Skip to main content

Version 3.16

Multi-Tenant release date: June 23, 2024


The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment, unless explicitly stated otherwise in parentheses in the respective section heading.


Note for Chrome users:

Please clear your browser cache to avoid potential UI issues. Failure to do so may result in the Checkmarx One user interface not functioning correctly.

New features and enhancements

BYOR (Bring Your Own Results) (GA: June 19, 2024)

The Bring Your Own Results feature allows organizations to import vulnerability results from third-party security tools and services, regardless of their origin, if they adhere to a specific standard format: SARIF.

By incorporating these external results into Checkmarx One, organizations can gain a comprehensive view of their application security landscape, identifying and prioritizing vulnerabilities more effectively.

To optimize performance and resource utilization, we set thresholds for the number of results and rules per import run. These limits prevent overload and ensure efficient data processing.

For more information, refer to this page.

Download Report enhancement (GA: June 19, 2024)

The Download Report functionality menu has been updated to offer two options:

  • Generate Default Report: This option generates a report with default settings, including PDF format, Scan report type, Severity levels, Status, By Projects, Scanners, and Results State.

  • Customize Report: This option opens the new MFE, allowing users to customize the report.

The bulk report will download all scans separately using their default settings.

Default Policy

Users can now set a Default Policy that will be applied to all scans across existing and new projects.

Only one Default Policy can be active at a time.

Retrieving tags per scan ID

The Checkmarx One scans/tags API has been enhanced to retrieve all tags not only per tenant but also per specific scan ID. This allows users to get Checkmarx One results based on these scan tags.

Not Exploitable vulnerabilities set to None risk level

We have implemented a feature that adjusts the risk level to "None" (0 - no risk) for vulnerabilities triaged as "Not Exploitable" after a new scan. This ensures the risk accurately reflects the mitigated or non-exploitable nature of the issue. The new top 50 results will be recalculated with each scan.

This enhancement provides a more precise and transparent risk assessment, aiding in informed decision-making and resource prioritization, and promoting a more accurate evaluation of the security posture.

Enhancements to risk scoring mechanism for SAST results

The risk scoring mechanism for SAST results has been refined to consider a broader set of factors for each result. This provides more precise risk evaluations for each vulnerability as well as better decision-making and prioritization. It also enhances overall cybersecurity by addressing vulnerabilities more effectively.

Option to deselect all scanners

A Clear all button is now available in addition to the existing Select all button. This enhancement saves users time by allowing them to quickly deselect all engines and then select only the ones they need, resulting in faster scans.

Vulnerabilities dashboard ramp-up

We have enhanced the Vulnerabilities dashboard, introducing a modernized view and new critical KPIs:

  • Modern view: A refreshed interface for an improved user experience.

  • Key KPIs added:

    • MTTR (Mean Time to Resolution): Tracks remediation efficiency

    • Top 20 Vulnerabilities: Highlights the most critical vulnerabilities

    • Top Old Vulnerabilities: Focuses on aging vulnerabilities

    • Vulnerabilities by Status: Tracks vulnerabilities by their status, whether new or recurrent.

Explore these enhancements to better manage and understand your security posture.


Remediation Advisory improvements

  • For Remediation Tasks, we have cut out the “noise” by showing recommendations for replacing transitive packages only if the current package has vulnerabilities. For outdated packages without vulnerabilities, we no longer show remediation suggestions.

  • When a remediated version of the package exists, we now show a remediation icon next to the package in the Packages tab of the scan results. Clicking on this icon takes you to that item in the Remediation Tasks tab.


This feature is only available for direct dependencies.

SCA Inventory and Risks improvements

We have enriched the SCA Inventory and Risks to include all relevant data from the SCA scan results page. We have added the following items in the Packages and Risks tabs respecitvely:

  • Packages Tab

    • Show only Effective licenses

    • Added Scan Date

  • Risks Tab

    • Added severity Score

    • Added risk State

    • Added Exploitability indicators

    • Added Category (CWE)

    • Made Package Name and Package Version into separate items

    • Added Detection Date

In addition we have improved filter and search capabilities.

Resolved issues

  • Different counts in the application overview vulnerabilities versus the grid application vulnerabilities.

  • Cxsast_exporter_1.4.0 was creating state="5" as part of triage migration.

  • When displaying the list of vulnerabilities from an IaC scan on a project and filtering the results by query name, the display was incorrect.

  • Compliance failed with only low vulnerability results.

  • The JSON format for the new report only retrieved the source and destination source code.

  • Pull Decoration failed with the following error: "query did not return a unique result: 2; nested exception is".

  • API calls to scan-summary for 1,000 scans sometimes failed with a 500 error message.

  • Project-list report API did not work as described in the documentation.

  • Filters did not work on the application’s Projects tab.

  • The restriction of scan deletion due to missing delete-scan permission presented a UI usability problem.

  • Generating an Open Vulnerabilities Report returned an error when there was a long list of tags and/or names used as filters.

  • It was not possible to save project settings when the Skip Submodules property in Global Settings did not allow overrides.

  • Self-hosted Bitbucket customers were unable to update the Account setting for their repositories.

  • The criteria for sorting the Projects list always returned empty values at the top of the list.

  • The Go To Query option was missing in some queries.

  • It was not possible to update project settings for repository projects with an SSH key.

  • Export as CSV functionality was not working on the Project page.

  • Checkmarx One ignored the --sca-exploitable-path that was sent from the Checkmarx One CLI plugin.

  • A 403 Forbidden error occurred when changing the state, but the state was changed anyway.

  • Private packages were included in the Total tile count but were not displayed in the UI.

  • GET /api/results-overview/projects API endpoint inconsistencies.

  • Failure at an attempt to import repositories with 2120 projects from Azure.

  • An empty array in JSON was not passed correctly.

  • CLI plugin failed to scan a source from Azure self-hosted repositories due to the failure of the Repostore service.

  • UI issue in the Read More section of the SAST result description.

  • Analytics permissions were not visible even if ANALYTICS_ROLES_ENABLED flag was set to True.

  • It was not possible to save a policy after changing the rule for the scanners.

  • The updateAt field was missing in the response of api/results.

  • The configuration for Net New Vulnerabilities saved the severity incorrectly in the database.

  • Users belonging to a specific group could not view projects associated with that group.

  • Update-Result and Update-Result-Not-Exploitable were reversed.

  • There was a discrepancy between the Scan Report and the SBOM Export Service when using scan results from the cloud.