Skip to main content

Checkmarx SCA Release Notes April 2024


These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.


The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated on July 7. They have been replaced by the new Management of Risk API, which supports applying the new set of states and adding comments. We recommend migrating to the new API well in advance of the July 7 deadline.


Versions of SCA Resolver prior to 2.5.15 won't be supported after July 7. After that date, older versions will no longer be able to run Container scans. Download links for newer versions are available here.

We recommend always keeping up to date with the latest version of SCA Resolver, in order to benefit from the latest features as well as ongoing performance improvements and bug fixes.

Showing EPSS Score

We now show the EPSS (Exploit Prediction Scoring System) scores provided by First for vulnerabilities. This score is a data-driven estimate of the likelihood that this vulnerability is being exploited. It is a dynamic score that changes over time based on identified exploitation activity and various other factors. The score is presented as a percentage (indicating the likelihood of the vulnerability being exploited within the next 30 days), and also as a percentile (indicating the ranking of this risk relative to other vulnerabilities).

EPSS scores are shown on the scan results screens for SCA vulnerabilities.

In addition, EPSS score is shown in the AppSec Knowledge Center vulnerability data.

Detection Date

In the Scan Results > Risks tab, we now show the "Detection" date. This is the date that the vulnerability was first identified in the project that you are viewing. For vulnerabilities that were first identified in the scan that you are viewing, the NEW label is shown next to the date. You can alternate between showing the "Publication" date and the "Detection" date by clicking on the column header.

Legal Risk

We fundamentally changed the way that we handle legal risks. Instead of listing all Licenses in the Vulnerabilities > Legal Risk section, we now show a separate tab with a list of all licenses identified in the project. In the Vulnerabilities > Legal Risk section, we now show only the following types of legal risks:

  • Risky effective license - A license with medium or high severity License Score is marked as Effective for this package.

  • Package with no effective license - There is an open source package in your project for which no license has been marked as Effective.

  • Package with no license - Checkmarx didn't identify any licenses associated with this package.

Support for Perl

Added support for Perl using cpan package manager.


Languages/Frameworks: Perl

Repository: Cpan

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with are required)




cpanfile, spcanfile.snapshot

SCA Resolver Version 2.7.2 (Apr 18, 2024)

  • Added support for extracting .gz archives that contain .tar folder using the --extract-archives flag.

Download the new version here.