
Critical Severity

In July 2024, Checkmarx One will add a new CRITICAL severity to its list of severity options. This change affects almost every part of the platform. Some of the SAST, SCA and IaC Security vulnerabilities that were labeled HIGH will be reclassified as CRITICAL.

This landing page will provide information on delivery dates, areas of impact, and actions that users might need to take in response to these changes.

Delivery dates

Region          Planned date    Release version    Status
All tenants     July 7, 2024    TBD                On track
Single Tenant   On Demand       TBD                On track

Impact areas

Area / Impact (What is changing)

SAST Engine Results

  • For the comprehensive list of SAST query updates in PDF format, click here.

  • Only new scans are affected

  • 9.6: High to Critical

  • 9.7: Medium to High

    • Expected release date - November 2024

  • Result Viewer will display “Critical”

  • Result Viewer will have filters on “Critical”

  • Project page will be updated with the total number of “Critical” findings per project

  • Overview page will be updated with “Critical” trends

SCA Engine

  • Based on the CVSS score (CVSS standard)

  • Only new scans are affected

IaC Engine

  • For the comprehensive list of IaC query updates in PDF format, click here.

  • Only new scans are affected

DAST Engine

  • The Engine does not provide Critical results

  • The customer can change the severity of a scan to Critical

  • DAST tab in the app will show Critical in the Risk bar

Reporting

  • Scan reports will support “Critical” findings

Analytics

Insights will be updated with “Critical” vulnerabilities in the corresponding dashboards.

APIs

Critical Severity has been added to all relevant APIs. The change does not affect existing customers consuming the APIs.

Feedback Apps

  • “Critical” state is added to the Wizard

  • Customers need to edit existing Trigger conditions to create Feedback issues with “Critical” findings

Policy Management

  • Customers need to edit their existing policies

  • All scanners support Critical severities in their respective policies

CI/CD Reports

Reports will include a summary that covers “Critical” findings

CLI Filtering

  • CLI will support filtering on “Critical”

  • Thresholds updated to handle “Critical”

FAQ

Q: Can I opt out of having the Critical severity?

A: No, this is a mandatory change for all customers.

Q: Will this change be gradual or all at once?

A: This change will be all at once.

Q: I have policies set up that report on High vulnerabilities. Will I need to do anything?

A: Yes, you will need to manually go into the policy and add Critical as a criterion in your existing policy.

Q: I have feedback apps that create bugs or notifications on High vulnerabilities. Will I need to do anything?

A: Yes, you will need to manually go into the feedback app and add “Critical” as a filter.

Q: I have thresholds set up in the CLI. Will I need to do anything?

A: Yes, you will need to update the CLI additional arguments and update the filter options on the thresholds.

Q: Do we expect the vulnerabilities to be set to Critical when the Critical severity is released?

A: No, the vulnerabilities will change on a new scan.

Q: What are the dates for the “preview scan”, and can this somehow be combined with it (a preview of the new priority)?

A: It’s in a pre-release environment now but is not expected to be released until Q3 2024.

Q: How are severity labels for individual results calculated?

A: For SCA it is based on the CVSS score. For SAST, our AppSec team identified vulnerability types that should be considered Critical.

Q: How are severity labels for projects and applications calculated?

A: If one Critical vulnerability is found, the project or application is considered Critical.

Q: How are historic results migrated?

A: They will be migrated with the same severity, but the severity can change after the first new scan.

Q: What impact will there be on my current dashboard/reports?

A: The number of HIGH findings may go down while the number of CRITICAL findings goes up.

Q: Why did it take so long for Checkmarx to adopt CVSS v3 severity labels?

A: It’s been a Work In Progress for over a year. It affects all aspects of not only our current CxOne Platform and all the Engines but the CxSAST 9.x platform as well.

Q: How will this change impact the Checkmarx plugins I am using?

A: The plugins will support showing the Critical results but won’t affect the initiation of scans.

Q: If a vulnerability was manually changed from HIGH to LOW before the upgrade, will it be re-evaluated and updated to CRITICAL after the upgrade when the next scan is performed?

A: If the user manually changed the severity of a result before the upgrade, the severity will remain as defined by the user after the upgrade and will not change to Critical.

Q: If a vulnerability was detected as HIGH before the upgrade and changed to CRITICAL after the upgrade and next scan, will it still be considered a "recurrent" vulnerability and not "new"?

A: The severity may change, but the vulnerability is still considered Recurrent after a new scan. For example, before the upgrade, all vulnerability results were new; after the upgrade and a new scan, the results appear as Recurrent.

Q: Will the queryID and similarityId of a vulnerability that was detected as HIGH before the upgrade and as CRITICAL after the upgrade and next scan remain unchanged (assuming the code has not changed)?

A: The SimilarityId algorithm is not impacted by changes in severity.
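The FAQ above states three rules that together explain what you should expect in dashboards and policies after the first new scan: SCA labels derive from the CVSS score, a severity a user set manually survives the upgrade, and a single Critical finding makes the whole project Critical. The script below is an added example (not Checkmarx code and not its scoring implementation) that models those rules over a constructed set of findings so you can see why HIGH counts drop while CRITICAL counts rise. It assumes the standard CVSS v3.x qualitative bands (9.0 and above is Critical, 7.0 to 8.9 High, and so on); the page confirms CVSS is the basis for SCA but does not state the exact cut-offs the platform applies, and SAST labels come from a curated query list rather than a score, so they are not modeled here.

```python
"""Model of the severity relabeling described on this page.

Added example, not Checkmarx code. Assumes SCA labels follow the CVSS v3.x
qualitative rating bands; the page does not state the platform's exact
cut-offs. Finding names and scores below are constructed, not real results.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered lowest to highest so the worst label can be picked with max().
SEVERITY_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def cvss_v3_label(score: float, critical_enabled: bool = True) -> str:
    """Map a CVSS v3.x base score to its qualitative rating.

    With critical_enabled=False, scores of 9.0 and above collapse into HIGH,
    which is how findings were labeled before the Critical severity existed.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0 or not critical_enabled:
        return "HIGH"
    return "CRITICAL"


@dataclass
class Finding:
    name: str
    cvss: float
    user_severity: Optional[str] = None  # set when a user manually changed it


def effective_severity(f: Finding, critical_enabled: bool = True) -> str:
    # Per the FAQ, a manually set severity is kept and is not re-evaluated.
    if f.user_severity is not None:
        return f.user_severity
    return cvss_v3_label(f.cvss, critical_enabled)


def severity_counts(findings: List[Finding], critical_enabled: bool = True) -> Dict[str, int]:
    """Count findings per label, as a dashboard or report summary would."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[effective_severity(f, critical_enabled)] += 1
    return counts


def project_severity(findings: List[Finding], critical_enabled: bool = True) -> str:
    """Project label is the worst finding label: one CRITICAL makes it CRITICAL."""
    if not findings:
        return "NONE"
    return max((effective_severity(f, critical_enabled) for f in findings),
               key=SEVERITY_ORDER.index)


def dashboard_delta(findings: List[Finding]) -> Dict[str, int]:
    """Change in per-label counts between the old (no Critical) and new scheme."""
    before = severity_counts(findings, critical_enabled=False)
    after = severity_counts(findings, critical_enabled=True)
    return {s: after[s] - before[s] for s in SEVERITY_ORDER if after[s] != before[s]}


# Constructed sample findings (hypothetical names, not real CVEs or scan output).
SAMPLE = [
    Finding("lib-a unsafe deserialization", 9.8),
    Finding("lib-b authentication bypass", 9.1),
    Finding("lib-c path traversal", 7.5),
    Finding("lib-d information leak", 5.3),
    # Manually downgraded before the upgrade; stays LOW after it.
    Finding("lib-e denial of service", 9.8, user_severity="LOW"),
]

if __name__ == "__main__":
    print("before:", severity_counts(SAMPLE, critical_enabled=False))
    print("after: ", severity_counts(SAMPLE))
    print("delta: ", dashboard_delta(SAMPLE))
    print("project:", project_severity(SAMPLE, False), "->", project_severity(SAMPLE))
```

Running it shows two findings moving from HIGH to CRITICAL, the user-overridden one staying LOW, and the project label moving from HIGH to CRITICAL; a policy or CLI threshold that only counts HIGH would therefore see fewer matches after the first new scan, which is the reason the FAQ asks you to add Critical to existing policies, feedback app filters and thresholds.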