
Version 3.22

Multi-Tenant release date: September 22

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment, unless explicitly stated otherwise in the respective section's sub-heading.

Maintenance releases

Note

This table includes only the maintenance releases that addressed customer-facing issues. Maintenance releases that contained only internal enhancements are not listed.

Release number | Resolved issues
3.22.19 | RabbitMQ was crashing after the Static-Correlator established a connection but failed to close it.

New Features and Enhancements

Unified MTTR Analytics for SCA, IaC, and SAST

The new "MTTR to Support SCA and IaC" feature in Analytics improves the Mean Time to Remediation (MTTR) metric by incorporating findings from SCA and IaC into existing SAST data. This integration provides a comprehensive view of the vulnerability resolution process across different scanners, allowing for more effective tracking and management of remediation efforts.

Other Analytics Enhancements

  • The Applications Rating Score is now recalculated based on the Risk Management Score available in the Analysis Database.

  • Fixed vulnerability data has been added to the Vulnerability dashboard, enabling users to assess remediation effectiveness by comparing open vs. fixed vulnerabilities. This visualization helps users track progress and prioritize security actions.

Enhanced DAST Onboarding with Configuration File Support

We have completed the first phase of improving the onboarding process for DAST, enabling users to generate the necessary ZAP configuration file for running a scan.

When creating a new environment for DAST scanning, users now have the option to generate the required configuration file. Additionally, there is an option to generate configuration files for existing environments as well.

Postman Integration for DAST API Scanning

We have introduced a new feature that allows users to load Postman collections directly into the DAST API scanning process. With this integration, users can select a Postman collection file in the DAST API scan menu, which the engine then processes to simulate API traffic.

The DAST engine executes an API scan based on this traffic to identify potential vulnerabilities. Additionally, the platform includes a validation step to ensure that the selected file is compatible with the supported frameworks before proceeding with the scan.
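The release notes say the platform validates the selected collection before scanning but do not describe that check. As an added example (not Checkmarx code), the Python script below shows the pre-check a user can run locally before uploading: confirm the file is a Postman v2.0/v2.1 collection, walk nested folders to list every request the engine would replay, resolve collection-level `{{variables}}`, and flag variables that stay unresolved and credential-looking query parameters, since the scan replays this traffic as-is. The collection embedded in the script is constructed for the example.

```python
"""Pre-check a Postman collection before selecting it for a DAST API scan.

Added example, not Checkmarx code. The collection below is constructed.
"""
import json
import re

V2_SCHEMA_RE = re.compile(r"^https://schema\.getpostman\.com/json/collection/v2\.[01]\.0/collection\.json$")
VAR_RE = re.compile(r"\{\{([^}]+)\}\}")
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|password|secret)=([^&\s]+)")


def _url_to_string(url):
    # Postman stores url as a plain string or as an object; prefer the "raw" form.
    if isinstance(url, str):
        return url
    if isinstance(url, dict):
        if url.get("raw"):
            return url["raw"]
        host = ".".join(url.get("host", []))
        path = "/".join(url.get("path", []))
        return f"{url.get('protocol', 'https')}://{host}/{path}"
    return ""


def _walk(items, folder, out):
    for item in items:
        if "item" in item:                      # a folder: recurse into it
            _walk(item["item"], folder + [item.get("name", "")], out)
        elif "request" in item:
            req = item["request"]
            if isinstance(req, str):            # shorthand form: bare URL, implicit GET
                req = {"method": "GET", "url": req}
            out.append({
                "folder": "/".join(folder),
                "method": str(req.get("method", "GET")).upper(),
                "url": _url_to_string(req.get("url", "")),
                "auth": (req.get("auth") or {}).get("type"),
            })


def load_collection(text):
    """Parse a collection and return its requests plus the issues a scan would hit."""
    doc = json.loads(text)
    schema = doc.get("info", {}).get("schema", "")
    if not V2_SCHEMA_RE.match(schema):
        raise ValueError(f"not a Postman v2.x collection (schema={schema!r})")

    requests = []
    _walk(doc.get("item", []), [], requests)

    # Collection-level variables are the only ones we can resolve offline;
    # anything else (environment variables, dynamic values) stays as {{name}}.
    variables = {v["key"]: v.get("value", "") for v in doc.get("variable", []) if "key" in v}
    unresolved = set()

    def substitute(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        unresolved.add(name)
        return match.group(0)

    for req in requests:
        req["url"] = VAR_RE.sub(substitute, req["url"])

    # Credentials embedded in URLs will be replayed by the scanner verbatim.
    secrets = [(req["url"], m.group(1)) for req in requests for m in SECRET_RE.finditer(req["url"])]
    return {"requests": requests, "unresolved": sorted(unresolved), "secrets": secrets}


# Constructed sample collection: a folder, a top-level request, and a shorthand request.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "Orders API",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
    "item": [
        {"name": "Orders", "item": [
            {"name": "List orders", "request": {"method": "GET",
                                                 "url": {"raw": "{{baseUrl}}/orders?limit=10"}}},
            {"name": "Create order", "request": {"method": "POST", "url": "{{baseUrl}}/orders",
                                                  "auth": {"type": "bearer"}}},
        ]},
        {"name": "Health", "request": {"method": "GET", "url": "{{baseUrl}}/health?api_key=abc123"}},
        {"name": "Legacy", "request": "{{legacyHost}}/v1/ping"},
    ],
})

if __name__ == "__main__":
    result = load_collection(SAMPLE_COLLECTION)
    for req in result["requests"]:
        print(f"{req['method']:6} {req['url']}  (folder={req['folder'] or '-'}, auth={req['auth']})")
    print("unresolved variables:", result["unresolved"])
    print("credential-looking URL params:", result["secrets"])
```

An unresolved host means the scanner has nothing to send that request to; a credential in a query string means the collection should be cleaned (or the value moved to an environment variable) before it is shared with the scan.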

Runtime Context for Project Prioritization

Cloud Insights now provides runtime context for each project, indicating whether it is deployed and whether it is publicly exposed. This improves project prioritization, helping customers focus first on vulnerabilities in publicly exposed projects.

SCA Updates

Scanning SBOMs

You can now run an SCA scan on an SBOM file. The scan is run as a Checkmarx One project, with the source specified as an SBOM file. The SCA scanner returns comprehensive results for all risks associated with your open source packages. This enables customers who don’t want to submit their actual code to obtain comprehensive SCA results for their project and manage remediation via Checkmarx One.

Note

This capability is distinct from the existing capability to analyze an SBOM using the POST /analysis/requests API. The new method shows SCA results in the context of an actual Checkmarx One project, as opposed to just returning a report with the enriched SBOM data.

Limitations:

  • Supported upload formats: CycloneDX (v1.0-1.5) and SPDX (v2.2)

  • It is mandatory to include the Package URL (purl) for each package in the SBOM. For more information about purl syntax, see here.

  • Can only be run from the UI (not CLI or API)

  • Only the SCA scanner can run on an SBOM

  • Can only run on a “manual” project (not a code repository integration)
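Because the upload is UI-only and a missing purl on any package will block the scan, it pays to check the file before uploading it. The Python script below is an added example (not Checkmarx code) that applies the two limitations a file can fail on: the format and version (CycloneDX 1.0-1.5 or SPDX 2.2, JSON encoding) and the presence of a plausibly formed purl on every component or package. The purl shape check is a coarse sanity check of my own, not the full purl grammar, and the three SBOMs embedded in the script are constructed for the example.

```python
"""Pre-upload checks for an SBOM that will be scanned as a Checkmarx One project.

Added example, not Checkmarx code. The SBOMs below are constructed.
"""
import json
import re

CYCLONEDX_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5"}
SPDX_VERSIONS = {"SPDX-2.2"}

# Coarse purl shape: "pkg:" + type + "/" + [namespace/]name[@version][?qualifiers][#subpath].
# A sanity check only; the full grammar lives in the purl specification.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(@[^?#\s]+)?(\?[^#\s]*)?(#\S*)?$")


def _check_purl(purl, label, problems):
    if not purl:
        problems.append(f"{label}: missing purl")
    elif not PURL_RE.match(purl):
        problems.append(f"{label}: malformed purl {purl!r}")


def validate_sbom(text):
    """Return a list of problems; an empty list means the SBOM passed the checks."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if doc.get("bomFormat") == "CycloneDX":
        version = str(doc.get("specVersion", ""))
        if version not in CYCLONEDX_VERSIONS:
            problems.append(f"unsupported CycloneDX specVersion {version!r}")
        components = doc.get("components") or []
        if not components:
            problems.append("no components in SBOM")
        for i, comp in enumerate(components):
            _check_purl(comp.get("purl"), comp.get("name") or f"component[{i}]", problems)
    elif "spdxVersion" in doc:
        version = doc["spdxVersion"]
        if version not in SPDX_VERSIONS:
            problems.append(f"unsupported SPDX version {version!r}")
        packages = doc.get("packages") or []
        if not packages:
            problems.append("no packages in SBOM")
        for i, pkg in enumerate(packages):
            # In SPDX the purl is an external reference, not a top-level field.
            purls = [ref.get("referenceLocator") for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"]
            _check_purl(purls[0] if purls else None, pkg.get("name") or f"package[{i}]", problems)
    else:
        problems.append("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")
    return problems


# Constructed samples: one that passes, one that trips several checks, one SPDX document.
GOOD_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}],
})
BAD_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [{"name": "left-pad", "version": "1.3.0"},
                   {"name": "foo", "purl": "npm/foo@1"}],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "requests", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                               "referenceType": "purl",
                                               "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "mystery", "externalRefs": []},
    ],
})

if __name__ == "__main__":
    for name, sbom in [("good", GOOD_CYCLONEDX), ("bad", BAD_CYCLONEDX), ("spdx", SPDX_SAMPLE)]:
        print(name, validate_sbom(sbom) or "OK")
```

Run it against the SBOM your generator produced; a package reported as "missing purl" usually means the generator could not map the package to an ecosystem, and that package will not get SCA results until the purl is added.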

Filtering Dev and Test Dependencies

Note

This feature will be rolled out gradually by region. Full General Availability is expected on October 2, 2024.

This filter can also be applied to the following REST APIs: Results Summary and All Scanners Results.

Learn more about how we identify dev and test dependencies here.

Notice

This filter is only effective for projects that were scanned by SCA after support for this feature was added (v3.19). For older scans, the unfiltered results will be returned.

SCA Resolver Version 2.10.2

(September 3, 2024)

  • For npm, improved package.json identification when lerna.json is present

  • For RubyGems, fixed handling of circular dependencies

  • For Yarn, fixed direct dependency identification for yarn.lock v2

  • We added the following items to the scan summary that is shown when a scan is completed:

    • Outdated packages

    • Vulnerable packages, with breakdown by severity level

    • Legal risks, with breakdown by severity level

    • Critical and Info severity levels are now displayed. (However, results at these severities are only identified in accounts for which this feature has been activated.)

Download the new version here.

CLI and Plugins Releases of September 2024

CLI Version 2.2.8

Status | Item | Description
NEW | Container Signing | Implemented container signing for our Docker images to ensure image authenticity and integrity. Consumers should verify the signature before pulling or running an image.
FIXED | GitLab Dashboard | Fixed an issue where the GitLab dashboard failed to display when no vulnerabilities were discovered.

CLI Version 2.2.7

Status | Item | Description
NEW | General | General improvements and bug fixes.

CLI Version 2.2.6

Status | Item | Description
UPDATED | Policy Violations | The Policy Violations section is now included in the response only when there is at least one violation. Scripts that parse CLI output should treat this section as optional rather than assuming it is always present.
UPDATED | ASCA Scanner | The Vorpal scanner was renamed ASCA.

CI/CD Plugins

In September we released the following CI/CD plugin versions:

  • GitHub Actions Plugin - 2.0.34 (uses CLI v2.2.5)

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | General | GitHub Actions | General improvements and bug fixes.

IDE Plugins

In September we released the following IDE plugin versions:

  • Eclipse - 2.1.5 (uses CLI v2.2.5)

  • JetBrains - 2.1.4 (uses CLI v2.2.5)

  • VS Code - 2.21.0 (uses CLI v2.2.5)

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | General | Eclipse, JetBrains | General improvements and bug fixes.
NEW | Name Change | VS Code | The Vorpal scanner was renamed AI Secure Coding Assistant (ASCA).
NEW | Vorpal Support | VS Code | Added support for running the Vorpal scanner on Linux and macOS ARM machines (in addition to existing support for Windows).

Resolved Issues

  • In Policy Management, the Categories condition under the SAST rule did not display the selected fields when more than one condition was applied.

  • Report generation failed when no valid sources were found for the SAST scanner.

  • API Security scans failed due to an invalid job in apisec-static-correlator-ast, resulting in the error: "invalid memory address or nil pointer dereference."

  • It was not possible to modify more than 1,000 results.

  • A group associated with more than 4,500 projects triggered a "ResourceExhausted" error when attempting to open the project list.

  • The Bitbucket PR Scan appeared as "Running" in Bitbucket, but was marked as "Complete" in Checkmarx One.

  • The Risk Management tab on the Application page did not have pagination.

  • The Scan History page showed 0 results for all scans when triggering a new scan.

  • SAST Policy encountered an exception while retrieving query information.

  • Checkmarx One platform returned an error when the language was set to Chinese.

  • A preset value was not shown in the scan configuration.

  • Users with the ast-viewer role were unable to view preset names in project settings rules or during scans.

  • It was not possible to update State for API Risks.

  • The filenames for the Remediation Manifest, SBOM, and SCA Report contained commas and spaces.

  • The Source Resolver encountered a timeout for a specific project.

  • There was no option to retry publishing messages for the distributed package.

  • Exporting a Global Inventory report with over 50,000 results or 10MB in size was not possible.

  • For OpenID, creating a Claim to Role Mapper for a certain role interfered with the ability of individual users to log in with that same role.

  • Checkmarx SCA scan reports in CSV format returned inconsistent and inaccurate data.

  • The new auto-fill feature for opening support tickets did not function properly.