Back to the articles

Product Update #5

picture of the author

Bálint Jánvári

August 2, 2023 6 mins read

Product Update #5

Today, we are releasing the largest update to our platform since our launch in February. Some of the changes I will be talking about have been silently released (as usual) during the past week or two - but there are quite a few that are brand new.

A new way to browse findings

Perhaps the most important output of our scans is the list of findings. Previously, there was no single place where you could review these, and to be honest there was very little transparency on what we consider a "finding". The Known Vulnerabilities page we had sort of looked like such a place, but it did not include everything. So let me introduce you to the new Findings page: a single, convenient location to review all security-relevant findings. Clicking on a finding will take you to other pages in the scan report, and you can also accept or reject findings right here.

Look what I found Look what I found

This new page also offered us the unique opportunity to add an often-requested feature: a way to compare the results of two scans. This can, for example, help you determine whether a newer version of the same firmware image fixes a particular vulnerability or not. Filters are available to highlight only findings that changed between versions.

The difference 4 years makes The difference 4 years makes

Dependencies and SBOM export

One of the steps we perform during every scan is the identification of third-party dependencies. Unfortunately, there wasn't any way to see a list of these, as we only used the list internally to look for known vulnerabilities, and we have shown those without any grouping. Dependencies without known vulnerabilities weren't shown at all. This changes with this update - Dependencies is now a dedicated report page. Together with the new Findings page, it replaces the old Known Vulnerabilities page, and shows a list of all identified third-party dependencies, as well as their known vulnerabilities and other metadata (including the list of files we used to identify it). You can also accept or reject all findings related to a single dependency, instead of going through them one by one.

An answer to the cries of the "I don't care about kernel vulnerabilities" crowd An answer to the cries of the "I don't care about kernel vulnerabilities" crowd

Additionally, you can now export this list - the reverse-engineered SBOM of the firmware image - in CycloneDX and SPDX format. If you choose to export a CycloneDX SBOM, we even include the list of known vulnerabilities, as well as their state (based on whether you accepted or rejected individual vulnerabilities).

XML is so 1996 XML is so 1996


If you have a keen eye, you might have noticed the new buttons in the header of the Dependencies page on the screenshot in the previous section. From now on (if you have an Enterprise plan), you can enable monitoring for new vulnerabilities for the dependencies we identified. For scans with monitoring enabled, whenever a new CVE appears in the National Vulnerability Database that affects the firmware image, you will get e-mail notifications and the report will update to include the newly identified vulnerability. (You will also get notified if the severity or classification of a vulnerability changes, or if it turns out that it does not affect the firmware image after all.)

New vulnerabilities deserve their own little purple icon New vulnerabilities deserve their own little purple icon

Monitoring is tightly integrated with product- or project-based scan grouping. When you start new scans and assign them to a product or project (and you should really consider doing so, it keeps your workspace neat and organized), the scan will by default inherit their monitoring policy, which can automatically enable monitoring. Products also support a special monitoring policy, "Latest" - this will turn monitoring off for the previous scan when a new one succeeds, ensuring that only the latest version of the firmware image is monitored for a particular product.

Technically, Latest is also On Technically, Latest is also On

When you enable monitoring (and you can enable it for older scans, should you wish to), the scan will immediately be updated to reflect new vulnerabilities that were discovered since the scan was originally performed. You can trigger this without enabling monitoring using the Rescan button, if you want to bring the scan up to date. Manual rescans are available in all paid plans.

This is animated, but I was too lazy to make a gif This is animated, but I was too lazy to make a gif

Watch me

A new feature related to (but not exclusive to) monitoring is the ability to "watch" scans, projects or products. Previously, you received e-mail notifications for all scans that were started in your workspace, and there was only a global opt-out of all such messages in the Profile page. From now on, you will only receive notifications (including vulnerability alerts) for scans you directly watch, or which are assigned to a project or product you watch. By default, you watch new scans you start and all products and projects you create, but you can change this with a single click. (This global opt-out is still there, if you need it.)

It's the one with the eye It's the one with the eye


One of the less documented (okay, undocumented) features we have had for a while is that scans grouped by product tracked and shared exploitability information. If you accept or reject a finding in the latest scan that is assigned to a product, we make note of it. If the same finding is found in subsequent scans assigned to the same product, it will be accepted or rejected immediately. To expose this feature, and give you more control, we have added the Exploitability page - where you can see the list of findings that were accepted or rejected for a particular product.

Another table full of findings Another table full of findings

Other improvements

  • File uploads should fail less often, and can now be retried
  • Progress bars will no longer take a step back after reaching 70%
  • Most tables now have friendlier empty and loading states
  • Added little icons to indicate if a scan report is shared via link
  • Improved positioning of chart labels
  • Better diagnostic messages for failed scans
  • Slightly better experience when using (unsupported) mobile browsers
  • File Explorer header finally aligns with the rest of the section headers

What's next

We have our work cut out for us - our documentation is still playing catch-up with new features, and since we planned to focus on UX improvements and better documentation for the next few weeks anyways, we will take a stab at improving the situation.

Was it worth your time?

Sign up for our newsletter to receive articles like this in your inbox 1-2 times per month.