Skip to main content

9.5.0 Hotfixes

Installation Notes


  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.

  • In a distributed environment, the relevant hotfix must be installed on the CxManager server(s) and the Web Portal server.

  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended that full scans be run first, followed by incremental scans.

Resolved Issues and Changes


Resolved Issues

HF20 July 2024

Incorrect Origin value in Scans tables when scans are identified as unchanged and not triggered.

Accent characters in file names caused broken paths due to incorrect database storage.

The Compare scan mechanism displayed the wrong severity when the query’s severity was modified and overridden.

Fixed report mechanism. The Change template option wrongly affected CSV reports; it should only affect PDF and RTF.

Fixed line number inconsistencies between the results viewer and the scan report.

API retrieved wrong labels when results had multiple labels from different projects.

Fixed incomplete short descriptions for PHP files with <?.


Resolved Issues

HF19 June 2024

Fixed a bug that caused the license importer to get an error while not in focus.

Fixed a bug that marked results as New in the SAST reports when a query with results was overridden between scans.

The Tomcat version has been upgraded to Apache Tomcat 9.0.87

Fixed a bug where deleting a customized query influenced the results state when viewed in compare mode.

The config key MAX_RESULTS_PER_QUERY in the database has been deprecated.

Fixed oData parameter $expand=QueryGroupType; when using this parameter, the QueryGroup and QueryGroupType did not expand.

Added back the timestamp in several missing fields on the Scan Summary page.

Corrected the inheritance of result labels in private scans.


Resolved Issues

HF18 May 2024

Fixed a bug where deleting a Team-level overridden query affected previously created scans.

Fixed an issue in the Dashboard where the Risk page did not display graphs.

Fixed an issue where SAST excluded files containing .ini in their names.

Resolved an issue where zip sources were mishandled when the zip encoding differed from the default.

Fixed an issue where the Last parameter in the API endpoint, GET/sast/scans, worked incorrectly.

Opening a direct link now clears all filters from the Results Viewer.


Resolved Issues

HF17 April 2024

Eliminated the dependency on C++ Redistributable version 2010. Now, dependent only on .NET Core.

Fixed the API PATCH /sast/scansQueue/{id} to support the Postponed status.

Added support for the Security field in the JIRA on-prem v8 REST API.

Fixed a failure to generate a PDF report issue in cases where the source code was deleted from the CxSrc folder.

Fixed a timeout error for Perforce source code uploads exceeding 15 minutes, now configurable in the database.

Scan cancellation permission is separate from Delete scan permission. Users who initiate a scan may cancel without having the Delete Scan permission.


Resolved Issues

HF16 February 2024

Resolved a CPU overload issue caused by HF15 in environments without M&O.

HF15 January 2024

CxSAST publishing results into the Policy Management queue despite M&O not being installed.

Resolved an issue where the Open Viewer button doesn't work on a Linux or Windows machine with Chrome.

Completely removed C++ 2010 and 2015 dependencies.

Fixed an issue where an incremental scan showed sources of wrong baselines.

Fixed an issue where the UI shows a partial list of branches in case one of the GitHub branches contains @ in the name.


Resolved Issues

HF14 December 2023

The compareResultsTo API has been updated and includes the SimilarityID key.

Various security fixes.


Resolved Issues

HF13 November 2023

ActiveMQ version was replaced with version 5.17.6

Tomcat version for M&O was replaced with version 8.5.95


Resolved Issues


Fixed an issue to prevent null values when configuring JIRA custom fields in the project settings.

Fixed a bug where moving projects from one team to another while filters were applied overwrote an existing project name.

Fixed an issue where GIT scans failed when the default value of the SourcePullingTemporaryPath was changed.

Fixed a UI bug where the severity icon was not centered in the project state dashboard.

Added a new checkbox in the UI to enable or disable the support for wildcard * in LDAP management. The default behavior will remain as is for customers without wildcard support.

Changed the color of the Auth Plain authentication method button to be more visible.

Added missing translations in Access Control pages. Languages added: Chinese, Portuguese, Korean, Japanese, French, and Spanish.

Added the ability to block LDAP user access to the SAST UI.

Fixed the logout URL configured in SAML, which redirected to a broken page.


Resolved Issues


Updated Tomcat version for AMQ to 9.0.75.

Resolved an issue in JIRA configuration related to IssueTypes for projects, allowing users to succeed on projects they have permissions for.

Added a flag to maintain the existing behavior: AllowFailureOfGetJIRAProjectIssueTypesMetadata (default: false).

Upgraded Commons-Configuration2-2.7.jar to Commons-Configuration-2.8.0.jar.

Upgraded Springframework:spring-webmvc 5.3.23 to version 5.3.26.

Improved performance of scan metrics values and source pulling information in ActiveMQ responses.

Resolved an error in the widget on the Project State page, displaying project information correctly now.

Improved the message, explaining username creation rules when creating a message, with full information (letters, digits, underscore(_), hyphen(-), period(.), plus(+), and at sign(@) ).

Updated the role description for the old Manage Users role to manage users and teams.

Added 2nd last login + IP information for additional user security.

Introduced a new dedicated role for creating teams without user creation permission.

Added hostname information in Audit Trail for SAST module requests to log in to HA environments, enabling users with an HA environment to identify the Manager making the request.

Fixed missing Spanish translation strings on the Access Control page.

Addressed a translation issue, displaying an error message in English for users with a Chinese (Simplified or traditional) UI trying to create a user with an invalid name.

Corrected the description of the Team Manager’s permission in the database.


Resolved Issues


The calculation of lines of code (LOC) has been modified to consider files and folders excluded from a project.

Resolved an issue where scans were not triggered in certain cases when using a GitHub Webhook.

Resolved a bug that caused an error message stating "Project name already exists" to appear when attempting to create a project with the same name as a previously deleted project.

The administrator can now configure the default login method in the Access Control settings, which can be either Credentials/LDAP or SSO/MAC. Additionally, the administrator can choose to hide the credentials fields.

Login and Login Settings pages now include translations.

Resolved an issue with the "Default LDAP server" selection due to a conflict between the default LDAP server and SSO configurations, causing it not to be selected correctly.

Fixed a bug where an incremental scan would erroneously include "Find" results from its flow that were part of deleted files.

The "Teams" column and the "Teams tree" on the Access Control pages have been fixed and can now be resized.

For security fixes, click this link for additional information.


Resolved Issues


Fixed a bug related to memory reservation when scanning large source code; a scan would sometimes reach a 15-minute timeout and abort, causing it to remain stuck in the queue while the next scan proceeded. The solution is to now fail the scan with an option to increase the timeout through configuration settings.

Fixed a bug causing scans in the queue page to fail instead of waiting in the "Queued" state. This occurred when the maximum number of concurrent scans specified in the general settings did not equal the maximum number of scans allowed for the engine.

Fixed the configuration "INCREMENTAL_SCAN_MERGE_NOT_EXPLOITABLE_RESULTS." This configuration enables NE (not exploitable) results to be merged in an incremental scan.

Fixed a memory leak in Jobs Manager that caused scans to get stuck in the queue.

Resolved an issue where the Results Viewer page displayed an incorrect vulnerability status.

Fixed a bug that allowed multiple projects with the same name to be created when using PowerShell scripts to create the projects.

Added configuration options for the 15-minute memory reservation timeout value.

Added the ability to set the LDAP server as a default sign-in method.

The API authentication now only requires user validation (valid credentials) instead of a previously required permissions set.

For security fixes, click this link for additional information.

Tomcat updated to version 2.88.


Resolved Issues


Fixed an issue that caused the old AMQ jar file to be maintained after a hotfix installation.

Fixed an issue that caused the scan to retrieve an incorrect line of code (LOC) and use incorrect sources.

Fixed a REST API call for scheduling that returned a message code ‘500’ instead of ‘200’.

Fixed stuck scans caused by redundant files created in the CxSrc folder during an incremental scan.

Added the engine pack version to the response of the REST API 'GET /system/version'.

2 APIs related to comparing scans have been converted from SOAP to REST:  

  • [GET] /sast/scans/{oldScanId}/compareResultsTo/{newScanId}  

  • [GET] /sast/scans/{oldScanId}/compareSummaryTo/{newScanId}

Resolved an issue that caused the connection with the Jira Server to fail when creating a new project.

Updated the SAST API and removed the usage of a deprecated Jira method.

Fixed an issue in the UI when adding the Jira Server in the issue tracking settings.

The following libraries have been updated: Newtonsoft.Json to version 13.0.2 and jQuery to version 3.6.2

Fixed an error message returned with all of the JIRA REST API calls when a JIRA cloud was defined instead of a JIRA server.

A new schema has been added to the database to allow non “db_owner” users to use it. By customers' request, they can now grant access to the Cx tables while limiting access to other parts of the database.

Tomcat version was updated to 8.5.85

A new permission has been added that blocks users from accessing the user interface while maintaining access to the APIs. This allows technical users, like those using Jenkins in a CI pipeline, to trigger a scan without being able to access the WebPortal.

Added some missing Russian-translated text in the access control pages.

Fixed the date format in the Users table while the browser’s Language is set to English (Australia).

Now, for example, it will display the date 28/10/2021 instead of 10/28/2021


Resolved Issues


Fixed an issue with the GET /projects/branch/{id} endpoint from SAST REST API v4, which occurred when the BranchProjectId did not exist.

Fixed an issue where the project branching process validation failed.

Fixed an issue that caused performance degradation in the "Source Pulling & Deployment" stage.

Fixed an issue with the Result Service log that caused an overflow error when the SQL TaskScan table was updated with an out-of-range DateTime value.

Fixed an issue in the View Project Scans page, enabling seconds to be correctly displayed in the SCAN DATE and SCAN COMPLETE columns.

Fixed an issue that prevented the Services Availability from functioning when the SAST Web Portal was secured with SSL (HTTPS).

The license expiration date for the Services Availability can now be validated.

The GetResultPath and GetFileNamesForPath SOAP methods were converted from the SAST Web Portal to the SAST SDK (software development kit).

Access Control is enhanced with a new "Back to SAST" button directly opening the SAST Web Portal.

Fixed an issue in Access Control that prevented usernames from appearing in the logs for the logging-in and signing-out events.


Resolved Issues


In this Hotfix, the wrapper.conf file from ActiveMQ was replaced. If there were customizations in the old wrapper.conf files must be retrieved from the backup folder and added to the new wrapper.conf file.

Fixed an issue that prevented new teams from being created when the team name length was between 100 and 128 characters. No error messages were displayed in the User Interface to warn the user.

Fixed an issue that prevented a custom description from being uploaded. This occurred when the User Interface was set to Spanish, and the user tried to upload a second time after the first upload was successful.

Improved performance in the Results Viewer page for loading large numbers of results. In some cases, the loading failed with a timeout error.

Fixed an issue that prevented a comparison between two public scans from displaying correctly. This occurred if the private scan results of the project were previously marked Not Exploitable.

Fixed an issue with the GetSourceCodeForScan API that occurred when retrieving files with long paths consisting of 260 or more characters, even when the Long Path option was enabled.

The following features were added to the Audit Trail API:

  • Reasons to help explain failed login attempts (such as invalid username, invalid password, and account inactive)

  • Logoff events, including forced logoffs due to session timeouts

  • Details regarding UserUpdated events to help explain changes to the Active User status

  • Details regarding UserUpdated events to indicate password resets

  • Hostname of Checkmarx components that are included in the Audit Trail record

Added several User Interface translations that were missing from the Access Control Password Complexity panel.

Resolved an issue with Access Control that prevented the Update button from updating the SMTP Settings.

The Apache Shiro library was upgraded to version 1.10.1.


Resolved Issues


Improved the performance of the REST API: GET /sast/scans.

Resolved an issue in the SAST web portal that caused the result status to be incorrectly displayed in the generated CSV reports.

Added support for the Jira "Due date" field.

The performance of the Data Retention procedure has been improved and an additional transaction was added to maintain data integrity when deleting data.

For the Data Retention, a configurable value has been added to the stored procedure to control the timeout length, instead of the fixed 120 seconds.

The following actions were added to the Audit Trail API:

  • Update in Results Status/Severity/Assignee/Add Comment

  • Create/Update/Delete/Import/Export the Preset

  • Create/Update/Delete the Role

  • Create/Update/Delete the Team

The Tomcat version has been upgraded to Apache Tomcat 8.5.83.

Updated Apache Commons Text library.

Fixed an issue in Access Control that caused a SAST Active Directory user with Polish characters to be assigned to a default Team and Role instead of being synchronized with the LDAP.


Resolved Issues


Fixed an issue in the SAST Web Portal interface that caused the breadcrumbs to appear overlapping the main panel instead of in a separate panel.

Fixed an issue that caused the SAST Web Portal to fail with an error on the All Scans page after filtering by either Scan Date or Scan Completed. This occurred when the Locale was set to French in Access Control.

Fixed an issue that prevented loading the CxWebClient logs in PortalAll.log after configuring SAST for Prometheus.

Fixed an issue that caused the Project and Project State pages to be incorrectly displayed, being filtered according to the latest scan dates instead of according to the scan IDs.

Fixed an issue in the REST API GET sast/results/{id}/comments endpoint that caused an empty list to be returned when the author of the comment was not found.

Fixed an issue with PDF scan reports that prevented files from being included under the Scanned Files section of the reports. This occurred for files with long paths.

Fixed an issue in the Results Viewer that caused the Recurrent result state to be displayed incorrectly instead of the New result state. This occurred if the ScanID value of a branched project was larger than the ScanID value of the original project.

Fixed an issue that caused the Query Result tree in the report creation dialog to appear empty.

Fixed an issue in the Results Viewer that caused the Navigation tree to be missing from the Scan Results Severity pane. This occurred when the RESULT_ATTRIBUTES_PER_SIMILARITY key in the CxComponentConfiguration table was set to false.

The following special characters (/ \ , " ' ? <> [ ] { } | ~ : ;) have been added to the list of supported characters to be used in passwords when a user is being created or modified.

Fixed an issue with the POST Teams API that occurred when using the Access Control Swagger, which caused a NULL (instead of the Team ID) to be returned in the response body.

The default value for the Dynamic Password Expiration Date was changed to 0 (days), so that the password never expires. This is beneficial when using automated pipelines.

Resolved an issued so that multi-factor authentication (MFA) is no longer required for LDAP and SAML users.

Resolved an issue in the Access Control GET Teams/{id}/Users API that caused duplicated Role and Team IDs.

Resolved an issued that prevented updating the Job title for an SAML user in the Access Control profile.

Several enhancements have been added to Access Control, allowing the administrator more control of the new security mechanism.

The administrator can now perform the following:

  • enforce multi-factor authentication (MFA) on all users

  • define trusted browsers, eliminating the need to use a one-time password (OTP) for each login (requiring an explicit action only on the first login)

  • set the lockout period for users who have exceeded the threshold of failed login attempts

  • control whether or not the Forgot Password link is displayed

  • set the password expiration period, defining how often each user must update his own password

  • determine how many passwords are saved in the history, controlling the reuse of old passwords

  • exempt specific users from requiring MFA, supporting the automated users required in automated pipelines and CI.

For security fixes, click this link for additional information.


Resolved Issues


Improved the Reflected_XSS_All_Clients query.

Resolved an issue that was causing an error when the Query Viewer page was uploading.

The Tomcat version has been upgraded to Apache Tomcat version 8.5.82.

Resolved an issue that was causing difference in the results when using the GetCompareScanResults and GetScanCompareSummary SOAP API endpoints.

Resolved an issue that was causing the audits of private projects to be displayed in public projects.

Resolved an issue that was causing the ResultsService to fail to recognize overridden queries when the SAST machines were not time-zone aligned.

Resolved an issue that prevented opening scans in the SAST Web Portal.

Resolved an issue that caused the total scan times to be calculated incorrectly when two scans were compared.

The SAST Web Portal now displays the complete Engine Pack (EP) version, installed including the revision number.

Removed the reference to the YUI v2.9.0 vulnerable library.

Implemented a workaround mechanism for displaying the vulnerability description page on a browser that does not fully support CxAudit.

Resolved an issue that prevented SAST from scanning all the files in a multi-language project.

Resolved an issue that was causing failures when the Management and Orchestration (M&O) pages were opened.

Note: Some issues in this Hotfix were resolved with changes in the EngineUtilsCLI.exe. Starting with Engine Pack 9.5.2, EngineUtilsCLI.exe was removed from the Engine Pack and added to the Hotfix, starting with this HF3.

If a customer installs HF3 these issues will be resolved. However, if the customer afterwards installs Engine Pack 9.5.1, the issues will not be fixed.

For security fixes, click this link for additional information.


Resolved Issues


Fixed an issue in the REST API POST /{ProjectId}/sourceCode/remoteSettings/shared that prevented the API from working when a shared folder was set on the manager drive.

Fixed an issue which prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Fixed an issue that was causing log information loss.

Fixed the link on the Full Scan Results button, which incorrectly redirected to the Project State page.

Fixed an issue that prevented the selection of Pre and Post Scan actions.

Fixed the Japanese description of a Java High Risk Code Injection query.

Added the version number on the inventory libraries list in the HTML OSA report.

Fixed an issue in the Checkmarx SAST Portal that caused usernames containing special characters to be displayed incorrectly.

Fixed an issue that caused the SAST to SCA integration to fail when the project name contains the ampersand (&) character.

Fixed an issue that caused scans to fail when unzipping the projects from shared folders.

Fixed an issue that allowed unauthorized users access to the following Access Control APIs:

  • GET/AssignableUsers

  • GET/AuthenticationProviders

  • GET/Configurations

  • POST/Users/FirstAdmin

  • GET/LDAPTeamMappings

  • PUT/LDAPServers/{id}/TeamMappings

  • PATCH/LDAPServers/{id}/TeamMappings

  • DELETE/LDAPTeamMappings/{id}

  • POST/Users/ChangePassword

  • POST/Users/ForgotPassword

  • POST/Users/ResetPassword

Fixed an issue in the Access Control API that allowed the API to retrieve privileged information.

Fixed an issue that allowed XSS vulnerabilities in SCA Swagger pages.

The jQuery UI library was upgraded to v1.13.2.

For security fixes, click this link for additional information.


Resolved Issues


Fixed an issue that caused the confidence level to be displayed in the Results Viewer screen incorrectly as 0%. This occurred when the scan was executed for a project that had no source code changes.

Fixed an issue, which occurred when the severity of the OOTB queries was changed, that caused the result states for recurrent results to be incorrectly displayed in the following UI dialogs:

  • Scan Compare\Summary table

  • Scan Compare\Results details

Fixed an issue that caused the report generation to fail.

Fixed a performance issue affecting the Results Viewer that was caused by a previous fix to prevent audits of private projects from being displayed in public projects. The current fix improves the performance, but reverts back to the previous behavior where the comments and results state history of private scans are visible from the public scans.

Improvements were made in the scanning mechanism to prevent displaying incorrect numbers of projects and scans in the Checkmarx Web Portal.

Fixed a performance issue caused in the Results Viewer page, by controlling the query timeout with the CxComponentConfiguration\SqlExecuteCommandTimeout configuration key.

Fixed a performance issue caused in the Results Viewer page, by providing an additional timeout adjustment for backend SOAP calls with the new web.config\CxPriorityWebServicesTimeout configuration key.

Fixed an issue that caused OSA scans to fail when the maximum number of client connections was exceeded.

The following have been added to Access Control:

  • A multifactor authentication (MFA) feature is now available for providing additional security for SAST and SCA application users. When this feature is enabled, a one time password (OTP) is provided during the login process.

  • An IP Authorization feature now enables an organization to restrict access to the SAST and SCA application portals using a predefined IP allowlist, which is stored in the database. All other IPs will be blocked.


  • By default, these features are disabled. See Access Control.

  • Hosted customers can contact the Checkmarx CloudOps team to activate and define the features.