Additional vulnerability data added to our web app
Packages added to Cloudsmith are scanned for vulnerabilities and malware, and passed through our policy engine. When we identify vulnerable packages, we produce and collate a range of descriptive data to help explain those vulnerabilities. Previously, that data was only available in our legacy web app, and more recently via our API. We've now brought more of this descriptive vulnerability data into the new web app.
Expanding vulnerability information in the new web app
When you see a vulnerability listed, you can expand the row to show descriptive information. You'll also see links out to sources of information; such as NVD. We've also made minor improvements to vulnerability listings; these are now sorted by severity.
The official Cloudsmith extension for Visual Studio Code is here. It brings your package visibility workflow directly into the IDE, allowing you to browse and inspect repositories and packages without switching context…
Client log exports now provide a more comprehensive overview of package delivery. In addition to GET requests, client log exports will include other HTTP request types, including HEAD, POST, and OPTIONS requests. This gives you a full view of package delivery, moving beyond just download tracking to include metadata checks and other repository interactions…
You can now use package license data in Enterprise Policy Management (EPM) to create policies based on a package’s software license. This lets you automatically govern license usage in line with your organization’s policies, giving you direct control over which packages are approved for use in your software supply chain…
Client logs and usage reporting improvements are now generally available in the new web application. These updates give you deeper visibility into package downloads, delivery trends and the repositories or tokens driving your usage…
You can now view architecture and distribution tags in the Packages table in the new web application. This makes it easier to tell apart packages with the same name but different architectures or distributions, and to quickly find the right one…
If you use Renovate to manage dependencies, you can now include packages from your Cloudsmith repositories in the same automated workflows. That means Renovate can track and update internal packages, as well as any open source dependencies pulled through upstream registries…