Skip to main content

Version 3.0

Multi-Tenant release date: October 29, 2023

New features and enhancements

SAST engine upgrade

The SAST engine in Checkmarx One has been upgraded to version 9.6.1.

SCA Policy Management

Notice

Checkmarx One Policies enable users to apply customized security rules to their projects in order to easily identify projects that are non-compliant with these self-defined thresholds. Policies can also be configured to automatically break builds upon policy violation.

We added the ability to create custom policy rules based on results identified by the SCA scanner. The following types of SCA conditions can be configured:

  • Packages Conditions - conditions related to the open source packages used in the project, e.g., malicious packages, outdated packages, specific package names etc.

  • Vulnerability Conditions - conditions related to the vulnerabilities effecting the open source packages in your project, e.g., severity thresholds, specific CVEs or CWEs, vulnerabilities with an Exploitable Path etc.

  • Supply Chain Risk Conditions - condition related to identifyin supply chain risks of specified severity thresholds.

  • License Conditions - conditions related to packages with specific licenses or license risk thresholds.

For more information about the types of SCA conditions that can be created, see ???.

For more information about creating Checkmarx One policies, see Policy Management.

Displaying Lines of Code on Scan Management page

We have introduced a new LOC (Lines of Code) column to the Scan Management page, enhancing the scan overview.

This feature is essential for users seeking a comprehensive view of their scans, enabling them to promptly spot gaps or missing data, ensuring a thorough analysis.

CLI version in debug log

Users can now easily identify the running version of the CLI when inspecting debug logs from the CI/CD pipeline. The CLI version is conveniently displayed as the first line in the debug log, making it a valuable aid for troubleshooting CLI-related problems.

Viewing Checkmarx One version via API

Users can access the latest version of the deployed Checkmarx One environment through a new API endpoint ast_version. This is very helpful for various purposes, including system monitoring, ensuring compatibility with other components, and tracking changes or updates in the environment.

SCA Updates

Sysdig Integration

We have implemented a new integration with Sysdig for identifying runtime usage of container packages. This provides important insights for prioritizing remediation activities.

Once the integration has been configured for your account, you will see a new column Runtime Usage in the Containers Packages tab (under SCA results) indicating which packages are used in runtime. In addition, in the Containers Vulnerabilities tab, runtime usage will be shown as a Risk Factor for specific vulnerabilities.

Notice

This integration is only available for accounts that have a Sysdig license. To set up the integration, please contact your account manager and provide them with your Sysdig Risk Spotlight token.

Exploitable Path Queries

We improved the performance of Exploitable Path scans for Java projects. The updated queries yield more complete results while cutting the scan time by as much as half.

SCA Resolver Version 2.4.8

We released a new version of SCA Resolver with the following improvements:

  • For Yarn, scripts that are defined on package.json are now ignored.

  • For Swift, lock file version 2 is now supported.

Download the new version here.

CLI and Plugins Release of October 2023

CLI Version 2.0.60

Status

Item

Description

FIXED

Sort results

We now sort results by severity from high to low (instead of low to high). This ensures that even in edge cases that exceed the supported number of results (10k), the most important results won't be missed.

FIXED

PDF failures

Fixed issue that requesting report status had been causing PDF reports to fail.

CLI Version 2.0.59

Status

Item

Description

UPDATE

Debug mode

In debug mode, the CLI version is now shown in the logs.

FIXED

Exploitable path

Fixed issue that when --sca-exploitable-path was submitted as false you were nonetheless required to run the SAST scanner.

FIXED

Contributor count

Fixed issue that running contributor count when empty had been causing an error.

FIXED

Policy violations

Fixed issue that when checking for policy violations times out it had been causing the scan to fail.

CLI Version 2.0.58

Status

Item

Description

FIXED

SCA results

Fixed issue that PDF reports hadn't been including SCA results unless specified explicitly.

FIXED

SummaryJson report

Fixed issue with creating a summaryJson report for a scan that hasn't yet completed. Instead of returning an error, the report is now created with a label indicating that the scan hadn't completed.

CI/CD Plugins

In October we released the following CI/CD plugin versions.

  • GitHub Actions - 2.0.21 (uses CLI v2.0.58)

  • Azure DevOps - 2.0.27 (uses CLI v2.0.60)

  • TeamCity - 2.0.20 (uses CLI v2.0.60)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Results summary

GitHub Actions

We now return an unlimited number of results in the results summary (had been limited to 10k).

NEW

Ignore Proxies

GitHub Actions, TeamCity

Added an environment variable, "CX_IGNORE_PROXY", for ignoring proxies. Mark the variable as true to ensure that all Checkmarx One CLI commands run directly from the local machine.

NEW

Scan ID

Azure DevOps

Added an output variable CxOneScanId, which can be used to reference the scan later on in the pipeline, e.g., to generate a report.

UPDATE

CLI version

GitHub Actions, TeamCity

Updated CLI code to GO version 1.21.1 in order to remediate a vulnerability.

UPDATE

Included files

GitHub Actions, TeamCity

Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning).

FIXED

Policy violations

Azure DevOps

Fixed issue that when checking for policy violations times out it had been causing the CLI to return a fail status.

IDE Plugins

In October we released the following IDE plugin version:

  • VS Code - 2.5.0 (uses CLI v2.0.57)

Improvements and Bug Fixes

Status

Item

Platform

Description

FIXED

KICS Auto Scanning

VS Code

Fixed issue that KICS Auto Scanning had been running even when the feature was disabled.

FIXED

Libraries update

VS Code

Updated for CLI version that uses GO version 1.21.1, in order to remediate a vulnerability.

IDE Plugin Quick Links