Version 3.22
Multi-Tenant release date: September 22
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment, unless explicitly stated otherwise in the respective section's sub-heading.
Maintenance releases
Note
This table includes only the maintenance releases that addressed customer-facing issues. Maintenance releases that contained only internal enhancements are not listed.
| Release number | Resolved issues |
|---|---|
| 3.22.19 | RabbitMQ was crashing after the Static-Correlator established a connection but failed to close it. |
New Features and Enhancements
Unified MTTR Analytics for SCA, IaC, and SAST
The new "MTTR to Support SCA and IaC" feature in Analytics improves the Mean Time to Remediation (MTTR) metric by incorporating findings from SCA and IaC into existing SAST data. This integration provides a comprehensive view of the vulnerability resolution process across different scanners, allowing for more effective tracking and management of remediation efforts.
Other Analytics Enhancements
The Applications Rating Score is now recalculated based on the Risk Management Score available in the Analysis Database.
Fixed vulnerability data has been added to the Vulnerability dashboard, enabling users to assess remediation effectiveness by comparing open vs. fixed vulnerabilities. This visualization helps users track progress and prioritize security actions.
Enhanced DAST Onboarding with Configuration File Support
We have completed the first phase of improving the onboarding process for DAST, enabling users to generate the necessary ZAP configuration file for running a scan.
When creating a new environment for DAST scanning, users now have the option to generate the required configuration file. Additionally, there is an option to generate configuration files for existing environments as well.
Postman Integration for DAST API Scanning
We have introduced a new feature that allows users to load Postman collections directly into the DAST API scanning process. With this integration, users can select a Postman collection file in the DAST API scan menu, which the engine then processes to simulate API traffic.
The DAST engine executes an API scan based on this traffic to identify potential vulnerabilities. Additionally, the platform includes a validation step to ensure that the selected file is compatible with the supported frameworks before proceeding with the scan.
Runtime Context for Project Prioritization
Cloud Insights now provide runtime context for each project, indicating if it's deployed and publicly exposed. This improves project prioritization, helping customers focus on vulnerabilities in publicly exposed projects first.
SCA Updates
Scanning SBOMs
You can now run an SCA scan on an SBOM file. The scan is run as a Checkmarx One project, with the source specified as an SBOM file. The SCA scanner returns comprehensive results of all risks associated with your open source packages. This enables customers who don’t want to submit their actual code, to obtain comprehensive SCA results for their project and manage the remediation via Checkmarx One.
Note
This capability is distinct from the existing capability to analyze an SBOM using the POST /analysis/requests API. The new method shows SCA results in the context of an actual Checkmarx One project, as opposed to just returning a report with the enriched SBOM data.
Limitations:
Supported upload formats: CycloneDX (v1.0-1.5) and SPDX (v2.2)
It is mandatory to include the Package URL (purl) for each package in the SBOM. For more information about purl syntax, see here.
Can only be run from the UI (not CLI or API)
Only the SCA scanner can run on an SBOM
Can only run on a “manual” project (not a code repository integration)
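The limitations above make the purl requirement and the accepted spec versions the two things most likely to reject an upload. The following pre-upload check is an added example, not Checkmarx code: it parses a CycloneDX or SPDX JSON SBOM (field names follow the public CycloneDX and SPDX JSON schemas, where SPDX carries the purl as an externalRef of type "purl") and lists every package that lacks a purl; the sample document is constructed.

```python
import json

# Upload formats the release notes list as supported for SBOM scanning.
SUPPORTED_CYCLONEDX = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5"}
SUPPORTED_SPDX = {"SPDX-2.2"}


def check_sbom(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the SBOM passes the check."""
    problems = []
    if doc.get("bomFormat") == "CycloneDX":
        version = str(doc.get("specVersion", ""))
        if version not in SUPPORTED_CYCLONEDX:
            problems.append(f"unsupported CycloneDX specVersion {version!r}")
        # CycloneDX puts the Package URL directly on each component.
        for i, comp in enumerate(doc.get("components", [])):
            if not comp.get("purl"):
                problems.append(f"component #{i} ({comp.get('name', '?')}) has no purl")
    elif "spdxVersion" in doc:
        version = doc["spdxVersion"]
        if version not in SUPPORTED_SPDX:
            problems.append(f"unsupported SPDX version {version!r}")
        # SPDX 2.x carries the purl as an externalRef with referenceType "purl".
        for i, pkg in enumerate(doc.get("packages", [])):
            refs = pkg.get("externalRefs", [])
            if not any(r.get("referenceType") == "purl" for r in refs):
                problems.append(f"package #{i} ({pkg.get('name', '?')}) has no purl externalRef")
    else:
        problems.append("not a recognised CycloneDX or SPDX JSON document")
    return problems


# Constructed sample CycloneDX 1.5 document: one component carries a purl, one does not.
SAMPLE_CYCLONEDX = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "left-pad", "version": "1.3.0"}
  ]
}""")


def main():
    for problem in check_sbom(SAMPLE_CYCLONEDX):
        print("SBOM check:", problem)


if __name__ == "__main__":
    main()
```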
Filtering Dev and Test Dependencies
Note
This feature will be rolled out gradually by region. Full General Availability is expected on October 2, 2024.
This filter can also be applied to the following REST APIs: Results Summary and All Scanners Results.
Learn more about how we identify dev and test dependencies here.
Notice
This filter is only effective for projects that were scanned by SCA after support for this feature was added (v3.19). For older scans, the unfiltered results will be returned.
SCA Resolver Version 2.10.2
(September 3, 2024)
For Npm, improved package.json identification when lerna.json is present
For RubyGems, fixed circular dependencies
For Yarn, fixed direct dependency identification for yarn.lock v2
We added the following items to the scan summary that is shown when a scan is completed:
Outdated packages
Vulnerable packages, with breakdown by severity level
Legal risks, with breakdown by severity level
Critical and Info level severity are now displayed. (However, results for these severities are only identified in accounts for which this feature has been activated.)
Download the new version here.
CLI and Plugins Releases of September 2024
CLI Version 2.2.8
| Status | Item | Description |
|---|---|---|
| NEW | Container Signing | Implemented container signing for Docker images in our application in order to ensure image authenticity and integrity. |
| FIXED | GitLab Dashboard | Fixed an issue where the GitLab dashboard display failed when no vulnerabilities were discovered. |
CLI Version 2.2.7
| Status | Item | Description |
|---|---|---|
| NEW | General | General improvements and bug fixes. |
CLI Version 2.2.6
| Status | Item | Description |
|---|---|---|
| UPDATED | Policy Violations | The Policy Violations section is now included in the response only when there is at least one violation. |
| UPDATED | ASCA Scanner | The name of the Vorpal scanner was changed to ASCA. |
CI/CD Plugins
In September we released the following CI/CD plugin versions:
GitHub Actions Plugin - 2.0.34 (uses CLI v2.2.5)
Improvements and Bug Fixes
| Status | Item | Platform | Description |
|---|---|---|---|
| NEW | General | GitHub Actions | General improvements and bug fixes. |

| Plugin | Marketplace | Code Repository | Documentation | Changelog |
|---|---|---|---|---|
| Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | | | |
| GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | | | |
| TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | | | |
| Jenkins | | | | |
IDE Plugins
In September we released the following IDE plugin versions:
Improvements and Bug Fixes
| Status | Item | Platform | Description |
|---|---|---|---|
| NEW | General | Eclipse, JetBrains | General improvements and bug fixes. |
| NEW | Name Change | VS Code | The name of the Vorpal scanner was changed to AI Secure Coding Assistant (ASCA). |
| NEW | Vorpal Support | VS Code | Added support for running the Vorpal scanner on Linux and macOS ARM machines (in addition to existing support for Windows). |
Resolved Issues
In Policy Management, the Categories condition under the SAST rule did not display the selected fields when more than one condition was applied.
Report generation failed when no valid sources were found for the SAST scanner.
API Security scans failed due to an invalid job in apisec-static-correlator-ast, resulting in the error: "invalid memory address or nil pointer dereference."
It was not possible to modify more than 1,000 results.
A group associated with more than 4,500 projects triggered a "ResourceExhausted" error when attempting to open the project list.
The Bitbucket PR Scan appeared as "Running" in Bitbucket, but was marked as "Complete" in Checkmarx One.
The Risk Management tab on the Application page did not have pagination.
The Scan History page showed 0 results for all scans when triggering a new scan.
SAST Policy encountered an exception while retrieving query information.
Checkmarx One platform returned an error when the language was set to Chinese.
A preset value was not shown in the scan configuration.
Users with the ast-viewer role were unable to view preset names in project settings rules or during scans.
It was not possible to update State for API Risks.
The filenames for the Remediation Manifest, SBOM, and SCA Report contained commas and spaces.
The Source Resolver encountered a timeout for a specific project.
There was no option to retry publishing messages for the distributed package.
Exporting a Global Inventory report with over 50,000 results or 10MB in size was not possible.
For OpenID, a Claim to Role Mapper created for a certain role had been interfering with the ability of individual users to log in with that same role.
Checkmarx SCA scan reports in CSV format had been returning inconsistent and inaccurate data.
The new auto-fill feature for opening support tickets had not been functioning properly.