
Version 3.25

Multi-Tenant release date: November 10, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

New features and enhancements

Software Supply Chain Security (SCS)

(GA December 4)

We have released the new Software Supply Chain Security (SCS) module in Checkmarx One. SCS identifies various types of software supply chain risks that can put your applications at risk. This module currently comprises two scanners:

  • Secrets Detection – Identifies 170+ different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other sensitive information that may be exposed, enabling your development and security teams to quickly remove and rotate the discovered secrets.

  • Repository Health (OSSF Scorecard) – Continuously evaluates the security health of all repositories included in your applications, based on key factors such as code quality, dependency management, CI/CD best practices, and project maintenance.

SCS is fully integrated into the Checkmarx One platform. You can initiate SCS scans on Checkmarx One projects via the Checkmarx One web application (UI), CLI or REST API. Scans can also be initiated automatically at specific SDLC stages via SCM integration (e.g., pull request, build). You can view the results in the Checkmarx One web application (UI) and in scan reports.

Additional Attributes in Project Overview API

Added a new attribute to the response body for GET /projects-overview.

  • "importedProjName" - For migrated projects (manual projects that were converted to Code Repository projects), this shows the repository name.

SCA Updates

Private Packages

We have expanded our support for private packages. When viewing the list of private packages in the Scan Results > Packages tab, you can now drill down to show additional details for a specific package.

Learn more about private packages here.

Remediation Tasks Tab

We added a new tab, Remediation Tasks, to the SCA results viewer. This tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages.

Notice

Remediation tasks are currently supported only for JavaScript npm packages and for NuGet packages with .csproj manifest files; otherwise this tab isn't shown.

The Remediation Tasks tab contains sub-tabs that show two types of pages:

  • All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.

  • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.

Learn more about Remediation Tasks here.

Export Remediated Manifest File

You can now generate remediated manifest files that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.

You can export the remediated manifest files from the SCA scan results viewer page. The files are exported as a zip archive, which preserves your project's file structure.

Notice

Current limitations:

  • Supported only for npm package.json manifest files

  • Remediates only direct dependencies (not transitive)

  • Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.
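Because the exported manifest may move a direct dependency across a major version, a quick diff of the original package.json against the remediated one tells you which packages need a code review before merging. This is an added illustration, not Checkmarx code; the manifests and package names below are constructed placeholders.

```python
"""Compare an original npm package.json with a remediated one and flag
major-version bumps in direct dependencies (the case that may break code).
Added illustration, not Checkmarx code."""
import json
import re

# Constructed sample manifests: REMEDIATED stands in for the file exported
# from the SCA results viewer; package names are placeholders.
ORIGINAL = """{"name": "demo", "dependencies": {"example-lib": "^1.4.2",
  "other-lib": "~2.0.0", "unchanged-lib": "3.1.0"}}"""
REMEDIATED = """{"name": "demo", "dependencies": {"example-lib": "^2.0.1",
  "other-lib": "~2.0.5", "unchanged-lib": "3.1.0"}}"""

# Accepts plain versions and common range prefixes such as ^, ~, >=.
SEMVER = re.compile(r"^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Return (major, minor, patch) from a spec like '^1.4.2', or None."""
    m = SEMVER.match(spec)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_bump(old, new):
    """Name the highest semver component that changed between two specs."""
    a, b = parse_version(old), parse_version(new)
    if a is None or b is None:
        return "unparsed"
    if a == b:
        return "none"
    return ("major", "minor", "patch")[next(i for i in range(3) if a[i] != b[i])]


def diff_manifests(original_text, remediated_text, section="dependencies"):
    """Map each direct dependency to its bump kind (only direct deps are changed)."""
    old = json.loads(original_text).get(section, {})
    new = json.loads(remediated_text).get(section, {})
    return {name: classify_bump(old[name], new.get(name, old[name])) for name in old}


def needs_review(original_text, remediated_text):
    """Packages whose major version changed and so may need code refactoring."""
    return sorted(n for n, k in diff_manifests(original_text, remediated_text).items()
                  if k == "major")


if __name__ == "__main__":
    for name, kind in diff_manifests(ORIGINAL, REMEDIATED).items():
        print(f"{name}: {kind}")
    print("review before merging:", needs_review(ORIGINAL, REMEDIATED))
```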

SCA Resolver Version 2.11.6

(Nov 20, 2024)

  • For Gradle, fixed include modules feature to only resolve the specified modules and ignore the remaining modules.

Download the new version here.

SCA Resolver Version 2.11.4

(Nov 5, 2024)

  • Added the "@" symbol to the list of allowed characters for parameter sanitization

  • For Unity, improved detection of manifest.json files

  • For SBT, fixed plugins.sbt file permissions for dependency resolution

  • For Gradle, improved submodule detection

  • For NuGet, improved framework package version detection

Download the new version here.

IaC Security Updates

Checkmarx One now runs IaC Security version 2.1.3. This includes CWE information for the following platforms:

  • Terraform

  • OpenAPI

  • Ansible

  • CloudFormation

  • Kubernetes

  • gRPC

  • Knative

  • Buildah

  • Pulumi

  • Crossplane

  • CICD

  • Google Deployment Manager

  • ServerlessFW

  • Azure Resource Manager

  • DockerCompose

Access Management (IAM) Updates

IAM Improvements

  • Updated the label of the toggle that enables downloading source code.

  • Improved effectiveness of searching for groups and sub-groups.

IAM Resolved Issues

  • API key that was created from the SAML user returned "unknown_error" for API call openid-connect/token.

  • SAML SSO login not working when Validate Signature is enabled.

  • A revoked API key appeared as valid in the API Keys tab.

  • The IAM Groups tab did not show the groups list correctly, because the API was hardcoded to filter the results to a maximum of 200.

CLI and Plugins Releases of November 2024

CLI Version 2.3.5

Status | Item | Description
NEW | Pull Request Decoration | Added support for pull request decoration, using the utils pr command, for Azure DevOps (both cloud and self-hosted) as well as for GitHub and GitLab self-hosted (in addition to existing support for GitHub and GitLab cloud). For more info, see here.

CLI Version 2.3.4

Status | Item | Description
NEW | Supply Chain Security | Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security. Tip: Older versions of the CLI may support this feature, but the functionality was only activated in the platform recently.
NEW | Rust Support | Added support for *.rs (Rust source code) files.
UPDATED | Scan Time | Improved scan times for scans run via IDE plugins.

CLI Version 2.3.3

Status | Item | Description
NEW | General | General improvements and bug fixes.

CLI Version 2.3.2

Status | Item | Description
NEW | General | General improvements and bug fixes.

CI/CD Plugins

In November we released the following CI/CD plugin versions:

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | General | Jenkins, TeamCity, GitHub Actions | General improvements and bug fixes.
NEW | Supply Chain Security | Jenkins, GitHub Actions, Azure DevOps | Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security.
NEW | Rust Support | Jenkins, GitHub Actions, Azure DevOps | Added support for *.rs (Rust source code) files.
NEW | Container Security | Jenkins, TeamCity, Azure DevOps | Added support for container-security as an independent scanner. For more info, see Container Security.
UPDATED | Dependencies | Jenkins | Updated dependencies.
UPDATED | README | Jenkins | Updated the README file.
UPDATED | CLI Tool | Azure DevOps | To make the Checkmarx One plugin for ADO more lightweight, the CLI tool has been removed and now needs to be downloaded separately during use. This change may affect customers who restrict access to whitelisted domains, requiring them to add download.checkmarx.com to their whitelist. Customers who are unable to whitelist this domain can use an older version of the plugin; follow the links provided below.
UPDATED | Proxy Parameters | Azure DevOps | Enabled seamless use of proxy parameters configured in Azure settings.
FIXED | Scan Results | Jenkins | Fixed failure to show Checkmarx scan results when running Jenkins on Docker.

IDE Plugins

In November we released the following IDE plugin versions:

  • Eclipse - 2.1.7 (uses CLI v2.3.5)

  • JetBrains - 2.2.1 (uses CLI v2.3.5)

  • Visual Studio - 2.0.61 (uses CLI v2.3.3)

  • VS Code - 2.26.0 (uses CLI v2.3.5)

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | General | Eclipse, JetBrains, Visual Studio, VS Code | General improvements and bug fixes.
NEW | ASCA | JetBrains | Added the AI Secure Coding Assistant (ASCA). The ASCA scanner is a lightweight scan engine that runs in the background as you work in JetBrains. Whenever you edit a file in JetBrains, the ASCA scanner automatically scans that file. ASCA also provides customized prompts to get remediated code from Copilot. For more info about ASCA in JetBrains, see here.
FIXED | KICS Scans Failing | VS Code | Fixed an issue where KICS scans failed due to syntax problems in the additional parameters.

Resolved issues

  • Container Security Results were not loading after new AM feature flags were turned on.

  • Unclear error message when trying to access an application without permission.

  • Autofill is unexpectedly triggered for tags and tokens in Project Settings.

  • DAST False positive: .htaccess information leak.

  • Users with manage-groups roles can become Admin.

  • API results yield wrong information.

  • Failed to generate a Scan Report with SCA engine.

  • An error occurs when opening a vulnerability.

  • Package Reliability Indicators values in AppSec Knowledge Center disappear.

  • SBOM scan fails if purl is generic (POC).

  • SCA Scan: Package path is not loading.

  • Python SBOM SPDX scan fails (pip vs Pip).

  • Top vulnerabilities with empty vulnerability.

  • Search not working in "Assigned to" field for Azure DevOps feedback app.

  • Refresh organization data flow fails with an exception.