Single-Tenant Version | 3.32
New Features and Enhancements
SAST Engine Upgrade to Version 9.7.1
The SAST engine in Checkmarx One has been upgraded to version 9.7.1.
This version includes important enhancements to C++ support and accuracy. To further optimize scanning time for your C++ projects, we recommend using the File Exclusion feature (available under your Account or Project Settings). Excluding files that are not relevant to the scan lets the engine focus on the code that matters, maximizing accuracy while keeping scan duration comparable.
To discover all the new features and updates in the latest version, refer to this page.
Repository Insights API
We have introduced the Repository Insights API, providing metadata on developers' repositories, including Lines of Code (LOC), scanned files, and language usage. This enables AppSec managers to gain deeper insights into repository activity and refine security policies accordingly.
IaC Security Presets
Improve the accuracy of IaC Security scan results by creating IaC Security Presets - sets of queries that allow you to triage findings based on the core capabilities of the IaC Security scanner.
With preset management, you can easily create and manage custom or predefined presets, tailoring security scans to your specific needs.
Support for Repo URLs in Zip File Scans
The Repository Insights API now supports repo URLs for Zip file scan scenarios, extending coverage beyond Integrated Repo (SCM) and direct Repo URL scans. This enhancement provides AppSec managers with deeper insights into repository activity, including Lines of Code (LOC) and the number of scanned files, enabling more precise scan preset customization.
Light Queries
Light Queries have been introduced to enhance accuracy and efficiency in vulnerability detection. These queries focus on identifying the most relevant security risks, streamlining the triage process, and delivering faster, more precise scan results.
A new setting for Light Queries has been added to the Account and Project pages, allowing users to easily enable this optimized detection approach.
Feedback Apps - Stop Sending Alerts for All Scans
In order to reduce unnecessary noise in Feedback App Alerts (Slack, Teams, Email), we have stopped sending alerts each time that a scan is run. We now send alerts only when the specified conditions are met (i.e., a vulnerability with the specified severity and state is identified).
SCA Updates
SBOM Improvements
We have upgraded our SBOM capabilities by adding support for CycloneDX version 1.6. CycloneDX SBOMs generated via the web application (UI), CLI and API now conform to v1.6 specifications. In addition, for SBOMs uploaded using the File Analysis API, we now support CycloneDX v1.6.
For SBOMs generated by Checkmarx One, we now add the following info to the metadata field:
Project name
Project tags
Scan date
Scan tags
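Because SBOMs now arrive from the UI, CLI, API and the File Analysis API at spec version 1.6, a consuming pipeline should verify the version and the metadata before trusting the document. The following is an added example, not Checkmarx One's own code: it checks that a CycloneDX JSON SBOM declares specVersion 1.6, extracts the project name, project tags, scan date and scan tags, and rejects an older SBOM. The sample SBOM is constructed for this example, and the placement of the metadata (metadata.component for name and tags, metadata.timestamp and "cx:" properties for scan date and tags) is an assumption, not the documented Checkmarx One layout.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a minimal CycloneDX 1.6 SBOM in JSON form. Where the project
# name, project tags, scan date and scan tags live (metadata.component,
# metadata.timestamp, metadata.properties with "cx:" names) is an assumption for
# this example, not Checkmarx One's documented layout.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "timestamp": "2025-03-01T10:15:00Z",
        "component": {
            "type": "application",
            "name": "payments-api",
            "tags": ["pci", "tier-1"],   # component "tags" arrays exist in CycloneDX 1.6
        },
        "properties": [
            {"name": "cx:scan-date", "value": "2025-03-01T10:15:00Z"},
            {"name": "cx:scan-tags", "value": "nightly,release-candidate"},
        ],
    },
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})

SUPPORTED_SPEC_VERSIONS = {"1.6"}


def _parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-03-01T10:15:00Z; None if absent or invalid."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:
        return None


def check_sbom(raw: str) -> dict:
    """Validate an SBOM before accepting it into a pipeline and pull out the
    project/scan metadata. Returns a summary dict; "ok" is False on any problem."""
    problems = []
    try:
        bom = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"ok": False, "problems": [f"not valid JSON: {exc}"]}

    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    spec = str(bom.get("specVersion", ""))
    if spec not in SUPPORTED_SPEC_VERSIONS:
        # An older SBOM (e.g. 1.5) is rejected rather than silently accepted.
        problems.append(f"unsupported specVersion {spec!r}; expected one of {sorted(SUPPORTED_SPEC_VERSIONS)}")

    meta = bom.get("metadata") or {}
    comp = meta.get("component") or {}
    props = {p.get("name"): p.get("value") for p in meta.get("properties", []) if isinstance(p, dict)}

    project = comp.get("name")
    if not project:
        problems.append("metadata.component.name (project name) is missing")
    project_tags = list(comp.get("tags") or [])
    scan_date = _parse_ts(props.get("cx:scan-date")) or _parse_ts(meta.get("timestamp"))
    if scan_date is None:
        problems.append("no parseable scan date in metadata")
    scan_tags = [t for t in (props.get("cx:scan-tags") or "").split(",") if t]

    # Components without a purl cannot be matched reliably against vulnerability data.
    components = bom.get("components") or []
    missing_purl = [c.get("name") for c in components if not c.get("purl")]

    return {
        "ok": not problems,
        "problems": problems,
        "spec_version": spec,
        "project": project,
        "project_tags": project_tags,
        "scan_date": scan_date,
        "scan_tags": scan_tags,
        "component_count": len(components),
        "components_without_purl": missing_purl,
    }


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), default=str, indent=2))
```

The purl check is the part worth keeping in a real gate: a component that carries only a name and version is hard to match to advisories, so listing those components alongside the spec-version result tells you which entries of the SBOM are effectively unverifiable.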
Management of Packages - Mute and Snooze
You can now change the state of a package to “muted” so that the vulnerabilities associated with that package won’t be shown as risks in your project.
You can also “snooze” a package so that it is muted for a fixed period of time, after which it automatically reverts to being a regular monitored package. This helps reduce noise when you judge that a certain package does not pose a threat, or when no fixed version of the package is available.
When the snooze period ends, Checkmarx One automatically rescans the Primary branch of your project so that the project data accurately reflects the fact that the package has returned to being monitored.
For more information, see documentation.
Policy Management: Fine-Tuned Outdated Package Rules
We have added policy rules that enable you to specify thresholds for when outdated packages violate the policy. You can now specify the following:
Minor versions: The number of minor versions by which the package is outdated.
Major versions: The number of major versions by which the package is outdated.
Aging: The amount of time that has elapsed since the package version that you are using was published.
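To make the three thresholds concrete, here is an added example (not Checkmarx One's policy engine) that evaluates a package version against a release history using the same three rules: major versions behind, minor versions behind, and the age of the version in use. The package, its release dates and the policy thresholds are constructed for this example. One assumption is worth noting: the minor lag is measured within the major line you are on, so a minor-version violation can be cleared without a breaking major upgrade; a vendor implementation may count differently.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: tuple        # (major, minor, patch)
    published: date


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release or build suffix is ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


# Constructed release history for a hypothetical package; versions and dates are made up.
RELEASES = [
    Release(parse_version(v), date.fromisoformat(d))
    for v, d in [
        ("1.8.0", "2022-06-10"),
        ("1.9.0", "2022-11-02"),
        ("1.10.0", "2023-03-15"),
        ("1.11.2", "2023-09-01"),
        ("2.0.0", "2024-01-20"),
        ("2.1.0", "2024-05-05"),
        ("3.0.0", "2024-11-30"),
    ]
]

# Example thresholds; a package violates the policy when it exceeds any of them.
POLICY = {"max_major_behind": 1, "max_minor_behind": 2, "max_age_days": 365}


def evaluate_package(used: str, releases, policy, today: date) -> dict:
    """Apply the outdated-package rules to the version in use and list violations."""
    uv = parse_version(used)
    by_version = {r.version: r for r in releases}
    if uv not in by_version:
        raise ValueError(f"unknown release {used}; cannot compute aging")
    latest = max(releases, key=lambda r: r.version)
    # Assumption: minor lag is counted inside the major line currently in use.
    latest_same_major = max((r for r in releases if r.version[0] == uv[0]),
                            key=lambda r: r.version)
    major_behind = latest.version[0] - uv[0]
    minor_behind = latest_same_major.version[1] - uv[1]
    age_days = (today - by_version[uv].published).days

    violations = []
    if major_behind > policy["max_major_behind"]:
        violations.append(f"{major_behind} major versions behind (limit {policy['max_major_behind']})")
    if minor_behind > policy["max_minor_behind"]:
        violations.append(f"{minor_behind} minor versions behind (limit {policy['max_minor_behind']})")
    if age_days > policy["max_age_days"]:
        violations.append(f"version published {age_days} days ago (limit {policy['max_age_days']})")
    return {
        "used": used,
        "major_behind": major_behind,
        "minor_behind": minor_behind,
        "age_days": age_days,
        "violations": violations,
        "compliant": not violations,
    }


if __name__ == "__main__":
    for v in ("1.8.0", "2.1.0", "3.0.0"):
        print(evaluate_package(v, RELEASES, POLICY, date(2025, 3, 1)))
```

Aging is computed from the publish date of the version you use, not from the date of the latest release; that is what makes it useful for packages that are current but abandoned, which the version-gap rules alone would never flag.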
Container Security
Private Container Registry Integration
Checkmarx One can now integrate with private container registries, automatically pulling images from your registry and scanning them with the Checkmarx One Container Security scanner. A wizard on the Checkmarx One Integrations page lets you submit your credentials for the private registry and create the integration.
Limitations:
The integration does not apply to scans run via the Checkmarx One CLI tool or its associated plugins.
Currently supported for: GitHub, JFrog and private Docker Hub.
IAM Updates
Keycloak Upgrade
Keycloak was upgraded to version 26.
Concurrent Session Limiting
You can now set a limit on the number of concurrent sessions per user, providing greater control and helping to enforce organizational session policies.
Resolved Issues
OpenID Claim to Role Mapper removed existing roles.
A scan was canceled automatically without any apparent reason.
SCA results button failed to render in the contextual right panel.
The Projects PUT method wouldn’t update the "origin" field with an empty string.
An inconsistency in the sorting behavior of the scans endpoint.
Adding a new tag or group filter by typing its name would clear previously selected filters in the Projects List.
The Scan List and Project Overview displayed different result counts for SCA findings.
It was not possible to select SPDX for the SBOM.
2MS scans failed with the error: "Failed to parse 2MS results into SARIF: the provided file path doesn't have a file."
Duplicate groups were showing for the same project.
The filter select option on the Project Page was unavailable when only a few projects (up to 3) were displayed.
Scans were taking too long to complete.
Clicking on a project name link on the Project page led to an empty page with the URL "/Projects/undefined."
The export data pop-up in the Global Inventory exhibited unexpected behavior.
Changing a result in a project with an incremental scan caused the result count on the Project Page to become inflated and incorrect.
FirstFoundAt was incorrectly updated.
Checkmarx One was not identifying Perl dependencies.
Bulk tags applied on the fly were in lower case.
It was not possible to open multiple Risk tabs for SCA scan results.
SourceResolverSandbox exception: No results.
Project conversion API got stuck in IN_PROGRESS state, and running another process was not possible.
The Policy page was not editable.
DAST incorrectly detected legitimate files as hidden vulnerabilities.
The viewerLink for the SAST scan report in JSON format was incorrect.
SCA Resolver error.
Slowness in loading filters on the main Scans page.
When multiple results shared the same similarity ID and two of them were selected to add a note, the note was duplicated across all results with the same similarity ID.
Scan execution was encountering issues due to DOM-related errors.
The error "Clone succeeded, but checkout failed" occurred.
The report was not displaying IaC results for a specific project.
The project import status was not displayed when the repository was not included in the initial list.
A display-related issue occurred on the Code Repository page in Project Settings.
The Project overview page became distorted when the repository name was too long.
Old vulnerabilities were reported in the latest Redis Docker image.
There was a discrepancy in vulnerabilities between RedHat UBI 8 and UBI 9.
Drilling down into KPIs to view results triggered a 504 Gateway Timeout error.
A false positive was detected for "openssl 3.0.7".
A false positive was detected for a "jq" package.
A zip could be scanned via CLI but not via the UI.
Container Security was showing no results on the Scan Summary page, despite results being present.
The Project report included non-exploitable results even when the filter excluded them.
All scans finished with partial status due to SCM Azure project settings.
The Feedback App failed to retrieve additional fields due to a gRPC message size limitation (exceeding the maximum size of 10,485,760 bytes).
Filters were not working in Containers.
The OAuth Client UI regenerated the secret when pressing Enter in any field.
It was not possible to fetch the list of existing tags when creating a new project with a manual scan.
A CSV report from KPI was ignoring the tag filter.
Project Report generation failure.
Adding a note was resetting the state for the result API.
Opening an SCA result resulted in a "Cannot read null properties (read 'toLowerCase')" error.
KICS timeout was causing an error when fetching sources.
In the sast-results-predicates API endpoint, adding a note to a SAST finding caused the state to revert to the default value.
The IaC results page got stuck in an infinite loading loop.
Error in commit transaction: failed to save SCA scan results.
The resolution was failing when parsing the Poetry dependency output.
SAST results sync issue due to large-sized object.
Export service could not download a 500k file.
The Private Packages overview tab kept loading endlessly.
The scan runner was unable to download the scan file because the pre-signed URL expired before the scan started.
An error occurred when generating a Projects report.