
Checkmarx SAST Vulnerability Integration with ServiceNow - Change Log

The following table lists the features and changes implemented for the plugin with the relevant version release. To obtain the plugin, go to the ServiceNow store.

Plugin Version

Changes / Features

Additional Information

1.0.27

September 2024

  • Checkmarx Application Vulnerable Item Integration will fetch findings using the paginated API if the SAST version is 9.5 HF22 or 9.6 HF12 (for other supported versions, all scan findings will be fetched at once using an XML report).

  • The Project Custom Field filter will be present on the Configuration Page to filter Projects using their Custom Field.

  • Scans can be imported using a Project Custom Field (ScanIDs added to a Project Custom Field in CxSAST must have a name containing Scan).

  • The path ID information of CxSAST findings has been mapped to the AVIT table in the Location field.

  • To get Fixed findings from CxSAST Delta API, we will compare the old scanId present in ServiceNow with the project's latest ScanID.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, 9.6 HF5. For Result API with Pagination: 9.5 HF22 and 9.6 HF12.

SCA Support: Supported

SNOW Compatibility: Washington, Vancouver, Utah, Xanadu.

1.0.25

August 2024

  • The Audit Trail API will be configurable in the Configuration Page.

  • If available in Checkmarx SCA, the exploitable path status for an SCA finding will be mapped to the Source Notes of the AVIT table.

  • Save and Test Credentials will validate the required permissions of users.

  • A skipped ScanID due to any error will be logged in the Application Vulnerability Scan Summaries Table.

  • The report generation time in Application Vulnerability Item Integration will be reduced.

  • The processing time for fixed vulnerabilities was reduced.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, and 9.6 HF 5 or later.

SCA Support: Supported

SNOW Compatibility: Washington, Vancouver, and Utah.

1.0.24

July 2024

  • Information regarding ScanID skipped due to a large payload size can be found in the Application Vulnerability Scan Summaries table.

  • Optimizations in the Checkmarx Scan Summary Integration and Checkmarx Application Vulnerable Item Integration to reduce data retrieval time.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, and 9.6 HF 5 or later.

SCA Support: Supported

SNOW Compatibility: Washington, Vancouver, and Utah.

1.0.23

May 2024

  • SAST Projects can be filtered by ID or Name.

  • Added a specific Checkmarx Team exclusion filter field.

  • Scans with XML attachment size greater than 18 MB will be skipped in the Integration Run, and the ScanID will be logged in the System Logs.

  • SAST and SCA integration can be run in parallel once configured in the Configuration Page.

  • Path node details of Findings will appear in the Description column of the AVIT table.

  • The destination node of the Findings will appear in the Vulnerable Method column of the AVIT table.

  • DevOps Integration can be run by adding the Project Name and ID.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, 9.6 HF 5

SCA Support: Supported

SNOW Compatibility: Washington, Vancouver, Utah, and Tokyo

1.0.21

March 2024

  • Addition of a SCA deltas result API. Risks that have been closed or marked as Not Exploitable in SCA will appear as Closed in ServiceNow.

  • Bugs Fixed:

    • CxSAST results - Duplicate entry of node information appears in Vulnerability Explanation Field in the AVIT Table.

    • CxSAST results - Project data is not imported if the token expires during the fetching of the project batch.

    • CxSAST results - AVITs were not created in ServiceNow due to missing snippet details in XML.

    • SCA results - SCA API using MID Server to establish a connection.

    • SCA results - Integrations picking the deleted project details.

  • Washington DC support.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, 9.6 HF 5

SCA Support: Supported

SNOW Compatibility: Washington, Vancouver, Utah, and Tokyo

1.0.19

February 2024

  • LOC (Lines of Code) information in the SNOW Static Scan Size column of the Application Vulnerability Scan Summaries table.

  • SAST Unique Identifier, Similarity Id, and Hash of PathNode (Line + Column + FileName), mapped into the Source AVIT ID in SNOW.

    • Existing AVITs in SNOW were updated to the new unique identifier.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, 9.6

SCA Support: Supported

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.18

January 2024

  • In ServiceNow, the vulnerabilities result state changes to closed when resolved in SAST.

    • Available on SAST 9.5

  • If there is a Business Application or Application in the SAST project’s Custom Fields, this information will be mapped to the Business Application column of the Discovered Application and Application Vulnerability Item tables on SNOW.

  • SAST project’s Custom Fields are mapped to the Source Additional Info column in the Discovered Application table on SNOW.

  • You may filter up to 10 custom Result States when synchronizing between SAST and SNOW.

  • Added support for SCA Standalone. Three new integrations were added to synchronize SCA projects, scans, and results to SNOW.

    • Checkmarx SCA Application List Integration: Synchronize the project details and map them to the Discovered Application table on SNOW

    • Checkmarx SCA Scan Summary Integration: Synchronize the last scan of a project and map it to the Application Vulnerability Scan Summaries table on SNOW

    • Checkmarx SCA Application Vulnerable Item Integration: Synchronize the results of the last scan of a project and map them to the Application Vulnerability Item table on SNOW

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF14 or later, 9.6

SCA Support: Supported

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.17

January 2024

  • Bug fixes

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.16

December 2023

  • Added new DevOps Integration which will permit users with the DevOps Change Velocity license to view third-party scan summaries from Security Operations in DevOps.

    • This integration is listed in the Vulnerability Integrations [sn_vul_integration_list] table.

    • There is no impact on existing Application Vulnerability Response.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.15

December 2023

  • Bug fixes

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.14

December 2023

  • Bug fixes

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.13

  • Synchronization of a specific list of projects (you can add up to 10 projects at a time on the Configuration page to filter out projects in the Application Release Table).

  • Addition of branch project in the plugin (Branched project is now mapped to a project list)

  • Custom States will be mapped to SNOW.

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.12

  • Bug fixes

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.11

  • SNOW Vancouver compatibility

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: Vancouver, Utah, and Tokyo

1.0.10

  • The Scan Summary Name column includes scanId, the Last Scan date in AVIT, and the Scan Summary Table.

  • Added OWASP Top 10 and SANS 25 information for SAST vulnerabilities in the OWASP and Short Description columns of the Application Vulnerability Entry Table (sn_vul_app_vul_entry.LIST).

Supported SAST Versions: 9.4 HF23 or later, 9.5 HF5 or later, 9.6

SNOW Compatibility: San Diego, Utah, and Tokyo