
Version 3.20

Multi-Tenant release date: August 18, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

Maintenance releases

Note

This table includes only the maintenance releases that addressed customer-facing issues. Maintenance releases that contained only internal enhancements are not listed.

  • 3.20.17: Users with certain permissions received 403 errors when attempting to add notes or change the state/status of specific results, even though they could perform these actions on other results within the same scan.

  • 3.20.16: After upgrading to version 3.18, the tenant name was not automatically populated, even though the web app service was correctly configured.

New features and enhancements

Container results in Scan Report summary

Note

This feature is currently available only in Multi-Tenant environments and is not yet supported for Single-Tenant customers.

The Scan Report summary displayed in the main header has been enhanced to include Container results, providing a more comprehensive overview of your security posture.

The Scan Results Overview section has been expanded to feature specific KPIs related to Containers, offering deeper insights and more detailed visibility into your container security status.

Download source code (ZIP file) - Admins Only

This version introduces the capability to download the ZIP file that was submitted for scanning, which makes it quick to rescan after minor changes.

In Identity and Access Management (IAM), this functionality is off by default and can be toggled on only by an Admin. When it is on, the download-source-code permission can be assigned to any user, allowing them to download the scanned source as a ZIP file. Because the permission grants access to the full uploaded source, assign it only where it is needed.

Checkmarx Support users also have this permission off by default; the tenant Admin must assign it to them in IAM.

TAR file upload support

To enhance flexibility and accommodate a wider range of formats, Checkmarx One now supports .tar file upload.

Access to scans from Projects page

A new Query Editor button has been added to the Projects page for quicker access to your scans. Clicking the button opens a dropdown list of the available SAST or IaC scans for that project. The button appears only when the project has SAST or IaC scans.

UI enhancements

This version introduces the following UI updates:

  • On the Project page, on a project row, right-click Results, Overview, or Project Settings (ellipsis) and select Open link in new tab, to open the respective window in a new tab.

  • On the Overview page, in the Branch drop-down, right-click a branch and select Open link in new tab, to open it in a new tab.

  • On the Scan History page, after selecting a scan, right-click Results or Query Editor (Audit Scan) and select Open link in new tab, to open the respective window in a new tab.

Redesign of SAST Results Viewer

Note

This feature is currently available only in Multi-Tenant environments and is not yet supported for Single-Tenant customers.

The SAST Results Viewer page has been redesigned to be more intuitive and accessible.

A ribbon at the top of the page shows the scanner type, project branch, scan date, and scan history. Details such as a result’s severity or source code file are organized in a table, while quick links and buttons such as Overview, Download Logs, Audit Scan, and Go To Project appear when you hover over a project row, making navigation between features quicker.


Retrieve list of SAST supported compliances via API

The GET /queries/categories-types API, which returns the list of compliance standards supported by SAST, now accepts a filter that returns only the “standard” compliances. The “standard” compliances are the subset that Checkmarx One shows by default on the project page.

SCA

Delta Scan feature

Note

This feature is currently available only in Multi-Tenant environments and is not yet supported for Single-Tenant customers.

We have dramatically cut the time of SCA scans by introducing the new Delta scan feature. When an existing project is rescanned and its manifest files have not changed since the last scan, the dependency resolution step is skipped. This can cut scan times by up to 95% without affecting the accuracy of the scan.

Currently, this only applies to scans run in the cloud, not to scans run using SCA Resolver.


CLI and Plugins Releases of August 2024

CLI Version 2.2.5

  • [FIXED] GitLab Dashboard: Fixed an issue where the GitLab dashboard failed to display when no vulnerabilities were found.

CLI Version 2.2.4

  • [FIXED] Project Branches: Fixed an issue where multiple project branches were created when branch names contained spaces.

  • [FIXED] Scan Create: Fixed an issue where users with group-related permissions could not create and scan a new project using the scan create command.

CLI Version 2.2.3

  • [FIXED] SBOM Reports: Fixed a problem with generating SBOM reports.

  • [FIXED] IaC Vulnerabilities: Remediated IaC vulnerabilities identified in the CLI application itself.

CLI Version 2.2.2

  • [NEW] Upload Fail: Added an error message when an upload fails, suggesting that the upload domain be added to the allow list.

  • [FIXED] Threshold Violations: Fixed an issue where the api-security threshold did not identify threshold violations.

CI/CD Plugins

In August we released the following CI/CD plugin versions:

Improvements and Bug Fixes

  • [NEW] Scan Summary Report (Jenkins): Support for showing a scan summary report stored on an external artifact manager.

  • [NEW] Digital Signature (TeamCity): The CLI that this plugin is based on is now signed with the Checkmarx digital signature, identifying it as an official Checkmarx product. Windows security controls (such as firewalls) that previously blocked the unsigned CLI now allow communication from this plugin. Before adding an allow-list exception, confirm that the signer on the binary is Checkmarx.

  • [NEW] Exit Codes (TeamCity): We have improved the precision of the exit codes to give a clearer picture of which particular scanners failed. We have also added a new CLI command, results exit-code, which retrieves the completion status of a particular scan in Checkmarx One along with details about failures of specific scan engines.

    Caution: For users who rely on external commands (for example, $LastExitCode in PowerShell) to obtain exit codes from the scan create command, this is a breaking change. Refactor your pipelines around the new exit codes.

  • [NEW] Fast Scan Mode (TeamCity): Added a new flag, --sast-fast-scan, to the additional_params for running SAST scans in fast scan mode.

  • [NEW] Project Assign (TeamCity): Added a new flag, --application-name, to the additional_params, which assigns the project to a specific application. Note: this is effective only when creating a new project and assigning it to an existing application.

  • [NEW] Included Files (TeamCity): Added Directory.Packages.props to the list of files included when creating the zip archive for scanning.

  • [UPDATED] Scan Report (TeamCity): Improved the content and graphic presentation of the PDF scan report generated using --report-format pdf in the additional_params.

  • [FIXED] SBOM Reports (GitHub Actions): Fixed a problem with generating SBOM reports.
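The exit-code caution above bites in practice because a pipeline step that compares the status of scan create against one specific old value silently changes behaviour after the CLI upgrade. The POSIX shell helper below is an added example, not Checkmarx's own code and not part of the original release notes: it captures the step's exit status immediately (even under set -e), passes only on zero, and then asks the CLI for engine-level detail with results exit-code. It assumes the cx CLI is on PATH and that results exit-code accepts a --scan-id flag (an assumption; check cx results exit-code --help); the CX_SCAN_ID variable and the cx scan create flags in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Checkmarx's code): capture the exit status of a scan
# step immediately and fail on any nonzero value instead of comparing
# against a specific number that a CLI upgrade may change.
set -eu

# Run the given command, capture its exit status even under `set -e`,
# log it, and return that status unchanged so the caller can act on it.
run_scan_step() {
    rc=0
    "$@" || rc=$?
    printf 'step [%s] exited with %d\n' "$1" "$rc" >&2
    return "$rc"
}

# Turn a status into a pipeline decision without hard-coding per-engine
# codes: zero passes, anything else fails.
scan_passed() {
    [ "$1" -eq 0 ]
}

# Fetch engine-level failure details for a finished scan.
# The `--scan-id` flag name is an assumption; verify it with
# `cx results exit-code --help` before relying on it.
explain_scan_failure() {
    scan_id=$1
    if command -v cx >/dev/null 2>&1; then
        cx results exit-code --scan-id "$scan_id" || true
    else
        printf 'cx CLI not found; cannot query scan %s\n' "$scan_id" >&2
    fi
}

# Usage in a pipeline (the cx invocation and its flags are placeholders):
#   rc=0
#   run_scan_step cx scan create --project-name demo -s . --branch main || rc=$?
#   if ! scan_passed "$rc"; then
#       explain_scan_failure "${CX_SCAN_ID:-unknown}"
#       exit "$rc"
#   fi
```

The `cmd || rc=$?` form matters: under set -e, writing `cmd; rc=$?` aborts the script before the status is recorded, which is exactly the kind of pipeline that breaks when exit codes change.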

IDE Plugins

In August we released the following IDE plugin versions:

  • JetBrains - 2.0.16 (uses CLI v2.2.5)

  • Visual Studio - 2.0.59 (uses CLI v2.2.2)

  • VS Code - 2.19.0 (uses CLI v2.2.0)

Improvements and Bug Fixes

  • [NEW] ASCA (VS Code): Added the AI Secure Coding Assistant (ASCA). The ASCA scanner is a lightweight scan engine that runs in the background as you work in VS Code; whenever you edit a file, ASCA automatically scans that file.

  • [NEW] Name Change (VS Code): Renamed KICS Auto Scanning to KICS Real-time scanning.

  • [UPDATED] Display Response (Visual Studio): Made the plugin display more responsive to accommodate various types of devices.

  • [FIXED] Issue Labeling (VS Code): Issues identified by the Vorpal scanner are now correctly labeled as "best practice" issues rather than vulnerabilities.

  • [FIXED] Output Tab (VS Code): Fixed an issue where the Output tab opened every time the user opened a new window.

Resolved issues

  • Adding a SAST or IAC rule in Policy Management caused the UI to freeze.

  • The PR failed to include the subgroups that the repository belongs to during the redirection.

  • The Common query was not showing in the UI.

  • Sorting SAST results by Detection Date caused the results to be deleted and triggered a 400 error.

  • PDF and JSON report generation failed from both the UI and the API with the error "grpc: received message larger than max".

  • Users without the manage-reports permission were shown the option to generate reports, but the feature did not function.

  • The SAST Policy Manager rule was not functioning correctly: even when all conditions passed, the rule still failed.

  • SCA scan export failed.

  • SBOM vulnerability analysis.

  • The SourceResolverSandbox ran out of memory due to the large project size.

  • A CVE with a score of zero was incorrectly categorized as High.

  • SCA risks filter issues.

  • SCA risk results returned a 404 response code.

  • It was not possible to delete existing policies from Policy Management.

  • Two different namespaces were used for two scans of the same source code, which caused incorrect feedback in the Feedback Apps integration.