Polaris 2020.07 Release Notes

Here's what's new in Polaris 2020.07.

Polaris Platform

  • Polaris and Reporting Platform no longer support the 2013 OWASP Top Ten, which has been deprecated by the OWASP foundation.
  • Coverity 2020.06 is supported on Polaris.
  • Coverity 2019.06 is no longer supported.
  • Polaris now supports scanning Kotlin code with Coverity.

Polaris CLI

  • The Polaris CLI requires Java 11 when local analysis is performed using Coverity.
  • In an upcoming release, support will end for Polaris CLI version 1.7.124 and older. This is to ensure compatibility going forward with Google Content Delivery Network (CDN). After the Polaris 2020.08 release, older versions of the CLI tool will no longer be able to download other tools from the Polaris server.
  • The Polaris CLI is now deployed as a single binary file, rather than several files.
  • The Polaris CLI now publishes its version in the scan results output.
  • The Polaris CLI now publishes the number of audit-severity issues found in a scan in the scan results output and includes this number in the total issue count.
  • The Polaris CLI now publishes the job ID in the scan results output.
  • The Polaris CLI now generates gradlew for build/clean commands in default configuration file.
  • The Polaris CLI is now compatible with macOS Catalina. A manual security exception is required before running the executable on Catalina. Instructions are available in the CLI documentation section.
  • Error codes are updated and simplified.
  • CLI gateway changes were made in 2020.07. This is to ensure compatibility going forward with Google Content Delivery Network (CDN).

Polaris API

Improvements to the API reference include:

  • Documenting additional query parameters that were not documented before.
  • Removing query parameters that are no longer valid.
  • Adding text descriptions to API Reference docs to make them easier to understand.
  • The job service now returns information about how long the capture phase took when executed by the CLI. The service was already reporting the duration of Coverity analysis phases executed on the job server. (This data is provided only for Coverity and won't necessarily become available for other tools.)
  • You can now use the Issue Query service to get a list of issues that are unique to a branch, revision, or run. New parameters for the Issue Query API can be used to return a list of issues that represent the difference between two runs performed on the same codebase.
  • Requests to the Auth service are limited to 500 results. Authorization Service list endpoints that implement pagination now validate page[limit]: the value must be greater than 0 and no greater than 500.
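The page[limit] validation above caps every Authorization Service list request at 500 results, so a client that wants more must page. The following is an added example, not Polaris code: it validates page[limit] the way the release notes describe, and shows a pager that walks a list endpoint in chunks of at most 500. The page[offset] parameter, the `fetch_page` transport callback, and the sample responses are assumptions constructed for the example; only the 0 < page[limit] <= 500 rule comes from the release notes.

```python
from typing import Callable, Dict, Iterator, List

# Upper bound stated in the release notes for Authorization Service list endpoints.
MAX_PAGE_LIMIT = 500


def validate_page_limit(limit: int) -> int:
    """Reject page[limit] values the server would refuse (must be > 0 and <= 500)."""
    if not isinstance(limit, int) or isinstance(limit, bool):
        raise ValueError("page[limit] must be an integer")
    if limit <= 0 or limit > MAX_PAGE_LIMIT:
        raise ValueError(
            f"page[limit] must be > 0 and <= {MAX_PAGE_LIMIT}, got {limit}"
        )
    return limit


def iter_all(
    fetch_page: Callable[[Dict[str, int]], List[dict]],
    limit: int = MAX_PAGE_LIMIT,
) -> Iterator[dict]:
    """Yield every item from a paginated list endpoint.

    fetch_page receives the query parameters for one page ({"page[limit]": n,
    "page[offset]": m}, where page[offset] is an assumed parameter name) and
    returns the items of that page. Iteration stops when a page comes back
    shorter than the requested limit.
    """
    limit = validate_page_limit(limit)
    offset = 0
    while True:
        items = fetch_page({"page[limit]": limit, "page[offset]": offset})
        yield from items
        if len(items) < limit:
            return
        offset += limit


def make_fake_fetch(total: int) -> Callable[[Dict[str, int]], List[dict]]:
    """Constructed stand-in for the HTTP call, serving `total` fake users."""
    users = [{"id": f"user-{i}"} for i in range(total)]

    def fetch_page(params: Dict[str, int]) -> List[dict]:
        # Mirror the server-side rule so an oversized request fails loudly.
        validate_page_limit(params["page[limit]"])
        start = params["page[offset]"]
        return users[start : start + params["page[limit]"]]

    return fetch_page


def collect_ids(total: int, limit: int = MAX_PAGE_LIMIT) -> List[str]:
    """Page through a constructed endpoint and return all ids in order."""
    return [u["id"] for u in iter_all(make_fake_fetch(total), limit)]


if __name__ == "__main__":
    print(len(collect_ids(1203)))          # 1203: three pages of 500 + remainder
    try:
        validate_page_limit(501)
    except ValueError as exc:
        print(exc)
```

Validating page[limit] on the client side before the request is sent turns a 4xx from the server into an immediate, descriptive error, and the pager's stop condition (a short final page) means a caller never has to know the total count in advance.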

Other API improvements in this release:

  • You can retrieve a list of checkers used in a particular run.
  • We added documentation about how to retrieve the issues in a project by means of filtering with a taxonomy.
  • The tool service is able to delete an uploaded tool license.

In recent releases new documentation in this set of documents includes:

  • A glossary (in the overview section).
  • A guide to Polaris API services (in the API Getting Started section).
  • A reference guide for the webhook payload (under the API reference section).

Bug Fixes

  • POL-6862 The command --co project.name="" created two projects instead of one.
  • POL-7492 Ability for CLI to display job id at the end in console output.
  • POL-8260 When triaging issues by filter and path, more issues are affected than should be.
  • POL-8723 Selections that are dismissed or not dismissed are not showing up properly in the triage pane.
  • POL-8846 Group membership on projects not displaying correctly.
  • POL-8991 Docs: How to exclude subdirectories from a build.