9.3.0 Enterprise Updates
New Features and Changes
Starting with SAST v9.3.0, Access Control and CxEngine parameters in use are now available for viewing and editing via Environment Properties under Windows Properties. This approach provides an interface for reconfiguring Access Control and CxEngine parameters at a later stage for users who wish to do so. For detailed information, see CxSAST Environment Variables (v9.3.0).
CxSAST (Engine)
Category | Feature / Change | Details |
---|---|---|
Application Security | | |
Engine Configurations | Scans relevant languages only according to the selected preset. | If the preset is relevant for specific languages only, the scan does not parse other languages. The functionality is turned off by default. The flag is SCAN_PROJECT_ACCORDING_TO_QUERY_LANGUAGE |
Engine Deployment | Engine on Linux | Introducing CxEngine on Docker Linux. You can now deploy the CxSAST Engine as a Docker container on a Linux host. For additional information and instructions, refer to Installing and Configuring the CxEngine Server on Linux (v9.3.0) |
Engine Server | | |
Languages/Frameworks | Kotlin (Server Side) | This version adds and updates support for the latest versions of the Kotlin Server Side frameworks, Ktor and Vert.X. Support for the following framework features has been added to Ktor:
Support for the following framework feature has been added to Vert.X:
Additional generic support has been added:
Additional information can be found on the dedicated support page at Kotlin for Server Side |
Languages/Frameworks | Apex | This version adds and updates support for the latest versions of Apex that can be activated with the Engine Flag NEW_APEX. Support for the following language features has been added:
Improved the following queries:
Additional information can be found on the dedicated support page at Apex |
Languages/Frameworks | JavaScript | This version adds and updates EcmaScript support for JavaScript.
Additional information can be found on the dedicated support page at EcmaScript 10 (2019) and EcmaScript 9 (2018) |
Languages/Frameworks | Logs | Added new scan metrics to the logs: scan coverage by lines. |
Vulnerability Descriptions | New and updated vulnerability descriptions | New and updated vulnerability descriptions for this version – giving more detailed guidance for code remediation. The list is available for download from 9.3.0 Vulnerability Queries. |
Vulnerability Queries for Presets | Vulnerability Queries according to Presets | Vulnerability Queries according to Presets for this version. The list is available for download from 9.3.0 Vulnerability Queries. |
Vulnerability Queries (Full List) | Vulnerability Queries | Vulnerability Queries for this version. The list is available for download from 9.3.0 Vulnerability Queries. |
Vulnerability Queries (New and Updated) | New and Updated Vulnerability Queries | New and Updated Vulnerability Queries for this version. The list is available for download from 9.3.0 Vulnerability Queries. |
CxSAST (Application)
Category | Feature / Change | Details |
---|---|---|
CxEnterprise Web Portal Interface | The ability to block, unblock and unregister multiple engine servers has been added to the engine server table on the Engine Management page. | Enables quick blocking and unregistering of multiple engines. |
 | The Engine URL on the Management page is clickable. | Users can open the engine service screen with one click. |
 | The Engine Management page now displays the engine version. | Displays the version of each engine. |
 | New Telerik version | The Telerik version has been upgraded to 2020.1.114.45. |
 | M&O: new Tomcat version | The Tomcat server version has been upgraded to 8.5.57. |
CxSAST Projects & Scans | Added an origin URL option when triggering the scan. | Allows users to navigate to the URL that triggered the scan (e.g., a Jenkins URL). |
 | The vulnerability detection date has been added to the Portal. | The vulnerability detection date has been added to the results in the UI and in reports, and allows for different notifications, alerts and views. |
CxSAST Results Viewer | Comments are mandatory when changing the result state, if this functionality has been activated. | This functionality is disabled by default and can be enabled in two ways: |
CxSAST Reports | The STIG category has been added to the reports. | Scan results are categorized by the DISA Application and Development STIG once the STIG post-installation script has been run. |
Application Settings | Introducing a permission to view results | Adds a permission that allows users to scan projects but not to display certain results. |
Security | A new encryption mechanism has been added. | The encryption key can now be de-activated and is not hard-coded anymore. |
CxAudit
Category | Feature / Change | Details |
---|---|---|
CxQL – Query Language | CxQL changes | Updated according to changes in version 9.3.0 |
Known Limitations
Category | Limitation | Details |
---|---|---|
CxEnterprise Installer | CxSAST and M&O | In rare cases, when Checkmarx (SAST) is installed with M&O (Management and Orchestration) selected, then uninstalled, and then re-installed without M&O selected, the user may have difficulty logging into the Checkmarx Portal for the first time. To resolve this issue, clear the portal's web storage in the browser settings. The following article explains this procedure: https://www.ghacks.net/2015/02/05/how-to-clear-web-storage-in-your-browser-of-choice/ |
CxEnterprise Installer | CxSAST and M&O | In case Checkmarx (SAST) is installed with M&O (Management and Orchestration) selected, the Management and Orchestration tab is not visible in the Web Portal. To resolve this issue, log out and then log in again. |