Changelog

Versioning schema

To get new features to you as quickly as possible, we version the web UI and the core infrastructure separately. If you track versions in your QMS, note that versions are shown with the web UI version first, followed by the core infrastructure version, e.g., v3.2.0 | 2.71.1.

v3.6.17 | 2.75.2

May 13, 2024

Summary

  • Auto-update vulnerability temporal metrics across product version

  • Enhanced dependency component matching for fewer unmatched components

  • PURL and CPE IDs now considered in SBOM entry uniqueness

  • Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

  • Performance improvements on SBOM page loading

  • Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

  • New sign in page

  • Bug fixes and UX improvements

Auto-update vulnerability temporal metrics across product version

Let us take some of the load of managing vulnerabilities off of you! When you create or modify a rescoring profile for a product version, you can set all CVSS v3 vulnerabilities for that version to rescore automatically whenever their temporal score metrics change in the NVD. This keeps temporal scores current without you monitoring and updating them by hand, reduces the risk of missing a critical update, and lets you focus on the vulnerabilities that matter most.

Auto-update vulnerability temporal scores

You can also set individual vulnerabilities to automatically update their temporal scores based on NVD data refreshes. This timesaving feature ensures your vulnerability information stays current with minimal manual effort.
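As an added illustration (not Helm's code), the CVSS v3.1 temporal formula that such an NVD refresh re-applies: the base score is kept and multiplied by the Exploit Code Maturity, Remediation Level and Report Confidence factors from the specification. The base score and vector strings below are constructed.

```python
# CVSS v3.1 temporal multipliers (values from the CVSS v3.1 specification);
# "X" (not defined) leaves the base score unchanged.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, computed on
    integers (as the spec recommends) to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (int_input // 10000 + 1) / 10.0


def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/.../E:P/RL:O/RC:C' into a {metric: value} dict."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported")
    return dict(part.split(":", 1) for part in parts[1:])


def temporal_score(base_score, vector):
    """Temporal = Roundup(Base x E x RL x RC). The base score is taken as given
    (e.g. from the NVD record) rather than recomputed from the base metrics."""
    metrics = parse_vector(vector)
    e = EXPLOIT_CODE_MATURITY[metrics.get("E", "X")]
    rl = REMEDIATION_LEVEL[metrics.get("RL", "X")]
    rc = REPORT_CONFIDENCE[metrics.get("RC", "X")]
    return roundup(base_score * e * rl * rc)


def refresh_delta(base_score, old_vector, new_vector):
    """What a refresh of the temporal metrics does to the score:
    returns (old_temporal, new_temporal, changed)."""
    old = temporal_score(base_score, old_vector)
    new = temporal_score(base_score, new_vector)
    return old, new, old != new


if __name__ == "__main__":
    base = 9.8  # constructed base score
    before = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"  # no temporal metrics yet
    after = before + "/E:P/RL:O/RC:C"  # PoC exploit, official fix, confirmed
    print(refresh_delta(base, before, after))  # (9.8, 8.8, True)
```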

Enhanced dependency component matching for fewer unmatched components

We've improved our dependency component matching algorithm to better handle scenarios where a vendor of an unknown dependency component doesn't directly match known software. We will now automatically match unknown dependency components that have CPE and PURL matches, but have an incorrect supplier. Previously, these dependency components were initially marked with a Not found in NVD status, but could actually be resolved to the correct component via our match suggestions. Helm now identifies the corresponding known software, which will either be uniquely identified or will have a Multiple matches status (if there are still multiple possibilities). Our enhanced matching process should result in fewer unmatched components, thus ensuring more accurate and efficient component resolution.

Enhanced determination of dependency component uniqueness

We have added CPE and PURL IDs when determining if an SBOM dependency component is unique or is a duplicate.

Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

In response to feedback, we've added the CycloneDX bom-ref parameter to all dependency components in your SBOM export, enabling you to point each vulnerability back to a dependency component, regardless of whether it is matched to known software. Previously, the bom-ref was only populated for matched dependency components. For any unknown (unmatched or not uniquely matched) software, the bom-ref is the unique ID that was generated for that SBOM dependency component when it was added to Helm. This will now be in your SBOM or VDR report.

Performance improvements on SBOM page loading

We've made a number of coding and query improvements to load SBOMs more quickly, which may also improve load time for your vulnerabilities.

Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

If you've rescored your vulnerabilities either across a product version or individually, your CycloneDX VEX and VDR reports will now include vulnerability rescore information. This will now align with the Vulnerabilities report. You will now see a ratings section in your JSON file that will include a rating for any rescore on that vulnerability. For vulnerabilities rescored both at the product version level and individually, all associated scores will be included. While CVSS v2 scores remain static, they are also included in the ratings section to provide a comprehensive view. The source for all score data is set to Medcrypt Helm.
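An added example, not Helm's code, for the three CycloneDX points above (CPE/PURL IDs in component uniqueness, a bom-ref on every component, and the ratings section): it reads a constructed CycloneDX 1.5 VDR fragment, flags entries that collapse to the same name/version/purl/cpe key, checks that every vulnerability's affects[].ref resolves to a component bom-ref, and summarises the ratings per CVSS method. The component names, refs and CVE IDs are constructed placeholders.

```python
import json

# Constructed CycloneDX 1.5 VDR fragment (not Helm output); CVE ids are placeholders.
# Two lodash entries share a purl (true duplicate); two "requests" entries share
# name/version but differ in purl (distinct); one unmatched component carries a
# generated bom-ref; one vulnerability points at a ref that does not exist.
SAMPLE_VDR = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"bom-ref": "pkg:npm/lodash@4.17.20#2", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"bom-ref": "pkg:npm/requests@2.31.0", "name": "requests", "version": "2.31.0",
     "purl": "pkg:npm/requests@2.31.0"},
    {"bom-ref": "helm-generated-0001", "name": "vendorlib", "version": "2.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
     "ratings": [
       {"source": {"name": "Medcrypt Helm"}, "score": 9.8, "method": "CVSSv31"},
       {"source": {"name": "Medcrypt Helm"}, "score": 6.4, "method": "CVSSv31"},
       {"source": {"name": "Medcrypt Helm"}, "score": 7.5, "method": "CVSSv2"}]},
    {"id": "CVE-0000-0002",
     "affects": [{"ref": "helm-generated-0001"}, {"ref": "no-such-ref"}],
     "ratings": [{"source": {"name": "Medcrypt Helm"}, "score": 5.3, "method": "CVSSv31"}]}
  ]
}
""")


def component_key(comp):
    """Uniqueness key: name and version plus the PURL and CPE ids, so entries that
    share a name/version but carry different ids are treated as distinct."""
    return (comp.get("name"), comp.get("version"), comp.get("purl"), comp.get("cpe"))


def find_duplicates(bom):
    """Pairs of bom-refs whose components collapse to the same uniqueness key."""
    seen, dupes = {}, []
    for comp in bom.get("components", []):
        key = component_key(comp)
        if key in seen:
            dupes.append((seen[key], comp["bom-ref"]))
        else:
            seen[key] = comp["bom-ref"]
    return dupes


def unresolved_refs(bom):
    """(vulnerability id, ref) pairs where affects[].ref matches no component
    bom-ref, i.e. the vulnerability cannot be traced back to a dependency."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    missing = []
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                missing.append((vuln["id"], target.get("ref")))
    return missing


def score_summary(vuln):
    """Per CVSS method, the (lowest, highest) score across all ratings: when a
    rescore is present the v3 range shows the original and rescored values."""
    summary = {}
    for rating in vuln.get("ratings", []):
        method, score = rating.get("method"), rating.get("score")
        low, high = summary.get(method, (score, score))
        summary[method] = (min(low, score), max(high, score))
    return summary


if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_VDR))
    print("unresolved:", unresolved_refs(SAMPLE_VDR))
    for vuln in SAMPLE_VDR["vulnerabilities"]:
        print(vuln["id"], score_summary(vuln))
```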

New sign in page

We've replaced our initial sign in page with a new look-and-feel. After clicking Sign in, you'll be prompted to enter your username and password on our authentication page.

v3.6.10 | 2.74.2

April 30, 2024

Summary

  • Rename products and versions

  • Enhanced granularity for CVSS score filtering

  • UX improvements

Rename products and versions

In response to customer feedback, we've added the ability for you to rename products and versions right from the product and version drop-downs on each page of Helm. Simply hover over the product or version in the respective drop-down to display the edit icon, then edit the product name or version.

Enhanced granularity for CVSS score filtering

We've improved the CVSS score filtering functionality to support floating-point values, allowing you to pinpoint vulnerabilities with greater precision. Now you can filter vulnerabilities using specific scores like 7.9, which will return everything from 7.9 to 10. This will enable you to precisely target and remediate vulnerabilities that fall within a more granular threshold.

UX improvements

  • Enhanced API key generation from the UI

  • Improved loading performance

v3.6.8 | 2.73.0

April 11, 2024

Summary

  • Enhanced support for large SBOMs

  • CycloneDX 1.5 support

  • Daily and monthly digests for new vulnerabilities

  • Bug fixes, UX and doc improvements

Enhanced support for large SBOMs

Our platform now lets you upload SBOMs of up to 50MB in size. This significant enhancement enables organizations with larger software inventories to efficiently manage and analyze their software bill of materials within our platform.

CycloneDX 1.5 support

You can now upload your CycloneDX 1.5 SBOM to Helm. Any information in your file that is not currently supported in Helm will still be retained if you want to export either your original or enhanced SBOM.

Daily and monthly digests for new vulnerabilities

In response to customer feedback on our new weekly email digests that keep you informed of the latest new vulnerabilities impacting your products, we've expanded this offering to include daily and monthly digests. You can choose one or more email frequencies based on your needs, and can manage your email preferences in your user profile.

Bug fixes, UX, and doc improvements

  • Fixed an issue where a loading status was displayed on the Vulnerabilities table after sorting columns. The Vulnerabilities Detected/Updated field now sorts only by date detected and not by date updated.

  • Resolved caching issue where some dependency components would not display when the SBOM page was filtered.

  • Adjusted permissions to allow non-admin users with SBOM and Vulnerability modification access to create rescore profiles for product versions.

  • Numerous UI improvements

v3.3.0 | 2.71.1

March 22, 2024

Summary

  • Processing modals

  • Bug fixes and UI improvements

  • New & updated docs

Processing modals

For larger SBOMs that can take longer to load, we've added a processing modal so you'll know when your upload is completed and whether it was successful. Similarly, we've added a processing modal for other operations that could take longer, including when you're rescoring a lot of vulnerabilities across an entire product version or if you've just added a dependency component manually and we're attempting to automatically match it to known software in the NVD or package manager.

Bug fixes and UI improvements

We've improved performance when filtering your SBOM. We also fixed a bug where filters were not persisting if you copied a Helm URL that included a match status to another tab, or if you navigated from a filtered item from the global search results (Discover) page.

We've added and enhanced "empty state" pages to help you get started quickly, improved visibility of system status, enhanced our RBAC permissions, and made other UI improvements.

New & updated help docs

Since we're continually adding and enhancing great new features, we want to make sure you can take advantage of all the new functionality, so we'll let you know any important doc updates in this section.

Enhanced docs:

v3.2.0 | 2.71.1

March 14, 2024

Summary

  • Added VDR (Vulnerability Disclosure Report) report

  • Email notifications for new vulnerabilities

  • Support for CycloneDX XML SBOMs

  • Enhanced API documentation

  • Bug fixes and other improvements

VDR reports

As part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we've added VDR (Vulnerability Disclosure Reports) to our suite of reports. Offering comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats.

Stay on top of new vulnerabilities

Never miss a beat with our new vulnerability email notification system. Stay ahead of the curve by receiving timely alerts for any new vulnerabilities impacting your software supply chain. Manage your preferences effortlessly through your user avatar > My profile in the top navigation area of Helm.

Support for CycloneDX XML SBOMs

You can now upload your CycloneDX SBOM in XML format for improved compatibility and versatility.

Enhanced API documentation

Automate your calls to our Helm application using our robust API. You can upload an SBOM for a new or existing product and version, get a list of all unmatched entries, and a list of all vulnerabilities.

Bug fixes and other improvements

We've made numerous enhancements to improve the UI and SBOM loading performance.

We'd love to hear your feedback!

Thank you for your continued support and feedback as we strive to deliver top-notch solutions to meet your evolving cybersecurity needs! Let us know if you have suggestions on how to improve your experience!


v3.0.1 | 2.70.0

February 15, 2024

Summary

  • VEX reports

  • Improved vulnerability query performance

VEX reports

Introducing VEX (Vulnerability Exploitability eXchange) reports – the latest addition to your cybersecurity arsenal! These reports focus on vulnerability exploitability, ease of exploitation, and potential impact. Now, effortlessly communicate vulnerabilities with a VEX remediation status, empowering your customers to focus on fixing the vulnerabilities that matter most.

Stay tuned! As a part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will be adding VDR (Vulnerability Disclosure Reports) to our suite of reports soon. Offering detailed insights into identified vulnerabilities, VDR reports equip you with comprehensive understanding and proactive mitigation strategies, ensuring robust security posture against emerging threats.


v2.68.0 | 2.69.1

January 29, 2024

Summary

  • FDA-ready reports

  • Export SPDX SBOM

  • New About modal

FDA-ready reports

Get the Medcrypt advantage with the only FDA expert-crafted SBOM that ensures you meet FDA SBOM requirements! In addition, you'll now get a suite of reports to make meeting FDA cybersecurity requirements a breeze, including your enhanced SBOM in CycloneDX or CSV format, as well as your vulnerabilities in CSV format.

In our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will also be adding VDR (Vulnerability Disclosure Reports) and VEX (Vulnerability Exploitability eXchange) reports to our suite of reports soon. VDR reports provide detailed insights into identified vulnerabilities, providing a comprehensive understanding of vulnerability details, impact, and mitigation strategies to proactively respond to potential security threats. VEX reports focus on the exploitability of vulnerabilities, how easily they can be exploited, and their potential impact.

Export SPDX SBOM

You can now export your original or enhanced SPDX SBOM in JSON. For an enhanced SBOM, you can also include PURL and CPE info for any matches, as well as include all associated vulnerabilities.

New About modal

You may have noticed that the bottom bar where your Helm version displays has been removed. Don’t worry, you can still get to your version from the sidebar > Help > About. This will launch an About modal, where you can see your current Helm version.


v2.66.1 | 2.66.1

January 4, 2024

Summary

  • Added ability to remediate vulnerabilities

  • Bug fixes, UI, and performance improvements

Remediate vulnerabilities

You can now remediate vulnerabilities to add granular status information, including tracking remediation changes and providing evidence for why changes were made. For each vulnerability, you can now set a CycloneDX 1.4 status and/or a CycloneDX 1.4 VEX status. We're adding a more robust audit trail, and you can see the next step toward this in the Vulnerability details modal. You can see any interim statuses and notes you provided manually, as well as automatic tracking of any new remediation changes. If you set any interim statuses, the last one you set will now be reflected in that vulnerability's VEX status.

Bug fixes and other improvements

  • Fixed issue where a rescore profile would fail when rescoring large numbers of vulnerabilities

  • Several UI and experience improvements


v2.65.2 | 2.65.13

December 7, 2023

Summary

  • Rescore all vulnerabilities in a product version via rescore profiles

  • Rescore individual vulnerabilities

  • Support for SPDX SBOMs

  • Enhanced SBOM export now includes CPE and PURL data

  • New exploits and threats info, including EPSS and CISA KEV

  • Bug fixes and other improvements

Rescore all vulnerabilities in a product version via rescore profiles

You can create and apply rescore profiles to a product version based on your product's particular environment and usage, ensuring you're focusing on the most exploitable and impactful vulnerabilities. Any newly detected vulnerabilities for that product version will be automatically rescored with that profile.

Rescore individual vulnerabilities

You can now rescore the CVSS v3 score of any individual vulnerability associated with a particular product version so that it reflects your product's particular environment and usage. This will override any rescore profile already applied to the associated product version.

Support for SPDX SBOM format

You can now upload SPDX SBOM files, including those generated using Yocto on Linux. You can take all of your generated SPDX files, zip them using WinZip or gzip, then upload that zipped file to Helm. We'll do the rest!

Enhanced SBOM export now includes CPE and PURL data

When you upload your SBOM, we'll attempt to find exact matches in the NVD, as well as in supported package managers. If we find an exact CPE or PURL match in a package manager or if you manually specify the CPE and/or PURL for a dependency component, you'll now be able to export an enhanced SBOM that includes CPE and PURL data.

Focus on the most exploitable vulnerabilities

You can now benefit from robust exploit and threat information from a variety of sources, including CISA KEV, ExploitDB, Metasploit, and Top 25 CWEs. You can also ensure that you're focusing on the most impactful and exploitable vulnerabilities via EPSS scores.

Bug fixes and other improvements

  • Improved performance when loading SBOM and vulnerability information

  • Improved onboarding to get you started or unstuck quickly. We now provide in-page guidance to help you upload an SBOM, view dependency components for a particular product version, or expand your search criteria when there are no results. You'll see these in our SBOM, Vulnerabilities and Discover (Global search) pages.

  • Numerous user interface improvements


v2.62.6 | 2.62.6

November 2, 2023

Summary

  • Windows KB patch support

  • In-app status notifications

  • Performance and user experience improvements

Native support for Microsoft Windows KBs

Although a lot of medical devices run on Microsoft Windows operating systems, the NVD does not account for vulnerabilities having been patched by Windows KBs, making it very difficult to understand what vulnerabilities might still be impacting your device. You can now add KBs to your devices running a Windows OS, aligning your digital product version with your physical test device and thus ensuring that you have an accurate list of vulnerabilities that impact your Windows device.

In-app status notifications

You’ll now see in-app status notifications in the top-right corner to let you know that an action has been completed, such as uploading an SBOM or applying KBs to a product version.

Performance improvements and bug fixes

We’ve made significant performance improvements, as well as several enhancements to improve your user experience.

Let us know how we’re doing!

We welcome your feedback on these new features, and would love to hear about other feature suggestions that would further enhance your experience.

Get a V&V report

If you would like a V&V report for your QMS, contact support.


v2.60.1

October 2023

Summary

  • Allowing SBOMs that pass NTIA minimum requirements

  • Performance improvements and bug fixes

Allowing SBOMs that pass NTIA minimum requirements

We improved our handling of SBOMs that pass the NTIA minimum requirements. If the SBOM you are uploading is not a valid CycloneDX SBOM, Helm will still accept it and process it for vulnerabilities.

Performance improvements and bug fixes

This release has improvements to performance and a few bug fixes on the dashboard page.


v2.59.2

November 2023

Summary

  • Performance improvements and bug fixes

  • Online help documentation added

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Online help documentation added

We’ve added a lot of great information to ensure you can get started, get your SBOM dependency components matched quickly, and begin (or continue) to assess and mitigate your vulnerability risk across your software supply chain. Check it out on helm.docs.medcrypt.com!


v2.57.3

November 2023

Summary

  • New Get started modal

  • Export SBOM with vulnerabilities

  • Combined Upload SBOM modal

  • Improved feedback when SBOM fails to upload

  • Other usability improvements and bug fixes

New Get started modal

If you haven’t uploaded any SBOM yet or created one manually, you will see a new Get started modal pop up when you sign in to Helm. You’ll have four different options:

  • You need help with your FDA submission: You can request help from our expert Services team and leverage our best practices, templates, and checklists in improving your FDA submission.

  • You have an SBOM in CycloneDX format: You can upload your SBOM file all in one step.

  • You have an SBOM in another format: You can contact us and we’ll get right back to you to get you moving.

  • You don’t know what an SBOM is or don’t have one yet: We’re here to help. Our expert Services team will help you create your SBOM, assess your current state, and help you identify and mitigate cybersecurity risks.

Export your SBOM with vulnerabilities

You can now choose to export your original SBOM or your enhanced SBOM with identified vulnerabilities. This will include the source name (currently always the NVD), a link to the vulnerability, both its v2 and v3 CVSS scores and vector strings, when the vulnerability was first detected, when it was updated, and more. Refer to Export your SBOM for more information.

Combined Upload SBOM modal

We’ve simplified your upload experience. If you’re uploading your first SBOM, you’ll see an Add SBOM drop-down button, from which you can select Upload SBOM. You can now browse to your SBOM file and specify your product name and product version in one step. Once you’ve uploaded at least one SBOM, this drop-down button changes to Manage SBOMs. In that case, you’ll be able to either select an existing product name and version, or create a new product name/version pair.

Improved feedback when an SBOM file fails to upload

If you upload an SBOM file, you can hover over the FAIL status to get more information on why the file failed to upload, including scenarios such as: missing required fields, additional fields present that are not defined in the JSON schema when the schema does not allow additional properties, and field values not matching expected data types.


v2.56.6

October 2023

Summary

  • Added match status tokens and enhanced status indicators

  • Added CPE and PURL package manager support

  • Enhanced details for dependency components

  • Enhanced filters for SBOMs

  • In-product help added

Added NVD and NOT IN NVD tokens and enhanced status indicators

In response to customer feedback on the importance of knowing whether a dependency component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve changed the NVD status column to Match status, and improved the status labels. You’ll now see:

  • Green checkmark next to Matched status when you have an exact match. You’ll also see the respective tokens that we used to make that match or that a user matched via selecting a match suggestion or creating an alias.

  • Yellow indicator next to Multiple matches status when you have multiple strong matches. You’ll be able to see the sources that the match suggestions are coming from, and will need to resolve this by selecting one of our suggestions or creating your own alias.

  • Red error indicator next to Not found status and NOT IN NVD token when we weren’t able to find a match in the NVD. This could mean that there are no known vulnerabilities or that your software has a different name in the NVD, so you’ll need to resolve these to make sure that you understand whether it is a risk or not.

Added CPE and PURL package manager support

Our valued customers asked for this and we delivered! We now support CPE and PURL (Package URL) matching. We support the following PURL package managers: Cargo, NPM, NuGet, and PyPI. If you upload an SBOM, you'll automatically find any matches in these package managers. You'll see a token, such as NPM, next to each dependency component that matches a package manager. See Match sources for more information.

Note: This is not retroactive, so in order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM.

Enhanced details for dependency components

We’ve added a lot of information to your dependency component details, so that you can tell exactly how it was matched and see the last review note any of your team members added. You can hover over any token

Enhanced filters for SBOMs

You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.

In-product help added

We’ve added help icons to many columns and fields throughout the UI to get you started and unstuck. If you need more clarification on the help or if you have a question on something that doesn’t currently have help, let us know so that we can get it clarified or added.

Let us know if you see other areas we could improve!

If you run into issues or would like to request new features or feature enhancements, we'd love to hear from you! Thank you so much for taking the time to help us improve your experience!

Interested in providing feedback on upcoming features?

We are working on adding some great new functionality, including:

  • Windows KB patching,

  • a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,

  • the ability to copy/paste from a CSV or other file to create an SBOM,

  • more human-readable information,

  • complete CycloneDX ingestion and export,

  • SPDX support,

  • and other cool new things.

We'd love to get your feedback on these to make sure what we're creating will improve your management and mitigation of your software supply chain risk. It will also give you a great opportunity to let us know features and feature enhancements you'd like us to consider adding! Note that this link will create a support ticket that will let us know you're interested, then we'll contact you directly to set up some time to do some feature walkthroughs. Thank you so much for your insights and expertise!


v2.55.5

September 2023

Summary

  • Enhanced global search

  • Changed date first detected time

  • Added date dashboard was last updated

  • Removed character restrictions on input fields

  • Added SSO support for PingID

Enhanced global search

Global search is now expanded to include searching across all your product SBOMs for a particular dependency component. You can still search for a specific CVE via its CVE ID, and now you also get a summary of the vulnerability as well as a list of any products that might be potentially impacted.

Changes to first detected time

The first detected date in Helm on the Vulnerabilities page now reflects the date when Helm detected the vulnerability for your dependency component.

Last update timestamp

On the Metrics dashboard you can now see when the dashboard was last updated.

Character restrictions in input fields

Helm had strict character restrictions in input fields that have now been removed.

SSO support for PingID

Helm supports SSO for organizations on the enterprise plan. We now have a working integration with PingID.


v2.54.7

September 2023

Summary

  • Enhanced look-and-feel with new page layouts

  • Performance improvements and bug fixes

New page layouts

Both the Products page and the Vulnerabilities page now have a new look and feel as well as some new functionality for vulnerability filters.

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

© Copyright MedCrypt 2023, All rights reserved.