RhodeCode 4.8.0 Release: Audit Logs and improved code review rules

Published on July 18, 2017, by Marcin Kuzminski


Our latest release, RhodeCode 4.8, is out. In this release we focused on improving code review rules, and we made them Common Criteria compatible.
Additionally, we introduced new advanced audit log functionality to track the most important actions.
Finally, we added a number of security fixes and improvements after an extensive security audit through our HackerOne program.

The highlights of this release are:

  • Common Criteria Compatible code-review workflow.
  • Audit Logs action tracking.
  • Mercurial: enabled evolve extension.
  • Integrations: exposed permalinks in event data and repository extra fields variables.
  • SVN: increased the compatibility option to allow pre-1.9 versions.
  • Fixed a few security issues found during the audit.

Take a few minutes to update your RhodeCode instance:
rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.8 Series from our website.
Keep reading for full release details.

Common Criteria compatible Code Review

Common Criteria is a computer security certification, also often referred to by its EAL (Evaluation Assurance Level) ratings.
Over the last months we have partnered with one of the largest security companies in the world and ensured that our code-review
process meets the strict requirements of CC.

As previously announced, our default reviewers functionality allows you to specify rules for who should review the code. You can add reviewers for certain file patterns, e.g. *.sql would add someone from the Database team.
We have now extended this system so that you can define mandatory reviewers or forbid adding new reviewers after a PR has been submitted.
In addition, new options were added to forbid the author of the code review, or the authors of its commits, from being in the reviewer pool. This blocks people from reviewing their own code.
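To make the rules concrete, here is an added model of such a review policy: pattern-based default reviewers, a mandatory flag per rule, exclusion of the PR author and commit authors from the pool, and a lock that ignores approvals from reviewers who were not in the default set. This is illustration code written for this post, not RhodeCode's own implementation; the rule fields, usernames and action names are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewerRule:
    """One default-reviewer rule (constructed model, not RhodeCode's schema)."""
    pattern: str              # fnmatch-style pattern, e.g. "*.sql"
    reviewers: frozenset      # usernames added when the pattern matches a changed file
    mandatory: bool = False   # the PR cannot merge without an approval from this group


@dataclass
class ReviewPolicy:
    rules: list
    forbid_pr_author: bool = True       # the PR author may never review the PR
    forbid_commit_authors: bool = True  # authors of the PR's commits may never review it
    lock_reviewers: bool = True         # approvals from non-default reviewers do not count


def excluded_reviewers(policy, pr_author, commit_authors):
    """Users kept out of the reviewer pool: no one reviews their own code."""
    excluded = set()
    if policy.forbid_pr_author:
        excluded.add(pr_author)
    if policy.forbid_commit_authors:
        excluded.update(commit_authors)
    return excluded


def compute_reviewers(policy, changed_files, pr_author, commit_authors):
    """Return (reviewer_pool, mandatory_groups) where each mandatory group is
    (pattern, eligible_reviewers) after self-review exclusions are applied."""
    excluded = excluded_reviewers(policy, pr_author, commit_authors)
    pool, mandatory_groups = set(), []
    for rule in policy.rules:
        if any(fnmatch.fnmatch(path, rule.pattern) for path in changed_files):
            eligible = rule.reviewers - excluded
            pool |= eligible
            if rule.mandatory:
                mandatory_groups.append((rule.pattern, eligible))
    return pool, mandatory_groups


def can_merge(policy, changed_files, pr_author, commit_authors, approvals):
    """Evaluate a set of approving usernames against the policy.
    Returns (ok, reasons); reasons lists every violated constraint."""
    approvals = set(approvals)
    excluded = excluded_reviewers(policy, pr_author, commit_authors)
    pool, mandatory_groups = compute_reviewers(policy, changed_files, pr_author, commit_authors)
    reasons = []
    self_review = approvals & excluded
    if self_review:
        reasons.append("self-review by %s" % sorted(self_review))
    stray = approvals - pool - excluded
    if policy.lock_reviewers and stray:
        reasons.append("approval from non-default reviewer %s" % sorted(stray))
    for pattern, group in mandatory_groups:
        if not group:
            # Edge case: every mandatory reviewer is also an author; flag it
            # rather than silently waiving the rule.
            reasons.append("mandatory rule %s has no eligible reviewer" % pattern)
        elif not group & approvals:
            reasons.append("no approval from mandatory group %s" % sorted(group))
    return (not reasons), reasons


# Constructed sample policy: DBAs must sign off on SQL, developers cover everything.
SAMPLE_POLICY = ReviewPolicy(rules=[
    ReviewerRule("*.sql", frozenset({"dba_anna", "dba_bob"}), mandatory=True),
    ReviewerRule("*", frozenset({"dev_carol", "dev_dan"})),
])
SAMPLE_FILES = ["migrations/001.sql", "app/views.py"]


def demo(approvals):
    """PR opened by dev_dan, whose commits it contains; dev_dan is excluded."""
    return can_merge(SAMPLE_POLICY, SAMPLE_FILES, "dev_dan", {"dev_dan"}, approvals)


if __name__ == "__main__":
    for who in (["dev_carol"], ["dev_carol", "dba_anna"], ["dev_dan", "dba_anna"]):
        print(who, demo(who))
```

The pool for the sample PR is dba_anna, dba_bob and dev_carol; dev_dan is dropped from the "*" rule because he is both the PR author and a commit author, so an approval from him is rejected as self-review even if he was added to the PR by hand.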

Common Criteria Code Review

Audit Logs

Enhancing the security of source code, often the most important intellectual property of your organization, has always been one of our priorities.
To increase the security features of RhodeCode even further, we introduced new functionality called audit logs.
Audit logs track the most important actions happening on the RhodeCode server.
Admins can track events such as deletion of resources, permission changes, user group changes, or failed and successful login attempts. Each event records the acting user together with their IP address and user agent.

In addition, advanced filters allow admins to search for particular IPs or event types. The logs are also exportable via the API, so they can be examined in external tools.
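As an added example of what "examination in external tools" can look like, the script below parses a constructed audit log export and runs two defender-side checks over it: a burst of failed logins from one IP across several usernames within a short window, and sensitive admin actions (resource deletion, permission changes) performed from an IP the acting user has never successfully logged in from. The JSON field names and the dotted action names are assumptions for this example, not RhodeCode's actual export schema, and the entries are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines). Field names and action names are
# assumptions for this example; RhodeCode's real export format may differ.
SAMPLE_EXPORT = """\
{"time": "2017-07-18T09:00:01", "user": "alice", "action": "user.login.success", "ip": "10.0.0.5", "user_agent": "Mozilla/5.0"}
{"time": "2017-07-18T09:01:10", "user": "bob", "action": "user.login.failure", "ip": "203.0.113.7", "user_agent": "python-requests/2.18"}
{"time": "2017-07-18T09:01:12", "user": "bob", "action": "user.login.failure", "ip": "203.0.113.7", "user_agent": "python-requests/2.18"}
{"time": "2017-07-18T09:01:15", "user": "carol", "action": "user.login.failure", "ip": "203.0.113.7", "user_agent": "python-requests/2.18"}
{"time": "2017-07-18T09:01:19", "user": "dave", "action": "user.login.failure", "ip": "203.0.113.7", "user_agent": "python-requests/2.18"}
{"time": "2017-07-18T09:01:22", "user": "erin", "action": "user.login.failure", "ip": "203.0.113.7", "user_agent": "python-requests/2.18"}
{"time": "2017-07-18T09:30:00", "user": "alice", "action": "repo.delete", "ip": "10.0.0.5", "user_agent": "Mozilla/5.0"}
{"time": "2017-07-18T10:15:00", "user": "alice", "action": "user_group.edit.permissions", "ip": "198.51.100.9", "user_agent": "Mozilla/5.0"}
{"time": "2017-07-18T10:15:30", "user": "frank", "action": "user.login.failure", "ip": "10.0.0.8", "user_agent": "Mozilla/5.0"}
"""


def parse_export(text):
    """Parse one JSON object per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def filter_events(events, ip=None, action_prefix=None):
    """The 'filter by IP or event type' view, over the parsed export."""
    return [e for e in events
            if (ip is None or e["ip"] == ip)
            and (action_prefix is None or e["action"].startswith(action_prefix))]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted distinct usernames} for every IP that produced at
    least `threshold` login failures inside any sliding `window`."""
    by_ip = defaultdict(list)
    failures = filter_events(events, action_prefix="user.login.failure")
    for event in sorted(failures, key=lambda e: e["time"]):
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e["user"] for e in evs[start:end + 1]})
                break
    return flagged


SENSITIVE_PREFIXES = ("repo.delete", "user_group.", "user.edit.permissions")


def sensitive_actions_from_unknown_ips(events, prefixes=SENSITIVE_PREFIXES):
    """Flag sensitive actions whose source IP never appeared in a successful
    login by the same user anywhere in the export."""
    known_ips = defaultdict(set)
    for event in events:
        if event["action"] == "user.login.success":
            known_ips[event["user"]].add(event["ip"])
    return [e for e in events
            if e["action"].startswith(prefixes)      # str.startswith accepts a tuple
            and e["ip"] not in known_ips[e["user"]]]


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("login bursts:", failed_login_bursts(parsed))
    for e in sensitive_actions_from_unknown_ips(parsed):
        print("review:", e["user"], e["action"], "from", e["ip"], e["user_agent"])
```

On the sample data the first check flags 203.0.113.7 (five failures in twelve seconds spread over four usernames, from a scripted user agent), and the second flags alice's permission change from 198.51.100.9, since her only recorded login came from 10.0.0.5; her repository deletion from the known IP is left alone.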

Audit Logs

Mercurial Evolve

RhodeCode now ships with the evolve extension bundled. Each repository can be configured to support evolve; commit phases and evolve state are also shown in the commit and changelog views.
We see that more and more organizations are starting to use this powerful feature of the Mercurial
version control system. To allow easier adoption, evolve is now shipped together with our installer and can be enabled via our
web interface settings.

Easier Pull Request Creation

When you push a new branch or bookmark, RhodeCode will now detect this and return a link to open a pull request from the newly submitted reference.

Example link below:

pushing to https://code.rhodecode.com/tools-fork  
searching for changes  
remote: RhodeCode: open pull request link: https://code.rhodecode.com/tools-fork/pull-request/new?bookmark=audit-log-fixes  
remote: RhodeCode: push completed  

Integrations

We extended our webhook integration with the ability to read and substitute the extra fields of repositories. This greatly increases the flexibility of webhooks for use in CI integrations.
Please check our new CI/CD integration docs here.

Security fixes

Security is very important to us. We created a security bug bounty program on the HackerOne platform. This ongoing campaign has discovered a few security issues, and this release fixes all of the problems found.
Amongst those, we fixed two stored XSS issues, a few self-stored XSS issues, and a potential issue with repository admins being able to delete other users' comments.
We'll disclose further details later on, to let our users upgrade in the meantime.

Performance

We looked at the diff generation code and optimized it for lower memory usage. Large diffs and pull requests should now take less memory.

See the full list of changes in the release notes.

As usual, the update process is a simple one-liner:
rccontrol self-update && rccontrol upgrade '*'
in the command line interface. Done!

Securely yours,
The RhodeCode team.