- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Previous Multi-Tenant Releases
- Version 3.25
Version 3.25
Multi-Tenant release date: November 10, 2024
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
New features and enhancements
Software Supply Chain Security (SCS)
(GA December 4)
We have released the new Software Supply Chain Security (SCS) module in Checkmarx One. SCS identifies various types of software supply chain risks that can put your applications at risk. This module is currently comprised of two scanners:·
Secrets Detection – Identifies 170+ different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other sensitive information that may be exposed, enabling your development and security teams to quickly remove and change the discovered secrets.·
Repository Health (OSSF Scorecard) – Continuously evaluates the security health for all repositories included in your applications, based on key factors, such as code quality, dependency management, CI/CD best practices, and project maintenance.
SCS is fully integrated into the Checkmarx One platform. You can initiate SCS scans on Checkmarx One projects via the Checkmarx One web application (UI) , CLI or REST API. Scans can also be initiated automatically at specific SDLC stages via SCM integration" (e.g., pull request, build). You can view the results in the Checkmarx One web application (UI) and in scan reports.
Additional Attributes in Project Overview API
Added new attribute to the response body for GET /projects-overview
.
"importedProjName" - For migrated projects (manual projects that were converted to Code Repository projects), this shows the repo name
SCA Updates
Private Packages
We have expanded our support for private packages. When viewing the list of private packages in the Scan Results > Packages tab, you can now drill down to show additional details for a specific package.
Learn more about private packages here.
Remediation Tasks Tab
We added a new tab, Remediation Tasks, to the SCA results viewer. This tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages.
Notice
Remediation tasks are currently supported only for JavaSript npm packages and for Nuget packages with .csproj manifest files, otherwise this tab isn't shown.
The Remediation Tasks tab contains sub-tabs that show two types of pages:
All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.
Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.
Learn more about Remediation Tasks here.
Export Remediated Manifest File
You can now generate remediated manifest file/s that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.
You can export the remediated manifest file/s from the SCA scan results viewer page. The file/s is exported as a zip archive, which maintains your project's file structure.
Notice
Current limitations:
Supported only for npm
package.json
manifest filesRemediates only direct dependencies (not transitive)
Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.
SCA Resolver Version 2.11.6
(Nov 20, 2024)
For Gradle, fixed include modules feature to only resolve the specified modules and ignore the remaining modules.
Download the new version here.
SCA Resolver Version 2.11.4
(Nov 5, 2024)
Added the "@" symbol to the list of allowed characters for parameter sanitization
For Unity, improved detection of
manifest.json
filesFor SBT, fixed
plugins.sbt
file permissions for dependency resolutionFor Gradle, improved submodule detection
For Nuget, improved framework package version detection
Download the new version here.
IaC Security Updates
Checkmarx One now runs IaC Security version 2.1.3. This includes CWE information for the following platforms:
Terraform
OpenAPI
Ansible
CloudFormation
Kubernetes
gRPC
Knative
Buildah
Pulumi
Crossplane
CICD
Google Deployment Manager
ServerlessFW
Azure Resource Manager
DockerCompose
Access Management (IAM) Updates
IAM Improvements
Updated the label of the toggle for enabling downloading source code.
Improved effectiveness of searching for groups and sub-groups.
IAM Resolved Issues
API key that was created from the SAML user returned "unknown_error" for API call openid-connect/token.
SAML SSO login not working when Validate Signature is enabled.
Revoked Api Key appears as valid in API Keys tab.
The IAM Groups tab is not correctly showing the groups list, because the API is hardcoded filtering the results up to 200 results.
CLI and Plugins Releases of November 2024
CLI Version 2.3.5
Status | Item | Description |
---|---|---|
NEW | Pull Request Decoration | Added support for pull request decoration, using the |
CLI Version 2.3.4
Status | Item | Description |
---|---|---|
NEW | Supply Chain Security | Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security. TipOlder versions of the CLI may support this feature, but the functionality was only activated in the platform recently. |
NEW | Rust Support | Added support for *.rs (Rust source code) files. |
UPDATED | Scan Time | Improved scan times for scans run via IDE plugins. |
CLI Version 2.3.3
Status | Item | Description |
---|---|---|
NEW | General | General improvements and bug fixes. |
CLI Version 2.3.2
Status | Item | Description |
---|---|---|
NEW | General | General improvements and bug fixes. |
CI/CD Plugins
In November we released the following CI/CD plugin versions:
Jenkins Plugin - 2.0.13-668.ve20f04761b_01 (uses CLI v2.3.5)
TeamCity Plugin - 2.0.23 (uses CLI v2.3.3)
GitHub Actions Plugin - 2.0.38 (uses CLI v2.3.5)
Azure DevOps Plugin - 3.0.0 (uses CLI v2.3.5)
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | General | Jenkins, TeamCity, GitHub Actions | General improvements and bug fixes. |
NEW | Supply Chain Security | Jenkins, GitHub Actions, Azure DevOps | Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security. |
NEW | Rust Support | Jenkins, GitHub Actions, Azure DevOps | Added support for *.rs (Rust source code) files. |
NEW | Container Security | Jenkins, TeamCity, Azure DevOps | Added support for container-security as an independent scanner. For more info, see Container Security. |
UPDATED | Dependencies | Jenkins | Updated dependencies. |
UPDATED | README | Jenkins | Updated the README file. |
UPDATED | CLI Tool | Azure DevOps | To make the Checkmarx One plugin for ADO more lightweight, the CLI tool has been removed and now needs to be downloaded separately during use. This change may affect customers who restrict access to whitelisted domains, requiring them to add |
UPDATED | Proxy Parameters | Azure DevOps | Enabled seamless use of proxy parameters configured in Azure settings. |
FIXED | Scan Results | Jenkins | Fixed failure to show Checkmarx scan results when running Jenkins on Docker. |
Plugin | Marketplace | Code Repository | Documentation | Changelog |
---|---|---|---|---|
Azure DevOps | https://marketplace.visualstudio.com/items?itemName=checkmarx.checkmarx-ast-azure-plugin | |||
GitHub Action | https://github.com/marketplace/actions/checkmarx-ast-github-action | |||
TeamCity | https://github.com/CheckmarxDev/checkmarx-ast-teamcity-plugin | |||
Jenkins |
IDE Plugins
In November we released the following IDE plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | General | Eclipse, JetBrains, Visual Studio, VS Code | General improvements and bug fixes. |
NEW | ASCA | JetBrains | Added the AI Secure Coding Assistant (ASCA). The ASCA scanner is a lightweight scan engine that runs in the background as you work in JetBrains. Whenever you edit a file in JetBrains the ASCA scanner automatically scans that file. ASCA also provides customized prompts to get remediated code from Copilot. For more info about ASCA in JetBrains, see here. |
FIXED | KICS Scans Failing | VS Code | Fixed issue that KICS scans were failing due to syntax problems in the additional parameters. |
Get Latest Version from Marketplace | Changelog | Documentation |
---|---|---|
Resolved issues
Container Security Results were not loading after new AM feature flags were turned on.
Unclear error message when trying to access an application without permission.
Autofill is unexpectedly triggered for tags and tokens in Project Settings.
DAST False positive: .htaccess information leak.
Users with manage-groups roles can become Admin.
API results yield wrong information.
Failed to generate a Scan Report with SCA engine.
An error occurs when opening a vulnerability.
Package Reliability Indicators values in AppSec Knowledge Center disappear.
SBOM scan fails if purl is generic (POC).
SCA Scan: Package path is not loading.
Python SBOM SPDX scan fails (pip vs Pip).
Top vulnerabilities with empty vulnerability.
Search not working in "Assigned to" field for Azure DevOps feedback app.
Refresh organization data flow fails with an exception.