Release Notes for 9.5.0
Version 9.5.0 includes the following updates:
Enterprise Updates for 9.5.0 (New Features and Enhancements)
CxSAST Engine
Core
.NET 6
Since .NET Core 3.1 reaches EOL (end of life) at the end of 2022, Checkmarx SAST has been transitioned to .NET 6.
.NET 6 includes the following benefits:
Improved Security
Improved Performance
Introduces Hot Reload - a faster way to view changes
C# 10 with which developers can make code simpler and more expressive
Support for three years
With the .NET 6 platform there will be a performance increase for both Centralized and Distributed installations, with a corresponding 15-20% increase in memory and CPU usage.
Note: .NET 6 works only with Visual Studio 2022 and later.
Linux OS - Fedora v33
Since Fedora v33 does not support .NET 6, Checkmarx SAST Version 9.5.0 will not support Fedora v33.
Linux OS - CentOS 8
Since CentOS 8 has reached EOL (end of life), Checkmarx SAST will phase out support for CentOS 8 in one of the upcoming Engine Packs.
New Improved Flow
In 9.5.0 the transition to the New Improved Flow is complete, meaning that all languages will be scanned with the New Improved Flow enabled.
Engine Configuration and Logs Refactoring
As part of the engine configuration improvements, we reduced the number of configuration keys by ~10%, renamed some, and added better descriptions for easier maintenance and use.
Engine Modernization
We continue our ongoing effort to improve the engine in several aspects, including performance, memory usage, and faster scans. We are also refactoring the DOM in order to achieve DOM persistency at a later stage.
Check available disk space before scanning
Previously when a new scan was being triggered, the system did not indicate whether the engine machine had enough disk space for executing the scan.
Now the following threshold validations must be met before scanning, otherwise the engine will go offline:
The source drive disk space is above the minimum threshold (an absolute value).
The scan drive has the minimum required space for the source code including all the files that will be created during the scan, such as logs and results.
Prevent Engine from Running with a Previous Version
An engine will be marked as "offline" if the engine version (major, minor and revision) is not equal to the latest engine pack installed. On the SAST portal, on the Engine Management page, an error message will appear next to a yellow exclamation mark explaining the reason why the engine is offline.
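The two readiness gates described above (free disk space on the source and scan drives, and the engine version matching the installed engine pack) can be modelled together. The following is an added illustration, not Checkmarx's engine code: the 5 GiB source-drive minimum, the 50% overhead factor for files created during the scan, and all function names are assumptions made for the example.

```python
"""Added example (not Checkmarx's code): the two engine readiness gates that
9.5.0 describes, free disk space on the source and scan drives and the engine
version matching the installed engine pack. Thresholds, the overhead factor
and all function names are assumptions for illustration."""
import os
import shutil
from typing import List, Tuple

GIB = 1024 ** 3
# Assumed thresholds (not from the release notes): the source drive must keep
# an absolute 5 GiB free, and the scan drive must hold the source code plus 50%
# for files created during the scan (logs, results).
SOURCE_DRIVE_MIN_FREE_BYTES = 5 * GIB
SCAN_OVERHEAD_FACTOR = 1.5


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, revision); a trailing build number is ignored
    because the notes compare major, minor and revision only."""
    parts = version.split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.revision, got {version!r}")
    major, minor, revision = (int(p) for p in parts[:3])
    return major, minor, revision


def version_matches_pack(engine_version: str, engine_pack_version: str) -> bool:
    """An engine whose version differs from the engine pack is marked offline."""
    return parse_version(engine_version) == parse_version(engine_pack_version)


def disk_checks(source_size_bytes: int, source_free_bytes: int,
                scan_free_bytes: int) -> List[str]:
    """Return the reasons the engine must go offline; an empty list means both
    threshold validations passed."""
    reasons = []
    if source_free_bytes < SOURCE_DRIVE_MIN_FREE_BYTES:
        reasons.append(
            f"source drive has {source_free_bytes / GIB:.1f} GiB free, "
            f"below the {SOURCE_DRIVE_MIN_FREE_BYTES / GIB:.0f} GiB minimum")
    required = int(source_size_bytes * SCAN_OVERHEAD_FACTOR)
    if scan_free_bytes < required:
        reasons.append(
            f"scan drive has {scan_free_bytes / GIB:.1f} GiB free, "
            f"but {required / GIB:.1f} GiB is needed for sources plus scan files")
    return reasons


def engine_status(engine_version: str, engine_pack_version: str,
                  source_size_bytes: int, source_free_bytes: int,
                  scan_free_bytes: int) -> Tuple[str, List[str]]:
    """Combine both gates; any failed check marks the engine 'offline' and the
    reasons are what the Engine Management page would show."""
    reasons = []
    if not version_matches_pack(engine_version, engine_pack_version):
        reasons.append(
            f"engine version {engine_version} does not match engine pack "
            f"{engine_pack_version}")
    reasons.extend(disk_checks(source_size_bytes, source_free_bytes, scan_free_bytes))
    return ("offline" if reasons else "online"), reasons


def free_bytes(path: str) -> int:
    """Live free-space lookup for use on a real engine host."""
    return shutil.disk_usage(path).free


if __name__ == "__main__":
    here = os.getcwd()
    status, why = engine_status("9.5.0.1234", "9.5.0.1234", 2 * GIB,
                                free_bytes(here), free_bytes(here))
    print(status, *why, sep="\n")
```

Running the script on an engine host reports the status for the current drive; the check functions are pure so the thresholds can be exercised with synthetic sizes.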
Languages and Frameworks
Regarding supported languages and frameworks, in 9.5.0 we are delivering all the previous content delivered in Engine Packs 9.4.1, 9.4.2, 9.4.3, 9.4.4 and 9.4.5.
The content includes the following:
Python frameworks Django and Flask
Improved support for preset MISRA C 2012
New languages support for RPG and Scala (and Finagle framework)
Improved Swift support
TypeScript 4.5
Angular 11 and 12
Kotlin 1.5 and 1.6
Java frameworks improvements: Struts, Spring, JSP and JSF
Improved C# queries for partial support for the latest version of .NET Core 5 and 6
Compliance improvements (presets and standards)
All supported code Languages & Frameworks versions can be found on the dedicated page.
CxSAST Application
Results Viewer Usability Enhancements
The Results Viewer is enhanced with the following features:
The Similarity ID is displayed in a new column in the Results Viewer.
The Similarity ID is now included in the displayed details.
Message is provided indicating that sources were deleted.
Assigned to User in the Report Generation
Previously when generating a report through the Checkmarx Portal, the label “Assign to User“ was displayed in the “Data Report Settings”. This label is now “Assigned to User“.
Portal User Settings Persistence
The SAST Web Portal user experience has been improved by enhancing several custom user settings with persistence.
Instead of being reset to their default states each time a page reloads, custom settings in the Scans, Projects, and Results Viewer pages now persist even when switching between pages, closing the browser, or logging off and then logging back in.
Permissions for Creating and Updating Project Configurations
Currently, the save-project permission enables the user to create and save a project.
Starting in 9.5.0, the following additional permissions are available:
create-project: allows creating projects
update-project: allows editing projects
Permissions for Managing Custom Result States
It is now possible to add, modify, delete and retrieve custom result states using the following APIs:
[GET] /sast/resultStates
[POST] /sast/resultStates
[PATCH] /sast/resultStates/{id}
[DELETE] /sast/resultStates/{id}
Project Branch Details
If the project is a branch (created through the Checkmarx Portal), additional details showing the Original Project Name and the Branched on Scan Id are displayed on the General tab of the Project screen. These fields are only displayed when viewing the project configuration; they are informative and not editable. The new fields are not available when creating a project.
Scan Id and Preset Details
Scan Id information is now available in the Checkmarx Portal, from the following views:
All Scans List
Project Scans List
Scan Summary (available from the Project Scans List)
The preset name is now available in the All Scans List.
XML Report Improvements
XML reports were improved to provide additional information.
The following query details were added:
Risk: What might happen
Cause: How does it happen
General Recommendations: How to avoid it
Source Code Examples
To provide these details, a flag called AddQueryMetaDataToXmlReport must be enabled in the database (CxComponentConfiguration table). By default the value is false.
Additional source code scope was also added. The XML reports generated by the SAST application contain the text line of the source code for every vulnerability node. The new feature allows adding not only the specific row but also additional rows above and below that row. The following configuration flag was added to the CxComponentConfiguration table: XmlReportSourceLinesRange. By default, the value is 0.
Post Scan Actions Improvements
When defining a “Run post scan action“ in the project settings, it is now possible to define the following:
Conditional Actions - To set a condition when the post scan action will run, enable the Run only if the scan has new results with a minimal severity of option and select the severity level from the drop-down list. By defining this rule, the post scan action will be triggered only after a successful scan that found new vulnerabilities which did not appear in the previous successful scan. For the first scan executed, the post scan action will run regardless of the Run only if the scan has new results with a minimal severity of condition.
Arguments - Optionally, additional arguments to the post scan action can be specified in the Post scan action arguments field. By having this option, you can set arguments which are project specific. These arguments can be added in addition to the ones specified at the post scan action level.
API Changes - The following APIs were changed to accommodate the new options:
REST API (v4)
[POST] sast/scanSettings
New fields added as parameters:
postScanActionConditions
postScanActionArguments
Permission needed:
save-project or update-project
[PUT] sast/scanSettings
New fields added as parameters:
postScanActionConditions
postScanActionArguments
Permission needed:
save-project or update-project
[POST] sast/scanWithSettings
New fields added as parameters:
runPostScanOnlyWhenNewResults
postScanActionArguments
Permission needed:
save-sast-scan
[GET] sast/scanSettings/{projectId}
New fields added in the response:
postScanActionConditions
postScanActionArguments
Permission needed:
save-project or update-project or save-sast-scan
SOAP API
Portal - CreateNewProject - Inside the ProjectConfiguration parameter in the ScanActionSettings/ScanAction type, the following new fields are available:
PostScanActionConditions
PostScanActionArguments
Portal - GetProjectProperties - Inside the ProjectConfiguration parameter, the following new fields are available:
PostScanActionConditions
PostScanActionArguments
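The Conditional Actions and Arguments options described above amount to a small decision rule: run the action only after a successful scan that has at least one result, absent from the previous successful scan, at or above the chosen severity, and always run it for the first scan. The following is an added illustration and not Checkmarx's implementation; it assumes results are matched between scans by Similarity ID, and the Result and Scan classes and the function names are hypothetical.

```python
"""Added example (not Checkmarx's code): the decision rule behind the
'Run only if the scan has new results with a minimal severity of' option
and the merging of action-level and project-level arguments. Results are
matched between scans by Similarity ID, an assumption about how 'new' is
determined; the data classes and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Severity order used for the "minimal severity" comparison.
SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Result:
    similarity_id: int
    query: str
    severity: str


@dataclass
class Scan:
    scan_id: int
    succeeded: bool
    results: List[Result] = field(default_factory=list)


def previous_successful(history: Iterable[Scan]) -> Optional[Scan]:
    """Latest successful scan in history (oldest first), or None for a first scan."""
    last = None
    for scan in history:
        if scan.succeeded:
            last = scan
    return last


def new_results(current: Scan, previous: Optional[Scan]) -> List[Result]:
    """Results of the current scan whose Similarity ID was not in the previous one."""
    if previous is None:
        return list(current.results)
    seen = {r.similarity_id for r in previous.results}
    return [r for r in current.results if r.similarity_id not in seen]


def should_run_post_scan_action(current: Scan, previous: Optional[Scan],
                                minimal_severity: str) -> bool:
    """Post scan actions follow successful scans only; the first scan runs the
    action regardless of the condition; later scans need at least one new
    result at or above minimal_severity."""
    if not current.succeeded:
        return False
    if previous is None:
        return True
    threshold = SEVERITY_RANK[minimal_severity]
    return any(SEVERITY_RANK[r.severity] >= threshold
               for r in new_results(current, previous))


def build_post_scan_command(action_args: List[str],
                            project_args: List[str]) -> List[str]:
    """Project-specific arguments are added after the ones defined on the action."""
    return [*action_args, *project_args]


if __name__ == "__main__":
    history = [Scan(1, True, [Result(1001, "Log_Forging", "Low")])]
    current = Scan(2, True, [Result(1001, "Log_Forging", "Low"),
                             Result(1002, "SQL_Injection", "High")])
    prev = previous_successful(history)
    if should_run_post_scan_action(current, prev, "Medium"):
        print(build_post_scan_command(["--notify"], ["--project=web"]))
```

Note that a failed scan neither triggers the action nor becomes the baseline: the next comparison is still made against the last successful scan.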
Source Pulling Performance Improvement for NAS
During source pulling processing, the source repository is cloned to a temporary CxSrc folder where the JobsManager processes it for data such as LOC (lines of code), exclusions, and deletions.
When the CxSrc is configured to use the NAS (Network Attached Storage) for HA (High Availability) environments or DR (Disaster Recovery) purposes, the cloning and JobsManager processes run directly on the NAS. Running these operations over the NAS consumes a large amount of network bandwidth and disk IOPS (input/output operations per second), and reduces performance and can become a bottleneck for systems using NAS storage.
To reduce this bottleneck, the new Source Pulling Performance Improvement feature provides an optimized way to execute the source control cloning and processing steps locally, instead of over the NAS.
Parallel Scan Feature
When running multiple scans of the same project on the same source code, users often require that only the newest or oldest scan be kept and that the remaining parallel scans are cancelled. An issue was fixed that caused multiple scans (such as the two oldest scans) to be kept.
In this release:
When Keep New is set (Creating Project -> Advanced Actions tab -> Parallel scan cancellation mode), only the newest scan finishes, while the other scans are cancelled.
When Keep Old is set (Creating Project -> Advanced Actions tab -> Parallel scan cancellation mode), only the oldest scan finishes, while the other scans are cancelled.
Forcing Scans for Environmental Changes with No Code Changes
Typically, when a scan is triggered in a schedule or from an API call, the source code files are compared to the previous scan. If no code changes are detected the scan is skipped, and all results are copied from the previous scan. However, even if there are no changes to the code, there might be changes to the environment or configuration that could affect the scan results. The new feature allows scans to be triggered even when the changes do not directly affect the code.
Services Availability - SAST Application Dashboard using Prometheus Metrics and Grafana
This release supports monitoring the status of SAST services running on each machine.
See SAST Application Dashboard - Using Prometheus Metrics and Grafana.
Log Enhancements with Kibana Dashboards
The capabilities provided by the CxSAST structured logs have been extended with Kibana Dashboards. The following dashboards are now available, improving troubleshooting efforts by providing more detailed information about the various phases of the scans, ultimately resulting in more efficient root cause analysis:
Log statistics per application component
Scan time duration per stage
See 9.5 Log Enhancements.
Vulnerability Queries
This version includes new and updated vulnerability descriptions, queries, and query assignments to presets.
CxSAST Access Control
Password length
The minimum password length was changed to 10 characters.
This change does not affect existing users; it applies only to new users or when existing users renew their passwords.
Supported Code Languages and Frameworks for 9.5.0
The following code languages can be scanned using CxSAST v9.5.0:
Environment | Primary Languages | Secondary Languages | Frameworks | File extensions
---|---|---|---|---
JavaScript | | | |
Supported Code Languages and Frameworks (CxOSA)
CxOSA analyzes the open sources using the following methods:
Analyzes the open source third parties themselves, supported in the languages list below.
Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.
The following open source code analysis languages and package managers can be analyzed using v9.3.0:
Environment | File Extensions | Environment | File Extensions
---|---|---|---
Java | Jar files | .Net | DLL files
JavaScript | .js | TypeScript |
React | | NodeJS |
Angular | | WCF |
WPF | | F# |
C# | DLL files | Kotlin |
Python | | Groovy |
PHP | | Scala |

Package Managers | File Extensions | Package Managers | File Extensions
---|---|---|---
Gradle | | Maven |
NPM | | Yarn |
NuGet | nupkg files | Pip |
Composer | | SBT |
Bower | | |
Codebashing - Application Security Training Platform
For supported code for Codebashing, refer to the Codebashing documentation.
API Updates for 9.5.0
REST
Category | Details |
---|---|
Get a query version code (for BFL service) | [GET] /queries/queryVersionCode - Gets the id and the query version code. The endpoint receives input parameters and returns the id and the query version code in the response. |
Lock a scan | [PUT] /sast/lockScan - Enables locking a scan. The endpoint receives the scan id as input. |
Unlock a scan | [PUT] /sast/unLockScan - Enables unlocking a scan. The endpoint receives the scan id as input. |
List all scheduled jobs | [GET] /sast/sheduledJobs - Gets the list of all scheduled jobs. For each job the response returns the project name, project Id, scan frequency, scan days and scan time. |
Get the timestamp for result updates | [GET] /sast/resultPathCommentsHistory - Enables getting the comment and timestamp for a result update. |
Pull license data | [GET] /serverLicenseData - Enables pulling license data details. The endpoint does not receive inputs; the response contains the license details. |
Get branch status | [GET] /projects/branch/{id} - Gets the project branching status. Receives as input the project ID of the branched project and returns the branching information (based on details stored in the [CxDB].[dbo].[ProjectBranchTree] table). |
Force Scan on no-code changes | [POST] /projects/{id}/forceScanOnNoCodeChanges - Sets the next scheduled scan for the project to bypass the “no code changes” scenario. |
SOAP
Category | Details |
---|---|
Portal - CreateNewProject | Inside the ProjectConfiguration parameter, in the ScanActionSettings/ScanAction type, two new fields are available: PostScanActionConditions and PostScanActionArguments. |
Portal - GetProjectProperties | Inside the ProjectConfiguration parameter, two new fields are available: PostScanActionConditions and PostScanActionArguments. |
ODATA
Category | Details |
---|---|
Tracking the age of vulnerabilities | To track the age of vulnerabilities, the vulnerability detection date was added to each Result metadata in OData. This can be helpful for customers that have internal SLAs and rules where the age of the vulnerabilities determines compliance with their enterprise's policies. It is possible to build queries to get the detection date of specific vulnerabilities. |
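A typical use of the detection date is to compute each result's age and compare it with an internal remediation SLA. The following is an added example, not Checkmarx code and not the documented OData schema: the sample payload is constructed, and the field names (Id, Severity, QueryName, DetectionDate), the per-severity SLA values and the function names are assumptions made for the illustration.

```python
"""Added example (not Checkmarx's code): computing vulnerability age from the
detection date that 9.5.0 exposes on each OData Result and checking it against
an internal remediation SLA. The sample payload below is constructed, and the
field names (Id, Severity, QueryName, DetectionDate), the SLA values and the
function names are assumptions, not the documented OData schema."""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Assumed remediation SLA in days per severity (a policy value, not from the page).
SLA_DAYS = {"High": 30, "Medium": 90, "Low": 180}

# Constructed sample shaped like an OData JSON response; not real scan data.
SAMPLE_ODATA = json.dumps({"value": [
    {"Id": 1, "Severity": "High", "QueryName": "SQL_Injection",
     "DetectionDate": "2022-01-10T08:00:00Z"},
    {"Id": 2, "Severity": "Medium", "QueryName": "Reflected_XSS",
     "DetectionDate": "2022-02-01T00:00:00Z"},
    {"Id": 3, "Severity": "Low", "QueryName": "Log_Forging",
     "DetectionDate": "2021-06-01T00:00:00Z"},
    {"Id": 4, "Severity": "Information", "QueryName": "Unused_Variable",
     "DetectionDate": "2021-01-01T00:00:00Z"},
]})


def parse_results(payload: str) -> List[Dict]:
    """Unwrap the OData 'value' collection from a JSON response body."""
    return json.loads(payload)["value"]


def parse_odata_datetime(value: str) -> datetime:
    """OData dates are ISO 8601 with a 'Z' suffix; fromisoformat only accepts
    the 'Z' form from Python 3.11 on, so normalise it first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


# Fixed reference point so the sample gives reproducible ages.
AS_OF = parse_odata_datetime("2022-03-01T00:00:00Z")


def age_days(result: Dict, as_of: datetime) -> int:
    """Whole days elapsed since the result's detection date."""
    return (as_of - parse_odata_datetime(result["DetectionDate"])).days


def sla_breaches(results: List[Dict], as_of: datetime,
                 sla_days: Dict[str, int] = SLA_DAYS) -> List[Dict]:
    """Results older than the SLA for their severity; severities without an
    SLA entry (e.g. Information) are skipped."""
    breaches = []
    for r in results:
        limit = sla_days.get(r["Severity"])
        if limit is None:
            continue
        age = age_days(r, as_of)
        if age > limit:
            breaches.append({"Id": r["Id"], "Severity": r["Severity"],
                             "QueryName": r["QueryName"],
                             "AgeDays": age, "OverdueDays": age - limit})
    return breaches


if __name__ == "__main__":
    for breach in sla_breaches(parse_results(SAMPLE_ODATA),
                               datetime.now(timezone.utc)):
        print(breach)
```

With the fixed reference date, result 1 (High, 49 days old) and result 3 (Low, 273 days old) are reported as overdue, while the Medium result is still within its 90-day window.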