Skip to main content

9.5.0 Hotfixes

Installation Notes

Notice

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.

  • The relevant hotfix must be installed on the CxManager server(s). The hotfix must also be installed on the Web Portal server in a distributed environment.

  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes

Category

Resolved Issues

HF16 February 2024

Resolved a CPU overload issue caused by HF15 in environments without M&O.

HF15 January 2024

CxSAST publishing results into the Policy Management queue despite M&O not being installed.

Resolved an issue where the Open Viewer button doesn't work on a Linux or Windows machine with Chrome.

Completely removed C++ 2010 and 2015 dependencies.

Fixed an issue where an incremental scan showed sources of wrong baselines.

Fixed an issue where the UI shows a partial list of branches in case one of the GitHub branches contains @ in the name.

Category

Resolved Issues

HF14 December 2023

The compareResultsTo API has been updated and includes the SimilarityID key.

Various security fixes.

Category

Resolved Issues

HF13 November 2023

ActiveMQ version was replaced with version 5.17.6

Tomcat version for M&O was replaced with version 8.5.95

Category

Resolved Issues

HF12

Fixed an issue to prevent null values when configuring JIRA custom fields in the project settings.

Fixed a bug where moving projects from one team to another while filters were applied overwrote an existing project name.

Fixed an issue where GIT scans failed when the default value of the SourcePullingTemporaryPath was changed.

Fixed a UI bug where the severity icon was not centered in the project state dashboard.

Added a new checkbox in the UI to enable or disable the support for wildcard * in LDAP management. The default behavior will remain as is for customers without wildcard support.

Changed the color of the Auth Plain authentication method button to be more visible.

Added missing translations in Access Control pages. Languages added: Chinese, Portuguese, Korean, Japanese, French, and Spanish.

Added the ability to block LDAP user access to the SAST UI.

Fixed the logout URL configured in SAML, which redirected to a broken page.

Category

Resolved Issues

HF11

Updated Tomcat version for AMQ to 9.0.75.

Resolved an issue in JIRA configuration related to IssueTypes for projects, allowing users to succeed on projects they have permissions for.

Added a flag to maintain the existing behavior: AllowFailureOfGetJIRAProjectIssueTypesMetadata (default: false).

Upgraded Commons-Configuration2-2.7.jar to Commons-Configuration-2.8.0.jar.

Upgraded Springframework:spring-webmvc 5.3.23 to version 5.3.26.

Improved performance of scan metrics values and source pulling information in ActiveMQ responses.

Resolved an error in the widget on the Project State page, displaying project information correctly now.

Improved the message, explaining username creation rules when creating a message, with full information (letters, digits, underscore(_), hyphen(-), period(.), plus(+), and at sign(@) ).

Updated the role description for the old Manage Users role to manage users and teams.

Added 2nd last login + IP information for additional user security.

Introduced a new dedicated role for creating teams without user creation permission.

Added hostname information in Audit Trail for SAST module requests to log in to HA environments, enabling users with an HA environment to identify the Manager making the request.

Fixed missing Spanish translation strings on the Access Control page.

Addressed a translation issue, displaying an error message in English for users with a Chinese (Simplified or traditional) UI trying to create a user with an invalid name.

Corrected the description of the Team Manager’s permission in the database.

Category

Resolved Issues

HF10

The calculation of lines of code (LOC) has been modified to consider files and folders excluded from a project.

Resolved an issue where scans were not triggered in certain cases when using a GitHub Webhook.

Resolved a bug that caused an error message stating "Project name already exists" to appear when attempting to create a project with the same name as a previously deleted project.

The administrator can now configure the default login method in the Access Control settings, which can be either Credentials/LDAP or SSO/MAC. Additionally, the administrator can choose to hide the credentials fields.

Login and Login Settings pages now include translations.

Resolved an issue with the "Default LDAP server" selection due to a conflict between the default LDAP server and SSO configurations, causing it not to be selected correctly.

Fixed a bug where an incremental scan would erroneously include "Find" results from its flow that were part of deleted files.

The "Teams" column and the "Teams tree" on the Access Control pages have been fixed and can now be resized.

For security fixes, click this link for additional information.

Category

Resolved Issues

HF9

Fixed a bug related to memory reservation when scanning large source code; a scan would sometimes reach a 15-minute timeout and abort, causing it to remain stuck in the queue while the next scan proceeded. The solution is to now fail the scan with an option to increase the timeout through configuration settings.

Fixed a bug causing scans in the queue page to fail instead of waiting in the "Queued" state. This occurred when the maximum number of concurrent scans specified in the general settings did not equal the maximum number of scans allowed for the engine.

Fixed the configuration "INCREMENTAL_SCAN_MERGE_NOT_EXPLOITABLE_RESULTS." This configuration enables NE (not exploitable) results to be merged in an incremental scan.

Fixed a memory leak in Jobs Manager that caused scans to get stuck in the queue.

Resolved an issue where the Results Viewer page displayed an incorrect vulnerability status.

Fixed a bug that allowed multiple projects with the same name to be created when using PowerShell scripts to create the projects.

Added configuration options for the 15-minute memory reservation timeout value.

Added the ability to set the LDAP server as a default sign-in method.

The API authentication now only requires user validation (valid credentials) instead of a previously required permissions set.

For security fixes, click this link for additional information.

Tomcat updated to version 2.88.

Category

Resolved Issues

HF8

Fixed an issue that caused the old AMQ jar file to be maintained after a hotfix installation.

Fixed an issue that caused the scan to retrieve an incorrect line of code (LOC) and use incorrect sources.

Fixed a REST API call for scheduling that returned a message code ‘500’ instead of ‘200’.

Fixed stuck scans caused by redundant files created in the CxSrc folder during an incremental scan.

Added the engine pack version to the response of the REST API 'GET /system/version'.

2 APIs related to comparing scans have been converted from SOAP to REST:  

  • [GET] /sast/scans/{oldScanId}/compareResultsTo/{newScanId}  

  • [GET] /sast/scans/{oldScanId}/compareSummaryTo/{newScanId}

Resolved an issue that caused the connection with the Jira Server to fail when creating a new project.

Updated the SAST API and removed the usage of a deprecated Jira method.

Fixed an issue in the UI when adding the Jira Server in the issue tracking settings.

The following libraries have been updated: Newtonsoft.Json to version 13.0.2 and jQuery to version 3.6.2

Fixed an error message returned with all of the JIRA REST API calls when a JIRA cloud was defined instead of a JIRA server.

A new schema has been added to the database to allow non “db_owner” users to use it. By customers' request, they can now grant access to the Cx tables while limiting access to other parts of the database.

Tomcat version was updated to 8.5.85

A new permission has been added that blocks users from accessing the user interface while maintaining access to the APIs. This allows technical users, like those using Jenkins in a CI pipeline, to trigger a scan without being able to access the WebPortal.

Added some missing Russian-translated text in the access control pages.

Fixed the date format in the Users table while the browser’s Language is set to English (Australia).

Now, for example, it will display the date 28/10/2021 instead of 10/28/2021

Category

Resolved Issues

HF7

Fixed an issue with the GET /projects/branch/{id} endpoint from SAST REST API v4, which occurred when the BranchProjectId did not exist.

Fixed an issue where the project branching process validation failed.

Fixed an issue that caused performance degradation in the "Source Pulling & Deployment" stage.

Fixed an issue with the Result Service log that caused an overflow error when the SQL TaskScan table was updated with an out-of-range DateTime value.

Fixed an issue in the View Project Scans page, enabling seconds to be correctly displayed in the SCAN DATE and SCAN COMPLETE columns.

Fixed an issue that prevented the Services Availability from functioning when the SAST Web Portal was secured with SSL (HTTPS).

The license expiration date for the Services Availability can now be validated.

The GetResultPath and GetFileNamesForPath SOAP methods were converted from the SAST Web Portal to the SAST SDK (software development kit).

Access Control is enhanced with a new "Back to SAST" button directly opening the SAST Web Portal.

Fixed an issue in Access Control that prevented usernames from appearing in the logs for the logging-in and signing-out events.

Category

Resolved Issues

HF6

In this Hotfix, the wrapper.conf file from ActiveMQ was replaced. If there were customizations in the old wrapper.conf files must be retrieved from the backup folder and added to the new wrapper.conf file.

Fixed an issue that prevented new teams from being created when the team name length was between 100 and 128 characters. No error messages were displayed in the User Interface to warn the user.

Fixed an issue that prevented a custom description from being uploaded. This occurred when the User Interface was set to Spanish, and the user tried to upload a second time after the first upload was successful.

Improved performance in the Results Viewer page for loading large numbers of results. In some cases, the loading failed with a timeout error.

Fixed an issue that prevented a comparison between two public scans from displaying correctly. This occurred if the private scan results of the project were previously marked Not Exploitable.

Fixed an issue with the GetSourceCodeForScan API that occurred when retrieving files with long paths consisting of 260 or more characters, even when the Long Path option was enabled.

The following features were added to the Audit Trail API:

  • Reasons to help explain failed login attempts (such as invalid username, invalid password, and account inactive)

  • Logoff events, including forced logoffs due to session timeouts

  • Details regarding UserUpdated events to help explain changes to the Active User status

  • Details regarding UserUpdated events to indicate password resets

  • Hostname of Checkmarx components that are included in the Audit Trail record

Added several User Interface translations that were missing from the Access Control Password Complexity panel.

Resolved an issue with Access Control that prevented the Update button from updating the SMTP Settings.

The Apache Shiro library was upgraded to version 1.10.1.

Category

Resolved Issues

HF5

Improved the performance of the REST API: GET /sast/scans.

Resolved an issue in the SAST web portal that caused the result status to be incorrectly displayed in the generated CSV reports.

Added support for the Jira "Due date" field.

The performance of the Data Retention procedure has been improved and an additional transaction was added to maintain data integrity when deleting data.

For the Data Retention, a configurable value has been added to the stored procedure to control the timeout length, instead of the fixed 120 seconds.

The following actions were added to the Audit Trail API:

  • Update in Results Status/Severity/Assignee/Add Comment

  • Create/Update/Delete/Import/Export the Preset

  • Create/Update/Delete the Role

  • Create/Update/Delete the Team

The Tomcat version has been upgraded to Apache Tomcat 8.5.83.

Updated Apache Commons Text library.

Fixed an issue in Access Control that caused a SAST Active Directory user with Polish characters to be assigned to a default Team and Role instead of being synchronized with the LDAP.

Category

Resolved Issues

HF4

Fixed an issue in the SAST Web Portal interface that caused the breadcrumbs to appear overlapping the main panel instead of in a separate panel.

Fixed an issue that caused the SAST Web Portal to fail with an error on the All Scans page after filtering by either Scan Date or Scan Completed. This occurred when the Locale was set to French in Access Control.

Fixed an issue that prevented loading the CxWebClient logs in PortalAll.log after configuring SAST for Prometheus.

Fixed an issue that caused the Project and Project State pages to be incorrectly displayed, being filtered according to the latest scan dates instead of according to the scan IDs.

Fixed an issue in the REST API GET sast/results/{id}/comments endpoint that caused an empty list to be returned when the author of the comment was not found.

Fixed an issue with PDF scan reports that prevented files from being included under the Scanned Files section of the reports. This occurred for files with long paths.

Fixed an issue in the Results Viewer that caused the Recurrent result state to be displayed incorrectly instead of the New result state. This occurred if the ScanID value of a branched project was larger than the ScanID value of the original project.

Fixed an issue that caused the Query Result tree in the report creation dialog to appear empty.

Fixed an issue in the Results Viewer that caused the Navigation tree to be missing from the Scan Results Severity pane. This occurred when the RESULT_ATTRIBUTES_PER_SIMILARITY key in the CxComponentConfiguration table was set to false.

The following special characters (/ \ , " ' ? <> [ ] { } | ~ : ;) have been added to the list of supported characters to be used in passwords when a user is being created or modified.

Fixed an issue with the POST Teams API that occurred when using the Access Control Swagger, which caused a NULL (instead of the Team ID) to be returned in the response body.

The default value for the Dynamic Password Expiration Date was changed to 0 (days), so that the password never expires. This is beneficial when using automated pipelines.

Resolved an issued so that multi-factor authentication (MFA) is no longer required for LDAP and SAML users.

Resolved an issue in the Access Control GET Teams/{id}/Users API that caused duplicated Role and Team IDs.

Resolved an issued that prevented updating the Job title for an SAML user in the Access Control profile.

Several enhancements have been added to Access Control, allowing the administrator more control of the new security mechanism.

The administrator can now perform the following:

  • enforce multi-factor authentication (MFA) on all users

  • define trusted browsers, eliminating the need to use a one-time password (OTP) for each login (requiring an explicit action only on the first login)

  • set the lockout period for users who have exceeded the threshold of failed login attempts

  • control whether or not the Forgot Password link is displayed

  • set the password expiration period, defining how often each user must update his own password

  • determine how many passwords are saved in the history, controlling the reuse of old passwords

  • exempt specific users from requiring MFA, supporting the automated users required in automated pipelines and CI.

For security fixes, click this link for additional information.

Category

Resolved Issues

HF3

Improved the Reflected_XSS_All_Clients query.

Resolved an issue that was causing an error when the Query Viewer page was uploading.

The Tomcat version has been upgraded to Apache Tomcat version 8.5.82.

Resolved an issue that was causing difference in the results when using the GetCompareScanResults and GetScanCompareSummary SOAP API endpoints.

Resolved an issue that was causing the audits of private projects to be displayed in public projects.

Resolved an issue that was causing the ResultsService to fail to recognize overridden queries when the SAST machines were not time-zone aligned.

Resolved an issue that prevented opening scans in the SAST Web Portal.

Resolved an issue that caused the total scan times to be calculated incorrectly when two scans were compared.

The SAST Web Portal now displays the complete Engine Pack (EP) version, installed including the revision number.

Removed the reference to the YUI v2.9.0 vulnerable library.

Implemented a workaround mechanism for displaying the vulnerability description page on a browser that does not fully support CxAudit.

Resolved an issue that prevented SAST from scanning all the files in a multi-language project.

Resolved an issue that was causing failures when the Management and Orchestration (M&O) pages were opened.

Note: Some issues in this Hotfix were resolved with changes in the EngineUtilsCLI.exe. Starting with Engine Pack 9.5.2, EngineUtilsCLI.exe was removed from the Engine Pack and added to the Hotfix, starting with this HF3.

If a customer installs HF3 these issues will be resolved. However, if the customer afterwards installs Engine Pack 9.5.1, the issues will not be fixed.

For security fixes, click this link for additional information.

Category

Resolved Issues

HF2

Fixed an issue in the REST API POST /{ProjectId}/sourceCode/remoteSettings/shared that prevented the API from working when a shared folder was set on the manager drive.

Fixed an issue which prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Fixed an issue that was causing log information loss.

Fixed the link on the Full Scan Results button, which incorrectly redirected to the Project State page.

Fixed an issue that prevented the selection of Pre and Post Scan actions.

Fixed the Japanese description of a Java High Risk Code Injection query.

Added the version number on the inventory libraries list in the HTML OSA report.

Fixed an issue in the Checkmarx SAST Portal that caused usernames containing special characters to be displayed incorrectly.

Fixed an issue that caused the SAST to SCA integration to fail when the project name contains the ampersand (&) character.

Fixed an issue that caused scans to fail when unzipping the projects from shared folders.

Fixed an issue that allowed unauthorized users access to the following Access Control APIs:

  • GET/AssignableUsers

  • GET/AuthenticationProviders

  • GET/Configurations

  • POST/Users/FirstAdmin

  • GET/LDAPTeamMappings

  • PUT/LDAPServers/{id}/TeamMappings

  • PATCH/LDAPServers/{id}/TeamMappings

  • DELETE/LDAPTeamMappings/{id}

  • POST/Users/ChangePassword

  • POST/Users/ForgotPassword

  • POST/Users/ResetPassword

Fixed an issue in the Access Control API that allowed the API to retrieve privileged information.

Fixed an issue that allowed XSS vulnerabilities in SCA Swagger pages.

The jQuery UI library was upgraded to v1.13.2.

For security fixes, click this link for additional information.

Category

Resolved Issues

HF1

Fixed an issue that caused the confidence level to be displayed in the Results Viewer screen incorrectly as 0%. This occurred when the scan was executed for a project that had no source code changes.

Fixed an issue, which occurred when the severity of the OOTB queries was changed, that caused the result states for recurrent results to be incorrectly displayed in the following UI dialogs:

  • Scan Compare\Summary table

  • Scan Compare\Results details

Fixed an issue that caused the report generation to fail.

Fixed a performance issue affecting the Results Viewer that was caused by a previous fix to prevent audits of private projects from being displayed in public projects. The current fix improves the performance, but reverts back to the previous behavior where the comments and results state history of private scans are visible from the public scans.

Improvements were made in the scanning mechanism to prevent displaying incorrect numbers of projects and scans in the Checkmarx Web Portal.

Fixed a performance issue caused in the Results Viewer page, by controlling the query timeout with the CxComponentConfiguration\SqlExecuteCommandTimeout configuration key.

Fixed a performance issue caused in the Results Viewer page, by providing an additional timeout adjustment for backend SOAP calls with the new web.config\CxPriorityWebServicesTimeout configuration key.

Fixed an issue that caused OSA scans to fail when the maximum number of client connections was exceeded.

The following have been added to Access Control:

  • A multifactor authentication (MFA) feature is now available for providing additional security for SAST and SCA application users. When this feature is enabled, a one time password (OTP) is provided during the login process.

  • An IP Authorization feature now enables an organization to restrict access to the SAST and SCA application portals using a predefined IP allowlist, which is stored in the database. All other IPs will be blocked.

Note

  • By default, these features are disabled. See Access Control.

  • Hosted customers can contact the Checkmarx CloudOps team to activate and define the features.