2024.3.2 October 2024 | Enhanced to provide support for Critical Severity. Enhanced to show the SAST server Engine Pack Version in the logs. Enhanced to support Jenkins version 2.462.1. Upgraded the libraries below: commons-compress to 1.27.0, cx-client-common to 2024.3.28, guava to 32.1.1-jre, vertx-core to 4.5.9, rhino to 1.7.15, javax.annotation-api to 1.3.2, netty-common to 4.1.112.Final, netty-buffer to 4.1.112.Final, netty-transport to 4.1.112.Final, netty-resolver to 4.1.112.Final, netty-handler to 4.1.112.Final, netty-transport-native-unix-common to 4.1.112.Final, netty-codec to 4.1.112.Final, netty-handler-proxy to 4.1.112.Final, netty-codec-socks to 4.1.112.Final, netty-codec-http2 to 4.1.112.Final, netty-resolver-dns to 4.1.112.Final, netty-codec-dns to 4.1.112.Final, plexus-utils to 3.5.1, snappy to 0.5.
| Supported SAST Versions: 9.5, 9.6, 9.7 OSA Support: Supported, *FSA supported version: 24.2.3 SCA Support: Supported Supported Tool Version: *Operating Systems: Windows, Linux *Jenkins versions: 2.164 to LTS 2.462.1 Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8
Note: Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations.
|
2024.2.3 | Fixed an All users override issue for existing projects by the CxSCA team. Fixed an issue where the scaReportFormat:PDF parameter is present in the SCA pipeline script by default when the Generate CxSCA report checkbox is disabled. Fixed an issue where if the first scan in a pipeline or new project is asynchronous, it does not show a failed scan report if reports are not generated or a report of a previous successful scan is not available. Fixed a pipeline issue where builds failed and displayed a failed report in cases of an asynchronous scan, when a previous synchronous scan failed or the enable vulnerability threshold exceed checkbox was checked, but the parent checkbox, Enable synchronous mode, was not. Added form validation for the Enable vulnerability threshold checkbox when the CxSAST scan is not enabled. Fixed an issue where the scan failed and showed an error in the log if both the CxSAST and the dependency scan were disabled. Removed dependency on the Swagger call. Fixed an issue where a user could not assign a Scan Retention Rate to an existing CxSAST project. Upgraded the libraries below: org.yaml:snakeyaml to 2.2, cx-client-common to 2024.2.3, commons-beanutils:commons-beanutils to 1.9.4, io.netty:netty-codec-http to 4.1.101.Final, org.apache.commons:commons-compress to 1.26.0.
| Supported SAST Versions: 9.4, 9.5, 9.6 OSA Support: Supported, *FSA supported version: 24.0.1 SCA Support: Supported Supported Tool Version: *Operating Systems: Windows, Linux *Jenkins versions: 2.164 to LTS 2.440.2 Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8
Note: The Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations. |
2023.4.3 | Enhanced to use with relevant versions of SAST APIs. Added support to Enable Policy Enforcement for SAST and SCA separately. (These two need to be configured separately.) Enhanced the plugin to display the correct error message on the Checkmarx reports screen if SCA scan policies are violated. Added support for SAST Project Level Custom Fields. Added support for SCA Project Custom Tags. Added support for SCA Scan Custom Tags. Allowed special characters in scan and project-level custom fields for SAST and SCA. Allowed special characters in the Jenkins job name. Added support to propagate vulnerability threshold exceeds errors. Enhanced the plugin to support SCA URL in NoProxyHost. Added support for Jenkins Server v2.375.4 and v2.414.3. Fixed deserialization issue for API requests/responses. Upgraded the libraries below: com.checkmarx:cx-client-common:2023.4.4, org.apache.commons:commons-compress:1.25.0, org.json:json:20231013, org.eclipse.jgit:org.eclipse.jgit:6.8.0.202311291450-r, com.google.guava:guava:32.1.1-jre.
| Supported SAST Versions: 9.4, 9.5, 9.6 OSA Support: Supported, *FSA supported version: 24.0.1 SCA Support: Supported Supported Tool Version: *Operating Systems: Windows, Linux *Jenkins versions: 2.164 to LTS 2.414.3 Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8
Note: The Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations. |
2023.2.6 | Added functionality to generate SCA Reports in various formats: PDF, XML, CSV, JSON, cyclonedxjson, and cyclonedxxml. Added functionality to generate reports in the agent's workspace directory. Added functionality to generate SCA/OSA reports in the workspace directory. SCA Resolver integration is enhanced and can reuse SAST-specific parameters like Project Name, Source Code Location, SAST Server URL, Credentials, and Result Path. According to the syntax of SCA Resolver arguments, the additional parameters are intended for extra arguments. Provided a new option to select a job status in cases where the CxSAST vulnerability threshold is crossed. The global setting SSL/TLS validation checkbox is enabled by default to enforce TLS/SSL server certificate validation. Set a specific scan retention rate for CxSAST Scan. Added support for CxSAST Scan Retention Settings when creating a project. Upgraded the following libraries: org.json:json:20230227
| Supported SAST Versions: 9.3, 9.4, 9.5 OSA Support: Supported, *FSA supported version: 23.0.1 Supported Tool Version: *Operating Systems: Windows, Linux *Jenkins versions: 2.164 - LTS 2.387.3 Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8
Note: Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations. |
2022.4.3 | Corrected the config-as-code feature. The prior version failed to parse the cx.config file. The overrideProjectSetting plugin parameter indicates whether the preset and engineConfigurationId values will be saved on the SAST project. HTTP links to OSA scan results that appear in the plugin logs are corrected. Enhanced the default include/exclude pattern to exclude SCAResolver’s result files. Introduced ABORTED as a new value for the jobStatusOnError and vulnerabilityThresholdResult parameters. Using this value will stop the pipeline immediately. Fixed an issue where the build was not marked as failed for SCA Policy violations. Upgraded the following libraries: org.apache.logging.log4j:log4j-core:2.17.1, org.apache.commons:commons-compress:1.22, com.google.code.gson:gson:2.8.9, org.yaml:snakeyaml:1.33.
| Supported SAST Versions: 9.3, 9.4, 9.5 OSA Support: Supported, *FSA agent supported version: 21.0.5 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.361.4, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8
Note: Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations. |
2022.3.3 | | Supported SAST Versions: 9.3, 9.4, 9.5 OSA Support: Supported, *FSA agent supported version: 21.0.5 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.346.3, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2022.3.2 | Benign errors such as duplicate scan errors or timeout errors are suppressed by default. This can be disabled by defining the JVM property as 'suppressBenignErrors=false'. Special characters are now validated in custom fields. Introduced presetId 0 that causes SAST to use the presetid of previous scans in that project. If it is a new project, the preset in SAST gets defaulted to 'Checkmarx Default'. Pipeline scripts can be configured with scaTeamId instead of scaTeamPath. scaTeamId takes precedence though. The CxOrigin value now contains the Jenkins plugin version.
| Supported SAST Versions: 9.3, 9.4, 9.5 OSA Support: Supported, *FSA agent supported version: 21.0.5 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.346.3, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2022.2.3 | Fixed the CSRF and Permission check security issues that have been documented in the Jenkins Security Advisory 2022-02-15. If Matrix Authorization is enabled, a job or configure role is required to edit the Jenkins job. Proxy can now be enabled for CxSCA communication as well. Fixed the issue that caused dependency scan settings to be accessed from the global configuration instead of the specific job configuration, which resulted in a NullPointerException.
| Supported SAST Versions: 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.5 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.342.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2022.2.1 | Fixed an issue that caused CxSCA scans with proxy to fail if no CxSAST scan is performed. Fixed an issue that caused the ScaResolver to fail in Orchestrator/Worker configuration under Windows and Linux. Upgraded the Spring framework libraries to version 5.3.18. Corrected the scenario where the Postscanaction ID was passed as 0 and failed with a NullPointerException. PostScanActions now enclose arguments with quotes (""). Duplicated project scans are not queued anymore in the same queue.
| Supported SAST Versions: 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.1 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.342.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2022.1.3 | | Supported SAST Versions: 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.1 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2022.1.2 | | Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.1 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.4.3 | | Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.1 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.4.2 | | Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 21.0.1 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.4.1 | Support has been added for post scan actions for SAST 9.3 and higher. Team names can now be ordered alphabetically. Scan level custom fields have been added for SAST 9.4. Support has been added to force-rescan source code with no changes. It is now possible to continue the build when the SAST scan times out. An interface issue has been fixed that made it impossible to clear Dependency Scan, if globally defined. Fixed an issue that caused tasks in Orchestrator/Worker format to be completed successfully when entering incorrect user credentials. Enable Synchronous Mode has been added to the user interface. It was missing in the user interface of the last version of the plugin, although the functionality was supported. Fixed an issue that caused HTML reports not to be generated for asynchronous scans. Fixed an issue that caused dependencies to conflict during an OSA HTML scan. Fixed an issue that caused multiple OSA scans to fail or logs to get mixed up when running them in parallel at the same agent.
| Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 20.0.13 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.3.3 | Added support for FSA agent version 20.0.13. Added support for CxSAST languages in HTML reports. Enabled the system to obtain the CxSAST results, if the CxSAST scan is completed before the CxOSA scan.
| Supported SAST Versions: 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 20.0.13 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.289.1, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.3.1 | Fixed an issue that caused the proxy to be used even when it had been disabled when configuring the job. It is now driven by the job level ‘Jenkins Proxy’ setting only. Fixed an issue that caused debug logs to remain hidden during a regression when ‘Hide Debug Logs’ was cleared. Fixed an issue that caused FSA logs to remain hidden during OSA scans.
| Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4 OSA Support: Supported, *FSA agent supported version: 20.0.11 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.277.4, *Operating Systems: Windows, Linux Supported Java Version: OpenJDK 11, Oracle JDK 8
|
2021.2.96 | Fixed the error that caused the Deserialization exception that has been triggered with the CxSCA functionalities ‘Break the build’ and ‘Include Source’. Fixed the error that caused the Serialization exception that has been triggered with Jenkins agent-based jobs. An exploitable path/attack vector has been added for CxSCA scans. The “EnablePolicyEnforcement” option now enforces CxSCA Policies in addition to CxSAST & CxOSA policies. An option to include source code with CxSCA scans has been added. Private registries and environment variables have been added for CxSCA scans. Project creation and team assignment capabilities have been added for CxSCA scans. Added an option to the user interface to hide debug/trace logs. Fixed the behavior for “Allow global comment” to concatenate job level and global comment when configured. Added a validation mechanism for SCA credentials. To fix security vulnerabilities, the libraries listed below have been upgraded to newer versions: io.vertx:vertx-web to version 3.9.7, commons-beanutils:commons-beanutils to version 1.9.4, org.apache.httpcomponents:httpclient to version 4.5.13, io.netty:netty-codec-http to version 4.1.60.Final, commons-io:commons-io to version 2.7.
| Supported SAST Versions: 8.9, 9.0, 9.2, 9.3 OSA Support: Supported, *FSA agent supported version: 20.0.11 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.277.4, *Operating Systems: Windows, Linux Supported Java version: OpenJDK 11, Oracle JDK 8
|
2021.1.2 | Support for the config as code functionality. Support for the cxOrigin and cxOrigin url functionality. Fixed the Project Settings Override functionality. Added the ability to remove HTML results for the async mode. Fixed various limitations and improved proxy support.
| Supported SAST Versions: 8.9, 9.0, 9.2, 9.3 OSA Support: Supported, *FSA agent supported version: 20.0.10 SCA Support: Supported Supported Tool Version: Jenkins 2.164 - LTS 2.263.2, *Operating Systems: Windows, Linux Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.4.8 | Enable/Disable proxy support by global/job configuration. Proxy support added for both SAST and SCA. Fixed the SCA async behavior. Fixed resolving dependencies for an OSA scan issue. Fixed displaying zero values on SCA HTML reports. Fixed 'OSADependencies.json file is not generated under workspace' when the job is running on Orchestrator Worker. Added missing classes to the allowlist for security purposes. Added support for FSA custom variables.
| Supported SAST Versions: 8.9, 9.0, 9.2 OSA Support: Supported, *FSA agent supported version: 20.0.9 SCA Support: Supported Supported Tool Version: Jenkins LTS 2.249.3, *Operating Systems: Windows, Linux Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.4.3 | | Supported SAST Versions: 8.9, 9.0, 9.2 OSA Support: Supported, *FSA agent supported version: 20.0.8 SCA Support: Supported Supported Tool Version: Jenkins LTS 2.249.2, *Operating Systems: Windows, Linux Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.3.3 | | Supported SAST Versions: 8.9, 9.0, 9.2 OSA Support: Supported, *FSA agent supported version: 20.0.5 SCA Support: Supported Supported Tool Version: Jenkins LTS 2.235.3, *Operating Systems: Windows Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.2.20 | Support for the new SCA dashboard. Saving the SCA response as a JSON file. Fix for exclude/include field with new lines and spaces.
| Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 20.0.5 SCA Support: Supported Supported Tool Version: Jenkins LTS 2.204.3, *Operating Systems: Windows Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.2.5 | Added support for new CxSCA APIs. Exposing CxSAST threshold variables for Jenkins pipeline. Fix for Maven Path validation. Fix for PDF Link generation. The "Tenant" label has been renamed to "Account". The “CxSCA Server URL” has been renamed to “CxSCA API URL”. A note has been added that SAML and SSO are not supported to log in to CxSCA. The SCA Scan ID is displayed in the log.
| Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 20.0.5 SCA Support: Supported Supported Tool Version: Jenkins LTS 2.204.3, *Operating Systems: Windows Supported Java version: OpenJDK 11, Oracle JDK 8
|
2020.1.10 | | Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 20.030 Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents Supported Java version: OpenJDK 11, Oracle JDK 8
|
2019.4.2 | | Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 20.0.0 SCA Support: Supported Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents
|
2019.4.1 | | Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 18.7.2.4 Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents
|
9.00.5 | | Certified SAST Versions: 8.9, 9.0 OSA Support: Supported, *FSA agent supported version: 18.7.2.4 Supported Tool Version: Jenkins 2.164 – 2.206, *Operating Systems: Windows and Linux agents
|
8.90.4 (HF) | | |
8.90.3 (HF) | | |
8.90.0 | New Top-Bar ("red" scan failed, "green" scan passed). Support OSA scanning of NuGet package files. Support OSA scanning of Python 3 package files. Ability to break the build according to the OSA policy status.
| |
8.80.0 | | |
8.70.0 | Embed OSA core library into the Checkmarx CI plugins. Support OSA scanning of the NPM package.json. Support OSA scanning of Maven POM.XML files.
| |
8.60.0 | Display latest scan report when running the scan in asynchronous mode. Report chart now shows both Recurrent and New bugs (currently only CxSAST). Migration to Jenkins Credential Management.
| |
8.50.0 | | |
8.42.0 | | |
8.8.0 | | |