Checkmarx SCA Release Notes January 2022
We are excited to announce important improvements in our Checkmarx SCA web application…
Key improvements
ChainJacking Risks
Checkmarx SCA now identifies Supply Chain risks for packages that are vulnerable to ChainJacking.
ChainJacking is when an attacker takes control of a renamed GitHub repository and hijacks its open-source packages in order to serve malicious code through those packages. Any package that stores its code in a renamed GitHub repository is vulnerable to this type of attack. See full documentation here.
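As an added illustration of the exposure described above (example code, not part of Checkmarx SCA or this release), the check below flags manifest entries whose declared GitHub repository now redirects to a different owner/name, which is the condition that leaves the old name open to takeover. The manifest, the redirect table and `demo_resolver` are constructed stand-ins; a real resolver would follow the redirect of https://github.com/owner/name and compare the final URL.

```python
"""Flag dependencies whose declared GitHub repository has been renamed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Finding:
    package: str
    declared_repo: str  # owner/name as declared in the package's metadata
    current_repo: str   # owner/name GitHub now serves for that path


def parse_github_repo(url: str) -> Optional[str]:
    """Return 'owner/name' (lower-cased) from a GitHub URL, or None if not GitHub."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    name = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parts[0]}/{name}".lower()


def find_chainjacking_exposure(manifest: Dict[str, str],
                               resolve_repo: Callable[[str], Optional[str]]) -> List[Finding]:
    """manifest maps package -> repository URL; resolve_repo(owner/name) returns the
    owner/name GitHub currently serves for that path (after redirects), or None."""
    findings = []
    for pkg, url in manifest.items():
        declared = parse_github_repo(url)
        if declared is None:
            continue  # not hosted on GitHub; out of scope for this check
        current = resolve_repo(declared)
        if current is not None and current != declared:
            findings.append(Finding(pkg, declared, current))  # renamed: old name exposed
    return findings


# Constructed sample data (hypothetical packages and repositories).
SAMPLE_MANIFEST = {
    "left-widget": "https://github.com/oldorg/left-widget.git",      # repo was renamed
    "stable-lib": "https://github.com/Acme/stable-lib",              # unchanged
    "internal-tool": "https://git.example.com/team/internal-tool",   # not GitHub
}
SAMPLE_REDIRECTS = {"oldorg/left-widget": "neworg/left-widget"}


def demo_resolver(repo: str) -> Optional[str]:
    """Stand-in for a GitHub redirect lookup; unknown paths resolve to themselves."""
    return SAMPLE_REDIRECTS.get(repo, repo)
```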
Plugin Support for Checkmarx SCA Resolver
The Checkmarx plugins for Jenkins and Azure DevOps now support integration with Checkmarx SCA Resolver.
Notice
Checkmarx SCA Resolver is a Checkmarx tool that enables you to resolve and extract dependencies and fingerprints from your source code locally and send the data to the Checkmarx SCA cloud platform for risk analysis.
For Jenkins integration procedures, see “Configuring the Jenkins Plugin for Scanning” here.
For Azure DevOps integration procedures, see “Adding a Checkmarx SCA Scan Project” here.
Checkmarx SCA Resolver Updates
We released Resolver version 1.5.71 with the following improvements:
When Checkmarx SCA Resolver runs a scan with Exploitable Path, the Project settings are automatically updated to activate Exploitable Path on the Project level. (Previously, EP needed to be activated for the Project before it could be run in Checkmarx SCA Resolver.)
For sbt, we no longer change the .sbtopts file in order to force dependency resolution through Ivy. Dependencies will be resolved using the customer’s sbt resolver.
Download the latest version of Resolver here.
Improvements
Status | Item | Description |
---|---|---|
UPDATE | Pip dependency tree | Pip now uses a new tree converter to create the dependency tree. |
UPDATE | Exploitable Path | Improved scan times for large Exploitable Path scans. |
UPDATE | Unresolved packages | Improved handling of unresolved packages. |
Bug Fixes
Status | Item | Description |
---|---|---|
FIXED | Vulnerability identification | Removed mistaken matches for log4j vulnerabilities. |
FIXED | iOS package release dates | Fixed an issue where release dates for some CocoaPods packages were inaccurate. |