Checkmarx SCA Release Notes January 2025

Notice

These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.

Warning

The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated soon. They have been replaced by the new Management of Risk API, which supports applying any Checkmarx One state and adding comments. We recommend migrating to the new API soon.

SCA Updates

SBOM Improvements

  • We have upgraded our SBOM capabilities by adding support for CycloneDX version 1.6. CycloneDX SBOMs generated via the web application (UI) now conform to v1.6 specifications. This is true also for SBOMs generated using the Export Service API.

    In addition, for SBOMs uploaded using the File Analysis API, we now support CycloneDX v1.6.

  • For SBOMs generated by Checkmarx SCA, we now add the following information to the metadata field:

    • Project name

    • Project tags

    • Scan date

    • Scan tags
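As an added example (not Checkmarx code), here is a small check a consumer of these SBOMs could run to confirm that an exported document is CycloneDX 1.6 and carries the metadata items listed above; the property names cx:project_tags and cx:scan_tags are assumed placeholders, since the release notes do not state the exact field names the exporter uses.

```python
# Check a CycloneDX 1.6 SBOM for the scan metadata described in the release notes.
# Added example, not Checkmarx code; property names below are assumed placeholders.
import json
from datetime import datetime

# Constructed sample SBOM carrying the four metadata items (project name,
# project tags, scan date, scan tags).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {
        "timestamp": "2025-01-15T10:32:00Z",                          # scan date
        "component": {"type": "application", "name": "payments-api"},  # project name
        "properties": [
            {"name": "cx:project_tags", "value": "pci,prod"},  # project tags (assumed name)
            {"name": "cx:scan_tags", "value": "nightly"},      # scan tags (assumed name)
        ],
    },
    "components": [],
})

REQUIRED_PROPERTIES = ("cx:project_tags", "cx:scan_tags")


def sbom_metadata_issues(sbom_json: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    issues = []
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        issues.append("not a CycloneDX document")
    if doc.get("specVersion") != "1.6":
        issues.append(f"specVersion is {doc.get('specVersion')!r}, expected '1.6'")
    meta = doc.get("metadata") or {}
    try:  # scan date must be an ISO 8601 timestamp ("Z" normalised for older Pythons)
        datetime.fromisoformat(str(meta.get("timestamp") or "").replace("Z", "+00:00"))
    except ValueError:
        issues.append("metadata.timestamp (scan date) missing or not ISO 8601")
    if not (meta.get("component") or {}).get("name"):
        issues.append("metadata.component.name (project name) missing")
    present = {p.get("name"): p.get("value") for p in meta.get("properties", [])}
    for prop in REQUIRED_PROPERTIES:
        if not present.get(prop):
            issues.append(f"metadata property {prop} missing or empty")
    return issues


def tags_from_sbom(sbom_json: str, prop: str) -> list[str]:
    """Split a comma-separated tag property into a list (empty if absent)."""
    meta = json.loads(sbom_json).get("metadata") or {}
    for p in meta.get("properties", []):
        if p.get("name") == prop and p.get("value"):
            return [t.strip() for t in p["value"].split(",") if t.strip()]
    return []
```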

Malicious Packages in Global Inventory & Risks

We now include results from Malicious Package Detection on the Global Inventory & Risks screen. The data is shown in the relevant tabs.

  • Packages tab - Malicious Packages and Suspected Malware are now shown in the table, with the Vulnerabilities column showing the malicious icon. You can filter and sort for Malicious Packages and/or Suspected Malware.

  • Risks tab - Risks associated with malicious packages are shown in the table with the Risk Type listed as "Suspected Malware". You can filter and sort for Suspected Malware.

When you export the data from the SCA Inventory and Risks, the malicious package data is included in the report.

SCA Resolver Version 2.12.7

(Jan 3, 2025)

  • For Bower:

    • Fixed resolution of packages whose version is declared as a range

    • Transitive dev dependencies are now ignored

  • For Gradle, skip command execution for ignored modules.

Download the new version here.