
Version 3.22 (Early Access)

Multi-Tenant release date: September 22

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment, unless explicitly stated otherwise in the respective section's sub-heading.

New Features and Enhancements

Unified MTTR Analytics for SCA, IaC, and SAST

The new "MTTR to Support SCA and IaC" feature in Analytics extends the Mean Time to Remediation (MTTR) metric, previously calculated from SAST data only, to include SCA and IaC findings. This gives a single view of how quickly vulnerabilities are resolved across scanners, so remediation efforts can be tracked and managed consistently.

Enhanced DAST Onboarding with Configuration File Support

We have completed the first phase of improving the onboarding process for DAST, enabling users to generate the necessary ZAP configuration file for running a scan.

When creating a new environment for DAST scanning, users now have the option to generate the required configuration file. Additionally, there is an option to generate configuration files for existing environments as well.

Postman Integration for DAST API Scanning

We have introduced a new feature that allows users to load Postman collections directly into the DAST API scanning process. Users select a Postman collection file in the DAST API scan menu; the engine processes the collection to simulate API traffic and runs an API scan based on that traffic to identify potential vulnerabilities. Before the scan proceeds, the platform validates that the selected file is compatible with the supported frameworks.

SCA Updates

Scanning SBOMs

You can now run an SCA scan on an SBOM file. The scan is run as a Checkmarx One project, with the source specified as an SBOM file. The SCA scanner returns comprehensive results of all risks associated with your open source packages. This enables customers who don't want to submit their actual code to obtain comprehensive SCA results for their project and manage the remediation via Checkmarx One.

Note

This capability is distinct from the existing capability to analyze an SBOM using the POST /analysis/requests API. The new method shows SCA results in the context of an actual Checkmarx One project, as opposed to just returning a report with the enriched SBOM data.

Limitations:

  • Supported upload formats: CycloneDX (v1.0-1.5) and SPDX (v2.2)

  • It is mandatory to include the Package URL (purl) for each package in the SBOM. For the purl syntax, see the Package URL (purl) specification.

  • Can only be run from the UI (not CLI or API)

  • Only the SCA scanner can run on an SBOM

  • Can only run on a “manual” project (not a code repository integration)
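Because the upload is rejected (or the results are incomplete) when the document format is outside the supported versions or a package has no purl, it is worth checking an SBOM locally before uploading it through the UI. The following pre-flight check is an added example, not Checkmarx code, and it does not replicate the platform's own validation; it only enforces the two limitations listed above for CycloneDX JSON and SPDX JSON documents. The sample SBOMs at the bottom are constructed for the example, and the purl regular expression is a deliberately loose shape check rather than a full purl-spec parser.

```python
"""Pre-flight check for an SBOM before uploading it to an SCA-on-SBOM scan.

Constructed example (not Checkmarx code). Enforces the documented limitations:
  * the document must be CycloneDX 1.0-1.5 or SPDX 2.2 (JSON form), and
  * every package must carry a Package URL (purl).
"""
import json
import re

CYCLONEDX_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5"}
SPDX_VERSIONS = {"SPDX-2.2"}

# Loose purl shape: "pkg:" scheme, a type, "/", a non-empty name, optional
# "@version", "?qualifiers" or "#subpath". Catches the common mistakes
# (missing "pkg:" scheme, empty name); it is not a full purl-spec parser.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(?:[@?#].*)?$", re.IGNORECASE)


def package_purls(sbom):
    """Return (format label, [(package name, purl or None), ...]).

    Raises ValueError when the document is not a supported format/version.
    """
    if sbom.get("bomFormat") == "CycloneDX":
        version = str(sbom.get("specVersion", ""))
        if version not in CYCLONEDX_VERSIONS:
            raise ValueError(f"unsupported CycloneDX specVersion {version!r}")
        pkgs = [(c.get("name", "?"), c.get("purl")) for c in sbom.get("components", [])]
        return f"CycloneDX {version}", pkgs

    if "spdxVersion" in sbom:
        version = sbom["spdxVersion"]
        if version not in SPDX_VERSIONS:
            raise ValueError(f"unsupported SPDX version {version!r}")
        pkgs = []
        for p in sbom.get("packages", []):
            # In SPDX the purl lives in an externalRef of referenceType "purl".
            purl = None
            for ref in p.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purl = ref.get("referenceLocator")
                    break
            pkgs.append((p.get("name", "?"), purl))
        return version, pkgs

    raise ValueError("not a CycloneDX or SPDX JSON document")


def check_sbom(text):
    """Return a list of problems; an empty list means the SBOM passes the checks."""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    try:
        _, pkgs = package_purls(sbom)
    except ValueError as e:
        return [str(e)]
    problems = []
    for name, purl in pkgs:
        if not purl:
            problems.append(f"{name}: missing purl")
        elif not PURL_RE.match(purl):
            problems.append(f"{name}: malformed purl {purl!r}")
    return problems


# Constructed sample documents (not real project SBOMs).
GOOD_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}],
})
BAD_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "left-pad", "version": "1.3.0"},                      # no purl at all
        {"name": "requests", "purl": "pypi/requests@2.31.0"},         # missing pkg: scheme
    ],
})
NEW_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []})
GOOD_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "requests", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:pypi/requests@2.31.0"}]}],
})

if __name__ == "__main__":
    for label, doc in [("good CycloneDX", GOOD_CDX), ("bad CycloneDX", BAD_CDX),
                       ("CycloneDX 1.6", NEW_CDX), ("good SPDX", GOOD_SPDX)]:
        print(label, "->", check_sbom(doc) or "OK")
```

Run it against a real export (`check_sbom(open("bom.json").read())`) before creating the manual project; fixing a missing purl in the generator's configuration is quicker than re-uploading after a failed scan. XML encodings of CycloneDX and tag-value SPDX are not handled here.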

Resolved Issues

  • In Policy Management, the Categories condition under the SAST rule did not display the selected fields when more than one condition was applied.

  • Report generation failed when no valid sources were found for the SAST scanner.

  • API Security scans failed due to an invalid job in apisec-static-correlator-ast, resulting in the error: "invalid memory address or nil pointer dereference."

  • It was not possible to modify more than 1,000 results.

  • A group associated with more than 4,500 projects triggered a "ResourceExhausted" error when attempting to open the project list.

  • The Bitbucket PR Scan appeared as "Running" in Bitbucket, but was marked as "Complete" in Checkmarx One.

  • The Risk Management tab on the Application page did not have pagination.

  • The Scan History page showed 0 results for all scans when triggering a new scan.

  • SAST Policy encountered an exception while retrieving query information.

  • Checkmarx One platform returned an error when the language was set to Chinese.

  • A preset value was not shown in the scan configuration.

  • Users with the ast-viewer role were unable to view preset names in project settings rules or during scans.

  • It was not possible to update State for API Risks.

  • The filenames for the Remediation Manifest, SBOM, and SCA Report contained commas and spaces.

  • The Source Resolver encountered a timeout for a specific project.

  • There was no option to retry publishing messages for the distributed package.

  • Exporting a Global Inventory report with over 50,000 results or 10MB in size was not possible.

  • For OpenID, creating a Claim to Role Mapper for a certain role interfered with the ability of individual users to log in with that same role.

  • Checkmarx SCA scan reports in CSV format returned inconsistent and inaccurate data.

  • The new auto-fill feature for opening support tickets was not functioning properly.