Version 3.27
Multi-Tenant release date: December 15, 2024
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
Release number | Resolved issues |
---|---|
3.27.23 | The scan fails with an error indicating a failure to parse results into SARIF. |
3.27.20 | The Repostore service fails to load the index file. |
New features and enhancements
Support for Critical Severity
The Checkmarx One platform now supports a new Critical severity level for vulnerability triaging across all scanners (excluding DAST), components and result APIs.
For more information, refer to our Documentation Portal.
Cursor Behavior Change
The cursor has changed from an arrow to a 'hand' icon when hovering over a row, even in areas that are not actually clickable.
License Page Enhancement: Contributor Developer Breakdown
The updated License Page now includes a Contributing Developers modal, offering detailed insights into active committers across repository services (SCMs).
Key features include:
Total contributing developers and license-based allowed committers.
Breakdown of contributors by repository type.
CSV export functionality for detailed data.
IAM Search Enhancement
We implemented the ability to search by both group and subgroup within a single query in the IAM (Identity and Access Management) module.
IaC Results in Application Risk Management
The Application Risk Management system now includes results from Checkmarx's IaC engine. This integration bridges a critical gap by identifying security risks and misconfigurations in infrastructure, ensuring comprehensive risk assessment.
Enhancing DAST Flexibility with ZAP Engine
DAST now supports traffic-agnostic scanning, allowing users to leverage existing company processes, such as QA, to define traffic for scanning. The ZAP engine has been updated to run scans in sequence, enabling integration with these workflows.
Checkmarx One's Left Side Menu Enhancement
The left side menu in Checkmarx One has been standardized for consistency and better usability. This enhancement improves user satisfaction, boosts efficiency, and drives better adoption and productivity.
Consolidating Container Image Replicas in Cloud Insights
Cloud Insights no longer shows replicas of the same container image when it is used in multiple pods. This update simplifies the analysis process, reducing unnecessary effort for customers with multiple replicas in production environments.
Licensing Support for Cloud Insights
Cloud Insights now includes licensing capabilities within Checkmarx One.
Note
Cloud Insights is included in the Essential, Professional and Enterprise license bundles.
Private Packages Regex Filter (Container Security)
Introduced a new rule-setting option (Project / Account settings) that allows users to define custom regex patterns to identify private packages.
Packages matching the specified regex will be excluded from analysis, ensuring they remain private and are not uploaded to external servers for scanning. This provides enhanced control and security for sensitive packages while enabling more focused scans.
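To illustrate why the shape of such a pattern matters, here is an added example (not Checkmarx's own implementation of the rule setting) that applies user-supplied regex patterns to a constructed list of package names and reports which public packages a given pattern set would wrongly exclude from scanning. The matching semantics (whole-name match versus substring search) are assumptions for the demonstration; the package names and the `@corp/` scope are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample list of package names as an SCA scan might collect them.
# The "@corp/" packages are the ones meant to stay private; the rest are
# public dependencies that must still be scanned.
SAMPLE_PACKAGES = [
    "@corp/auth-lib",
    "@corp/billing",
    "corpus-tools",     # public, but contains the substring "corp"
    "lodash",
]
KNOWN_PUBLIC = {"corpus-tools", "lodash"}


def is_private(name: str, patterns: Iterable[re.Pattern], anchored: bool) -> bool:
    """True when any pattern matches the package name.

    anchored=True requires the pattern to describe the whole name (fullmatch).
    anchored=False treats the pattern as a substring search, which is how an
    unanchored regex behaves in many filter implementations (assumed here)."""
    if anchored:
        return any(p.fullmatch(name) for p in patterns)
    return any(p.search(name) for p in patterns)


def partition(packages: Iterable[str], raw_patterns: Iterable[str],
              anchored: bool = True) -> Tuple[List[str], List[str]]:
    """Split packages into (to_scan, excluded_as_private)."""
    patterns = [re.compile(p) for p in raw_patterns]
    to_scan, private = [], []
    for name in packages:
        (private if is_private(name, patterns, anchored) else to_scan).append(name)
    return to_scan, private


def wrongly_excluded(packages: Iterable[str], raw_patterns: Iterable[str],
                     known_public: Iterable[str], anchored: bool = True) -> List[str]:
    """Public packages the filter would hide from the scan.

    Every name returned is a dependency whose known vulnerabilities would go
    unreported, so this list should be empty before a pattern is saved in the
    project or account settings."""
    public = set(known_public)
    _, private = partition(packages, raw_patterns, anchored)
    return [n for n in private if n in public]


if __name__ == "__main__":
    # Loose substring pattern: also catches the public "corpus-tools".
    print(wrongly_excluded(SAMPLE_PACKAGES, ["corp"], KNOWN_PUBLIC, anchored=False))
    # Anchored scope pattern: only the @corp/ packages are excluded.
    print(wrongly_excluded(SAMPLE_PACKAGES, [r"@corp/.*"], KNOWN_PUBLIC))
```

Running the block prints `['corpus-tools']` for the loose pattern and `[]` for the anchored one: a pattern scoped to the organisation's namespace keeps private packages off external servers without silently dropping public dependencies from the vulnerability analysis.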
SCA Updates
SCA Resolver Version 2.12.3
(Dec 10, 2024)
Improved logging for the project creation process
Fixed issue with manifest file upload on Windows operating systems
Fixed issue with certificate expiration for Windows binary digital signing
Download the new version here.
CLI and Plugins Releases of December 2024
CLI Version 2.3.9
Status | Item | Description |
---|---|---|
NEW | Project Filter | Added the ability to filter for projects with no tags by specifying |
CLI Version 2.3.8
Status | Item | Description |
---|---|---|
NEW | Automatic Retry | Added automatic retry when report generation fails. |
CLI Version 2.3.7
Status | Item | Description |
---|---|---|
NEW | File Support | Added support for *.jsx files. |
NEW | Repo Access Token | Added support for submitting a repo access token for SCS Scorecard scans as an environment variable. See Repository Health (OSSF Scorecard) |
CLI Version 2.3.6
Status | Item | Description |
---|---|---|
NEW | Pull Request Decoration | Added support for pull request decoration, using the |
CI/CD Plugins
In December we released the following CI/CD plugin versions:
Jenkins Plugin - 2.0.13-684.v8d2a_7b_b_1ceb_5 (uses CLI v2.3.9)
TeamCity Plugin - 2.0.26 (uses CLI v2.3.7)
GitHub Actions Plugin - 2.0.41 (uses CLI v2.3.9)
Azure DevOps Plugin - 3.0.4 (uses CLI v2.3.9)
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | General | TeamCity, GitHub Actions, Azure DevOps | General improvements and bug fixes. |
NEW | Reports | Jenkins | By default, reports are saved to the workspace. If the user submits the |
NEW | Environment Variable | Azure DevOps | Added a new environment variable, |
NEW | Supply Chain Security | TeamCity | Added support for the new Software Supply Chain Security (SCS) module, which enables running Secret Detection and Repository Health scans on your projects. For more info, see Software Supply Chain Security. |
NEW | Rust Support | TeamCity | Added support for *.rs (Rust source code) files. |
NEW | Container Security | TeamCity | Added support for container-security as an independent scanner. For more info, see Container Security. |
FIXED | Primary Branch | GitHub Actions | Fixed an issue where the primary branch in Checkmarx One was being overridden by GitHub Actions commands. |
IDE Plugins
In December we released the following IDE plugin versions:
Improvements and Bug Fixes
Status | Item | Platform | Description |
---|---|---|---|
NEW | General | Eclipse, JetBrains, Visual Studio, VS Code | General improvements and bug fixes. |
NEW | Branch Creation | JetBrains | Added the ability to create a new branch in the Checkmarx project when you run a scan from the IDE. |
NEW | Project Mismatch Warning | VS Code | We now show a warning when the selected Checkmarx One project doesn't match the local project in your workspace. |
NEW | Branch Create | VS Code | Added the ability to create a new branch in the Checkmarx project when you run a scan from the IDE. |
UPDATED | Background Run | Visual Studio | The plugin now runs in the background when you open the IDE and automatically loads results for the previous Checkmarx One project. When you open the Checkmarx plugin, the results are shown immediately. |
UPDATED | Logs Save | Visual Studio | Logs are now saved to a file in "Temp\ast-visual-studio-extension\Logs\ast-extension.log". |
UPDATED | Results Loading | VS Code | Improved ability to load results for projects with a large number of results (above 40k). |
FIXED | Run Scan Activation | Visual Studio | Fixed an issue where, when no project was selected, clicking "Run scan" would create a new project named "select a project". The "Run scan" button is now only activated when a project and branch are selected (or, alternatively, when the option to create a local branch is selected). |
FIXED | Run Scan Reactivation | VS Code | Fixed an issue where the "Run scan" button was not reactivated after a scan failed. |
Resolved issues
SCA engine results have been added to the logs for analysis purposes.
Scan-Summary API returned a negative number of findings.
Incorrect project results on the Projects List page.
Filters in the SAST results grid were ignored when performing a search by name.
Recurrent vulnerability status was shown as +1 in the Checkmarx One UI.
No "fixable" recommendations for a private image that was using public base images.
The count for selected vulnerabilities did not reset after an action.
The Result Viewer did not provide an option to cancel filters once the list was empty.
Cloning failed with a "destination path already exists and is not an empty directory" error message.
The Jira feedback app created a duplicate ticket for the same finding in the same project when scans were triggered differently.
Trying to integrate an already integrated project led to the removal of SCM repository data.
An attempt to download a contributors CSV file resulted in an "error 403 forbidden".
An API Security scan failed to find source code when the organization name contained white spaces.
Misleading response message on the SAST Scan Results comparison API endpoint.
IAM: For any group created from the Identity Provider Mapper section, the Created By field was blank.
IAM: The manage-clients role was not available in the Group role mapping.
IAM: The IAM Groups tab did not show the groups list correctly, because the API was hardcoded to filter the results to a maximum of 200.
IAM: The GET /users API endpoint returned a partial response in some cases.
Scan failure possibly caused by a MinIO outage or temporary disruption.
Short GRPC timeout.
Wrong error code was sent to Zeebe.
Impossible to change one specific vulnerability status (CVE-2017-12626).
SCA - Reoccurring Problem - Internal Error.
Top vulnerabilities with empty vulnerability description.
Private package did not appear in the UI, but it did appear in the results file.
GetEvaluableEntities query should not rely on TenantId to filter data.
Failing to get comparison results when using a language other than English.
API Security did not find the OpenAPI definition.
GET /api/scans request did not retrieve the commitID.
Analytics displayed no results for a specific application and project, despite the application and project having generated results.
The path on the Project page became overlaid and unreadable when the page was zoomed.
Incorrect link for Checkmarx One External IP's List.
Missing projects in Analytics.
End-of-life Node version warning in ADO pipelines.
Viewing results for a specific application from Risk management was failing.
The manage-feedbackapp role was removed from ast-admin in IAM 3.24.
Attack vectors spanning multiple files had an incorrect URL in Jira.
The "Friendly Name" attribute in the "SAML Attribute to Role" mapper did not behave as in other mappers.
Unable to generate a project report.
Syncing DependencyModel failed with the error:
column "additional_data" is of type jsonb but expression is of type text
A 500 GraphQL error occurred after marking CVE-2024-37568 as "Proposed Not Exploitable."
The PDF SCA report did not reflect the data shown in the UI.
HashMatching was taking too long to analyze packages.
Inconsistent order in the Global Inventory.
The screen to change the status of the SCA vulnerability failed to load.
Request to add SCA engine results to the logs.
SBOM scan failed.
Users with manage-groups roles were able to obtain Admin privileges.
An error occurred when attempting to update the password for any user.