Version 3.9
Multi-Tenant release date: March 19, 2024
New features and enhancements
Analytics module improvements
A new set of permissions has been implemented for using different Analytics dashboards.
A tooltip with the following disclaimer has been added to the Analytics Insights section: "Analytics data is available starting from December 2023. Projects scanned before this date will not be included until re-scanned. Subsequent data alignment occurs with each project or application's first scan post-December 2023."
SCA Improvements
SCA Risk Management
We have improved the handling of Risk Management for vulnerabilities identified by the SCA scanner. You can now change the state of all SCA vulnerabilities and Supply Chain risks to any of the following states: To Verify (default), Not Exploitable, Proposed Not Exploitable, Confirmed, or Urgent. Whenever you make a state change, you are required to add a comment explaining the rationale behind the change. In addition, there is an option to add a comment without making a state change.
When a state change is made, a red dot next to the Risks tab indicates the need for a recalculation in order to update the risk counters to reflect the changes. State changes are automatically applied to the identical risk if it is identified in subsequent scans of that project.
State changes can also be made via API, as documented here.
Support for VB.NET
We expanded our support for the NuGet package manager to include VB.NET projects that use *.vbproj manifest files.
Android Coverage
Improved coverage for Android projects.
Resolved issues
The Gitignore configuration caused all files to be excluded from the scan.
Project Migration failed to display repositories for GitHub users.
An exception occurred during scanning: "Stream was too long."
A manual refresh (F5) was required for changes in state to be reflected in the UI.
The SCA Packages tab displayed a malicious package even when corresponding risks were marked as "Not Exploitable."
The HideDevAndTestDependencies feature failed to conceal vulnerabilities and licenses in the generated SBOM.
The "state" did not match "isIgnore," leading to discrepancies in the UI.
A 3-second timeout in GraphQL for packages-search was inadequate for larger projects.
Changes in risk state were visible only after refreshing the page.
Scans could be deleted via direct API call while the scan was still running, resulting in zombie scans and blocking new scans from initiating.
From the Applications tab, the project menu (accessible via three-dot icon) couldn't open.
An error occurred when attempting to add a previously deleted project to an application.
The X.509 certificate contained "CN=organization" instead of the realm name.
The Application Risk Management dashboard failed to update.
The Project Results page displayed with a non-existent branch.
The ScaRealtime scanner in VS Code only calculated results for zipped source code.
A query compilation error occurred when changing pages.
The API UI only returned the latest configured SCM (by type).
Rules could not be added in the project's settings.
The Scan Report returned the wrong branch name.
Instead of displaying an error, the UI kept loading when unauthorized methods were used.