
Checkmarx SCA Release Notes May 2023


These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.


The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated on July 7. They have been replaced by the new Management of Risk API, which supports applying any Checkmarx One state and adding comments. We recommend migrating to the new API well in advance of the July 7 deadline.

New Version of AppSec Knowledge Center

We have released a new version of the AppSec Knowledge Center. The new version maintains the same core functionality as the previous version. However, the look and feel has been completely redone and many improvements have been introduced.

Figure 1. GIF - Searching by Package in AppSec Knowledge Center

The following are some of the main improvements:

  • The Package page now shows Supply Chain risks and Licenses associated with the package (in addition to vulnerabilities).

  • Package selection is now done by entering the package name and then clicking on a marker for a specific version.


    The markers representing the package versions are now color coded as follows:

    • Red with dot - malicious package

    • Red - high severity

    • Yellow - medium severity

    • Gray - low severity or no risk

  • When you select a package version for viewing, a summary page is shown which gives data for Supply Chain Analysis, as well as aggregated risks.


    You can then drill down to view a list of vulnerabilities, supply chain risks and licenses. For vulnerabilities, you can drill down further to show the vulnerability details screen.

  • The vulnerability details screen has been redesigned.


    The info is now divided into the following elements:

    • Overview - gives general info about the vulnerability including the CVSS score.

    • Info Pane - shows the description of the vulnerability and CWE and gives references for further research.

      • Notes - Within the info pane, we have added a section for notes. This section shows notes that were added to a vulnerability by the Checkmarx AppSec team. These notes may explain discrepancies between our data and the data shown in NVD, such as when we have confirmed that a vulnerability is disputed. They may also suggest specific mitigation actions, such as changing configurations, or offer other helpful insights from our AppSec team.

    • Detail Tabs - The bottom section gives additional details about the vulnerability and the packages affected by the vulnerability. The info is divided into tabs for Affected Versions, Score and Status.

Tags in Global Inventory

We added a Tags column to the Packages table on the Global Inventory screen. This shows both the scan tags and project tags associated with the most recent scan in which the package was identified.


This can be useful for tracking which project branch uses the package.


SCA Resolver Releases

We released the following new versions of SCA Resolver:


The complete changelog and links to download SCA Resolver are available here.

Version 2.2.2

  • Syft is now used automatically whenever the --scan-container flag is used. The --use-syft flag is no longer used.


    This is a breaking change. If you have pipelines that use the --use-syft flag, the flag must be removed from them.


    For Syft to run on your scans, it must be installed on the machine that runs Resolver; see Prerequisites.

  • For PIP:

    • Added a new argument for including custom manifest files for resolution.

    • Improved detection of the Python version installed on the system.

  • For Gradle, dependencies that are ignored by the package manager are now also ignored by Resolver.

  • For NPM, fixed the logic that decides whether to run NPM 6 or NPM 7 commands.

  • Fixed "out of memory" issues that were occurring in some edge cases.
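The --use-syft breaking change above, as an added shell example that is not Checkmarx's own tooling: it checks a Resolver invocation for the removed flag, emits the rewritten command line, and verifies that the syft binary is on PATH before a --scan-container scan. The sample invocation and its arguments other than --scan-container and --use-syft are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Checkmarx's own code): migrate a Resolver command line
# for the 2.2.2 breaking change. --use-syft was removed, and Syft now runs
# automatically whenever --scan-container is passed.

# Return 0 when the command line still carries the removed flag, 1 otherwise.
uses_removed_syft_flag() {
  case " $1 " in
    *" --use-syft "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the command line with every --use-syft token dropped; all other
# arguments, including --scan-container, are kept in their original order.
strip_use_syft() {
  out=""
  for tok in $1; do
    [ "$tok" = "--use-syft" ] && continue
    out="${out:+$out }$tok"
  done
  printf '%s\n' "$out"
}

# Prerequisite check: syft must be installed on the machine running Resolver.
syft_installed() {
  command -v syft >/dev/null 2>&1
}

# Constructed sample invocation, as it might appear in a pipeline script
# (the non-Syft arguments are placeholders, not documented Resolver flags).
SAMPLE='./ScaResolver offline -s ./src -n my-project --scan-container --use-syft -r results.json'

if uses_removed_syft_flag "$SAMPLE"; then
  echo "WARNING: --use-syft was removed in Resolver 2.2.2; use this instead:"
  strip_use_syft "$SAMPLE"
  syft_installed || echo "NOTE: syft is not on PATH; install it before running --scan-container scans"
fi
```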

Version 2.1.9

  • For Gradle, added support for dynamic submodule declaration.

  • ImageResolver updated to version 2.0.47.