Skip to main content

Version 3.14

Multi-Tenant release date: May 26, 2024

Maintenance releases


This table includes only the maintenance releases that addressed customer-facing issues. Maintenance releases that contained only internal enhancements are not listed.

Release number

Resolved issues


Permissions related to state changes have been adjusted to avoid confusion.


Solved an issue that caused a SAST scan failure if even one query failed.


If scan results included many High-severity vulnerabilities with at least one Medium-severity vulnerability among them, the Break a build upon violation option did not work as intended in the policy.


When using the Checkmarx One Migration API with a customer's SCM on-prem URL, the provided URL was processed incorrectly. We now use the direct URL received from the request, and the customer is responsible for providing the correct URL.


Users belonging to a specific group couldn't view projects associated with that group.

New features and enhancements

Scan duration time per scanner

The Scan Results UI and API now display the specific scan duration for each scanner instead of the total scan duration for all scanners. This enhancement allows customers to see the scan duration differences between engines, enabling them to adjust scan configurations as needed based on the scan duration.

New roles for updating state and severity results

We have implemented a granular level of access rights by differentiating permissions for updating state results and severity results. As a result, the following new roles are now available:

  • update-result-state-not-exploitable (can change to this state only)

  • update-result-state-propose-not-exploitable (can change to this state only)

  • update-result-states (can change all states except not-exploitable; can’t change the severity)

  • update-result-severity (can change only severities)

  • add-notes (can add, edit, or delete notes).


  • The existing update-results role will continue to work. However, if you want to assign a new role to a user who already has the update-results role, it needs to be unassigned first.

  • The new roles are available in SAST and IaC. Support for these roles in SCA will be added soon.

Executive Overview dashboard improvements

  • Total Open Vulnerabilities per Thousand LOC: Provides a visualization of the trend in vulnerabilities per thousand lines of code (LOC). Offers a quick, at-a-glance understanding of the security posture over time, enabling informed decision-making and timely responses to emerging trends in vulnerabilities.

  • Total Vulnerabilities Fixed by Severity KPI: Provides a visualization of the trend in total vulnerabilities fixed, categorized by severity. Offers a quick, at-a-glance understanding of the security posture over time, enabling informed decision-making and timely responses to emerging trends in vulnerabilities.

  • Vulnerability Density: Shows the number of vulnerabilities per thousand lines of code (kLOC).

New standards for compliance results

Compliance results are now shown for two new standards recently added: PCI DSS version 4 and OWASP Top 10 API 2023.


The SAST engine in Checkmarx One has been updated to version 9.6.5.


IaC v2.0.0 has been released with the following new features:

  • Taking scan speed to a whole new level! On average, the Parallel Scan feature cuts scan durations by up to 50%.

  • CWE IDs are now included in the results for Common and Dockerfile queries.

  • New queries have been added for the CloudFormation, Docker Compose, Crossplane, and Pulumi platforms.

  • New exit status code for the Critical severity (60) has been added.

  • Terraformer support has been removed.  

All queries have been reviewed by our AppSec team and several have been deprecated. 

  • Click here to check the deprecated queries list.



The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated on July 7. They have been replaced by the new Management of Risk API, which supports applying any Checkmarx One state and adding comments. We recommend migrating to the new API well in advance of the July 7 deadline.


Versions of SCA Resolver prior to 2.5.15 won't be supported after July 7. After that date, older versions will no longer be able to run Container scans. Download links for newer versions are available here.

We recommend always keeping up to date with the latest version of SCA Resolver, in order to benefit from the latest features as well as ongoing performance improvements and bug fixes.

  • Reports generated via the web application are now generated in the background so that the user can continue working. When the report is ready, the user is prompted to download the report.

  • We improved the content of the scan reports for all formats (PDF, CSV, XML, JSON). The reports now include all relevant data that is available via the web portal, including exploitability indicators and the transitive package paths.

  • You can now generate reports from the Global Inventory screen and filter the report data based on the filters that are applied to the Global Inventory.

  • Added support for .NET 8 for the SCA scanner.

Resolved issues

  • Analytics dashboard widget in Vulnerabilities showed a wrong number of vulnerabilities.

  • SAST scan failed during every partial scan for a specific project.

  • Failure to retrieve SCM settings from the configuration for a scan.

  • The following error was encountered in the Access Management UI: “Deadline Exceeded Access Management Service”.

  • Binary files were opened as text files.

  • The create-assignments-nv command was missing some mandatory environmental properties.

  • Permissions that were added to  the Application level granted access to the Tenant level.

  • A scan failed due to a timeout while using gRPC between kics-runner and repostore.

  • ADO Tickets did not include an attack vector.

  • Repo Import was unstable with GitLab self-hosted SCM: sometimes it successfully retrieved the organization list, and other times it did not.

  • The AI query builder for SAST was not working.

  • Occasionally, the Integrations page showed no data.

  • Bad casing when showing file name\path.

  • False negatives occurred due to the server_side_encryption_configuration argument being deprecated.

  • Error when saving the query results.

  • SSH worked when fetching branches but failed on the clone command.

  • Application was deleted but remained on the Analytics page.

  • Different zip files were generated for the same source with different behavior scan results.

  • Compliance (categories) were not updated when re-scanning the same source code.

  • PDF report for some vulnerabilities was different from the CSV report generated.

  • "View Management of Risk History" appeared blank.

  • Container packages vulnerables seemed to be a error.

  • Transitive Dependency Vulnerable Package Path was empty after recalculation.

  • Some URLs in JSON reports contained extra spaces at the beginning.

  • SCA supply chain filters were not working in a Single Tenant environment.

  • An SCA scan showed an unknown Copy Left Need confirmation.

  • WhatsApp banking SCA open points.

  • A "Failed to set need for recalculation" error was encountered when attempting to change a vulnerability other than the last scan.

  • Some components were missing in the Checkmarx One database.

  • The filter in the Identified Package column in the SCA Risk tab was disabled.

  • Maven override false positives.

  • Maven dependencies command omitted flag ignored.