As June unfolds with the promise of summer, it seems GitLab is not taking any vacations; it’s taken over this release with more updates than tourists at the beach. Grab your digital sunblock and shades because the GitLab release rays are shining bright! 

It’s not just GitLab soaking up all the sun; GitHub Enterprise Server, Jenkins, Artifactory, Xray, and SonarQube LTS are also jumping on the bandwagon. This release is so packed you might need to consider an extra suitcase just to carry all the new features!

Please note: July is traditionally a month for housekeeping and maintenance chores on Eficode ROOT, so we won’t be releasing any new software versions.

As the summer sun climbs higher, GitLab isn’t just soaking up rays—a wave of fresh updates in version 17.0.1 is expected. This release brings a suite of new tools for project development and project administration, making management as breezy as a seaside afternoon.

The UI enhancements are like a cool splash of ocean water, designed to make navigation intuitively simple. And for those who revel in cutting-edge technology, GitLab's new AI features promise to be as exciting as a sudden summer thunderstorm.

Whether you're a project manager or a developer, these updates are set to make your summer feel like a day at the beach.

Project development

CI/CD Catalog with components and inputs now generally available (all users)

As the temperature rises, GitLab is here to ensure your CI/CD workflow feels more like a leisurely pool day than a frantic race to the ocean. With the "CI/CD Catalog with components and inputs" now generally available, building pipelines is as simple as mixing your favorite summer cocktail. No more starting from scratch or sweating over complex configurations.

Components are reusable, single-purpose building blocks that take away the complexity of pipeline configuration. Think of them as LEGO pieces for your CI/CD workflows. By using components, you can assemble pipelines more efficiently without starting from scratch each time.

Reusability and efficiency: The feature allows for the creation of CI/CD components that are reusable building blocks. These can be assembled into pipelines using pre-defined abstractions rather than needing to write detailed configurations for each new project. This makes pipeline creation much quicker and reduces repetitive tasks.

Customization and flexibility: Each component can be customized with input parameters that enable them to be adapted to different projects or pipeline requirements without modifying the underlying code. This flexibility makes it easier to maintain and update pipelines as project needs evolve.

Quality and consistency: The components are stored in a centralized CI/CD catalog, making them easily accessible for use across the organization. This catalog not only helps in maintaining consistency across projects but also ensures that each component meets high-quality standards since they can be tested and refined centrally. Learn more here.
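To make the component and input model concrete, here is an added example (not configuration from GitLab or from Eficode ROOT): a component template that declares validated inputs, followed by a project pipeline that includes it pinned to a released version. The project path `my-org/ci-components`, the component name `secret-scan`, the input names, the scanner image and its command line are all hypothetical.

```yaml
# ===== File: templates/secret-scan.yml (in the component project) =====
# Hypothetical component project: my-org/ci-components
spec:
  inputs:
    stage:
      default: test
      description: "Pipeline stage the scan job runs in"
    scan_path:
      default: "."
      description: "Relative path to scan"
      # Accept only plain relative paths, so a caller cannot pass shell
      # metacharacters that would end up in the script line below.
      regex: '^[A-Za-z0-9._/-]+$'
    fail_on:
      default: high
      description: "Lowest severity that fails the job"
      # Callers must pick one of these values; anything else is rejected
      # when the pipeline is created, before any job runs.
      options: [low, medium, high, critical]
    allow_failure:
      type: boolean
      default: false
---
# Everything below the separator is the job template. $[[ inputs.* ]] is
# interpolated once, at pipeline creation time.
secret-scan:
  stage: $[[ inputs.stage ]]
  image: registry.example.com/security/scanner:1.4.2   # hypothetical image
  allow_failure: $[[ inputs.allow_failure ]]
  script:
    # Hypothetical scanner CLI, shown only to illustrate where inputs land.
    - scanner --path "$[[ inputs.scan_path ]]" --fail-on "$[[ inputs.fail_on ]]"

# ===== File: .gitlab-ci.yml (in a project that uses the component) =====
include:
  # Pinned to a released version of the component. Pinning to a version or
  # a commit SHA means a later change to the component cannot alter this
  # pipeline until the pin is updated and reviewed.
  - component: $CI_SERVER_FQDN/my-org/ci-components/secret-scan@1.2.0
    inputs:
      stage: test
      scan_path: services/api
      fail_on: medium
```

The consuming project changes behaviour only through the declared inputs; a value outside `options` or one that fails the `regex` stops the pipeline from being created.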

Enhanced epic deletion protection (Premium, Ultimate)

This feature provides an important safeguard for project management, significantly reducing the risk of accidental deletions.

Now when you delete a parent epic, instead of deleting all its child records automatically, we preserve them by detaching the parent relationship first. By adding these precautionary measures, GitLab ensures that critical project data is protected, maintaining the integrity of your project workflows and preventing the unintended loss of valuable information.

This feature underscores GitLab's commitment to enhancing data security and reliability in project management. Learn more here.

Always run after_script commands for canceled jobs (all users)

A significant update to the after_script behavior in CI/CD pipelines ensures that these commands will always execute even when a job is canceled. This change ensures that necessary cleanup actions or other important procedures are completed even if the main job isn’t finished, enhancing the robustness of the pipeline execution process. Learn more here.

Dependency scanning support for Android (Ultimate)

Users of dependency scanning can now scan Android projects. To configure Android scanning, use the CI/CD Catalog component. Android scanning is also supported for users of the CI/CD template. Learn more here.

Streamlined SAST analyzer coverage for more languages (all users)

With the latest release, GitLab has simplified the Static Application Security Testing (SAST) process by replacing language-specific analyzers with GitLab-managed rules in the Semgrep-based analyzer.

This change affects a variety of programming languages, including Android, C, C++, iOS, Kotlin, Node.js, PHP, and Ruby. It means less complexity and more customization options, making it easier than ever to integrate SAST into your projects. This improvement allows teams to maintain high security standards easily. Learn more here.

Commit signing for GitLab UI commits (all users)

Previously, web commits and automated commits made by GitLab could not be signed. Now, you can configure your self-managed instance with a signing key, a committer name, and an email address to sign web and automated commits. Learn more here.

Committer signature details in web commit.

Optional configuration for policy bot comment (Ultimate)

Just like a lifeguard on duty who decides when to blow the whistle over a rambunctious beachgoer, the GitLab policy bot now offers optional configuration for its comments.

The bot posts a comment on merge requests that violate a policy. This helps users understand when policies are enforced on their project after an evaluation is complete and whether any violations are blocking an MR, with guidance to resolve them.

These comments are now optional and can be enabled or disabled within each policy. This gives organizations the flexibility and control to determine how they want to communicate these policies to their users. Learn more here.

Actions view with requirements and bot settings.

Project administration

Add a group to the CI/CD job token allowlist

Just like a pool party where only guests with invitations can dive in, adding a group to the CI/CD job token allowlist means only approved projects and groups can access your CI/CD resources.

Managing a guest list is much easier when you can admit groups one at a time rather than checking each person individually.

Note that the maximum limit of 200 now applies to both projects and groups, meaning a project allowlist can have up to 200 projects and groups authorized for access. Learn more here.

Adding group or project view.

View issues from multiple Jira projects on GitLab (Premium, Ultimate)

This comprehensive view means project managers can keep an eye on multiple projects simultaneously, ensuring smooth sailing without having to jump from one project to another.

It’s about keeping everything in sight and under control, enhancing efficiency and oversight. You can do the following:

  • Enter up to 100 Jira project keys separated by commas.
  • Leave Jira project keys blank to include all available keys.

Learn more here.

Design management features extended to product teams (all users)

Design management features for product teams in GitLab bring everyone together to watch and contribute to the evolution of a project. This collaborative view ensures no detail is missed, much like how everyone enjoys the same stunning views. It allows for real-time feedback and continuous improvement, ensuring that every project detail is as breathtaking as a sunset, with smoother transitions and more inclusive discussions. Learn more here.

Guests in groups can link issues (Premium, Ultimate)

GitLab reduced the minimum role required to relate issues and tasks from Reporter to Guest, giving you more flexibility to organize work across your GitLab instance while maintaining permissions.

Service desk

Multiple external participants for the service desk

Imagine your service desk as a central hub for booking conference rooms in a bustling corporate office. With GitLab's new feature allowing multiple external participants, it's like opening up your booking system to include not just internal teams but also external partners and clients to support tickets.

This broadened support ticket access facilitates smoother coordination and communication for meetings and projects, ensuring that all necessary parties are involved from the start and can easily provide input or request changes.

Simply use the quick actions /add_email and /remove_email to add or remove external participants in a few keystrokes.

Configure GitLab to add all email addresses from the Cc header of the initial email to the Service Desk ticket.

Tailor all service desk email templates to your liking using markdown, HTML, and dynamic placeholders. An unsubscribe link placeholder is available to make it easy for external participants to opt out of a conversation. Learn more here.

AI is even more helpful

AI Impact analytics in the Value Streams Dashboard (Ultimate)

Think of the AI Impact analytics as the smart thermostat of your office operations—constantly adjusting and optimizing the environment for maximum efficiency.

By analyzing continuous data streams, this tool helps you maintain the perfect temperature for productivity and project delivery, ensuring that every phase of your project lifecycle is as energy-efficient and effective as possible.

In this first release, AI usage is measured as the monthly Code Suggestions usage rate and is calculated as the number of unique monthly Code Suggestions users divided by the total monthly unique contributors.

The AI Impact dashboard is available to users on the Ultimate tier for a limited time. Afterward, a GitLab Duo Enterprise license is required to use the dashboard. Learn more here.

AI impact dashboard view.

GitLab Duo Chat now uses Anthropic Claude 3 Sonnet (Premium, Ultimate)

Imagine the GitLab Duo Chat with Anthropic Claude 3 Sonnet as the latest high-tech AI assistant in your office. This integration transforms the chat tool into an even smarter collaborator, capable of understanding and generating more nuanced responses. Learn more here.

How-to questions in GitLab Duo Chat supported on self-managed deployments (Premium, Ultimate)

Think of it as setting up a DIY (Do It Yourself) help desk right in your messaging system. This feature acts like the handy toolbox in the corner, ready to pop up with tools and tips when you're stuck, providing instant how-to solutions and guidance directly within your workflow.

You can ask Chat for help with queries like, “How do I change my password in GitLab?” or “How do I connect a Kubernetes cluster to GitLab?” Learn more here.

GitLab Duo Chat answering the question.

UI

Introducing deployment detail pages (Premium, Ultimate)

Adding deployment detail pages to GitLab is like setting up a comprehensive bulletin board in the office where every team member can post updates and check statuses. This feature ensures all deployment-related information is centralized and accessible, promoting transparency and better coordination.

It’s like having a well-maintained bulletin board where nothing gets missed, and everyone stays informed about the latest developments. To be precise, in this first version, the deployment details page offers an overview of the deployment job and the possibility to approve, reject, or comment on a deployment in a continuous delivery setting. Learn more here.

Deployment details page view.

Milestones and iterations visible on issue boards (all users)

From now on, with milestone and iteration details directly visible on issue cards, you can easily track progress and adjust your team’s workload on the fly. This enhancement is designed to make your planning and execution more efficient, keeping you in the loop and ahead of schedule. Learn more here.

Milestone and iteration details are directly visible on issue cards.

Track fast-forward merge requests in deployments (all users)

From now on, merge requests are tracked in deployments, including in projects with the merge method Fast-forward merge. Previously, merge requests were tracked in a deployment only if the project’s merge method was Merge commit or Merge commit with semi-linear history. Learn more here.

Relevant changes in member display (all users)

Now, when members of a private group are invited to a public group or project, their users are visible to all members. This transparency ensures that all guests are recognized and can see who else is attending, which can help in networking and social interactions during the event.

The source of membership will be masked from members who do not have access to the private group but visible to users who have at least the "Maintainer role" in the project or "Owner role" in the group so that they can manage members.

If the current user viewing the Members tab is unauthenticated or isn't a member of the group or project, they will not see the private group members. Learn more here.

Now, shared members are also listed in the Members tab, giving a complete overview of all the members that are part of a group or project at a glance. Previously, members of groups that were invited to a group or project were visible only in the Groups tab of the Members page. This meant users had to check both the Groups and Members tabs to understand who had access to a certain group or project. Learn more here.

Almost breaking changes

Standardized CI/CD Catalog component publishing process

Releasing versions from a CI/CD job with the release keyword and the release-cli image is now the only supported method for publishing CI/CD Catalog components. All improvements to the release process will apply to this method only.

To avoid breaking changes introduced by this restriction, make sure you always use the latest version of the image (release-cli:latest) or at least a version greater than v0.16. The Releases option in the UI is now disabled for CI/CD component projects. Learn more here.
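A release job of the kind described above, as an added example rather than configuration taken from GitLab or Eficode ROOT. The stage name, the job name and the tag pattern are assumptions; the `release` keyword and the `release-cli:latest` image are the ones named in the text.

```yaml
# .gitlab-ci.yml in the CI/CD component project
stages: [release]

create-release:
  stage: release
  # The release keyword is executed by release-cli inside this image.
  # The text above asks for :latest or at least a version greater than v0.16.
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    # Assumption: versions are published only from tags that look like
    # 1.2.3, so an arbitrary tag pushed by mistake does not become a
    # catalog version.
    - if: $CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+$/
  script:
    - echo "Publishing component version $CI_COMMIT_TAG"
  release:
    tag_name: $CI_COMMIT_TAG
    description: "Release $CI_COMMIT_TAG of $CI_PROJECT_PATH"
```

Because the UI Releases option is disabled for component projects, protecting the tags that match this rule is what controls who can publish a new version.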

Private group visibility changes when invited to a public group or project

Now, when members of a private group are invited to a public group or project, their users will become visible to all members. This transparency ensures that all guests are recognized and can see who else is attending, which can help in networking and social interactions during the event.

The source of membership will be masked from members who do not have access to the private group. However, the source of membership will be visible to users who have at least the "Maintainer role" in the project or "Owner role" in the group so that they can manage members in their project or group. If the current user viewing the Members tab is unauthenticated or not a member of the group or project, they will not see the private group members. Learn more here.

GitLab Runner disables runner registration tokens in favor of authentication tokens

GitLab Runner 17 disables runner registration tokens in favor of authentication tokens to register runners. Existing runners will continue to work as usual even after 18.0. This change only affects the registration of new runners. More details can be found here.

Navigating through GitHub Enterprise Server versions 3.12.2, 3.12.3 and 3.12.4 feels a bit like a software soap opera—full of twists and turns meant to keep your coding journey as drama-free as possible.

Buckle up because, in August, we are hitting a new feature release delivered in 3.13!

3.12.2 version

GitHub focused on security enhancements, including fixes for vulnerabilities that allowed unauthorized administrative SSH access via command injection in the Management Console (our customers were not affected).

There were also significant updates to package security versions and resolutions to various bugs affecting functionalities like audit log streaming connections and Git operations post-failover in cluster configurations.

3.12.3 version

This addressed different security issues, such as the unnecessary exposure of firewall port 9199, and deprecated the editor role for Management Console users due to a security vulnerability.

It also tackled various bugs, such as issues with LDAP error messages and incorrect license counts due to exclusions of admins in the actions organization. Additionally, improvements were made to enhance CPU/memory utilization visibility for secret scanning processes.

3.12.4 version

This version contains only critical security fixes: on instances that used SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges. None of our customers were affected by this vulnerability.

Recent Jenkins releases, such as 2.452.1, served up some needed "security seasoning," patching up vulnerabilities to keep your development environment safely sizzling. Version 2.452.0 delivered a buffet of usability enhancements and bug fixes, ensuring that your CI/CD pipeline runs as smoothly as a well-oiled skillet. These updates help ensure that Jenkins remains the "master chef" of your software development kitchen.

Use the symbol for parameters in the build history of pending jobs

A UI update replaced the notepad icon in the build history for pending jobs with the symbol for parameters. The link wrapper was also removed.

Removed and new icons.

Add a "copy to clipboard" button to the build console output

This is a small QoL improvement to quickly copy the console output. It also supports progressive text output.

Copy button to the build console output.

Add a computer icon legend and a new icon for agents that are not accepting tasks

The long-confusing UI arrangement gets solved! Previously, the same red cross icon was shown whether an agent was offline or not accepting tasks, which confused users who often assumed that a node not accepting tasks was offline when it wasn't.

Change focus in the new item page only if from has a valid job name

A bug that has been stuck with us since version 2.303.1 has finally found its resolution. When you leave the "Item name" field empty and start typing in the "Copy from" field, after a few characters, the focus shifts from the "Copy from" field back to the item name field. This has happened many times and has led to typos, but no more!

JFrog's Artifactory version 7.84.12, the latest from the pond, comes hopping in with feature enhancements that are both nifty and crucial for DevOps environments. The release contains key fixes that resolve issues with incorrect Helm proxy configurations, improved system performance under load, and better handling of repository configurations.

It also addresses problems with artifact uploads and metadata retrieval, ensuring your workflow remains uninterrupted. Also worth mentioning is the upgraded NodeJS to version 20.12.2.

Artifactory

Improved Artifact Tree view

The Artifact Tree view has been significantly improved such that when opening a node on a repository, a specific (configurable) number of artifacts are displayed instead of the entire contents of the repository.

This significantly reduces loading time for repositories containing a large number of artifacts. The default display number is 500, but this can be changed in the Artifactory UI (click here for instructions).

If there are more artifacts to display beyond the current list, a Load more option appears at the end of the list and, when clicked, displays more items.

The enhanced Artifact Tree view is available both in a Tree Browser and a Native Browser.

Access Token Creation by Project Admins

Project admins can create access tokens tied to projects they hold administrative privileges for. For more information, click here.

Changes to Anonymous Access

From Artifactory 7.84.3, new users with anonymous access cannot access any ad hoc repository. You need to create a new permission target, select the repository's anonymous user, and set actions; only then can you access the repositories. For more information, see Allow Anonymous Access.

Almost breaking changes

Replicator service for Release Bundles v1 has been deprecated

This only affects Enterprise+ customers starting from 7.84.10 with selected use case-dependent optimizations distributing software with JFrog Distribution. After the upgrade, JFrog Distribution will continue to function as it did before Replicator was deprecated.

Changes to anonymous access

From Artifactory 7.84.3, new users with anonymous access cannot access any ad hoc repository. You need to create a new permission target, select the repository's anonymous user, and set actions; only then can you access the repositories.

Breaking change

API key deprecation

As we mentioned in the Eficode ROOT February 2023 release note, JFrog officially started the countdown to fully discontinue its support for API Key. Since then, there have been changes in the timeline.

Functionality is planned to be deprecated in the following stages:

  1. By the end of Q3 2024, you will not be able to create new API keys through UI or API.
  2. By the end of Q4 2024, API keys will no longer be supported.

Hop on over and see what’s new in JFrog Xray! Just like a frog effortlessly leaps from lily pad to lily pad, JFrog has made some nimble jumps in its latest versions, from 3.89 all the way to 3.95.7. Let’s dive into the pond and explore the freshest features that have just landed in Xray.

Fixes

JFrog focused a lot on delivering fixes for issues that affected users and functionality. We’ve sorted them by category:

  • Scanner fixes whereby:
    • Deb built by the ‘fpm’ was not scanned correctly.
    • The violations table for a repository scan was not sorted properly.
    • Indexing of artifacts when its extension is either uppercase or a mixed case.
    • Scans List: The builds screen did not list all the builds whose versions were scanned, adding time to JSON and CSV reports.
  • Stability fixes whereby: 
    • Scanning via JFrog CLI failed on Windows OS.
    • Xray DB sync failed when used via proxy.
    • Xray analysis did not stop when the Xray service was.
    • Artifact data was not retained for the desired period when configured per include patterns; Xray licenses were detected as expired, and all Xray functionality was disabled.
  • UI fixes whereby: 
    • The wrong page count number was displayed when filtering Xray System Messages.
    • Improvements to the new Platform UI were added with more visibility over the Watches and Policies screen.
  • Notification fixes whereby:
    • Watch recipients did not receive email notifications in an edge case where a previous send had failed.
    • The Artifactory URL is now configured with email server configuration in the JFrog Platform for links in emails.
  • General performance fixes reduced the time needed for JFrog’s Watches and Policies screen to load if the requested page size was 100 records or more.

Xray policies enhancements

Enhanced integration with Jira and New Wizard

The Create Policy UI has been revamped to be more intuitive and user-friendly. You can now add a Watch when creating a Policy.

JFrog Advanced Scans Enhancements

The Xray Jira Integration now supports ticket generation for ignored violations. A new Jira Integration Wizard was introduced that easily enables you to connect your Jira instance to Xray. Documentation here.

Contextual Analysis Statuses in REST APIs

Contextual Analysis results now provide richer results with the help of updated REST APIs. The previous boolean output is still available for backward compatibility but is now deprecated.

The new format is a string of the following values: not_scanned, applicable, not_applicable, undetermined, rescan_required, upgrade_required, and not_covered.

Apply Watch on Existing Content REST API

You can now apply a Watch or multiple Watches on existing content via REST API. Learn more here.

That’s all for June/July, see you in August!

Published: Jun 4, 2024