Projects tab, where you can see a breakdown of the issue count for each project.
    • Projects page
      • New functionality available:
        • Projects can now be uncollapsed to show top priority issues for that project
        • Top priority issues can also be uncollapsed to show the list of reports affected & breakdown of instances per report
        • Horizontal bar per project with the number of high, medium, low and no warning issues
        • Powerful filtering capabilities for: Name, Tags, Profiles, Last updated
      • Things that have changed:
        • To view and edit project information or assign testers, use the three dot menu on the right of each project.
    • Slots, reports and traces pages
      • New functionality available:
        • Reports table contains the active / latest report for each slot
        • Table contains information on the status of the report (e.g. failed, done etc.)
        • Ability to filter by slot name and type
        • In an upcoming release additional filters and sorters will be added
      • Things that have changed:
        • From the UI, you cannot manually run a report from a trace. When a trace is uploaded from the UI, reports will be analyzed automatically using the profile defined for the project. Reports will be named after the trace name.
        • From the UI, you cannot run a report using a profile other than the default for the project to which it belongs.
        • You must use the API if you wish to run a report using a different profile than the project default or run another report with an already uploaded trace.
        • To see past reports in a slot, you must go into the latest report (accessible from the Project reports tab) and use the “Version” selector to select an archived report.
        • The former “Slots” table has been replaced by the new “Reports” in which we show the latest (current) report from each slot.
        • In order to change information about the slot or add tags use the three dot action menu on the right.
    • The product version number is now visible in the user menu (top right corner).
  • APIs & Backend
    • GraphQL API:
      • New argument sorters: [SlotsSorters] in Project.slots.
      • New enum values in SlotsFilterFields: lastReportCreatedAt, lastReportState, lastReportTraceName.
      • New types: SlotsSorter, SlotsSorterFields and State.
      • New fields: Key.pkcs11Attributes, Key.source, Location.hostname, algorithmSummary, Operation.operationContext, Operation.operationType,, Query.version, Report.project, Slot.distinctCallSites, Slot.lastReport, Slot.lastReportCreatedAt, Slot.lastReportState, Slot.lastReportTraceName, Slot.latestReport, Slot.reportCount.

Bug fixes

  • APIs & Backend
    • Fix inventory and stats on projects with multiple slots but only one trace type.
    • Fixed pagination for Organization.projects.

23.07.2 - 2023-07-26

What’s new

  • APIs & Backend
    • GraphQL API:
      • Added GraphQL filters for report key and org key.

Bug fixes

  • APIs & Backend
    • Fix so that network traces can be analyzed directly using the createTrace query
    • Fix to retrieve operations data of an instance using the API
    • Addition of filters on Instance nodes in GraphQL

23.07.1 - 2023-07-19

What’s new

  • APIs & Backend
    • Certificate filters are now available for network reports. This only applies to the legacy UI (the new UI already has filters for all certificates).
    • Redis is no longer an external dependency of the SandboxAQ Security Suite Analyzer Platform all-in-one package: it’s built in and runs under the name cryptosense-analyzer-redis in system. The distributed installation of the SandboxAQ Security Suite is unchanged.
      • Impact & user action required: Redis should be uninstalled on existing machines, preferably before the upgrade of the all-in-one package.
    • GraphQL API:
      • Breaking changes:
        • Field Operation.type changed type from OperationType! to String!.
        • Type OperationType was removed.
        • Field Rule.access changed type from String! to String.
        • Field Rule.consequences changed type from String! to String.
        • Field Rule.expertise changed type from String! to String.
        • Field Rule.explanation changed type from String! to String.
        • Field Rule.kbLink changed type from String! to String.
        • Field Rule.resources changed type from String! to String.
        • Field Rule.shortExplanation changed type from String! to String.
      • New types: CreateProjectExceptionInput, CreateProjectExceptionPayload, GeneralRemediation, JiraExportInstanceInput, JiraExportInstancePayload, JiraIntegration, OperationCategory, ProjectException, ProjectExceptionType, Remediation.
      • New fields in Call, Instance, Operation.
      • New mutations: createProjectException, jiraExportInstance.

Bug fixes

  • APIs & Backend
    • Remove spurious log messages (containing the string Record.t.key) during the analysis of PKCS#12 files.
    • Improve robustness of the installation of the on-premises SandboxAQ Security Suite packages by deprecating the use of the file /etc/cryptosense-analyzer/package-variation. No action needed: it will be removed automatically when upgrading.

23.07.0 - 2023-07-13

What’s new

  • APIs & Backend
    • The on-premises RPM packages no longer depend on postgresql-libs but on directly, which simplifies their installation
    • GraphQL API:
      • New types: Overview, OverviewItem, OverviewSecure, OverviewSummary, OverviewWithMeta, ProfilesFilter, ProfilesFilterFields, InstanceStat.
      • New fields in Organization, ReportVulnerability, Vulnerability.
      • New parameters: filters: ProfilesFilter added to Organization.profiles.
      • New enum values in ProjectsFilterFields: defaultProfile, lastUpdated, tags.

Bug fixes

  • APIs & Backend
    • Fix network analysis in the on-premises package for Debian 10 and Ubuntu 18.04
    • Fix the SandboxAQ Security Suite on-premises packages to be installable again on Ubuntu 18.04

23.06.4 - 2023-07-11

What’s new

  • APIs & Backend
    • Support for Integrated Network Analyzer. Features include:
      • Offline Analysis of PCAP files.
      • PCAP files can be uploaded via API or directly via UI.
      • Integrated Network Analyzer extracts the attributes below from PCAP files. These attributes are available via the GraphQL API:
        • Source IP
        • Target IP
        • Source Port
        • Target Port
        • Symmetric Encryption
        • Selected Cipher Suite
        • Client supported cipher suites (same attributes as selected cipher suite)
        • Recommended ciphersuite as per IETF
        • TLS version
        • Certificate information (TLS 1.2 and lower). This will also be available via UI
        • Key information
        • RFC Reference
        • Client timestamp
        • Server timestamp
        • Server name
        • Captures incomplete handshakes
      • Ability to apply rules to detect vulnerabilities for Certs and Keys.
      • Ability to correlate Network scan certificates and keys across host and application reports.
      • Crypto object inventory detected in PCAP traces
      • Report summarization of vulnerabilities and issues based on rules applied on network trace crypto inventory
      • Relationship between network trace keys and certificates
      • Ability to extract keys and certificate specific fields via GraphQL API

23.06.3 - 2023-06-20

Bug fixes

  • APIs & Backend
    • Fix GraphQL mutation CreateTrace to create the trace with appropriate properties in the database when an existing defaultSlotName is chosen. Before this fix, the trace would be created but subsequent analysis of that trace would be refused by the server (with the error message: “This trace is still being processed”).

23.06.2 - 2023-06-16

What’s new

  • APIs & Backend
    • PKCS#11 fuzzing report changes:
      • In all reports, the “Vulnerabilities”/“Non-compliance” tab is now labeled “Issues” (legacy UI).
      • Analyzing a PKCS#11 fuzzing trace results in only one generated report (instead of two). Existing PKCS#11 fuzzing reports are unchanged but they won’t be taken into account correctly in dashboards until they are regenerated after the upgrade.
      • PKCS#11 “vulnerability” rule numbers are shifted by 200 (new = old + 200) to avoid colliding with the numbers of “compliance” rules.
    • Improved the GraphQL field Certificate.locations to only return relevant locations. Before this version, it could return locations of the certificate’s public key or that of another certificate using the same key.
    • Remove field: CreateTracePayload.reports: [Report].
    • Add field Report.

Bug fixes

  • APIs & Backend
    • Fix a server error when CreateTraceInput.generateReport is true and the chosen trace name already exists. The server now replies correctly with an error message in such a case.
    • Fix an issue where the GraphQL field Certificate.operations would always return an empty list.

23.06.1 - 2023-06-13

What’s new

  • UI - Creating a new project supports a maximum of 100 reports per slot.

Bug fixes

  • APIs & Backend
    • There were some instances when the “stale private key rule” did not have any key linked to them. This fix added keys from keystore private key entries to objects and instances. As a side-effect you will see a “short encrypted private key in keystore” instance.

23.06.0 - 2023-06-01

What’s new

  • UI: In this release, we’ve performed a significant overhaul of the dashboards, issues, and inventory pages to provide a better and more intuitive user experience. These changes lay the foundation for future enhancements, which will include dashboard view customization and aggregate count creation. The changes below are already in our SaaS product and for on-premises deployments you will be notified when these changes are available.
    • Organization Dashboard
      • The dashboard is now organized by projects, displaying aggregate numbers for issues per project.
      • Projects can be uncollapsed for more detailed insights, showing specific issues, the slots in which they occurred and the instance count.
      • As we make a transition to the new UI, users will temporarily not be able to view Issue count + inventory summary at the organization level.
    • Project Dashboard
      • The Project Dashboard consists of two main components: Issues and Inventory.
      • The ‘Issues’ section mirrors the structure of the Organization Dashboard, offering high level to detailed granularity, up to the instance level.
      • The ‘Inventory’ section has been updated with a series of pie charts for a more comprehensive view.
    • Report Inventory + Issues
      • Inventory data is now presented via a series of pie charts.
      • The “Crypto operation security” table has been deprecated; this information can be found in the “Issues” tab. “Call sites limiting” has also been deprecated.
      • The report metadata block allows users to change the report version, enabling quick navigation to different reports.
      • We’ve released a new feature that allows you to give feedback quicker through the app. This “Report a bug” feature is located in the header.
  • APIs & Backend
    • Add ability to schedule report generation during trace upload with a new input field CreateTraceInput.generateReport.
    • Bump version of PostgreSQL server in all-in-one on-premises deployments from 12.9 to 12.15. This is meant to increase its robustness and reduce the likelihood of data corruption in those non-production deployments.
      • No action required from the user and no migration necessary.
    • Added a count of the number of vulnerability detection rules that were marked “disabled” in the chosen profile to the statistical summary of a report.
    • GraphQL API changes
      • Modify field: CreateProjectInput.profileId is now required.
      • Add field: CreateTraceInput.generateReport.
      • Add field: CreateTracePayload.reports.
      • Add enum value: DisplaySeverity.DISABLED.
      • Add fields: Project.vulnerabilities and Report.vulnerabilities.

Bug fixes

  • APIs & Backend
    • Fix vulnerability statistics for projects and reports to not count disabled rules. This resolves a potential overestimation of the number of issues in each report or project.

23.05.3 - 2023-05-25

  • Improve links between host scan instances and certificates to only link relevant certificates (in the API this is materialized in the field Instance.certificates).
    • This requires new reports to be generated for the links to work properly.
  • GraphQL API:
    • Modify the field Instance.certificates to show only relevant certificates. Before this change, it would also list irrelevant certificates with the same public key as the relevant certificate.

23.05.2 - 2023-05-25

  • Add ability to change project testers and max item count via the GraphQL API.
  • Add support for the use of a custom SQL database schema on premises in a highly available deployment (instead of the default public schema). This is controlled by a new configuration parameter: DATABASE_SCHEMA.
  • Remove support for database URLs with the postgres:// prefix. The only supported URL scheme is now postgresql://.
    • No action is needed for the user: configuration will be updated automatically when the new SandboxAQ Security Suite package is installed.
  • GraphQL API
    • Add fields: CreateProjectInput.maxItemCount, Project.maxItemCount and UpdateProjectInput.maxItemCount.
    • Add fields: Organization.testers, Project.testers and UpdateProjectInput.testers.

23.05.1 - 2023-05-16

  • Improve links between host scan instances and keys to only link relevant keys (in the API this is materialized in the field Instance.keys).
    • This requires new reports to be generated for the links to work properly.
  • Fix parsing of host scan traces with tags in the header (generated with the --tags CLI parameter of the host scanner).
  • Fix the profile creation form to show correct applicability of rules to the analysis of OpenSSL traces.
  • GraphQL API:
    • Modify the field Instance.keys to show only relevant keys. Before this change, it would also list irrelevant keys at the same filesystem location as the relevant keys.
    • Add types Integration and TaniumIntegration and add field Organization.integrations.

23.05.0 - 2023-05-02

  • Fix bug where users would sometimes end in an infinite redirect loop at login.
  • GraphQL API:
    • Add Location node with connections to Key, Certificate and Instance.
    • Add ReportVulnerability, OrganizationCertificate nodes.
    • Add method field to the response of the generateTraceUploadPost mutation.
    • Add deleteSlot mutation.

23.04.2 - 2023-04-18

  • GraphQL API:
    • Add OrganizationKey and related types.
    • Add fields: Organization.keys, Key.organizationKey.
    • Rename field Key.keyMetadata to Key.metadata.
    • Rename field Key.keyType to Key.type.
    • Rename field Key.keyCategory to Key.category.

23.04.1 - 2023-04-11

  • Add support for tags in SandboxAQ Security Suite UI.
  • GraphQL API:
    • Add Handshake and TlsHandshake objects
    • Add sorters to Organization.profiles
    • Expand project VulnerabilitySlot with latest report id

23.04.0 - 2023-04-06

  • API:
    • Fix crash when fetching instances of a report without a profile
    • Add sorters and filters to Organization.projects
    • Update updateSlot mutation with tags
    • Add fields:
      • Project.tags
      • Vulnerability.slots
      • Project.vulnerabilities
      • Report.firstAnalysis, Report.lastAnalysis and Report.distinctCallSites

23.03.5 - 2023-03-27

  • Fix deletion of host scan reports. A failure caused reports to stay in the database.
    • Previous failures will be handled after upgrading and deleting one report.
  • GraphQL API:
    • Add fields:
      • Mutation.deleteProject
      • Project.vulnerabilityStatistics: Rule counts for each severity, at the project level.
      • Project.lastUpdated
      • Organization.allowedTraceTypes: Types of traces that users can analyze in this organization.
      • Trace.size

23.03.4 - 2023-03-22

  • GraphQL API:
    • Rename type Api to TraceType.
    • Rename fields api to traceType throughout the API (Slot, Trace, Report, etc).

23.03.3 - 2023-03-21

  • Improve the logging of failed Jira operations.
  • GraphQL API:
    • Remove duplicate api type in favor of the existing API type.
    • Rename values to subFilters in SlotsFilter, ReportsFilter etc.
    • Add filtering of slots based on their tags with a new CONTAINS operator.
    • Add fields:
      • Mutation.updateProject: change the attributes of a project.
      • ReportDone.inventory: statistics about a report.
      • Report.api
      • Trace.api

23.03.2 - 2023-03-10

  • GraphQL API:
    • Link host scan instances to keys and certificates via locations. The Key.instances, Instance.keys and Certificate.instances fields will now return more results by linking results through the location of the node.

23.03.1 - 2023-03-10

  • Maintenance release

23.03.0 - 2023-03-07

  • GraphQL API:
    • Add field:
    • Add field:
    • Add field: Operation.keys.
    • Add field: Project.organization.
    • Add defaultSlotName to CreateTraceInput.
  • Check for slot/trace API compatibility:
    • Display error if different APIs for slot and trace.
    • Display error if organization does not have rights on API.
  • Introduce a view for traces that have no slot. Happens for pending or failed traces uploaded by the user without specifying a destination slot.

23.02.4 - 2023-02-26

  • GraphQL API:
    • Add type: SignatureAlgorithm and link it to Certificate node.
    • Add nodes: CallSite and Operation.
    • Add fields: Certificate.notBefore, Certificate.notAfter and Certificate.signatureAlgorithm.
    • Add fields: Trace.reports, Trace.jvmName, Trace.jvmVendor, Trace.jvmArguments and Trace.javaClassPath.
    • Add field: Report.url.

23.02.3 - 2023-02-23

  • GraphQL API:
    • Simplify filters and sorters enum names.
      • ProjectsFilterFilterFields (resp. Traces, Slots and Reports) is now ProjectsFilterFields.
      • ProjectsSorterSorterFields (resp. Traces, Slots and Reports) is now ProjectsSorterFields.
    • Make the AnalyzeInput.profileId parameter optional.
    • Add fields: Certificate.isCa and Certificate.isSelfSigned.
    • Add fields: Report.profile and Report.trace.
    • Add field: Project.description.
    • Add description to CreateProjectInput.
  • On-prem:
    • Support AWS IAM Role-based authentication for S3.
  • Projects can now have a default profile. This lets the user analyze a trace or scan without specifying a profile.

23.02.2 - 2023-02-14

  • GraphQL API:
    • Add types: InventoryRecapLineData, InventoryRecapCategory and InventoryRecapData.
    • Add fields: Certificate.publicKey and Key.certificates.
    • Fix and fields: they were in the wrong format.
    • Fix Key.length and Key.keyMetadata fields: queries with those fields would fail.

23.02.1 - 2023-02-09

  • OpenSSL analysis: Fix an analysis error occurring when two certificates or more are inserted into the database.
  • GraphQL API:
    • Add field:

23.02.0 - 2023-02-01

  • Add support for Shrouded Keybag in PKCS#12 host scan analysis.
  • GraphQL API
    • Introduce generic filters:
      • Project.reports has one new parameter: sorters.
      • User.projects has two new parameters: filters and sorters.
    • Add fields: Trace.slot, Report.slot, Slot.project and Project.slots.
    • Add an updateSlot mutation to change the properties of a slot.
  • Fix a rendering error on the slot details page when the latest report isn’t linked to a trace.
  • Fix a rendering error on the slot details page when the latest report is in the “failed” state.
  • On the project details page, replace the obsolete “trace” and “report” links with a “slot” link.

23.01.4 - 2023-01-30

  • Link instances to keys and certificates in the API
  • Add Rule type to instances in the API.
  • Fix issue in the createProject mutation where users would not be linked to projects.
  • Add missing “Stored Key” operation filter to keys table.

23.01.3 - 2023-01-23

  • Maintenance release

23.01.2 - 2023-01-18

  • Improve compatibility of OpenID Connect integration.
  • Fix report diff creation: Diffs were created without being assigned to a slot.
  • Fix User.projects field in the API when used with pagination arguments.

23.01.1 - 2023-01-10

  • Fix handling of special characters in certificate search.
  • Fix analysis of PEM files: If one PEM element couldn’t be analyzed, it would cause the whole file to be dropped.

23.01.0 - 2023-01-03

  • Add analysis of PKCS#7 files found by the host scanner.

22.12.2 - 2022-12-19

  • Fix the trace/report auto-deletion threshold to work with slots.
  • Fix the computation of the “has private key” property for keys when reports have been deleted.
  • Add new analysis pipeline for OpenSSL (libssl) traces.
  • Add analysis of PuTTY private key (PPK) files found by the host scanner.

22.12.1 - 2022-12-05

  • Add “View traces” and “View reports” buttons to the slots page.

22.12.0 - 2022-12-05

  • Traces and Reports are now organized into Slots inside their project. Multiple traces of the same type can now be analyzed in parallel in the same project.
  • Add support for the PPK format.

22.11.0 - 2022-11-28

  • Added EC analysis to Evp

22.10.2 - 2022-10-28

  • Added optional resource parameter to OpenID Connect authorize URL.

22.10.1 - 2022-10-24

  • Improved performance of keys and certificates pages at the organization level.
  • Fixed error when OpenID server is unavailable by falling back to classic login.

22.10.0 - 2022-10-07

  • Add option to search projects by name through the API.
  • Add option to use OpenID Connect and Ping Federate for the on-premise version.

22.09.1 - 2022-09-07

  • Fix the deletion of projects.

22.09.0 - 2022-09-05

  • Fix bugs appearing when uploading and analyzing a large number of traces in parallel.
  • Traces and reports will now be timed out and marked as failed after 2 hours and 4 hours respectively.
  • Make trace and report names and descriptions editable in their summary box.
  • OpenSSL (libcrypto) analysis now supports more cipher algorithms.
  • Improve the overall quality of the filesystem analysis with a new implementation.
  • Add the analysis of cleartext data in PKCS#12 keystores from filesystem scans.
  • Optimize the computation and improve the appearance of keys and certificates tables.

22.07.5 - 2022-07-26

  • Add support for SHA-2 and SHA-3 algorithms in OpenSSL libcrypto analysis.

22.07.4 - 2022-07-26

  • Pending traces and reports will now be marked as failed after a while.
  • Link report key to corresponding org key, report cert to its public key, report cert to corresponding org cert, org cert to its public key and org key to all corresponding org certs.

22.07.3 - 2022-07-26

  • Avoid accumulation of files resulting from incomplete uploads (e.g. because of a client error) by automatically removing those files after a certain time.
  • Add “Export” and “Compare” buttons to a report’s “Inventory” page.
  • Add the current SandboxAQ Security Suite version to the footer.
  • Add a “Keys” column to the operations table in an instance details page, with links pointing to the related keys for each operation. This only applies to application tracing.

22.07.2 - 2022-07-12

  • Maintenance release.

22.07.1 - 2022-07-12

  • Fix analysis failures not being reported as such in SandboxAQ Security Suite Analyzer Platform. This could cause some traces or reports to get stuck in an “in progress” state.
  • Improve visual appearance of report details so that it matches that of trace details more closely.

22.07.0 - 2022-07-04

  • Fix an occasional analysis failure for PKCS#11 traces.
  • Avoid log warnings when analyzing concatenated trace files.

22.06.1 - 2022-06-17

  • Harden the CSP header to prevent the execution of inline JavaScript. This is an additional fix to defend against potential future XSS attacks.
  • On the main dashboard in the “Organization Issue Summary” bar chart, merge bars for the same project.
  • Add pagination to the organization certificates details page.

22.06.0 - 2022-06-13

  • Harden the CSP header to restrict possible connections. This is an additional fix to defend against potential future XSS attacks.
  • Update dependencies to secure versions. The security of SandboxAQ Security Suite was not affected overall.
  • Add pagination to the organization keys details page.
  • Add a button to test the Venafi integration configuration.
  • Add an option to define custom certificates for the Venafi integration.
  • On the main dashboard in the “Overview”, replace the number of applications/filesystems/tokens and the number of traces by just the number of projects (relevant to each category: application/filesystem/PKCS#11 token).

22.05.8 - 2022-05-25

  • Update dependencies to secure versions. The security of SandboxAQ Security Suite was not affected overall.
  • Fix stored XSS on the certificates details page. This vulnerability could be triggered through manipulated traces. No indication of attempted attacks was found, but if you have SandboxAQ Security Suite on-premises, upgrading is highly recommended.

22.05.7 - 2022-05-24

  • Update dependencies to secure versions. The security of SandboxAQ Security Suite was not affected overall.
  • Fix analysis of certain libssl traces.
  • Fix the analysis of Fermat attack on RSA to mark safe RSA keys as “Passed”.

22.05.6 - 2022-05-19

  • Fix totalCount field for some connections in the GraphQL API (for example: ReportConnection in a Project).
  • Improve error message in the GraphQL API when the ID of a profile, project, trace or report can’t be found by the server.

22.05.5 - 2022-05-06

  • Rules specific to the Host Scanner are no longer included in FIPS specific profiles.
  • Improved appearance of the organization certificate details page.
  • Fix analysis of certain certificate chains picked up by the host scanner.

22.05.4 - 2022-05-05

  • Maintenance release.

22.05.3 - 2022-05-04

  • Maintenance release.

22.05.2 - 2022-05-03

  • Maintenance release.

22.05.1 - 2022-05-03

  • Maintenance release.

22.05.0 - 2022-05-02

  • Add rule for Java applications: Psychic signatures (CVE-2022-21449).
  • Add rule for hosts and applications: Fermat attack on RSA (CVE-2022-26320).
  • Sanitize Venafi instance URL: a trailing slash no longer causes invalid links to be generated by SandboxAQ Security Suite.
  • Add createdAt date field to trace and report types in GraphQL API.
  • Remove api field from project type in GraphQL API.
  • Add deleteReport mutation to GraphQL API.
  • Improve appearance of organization key details page.
  • Improve parsing of PKCS#11 usage traces.

22.04.3 - 2022-04-15

  • Improve performance of the organization keys page.

22.04.2 - 2022-04-14

  • Improve loading time for report keys page.

22.04.1 - 2022-04-14

  • New organization certificates tab.
  • New page to display details of a key at the organization level.
  • Fix broken link in trace upload tutorial
  • Fix keys tab filter to stop hiding keys of unknown length

22.04.0 - 2022-04-04

  • Existing projects are no longer tied to a specific type of trace and can now contain any type of trace allowed by the organization.

22.03.7 - 2022-03-31

  • Fix a bug that would appear when the wrong files are uploaded to recent projects.
  • Add a keptByFilters: Boolean parameter to ReportDone.instances field in the GraphQL API.

22.03.6 - 2022-03-18

  • Add “Cryptosense 2022” profiles for everyone.
  • Check if a profile can be deleted before asking the user for confirmation.

22.03.5 - 2022-03-16

  • Add Jira integration:
    • The link to a Jira instance can be configured in the “Integrations” tab.
    • Users can then export individual findings as Jira issues.
    • Findings can also be exported in batches.
  • Add a Host Scanner download button for users authorized to analyze host scans.
  • Improve performance of dashboards for key store statistics coming from newly generated host scanner reports. This doesn’t affect performance for existing reports.
  • Improve report generation performance when the organization has a lot of keys.
  • Add “Date Uploaded” and “Uploaded By” to traces in the project “Traces” tab.
  • Fix rule and instance counts in report export printable view.

22.03.4 - 2022-03-09

  • Update text shown only to users of the free demo account.

22.03.3 - 2022-03-09

  • Maintenance release.

22.03.2 - 2022-03-08

  • Add 5 new application analysis rules related to post-quantum readiness. Those rules are disabled by default.
  • Add a new “Post Quantum Readiness” builtin profile using only the aforementioned rules

22.03.1 - 2022-03-04

  • Fix a bug where the severity of certificate digest findings in host scan reports was not set to low for self-signed certificates inside keystores.

22.03.0 - 2022-03-02

  • Fix potential database synchronization issues associated with the organization keys table and automated deletion of old reports.
  • Fix overflow of a table in the report print view.

22.02.4 - 2022-02-18

  • Add a completedAt: String field to the Report type in the GraphQL API.
  • Add a url: String field to the Instance type in the GraphQL API.

22.02.3 - 2022-02-16

  • Fix CSV export of findings: the file was empty for some types of reports.

22.02.2 - 2022-02-15

  • Add new application analysis rule: “Asymmetric key-transport key outside cryptoperiod”.
  • Enforce the uniqueness of project names within each organization.
  • In host scan reports, set severity of certificate digest findings to low if the certificate is self-signed.

22.02.1 - 2022-02-08

  • Maintenance release.

22.02.0 - 2022-02-01

  • Add organization keys tab. This shows all keys found in reports generated from now on. To see keys from old reports, you will need to run them again.

22.01.4 - 2022-01-31

  • Add help tooltips for some certificate filters: “Self-signed” and “CA certificates”.
  • Improve performance of the “Certificates” tabs in all analyzer reports.

22.01.3 - 2022-01-21

  • Fix database migration script.

22.01.2 - 2022-01-21

  • Add pagination information (page number and next/previous page links) to the bottom of paginated lists.
  • Fix serialization and parsing of some key metadata.

22.01.1 - 2022-01-14

  • Fix issue with the filters for self-signed and CA certificates that caused some certificates to be hidden.
  • Add filters for key lengths to the keys and certificates tabs.

22.01.0 - 2022-01-10

  • Hide the “has-private-key” attribute in the key detail page for symmetric keys.

21.12.2 - 2021-12-29

  • Improve the performance of the “Keys” tab in host scanner reports, especially when the database contains a large number of file entries.

21.12.1 - 2021-12-20

  • Add the following rules to Java analysis:
    • Invalid certificate
    • Certificate validity too long
  • Extract certificates from KeyStore.getCertificateChain calls in Java.
  • Show organization name on dashboard.

21.12.0 - 2021-12-13

  • Add filters for key file type in host scanner reports
  • Add filters for self-signed and CA certificates for Java and host scanner reports.
  • Operations are now ordered by last call
  • Include Host Scanner rules into tracer profiles
  • Display compatible APIs for rules on the profile page
  • Improve performance of the keys tab in host scan reports.
  • New projects are multi-type: they can handle multiple trace types at once and summarize them.

21.11.3 - 2021-11-26

  • Fix parsing of X.509 certificate extensions, which caused wrong interpretations of whether some certificates are CA certificates or not.

21.11.2 - 2021-11-25

  • On the certificate details page, show whether a certificate is self-signed or a CA certificate.
  • Added certificate expiration and stale key warning limits to the profile.

21.11.1 - 2021-11-18

  • Display file type in key information column for keys tab in host scan reports.
  • Fix bug where all key files in a host scan were categorized as SSH keys. Key files are now categorized as SSH, PGP, PKCS#8, etc.
  • Change location stats computation: previously it was counting instances; now it counts locations and the maximum severity per location.

21.11.0 - 2021-11-16

  • First numbered version.