What's new
February 4, 2026
Extended Component Rules for Component Detection
You can now enhance component detection by enabling Extended Component Rules in your Analysis Configuration. This feature uses fuzzy matching to identify software components that may be missed by standard detection methods.
Extended Component Rules work particularly well with stripped binaries or firmware with limited metadata.
Enable this feature under Configuration → Analysis Configurations by editing an existing analysis configuration or by creating a new one.
There are three detection levels:
- Strict - Minimal false positives, may miss some components
- Balanced - Reasonable confidence with broader detection
- Loose - Maximum component discovery, higher false positive risk
Note: Enabling this feature increases analysis time. Looser detection levels find more components but increase false positive risk. We recommend starting with Strict and adjusting based on your needs.
Reanalyze existing firmware uploads for the changes to take effect.
January 12, 2026
Analysis Profile improvements
You can now update all vulnerability assessment fields automatically using Analysis Profile. This allows you to target previously uploaded firmware for mass updates – such as modifying Environmental CVSS scores – or to automatically set assessments for future uploads.
To access this function, click on Configuration and select Analysis Profile. Here, create rules using the ONEKEY Query Language (OQL) to assign or update any assessment fields – such as status, comments, severity, justification or SSVC.
Check the documentation to learn more about Analysis Profile.
For best results, we recommend reviewing the OQL docs before diving into rule creation.
For an easy example, you can check the Automate with Analysis Profile Rules section of the Filter out non-relevant CVEs docs page.
November 26, 2025
Import VEX files
You can now automatically update multiple CVE assessments in a single step by importing a VEX file. This new feature eliminates repetitive manual updates and helps ensure that vulnerability data stays aligned with sources such as vendor advisories.
Import a VEX file anytime after an analysis completes from Firmware Analysis view → CVEs by clicking Import VEX.
Select one or multiple VEX files, click Continue and follow the on-screen instructions.
The platform automatically processes the VEX file and applies updates to matching CVEs.
Supported formats:
- OpenVEX
- CSAF
- CycloneDX
See the upload dialog for supported format versions.
Check the documentation to learn more about this feature.
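A pre-import sanity check for the OpenVEX format listed above, as an added example (not ONEKEY code, and it does not reproduce the platform's own validation or CVE matching). The rules are taken from the OpenVEX specification; the CVE names, product identifier, author and URL in the sample are constructed placeholders.

```python
import json

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
                  "vulnerable_code_cannot_be_controlled_by_adversary"}
DOC_FIELDS = ("@context", "@id", "author", "timestamp", "version", "statements")

def lint_openvex(text):
    """Return a list of problems found in an OpenVEX JSON document (empty if none)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing document field {f!r}" for f in DOC_FIELDS if f not in doc]
    stmts = doc.get("statements")
    for i, st in enumerate(stmts if isinstance(stmts, list) else []):
        if not isinstance(st, dict):
            problems.append(f"statement {i}: not a JSON object")
            continue
        vuln = st.get("vulnerability")
        name = vuln.get("name") if isinstance(vuln, dict) else None
        where = f"statement {i} ({name or 'unnamed'})"
        if not name:
            problems.append(f"{where}: vulnerability.name is missing")
        if not st.get("products"):
            problems.append(f"{where}: no products listed")
        status, just = st.get("status"), st.get("justification")
        if status not in STATUSES:
            problems.append(f"{where}: unknown status {status!r}")
        elif status == "not_affected" and just is None and not st.get("impact_statement"):
            problems.append(f"{where}: not_affected needs justification or impact_statement")
        elif status == "not_affected" and just is not None and just not in JUSTIFICATIONS:
            problems.append(f"{where}: unknown justification {just!r}")
        elif status == "affected" and not st.get("action_statement"):
            problems.append(f"{where}: affected needs action_statement")
    return problems

# Constructed sample: placeholder CVE names and product identifier, not real data.
_prod = [{"@id": "pkg:generic/example-firmware@1.0"}]
SAMPLE = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.com/vex/1",
    "author": "Example PSIRT", "timestamp": "2025-11-26T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": _prod,
         "status": "not_affected", "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": _prod, "status": "not_affected"},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": _prod, "status": "resolved"}]})
```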
November 3, 2025
Export VEX-enhanced SBOMs
CycloneDX SBOM exports have been extended with VEX data.
Exporting VEX information can, for example, support compliance with certain cybersecurity regulations (such as the Cyber Resilience Act), as it provides documented statements of vulnerability assessments and mitigations.
To export a VEX-enhanced SBOM:
- Select a firmware to open Firmware Analysis view.
- Click Download SBOM.
- For the SBOM format, select CycloneDX.
- Select which details to include using the checkboxes.
September 8, 2025
Improved Vulnerability Management
ONEKEY already allowed you to track security issues and CVEs by adding comments and setting statuses to filter out or highlight vulnerabilities. Now, we've gone one step further.
Building on status-based Automated Impact Assessment – introduced in v25.8.13 – Vulnerability Management has been redesigned to expand beyond basic tracking and now helps with triage, prioritization, and mitigation. Specifically:
- You can now conduct more comprehensive vulnerability triage and evaluation using CVSS Environmental scores and the VEX cybersecurity standard. Additionally, you can perform and record an SSVC assessment (Stakeholder-Specific Vulnerability Categorization).
- You can override severity decisions made by the platform.
- Automated Impact Assessment details are recorded as notes with evidence from the analyzed firmware for improved transparency and traceability.
- You can adjust the CVSS 3 Environmental scores by modifying individual metrics.
To get started, click on an issue/CVE to open the details popup, then click Edit.
You can also update multiple vulnerabilities by selecting their checkboxes and clicking "Set evaluation".
Note: The Copy status feature has been upgraded as well; you can now copy all evaluation fields – not just statuses – using the "Copy evaluation" button.
August 13, 2025
Status-based Automated Impact Assessment
Automated Impact Assessment now uses a status-based approach instead of filtering by match score, providing clearer categorization and more intuitive CVE management.
Previously, enabling the "Show only confirmed matching CVEs" checkbox would filter out CVEs with a match score below -2.
Starting with ONEKEY version v25.8.4, this checkbox has been removed, and CVEs with a score below -2 are automatically assigned the status "Not affected" by Automated Impact Assessment. Since "Not affected" is a closed status, these CVEs are hidden by default in the CVE tables. This new approach allows for more control over your vulnerability assessment workflow.
Note: To view CVEs marked as "Not affected," uncheck "Show only CVEs with open status" and filter for the "Not affected" status.
July 23, 2025
Custom issues
You can now create custom security issues to address organization-specific threats that standard frameworks might miss.
To get started, select the Custom Issues tab in the top menu bar and click Add new custom issue rule.
Provide a name, select a confidence level, and configure the CVSS 3.1 and 4.0 metrics. In the File query field, write an OQL rule to define where the issue should be triggered. See the complete list of file OQL fields for available options. Click Create Issue Definition when finished.
Rerun analysis on affected firmware for changes to take effect.
Your custom rules will appear in both the Global Issues page and the individual firmware analysis views after analysis completes.
SBOM-only uploads
You can now upload just an SBOM file without a firmware image.
Simply select Upload firmware, drag and drop your SBOM file in the SBOM area, and follow the on-screen instructions.
Note: In Firmware analysis view, firmware image-specific results are hidden or grayed out for SBOM-only uploads.
Android component detection
When uploading Android firmware, you can now see the applications (APKs) as components, giving you better visibility into the software inventory of Android-based devices.
Click the Components page in Firmware analysis to see Android packages with their names and versions.
Note: License or CPE information isn't available yet for these components, so no CVE matching is performed.
May 28, 2025
Component dependency visualizations
The new Component Dependency visualizations allow you to see the relationships between the components in your firmware, helping you better understand its structure and identify potential security implications of connected elements.
Explore all component relationships in your firmware through the Component dependencies tab in Firmware analysis view → Components.
- Hover over a node to highlight its dependencies.
- Click on a node to open the Component details popup.
For individual component dependencies, select any component and click Dependency graph on the popup.
- Drag and drop a dependency to move the graph around.
- Click to open the graph for the selected node.
- Click 1> to see the children of the node.
May 7, 2025
Compliance Overview
The new Compliance Overview feature provides a comprehensive visualization of your firmware's security status across multiple cybersecurity guidelines in one convenient diagram. This powerful tool helps you quickly identify compliance gaps and prioritize security fixes.
Access this feature through Firmware Analysis view → Compliance → Overview. At the top, choose between viewing Issues or CVEs.
Choose which standards to focus on using the Guidelines dropdown. To adjust the level of detail in the diagram, use the Columns dropdown. Hover over a node (an element containing text) to highlight its connections, showing which compliance provisions can be addressed by resolving the associated vulnerabilities.
Click on a component to display the specific security issues or CVEs affecting the connected provisions:
If you are not yet familiar with the Compliance Wizard, explore our Documentation to learn more about its features and capabilities.
April 14, 2025
RED II Compliance
You can now verify your compliance with the RED II (EN 18031-1:2024) cybersecurity guideline using our Compliance Wizard.
This standard applies to all radio equipment capable of internet communication; it ensures that the equipment does not adversely affect the network or its functionality and prevents misuse of network resources that could severely impact services.
To check the compliance of a firmware against this guideline:
- Enter Firmware analysis view by clicking on a firmware.
- Select the Compliance page.
- Select EN 18031-1: Common security requirements for radio equipment... from the dropdown menu.
Important: Old uploads must be reanalyzed for the Wizard to work correctly.
If you are new to our Compliance Wizard, click here to learn how to use it: Compliance Wizard
Highlighting new features
At ONEKEY, we are committed to providing the best support for our platform, which means we continuously introduce new updates and fixes. As a result, our changelog can sometimes become a bit extensive, making important updates easy to overlook.
To make sure you never miss an important new feature or update, we will now highlight only key changes in this popup instead of displaying the full changelog. As a result, you will see this dialog less often.
You can still view the complete changelog by clicking the Changelog button at the bottom of the page.
With each new release, we will show a changelog update notification at the top, so you can stay up to date even if there are no major updates to highlight.
To see all current and previous feature highlights, click What's new:


















