Skip to main content

Checkmarx SCA Release Notes May 2024


These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.


The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated on July 7. They have been replaced by the new Management of Risk API, which supports applying any Checkmarx One state and adding comments. We recommend migrating to the new API well in advance of the July 7 deadline.


Versions of SCA Resolver prior to 2.5.15 won't be supported after July 7. After that date, older versions will no longer be able to run Container scans. Download links for newer versions are available here.

We recommend always keeping up to date with the latest version of SCA Resolver, in order to benefit from the latest features as well as ongoing performance improvements and bug fixes.

Scan Reports

We made the following improvements in the SCA scan reports:

  • Reports generated via the web application are now generated in the background so that the user can continue working. When the report is ready, the user is prompted to download the report.

  • We improved the content of the scan reports for all formats (PDF, CSV, XML, JSON). The reports now include all relevant data that is available via the web portal, including exploitability indicators and the transitive package paths.

  • You can now generate reports from the Global Inventory screen and filter the report data based on the filters that are applied to the Global Inventory.

Support for .NET 8

Added support for .NET 8 for the SCA scanner

Changed Name of "Supply Chain" Risks

The category of risks that had been referred to as "Supply Chain" are now referred to as "Suspected Malware", which more accurately expresses the nature of the risk. This is reflected in the section title and icon on the All Risks page as well as in all places that the category name is used.


In addition the package metrics that had been titled "Supply Chain Analysis" are now titled "Package Reliability Indicators".


SCA Resolver Version 2.7.4 (May 13, 2024)

  • Added support for the Cpan package manager for Perl projects. For more information, see here.

  • For Maven, added support for omitted package versions.

  • For Go, fixed an issue that Go packages weren't being scanned when executing on Windows.

Download the new version here.