Current Multi-Tenant Version | 3.25 (Early Access)
Multi-Tenant release date: November 10, 2024
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
New features and enhancements
Software Supply Chain Security (SCS)
(GA November 20)
We have released the new Software Supply Chain Security (SCS) module in Checkmarx One. SCS identifies various types of software supply chain risks to your applications. This module is currently comprised of two scanners:
Secrets Detection – Identifies 170+ different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other sensitive information that may be exposed, enabling your development and security teams to quickly remove and rotate the discovered secrets.
Repository Health (OSSF Scorecard) – Continuously evaluates the security health for all repositories included in your applications, based on key factors, such as code quality, dependency management, CI/CD best practices, and project maintenance.
SCS is fully integrated into the Checkmarx One platform. You can initiate SCS scans on Checkmarx One projects via the Checkmarx One web application (UI), CLI or REST API. Scans can also be initiated automatically at specific SDLC stages via SCM integration (e.g., pull request, build). You can view the results in the Checkmarx One web application (UI) and in scan reports.
Additional Parameter in Page API
Developers using the new Projects page API now receive an additional attribute, "imported_proj_name", in the API response to represent migrated projects.
DAST Scan History Support
(GA November 20)
You can now access results from previous scans, making it easy to review any scan results directly from the results or scan history tables.
Warning
This feature is not backward-compatible and applies only to future scans.
SCA Updates
Private Packages
We have expanded our support for private packages. We have added the following functionality:
When viewing the list of private packages in the Scan Results > Packages tab, you can now drill down to show additional details for a specific package.
We now have a dedicated page showing the Private Packages Catalog. This page shows the list of private packages in your account, with information about the versions that are used. You can drill down to see additional details about which versions are used in each project and warnings related to usage of outdated projects.
Learn more about private packages here.
Remediation Tasks Tab
We added a new tab, Remediation Tasks, to the SCA results viewer. This tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages.
Notice
Remediation tasks are currently supported only for JavaScript npm packages and for Nuget packages with .csproj manifest files; otherwise this tab isn't shown.
The Remediation Tasks tab contains sub-tabs that show two types of pages:
All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.
Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.
Learn more about Remediation Tasks here.
Export Remediated Manifest File
You can now generate remediated manifest files that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.
You can export the remediated manifest files from the SCA scan results viewer page. The files are exported as a zip archive, which maintains your project's file structure.
Notice
Current limitations:
Supported only for npm package.json manifest files
Remediates only direct dependencies (not transitive)
Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.
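As an added illustration of the export behaviour described above (example code written for this note, not Checkmarx's own implementation), the script below updates only the direct dependencies in each package.json, flags any change of major version so the caller knows refactoring may be needed, and writes the result to a zip archive that keeps the project's paths. The sample files and the package-to-version advice are constructed; the transitive package "qs" is included in the advice to show that it is deliberately left untouched.

```python
import io
import json
import re
import zipfile

# Constructed sample project (not from the Checkmarx page): two package.json
# manifests at different paths, plus an unrelated file that must be carried over.
SAMPLE_FILES = {
    "package.json": json.dumps({"dependencies": {"lodash": "^4.17.15", "express": "4.16.0"}}),
    "services/api/package.json": json.dumps({"devDependencies": {"minimist": "~1.2.0"}}),
    "README.md": "demo",
}

# Constructed advice: package -> recommended non-vulnerable version. "qs" is a
# transitive dependency of express and is listed only to show it is not touched.
SAMPLE_ADVICE = {"lodash": "4.17.21", "express": "5.0.0", "minimist": "1.2.8", "qs": "6.11.0"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def _major(spec):
    """Major version of a semver spec such as '^4.17.15', or None if unparseable."""
    m = _VERSION_RE.search(spec)
    return int(m.group(1)) if m else None

def remediate_manifest(manifest, advice):
    """Update direct dependencies in place; return warnings for major-version bumps."""
    warnings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name not in advice:
                continue
            new = advice[name]
            if _major(spec) is not None and _major(new) != _major(spec):
                warnings.append(f"{name}: {spec} -> {new} changes major version")
            manifest[section][name] = new
    return warnings

def build_remediated_archive(files, advice):
    """Return (zip bytes, warnings); entry paths match the original project layout."""
    buf, warnings = io.BytesIO(), []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            if path.split("/")[-1] == "package.json":
                manifest = json.loads(text)
                warnings += remediate_manifest(manifest, advice)
                text = json.dumps(manifest, indent=2)
            zf.writestr(path, text)
    return buf.getvalue(), warnings

def read_manifest_from_archive(zip_bytes, path):
    """Parse one package.json entry back out of the archive (used for verification)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return json.loads(zf.read(path))
```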
Improved SCA Risk Score Calculation
The risk score for SCA vulnerabilities, including the score shown in the Application Risk Management screen, is now calculated in a more holistic manner that incorporates multiple factors to determine the overall risk posed by each Common Vulnerabilities and Exposures (CVE).
The assessment now uses the CVSS version 4.0 score when it is available, while continuing to use CVSS 3.0 for CVEs that don't have a v4.0 score. Also, we now take into consideration additional factors, such as Exploit Prediction Scoring System (EPSS) scores, whether the package is transitive or direct, and the presence of exploitable paths.
SCA Resolver Version 2.11.4
(Nov 5, 2024)
Added the "@" symbol to the list of allowed characters for parameter sanitization
For Unity, improved detection of manifest.json files
For SBT, fixed plugins.sbt file permissions for dependency resolution
For Gradle, improved submodule detection
For Nuget, improved framework package version detection
Download the new version here.
IaC Security Updates
Checkmarx One now runs IaC Security version 2.1.3. This includes CWE information for the following platforms:
Terraform
OpenAPI
Ansible
CloudFormation
Kubernetes
gRPC
Knative
Buildah
Pulumi
Crossplane
CICD
Google Deployment Manager
ServerlessFW
Azure Resource Manager
DockerCompose
Access Management (IAM) Updates
IAM Improvements
Updated the label of the toggle for enabling downloading source code.
Improved effectiveness of searching for groups and sub-groups.
IAM Resolved Issues
An API key created for a SAML user returned "unknown_error" for the openid-connect/token API call.
SAML SSO login did not work when Validate Signature was enabled.
A revoked API key appeared as valid in the API Keys tab.
The IAM Groups tab did not show the full groups list because the API hard-coded a limit of 200 results.
Resolved issues
Container Security Results were not loading after new AM feature flags were turned on.
Unclear error message when trying to access an application without permission.
Autofill is unexpectedly triggered for tags and tokens in Project Settings.
DAST False positive: .htaccess information leak.
Users with manage-groups roles can become Admin.
API results yield wrong information.
Failed to generate a Scan Report with SCA engine.
An error occurs when opening a vulnerability.
Package Reliability Indicators values in AppSec Knowledge Center disappear.
Failed to sync DependencyModel - column "additional_data" is of type jsonb but expression is of type text.
SBOM scan fails if purl is generic (POC).
SCA Scan: Package path is not loading.
Python SBOM SPDX scan fails (pip vs Pip).
Top vulnerabilities with empty vulnerability.
Search not working in "Assigned to" field for Azure DevOps feedback app.
Refresh organization data flow fails with an exception.