Changelog

[v2.3.0] [2025-10-02]

Version Alignment Notice

We've jumped from v2.0.0 directly to v2.3.0 to keep our CVEScan Web and CLI versions synchronized, making it easier to work with our complete security scanning suite. No intermediate releases were made between these versions.

Added

  • Access Tokens: Added access tokens for API authentication. Users can now generate tokens with specific permissions for programmatic API access; currently the create-scan permission is supported. Tokens can be generated at vault, project, and component levels through the WebUI access token management page. The Upload new scan page now includes a dedicated API integration section for token-based authentication. See the Access Tokens documentation for detailed information.

  • Archive Feature: New archiving capability for components and projects. This feature allows users to archive entities that are no longer actively used but cannot be deleted due to existing annotations or historical work, maintaining data integrity while improving workspace organization. See Archive and Deletion documentation for detailed information.

  • Packages Page: New dedicated page that displays all packages used within a component along with detailed vulnerability information, enabling better package-level security oversight.

  • Exports Page: Comprehensive export functionality providing CSV vulnerability reports and JSON annotations reports for external analysis.

  • Vault Import/Export Annotations Page: Introduced an import/export annotations page for vault-level annotation management. Features include:

    • Import annotations from external reports (requires an empty vault with a matching structure).
    • Export annotations reports.
    • Purge functionality to remove all annotations, scratchpads, and flags.
    • Structure validation view that assists users in verifying their vault's structure prior to importing annotations.

  • CVSS V4 Support: Added support for the latest CVSS V4 scoring system. CVSS V4 scores are displayed by default when available, with all CVSS versions (V2, V3, V4) accessible in the vulnerability details page for comprehensive scoring information.

  • Delete Latest Scan Feature: Introduced the option to remove the most recent scan for a component. This action can be performed via the actions menu on a component row in the project components page. Note: Deletion is permitted only if no subsequent work has been performed on the scan since it was uploaded.

  • Open Vulnerability in New Tab Feature: Added the ability to open a vulnerability in a new tab.

  • Quick Scan Application: Added the source code of the Quick Scan Application to the monorepo, providing a standalone, client-side-only application for rapid vulnerability assessment.

Modified

  • NGINX Configuration: Increased proxy buffer sizes to handle large response headers from Keycloak (such as session cookies), preventing errors caused by oversized upstream headers.
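As an added illustration (not the project's shipped nginx configuration; the upstream name, hostname and buffer values are assumptions), a proxy location showing the default-sized buffers that cause the oversized-header error next to the enlarged values:

```nginx
# Added example, not CVEScan's own nginx.conf. The upstream name, server_name
# and buffer sizes are assumptions; size them to the largest header set
# Keycloak actually emits (several session cookies can add up to tens of KB).
upstream keycloak {
    server keycloak:8080;
}

server {
    listen 443 ssl;
    server_name cvescan.example.com;   # placeholder hostname

    location /auth/ {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Before: nginx defaults apply (proxy_buffer_size 4k|8k, one memory
        # page; proxy_buffers 8 4k|8k). The first part of the response (status
        # line plus headers) must fit in proxy_buffer_size; when Keycloak's
        # Set-Cookie headers exceed it, nginx logs "upstream sent too big
        # header while reading response header from upstream" and returns 502.
        #
        # After: enlarge the header buffer and keep the related buffers
        # consistent (proxy_busy_buffers_size must be at least as large as
        # proxy_buffer_size and smaller than all proxy_buffers minus one).
        proxy_buffer_size          128k;
        proxy_buffers              4 256k;
        proxy_busy_buffers_size    256k;
    }
}
```

Check the change with `nginx -t` before reloading; a busy-buffer value outside the allowed range is rejected at config test time rather than at request time.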

  • Scope Entity Naming: Prohibited the use of * characters in scope entity names (Vault, Project, Component, and Transversal) to ensure consistent naming conventions and prevent potential conflicts when importing an annotations report.

  • Scan Report Validation: Updated scan report validators to accept reports with zero vulnerabilities.

  • Rework Latest Review Feature: The rework button is now available for the latest review of every annotation, even when that review was not made within the current quick scan session.

Fixed

  • Vault Users Page: Fixed a bug where switching to a different vault did not refresh the users list. The users list now updates correctly whenever the selected vault is changed.

  • Component Dashboard: Fixed severity distribution chart formatting on component dashboard where floating-point values were incorrectly displayed (e.g., showing 2.000000000000000 instead of 2).

  • Navigation: Fixed page freeze issue when navigating to the dashboard or vulnerabilities page for components with no scans, ensuring proper error handling and better user experience.

  • Annotation Forking: Resolved issue where users could select already-used scopes when forking annotations for vulnerabilities with non-semver package versions, preventing scope conflicts.

  • Annotation Scope Management: Fixed bug preventing users from changing the scope of version-specific annotations to scopes used by non-version-specific annotations, improving annotation flexibility.

[v2.0.0] [2025-06-30]

Major release with significant changes. CVEScan now integrates an API service to manage and store data. This integration allows the application to provide more features such as user management, role-based access control, and a complete historical record for cybersecurity audits.

Features

  • API Integration: CVEScan now integrates with an API service for data management.
  • User Management: Added user management features.
  • Role-Based Access Control: Implemented role-based access control for enhanced security.
  • Historical Record: Maintains a complete history of all changes, assessments, and annotations and offers a "time travel" feature to review the state of vulnerabilities and actions taken at any point in the past, making it ideal for auditing and compliance.