October is upon us, and with it comes a fresh batch of updates to your favorite tools. 🎃 Don’t worry, these versions won’t haunt your system (we hope)!

In our treats basket, we've got Bamboo 9.6.6, Jira 9.17.3, Jira Service Management 5.17.3, GitLab 17.3.4, Jenkins 2.462.1 (don’t miss the important announcement in the Jenkins section!), JFrog Artifactory 7.90.13, and Xray 3.104.11.

Buckle up; it's time to prepare your systems for these October treats. There are no tricks involved... unless your Jenkins job fails, in which case, we can’t make any promises! 👻

Bamboo

Bamboo version 9.6.6 focuses on bug fixes, performance, stability, and tighter security for long-term support users. Bamboo 9.6.6 bundles all enhancements and bug fixes from previous releases (9.6.3, 9.6.4, 9.6.5), making it an essential update for maintaining a secure CI/CD environment.

Jira

The Jira 9.17.3 release brings several notable improvements to enhance the user experience and system security. One noteworthy mention is a streamlined field configuration process with updated UI components for better navigation and management.

Security

Restrict file extensions that can be uploaded to Jira

Protect your Jira instance and your organization’s infrastructure from potential malware; admins can now restrict unwanted file extensions from being uploaded through issues. To restrict specific file formats, you need to create a blocklist or allowlist of file extensions. Learn more here.

Tightening security with a websudo allowlist

To add an extra layer of security to websudo operations, you can configure and enable your IP address/subnet allowlist for Jira. This means that certain superuser operations can only be performed from pre-approved IP addresses. Learn more here.
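The kind of source-address check an IP/subnet allowlist implies, as an added illustration (this is not Jira's implementation). It assumes the allowlist is a list of plain addresses and CIDR subnets, IPv4 or IPv6, that the client address has already been determined reliably (for example after trusted-proxy handling), and it fails closed on anything it cannot parse. The allowlist entries and the audit-line format are constructed sample values.

```python
"""Source-address allowlist check of the kind websudo restrictions rely on.

Added illustration, not Jira's code. Assumes the caller already knows the
true client address; entries below are constructed sample values.
"""
import ipaddress

# Constructed sample allowlist: an office /24, one admin host, a v6 range.
ALLOWLIST_ENTRIES = ["10.20.30.0/24", "192.0.2.17", "2001:db8:abcd::/48"]


def parse_allowlist(entries):
    """Parse mixed host/subnet strings into network objects.

    strict=False accepts an entry such as 10.0.0.5/24 as its containing
    network; a bare address becomes a /32 (IPv4) or /128 (IPv6).
    """
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


ALLOWLIST = parse_allowlist(ALLOWLIST_ENTRIES)


def is_allowed(client_ip: str, networks=ALLOWLIST) -> bool:
    """True only when client_ip lies inside at least one allowed network.

    Unparseable input is treated as not allowed (fail closed). An
    IPv4-mapped IPv6 address (::ffff:a.b.c.d), as seen on dual-stack
    sockets, is unwrapped so an IPv4 subnet entry still matches it.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def websudo_decision(client_ip: str) -> str:
    """One audit-log line for the decision (constructed format)."""
    verdict = "ALLOW" if is_allowed(client_ip) else "DENY"
    return f"websudo source={client_ip} decision={verdict}"


if __name__ == "__main__":
    # Constructed client addresses: in-range, out-of-range, mapped, garbage
    for ip in ["10.20.30.77", "10.20.31.1", "192.0.2.17", "2001:db8:abcd:1::5",
               "::ffff:10.20.30.9", "not-an-ip"]:
        print(websudo_decision(ip))
```

The check deliberately compares address families before testing membership and unwraps mapped addresses itself, rather than relying on string prefixes; an allowlist built on string matching is the classic way such a control ends up either too loose or silently locking administrators out.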

Confluence page viewer replaces Confluence page gadget

In this release, the old and popular Confluence page gadget is replaced with the new Confluence page viewer. The new gadget is built on top of a modern and secure technology stack and comes with several UI improvements for a better overall experience. As with the old one, you can use the Confluence page viewer to embed a page from a linked Confluence Data Center site on your Jira dashboard. Learn more about gadgets here.

New Confluence page viewer

Administration

Streamlined field configuration experience

Performance, stability, and appearance of field configuration pages have been significantly improved. They now include pagination, search, and modern UI components for a much smoother experience.

Field configuration gets a new look

Jira Service Management

Archive unused assets objects

Declutter your instance and improve the performance of object searches by archiving the assets you no longer need. Previously, you had to permanently delete objects when your available index memory was low to make room for new objects. Now, you can archive objects instead (if you accidentally archive something, you can always restore it).

Archiving objects reduces the amount of memory used, allowing more objects to be stored without the need for additional instance memory. For example, archiving 30% of the objects in an instance will:

  • Reduce memory usage by 30%.
  • Accelerate operations that act on all objects by 30%, e.g., a re-index or opening the object schemas list page.

Note: Archived objects do not count towards assets object limits in guardrails.

Archiving unused assets objects

Restoring archived objects is now even easier and can be done directly from the new "archived objects" page. This includes the ability to filter by objects archived by the user and bulk restore options, allowing either selective restoration of specific objects or all filtered results.

Bulk objects restore

A new "archive object" action has been added to the assets automation, enabling the automated archiving of objects based on defined rules. However, actions that modify archived objects, such as updating attributes, will fail since archived objects are read-only. Learn more here.

Restrict file extensions that can be uploaded to your Jira

A new security feature was introduced, allowing administrators to restrict specific file extensions from being uploaded to Jira. This feature is aimed at protecting the Jira instance and the organization's infrastructure from potential malware or malicious files.

Admins can now set up a blocklist or allowlist of file extensions, either blocking or allowing specific file types for uploads through issues. This gives organizations greater power over the kinds of files that users can attach, adding another layer of security to Jira's operations. Learn more here.
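The difference between the two policies mentioned here and in the Jira section above (a blocklist fails open on an extension nobody listed, an allowlist fails closed) is easiest to see in code. The following is an added illustration, not Jira's or Atlassian's implementation; the two policy sets are constructed sample values rather than Jira's defaults, and the extension parsing treats a multi-extension name such as report.pdf.exe as carrying every extension it contains.

```python
"""Allowlist vs blocklist checks for uploaded file extensions.

Added illustration of the two policies the release describes; not
Jira's or Atlassian's code. Policy sets are constructed sample values.
"""
from pathlib import PurePosixPath

# Constructed sample policies (assumptions for the illustration).
ALLOWLIST = {"png", "jpg", "pdf", "txt", "log"}
BLOCKLIST = {"exe", "bat", "cmd", "js", "vbs", "html", "svg"}


def extensions_of(filename: str) -> list[str]:
    """Return every extension in a file name, lower-cased, outermost last.

    'report.tar.gz' -> ['tar', 'gz']; 'README' -> []; '.bashrc' -> [].
    A trailing dot is ignored ('evil.exe.' -> ['exe']), matching how
    Windows drops it when the file is saved.
    """
    name = PurePosixPath(filename.strip()).name  # drop any directory part
    name = name.lstrip(".")  # a leading dot marks a hidden file, not an extension
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]  # skip empties from '..' or a trailing '.'


def allowed_by_allowlist(filename: str, allowlist=ALLOWLIST) -> bool:
    """Fail closed: every extension in the name must be allowlisted and a
    name with no extension is rejected, so 'report.pdf.exe' is refused."""
    exts = extensions_of(filename)
    return bool(exts) and all(e in allowlist for e in exts)


def allowed_by_blocklist(filename: str, blocklist=BLOCKLIST) -> bool:
    """Fail open: reject only when some extension is blocklisted, so an
    extension nobody thought to list ('payload.hta') passes."""
    return not any(e in blocklist for e in extensions_of(filename))


def evaluate(filename: str) -> dict[str, bool]:
    """Verdict of both policies for one attachment name."""
    return {
        "allowlist": allowed_by_allowlist(filename),
        "blocklist": allowed_by_blocklist(filename),
    }


if __name__ == "__main__":
    # Constructed attachment names covering case, double extensions,
    # no extension, a trailing dot and a directory prefix.
    for name in ["invoice.pdf", "Photo.PNG", "setup.exe", "report.pdf.exe",
                 "payload.hta", "README", "/tmp/../notes.TXT."]:
        print(f"{name:24} {evaluate(name)}")
```

Run stand-alone it prints both verdicts per name; the rows for payload.hta and README are the ones to look at, since they are exactly the cases where a blocklist admits what an allowlist would refuse.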

Optimized workload reports for better performance and usability

Atlassian introduced optimized workload reports to enhance performance and usability, particularly in larger instances. Previously, reports would either take a long time to load or result in timeouts due to the system fetching the workload of all agents by default. To address this, Atlassian added new filters that display only agents with assigned issues by default, significantly reducing the load.

If administrators need to view the workload of all agents, they can modify the search filters to expand the report. These changes make workload management more efficient and improve the user experience, especially for instances with a large number of agents.

New filter to view agents with workload

Advance notice for Jira Service Management 10

In Jira Service Management 5.15, Atlassian announced upcoming changes to the tooling that take effect in version 10.

Groovy 2 to 4 upgrade

The upgrade from Groovy 2 to Groovy 4 is set to occur in version 10.0, which we plan to roll out at the beginning of next year. This upgrade is designed to improve security, functionality, and syntax support.

Key changes include updated syntax for the switch statement and the intersect() method, removal of certain modules such as groovy-jaxb and groovy-bsf, and improvements in parsing through the new Parrot parser. Additionally, users of JsonSlurper might need to replace it with Jackson ObjectMapper in case of compatibility issues. Learn more here.

Removal of internal GraphQL APIs in assets

The GraphQL APIs in the assets module have been removed as part of an ongoing effort to enhance security, improve API consistency, and clean up the codebase. These internal GraphQL APIs, which were used to configure assets, have been replaced with new internal REST endpoints.

Key GraphQL queries and mutations have been deprecated and removed. This change ensures that Jira Service Management's APIs adhere to a consistent structure across different modules while improving overall security. Learn more here.

GitLab

Between GitLab versions 17.3.1 and 17.3.3, several critical security patches and bug fixes were introduced to address vulnerabilities and improve overall functionality. The most notable security fixes include:

  • A fix preventing guests from potentially accessing the full source code of private projects through custom group-level templates.
  • A fix for a vulnerability that let authenticated users bypass pipeline execution policy protections and overwrite variables using a CI/CD template.

Other bug fixes:

  • No more timeout errors when checking group dependencies and empty geo-replication details.
  • The default PostgreSQL shared buffer minimum increased to 256 MB to enhance performance.
  • Several improvements were made related to background migrations, pipeline executions, and repository storage configurations.

Note: Customers directly impacted by the vulnerabilities listed above were immediately patched and the rest of our clients can rest assured knowing that they will receive these patches during the standard monthly maintenance window.

Jenkins

The newest version of Jenkins is sure to make you scream (with joy) with more security, user interface, usability, and performance improvements.

Important announcement!

Jenkins announced plans to stop Java 11 support. No date has been specified yet, but we expect that it may be brought in with the next LTS feature release.

In line with this plan, we intend to upgrade to Java 17 in November and will update all agents under our control to this version. Please prepare any agents that we don’t control. If you have any questions regarding this process, don’t hesitate to contact us.

Note: This won't affect your ability to build older distributions of Java (such as 8 or 11), as this change only concerns the default Java of your agents. As such, if you are managing your own agents, you will have to change the default Java version you're using. After this, you can select the other Java Development Kit (JDK) versions from within your jobs.

UI/UX

This release introduces a couple of UI/UX improvements aimed at enhancing the overall user experience. These updates streamline navigation, improve accessibility, and modernize the interface, making Jenkins easier and more intuitive for both new and experienced users. The updates include:

  • A refreshed “new item” page.
  • The “add description” action moved to the app bar.
  • An improved edit build information page.
  • No more jumping layout caused by tooltips.
  • Refined button appearances in sidebars, menus, pages, and breadcrumbs.
  • Adjusted heading weights and sizes.

Jenkins, of course, didn’t forget about bugs in the UI/UX, which were also resolved in this release.

Performance improvements

Key optimizations in this release improve resource management and boost overall stability, allowing for faster job execution and smoother operations. The specifics include:

  • Improved performance of JSON parsing.
  • Improved performance of file compression and decompression.
  • Improved startup performance when jobs have been created via REST API or command line interface.
  • Pipeline jobs can now run when the built-in node is offline.

JFrog Artifactory

Get ready to leap ahead with JFrog Artifactory 7.90.13! This release hops past version 7.84.12 with smoother artifact management, better performance, and reliability.

New features

Deploy large files using multi-part upload

Artifactory implemented a fast and reliable multi-part upload approach for large files with the JFrog CLI. In the case of an unsuccessful upload, a retry mechanism resumes from the point of failure, thus preserving all content that was uploaded prior. In contrast, with the standard upload, a failure resulted in the loss of all data and required a restart.

Multi-part upload is available using S3 and GCP storage types. The default value for the minimum file size requiring multi-part upload is 200 MB, although this value can be changed. Learn more here.

Additional package types added to support archiving

The full list of package types that now support package archiving includes Docker, Maven, npm, Gradle, YUM, generic, NuGet, Conan, and Helm. Learn more here.

Support for PyPI name normalization and enforce layout

Artifactory now supports the PyPI package features name normalization and enforce layout, as specified in PEP-440. These features help you keep a consistent naming scheme for PyPI packages and avoid issues.

For more information, see Use PyPI File Path Name Normalization, Use PyPI Enforce Layout, and Using Both PyPI File Path Naming Normalization and Enforce Layout.

Project storage quotas

You can now view and manage project storage quotas. A table view with project details is now the default “all project view,” and a new storage quota column with a usage bar has been added. 

You can now also perform actions, such as editing storage to manage and change the storage quota from the table view. Learn more here.

Performance improvements

The following performance improvements were made in the artifacts tree/native browser:

  • For users with limited permissions, loading the list of repositories at the root level of the tree browser is faster, as is expanding a folder with a long list of artifacts and displaying repository and artifact details.
  • The displayed list of artifacts is limited to a maximum of 20K, and artifacts that are not displayed are accessible through the search.

Major performance improvements for Alpine

This version includes an 87% improvement in response time in Alpine-related use cases, such as downloading from a virtual repository.

New platform navigation

JFrog is launching the new platform UI navigation for self-hosted instances. This will be the default experience in version 7.90.x. Learn more here.

JFrog Xray

JFrog Xray 3.104.11 is here to give your security scans an even sharper focus, leaving version 3.95.7 in the dust like a mummy. This release comes with enhanced vulnerability detection and improved performance, ensuring nothing slips through the cracks.

Alongside the new features and enhancements come bug fixes, such as XRAY-51523: a build version containing slash characters broke the overview screen of that build version in the scans list. That is now fixed.

Secrets scanning is now available for generic repositories

All file extensions supported in other repositories are now also supported in generic repositories, including the following archive formats: zip, tar, tgz, rar, 7zip, and Gzip.

Enhanced secrets scanning: Token validation

JFrog Advanced Security (JAS) now has enhanced scanning capabilities. This release introduces token validation, further strengthening your security posture by verifying the validity of detected tokens. Previously, secrets scanning only identified tokens; now, you can distinguish between active and inactive ones by authenticating against the token provider. Learn more here.

Compare security differences between build versions

This new feature enables the comparison and identification of vulnerabilities across different build versions. Xray now offers comprehensive visibility into vulnerabilities that have been added, resolved, or modified, facilitating a better understanding of which components have been added, removed, or updated. Learn more here.

Additional feature support for Go packages in shift left

Contextual analysis and SAST are now supported for Go packages in Visual Studio Code and the JFrog CLI for security. Learn more here.

Deprecation notice

As of Xray 3.102.x, Xray no longer supports "npm audit" for new instances. This is also the case for existing instances, which, in addition, are no longer supported by the custom vulnerability feed integration. To check Xray vulnerabilities from the command line, please use "jf audit" instead. Custom vulnerabilities can still be added via the API.

That’s all for October, see you in November, and don’t forget to bring a coat!

Published: Oct 2, 2024

Eficode ROOT release notes