Critical Severity
In July 2024, Checkmarx One will add a new CRITICAL severity to its list of severity options. This change affects almost every part of the platform: some SAST, SCA and IaC Security vulnerabilities that were labeled HIGH will be reclassified as CRITICAL.
This page provides information on delivery dates, areas of impact, and actions that users may need to take in response to these changes.
Delivery dates
Region | Planned date | Release version | Status |
---|---|---|---|
All tenants | July 7, 2024 | TBD | On track |
Single Tenant | On Demand | TBD | On track |
Impact areas
Area | Impact (What is changing) |
---|---|
SAST Engine Results | |
SCA Engine | |
IaC Engine | |
DAST Engine | |
Reporting | |
Analytics | Insights will be updated with “Critical” vulnerabilities in the corresponding dashboards. |
APIs | Critical Severity has been added to all relevant APIs. The change does not affect existing customers consuming the APIs. |
Feedback Apps | |
Policy Management | |
CI/CD Reports | Report summaries will include “Critical”. |
CLI Filtering | |
FAQ
Question | Answer |
---|---|
Can I opt out of having the Critical severity? | No, this is a mandatory change for all customers. |
Will this change be gradual or all at once? | This change will be all at once. |
I have policies set up that report on High vulnerabilities. Will I need to do anything? | Yes, you will need to manually go into the policy and add Critical as a criterion in your already existing policy. |
I have feedback apps that create bugs or notifications on High vulnerabilities. Will I need to do anything? | Yes, you will need to manually go into the feedback app and add “Critical” as a filter. |
I have thresholds set up in the CLI. Will I need to do anything? | Yes, you will need to update the CLI additional arguments and update the filter options on the thresholds. |
Do we expect the vulnerabilities to be set to Critical when the Critical Severity is released? | No, the vulnerabilities will change on a new scan. |
What are the dates for the “preview scan”, and can this somehow be combined with it (a preview of the new priority)? | It’s in a pre-release environment now but is not expected to be released until Q3 2024. |
How are severity labels for individual results calculated? | For SCA it is based on the CVSS score. For SAST, our AppSec team identified the vulnerability types that should be considered Critical. |
How are severity labels for projects and applications calculated? | If at least one Critical vulnerability is found, the project or application is considered Critical. |
How are historic results migrated? | They will be migrated with their current severity, but it can change after the first scan. |
What impact will there be to my current dashboard/reports? | It’s possible that HIGH counts will go down and CRITICAL counts will go up. |
Why did it take so long for Checkmarx to adopt CVSS v3 severity labels? | It has been a work in progress for over a year. It affects all aspects not only of the current CxOne platform and all its engines, but of the CxSAST 9.x platform as well. |
How will this change impact the Checkmarx plugins I am using? | The plugins will support showing the Critical results but won’t affect the initiation of scans. |
If a vulnerability was manually changed from HIGH to LOW before the upgrade, will it be re-evaluated and updated to CRITICAL after the upgrade when the next scan is performed? | If the user manually changed the severity of a result before the upgrade, the severity will remain as defined by the user after the upgrade and will not change to Critical. |
If a vulnerability was detected as HIGH before the upgrade and changed to CRITICAL after the upgrade and next scan, will it still be considered a "recurrent" vulnerability and not "new"? | The severity may change, but the vulnerability is still considered Recurrent after a new scan. For example, before the upgrade, all vulnerability results were new; after the upgrade and a new scan, the results appear as Recurrent. |
Will the queryID and similarityId of a vulnerability detected as HIGH before the upgrade, and as CRITICAL after the upgrade and next scan, remain unchanged (assuming the code has not changed)? | The SimilarityId algorithm is not affected by changes in severity. |
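The following Python model is an added illustration (not Checkmarx code and not the platform's actual implementation) of the FAQ answers on severity calculation, manual overrides, project severity, and dashboard counts. It assumes the CVSS v3.x qualitative cut-offs (9.0+ Critical, 7.0+ High, 4.0+ Medium, above 0 Low) for SCA; the page only says SCA severity is "based on CVSS score" and does not state Checkmarx's exact cut-offs. The sample results are constructed. The point it makes concrete is the one behind the policy, feedback-app and CLI questions above: a filter that matches only "high" silently loses the results that become "critical" after the first post-upgrade scan, until "critical" is added to the filter.

```python
"""Model of how the new Critical severity changes labels, project severity,
counts and severity-based filters. Added example; not Checkmarx's own code."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Highest severity first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


def cvss_to_severity(score: float, critical_enabled: bool) -> str:
    """Map a CVSS score to a label.

    Assumption: CVSS v3.x qualitative cut-offs. Before the Critical severity
    exists, everything at 7.0 or above is reported as High.
    """
    if score >= 9.0:
        return "critical" if critical_enabled else "high"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


@dataclass
class Result:
    similarity_id: str
    cvss: float
    # A user override persists across the upgrade and is not raised to Critical.
    manual_severity: Optional[str] = None

    def severity(self, critical_enabled: bool) -> str:
        if self.manual_severity:
            return self.manual_severity
        return cvss_to_severity(self.cvss, critical_enabled)


def project_severity(results: Iterable[Result], critical_enabled: bool) -> str:
    """Project label is the worst result label: one Critical result makes the
    whole project Critical."""
    labels = {r.severity(critical_enabled) for r in results}
    for label in SEVERITY_ORDER:
        if label in labels:
            return label
    return "info"


def count_by_severity(results: Iterable[Result], critical_enabled: bool) -> dict:
    """Dashboard-style counts; shows HIGH going down and CRITICAL going up."""
    counts = {label: 0 for label in SEVERITY_ORDER}
    for r in results:
        counts[r.severity(critical_enabled)] += 1
    return counts


def policy_matches(results: Iterable[Result], critical_enabled: bool,
                   filter_severities: Set[str]) -> list:
    """Similarity ids a policy / feedback-app / CLI threshold filter would act on."""
    return sorted(r.similarity_id for r in results
                  if r.severity(critical_enabled) in filter_severities)


# Constructed sample results (not real findings).
SAMPLE = [
    Result("sim-001", 9.8),                        # High before, Critical after
    Result("sim-002", 9.1, manual_severity="low"), # user override, stays Low
    Result("sim-003", 7.5),                        # stays High
    Result("sim-004", 5.3),                        # Medium
    Result("sim-005", 2.0),                        # Low
]


def compare_filters():
    """Coverage of a 'High only' filter before and after the upgrade, and
    after adding Critical to the filter as the FAQ instructs."""
    before = policy_matches(SAMPLE, False, {"high"})
    after_unchanged = policy_matches(SAMPLE, True, {"high"})
    after_updated = policy_matches(SAMPLE, True, {"high", "critical"})
    return before, after_unchanged, after_updated


if __name__ == "__main__":
    print("before upgrade:", count_by_severity(SAMPLE, False), project_severity(SAMPLE, False))
    print("after upgrade: ", count_by_severity(SAMPLE, True), project_severity(SAMPLE, True))
    print("filter coverage (before, unchanged filter, updated filter):", compare_filters())
```

Running it shows the unchanged "High only" filter dropping sim-001 after the upgrade while the updated filter recovers it, and the manually downgraded sim-002 staying Low in both cases, which is the behaviour the FAQ describes for overrides.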