Release Notes

Improvements

• Customers can now issue a service request to have a certain set of tools preselected, when they create a new project or user.
• Updated Angular to fix some vulnerabilities.

Bugfixes

• When a project was saved, the project lead in Jira was set to sdcloud-admin since the previous version 2.2.1. This is fixed now, so if any user is set as the project lead, it will be kept.
• In some rare cases it could happen that Portal Technical Users were not listed on the Technical Users page. This is fixed now, so that refreshing the page is no longer required. Please note that Portal Technical User for Portal API access are only available, if you use a service request to enable the feature on your instance.
• In some rare cases it could happen that the Log-in button in the Re-Authenticate dialog was not clickable.

Improvements

• More columns were added to the License page for Portal Admins now showing more details about the license consumption.
• The Helm Charts link in the Habor tile of the dashboard is now linked to the new PROJECTKEY-helm project in Harbor which stores OCI Repositories.
• The date picker on the Audits page is now fully localized and will use the date format of the selected locale.
• Searching the audit log for patterns now works for the whole time period selected in the date picker.
• Customers can now order retention times for the audit log which are longer than the default of 90 days.
• When a user is deleted in the DevOps Portal, it needs to be deleted in all the tools. In Jira it can happen that a user is still a reporter or assignee of an issue. The user could be also listed as component lead in a project. In these cases, the user cannot be deleted. In the past these users were just set to inactive. This is a problem concerning data privacy. Therefore these users are now anonymized.
• In Harbor users can copy a CLI secret from their User Profile page to use it with docker and helm commands. It's now enforced that this CLI secret doesn't work when a user is locked. Since all roles are removed from locked users, the situation before was seen as secure enough, but now it's even better. When a user is unlocked, he or she needs to login at least once to Harbor to make the CLI secret work again.
• Portal Admins can force activating a created user on the users page. This action failed when the invitation link, which was sent to the new user, was expired. This has been changed, so that a created user can be forced to active at any time. In general, it's recommended to use this feature only for exceptions, as it skips the verification of the email.
• The DevOps Portal database was upgraded to PostgreSQL v16.
• The Keycloak database was upgraded to PostgreSQL v16.

Bugfixes

• For some notification emails it could happen that the saved locale of the user was not used. This could lead to an English email sent to somebody who had selected German before. This is fixed now for all emails.
• In some rare cases it could happen that the Log-in button in the Re-Authenticate dialog was not clickable.
• Locking and Deletion of technical users are now correctly recorded as TECH_USER_LIFECYCLE_CHANGEs instead of TECH_USER_CHANGEs in the audit log.
• When deleting retired projects, the total and remaining count at the top was not immediately updated, just after a page refresh. This is fixed now.
• A bug introduced in the previous version did overwrite Jira schemes with the ones configured on the project details page. This is now fixed, so that custom schemes can be set in Jira only and will be kept. For notification schemes the behavior is correct, since these schemes can be changed any time in the portal. It was only a problem with the other schemes that can be only set during project creation.

Enhancements

• If a SonarQube Enterprise license is detected, DevOps Portal will automatically set-up a Portfolio in SonarQube for each project, which aggregates the scan results of all git repositories in the project. You may need to rerun the build pipelines of your repositories to get the Portfolios populated with data. The following screenshot shows the Portfolios page in SonarQube with two examples:

  You can click on any of the listed porfolios to get the full break down of included scan results for all git repositories which are part of the corresponding DevOps Portal project. See the next screenshot for an example:

  

• Since Bitbucket v9 and later allows to use HTTP Access Tokens with simple auth, it was now possible to replace the technical users in Bitbucket which were used by Jenkins to retrieve the git repositories by HTTP Access Tokens. This frees a Bitbucket license for each project which uses Bitbucket and Jenkins. See Create HTTP Access Token for project or repository access for more details.

Improvements

• Audit log messages now only list changes of global roles, but don't list unchanged roles. This gives a better overview about changes.
• The accessibility and usability of the pages for login and password change have been improved.
• The accessibility and usability of tables has been improved. This includes a switch to the most recommended sorting indicator icons.
• Stream lined status messages shown when using the Terms & Conditions management page.
• Localized some date formats in automatically sent emails.

Bugfixes

• Multiple invocations of role removals could lead to a negative member count being displayed for the affected project. It could be healed at any time by reloading the page, but now the counter will always correctly stop at 0.
• When a table is sorted on a column, it can happen that due to an action triggered by the user the sort order is violated since the value of the current row was changed. In this case, the sorting indicator is now reset. You can still at any time sort again by clicking on the column header.

Security

• When a user was locked in the Portal, it was still possible to use personal access tokens of that user in Jira, if any were created. This is now prevented by setting the user to deactivated in Jira. This was just a minor issue, since all project roles are removed from a user when it's locked. That means the tokens could only be used for user-specific API calls, not for project-specific calls. To allow the deactivation in Jira to work, project lead assignments of the user are removed. When the user is unlocked, its reactivated in Jira, therefore the tokens are working again. The drawback is, that project lead assignments cannot be restored. Project lead is a special role in a Jira project usually only relevant for notifications. It's not the same like a Project Admin role.
• When a technical user in Jenkins was deleted in the DevOps Portal, its personal access tokens in Jenkins were still working, if any were created. This has been solved now. This was just a minor issue, since all project roles are removed from a user when it's locked. That means the tokens could only be used for user-specific API calls, not for project-specific calls.

This bugfix release was only rolled out to customers of the Competitive Toolchain.

Bugfixes

• A change introduced in the last version made gitea links in the dashboard tiles "Issue Tracking" and "Source Code Managment" unclickable.

Improvements

• Previously, users without a SonarQube license could log into the tool, but did not see any data, since they were granted no roles in the tool. This has been now further improved, so that users without SonarQube assigned will just get an error message, but cannot log into the tool
• A link to the Jenkins metrics was added to the dashboard. It's only visible for users which have a Grafana license assigned.
• When roles are changed or resynced, the success messages now give more valuable information about what was done.
• On the Terms and Conditions page, the action buttons were replaced by a "More" menu, like on the other pages.

Bugfixes

• Due to some changes in the duplicate check when renaming a project, changing just some letters from lower to uppercase or from uppercase to lowercase was rejected. Works now again.
• Fixed error 500 when connecting Bitbucket git repositories with SonarQube projects in delivery pipelines.

Improvements

• Improved keyboard navigation and support for screenreaders.
• Adapted auto provisioning of SonarQube to new Rest API version.

Bugfixes

• Highlighting of rows on the Users page was not working properly for users with Portal role USER.
• Removal of global roles in tools did not work properly in all cases.
• The "Remaining" count on Users page is based on license information which is not available for Portal role USER. Therefore the calculation was not correct and has been removed.
• Small fixes fo the new multi pattern search introduced in the previous version.

New Feature

• When the tool Dependency Track has been assigned to a user, it's now possible to add him or her to the global policy admin role in Deptrack.
  
  This allows the user to create and edit policies on the Policies Management page in Deptrack as shown below in the screenshot.
  Read access to policies is granted to all users automatically on the page Policy Violation Audit. In addition, Jenkins will automatically report about policy violations in each build.

Enhancements

• When a project is created or saved, the default for deleting the source branch after merging a pull request is now automatically set to On in the Bitbucket project. On merge, users can choose to override this setting. Learn more about branch deletion on merge. Please note, that it does not make much sense to keep already merged feature or bugfix branches. The full merge history will always be visible by checking the merged pull-requests. The benefit of the merged branch deletion is, that Jenkins will automatically delete the build history of those branches to save valuable disk space. Both in Bitbucket and Jenkins, you will in addition profit from a much cleaner UI, if merged branches are no longer cluttering up some of the pages.
• On the pages Projects, Users, Technical Users, Organizations, Synchronizations and Audits it's now clearly stated in which columns you can search. In addition, it's now possible to search for multiple patterns at once, by using commas or semicolons to separate them. Example: on the users page, you can search for multiple users with a string like "jane.doe@example.com;john.doe@example.com". This can help to quickly assign roles to multiple users with fewer clicks.
• Confluence auto-provisioning was changed from XML RPC to Rest API. The unnecessary Confluence "account created" email will no longer be sent to new users.

Improvements

• Accessibility has been improved by implementing keyboard access for several login pages served by Keycloak. On other pages, the labelling was optimized for screen readers and the locale menu on the top right is now also accessible by the keyboard.
• When hovering with the mouse over a table, the current row is now marked more prominently for easier reading.
• For customers using an own IdP, it's now possible to define a default set of tools which are assigned to users, which are automatically created when they log in for the first time.
• The default retention time of 90 days for audit log events can be changed for customers with special needs.

Bugfixes

• Empty descriptions for projects cannot be used in Dependency Track, therefore the string "-" is used instead if the description is set to empty in the Portal.

Enhancements

• You can now edit users in the DevOps Portal and add them to the sonar-quality-admins group by checking "Administer Quality Gates and Quality Profiles" in the SonarQube fieldset. Press Save when done.

  

Improvements

• In addition to the existing projects in Harbor, a new set of projects with the suffix "-helm" has been added to support the upcoming migration from Chart Museum to OCI Charts. Currently, Container images and Helm charts are located in the same project. In the future, it will be necessary to store Helm charts in a separate project, since Rancher doesn't support having container images in an OCI Chart project. For the moment, the *-helm projects are write-protected. This will be changed when the migration plan has been published.
• Users which are authenticated using an external identity provider are now marked with the label IDP in their status.
• A webhook is now automatically added to Harbor which notifies Jenkins about finished Trivy security scans. This was necessary to support the new feature in Jenkins Shared Library v3.7.0.
• The user selection on the project page can now be controlled using keystrokes.
• When hovering with the mouse over a table, the current row is marked for easier reading. Will be changed in the next version to stand out even more.
• Pop-up messages are now shown for 10 seconds, not just for 3.
• Updated Spring Boot.

Bugfixes

• Some rare special characters in project names could show error 400. This has been fixed.

Enhancements

• For more governance concerning usage of tools, customers can now opt in for some restrictions concerning editing and viewing tools in projects. When the first feature toggle is enabled, only Portal Admins can add tools to projects, but Project Admins cannot. In addition, another feature toggle is available, which defines if unassigned tools for users or projects can be viewed on the respective detail pages. Users, who have edit rights, will always see all available tools independently of this switch.
• Customers can opt in to define a default project for which new users will automatically receive a VIEWER role. While this can be used to offer internal documentation at a central place, it has the disadvantage that it weakens the data privacy implemented by organizations. If users have a role in the same project, they can see each other in the DevOps Portal, even when they are in different organizations.

Improvements

• Grafana is now a default tool. This means, it is preselected as a tool when new projects or users are created.

Bugfixes

• Some pixels were cut from the icons in the main menu on the left-hand side.
• Minor text fixes in notification mails.
• An issue happening just for some customers was fixed, which could redirect back to the users page when typing something on another page.

Enhancements

• Implemented Just-in-Time (JiT) provisioning for users authenticated by external identity providers (IdPs).
• It's now possible to manage Rancher Tech Users in the Portal. Assigning a Rancher Tech User to a project will only make it visible to the project members. It will not get automatically access to any cluster resources in Rancher. For this, you have to manually assign cluster roles to the "local" copy of the Tech User in Rancher. Login with the Technical User Name (without any '@domain' suffix). The page Creation of API Tokens for Technical Users shows the next steps which are necessary before you can use your Rancher Tech User for API calls into Rancher.

Improvements

• Reduced number of external dependencies in own code.
• Improved German translations of notification emails.

Bugfixes

• Fixed visibility for Dependency Track projects, so that it works for all versions of an analyzed project.