
Version 3.28

Multi-Tenant release date: January 7, 2024

Warning

The content and dates of these Release Notes are provisional and subject to change.

All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.

Release number | Resolved issues
3.28.18 | After migration, custom project queries of Low severity appeared in Checkmarx One with High severity.
3.28.17 | The integration layer was unable to get, edit, or delete SCM configurations.

New features and enhancements

Jira Feedback Apps - SCA Exploitable Path Filter

We added a new option to apply an Exploitable Path filter to Jira Feedback Apps. When you apply this filter, Jira tickets are created for SCA vulnerabilities only if an Exploitable Path was identified.

SCA Updates

Malicious Packages in SCA Inventory and Risks

We now include results from Malicious Package Detection (for licensed accounts) on the SCA Inventory and Risks screen. The data is shown in the relevant tabs.

  • Packages tab - Malicious Packages and Suspected Malware are now shown in the table, with the Vulnerabilities column showing the malicious icon. You can filter and sort for Malicious Packages and/or Suspected Malware.

  • Risks tab - Risks associated with malicious packages are shown in the table with the Risk Type listed as "Suspected Malware". You can filter and sort for Suspected Malware.

When you export the data from the SCA Inventory and Risks, the malicious package data is included in the report.

SCA Resolver Version 2.12.7

(Jan 3, 2025)

  • For Bower:

    • Fixed resolution for packages for which the version is declared as a range

    • Ignore transitive dev dependencies

  • For Gradle, skip command execution for ignored modules.

Download the new version here.

CLI and Plugins Releases of January 2025

CLI Version 2.3.12

Status | Item | Description
FIXED | SCS Scan | Fixed an inaccurate error message when running scs scan without the required license.

CLI Version 2.3.11

Status | Item | Description
NEW | Scan Create | The scan create flags --sast-fast-scan and --sast-incremental are now boolean: submitting them with the value true runs the scan in the specified mode, and false does not. Notice: if these flags are sent with no value (not recommended), they are interpreted as true. If a flag is not sent, the default project or account settings apply.
FIXED | SARIF Files | Fixed an issue where SARIF files uploaded to GitHub from the CLI showed the query ID instead of the query name when filtering by rule.
FIXED | Scan Create | Fixed an issue where, if --sast-fast-scan and --sast-incremental were not included in a scan create command, the scan always ran as a full scan even when the project settings specified Fast Scan or Incremental scan. The scan now defaults to the project configuration.
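The three-way behaviour described for these flags (sent as true or false overrides the project setting, sent with no value counts as true, not sent at all leaves the project or account default in place) is the part that is easy to get wrong, because a boolean that simply reads false cannot tell "absent" from "explicitly false". The following Go program is an added example written for these notes, not code from the Checkmarx One CLI; it uses only the standard library flag package, and the ProjectSettings type and parseScanFlags function are hypothetical names chosen for the illustration. Note that Go's flag package, like most CLI parsers, takes a boolean value only in the --name=value form; a bare --name is true.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
)

// ProjectSettings stands in for the project or account configuration that
// applies when a flag is not sent at all (hypothetical type, not the CLI's).
type ProjectSettings struct {
	FastScan    bool
	Incremental bool
}

// parseScanFlags applies the tri-state semantics from the release notes:
// --name=true or --name=false overrides the project setting, a bare --name
// counts as true, and a flag that is not sent leaves the project setting as is.
//
// The flag package already maps --name to true and --name=false to false, but
// an absent flag and an explicit false both read as false, so FlagSet.Visit,
// which only reports flags that were actually set, decides whether to override.
func parseScanFlags(args []string, proj ProjectSettings) (ProjectSettings, error) {
	fs := flag.NewFlagSet("scan create", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the caller's output
	fast := fs.Bool("sast-fast-scan", false, "run the SAST scan in Fast Scan mode")
	incr := fs.Bool("sast-incremental", false, "run the SAST scan as an incremental scan")
	if err := fs.Parse(args); err != nil {
		return proj, err
	}

	// Record which flags were actually present on the command line.
	seen := map[string]bool{}
	fs.Visit(func(f *flag.Flag) { seen[f.Name] = true })

	effective := proj
	if seen["sast-fast-scan"] {
		effective.FastScan = *fast
	}
	if seen["sast-incremental"] {
		effective.Incremental = *incr
	}
	return effective, nil
}

func main() {
	// Constructed project defaults: the project is configured for Fast Scan.
	proj := ProjectSettings{FastScan: true, Incremental: false}
	effective, err := parseScanFlags(os.Args[1:], proj)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("fast scan: %v, incremental: %v\n", effective.FastScan, effective.Incremental)
}
```

Running it with no arguments prints the project defaults, `--sast-fast-scan=false` turns Fast Scan off for that run only, and `--sast-incremental` alone turns incremental on while leaving the Fast Scan default untouched, which is exactly the distinction the fix for the Scan Create row above restores.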

CLI Version 2.3.10

Status | Item | Description
UPDATED | Container Security Scanner | Improvements in the Container Security scanner.
FIXED | GitHub Cloud URLs | Fixed an issue where some GitHub Cloud URLs weren't accepted.
FIXED | Scorecard Scans | Fixed an issue where Scorecard scans were triggered and failed for projects on unsupported SCMs. Scorecard scans now run only on GitHub Cloud repositories.

CI/CD Plugins

In January we released the following CI/CD plugin versions:

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | Scan Create | GitHub Actions | The scan create flags --sast-fast-scan and --sast-incremental are now boolean: submitting them with the value true runs the scan in the specified mode, and false does not.

IDE Plugins

In January we released the following IDE plugin versions:

  • JetBrains - 2.2.4 (uses CLI v2.3.12)

  • Visual Studio - 2.0.65 (uses CLI v2.3.12)

  • VS Code - 2.30.0 (uses CLI v2.3.12)

Improvements and Bug Fixes

Status | Item | Platform | Description
NEW | Project Mismatch Warning | JetBrains | We now show a warning message if the user initiates a scan and the name of the repo doesn't match the name of the selected Checkmarx One project.
NEW | Secret Detection Scanner Results | VS Code | You can now view the results from the Secret Detection scanner (part of SCS) in VS Code. When you click a result, the result details are shown in three tabs: General, Description, and Remediation Examples.
NEW | Pagination | VS Code | We now use pagination when loading projects and branches to cut loading time, loading 20 items at a time. Note: this does not affect the search box, which still searches all projects, not only those currently loaded.
FIXED | Button Colors | Visual Studio | Fixed an issue with inconsistent button colors.
FIXED | Results Marking | VS Code | Fixed an issue where the ASCA scanner marked results (with a squiggly underline) from the beginning of the line even when the code was indented.

Resolved issues

  • Container Engine didn’t show results if the user was "if in group".

  • It was not possible to add Azure Cloud as a self-hosted SCM if the URL contained user info.

  • It was not possible to import repositories from GitHub.

  • REST API /api/flags?filter={tenantID} allowed checking other tenant IDs.

  • The feedback app updated the status of the Jira tickets on every scan, even when they were already marked as Released.

  • Problems with filtering Container Security vulnerabilities and packages.

  • Attack vectors spanning multiple files had incorrect URL in Jira.

  • The view-results-if-in-group role didn’t work for "containers".

  • The results API was not working for the Container Security Engine.

  • Container scans wouldn’t finish in a test environment.

  • Inconsistency between CSV Applications report and the application UI overview.

  • Project's JSON report showed the package and technology names in the languagename field.

  • If Jenkins was running on a Linux machine, it wouldn’t collect the environment variable in lower case.

  • Users with the ast-admin role encountered a 403 Forbidden error page.

  • [Analytics] The application encountered a ReferenceError with the message: "stateColors is not defined".

  • Deleting a project failed with the error message: "Failed to fetch project".

  • It was requested to increase the gRPC max message size and decrease the pagination offset.

  • Scanning failed when a large number of secrets were inserted.

  • Inserting results failed.

  • Import queries were not working as expected.

  • Tenant name was not filled automatically when logging in to a single-tenant environment.

  • The Identity Provider Mapper of type SAML Attribute to Groups does not display subgroups.

  • SCS risks in the Application Risk Management UI could not be linked to the correct risk pages.

  • There was a discrepancy in results when processing two nearly identical ZIP files.

  • Irrelevant error message.

  • The GI search box was not filtering correctly.

  • The Package Usage feature encountered an OutOfMemory error.

  • The page redirected to a 404 error, and users were unable to retry by refreshing the page.