Skip to main content

Current Single-Tenant Version 3.22

New features and enhancements

Redesign of SAST Results Viewer

The SAST Results Viewer page has been redesigned to be more intuitive and accessible.

A ribbon at the top of the page details the scanner type, project branch, scan date, and scan history. Details, like a result’s severity or source code file, are organized in a table, while quick links and buttons like Overview, Download Logs, Audit Scan, and Go To Project appear by hovering over a project row, making navigation between features quicker.

For more information, click here.

Filtering by Vulnerability Name

The Filter by Vulnerability Name feature in the Analytics module allows users to search for specific vulnerabilities detected in all projects within the Checkmarx One platform. Users can filter results based on vulnerability names, providing a comprehensive view of affected projects.

Enhanced Vulnerability KPIs with SCA and IaC Integration

The Top Open and Oldest Vulnerabilities KPIs metric has been enhanced by integrating Software Composition Analysis (SCA) and Infrastructure as Code (IaC) findings into the existing SAST data. This integration offers a comprehensive view of the vulnerability resolution lifecycle across these scanners, enabling better tracking and management of remediation efforts.

Removal of Incremental Scans KPI Chart from Scans Dashboard

The Incremental Scans KPI chart has been removed from the Scans dashboard, both in the Overtime and Total views. The new layout enhances clarity and usability by reordering elements and adding detailed information.

Ability to Delete Multiple Self-Hosted Repositories

You can now delete multiple self-hosted repositories from the Account Settings, either in the table view or within a configuration. If repositories are connected to a configuration, the delete option will be disabled, showing an information icon. Clicking the icon displays a list of projects associated with that configuration.

SCS (Supply Chain Security) Results Summary

The Scan Results Overview pie chart now includes results for SCS. Additionally, a new section titled "Supply Chain Security Vulnerabilities" has been introduced. This section displays a bar for each mini engine, such as "Secret Detection Severities" and "Scorecard Severities," categorized by severity levels.

Exporting Vulnerability Data in CSV Format

Users can now export data from the vulnerabilities table to a CSV file. The CSV will include all currently displayed columns in the table, along with a direct link to the results in the platform for each vulnerability.

Unified MTTR Analytics for SCA, IaC, and SAST

The new "MTTR to Support SCA and IaC" feature in Analytics improves the Mean Time to Remediation (MTTR) metric by incorporating findings from SCA and IaC into existing SAST data. This integration provides a comprehensive view of the vulnerability resolution process across different scanners, allowing for more effective tracking and management of remediation efforts.

Other Analytics Enhancements

  • The Applications Rating Score is now recalculated based on the Risk Management Score available in the Analysis Database.

  • Fixed vulnerability data has been added to the Vulnerability dashboard, enabling users to assess remediation effectiveness by comparing open vs. fixed vulnerabilities. This visualization helps users track progress and prioritize security actions.

Enhanced DAST Onboarding with Configuration File Support

We have completed the first phase of improving the onboarding process for DAST, enabling users to generate the necessary ZAP configuration file for running a scan.

When creating a new environment for DAST scanning, users now have the option to generate the required configuration file. Additionally, there is an option to generate configuration files for existing environments as well.

Postman Integration for DAST API Scanning

We have introduced a new feature that allows users to load Postman collections directly into the DAST API scanning process. With this integration, users can select a Postman collection file in the DAST API scan menu, which the engine then processes to simulate API traffic.

The DAST engine executes an API scan based on this traffic to identify potential vulnerabilities. Additionally, the platform includes a validation step to ensure that the selected file is compatible with the supported frameworks before proceeding with the scan.

Runtime Context for Project Prioritization

Cloud Insights now provide runtime context for each project, indicating if it's deployed and publicly exposed. This improves project prioritization, helping customers focus on vulnerabilities in publicly exposed projects first.

SCA Updates

Remediation Recommendations in SCA Scan Report

We now offer recommendations for remediating the package versions as part of the SCA scan report. When you generate an SCA scan report either via the UI or via API there are two new fields:

  • NextVersionWithoutVulnerabilities – gives the next package version (i.e., minimal change from currently used version) that has no vulnerabilities.

  • LatestVersionWithoutVulnerabilities – gives the latest package version (i.e. most recently released version) that has no vulnerabilities.

These fields were added to reports in format json, xml or csv (but not for pdf).

SCA Resolver Version 2.11.2 (Sep 20, 2024)

  • Added support for Pub package manager (for Dart and Flutter frameworks).

    Notice

    Current limitations: Only identifies direct dependecies and only identifies Malicious Packages.

  • Performance optimization during folder analysis.

  • Improved Risk Report and SBOM generation. SBOMs are now generated in CycloneDX v1.5 format (instead of v1.3).

  • For Gradle, we now remove dependencies which Gradle marks as FAILED (such as packages that conflict with a different package version) from our scan results.

Download the new version here.

Scanning SBOMs

You can now run an SCA scan on an SBOM file. The scan is run as a Checkmarx One project, with the source specified as an SBOM file. The SCA scanner returns comprehensive results of all risks associated with your open source packages. This enables customers who don’t want to submit their actual code, to obtain comprehensive SCA results for their project and manage the remediation via Checkmarx One.

Note

This capability is distinct from the existing capability to analyze an SBOM using the POST /analysis/requests API. The new method shows SCA results in the context of an actual Checkmarx One project, as opposed to just returning a report with the enriched SBOM data.

Limitations:

  • Supported upload formats CycloneDX (v1.0-1.5) and SPDX (v2.2)

  • It is mandatory to include the Package URL (purl) for each package in the SBOM. For more information about purl syntax, see here.

  • Can only be run from the UI (not CLI or API)

  • Only the SCA scanner can run on an SBOM

  • Can only run on a “manual” project (not a code repository integration)

Filtering Dev and Test Dependencies

The SCA scanner now identifies dev and test dependencies so that you can filter them out of your results. This reduces noise and enables you to focus on risks that affect your prod environment. This filter can be applied to the following REST APIs: Results Summary and All Scanners Results.

Learn more about how we identify dev and test dependecies here.

Notice

This filter is only effective for projects that were scanned by SCA after support for this feature was added (v3.19). For older scans, the unfiltered results will be returned.

SCA Resolver Version 2.10.2

  • For Npm, improved package.json identification when lerna.json is present    

  • For RubyGems, fixed circle dependencies  

  • For Yarn, fixed direct dependency identification for yarn.lock v2

  • We added the following items to the scan summary that is shown when a scan is completed:

    • Outdated packages

    • Vulnerable packages, with breakdown by severity level

    • Legal risks, with breakdown by severity level

    • Critical and Info level severity are now displayed. (However, results for these severities are only identified in accounts for which this feature has been activated.)

Download the new version here.

IAM Updates

  • The search for users and groups is now case-insensitive.

  • Keycloak has been upgraded to version 25.

Resolved IAM Issues

  • Users were missing firstName and lastName data.

  • OpenID Claim to Role Mapper removed existing roles.

  • It was possible to access the Keycloack page (account/#/applications) without proper authorization.

  • The IAM Groups tab was not displaying the groups list correctly due to the API being hardcoded to filter and limit the results to 200 entries.

  • SAML: Unable to change the NameID Policy Format when an email mapper was present.

  • SAML/OpenID login attempt failed if the creation of any group was unsuccessful.

  • In Force Sync mode, the SAML Attribute to Groups Mapper ignored all other Group Mappers.

Resolved Issues

  • It was not possible to save numbers in the query description.

  • Users with special characters in their first or last names occasionally encountered 500 Internal Server Error messages.

  • Unable to refresh repository permissions in SCM project.

  • The link to the vulnerable SCA package created by the GitHub PR decoration was incorrect.

  • Error: 'Failed to set need for recalculation' was encountered when modifying a vulnerability that is not from the last scan.

  • An error occurred while accessing the scan list of a project.

  • Application creation was taking longer than 30 seconds.

  • Specifying an image tag as a SHA256 hash resulted in no container package being found.

  • It was not possible to see to view resolved container packages.

  • Confusing information about a detected Docker image vulnerability.

  • The Policy Management page was failing to load for some users due to an encoded token issue.

  • A user with the 'view-projects-if-in-group' role received a 403 response.

  • The Results Summary API endpoint was returning illogical values in the 'stateCounters' field.

  • The tenant's name was not automatically filled in when logging into the ST environment.

  • The Risk Management GET /{applicationId}/results API returned 'Invalid limit argument' if the limit parameter was greater than 100.

  • The malicious package did not display details.

  • Project report generation was failing with the default settings.

  • The branch selector in the Containers Results Viewer was not functioning.

  • The scan kept failing with the error 'Failed to extract zip file' for a 2.8GB zip file.

  • Opening any item in the Packages & Version section of an SCA project resulted in a blank AppSec Knowledge Center page.

  • Failed to upload stream to the cloud (TIMEOUT ScanRunner).

  • SourceResolver was unable to locate missing packages.

  • Changes in packages were displayed even though the Mute option was applied.

  • The 50k limit was ignored when a filter was applied without pressing the 'Export Filter' button.

  • In Policy Management, the Categories condition under the SAST rule did not display the selected fields when more than one condition was applied.

  • Report generation failed when no valid sources were found for the SAST scanner.

  • API Security scans failed due to an invalid job in apisec-static-correlator-ast, resulting in the error: "invalid memory address or nil pointer dereference."

  • It was not possible to modify more than 1,000 results.

  • A group associated with more than 4,500 projects triggered a "ResourceExhausted" error when attempting to open the project list.

  • The Bitbucket PR Scan appeared as "Running" in Bitbucket, but was marked as "Complete" in Checkmarx One.

  • The Risk Management tab on the Application page did not have pagination.

  • The Scan History page showed 0 results for all scans when triggering a new scan.

  • SAST Policy encountered an exception while retrieving query information.

  • Checkmarx One platform returned an error when the language was set to Chinese.

  • A preset value was not shown in the scan configuration.

  • Users with the ast-viewer role were unable to view preset names in project settings rules or during scans.

  • It was not possible to update State for API Risks.

  • The filenames for the Remediation Manifest, SBOM, and SCA Report contained commas and spaces.

  • The Source Resolver encountered a timeout for a specific project.

  • There was no option to retry publishing messages for the distributed package.

  • Exporting a Global Inventory report with over 50,000 results or 10MB in size was not possible.

  • For OpenID , making a Claim to Role Mapper for a certain role had been interfering with the ability of individual users to log in with that same role.

  • Checkmarx SCA scan reports in CSV format had been returning inconsistent and inaccurate data.

  • The new auto-fill feature for opening support tickets had not been functioning properly.