Changelog
[v2.4.0] [2026-01-21]
Added
- Vulnerabilities Evolution Dashboard: New component-level dashboard that visualizes the evolution of vulnerabilities over time, helping teams track remediation progress and identify trends. Accessible from the sidebar under the "Component" section in the WebUI.
- Vulnerability Matching Details: Enhanced vulnerability details page with a new "Matches" section that displays why a package was matched to a specific vulnerability, including the matching connector used and criteria applied.
- CVSS V4 CSV Export Support: Extended CSV export functionality to include CVSS Source and CVSS V4 metrics: CVSSv4 Base Score, CVSSv4 Attack Vector, and CVSSv4 Source.
- Keycloak Custom Theme: Added a custom Keycloak authentication theme that aligns with CVEScan's color palette.
- Jira Integration (Experimental): Introduced Jira integration to seamlessly link CVEScan annotations with Jira issues. Note: This is an experimental feature and may undergo changes in future releases. See Jira Integration documentation for more details.
Modified
- Dashboard Filters Persistence: Dashboard page filter selections are now persisted across sessions, improving workflow efficiency.
- Table Sorting: Sorting in tables such as the vulnerabilities table and the packages table is now case-insensitive.
Fixed
- Quick Scan Review Rework: Fixed an issue where the latest review rework feature was not functioning correctly in the Quick Scan application.
[v2.3.1] [2025-10-07]
Fixed
- Scan and annotations reports: Restored backward compatibility with older scan and annotations reports.
- Role assignment: Fixed an issue where system administrators could not assign the Vault admin role to users if the target vault did not have any projects.
- Navigation: Fixed an issue where users with browser extensions that modify the global history object would get a blank page when navigating between pages. While this resolves the blank page issue, users with such extensions might encounter problems with the restore scroll and focus features when navigating back to the previous page.
[v2.3.0] [2025-10-02]
Version Alignment Notice
We've jumped from v2.0.0 directly to v2.3.0 to keep our CVEScan Web and CLI versions synchronized, making it easier to work with our complete security scanning suite. No intermediate releases were made between these versions.
Added
- Access Tokens: Enhanced API authentication with an access tokens feature. Users can now generate tokens with specific permissions for programmatic API access. Currently supports the create-scan permission. Tokens can be generated at vault, project, and component levels through the WebUI access token management page. The Upload new scan page now includes a dedicated API integration section for token-based authentication. See Access Tokens documentation for detailed information.
- Archive Feature: New archiving capability for components and projects. This feature allows users to archive entities that are no longer actively used but cannot be deleted due to existing annotations or historical work, maintaining data integrity while improving workspace organization. See Archive and Deletion documentation for detailed information.
- Packages Page: New dedicated page that displays all packages used within a component along with detailed vulnerability information, enabling better package-level security oversight.
- Exports Page: Comprehensive export functionality providing CSV vulnerability reports and JSON annotations reports for external analysis.
- Vault Import/Export Annotations Page: Introduced an import/export annotations page for vault-level annotation management. Features include:
  - Import annotations from external reports (requires an empty vault with matching structure).
  - Export annotations reports.
  - Purge functionality to remove all annotations, scratchpads, and flags.
  - Structure validation view that assists users in verifying their vault's structure prior to importing annotations.
- CVSS V4 Support: Added support for the latest CVSS V4 scoring system. CVSS V4 scores are displayed by default when available, with all CVSS versions (V2, V3, V4) accessible in the vulnerability details page for comprehensive scoring information.
- Delete Latest Scan Feature: Introduced the option to remove the most recent scan for a component. This action can be performed via the actions menu on a component row in the project components page. Note: Deletion is permitted only if no subsequent work has been performed on the scan since it was uploaded.
- Open Vulnerability in New Tab Feature: Added the ability to open a vulnerability in a new tab.
- Quick Scan Application: Added the source code of the Quick Scan Application to the monorepo, providing a standalone, client-side-only application for rapid vulnerability assessment.
Modified
- NGINX Configuration: Increased proxy buffer sizes to handle large response headers from Keycloak (such as session cookies), preventing errors caused by oversized upstream headers.
- Scope Entity Naming: Prohibited the use of * characters in scope entity names (Vault, Project, Component, and Transversal) to ensure consistent naming conventions and prevent potential conflicts when importing an annotations report.
- Scan Report Validation: Updated scan report validators to accept reports with zero vulnerabilities.
- Rework Latest Review Feature: The rework button is now available for the latest review of all annotations, even if it was not made within the current quick scan session.
Fixed
- Vault Users Page: Fixed a bug where switching to a different vault did not refresh the users list. The users list now updates correctly whenever the selected vault is changed.
- Component Dashboard: Fixed severity distribution chart formatting on the component dashboard where floating-point values were incorrectly displayed (e.g., showing 2.000000000000000 instead of 2).
- Navigation: Fixed a page freeze issue when navigating to the dashboard or vulnerabilities page for components with no scans, ensuring proper error handling and a better user experience.
- Annotation Forking: Resolved an issue where users could select already-used scopes when forking annotations for vulnerabilities with non-semver package versions, preventing scope conflicts.
- Annotation Scope Management: Fixed a bug preventing users from changing the scope of version-specific annotations to scopes used by non-version-specific annotations, improving annotation flexibility.
[v2.0.0] [2025-06-30]
Major release with significant changes. CVEScan now integrates an API service to manage and store data. This integration allows the application to provide more features such as user management, role-based access control, and a complete historical record for cybersecurity audits.
Features
- API Integration: CVEScan now integrates with an API service for data management.
- User Management: Added user management features.
- Role-Based Access Control: Implemented role-based access control for enhanced security.
- Historical Record: Maintains a complete history of all changes, assessments, and annotations and offers a "time travel" feature to review the state of vulnerabilities and actions taken at any point in the past, making it ideal for auditing and compliance.