V3.3.1 Release Notes

Full List of Enhancements:

• Java 21: upgraded core ModelOp Services to Java 21

  • Upgraded Spring Boot to v3.3.2

  • Upgraded Camunda to v7.21.0

• Jira SDK: replaced the Atlassian Jira SDK with an upgraded Feign-based client

  • Overcomes the issue where Customers had more than 500 custom fields within their Jira projects.

• Inventory & Reporting:

• Use Case Page:

  • Added a list of Running Model Lifecycles to the Use Case page. Note that this will show ALL related running model lifecycles, across Use Cases, Model Implementations, or Snapshots of a Model Implementation

  • Updated the Governance Score to refresh automatically upon saving of Custom Form Data

• Governance Score:

  • Updated the default Governance Score rules to look for Model Cards for a specific snapshot, instead of at the use case level

  • Updated the default Governance Score rules to check that there are no high and open Notifications

• Model Implementations:

  • Assets: added support to upload an Asset to a specific directory, such that the assets can be materialized in that directory on a ModelOp Runtime when deployed for Model Scoring

  • Metadata: added support to show the embedded model implementation custom metadata for a given Snapshot

  • Details: updated the details tab to gray out the fields if a user has READ only permissions

  • Add an Implementation: updated the Add an Implementation wizard to include the tags field

• Git:

  • Multiple Models: added support to allow multiple models to exist within a given git repository. Note that the models must exist under different folders within the Git repository.

  • Force Sync: added the ability to allow a user to FORCE option for the manual git sync within the UI, which would cause ModelOp to reclone the git repo from scratch. This is helpful when there are git merge conflicts or other errors on the git repository side

• Model Lifecycles:

  • REST Delegate: Added ability to post to a REST endpoint and wait for a response. The wait can used REGEX to filter the response for a specific value

• Dashboard & Tests/Monitors:

  • Privacy (PII Detection): added the PII detection monitor to the OOTB standard risk tests, allowing users to detect any potential PII leakage in a model output

  • Dashboard:

    • Updated the Default Dashboard Monitor to support LLM-based metrics, including PII detection and SBert Similarity analysis.

    • Also updated the Default Dashboard Monitor to include Risk Tier and Governance Score, by default

    • Added support to filter the Models by the available columns (e.g. Business Unit). This includes support for any custom columns defined by the Customer.

    • Added a “summary section” to a Model Test Result page that allows the Model Test Result to display a configurable heatmap to summarize the contents of the test result. This is useful for situations where the user may want to analyze different segments of a model in a detail, but still have a rollup across all segments.

    • Updated the Home Dashboard to allow an individual Red / Green / Yellow item in the heatmap to be clickable, thus directing the user to the specific metrics that generated the heatmap item

  • OOTB Monitors:

    • Job Errors: Updated the default behavior of the OOTB monitors to WARN instead of ERROR out a job, should there be a python-based warning in the monitor execution

    • Performance Monitors:

      • Updated the OOTB performance-regression monitor to fix NaN and Column Types, should the input data have blank values

      • Addressed issue where the OOTB Performance Classification Monitor errors out when bigint data type is used.

• Documentation Generation:

  • Updated the styling of the LLM Risk Test and Standard Risk Test document templates

  • Made minor updates to the content of the LLM Risk Test and Standard Risk Test model card templates

• PowerBI:

  • Updated connector to include new core metadata fields (e.g. modelStage) that were introduced in v3.3.x

• ModelOp Runtime:

  • Added the ability to allow Runtimes to use HTTPS for Eureka connections

  • Added support to rotate the Runtime logs after the max size has been reached

• CLI:

  • Added ability to copy existing associations when creating a new snapshot via the CLI

• Jupyter:

  • Upgraded the Jupyter plugin to disable/Hide buttons if user does NOT have required permissions

• Security:

  • Updated the Permissions page for administrators to allow the admin to set permissions across all groups

• Import Utility:

  • Enhanced the UI for the Excel import utility to allow users to more easily map the columns from the Excel sheet to the custom metadata

Bug Fixes:

• Git:

  • Addressed issue where the automated git sync process could not go through all the existing StoredModels when the number of StoredModels exceeds 1000 models

  • Addressed sporadic issue where the git sync would fail with a 504 error

• Tableau:

  • Addressed an issue where the Tableau connector was failing to import data when the custom metadata contained special characters

• Scheduler:

  • Addressed an issue with the advanced scheduler (cron) option, where if the users saves a Schedule with a invalid cron expression, other newer expressions are not saved either.

  • Additionally provided UI-based warnings if a user attempts to save an invalid cron expression

• Champion/Challenger:

  • Addressed a UI routing issue when attempting to open the Champion/Challenger view from the Inventory and Model Details page

• AWS SageMaker:

  • Addressed an issue in the UI where AWS SageMaker jobs could not be re-run

• Custom Form Configuration - Custom Field Types:

  • Addressed an issue with the Custom Field Types (in the Forms Configuration admin page) where the user could not change the name of the field when a custom field type was added to a form.

• Model Implementations:

  • Addressed an issue in the Model Implementation Details page where all notifications were being shown, instead of notifications specific to that Model Implementation

• Compliance Overview Page:

  • Addressed issue where the compliance overview charts are not the same height, when no data is available

• Azure AD:

  • Addressed issue where the Azure AD group id is not getting replaced by the name on the stored model details page for some users

Deprecated Library Updates:

Updated or removed the following deprecated libraries:

• Remove Deprecated MomentJS Library

• Upgraded the EOL Joda-time v2.9 dependency in Eureka

• Upgrade the ORACLE JavaBeans Activation Framework 1.1 in MLC Service

Security Fixes/Patches:

NOTE: many of the below are NOT related to ModelOp software, but rather related to dependencies

• Addressed CVE-2023-34036 - Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers.

  • Issue Link: https://spring.io/security/cve-2023-34036

• Addressed CVE-2023-4759 - a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree

  • Issue Link: https://access.redhat.com/security/cve/cve-2023-4759

• Addressed CVE-2016-1000027 - Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE)

  • Issue Link: https://nvd.nist.gov/vuln/detail/cve-2016-1000027

• Addressed CVE-2023-6378 CVE-2023-6481 - Logback: Serialization vulnerability in logback receiver

  • Issue Link: https://access.redhat.com/security/cve/CVE-2023-6378

• Addressed CVE-2024-21634 - Allocation of Resources Without Limits or Throttling

  • Issue Link: https://access.redhat.com/security/cve/cve-2024-21634

• Addressed CVE-2024-38816 - spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

  • Issue Link: https://access.redhat.com/security/cve/cve-2024-38816

• Addressed CVE-2024-47554 commons-io on Document Service

  • Issue Link: https://access.redhat.com/security/cve/cve-2024-47554

• Addressed CVE-2022-40152 - DOS risk with Woodstock-core dependency

  • Issue Link: https://access.redhat.com/security/cve/cve-2022-40152