
CxPS Release Internal Note (v3.0.0)

Notice

IMPORTANT NOTE

  • This is an internal page for Checkmarx only, and should not be shared with customers, prospects, or partners.

  • Updates in this version are not final and therefore subject to change.

The following release updates are available for CxIAST version 3.0.0. Use the search tool to find a specific subject.

New Features and Changes

CxIAST version 3.0.0 includes the following new features and changes:

Each entry below gives the category, the feature, the documentation page changed for it (where applicable), and any additional information.

Category: Setup & Configuration

  • Version upgrade: If you have version 2.6.1 or below installed, you must clean the DB and uninstall that version before installing v3.0.0.

  • Docker Deployment - Running CxIAST Server in a Docker container.

  • CxIAST Server in AWS (for POC) - New process that allows running a POC in AWS (details to be shared soon).

Category: Action Ability and Usability

Agent Tags: New parameters used during agent deployment:

  • Application tag - Adds a tag to an application. This makes it possible to differentiate between two applications with the same name, or to filter easily in the user interface (e.g., Application_1 will be Checkmarx:Application_1).

  • Scan tag - Adds a tag to a scan. This makes it possible to differentiate between two tests and to relate a scan in CxIAST to a build version or test name. The scan tag is shown per scan in the scan list table.

  • Team name - Allows a team to be attached automatically to any application discovered by the agent.

Change to Documentation: Setting up and Configuring the CxIAST Java Agent on the AUT Environment (v3.0.0 to v3.1.0)

Vulnerability Actions:

  • View and Add Comments - Comment on a specific vulnerability, view earlier comments, and view the log of past activities (state, status or severity change, user assignment and state suggestions).

  • Change Severity - Allows changing the severity of a specific vulnerability.

  • Suggest and Approve State - New change-state flow. Depending on permissions, some users can only suggest a new state, while privileged users can approve the suggestion.

Change to Documentation:

  • Adding a Comment to a Vulnerability (v3.0.0)

  • Changing the Severity of a Vulnerability (v3.0.0)

  • Changing and Approving the State of a Vulnerability (v3.0.0)

Import Scans: Allows importing scans from one project to another. This makes it possible to monitor two versions of the same application by transferring existing scan information from the old version to the new version.

Change to Documentation: Importing Scans (v3.0.0)

Node.js – GA Version

Version Highlights:

  • GA version – Full agent capabilities

    • Major performance improvements

    • Auto update

    • Analysis mode

    • Agent logs export

    • SSL support

    • Custom instrumentation

  • Supported versions: Node.js 6 and above

  • Supporting all Web frameworks

  • ECMAScript 6 and below

Supported databases: MongoDB, MySQL and PostgreSQL

Supported Vulnerabilities:

  • Command Injection

  • Deserialize Vulnerability

  • LDAP Injection

  • SQL Injection

  • Second Order Command Injection

  • Second Order LDAP Injection

  • Second Order SQL Injection

  • Second Order XPath Injection

  • Sensitive Data Exposure Credit Card

  • Session Id Disclosure

  • Stored XSS

  • XPath Injection

  • XSS

  • App DOS Database Connections

  • Blind SQL Injection

  • CSRF

  • Failed Login Without Audit

  • Log Forging

  • Open Redirect

  • Path Traversal

  • Second Order Path Traversal

  • Sensitive Data Exposure Email

  • Insecure Cookie

  • Insecure Outgoing Communication

  • Least Privilege Violation

  • Outgoing Connection Discovery

  • Successful Login Without Audit

  • Weak Cryptography

  • Weak DB Password

  • Weak Hashing

  • Weak Random

  • Application Entry Point

  • CORS

  • Click Jacking

  • Missing X Content Type Options Header

  • Missing X XSS Protection Header

  • Sensitive Data Exposure Long Number

Change to Documentation: Setting up and Configuring the CxIAST Node.js Agent on the AUT Environment (v3.0.0 to v3.1.0)

C# - GA Version

Version Highlights:

  • Major performance improvements

  • SSL support

  • Supported frameworks: .NET Framework version 3.5 and above

  • Web servers supported: IIS and IIS Express

  • Any Web applications or REST/SOAP applications

Supported Vulnerabilities:

  • Command Injection

  • LDAP Injection

  • SQL Injection

  • Second Order Command Injection

  • Second Order LDAP Injection

  • Second Order SQL Injection

  • Second Order XPath Injection

  • Sensitive Data Exposure Credit Card

  • Session Id Disclosure

  • Stored XSS

  • XPath Injection

  • XSS

  • Insufficient Session Expiration

  • Log Forging

  • Open Redirect

  • Path Traversal

  • Second Order Path Traversal

  • Sensitive Data Exposure Email

  • Insecure Cookie

  • Insecure Outgoing Communication

  • Least Privilege Violation

  • Outgoing Connection Discovery

  • Weak Cryptography

  • Weak DB Password

  • Weak Hashing

  • Weak Random

  • Application Entry Point

Change to Documentation: Setting up and Configuring the CxIAST C# Agent on the AUT Environment (v3.2.1 to v3.3.3)

CxIAST User Guide (.pdf)

Change to Documentation: CxIAST Software Documentation

Additional Information: Checkmarx CxIAST Setup and User Guide v3.0.0.pdf

Known Limitations

Limitations are listed by category (agent):

.NET Agent

  • C# and ASP.NET only

  • Missing capabilities (compared to Java)

    • Query customization is performed manually (not from the UI)

    • SAST Correlation

    • Code Coverage

Node.js agent

  • Node.js v10 is not supported

  • Missing capabilities (compared to Java)

    • SAST Correlation

    • Code Coverage

Java agent

Java 11 is not supported

Supported Environments

The following environments have been tested with CxIAST version 3.0.0:

Operating System

  • Windows 10 (or higher)

  • Windows Server 2012 (or higher)

  • Linux - any official Linux distribution (excl. macOS)

SQL Server

  • SQL Server 2012

  • SQL Express is supported, but as it is targeted at small-scale installations it is not recommended.

Browsers

  • Microsoft Edge

  • Google Chrome 43 (or higher)

Build Servers

  • Jenkins 2.91 (or higher)

Supported Code Languages

The following code languages can be scanned using CxIAST version 3.0.0. Each entry gives the language and version, the supported OS, and the supported application servers:

  • Java 6 (or higher) - Windows or Linux - Application servers:

    • Apache Tomcat v7 (or higher)

    • Jetty v8 (or higher)

    • JBoss EAP v7 (or higher)

    • Wildfly v10.1 (or higher)

    • WebLogic Server 12cR2

    • Eclipse Vert.x v3.1 (or higher)

    • WebSphere Liberty 18 (or higher)

    • WebSphere Traditional 9 (or higher)

    • Payara 5

  • .NET framework 3.5 (or higher) - Windows or Linux - Application servers: IIS, IIS Express

  • Node.js version 6 (or higher) - Windows or Linux - Application server: Not Applicable
