
Checkmarx SCA Release Notes February 2025

Notice

These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.

Warning

The IgnoreVulnerability and UnignoreVulnerability APIs, which had been used for triaging SCA vulnerabilities, will be deprecated soon. They have been replaced by the new Management of Risk API, which supports applying any Checkmarx One state and adding comments. We recommend migrating to the new API soon.

SCA Updates

Support for CVSS 4.0

We have added support for the CVSS 4.0 scoring system, which uses additional metrics to provide better granularity and further refine the scoring methodology. We now show the CVSS 4.0 score for each vulnerability that has such a score. When no CVSS 4.0 score is available, we continue to use the most recent available score from previous scoring systems (3.1 or 2.0). Additional details about this change are available here.

New SCA Policy Conditions

We have added several new policy conditions, enabling granular detection of specific risk factors:

  • EPSS - set thresholds based on EPSS score or EPSS percentile.

  • State - set a condition for vulnerabilities in one or more specified states. Options are: To Verify, Proposed not Exploitable, Confirmed and Urgent.

  • Malicious Package detection (for accounts with the relevant license) - you can now create conditions based on specific types of malicious attacks (e.g., Typosquatting, Chainjacking, etc.). You can also create conditions based on thresholds for the following package integrity metrics: Contributor Reputation, Reliability Score and Behavioral Integrity.
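The following is an added illustration, not Checkmarx code, of the CVSS score-selection rule described under "Support for CVSS 4.0" and of the EPSS, State and Malicious Package conditions listed above, run over constructed sample findings. The record shape, the placeholder finding identifiers, and the assumption that every configured condition must match for a policy violation are all mine; the real SCA policy engine may combine conditions differently.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Vulnerability:          # constructed record shape, not the SCA data model
    finding_id: str
    cvss4: float | None
    cvss31: float | None
    cvss2: float | None
    epss_score: float         # probability of exploitation, 0.0-1.0
    epss_percentile: float    # 0.0-1.0
    state: str                # To Verify / Proposed not Exploitable / Confirmed / Urgent
    malicious_type: str | None = None   # e.g. "Typosquatting"; None when not malicious

def effective_score(v: Vulnerability):
    """Show CVSS 4.0 when present, else the most recent earlier system (3.1, then 2.0)."""
    for version, score in (("4.0", v.cvss4), ("3.1", v.cvss31), ("2.0", v.cvss2)):
        if score is not None:
            return version, score
    return None, None

@dataclass
class Policy:   # assumed semantics: every configured condition must match to violate
    min_epss_score: float | None = None
    min_epss_percentile: float | None = None
    states: set = field(default_factory=set)
    malicious_types: set = field(default_factory=set)

def violates(policy: Policy, v: Vulnerability) -> bool:
    checks = []
    if policy.min_epss_score is not None:
        checks.append(v.epss_score >= policy.min_epss_score)
    if policy.min_epss_percentile is not None:
        checks.append(v.epss_percentile >= policy.min_epss_percentile)
    if policy.states:
        checks.append(v.state in policy.states)
    if policy.malicious_types:
        checks.append(v.malicious_type in policy.malicious_types)
    return bool(checks) and all(checks)   # an empty policy never fires

# Constructed sample findings; identifiers are placeholders, not real CVEs.
FINDINGS = [
    Vulnerability("FINDING-1", 8.7, 7.5, None, 0.62, 0.97, "Confirmed"),
    Vulnerability("FINDING-2", None, 5.3, 4.3, 0.01, 0.20, "Proposed not Exploitable"),
    Vulnerability("FINDING-3", None, None, 6.8, 0.30, 0.90, "Urgent", "Typosquatting"),
]
EXPLOITABLE_AND_TRIAGED = Policy(min_epss_percentile=0.9, states={"Confirmed", "Urgent"})
MALICIOUS_ONLY = Policy(malicious_types={"Typosquatting", "Chainjacking"})
def evaluate(policy: Policy, findings=FINDINGS) -> list[str]:
    return [v.finding_id for v in findings if violates(policy, v)]
```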