Skip to main content

Version 3.16

Multi-Tenant release date: June 23, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment, unless explicitly stated otherwise in parentheses in the respective section heading.

New features and enhancements

BYOR (Bring Your Own Results) (GA: June 19, 2024)

The Bring Your Own Results feature allows organizations to import vulnerability results from third-party security tools and services, regardless of their origin, if they adhere to a specific standard format: SARIF.

By incorporating these external results into Checkmarx One, organizations can gain a comprehensive view of their application security landscape, identifying and prioritizing vulnerabilities more effectively.

To optimize performance and resource utilization, we set thresholds for the number of results and rules per import run. These limits prevent overload and ensure efficient data processing.

For more information, refer to this page.

Download Report enhancement (GA: June 19, 2024)

The Download Report functionality menu has been updated to offer two options:

  • Generate Default Report: This option generates a report with default settings, including PDF format, Scan report type, Severity levels, Status, By Projects, Scanners, and Results State.

  • Customize Report: This option opens the new MFE, allowing users to customize the report.

The bulk report will download all scans separately using their default settings.

Default Policy

Users can now set a Default Policy that will be applied to all scans across existing and new projects.

Only one Default Policy can be active at a time.

Retrieving tags per scan ID

The Checkmarx One scans/tags API has been enhanced to retrieve all tags not only per tenant but also per specific scan ID. This allows users to get Checkmarx One results based on these scan tags.

Not Exploitable vulnerabilities set to None risk level

We have implemented a feature that adjusts the risk level to "None" (0 - no risk) for vulnerabilities triaged as "Not Exploitable" after a new scan. This ensures the risk accurately reflects the mitigated or non-exploitable nature of the issue. The new top 50 results will be recalculated with each scan.

This enhancement provides a more precise and transparent risk assessment, aiding in informed decision-making and resource prioritization, and promoting a more accurate evaluation of the security posture.

Enhancements to risk scoring mechanism for SAST results

The risk scoring mechanism for SAST results has been refined to consider a broader set of factors for each result. This provides more precise risk evaluations for each vulnerability as well as better decision-making and prioritization. It also enhances overall cybersecurity by addressing vulnerabilities more effectively.

Option to deselect all scanners

A Clear all button is now available in addition to the existing Select all button. This enhancement saves users time by allowing them to quickly deselect all engines and then select only the ones they need, resulting in faster scans.

Vulnerabilities dashboard ramp-up

We have enhanced the Vulnerabilities dashboard, introducing a modernized view and new critical KPIs:

  • Modern view: A refreshed interface for an improved user experience.

  • Key KPIs added:

    • MTTR (Mean Time to Resolution): Tracks remediation efficiency

    • Top 20 Vulnerabilities: Highlights the most critical vulnerabilities

    • Top Old Vulnerabilities: Focuses on aging vulnerabilities

    • Vulnerabilities by Status: Tracks vulnerabilities by their status, whether new or recurrent.

Explore these enhancements to better manage and understand your security posture.

SCA Improvements

Remediation Advisory improvements

  • For Remediation Tasks, we have cut out the “noise” by showing recommendations for replacing transitive packages only if the current package has vulnerabilities. For outdated packages without vulnerabilities, we no longer show remediation suggestions.

  • When a remediated version of the package exists, we now show a remediation icon next to the package in the Packages tab of the scan results. Clicking on this icon takes you to that item in the Remediation Tasks tab.

Note

This feature is only available for direct dependencies.

SCA Inventory and Risks improvements

We have enriched the SCA Inventory and Risks to include all relevant data from the SCA scan results page. We have added the following items in the Packages and Risks tabs respecitvely:

  • Packages Tab

    • Show only Effective licenses

    • Added Scan Date

  • Risks Tab

    • Added severity Score

    • Added risk State

    • Added Exploitability indicators

    • Added Category (CWE)

    • Made Package Name and Package Version into separate items

    • Added Detection Date

In addition we have improved filter and search capabilities.

SCA Resolver Version 2.8.2

  • Added warning that ScaResolver should be updated when the version is older than 6 months.

  • Updated container scanner to 3.1.1.

  • Manifests extracted from compressed archives are now uploaded.

  • For Maven, apply -Dverbose parameter by default in order to extract more data about dependencies.

  • For Yarn, fixed version identification when using a yarn executable inside a project.

  • For RubyGems, fixed execution when Gemfile is lower case (i.e., "gemfile").

  • For Nuget, fixed dotnet "packs" folder lookup.

Download the new version here.

IAM (Version 3.10.1)

  • A new setting has been added to the General Settings page for downloading source code.

  • A new headline has been added to the Identity & Access Management screen, displaying the tenant name.

  • Keycloak has been upgraded to version 23.

  • A new permission called download-source-code has been added and assigned to the ast-admin role.

  • Users with the manage-clients permission but without the manage-users could not create OAuth Clients.

CLI and Plugins Releases of June 2024

CLI Version 2.1.5

Status

Item

Description

NEW

Included files

Added pyproject.toml and poetry.lock which are analyzed by the SCA scanner, to the list of automatically included files.

NEW

Partial scan

Added details of partial scan completion (specific scanners) to the console response.

FIXED

PDF reports

Fixed issue that PDF reports with large amounts of data were failing due to timeout.

FIXED

API requests

Fixed issue that API requests with a lot of filter items were failing because of URL length limitations.

CI/CD Plugins

In June we released the following CI/CD plugin versions:

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

General

GitHub Actions, Jenkins

General improvements and bug fixes.

IDE Plugins

In June we released the following IDE plugin versions:

  • JetBrains - 2.0.15 (uses CLI v2.1.5)

  • Visual Studio - 2.0.50 (uses CLI v2.1.5)

  • VS Code - 2.14.0 (uses CLI v2.1.6)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Digital signature

Visual Studio

The CLI that these plugins are based on is now signed with the Checkmarx digital signature, indicating that this is an official Checkmarx product. This enables communication from this plugin to bypass firewalls on Windows computers that previously blocked the unsigned CLI.

IDE Plugin Quick Links

Resolved issues

  • Different counts in the application overview vulnerabilities versus the grid application vulnerabilities.

  • Cxsast_exporter_1.4.0 was creating state="5" as part of triage migration.

  • When displaying the list of vulnerabilities from an IaC scan on a project and filtering the results by query name, the display was incorrect.

  • Compliance failed with only low vulnerability results.

  • The JSON format for the new report only retrieved the source and destination source code.

  • Pull Decoration failed with the following error: "query did not return a unique result: 2; nested exception is".

  • API calls to scan-summary for 1,000 scans sometimes failed with a 500 error message.

  • Project-list report API did not work as described in the documentation.

  • Filters did not work on the application’s Projects tab.

  • The restriction of scan deletion due to missing delete-scan permission presented a UI usability problem.

  • Generating an Open Vulnerabilities Report returned an error when there was a long list of tags and/or names used as filters.

  • It was not possible to save project settings when the Skip Submodules property in Global Settings did not allow overrides.

  • Self-hosted Bitbucket customers were unable to update the Account setting for their repositories.

  • The criteria for sorting the Projects list always returned empty values at the top of the list.

  • The Go To Query option was missing in some queries.

  • It was not possible to update project settings for repository projects with an SSH key.

  • Export as CSV functionality was not working on the Project page.

  • Checkmarx One ignored the --sca-exploitable-path that was sent from the Checkmarx One CLI plugin.

  • A 403 Forbidden error occurred when changing the state, but the state was changed anyway.

  • Private packages were included in the Total tile count but were not displayed in the UI.

  • GET /api/results-overview/projects API endpoint inconsistencies.

  • Failure at an attempt to import repositories with 2120 projects from Azure.

  • An empty array in JSON was not passed correctly.

  • CLI plugin failed to scan a source from Azure self-hosted repositories due to the failure of the Repostore service.

  • UI issue in the Read More section of the SAST result description.

  • Analytics permissions were not visible even if ANALYTICS_ROLES_ENABLED flag was set to True.

  • It was not possible to save a policy after changing the rule for the scanners.

  • The updateAt field was missing in the response of api/results.

  • The configuration for Net New Vulnerabilities saved the severity incorrectly in the database.

  • Users belonging to a specific group could not view projects associated with that group.

  • Update-Result and Update-Result-Not-Exploitable were reversed.

  • There was a discrepancy between the Scan Report and the SBOM Export Service when using scan results from the cloud.