Release Notes for 9.6.0
CxSAST Engine
Warning
The Checkmarx Technical Team will handle all deployment processes.
Languages and Frameworks
In 9.6.0, all previously supported languages and frameworks, together with the content delivered in engine packs 9.5.1, 9.5.2, 9.5.3, 9.5.4, and 9.5.5, remain supported.
Lua (Technical Preview)
In 9.6.0, we added support for the Lua language in SAST, including the following features:
Variables: Global, Local, and Table fields.
Statements: Blocks, Chunks, Assignment, Control Structures, For Statement, Function Calls as Statements, Local Declarations and To-be-closed Variables.
Expressions: Arithmetic Operators, Bitwise Operators, Coercions and Conversions, Relational Operators, Logical Operators, Concatenation, The Length Operator, Precedence, Table Constructors, Function Calls, and Function Definitions.
Standard Libraries: Modules.
OpenResty (Technical Preview)
In addition to Lua language support, version 9.6.0 also includes support for OpenResty, covering the following:
Lua Code Block Directives:
File Directives: access_by_lua_file, body_filter_by_lua_file, content_by_lua_file, header_filter_by_lua_file, rewrite_by_lua_file, log_by_lua_file, set_by_lua_file
Config Directives: add_header, default_type, echo, echo_duplicate, error_log, lua_code_cache, lua_capture_error_log, lua_regex_match_limit
PHP
PHP language support was rewritten and is available as a Technology Preview.
To ensure enhanced accuracy and better results, a thorough review of all queries was conducted while implementing the new PHP support.
As a result, several queries underwent various modifications: some were renamed, while others were deprecated and are no longer recommended for use. Additionally, changes were made to the source code for certain queries, and the severity levels of some queries were updated. These changes are aimed at optimizing the PHP support and providing improved results.
Warning
Please be aware that the introduction of the new PHP support brings a significant disruption, as the old PHP support will no longer be available.
It's also important to note that this upgrade will lead to changes in your current PHP results.
Before upgrading to version 9.6.0, it is advisable to consult the updated documentation and release notes to understand the specific changes made to each query and how they might affect your application and results.
As with any significant update, it is recommended to thoroughly test your application after the upgrade to ensure compatibility with the new PHP support and to identify any potential issues that may arise due to the upgrade. Adequate preparation and testing can help mitigate disruptions and ensure a smooth transition to the enhanced PHP support provided.
Notice
To read and understand the Change Source section, follow these guidelines:
Lines with a "+" symbol: These lines represent new code that has been added to the query.
Lines with a "-" symbol: These lines indicate code that has been removed from the query.
By examining the lines with "+" and "-" symbols, you can track the specific modifications made to the query, including new code added and code removed.
This information is useful for understanding the changes introduced.
Notice
Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.
As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features.
Swift
Swift language support has been updated to version 5.7, including the following features:
SE-0290: Unavailability Condition
SE-0335: Existential any
SE-0315: Support Type placeholders (formerly, “Placeholder types”)
SE-0345: if let shorthand for shadowing an existing optional variable
SE-0346: Lightweight same-type requirements for primary associated types
SE-0347: Type inference from default expressions
SE-0309: Unlock existentials for all protocols
SE-0336: Distributed Actor Isolation
SE-0326: Multi-statement closure parameter/result type inference
SE-0350: Regex Type and Overview
SE-0351: Regex builder DSL
SE-0354: Regex Literals
SE-0355: Regex Syntax and Run-time Construction
SE-0357: Regex-powered string processing algorithms
Kotlin Queries Alignment
To align Java and Kotlin, both JVM languages, several queries were incorporated and updated within Kotlin support to improve consistency and compatibility between the two languages when scanning.
New Queries
Kotlin_Low_Visibility
Use_of_Unsafe_JNI
Kotlin_Medium_Threat
Cleartext_Submission_of_Sensitive_Information
DoS_by_Sleep
Excessive_Data_Exposure
Frameable_Login_Page
Hardcoded_password_in_Connection_String
Improper_Locking
Missing_HSTS_Header
Missing_Secure_In_Code
Parameter_Tampering
Privacy_Violation
Reliance_on_Cookies_without_Validation
SSRF
Unsafe_Object_Binding
Kotlin_Spring
Spring_ModelView_Injection
Updated Queries
Kotlin_High_Risk
Deserialization_of_Untrusted_Data
Kotlin_Medium_Threat
Use_of_Hardcoded_Cryptographic_Key
Scala Queries Alignment
To align Java and Scala, both JVM languages, several queries were incorporated and updated within Scala support. Users can now experience greater consistency and compatibility between the two languages when scanning.
New Queries
Scala_High_Risk
Expression_Language_Injection_MVEL
Expression_Language_Injection_SPEL
Scala_Medium_Threat
Excessive_Data_Exposure
JWT_Lack_Of_Expiration_Time
JWT_No_Signature_Verification
JWT_Sensitive_Information_Exposure
JWT_Use_Of_Hardcoded_Secret
Spring_ModelView_Injection
Stored_Command_Injection
Unvalidated_Forwards
Scala_Low_Visibility
JWT_Excessive_Expiration_Time
JWT_Use_Of_None_Algorithm
Use_of_Unsafe_JNI
Updated Queries
Scala_Medium_Threat
Stored_External_XML_Entities_XXE
Use_of_Hardcoded_Cryptographic_Key
Removal of deprecated queries from Presets
The actions announced in the previous version are postponed to upcoming versions.
Beginning in the next version, 9.6.2, the following actions are planned:
Deprecated queries will be removed from the engine.
Queries from presets can be removed according to compliance standards updates.
All the changes will be properly communicated in advance in the Engine Pack release notes.
Warning
When performing the initial cleaning action (9.6.2), we will remove old queries and presets that have been deprecated for an extended period. This removal is permanent; once they are deleted, there is no rollback option to restore them.
This means that after upgrading to the version where queries and presets have been removed, downgrading to the previous version will not add back the queries or presets that were previously available. The removal is irreversible.
However, starting from version 9.6.2 and onward, any deletion that can occur is reversible and can be rolled back with the previous engine pack.
To ensure a smooth transition between versions and maintain essential functionalities, it is essential to thoroughly review release notes and documentation before upgrading to a version that involves removing queries or presets.
Actions to be executed in the upcoming version 9.6.2:
Deprecated queries are going to be removed from the presets according to the following list:
(Query Id, Query Name)
In addition, the presets Default and Default 2014 will be removed according to the following rules:
If the preset is unrelated to any projects, it will be removed.
If the presets are related to a project, they won't be removed.
Core
Regarding Core content and improvements, 9.6.0 includes all the previous content in engine packs 9.5.1 through 9.5.5 and a 20% performance improvement in incremental scans.
M&O Service
For M&O users, please note that this version does not support M&O: you will not be able to upgrade your SAST version, and the deployment process will be aborted. We are currently working on developing innovative enhancements. Please reach out to your TAMs to learn more.
CxSAST Application
New REST APIs
API Returning Information From The Audit Trail
The goal is to create several APIs to retrieve audit information from the database. The information concerns actions such as Create/Update/Delete/Import/Export on the presets, results, roles, and teams tables.
Request definition:
Included in version 5 of the REST API (SAST 9.6)
Requests created:
REST API - sast/presets/auditTrail
REST API - sast/results/auditTrail
REST API - sast/roles/auditTrail
REST API - sast/teams/auditTrail
Add a REST API endpoint for all the historical actions taken from the pathid
The goal is to retrieve the action history of a result path, identified by scanId and pathId, via the REST API.
Types of scans to consider for SOAP request compatibility:
Scan finished
Request definition:
Included in version 5 of API (SAST 9.6)
request: GET sast/scans/{scanId}/actionResults/{pathId}/labels
REST API for Query info
Added a REST API that provides the following information for a given preset:
Query Id
Query Name
Query Language
Query Source
Request definition:
Included in version 5 of the REST API (SAST 9.6)
Request:
GET /sast/presetDetails/{id}
Azure DevOps TFS using PAT
Added the ability to connect to a source control system using Azure DevOps (ADO) TFS.
Notice
Note: an Azure DevOps TFS repository is accessible only using a PAT (personal access token).
Updating SAST Web Portal Online Help Links
Includes the following updates:
On the SAST Portal, the button Services & Support was renamed to Support and linked to https://support.checkmarx.com
Added another button for Documentation that links to the SAST documentation page: https://checkmarx.com/resource/documents/en/34965-44074-checkmarx-sast.html
Supportability and Usability Improvements
The Checkmarx logo available in the User Interface has been updated according to the most recent company branding.
Added a more visible button to view vulnerability details on the scan results page.
Scan Cancellation: You can now cancel your own scans that are not complete or were accidentally initiated without requiring the permissions for deleting completed scans.
Swagger Link: Link to Swagger docs added to the SAST user interface.
Previously, the mandatory-comment configuration allowed you to define a comment as mandatory when the Result State changed to Not Exploitable. In 9.6.0, you can also define a comment as mandatory when the Result State is changed to Proposed Not Exploitable.
Define Engine Limit: You can now limit an engine to take scans of specific teams, projects, and jobs.
Filter for Grid: Added a filter feature. You can apply a filter to the grid by specifying it in the URL, while the address bar updates accordingly.
Saved UI Settings in Database: Your user interface settings are now saved in the database instead of in cookies, to prevent problems due to limited cookie sizes and to preserve your settings whenever you log in.
Added an option to Delete scans older than (X days) for more flexibility in data retention.
Notification for Offline Engine: Added an email alarm function that notifies you when an engine is offline; this is especially helpful when managing many engines.
Enhanced the license expiration details and HID information, in case the HID has changed and requires attention (the HID might be dynamic when dealing with VMs in a cloud environment).
Scans Queue Improvements: Scans without available engines now wait in the queue with an informative message instead of failing.
Mandating Custom Fields: Added the option to configure whether a project's custom field is mandatory during creation or editing. Legacy custom fields (created before 9.6.0) are kept optional, but they can be edited and marked as mandatory. When creating a new project, mandatory project custom fields must be defined; if they are not, a warning message is displayed and you cannot save the project. When editing a project, if a custom field is labeled mandatory, you will be requested to define the custom fields that are now mandatory.
The UI now enforces a full scan after 5 consecutive incremental scans to improve the accuracy of incremental scan results.
Results Viewer Enhancements: Results Viewer has been enhanced and includes more details, such as the number of results for each severity level (High, Medium, Low), in the Results tree.
An Include files and folders option has been added alongside the existing Exclude option, simplifying situations where most files and folders need to be excluded.
Scans no longer fail when triggering REST APIs where the parameters do not match the project settings, like where zip files are uploaded to a source control project (SVN) and vice-versa.
A new entry, MaxRequestsPerMinute, with a default value of 100 was added to the WebAPI web.config. Upgrading with this default value may result in significant API failures for enterprise clients. To maintain the previous behavior of unlimited requests, the value must be set to 0.
Dynamic Engines
Dynamic Engines create and destroy engines using Docker containers or VMs in any type of cloud network. This lets you handle scans dynamically and lets Kubernetes (K8S) manage the deployment in real time. You can take full advantage of your hardware, maximize the use of your machines (when not in use, the resources can be used for other purposes), and easily scale up the system when adding or replacing machines.
APIs Changes
REST API v5.0
The following APIs were changed to return a new output called IsMandatory:
[GET] GENERAL/customFields
[GET] GENERAL/projects
[GET] GENERAL/projects/{id}
The API [PUT] GENERAL/projects/{id} has been updated to return an error if not all mandatory custom fields are defined.
Result Viewer column filter by not contains
Results Viewer has been improved and now includes a new allowed filter: not contains.
In addition, the following screens also take advantage of the new filter:
Dashboard -> Project States
Dashboard -> Failed Scans
Projects & Scans -> Queue
Projects & Scans -> Projects
Projects & Scans -> Projects -> View Project Scans
Projects & Scans -> All Scans
Projects & Scans -> All Scans -> Open Result Viewer
Settings -> Scan Settings -> Preset Manager
Settings -> Scan Settings -> Pre & Post Scan Actions
Settings -> Scan Settings -> Source Control Users
Settings -> Application Settings -> Installation Information
Settings -> Application Settings -> Issue Tracking Settings
Enhanced Failed Scans and Project State dashboards
The Failed Scans dashboard screen has been improved with:
a new Team Name column that allows you to consult the team responsible for each project.
a new link to the Project Name that redirects you to the Project State page filtered by the selected project.
The following CxPortal displays were improved and now show the DATE in seconds in addition to hours and minutes:
Dashboard -> Projects State (Last Scan Date)
Dashboard -> Failed Scans (Scan Date)
Projects & Scans -> Queue (Queued Date)
Projects & Scans -> Projects (Last Scanned)
Projects & Scans -> All Scans (Scan Date & Scan Complete)
Projects & Scans -> All Scans -> Click on Open Viewer for any scan (Detection Date)
Projects & Scans -> Projects -> Click on View Project Scans for any project (Scan Date & Scan Complete)
Both the Failed Scans and Projects State dashboards are improved and now use all the available space in the window, so you no longer need to scroll down the list to view the data.
Multi-select severity and Result State in the results filter in the viewer
Starting in 9.6.0, it's possible to filter the scan results in the Result Viewer by applying multiple severities and states at once.
The following screens have also been affected by this change:
Dashboard -> Project States
Dashboard -> Failed Scans
Projects & Scans -> Queue
Projects & Scans -> Projects
Projects & Scans -> Projects -> View Project Scans
Projects & Scans -> All Scans
Projects & Scans -> All Scans -> Open Result Viewer
Settings -> Scan Settings -> Preset Manager
Settings -> Scan Settings -> Pre & Post Scan Actions
Settings -> Scan Settings -> Source Control Users
Settings -> Application Settings -> Installation Information
Settings -> Application Settings -> Issue Tracking Settings
Thousands Separator
Large numbers without separators are difficult to read quickly, and the SAST GUI did not include separators between thousands or millions. Therefore, we changed how the Scan Size is displayed to include the thousands separator defined in the operating system configuration, shown in the following option path:
Settings -> Application Settings -> Engine Management -> Scan Size
LOC (number) represented using a thousands separator
For the same reason, we changed how the LOC is displayed to include the thousands separator defined in the operating system configuration, shown in the following option path:
Projects and Scans -> All Scans (LOC field)
Access the CxSAST Reporting Service through the CxPortal
A new button allowing access to the CxSAST Reporting Service User Interface is now visible in CxPortal (next to the CodeBashing button).
If Reporting Service is not installed, the button is unavailable in the CxPortal.
If Reporting Service is installed:
Once you log in to the CxPortal, a button to access Reporting Service becomes available;
By clicking on the button, you are redirected to the CxSAST Reporting Service User Interface;
A login is not requested when accessing the CxSAST Reporting Service User Interface;
When the CxSAST Reporting Service UI is displayed, your actions are determined by the Reporting Service permissions assigned to you.
To enable this feature, CxReportingService 3.0.2 must be installed.
CxSAST Access Control
Multi-factor Authentication
IP Restrictions - an allowed list of permitted IPs can be set, and all others will be blocked.
A password complexity policy mechanism has been added, allowing users to define several security levels, password length and structure, password expiration period, trusted browsers, the lockout period for locked users, and more.
Audit Trail (DB) and logs now show more detailed information about user activity.