Version 3.12
Multi-Tenant release date: May 5, 2024
Caution
Version 3.11 was not released for use.
New features and enhancements
Caution
Some of these features are being rolled out gradually. Therefore, not all of the changes will be available immediately in your environment.
Net New Vulnerabilities Policy
Users can now fail builds or block merges when a new vulnerability is discovered in a specific pull request. To define this rule, use the new checkbox Net New Vulnerabilities in the Rules section of the Create Policy dialog.
If Net New Vulnerabilities is selected, users can also specify the severity level of the new vulnerability to which this rule applies: Critical, High, Medium, and/or Low. This new option can be applied to all scanners or to specific scanners.
Query Editor
We have redesigned the Query Editor UI, further improving user flows and query organization.
Code Repository Integration via API
It is now possible to create new Code Repository Integration projects via REST API. This is done by setting up an integration with your SCM and creating a Checkmarx One project for each repo that you would like to scan. There is also an API for monitoring the status of the import process. See documentation
Note: This is currently supported only for GitHub repos.
Specify Compliance Standards
You can now specify which compliance standards to include in the scan results. When this is configured, the Compliance section in the Project Overview page will only show results for the specified compliances. The Results Summary API will also return results only for the specified compliances.
This can currently only be set via the Scan Configuration API (not in the UI) and only on the tenant level (not for specific projects).
Application Risk Management Improvements
To provide a more comprehensive and precise assessment of an application's risk, the algorithm for calculating the overall risk score has been updated. Instead of averaging the 50 risk scores, it now uses this formula:
Half of the score is based on the application's criticality level, as specified by the user during application creation or editing. This scale, ranging from 0 to 5, is converted to a scale of 0 to 10 by multiplying by 2.
The other half is derived from the average of 50 individual risk scores.
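Written out as an equation (an added rendering, not part of the original release notes): with $C$ the criticality level on the 0 to 5 scale and $\bar{r}$ the average of the individual risk scores, which the text implies are on a 0 to 10 scale (an assumption here), the overall score is

$$S = \tfrac{1}{2}\,(2C) + \tfrac{1}{2}\,\bar{r} = C + \frac{\bar{r}}{2}, \qquad 0 \le C \le 5,\; 0 \le \bar{r} \le 10 \;\Rightarrow\; 0 \le S \le 10.$$

So the criticality half contributes at most 5 points and the averaged risk scores at most 5 points, which is why both halves are brought onto the same 0 to 10 scale before being combined.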
To enable users to leverage a comprehensive set of interconnected data, which includes exploitability, public exposure, and usage in highly trafficked microservices, correlated results are now integrated into the Risk Management feature.
Scan Reports Improvements
A wizard-style area has been implemented on the Analytics page to support the definition and generation of scan reports, complete with an intuitive and efficient one-click reporting flow. See documentation
To enhance the Checkmarx SAST report generation via API, customizable options have been introduced for selecting specific vulnerability states and severity levels, providing users with a more refined and targeted reporting experience. There is also a new API for generating these reports, see API documentation.
Redesigned Projects Page
This release features a fully redesigned Projects page with the following key enhancements:
New Look & Feel: A modern and intuitive design, making it easier for you to navigate and get the scanner results you need.
Improved Performance: Faster loading times and smoother interactions, ensuring a seamless experience every time you view the projects page.
Enhanced Features: New functionalities for sorting, filtering, grouping and other grid manipulations.
See documentation
Integrations Page
The Integrations page has been split into Integrations and Plugins.
Unlimited Project Imports
Previously, users were limited to importing up to 75 projects at a time, causing delays, particularly for enterprise customers with extensive repositories. To address this, we've implemented a non-blocking thread, enabling imports to run concurrently in the background while customers are working with Checkmarx One. Additionally, we now offer support for unlimited repositories, enhancing the onboarding experience for enterprise customers managing hundreds of repositories.
SCA Improvements
Caution
Some of these features are being rolled out gradually. Therefore, not all of the changes will be available immediately in your environment.
Warning
We are in the process of rolling out a new comprehensive Management of Risks service for the SCA scanner which will replace the current service. The new APIs are documented in Checkmarx SCA (REST) API - Management of Risk. The current APIs IgnoreVulnerability and UnignoreVulnerability, as well as other non-documented APIs using the old risk-management service, will be deprecated soon. For more info, feel free to contact your Technical Account Manager.
Changed Name of "Supply Chain" Risks
The category of risks that had been referred to as "Supply Chain" is now referred to as "Suspected Malware", which more accurately expresses the nature of the risk. This is reflected in the section title and icon on the All Risks page as well as in all places where the category name is used.
In addition, the package metrics that had been titled "Supply Chain Analysis" are now titled "Package Reliability Indicators".
Showing EPSS Score
We now show the EPSS (Exploit Prediction Scoring System) scores provided by FIRST for vulnerabilities. This score is a data-driven estimate of the likelihood that the vulnerability is being exploited. It is a dynamic score that changes over time based on identified exploitation activity and various other factors. The score is presented as a percentage (indicating the likelihood of the vulnerability being exploited within the next 30 days), and also as a percentile (indicating the ranking of this risk relative to other vulnerabilities).
EPSS scores are shown on the scan results screens for SCA vulnerabilities.
In addition, EPSS score is shown in the AppSec Knowledge Center vulnerability data.
Detection Date
In the Scan Results > Risks tab, we now show the "Detection" date. This is the date that the vulnerability was first identified in the project that you are viewing. For vulnerabilities that were first identified in the scan that you are viewing, the NEW label is shown next to the date. You can alternate between showing the "Publication" date and the "Detection" date by clicking on the column header.
Legal Risk
We fundamentally changed the way that we handle legal risks. Instead of listing all Licenses in the Vulnerabilities > Legal Risk section, we now show a separate tab with a list of all licenses identified in the project. In the Vulnerabilities > Legal Risk section, we now show only the following types of legal risks:
Risky effective license - A license with medium or high severity License Score is marked as Effective for this package.
Package with no effective license - There is an open source package in your project for which no license has been marked as Effective.
Package with no license - Checkmarx didn't identify any licenses associated with this package.
See documentation
Support for Perl
Added support for Perl using the cpan package manager; see here.
Language | Languages/Frameworks | Repository | File Types |
---|---|---|---|
Perl | Perl | Cpan | none |

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files |
---|---|---|---|
Cpan | | | |
SCA Resolver Version 2.7.4 (May 13, 2024)
Added support for the Cpan package manager for Perl projects. For more information, see here.
For Maven, added support for omitted package versions.
For Go, fixed an issue where Go packages were not scanned when executing on Windows.
Download the new version here.
CLI and Plugins Releases of May 2024
CLI Version 2.1.4
Status | Item | Description |
---|---|---|
NEW | General | General improvements and bug fixes |
CLI Version 2.1.3
Status | Item | Description |
---|---|---|
NEW | General | General improvements and bug fixes |
CLI Version 2.1.2
Status | Item | Description |
---|---|---|
NEW | General | The CLI is now signed with the Checkmarx digital signature, indicating that this is an official Checkmarx product. This enables the signed CLI to bypass firewalls on Windows computers that previously blocked the unsigned CLI. |
CLI Version 2.1.1
Status | Item | Description |
---|---|---|
NEW | Folder exclusion | We now exclude certain irrelevant folders (.vs, .vscode, .idea) from the scan. |
FIXED | SCA thresholds | Fixed an issue where setting SCA thresholds caused errors in certain edge cases. |
CLI Version 2.1.0
Status | Item | Description |
---|---|---|
NEW | Exit codes | We have improved the precision of the exit codes in order to give a clearer picture of which particular scanners failed. We have also created a new command. Caution: For users who are using external commands (e.g., $LastExitCode for PowerShell) to obtain exit codes for the |
FIXED | GitLab integration | Fixed issue with GitLab Security Dashboard integration failing when no vulnerabilities are identified. |
CLI Version 2.0.76
Status | Item | Description |
---|---|---|
FIXED | New project | Fixed an issue where some scans failed when a new project was created under an application. |
FIXED | Validate threshold | Added validation for valid user input when setting a threshold. |
CI/CD Plugins
In May we released the following CI/CD plugin versions.
Azure DevOps - 2.0.34 (uses CLI v2.1.2)
GitHub Actions Plugin - 2.0.28 (uses CLI v2.1.2)
Jenkins Plugin - 2.0.13-575.ve032ddd17a_a_4 (uses CLI v2.1.2)
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | Digital signature | Azure DevOps, GitHub Actions | The CLI that these plugins are based on is now signed with the Checkmarx digital signature, indicating that this is an official Checkmarx product. This enables communication from this plugin to bypass firewalls on Windows computers that previously blocked the unsigned CLI. |
UPDATED | Exit codes | Azure DevOps, GitHub Actions | We have improved the precision of the exit codes in order to give a clearer picture of which particular scanners failed. We have also created a new CLI command. Caution: For users who are using external commands (e.g., $LastExitCode for PowerShell) to obtain exit codes for the |
Plugin | Marketplace | Code Repository | Documentation | Changelog |
---|---|---|---|---|
Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | | | |
GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | | | |
TeamCity | | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | | |
Jenkins | | | | |
IDE Plugins
In May we released the following IDE plugin version:
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | Digital signature | All | The CLI that these plugins are based on is now signed with the Checkmarx digital signature, indicating that this is an official Checkmarx product. This enables communication from this plugin to bypass firewalls on Windows computers that previously blocked the unsigned CLI. |
FIXED | Remediation | Visual Studio | Remediated vulnerabilities that we identified in our project. |
FIXED | CLI version | Visual Studio | Uses new CLI version in which vulnerabilities affecting our CLI project have been remediated. |
FIXED | Documentation link | VS Code | Fixed broken documentation link in marketplace. |
Resolved Issues
GitHub issue IDs, which could exceed the integer range, are now managed as long values.
Scan results were not refreshing in BitBucket self-hosted instances.
The request GET /audit returns a 400 error when query parameters are not specified.
Azure Feedback app configuration erroneously includes users from the wrong tenant in 'Assigned to' settings.
The CLI crashes with an unhandled exception when executing the 'utils contributors-count' command.
WebAudit encounters issues with large projects due to missing project filter support.
Enhance WebAudit autocomplete functionality based on our API Guide.
Debug messages lack vertical and horizontal scroll bars, hindering readability.
The 'Save multiple queries' button only saves one query instead of multiple.
Special characters can disrupt the graphical interface.
Web Audit doesn't support opening two simultaneous sessions.
The Query Editor UI is displaying incorrectly.
The 'Go To' function doesn't work for the base query.
An error occurs when saving a query in the Query Editor.
Deleting a query succeeds but results in an HTTP error 502.
Inconsistencies exist in package count tracking.
The API Audit Trail returns null events when using the "TO" parameter.
Performance testing and reporting for global scan durations are missing.
The project/application-list reports are slow and consistently fail due to a 20-minute timeout.
Timeout errors occur with message "context deadline exceeded."
Links to vulnerabilities are broken for OpenSSL-Universal@1.0.2.20.
The allowed range is not specified for OAuth Clients Expiration Period.
Validation rules in Policy Management fail to check if vulnerability status is "Not_exploitable."
Integration with Azure DevOps fails in Single Tenant environments.
Azure Feedback App returns users from the wrong tenant.
VsCode plugin fails to calculate NuGet results sent by ScaRealtime.
Scan Reports - Executive Summary does not honor engine filters.
Import project-to-app mapping in single-tenant uses external FQDN.
The 'proxy-user' tag was not implemented, hence PAC format was not supported.
Feedback App Azure Boards: No Lists project work items were displayed and a 'status: 417' response was obtained.
500 internal error when sorting SAST results by Detection Date on the SAST Results Comparison page.
In certain scenarios, the Analytics dashboard widget displayed incorrect information in the Executive overview.
api/policy_management_service_uri/evaluation got stuck in the EVALUATING status.
The vulnerability count in the application overview differed from the count in the Aging summary.
Quick Start Guide link on welcome e-mail led to a 404 error page.
Re-imported SCM project with similar names caused misleading.
Bad casing when showing file name\path.
Checkmarx One CLI contributing developers could not handle disabled repos in ADO.
CSV export of contributors failed when encountering a large number of contributing developers.
Contributing Developers report failed with a 500 HTTP error when having 4500+ contributors.
Project tags autocomplete showed suggestions that were not tags from the current tenant.
Selecting Assign to Applications from UI removed other projects for the application.
Token validation timeout needed to be increased.
In certain scenarios, the Top Vulnerable Projects widget ranked applications incorrectly.
On rare occasions, a client secret could be disclosed.
Error when attempting to extract repo base URL.
Azure cloud with 'on-prem' configuration with the enabled MANAGE_SELF_HOSTED_ENABLED feature flag failed on a test connection.
A direct link to the /account-settings page allowed accessing it without proper permissions.
A hyperlink was broken in the SCA Results Vulnerable package path in SCA standalone and Checkmarx One.
Known issues
A load test involving approximately 200 simultaneous engine scans per hour results in approximately 4% of the scans becoming stuck.
Some multi-engine scans are categorized as 'Partial Failed' due to SAST ETL errors, even though they successfully completed for SAST, with results available and accessible. However, for API Security scans, the results are not displayed.
When performing a Git scan with KICS, no LoC information is provided. However, the same scan conducted using a zip file does display the LoC.