Skip to main content

Current Multi-Tenant Version | 3.25 (Early Access)

Multi-Tenant release date: November 10, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

New features and enhancements

Software Supply Chain Security (SCS)

(GA November 20)

We have released the new Software Supply Chain Security (SCS) module in Checkmarx One. SCS identifies various types of software supply chain risks that can put your applications at risk. This module is currently comprised of two scanners:·

  • Secrets Detection – Identifies 170+ different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other sensitive information that may be exposed, enabling your development and security teams to quickly remove and change the discovered secrets.·

  • Repository Health (OSSF Scorecard) – Continuously evaluates the security health for all repositories included in your applications, based on key factors, such as code quality, dependency management, CI/CD best practices, and project maintenance.

SCS is fully integrated into the Checkmarx One platform. You can initiate SCS scans on Checkmarx One projects via the Checkmarx One web application (UI) , CLI or REST API. Scans can also be initiated automatically at specific SDLC stages via SCM integration" (e.g., pull request, build). You can view the results in the Checkmarx One web application (UI) and in scan reports.

Additional Parameter in Page API

Developers using the new Projects page API now receive an additional attribute, "imported_proj_name", in the API response to represent migrated projects.

DAST Scan History Support

(GA November 20)

You can now access results from previous scans, making it easy to review any scan results directly from the results or scan history tables.

Warning

This feature is not backward-compatible and applies only to future scans.

SCA Updates

Private Packages

We have expanded our support for private packages. We have added the following functionality:

  • When viewing the list of private packages in the Scan Results > Packages tab, you can now drill down to show additional details for a specific package.

  • We now have a dedicated page showing the Private Packages Catalog. This page shows the list of private packages in your account, with information about that versions that are used. You can drill down to see additional detals about which versions are used in each project and warnings related to usage of outdated projects.

Learn more about private packages here.

Remediation Tasks Tab

We added a new tab, Remediation Tasks, to the SCA results viewer. This tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages.

Notice

Remediation tasks are currently supported only for JavaSript npm packages and for Nuget packages with .csproj manifest files, otherwise this tab isn't shown.

The Remediation Tasks tab contains sub-tabs that show two types of pages:

  • All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.

  • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.

Learn more about Remediation Tasks here.

Export Remediated Manifest File

You can now generate remediated manifest file/s that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.

You can export the remediated manifest file/s from the SCA scan results viewer page. The file/s is exported as a zip archive, which maintains your project's file structure.

Notice

Current limitations:

  • Supported only for npm package.json manifest files

  • Remediates only direct dependencies (not transitive)

  • Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.

Improved SCA Risk Score Calculation

The risk score for SCA vulnerabilities is now calculated in a more holisitic manner that incorporates multiple factors to determine the overall risk posed by each Common Vulnerabilities and Exposures (CVE).

The risk score for SCA vulnerabilities in the Application Risk Management screen is now calculated in a more holisitic manner that incorporates multiple factors to determine the overall risk posed by each Common Vulnerabilities and Exposures (CVE).

The assessment now uses the CVSS version 4.0 score when it is available, while continuing to use CVSS 3.0 for CVEs that don't have a v4.0 score. Also, we now take into consideration additional factors, such as Exploit Prediction Scoring System (EPSS) scores, whether the package is transitive or direct, and the presence of exploitable paths.

SCA Resolver Version 2.11.4

(Nov 5, 2024)

  • Added the "@" symbol to the list of allowed characters for parameter sanitization

  • For Unity, improved detection of manifest.json files

  • For SBT, fixed plugins.sbt file permissions for dependency resolution

  • For Gradle, improved submodule detection

  • For Nuget, improved framework package version detection  

Download the new version here.

IaC Security Updates

Checkmarx One now runs IaC Security version 2.1.3. This includes CWE information for the following platforms:

  • Terraform 

  • OpenAPI

  • Ansible

  • CloudFormation

  • Kubernetes

  • gRPC

  • Knative

  • Buildah

  • Pulumi

  • Crossplane

  • CICD

  • Google Deployment Manager

  • ServerlessFW

  • Azure Resource Manager

  • DockerCompose

Access Management (IAM) Updates

IAM Improvements

  • Updated the label of the toggle for enabling downloading source code.

  • Improved effectiveness of searching for groups and sub-groups.

IAM Resolved Issues

  • API key that was created from the SAML user returned "unknown_error" for API call openid-connect/token.

  • SAML SSO login not working when Validate Signature is enabled.

  • Revoked Api Key appears as valid in API Keys tab.

  • The IAM Groups tab is not correctly showing the groups list, because the API is hardcoded filtering the results up to 200 results.

Resolved issues

  • Container Security Results were not loading after new AM feature flags were turned on.

  • Unclear error message when trying to access an application without permission.

  • Autofill is unexpectedly triggered for tags and tokens in Project Settings.

  • DAST False positive: .htaccess information leak.

  • Users with manage-groups roles can become Admin.

  • API results yield wrong information.

  • Failed to generate a Scan Report with SCA engine.

  • An error occurs when opening a vulnerability.

  • Package Reliability Indicators values in AppSec Knowledge Center disappear.

  • Failed to sync DependencyModel - column "additional_data" is of type jsonb but expression is of type text.

  • SBOM scan fails if purl is generic (POC).

  • SCA Scan: Package path is not loading.

  • Python SBOM SPDX scan fails (pip vs Pip).

  • Top vulnerabilities with empty vulnerability.

  • Search not working in "Assigned to" field for Azure DevOps feedback app.

  • Refresh organization data flow fails with an exception.