Skip to main content

Current Multi-Tenant Version | 3.25

Multi-Tenant release date: November 10, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

New features and enhancements

Software Supply Chain Security (SCS)

(GA December 4)

We have released the new Software Supply Chain Security (SCS) module in Checkmarx One. SCS identifies various types of software supply chain risks that can put your applications at risk. This module is currently comprised of two scanners:·

  • Secrets Detection – Identifies 170+ different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other sensitive information that may be exposed, enabling your development and security teams to quickly remove and change the discovered secrets.·

  • Repository Health (OSSF Scorecard) – Continuously evaluates the security health for all repositories included in your applications, based on key factors, such as code quality, dependency management, CI/CD best practices, and project maintenance.

SCS is fully integrated into the Checkmarx One platform. You can initiate SCS scans on Checkmarx One projects via the Checkmarx One web application (UI) , CLI or REST API. Scans can also be initiated automatically at specific SDLC stages via SCM integration" (e.g., pull request, build). You can view the results in the Checkmarx One web application (UI) and in scan reports.

Additional Attributes in Project Overview API

Added new attribute to the response body for GET /projects-overview.

  • "importedProjName" - For migrated projects (manual projects that were converted to Code Repository projects), this shows the repo name

SCA Updates

Private Packages

We have expanded our support for private packages. When viewing the list of private packages in the Scan Results > Packages tab, you can now drill down to show additional details for a specific package.

Learn more about private packages here.

Remediation Tasks Tab

We added a new tab, Remediation Tasks, to the SCA results viewer. This tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages.

Notice

Remediation tasks are currently supported only for JavaSript npm packages and for Nuget packages with .csproj manifest files, otherwise this tab isn't shown.

The Remediation Tasks tab contains sub-tabs that show two types of pages:

  • All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.

  • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.

Learn more about Remediation Tasks here.

Export Remediated Manifest File

You can now generate remediated manifest file/s that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.

You can export the remediated manifest file/s from the SCA scan results viewer page. The file/s is exported as a zip archive, which maintains your project's file structure.

Notice

Current limitations:

  • Supported only for npm package.json manifest files

  • Remediates only direct dependencies (not transitive)

  • Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.

SCA Resolver Version 2.11.4

(Nov 5, 2024)

  • Added the "@" symbol to the list of allowed characters for parameter sanitization

  • For Unity, improved detection of manifest.json files

  • For SBT, fixed plugins.sbt file permissions for dependency resolution

  • For Gradle, improved submodule detection

  • For Nuget, improved framework package version detection  

Download the new version here.

IaC Security Updates

Checkmarx One now runs IaC Security version 2.1.3. This includes CWE information for the following platforms:

  • Terraform 

  • OpenAPI

  • Ansible

  • CloudFormation

  • Kubernetes

  • gRPC

  • Knative

  • Buildah

  • Pulumi

  • Crossplane

  • CICD

  • Google Deployment Manager

  • ServerlessFW

  • Azure Resource Manager

  • DockerCompose

Access Management (IAM) Updates

IAM Improvements

  • Updated the label of the toggle for enabling downloading source code.

  • Improved effectiveness of searching for groups and sub-groups.

IAM Resolved Issues

  • API key that was created from the SAML user returned "unknown_error" for API call openid-connect/token.

  • SAML SSO login not working when Validate Signature is enabled.

  • Revoked Api Key appears as valid in API Keys tab.

  • The IAM Groups tab is not correctly showing the groups list, because the API is hardcoded filtering the results up to 200 results.

Resolved issues

  • Container Security Results were not loading after new AM feature flags were turned on.

  • Unclear error message when trying to access an application without permission.

  • Autofill is unexpectedly triggered for tags and tokens in Project Settings.

  • DAST False positive: .htaccess information leak.

  • Users with manage-groups roles can become Admin.

  • API results yield wrong information.

  • Failed to generate a Scan Report with SCA engine.

  • An error occurs when opening a vulnerability.

  • Package Reliability Indicators values in AppSec Knowledge Center disappear.

  • SBOM scan fails if purl is generic (POC).

  • SCA Scan: Package path is not loading.

  • Python SBOM SPDX scan fails (pip vs Pip).

  • Top vulnerabilities with empty vulnerability.

  • Search not working in "Assigned to" field for Azure DevOps feedback app.

  • Refresh organization data flow fails with an exception.

In this section: