9.3.0 Hotfixes
Installation Notes
Notice
Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
To upgrade a Linux engine, download the Linux Docker engine and follow the Linux engine installation instructions.
After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.
Resolved Issues and Changes
| Category | Resolved Issues |
|---|---|
| HF29 | Parsing issues were fixed in the CPP source code scanning. |
| | The CPP_Best_Coding_Practice/Methods_Without_ReturnType query has been updated to improve the accuracy of the results. |
| | The Engine now reports scans that terminate with errors in the Engine Agent as failed. |
| | Engine memory consumption during scans has been reduced, avoiding OutOfMemoryException errors. |
| Category | Resolved Issues |
|---|---|
| HF28 | The Tomcat version has been upgraded to Apache Tomcat version 8.5.81. |
| | Fixed an issue that caused the confidence level to be displayed incorrectly as 0% in the Results Viewer screen. This occurred when the scan was executed for a project that had no source code changes. |
| | Improved the All Scans view by listing failed scans that have some results as partial scans. |
| | Added the version number to the inventory libraries list in the HTML OSA report. |
| | Fixed an issue that caused the user to be redirected to the logout page when downloading a report from the client machine. |
| | Fixed an error in the result service log that occurred while calculating the Best Fix Location. |
| Category | Resolved Issues |
|---|---|
| HF27 | Fixed an issue by adding a retry mechanism on Windows for properly moving folders to their corresponding directories. |
| | The Project and Project State pages now correctly list the scans according to the latest scan date. |
| | Fixed a Kotlin parsing issue that was causing stack overflow errors. |
| | Updated the JavaScript library oidc-client to version 1.11.6 to fix a vulnerability. |
| | Fixed an issue in the Viewer where users attempting to access the vulnerability descriptions were incorrectly redirected to project state pages. |
| | Fixed an issue that occurred when opening the library information for scanned libraries that also exist in deprecated projects. |
| | Email notifications for successful scans now include PDF report attachments where the projects have no defined owners. |
| | Fixed an issue so that automatic attempts to connect to Access Control are no longer made when the Access Control service is stopped in the IIS Manager. |
| | The upgrade process now deletes unnecessary old Log4j files. |
| Category | Resolved Issues |
|---|---|
| HF26 | The following libraries have been updated: |
| | During the installation of the Hotfix, the ActiveMQ\conf\activemq.xml file is replaced with the new file and the original file is backed up. If you implemented a configuration for ActiveMQ different from the default configuration, you might need to implement it again in the new activemq.xml file. Furthermore, if your ActiveMQ configuration involved additional customer-created files, you might need to back them up before installing the Hotfix and then restore them after the Hotfix installation. |
| Category | Resolved Issues |
|---|---|
| HF25 | Fixed an issue that caused the scanned source code to be written to the Engine log file when parsing an .xhtml file. |
| | Fixed an issue in the CxPortal Scan List screen that made the Download Scan Logs button unavailable. |
| | Fixed an issue to prevent displaying incorrect result states for Recurrent results when comparing two scans after overriding queries. |
| | Fixed an issue that caused errors to be recorded in the incremental scan log after all the vulnerabilities detected in the full scan were removed. |
| | Fixed an issue that caused scans to fail where the SAST users did not have permissions to the drive, although they did have permissions to the CxSRC folder. |
| | Fixed an error to prevent CxAudit from failing when very large numbers of projects (> 100,000) are loaded. |
| | Fixed an issue in Access Control where users who were able to remove the SAST Auditor role from other users were unable to reassign the role to any other users. |
| | Updated the JavaScript library oidc-client to version 1.11.6 to fix a vulnerability. |
| | Corrected the documentation and error messages to indicate that Access Control user names can contain letters, digits, and the underscore (_), hyphen (-), period (.), plus (+) and at sign (@) characters. |
| | Lower case characters can now be included when changing or resetting Access Control passwords on the Profile page. |
| | Fixed an issue that caused the M&O (Management and Orchestration) Analytics page to display incorrect results, where some projects that should be marked as high risk were marked as low risk projects. |
| Category | Resolved Issues |
|---|---|
| HF24 | ActiveMQ has been upgraded to 5.16.4. During the installation of the Hotfix, the ActiveMQ\conf\activemq.xml file is replaced with the new file and the original file is backed up. If you implemented a configuration for ActiveMQ different from the default configuration, you may need to implement it again in the new activemq.xml file. |
| | The following libraries have been replaced: |
| Category | Resolved Issues |
|---|---|
| HF23 | Improved the Incremental scan merge mechanism to avoid, in some edge cases, classifying similar results as two separate results. |
| | Fixed an issue that caused false negative (FN) results in incremental scans. This occurred where there were two files with the same name, but in different directories, and only one of these files was modified. If the scan results were then checked in the Viewer, the results in the file that was not modified were marked as 'Fixed' instead of correctly being marked as 'Recurrent'. |
| | Fixed a failure in the Data Retention process, which occurred when the Engine Scan Logs Path was set to a shared folder. One symptom of the failure was that scans that were supposed to be deleted were not deleted. |
| | Fixed an issue on the Projects page that caused an error when displaying the Shared Location. |
| | Fixed an issue that caused incorrect error messages to be logged when the data retention option was applied to scans which had previously been deprecated. |
| | Fixed an issue that resulted in misleading response messages from API query requests, which occurred when the queries were missing descriptions. The specific API request: The misleading message: |
| | Square brackets are now supported for filtering projects by name. |
| | Improved stability for OSA scans, so that scans will not fail even when the database has reached its update limits with respect to "unresolved libraries". |
| | Fixed an issue that caused scans on existing projects to fail because of empty folders in CxSRC, which resulted from failures in the ZIP extract process. This issue only occurred in HA (High Availability) environments. |
| | Removed the Restricted Scan option from the OSA Settings. |
| | Fixed an issue in the SAST Web Portal that caused incorrect scan logs to be downloaded when no code changes were detected by the scan. |
| Category | Resolved Issues |
|---|---|
| HF22 | Fixed an issue in AngularJS framework support that was causing intersection errors that resulted in high memory usage. |
| | Fixed an issue in CSharp language support that was causing scans to end abruptly in the middle of the flow. |
| | Fixed an issue in Ruby language support that was causing errors when creating and executing bash scripts. |
| | Fixed parsing exceptions in TypeScript language support for the following operations: |
| Category | Resolved Issues |
|---|---|
| HF21 | Fixed an issue that caused results with comments containing the “+” character to be excluded from the CSV reports. |
| | The Scan ID is now displayed on the Scans List and Scan Summary pages in the CxSAST Web Portal user interface. |
| | Fixed a bug which caused the report creation to fail when the Path column, in the Projects table, contained more than one XML node for a subfolder. |
| | Fixed the performance of the REST API endpoint GET /projects. |
| | Angular was updated to 1.8.2. |
| | jQuery was updated from 3.4.1 to 3.6.0. |
| | jQuery UI was updated from 1.12.1/1.12.4 to version 1.13. |
| Category | Resolved Issues |
|---|---|
| HF20 | Fixed all known Log4j vulnerabilities for Management and Orchestration (M&O) by updating Log4j to version 2.17.1. |
| | Fixed an issue in Access Control (AC) that caused a network error when upgrading SAST 9.3 GA with Hotfix (HF) 19 to SAST 9.4. |
| | Fixed an issue that caused inconsistent behavior with the Download System Logs management in HA (high availability) environments. The issue occurred when using non-default log locations. Note: The CentralizedLogsPath key in the database must be updated to maintain the logs in a centralized place for HA environments. For instructions on how to perform the update, see Centralized Logs in HA Environment. |
| | For security fixes, refer to the Checkmarx Security Updates article for additional information. |
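After the Log4j update in HF20 (and the removal of old Log4j files noted under HF27), a practitioner will want to confirm that no stale log4j-core jar is still lying under the installation tree. The script below is an added example, not Checkmarx code. It assumes Maven-style jar names that carry the version (a renamed jar would need its MANIFEST checked instead); the directory layout and file names it scans are constructed in a temporary folder purely for the demonstration.

```python
"""Find Log4j jars below a minimum version under an installation tree.

Added example, not Checkmarx code. Assumes Maven-style names such as
log4j-core-2.17.1.jar; the sample tree below is constructed for the demo.
"""
import os
import re
import tempfile

# Minimum version HF20 states M&O was updated to.
MIN_VERSION = (2, 17, 1)

# Log4j 2.x artifacts: log4j-core, log4j-api, log4j-1.2-api, log4j-web.
JAR_RE = re.compile(
    r"^(log4j-(?:core|api|1\.2-api|web))-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE
)
# Log4j 1.x artifacts use a different naming scheme (log4j-1.2.17.jar).
LEGACY_RE = re.compile(r"^log4j-(1\.\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tuples compare element-wise, so (2, 17) < (2, 17, 1)."""
    return tuple(int(part) for part in text.split("."))


def find_stale_log4j(root, minimum=MIN_VERSION):
    """Walk `root` and return sorted (path, version) pairs for every Log4j jar
    below `minimum`. Log4j 1.x jars are always reported: the 1.x line is
    end-of-life and has its own CVEs, so no 1.x version is acceptable."""
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                if parse_version(match.group(2)) < minimum:
                    stale.append((os.path.join(dirpath, name), match.group(2)))
                continue
            match = LEGACY_RE.match(name)
            if match:
                stale.append((os.path.join(dirpath, name), match.group(1)))
    return sorted(stale)


def build_sample_tree():
    """Constructed tree standing in for a partially upgraded install:
    one webapp on 2.17.1, one left on 2.14.1, one legacy 1.x jar."""
    root = tempfile.mkdtemp(prefix="cx-log4j-")
    layout = {
        "Tomcat/webapps/cxarm/WEB-INF/lib": ["log4j-core-2.17.1.jar", "log4j-api-2.17.1.jar"],
        "Tomcat/webapps/old/WEB-INF/lib": ["log4j-core-2.14.1.jar"],
        "Legacy/lib": ["log4j-1.2.17.jar", "commons-io-2.11.0.jar"],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "wb").close()  # empty placeholder jar
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, version in find_stale_log4j(sample_root):
        print(f"STALE {version}: {path}")
```

Point `find_stale_log4j` at the real installation root instead of the constructed tree; a hit for a version below 2.17.1 means the upgrade left a vulnerable artifact on disk even if the running application loads the newer one.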
| Category | Resolved Issues |
|---|---|
| HF19 | Fixed an error which caused a REST API GET request for a non-existent projectName and teamId to return an HTTP 200 OK response with an empty body, instead of an HTTP 404 Not Found response. |
| | Fixed an error which caused REST API GET Projects requests to be case sensitive, causing API requests to fail. These requests are now case insensitive. |
| | Fixed a number of issues in Access Control that were related to User Creation. |
| | Fixed the Result Viewer page so that all instances of a selected word are highlighted in the code. |
| | The items in the displayed Projects State page can now be sorted independently of the entire list of Projects State items. |
| | Fixed the “Group By” option in the Results Viewer so that it works for all columns. |
| | Fixed an error in the result service log while calculating the Best Fix Location. |
| | Fixed an issue that caused SOAP API GetProjectsDisplayData requests to fail when users were not assigned to a team. |
| | Fixed an issue in a particular incremental scan which caused a failure in the Results Service (indicated by a ResultsSavingStatus error in the log), preventing the completion of the scan. |
| | The Tomcat version has been upgraded to Apache Tomcat version 8.5.72. |
| | Fixed a bug where, in an extreme edge case, it was possible using Swagger to create duplicate teams with the same full name and path. |
| | Fixed an issue that occurred in the Excel file created when exporting the list of users from Access Control. The file only contained the Team and Role IDs, but not the user names. |
| Category | Resolved Issues |
|---|---|
| HF18 | Fixed an issue that caused the scanning to fail and the client-log.log to record the following error message: "System.ArgumentException: An item with the same key has already been added." |
| | Fixed an issue so that the Docker image can now be deployed on Linux without root privileges. |
| | Added an option for changing the time zone in the Docker image on Linux. |
| | The default AWS Docker ulimits value has been increased to allow the CxSAST engine to work properly. |
| | Fixed an issue that caused the scanning to fail when using an AbsInt component. |
| | The nullish coalescing operator (??) is now supported when scanning JavaScript. |
| Category | Resolved Issues |
|---|---|
| HF17 | The XML report has been enhanced with additional information regarding the ‘Queries Details’ and ‘Source Code’. Queries Details now contains: |
| | Source Code now contains: |
| | For these new features, configuration keys were added to the CxComponentConfiguration table in the CxSAST database. |
| Category | Resolved Issues |
|---|---|
| HF16 | Fixed an issue which prevented the name of the plugin that triggered the scan from being displayed in the ORIGIN column on the Scans page. |
| | Fixed an error which prevented the results of full and incremental scans from merging together. |
| | Fixed an issue which prevented downloading logs from the WebPortal where the location of the logs was changed from the default log location. |
| | Fixed an issue which prevented the code contained in files with long path names from being displayed in the Results Viewer. |
| | Fixed an issue where team-level query overrides were sometimes saved under incorrect teams. |
| | Fixed an issue on the Projects page of the WebPortal which prevented items from being displayed in the "Shared Libraries" textbox in the OSA (Open Source Analysis) tab. |
| | Fixed an issue which prevented the Post Scan Action from creating reports when the system was configured for LDAP environments. |
| | Improved the Incremental scan flows mechanism so that the various possible incremental scan results are more consistent with the full scan results. |
| | Fixed an issue which sporadically caused empty scan reports to be generated. |
| | Fixed an issue which occurred when scanning zip files containing more than 65535 files. |
| | Improved the stability of the incremental scan process where several incremental scans are triggered in parallel. |
| | For security fixes, refer to the Checkmarx Security Updates article for additional information. |
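The 65535-file figure in the HF16 entry above is not arbitrary: the classic ZIP end-of-central-directory (EOCD) record stores the entry count in a 16-bit field, so an archive with more members must also carry a ZIP64 EOCD record, and a reader that trusts only the classic field sees 0xFFFF and miscounts. The Python below, an added example rather than Checkmarx code, builds an in-memory archive that crosses the limit and reads the count from both records; the archive and its member names are constructed for the demonstration.

```python
"""Show why a ZIP with more than 65535 entries needs ZIP64.

Added example, not Checkmarx code. The archive is constructed in memory.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"        # classic end-of-central-directory record
ZIP64_EOCD_SIG = b"PK\x06\x06"  # ZIP64 end-of-central-directory record


def build_archive(n_entries):
    """Return the bytes of an archive holding n_entries empty members.
    zipfile emits the ZIP64 EOCD record automatically once the count
    exceeds 65535 (allowZip64 is on by default; set explicitly here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED, allowZip64=True) as zf:
        for i in range(n_entries):
            zf.writestr(f"src/f{i}.txt", b"")
    return buf.getvalue()


def classic_entry_count(data):
    """Entry count as a naive reader sees it: the 16-bit field in the classic EOCD.
    Layout after the signature: disk(2) cd_disk(2) entries_this_disk(2)
    entries_total(2) cd_size(4) cd_offset(4) comment_len(2)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no EOCD record found")
    _disk, _cd_disk, _this_disk, total = struct.unpack_from("<HHHH", data, pos + 4)
    return total


def zip64_entry_count(data):
    """Entry count from the ZIP64 EOCD record, or None when the archive has none.
    Layout after the signature: record_size(8) ver_made(2) ver_needed(2)
    disk(4) cd_disk(4) entries_this_disk(8) entries_total(8) cd_size(8) cd_offset(8)."""
    pos = data.rfind(ZIP64_EOCD_SIG)
    if pos < 0:
        return None
    fields = struct.unpack_from("<QHHIIQQ", data, pos + 4)
    return fields[6]


def real_entry_count(data):
    """What a ZIP64-aware reader (here Python's zipfile) actually finds."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return len(zf.namelist())


if __name__ == "__main__":
    for n in (3, 65536):
        blob = build_archive(n)
        print(
            f"{n} members: classic field={classic_entry_count(blob)}, "
            f"zip64 field={zip64_entry_count(blob)}, reader sees={real_entry_count(blob)}"
        )
```

The 65536-member archive reports 65535 in the classic field (0xFFFF, the spec's "use the ZIP64 record" marker) while the ZIP64 record and a capable reader both report 65536; a scanner that stops at the classic field silently drops the last file, which is the kind of defect the HF16 entry describes.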
| Category | Resolved Issues |
|---|---|
| HF15 | Fixed an issue that occurred when scanning C# files involving the GetHoldByText method call, which prevented the scan flow and definition from being located and displayed. |
| | Fixed an issue which resulted in the loss of the entire scan because of a single file timeout. |
| | Fixed an issue that occurred when scanning JavaScript files, which caused the parsing process to time out, leading to the loss of many scan results. |
| | Fixed an exception in the logs caused by a System.FormatException in the AST2DOM stage. |
| | Improved the scan flow to support additional use cases. |
| Category | Resolved Issues |
|---|---|
| HF14 | Users moving to cloud-hosted environments, without direct access to the CxSAST database, can now obtain information about project branching and deletion using CxSAST REST API calls. The following additions are related to project branches: |
| | The following additions are related to deleted projects: |
| | Fixed an issue in the LDAP Settings section of Access Control that prevented users from scrolling through the "Cx Role - LDAP Group DN" mapping entries list in the Advanced Role Mapping window. |
| | To enable users to add single LDAP role mappings to existing sets of LDAP role mappings, a PATCH method was added to the LDAPRoleMappings Access Control REST API. |
| | Fixed a comma-separated string issue that affected the Okta SAML (Security Assertion Markup Language) integration with Access Control. The issue prevented the IdP (Identity Provider) Authorization and Team Attribute Mapping feature from assigning users to multiple teams. It is now possible to specify multiple team names, separated by commas, so that new users are automatically associated with multiple teams. |
| Category | Resolved Issues |
|---|---|
| HF13 | Fixed an issue that occurred when parsing PHP language code. Text with HTML tags containing single quote marks prevented the retrieval of the DOM (Document Object Model), which in turn caused the scan to fail. |
| | Fixed an issue that caused some characters typed by users into the scan comments to be replaced by HTML-encoded characters. In some cases, the HTML characters caused the Results Viewer page to lock. |
| | Fixed an issue in Access Control limiting the User Manager to only being able to grant new users the User Manager role. The User Manager can now grant new users one or more of the CxSAST roles that exist in the system, except for the Admin and Access Control Manager roles. |
| | Fixed an issue in the Results Viewer which prevented the total number of active results from being immediately updated after some results were marked as "Not Exploitable". |
| | Fixed an issue that caused a discrepancy between the CxEngine logs and the user interface (UI) status. The logs indicated that the scanning was completed, but the UI status indicated that the scanning was still in progress. As a result, the CxManager aborted the scan and the scan results were not saved. |
| | Fixed an issue that caused the CxEngine service to respond abnormally slowly to system status API requests. |
| | Scan results can be marked to indicate one of the following result states: “To Verify”, “Not Exploitable”, “Confirmed”, “Urgent” or “Proposed Not Exploitable”. In addition, custom result states can also be defined by the user. Previously, users only required permissions for marking results as "Not Exploitable". Now a dedicated permission is required for each result state, including the user-defined states. For more information, see the updated Results Summary section in Navigating Scan Results (v9.3.0 and up), and the updated descriptions for the Results Updater and Results Verifier roles in CxSAST / CxOSA Roles and Permissions (v9.0.0 and up). For details regarding how to create custom result states, see Adding Custom Result States. Limitations: |
| Category | Resolved Issues |
|---|---|
| HF12 | Improved the ‘Find_Inputs’ query to better handle security checks. |
| | Fixed a bug which caused the scan engine to count the lines of code of text files. |
| | Fixed a bug which in some cases caused scans using the multi-language mode to fail. |
| | Fixed false negative SQL_injection results that occurred when scanning code from the MyBatis Java framework. |
| | Fixed a bug which in some cases caused CxAudit to crash while parsing Kotlin code. |
| | Fixed a bug which caused results with single nodes to be ignored. |
| | Improved the ‘APPLICATION_SECURITY’ query to better handle security checks. |
| | Fixed false positive DOM XSS results that occurred when scanning code from the Angular web application framework. |
| | Improved the recovery of scans in cases where the scan manager service crashes. |
| | Fixed a bug which caused scans to abort because of security check failures, even though the queries for the security check were not part of the actual scans. |
| | The query security configuration is now updated during installation and upgrading. |
| | Added support for the global memory watchdog on Linux operating systems. |
| | For security fixes, refer to the Checkmarx Security Updates article for additional information. |
| Category | Resolved Issues |
|---|---|
| HF11 | Fixed the displayed scan result state in OData to be aligned with the Web Portal UI. |
| | Triggering a new scan from the plugins no longer requires the “create project” or “edit project” permissions. |
| | Improved Engine stability when dealing with large scans. |
| | Improved the handling of multiple client connections. |
| | Improved the queue mechanism that caused some scans to get stuck at 99% completion. |
| | Fixed an issue where CxARM failed to connect to the DB after hotfix installation. |
| Category | Resolved Issues |
|---|---|
| HF10 | Fixed an issue that occurred when connecting SAST to the Azure DevOps repository using a PAT (Personal Access Token). |
| | Fixed an issue where some URLs were overwritten during upgrades. |
| | Fixed a problem related to the scan request. |
| | Fixed the post scan action used with LDAP environments. |
| | Improved data synchronization in High Availability (HA) mode. |
| | An error message is now logged when an Incremental Scan fails due to a missing or invalid MethodMapping.zip file in the source file. |
| | Fixed an error which caused some scans to fail. |
| | Tomcat was replaced with Apache Tomcat version 8.5.64. |
| | Made improvements in the Java (MyBatis framework) parser. |
| | Fixed an error that caused some engines to get stuck in the idle state while scans were waiting in the queue. |
| | Fixed an error message for the post scan action where scanning is performed via a Git repository. |
| | Improved engine performance in the parsing stage. |
| | Improved manager synchronization in High Availability (HA) mode. |
| | Note: After the hotfix installation, CxARM might fail to connect to the DB. To resolve this, copy the contents of the db.backup.properties file to the db.properties file and restart CxARM. |
| Category | Resolved Issues |
|---|---|
| HF9 | Some fixes in this Hotfix require CP16 (9.3). For more information, see Content Pack Version - CP.9.3.0.16034 (CSharp, VBNet). |
| | Improved C# queries by fixing flows that did not go through a method declaration. |
| | Several improvements in C# queries for better result accuracy. |
| | Several improvements in Angular queries for better result accuracy. |
| | Added a definition to the ESC function in Java. |
| | An error message is now logged when an Incremental Scan fails due to a missing or invalid MethodMapping.zip file in the source file. |
| Category | Resolved Issues |
|---|---|
| HF8 | Improvements in JavaScript parsing support. |
| | Improvements in TypeScript parsing support. |
| | Improvements in APEX to support includeScript. |
| | Improvements in APEX when importing components. |
| | Fixed an error in CxAudit that prevented different users from overriding the same query on a project level. |
| | Improvements in C++ support for macros and makefiles. |
| | Fixed an error in the Linux engine that occurred when obtaining free space during a scan. |
| Category | Resolved Issues |
|---|---|
| HF7 | Fixed the Japanese translation for the "Not Exploitable" and "Propose not exploitable" result states. |
| | Customers that use SCA can now enable an SCA widget to replace the content of the existing OSA widget, so that CxSCA scan results can be displayed in the summary page of CxSAST. For more information, see Displaying CxSCA Scan Results in CxSAST. |
| Category | Resolved Issues |
|---|---|
| HF6 | M&O: Fixed a misalignment between the number of projects displayed in the header and the actual number of violated projects on the page. |
| | Fixed an issue that caused the Git connection to fail when the password contained special characters. |
| | Fixed an issue that caused scan failure when Git projects were configured via the API and the UserName contained a '+' (plus sign) character. |
| | Changed settings to allow viewing the number of private scans for projects according to the Teams hierarchy. |
| | Fixed the displayed scan result state when similar scanned projects are deleted. |
| | Changed settings to allow triggering scans for private projects according to the Teams hierarchy. |
| | Changed settings to allow the Admin and regular users to view and scan private projects according to the Teams hierarchy. Limitation: When an Admin is a member of a Team, the Admin user cannot view and scan the private projects of other members of that Team. However, the Admin can view and scan the private projects of members of the child teams of that Team. |
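The two Git fixes in HF6 above (passwords with special characters, user names containing '+') are the same underlying mistake seen from both sides: credentials interpolated into an HTTPS remote URL without percent-encoding, so the URL parser splits the authority at the wrong '@' or ':'. The Python below is an added example, not Checkmarx code. The host, repository path and credentials are constructed for the demonstration; it puts the correctly encoded URL beside the naive one, round-trips the credentials, and includes a redaction helper so the URL can be logged without the secret.

```python
"""Build and parse a Git HTTPS remote URL whose credentials contain
reserved characters. Added example, not Checkmarx code; all values are
constructed for the demonstration."""
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def build_remote_url(base_url, username, password):
    """Insert userinfo into base_url, percent-encoding each component on its own.
    safe='' encodes everything outside the unreserved set, so '+', '@', ':'
    and '/' in a user name or password can no longer be mistaken for delimiters."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("only https remotes are handled here")
    if parts.username is not None:
        raise ValueError("base_url already carries credentials")
    userinfo = f"{quote(username, safe='')}:{quote(password, safe='')}"
    netloc = f"{userinfo}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def extract_credentials(url):
    """Parse a remote URL and decode its userinfo: (username, password, host, path)."""
    parts = urlsplit(url)
    return (
        unquote(parts.username or ""),
        unquote(parts.password or ""),
        parts.hostname,
        parts.path,
    )


def naive_url(base_url, username, password):
    """The broken way, shown for contrast: raw string interpolation.
    A password such as 'p@ss:w/rd' makes the parser treat 'ss' as the host."""
    return base_url.replace("https://", f"https://{username}:{password}@", 1)


def redact(url):
    """Replace the password with '***' so the URL is safe to write to a log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed values: a CI user whose name carries '+' and a password with '@', ':' and '/'.
    base, user, secret = "https://git.example.com/org/repo.git", "jane+ci", "p@ss:w/rd"
    good = build_remote_url(base, user, secret)
    bad = naive_url(base, user, secret)
    print("encoded :", redact(good), "->", extract_credentials(good))
    print("naive   :", bad, "->", extract_credentials(bad))
```

The naive form parses with `ss` as the host and `/rd@git.example.com/org/repo.git` as the path, which is exactly a failed Git connection; the encoded form round-trips to the original user name, password, host and path. Prefer a credential helper or a token over embedding credentials in the remote URL at all, and when a URL with userinfo must be logged, pass it through `redact` first.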
| Category | Resolved Issues |
|---|---|
| HF5 | Fixed cases where the Results Service failed to start due to a problematic configuration of the Checkmarx path in the registry. |
| | Fixed issues that prevented closing the Scan Summary page. |
| | Corrected the name displayed for the scan schedule Initiator. |
| | Improved performance of the Scan Manager stop/start actions. |
| | Fixed an issue that prevented data retention from working when there were failed scans in the selected date range. |
| | Fixed an issue that prevented the engine scan folder from being deleted. |
| | Fixed cases where the Results Service failed to start due to a missing SQL configuration in the hosts file. |
| | Fixed an issue that caused the OSA Viewer to fail when M&O is not installed. |
| | Improved the Scanned Languages description on the Scan Summary page when the scan returns zero findings. |
| Category | Resolved Issues |
|---|---|
| HF4 | Several improvements in Perl parsing support. |
| | Improvements in AngularJS for preventing infinite loops during scanning. |
| | Improvements in Ruby for preventing exceptions when line breaks are applied to object element definitions. |
| | Implemented improvements in the Query Security mechanism. |
| | Improved Apex language recognition in multi-language mode. |
| | Updated CxPortal to comply with PCI DSS version 3.2.1. |
| Category | Resolved Issues |
|---|---|
| HF3 | The following frameworks are now supported: |
| | Updated support for the following frameworks (both created by Salesforce): |
| | Additional fixes introduced in this HF: |
| | Engine improvements to prevent unfinished scans when scanning Java projects with several XML files. |
| | Improvements in log information, such as indicating in the scan log when large files that exceed the maximum limit are excluded from the scan. |
| | Improvements in VUE.JS parsing support. |
| | Implemented several COBOL improvements and support for MicroFocus extensions. |
| | Several improvements have been made for Swift parsing. |
| | Missing Japanese query descriptions have been added. |
| | Improvements in the query hierarchy mechanism according to the teams. |
| | Memory management improvements in JavaScript. |
| | Improvements to incremental scans using ActiveMQ prevent unfinished scans. |
| | Implemented several improvements in the Query Security mechanism. |
| | Improvements in the installer to fix installation directory locations when SAST is installed on a non-default drive. |
| | Added support in ASP and PHP for files with the .inc extension. |
| | JavaScript scripts can now be recognized in .ASP files. |
| | Improvements in C++, allowing the scans to complete successfully. |
| | XML mapping improvements in MyBatis. |
| | Improvements in type casting handling in VB6. |
| | Improvements in JavaScript for Regex/ReDoS parsing. |
| | Engine improvements for preventing unfinished scans when matching regular expression patterns. |
| | Added a new capability in CxAudit for easily extracting the source code related to a query. To enable it, refer to the CxAudit Guide. |
| | Improvements in log files to display the names of the queries that failed the security check. |
| Category | Resolved Issues |
|---|---|
| HF2 | Note: HF2 is the first Hotfix for Version 9.3.0. |
| | Fixed an issue that broke the link to the GIT integration if the word 'git' was part of the URL. |
| | Fixed a misalignment in scan status in cases where the scan status still indicated “scanning” after the scan had already completed. |
| | Fixed cases of misalignment between Access Control and CxSAST caused by a multi-level hierarchy in the Teams tree. |
| | Improved the response time for opening a Projects page containing a large number of projects. |
| | Fixed situations in which an Engine scan did not complete successfully but was reflected as “Finished” in the Portal. |
| | Performance improvements for loading large repositories in the CxSAST Portal. |
| | The CxSAST Portal now displays Git branches in all languages. |
| | Added the ability to duplicate a user from the UI. |
| | The Access Control login page now supports logo and background customizations. For details about how to customize the login page, see Customizing the Access Control Web Interface (v2.1 and up). |
| | You can now configure the Global Admin role to exclude the CxAudit permission. For more information, see Access Control Configuration Guide. |
| | The User Manager role is now able to grant roles that it does not have itself. For more information, see Access Control Configuration Guide. |
| | Improved the error message when a SAML user is unable to log in due to lack of permissions. |
| | The Access Control API for GET Teams (GET /Teams) now returns a new "CreationDate" attribute for each team. |
| | Fixed an issue where passwords entered manually in the connection strings (in the DbConnectionString.config file) were not encrypted. |
| | For security fixes, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information. |