9.5.0 Hotfixes

Installation Notes


  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.

  • The relevant hotfix must be installed on the CxManager server(s). In a distributed environment, the hotfix must also be installed on the Web Portal server.

  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes


Resolved Issues


Fixed an issue that caused the old AMQ jar file to be maintained after a hotfix installation.

Fixed an issue that caused the scan to retrieve an incorrect line of code (LOC) and use incorrect sources.

Fixed a REST API call for scheduling that returned a message code ‘500’ instead of ‘200’.

Fixed stuck scans caused by redundant files created in the CxSrc folder during an incremental scan.

Added the engine pack version to the response of the REST API 'GET /system/version'.

Two APIs related to comparing scans have been converted from SOAP to REST:

  • [GET] /sast/scans/{oldScanId}/compareResultsTo/{newScanId}  

  • [GET] /sast/scans/{oldScanId}/compareSummaryTo/{newScanId}

Resolved an issue that caused the connection with the Jira Server to fail when creating a new project.

Updated the SAST API and removed the usage of a deprecated Jira method.

Fixed an issue in the UI when adding the Jira Server in the issue tracking settings.

The following libraries have been updated: Newtonsoft.Json to version 13.0.2 and jQuery to version 3.6.2.

Fixed an error message returned with all of the JIRA REST API calls when a JIRA cloud was defined instead of a JIRA server.

A new schema has been added to the database to allow users who are not "db_owner" to use it. At customers' request, customers can now grant access to the Cx tables while limiting access to other parts of the database.

The Tomcat version was updated to 8.5.85.

A new permission has been added that blocks users from accessing the user interface while maintaining their access to the APIs. This allows technical users, like those using Jenkins in a CI pipeline, to trigger a scan without being able to access the WebPortal.

Added some missing Russian-translated text in the access control pages.

Fixed the date format in the Users table when the browser's language is set to English (Australia).

For example, the date is now displayed as 28/10/2021 instead of 10/28/2021.


Resolved Issues


Fixed an issue with the GET /projects/branch/{id} endpoint from SAST REST API v4, which occurred when the BranchProjectId did not exist.

Fixed an issue where the project branching process validation failed.

Fixed an issue that caused performance degradation in the "Source Pulling & Deployment" stage.

Fixed an issue with the Result Service log that caused an overflow error when the SQL TaskScan table was updated with an out-of-range DateTime value.

Fixed an issue in the View Project Scans page, enabling seconds to be correctly displayed in the SCAN DATE and SCAN COMPLETE columns.

Fixed an issue that prevented the Services Availability from functioning when the SAST Web Portal was secured with SSL (HTTPS).

The license expiration date for the Services Availability can now be validated.

The GetResultPath and GetFileNamesForPath SOAP methods were converted from the SAST Web Portal to the SAST SDK (software development kit).

Access Control is enhanced with a new "Back to SAST" button that directly opens the SAST Web Portal.

Fixed an issue in Access Control that prevented usernames from appearing in the logs for the logging-in and signing-out events.


Resolved Issues


In this Hotfix, the wrapper.xml file from ActiveMQ was replaced. If there were customizations in the old wrapper.xml file, they need to be retrieved from the backup folder and added to the new wrapper.xml file.

Fixed an issue that prevented new teams from being created when the team name length was between 100 and 128 characters. No error messages were displayed in the User Interface to warn the user.

Fixed an issue that prevented a custom description from being uploaded. This occurred when the User Interface was set to Spanish and the user was trying to upload a second time, after the first upload was successful.

Improved performance in the Results Viewer page for loading large numbers of results. In some cases, the loading had failed with a timeout error.

Fixed an issue that prevented a comparison between two public scans from displaying correctly. This occurred if the private scan results of the project were previously marked Not Exploitable.

Fixed an issue with the GetSourceCodeForScan API that occurred when retrieving files with long paths, consisting of 260 or more characters, even when the Long Path option was enabled.

The following features were added to the Audit Trail API:

  • Reasons to help explain failed login attempts (such as invalid username, invalid password, and account inactive)

  • Logoff events, including forced logoffs due to session timeouts

  • Details regarding UserUpdated events to help explain changes to the Active User status

  • Details regarding UserUpdated events to indicate password resets

  • Hostname of Checkmarx components that are included in the Audit Trail record

Added several User Interface translations that were missing from the Access Control Password Complexity panel.

Resolved an issue with Access Control that prevented the Update button from updating the SMTP Settings.

The Apache Shiro library was upgraded to version 1.10.1.


Resolved Issues


Improved the performance of the REST API: GET /sast/scans.

Resolved an issue in the SAST web portal that caused the result status to be incorrectly displayed in the generated CSV reports.

Added support for the Jira "Due date" field.

The performance of the Data Retention procedure has been improved and an additional transaction was added to maintain data integrity when deleting data.

For Data Retention, a configurable value has been added to the stored procedure to control the timeout length, instead of the fixed 120 seconds.

The following actions were added to the Audit Trail API:

  • Update in Results Status/Severity/Assignee/Add Comment

  • Create/Update/Delete/Import/Export the Preset

  • Create/Update/Delete the Role

  • Create/Update/Delete the Team

The Tomcat version has been upgraded to Apache Tomcat 8.5.83.

Updated Apache Commons Text library.

Fixed an issue in Access Control that caused a SAST Active Directory user with Polish characters to be assigned to a default Team and Role instead of being synchronized with the LDAP.


Resolved Issues


Fixed an issue in the SAST Web Portal interface that caused the breadcrumbs to appear overlapping the main panel instead of in a separate panel.

Fixed an issue that caused the SAST Web Portal to fail with an error on the All Scans page after filtering by either Scan Date or Scan Completed. This occurred when the Locale was set to French in Access Control.

Fixed an issue that prevented loading the CxWebClient logs in PortalAll.log after configuring SAST for Prometheus.

Fixed an issue that caused the Project and Project State pages to be incorrectly displayed, being filtered according to the latest scan dates instead of according to the scan IDs.

Fixed an issue in the REST API GET sast/results/{id}/comments endpoint that caused an empty list to be returned when the author of the comment was not found.

Fixed an issue with PDF scan reports that prevented files from being included under the Scanned Files section of the reports. This occurred for files with long paths.

Fixed an issue in the Results Viewer that caused the Recurrent result state to be displayed incorrectly instead of the New result state. This occurred if the ScanID value of a branched project was larger than the ScanID value of the original project.

Fixed an issue that caused the Query Result tree in the report creation dialog to appear empty.

Fixed an issue in the Results Viewer that caused the Navigation tree to be missing from the Scan Results Severity pane. This occurred when the RESULT_ATTRIBUTES_PER_SIMILARITY key in the CxComponentConfiguration table was set to false.

The following special characters (/ \ , " ' ? <> [ ] { } | ~ : ;) have been added to the list of supported characters to be used in passwords when a user is being created or modified.

Fixed an issue with the POST Teams API that occurred when using the Access Control Swagger, which caused a NULL (instead of the Team ID) to be returned in the response body.

The default value for the Dynamic Password Expiration Date was changed to 0 (days), so that the password never expires. This is beneficial when using automated pipelines.

Resolved an issue so that multi-factor authentication (MFA) is no longer required for LDAP and SAML users.

Resolved an issue in the Access Control GET Teams/{id}/Users API that caused duplicated Role and Team IDs.

Resolved an issue that prevented updating the Job title for a SAML user in the Access Control profile.

Several enhancements have been added to Access Control, allowing the administrator more control of the new security mechanism.

The administrator can now perform the following:

  • enforce multi-factor authentication (MFA) on all users

  • define trusted browsers, eliminating the need to use a one-time password (OTP) for each login (requiring an explicit action only on the first login)

  • set the lockout period for users who have exceeded the threshold of failed login attempts

  • control whether or not the Forgot Password link is displayed

  • set the password expiration period, defining how often each user must update his own password

  • determine how many passwords are saved in the history, controlling the reuse of old passwords

  • exempt specific users from requiring MFA, supporting the automated users required in automated pipelines and CI.

For security fixes, click this link for additional information.


Resolved Issues


Improved the Reflected_XSS_All_Clients query.

Resolved an issue that was causing an error when the Query Viewer page was uploading.

The Tomcat version has been upgraded to Apache Tomcat version 8.5.82.

Resolved an issue that was causing differences in the results when using the GetCompareScanResults and GetScanCompareSummary SOAP API endpoints.

Resolved an issue that was causing the audits of private projects to be displayed in public projects.

Resolved an issue that was causing the ResultsService to fail to recognize overridden queries when the SAST machines were not time-zone aligned.

Resolved an issue that prevented opening scans in the SAST Web Portal.

Resolved an issue that caused the total scan times to be calculated incorrectly when two scans were compared.

The SAST Web Portal now displays the complete installed Engine Pack (EP) version, including the revision number.

Removed the reference to the YUI v2.9.0 vulnerable library.

Implemented a workaround mechanism for displaying the vulnerability description page on a browser that does not fully support CxAudit.

Resolved an issue that prevented SAST from scanning all the files in a multi-language project.

Resolved an issue that was causing failures when the Management and Orchestration (M&O) pages were opened.

Note: Some issues in this Hotfix were resolved with changes in the EngineUtilsCLI.exe. Starting with Engine Pack 9.5.2, EngineUtilsCLI.exe was removed from the Engine Pack and added to the Hotfix, starting with this HF3.

If a customer installs HF3, these issues will be resolved. However, if the customer afterwards installs Engine Pack 9.5.1, the issues will not be fixed.

For security fixes, click this link for additional information.


Resolved Issues


Fixed an issue in the REST API POST /{ProjectId}/sourceCode/remoteSettings/shared that prevented the API from working when a shared folder was set on the manager drive.

Fixed an issue that prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Fixed an issue that was causing log information loss.

Fixed the link on the Full Scan Results button, which incorrectly redirected to the Project State page.

Fixed an issue that prevented the selection of Pre and Post Scan actions.

Fixed the Japanese description of a Java High Risk Code Injection query.

Added the version number on the inventory libraries list in the HTML OSA report.

Fixed an issue in the Checkmarx SAST Portal that caused usernames containing special characters to be displayed incorrectly.

Fixed an issue that caused the SAST to SCA integration to fail when the project name contains the ampersand (&) character.

Fixed an issue that caused scans to fail when unzipping the projects from shared folders.

Fixed an issue that allowed unauthorized users access to the following Access Control APIs:

  • GET /AssignableUsers

  • GET /AuthenticationProviders

  • GET /Configurations

  • POST /Users/FirstAdmin

  • GET /LDAPTeamMappings

  • PUT /LDAPServers/{id}/TeamMappings

  • PATCH /LDAPServers/{id}/TeamMappings

  • DELETE /LDAPTeamMappings/{id}

  • POST /Users/ChangePassword

  • POST /Users/ForgotPassword

  • POST /Users/ResetPassword

Fixed an issue in the Access Control API that allowed the API to retrieve privileged information.

Fixed an issue that allowed XSS vulnerabilities in SCA Swagger pages.

The jQuery UI library was upgraded to v1.13.2.

For security fixes, click this link for additional information.


Resolved Issues


Fixed an issue that caused the confidence level to be displayed in the Results Viewer screen incorrectly as 0%. This occurred when the scan was executed for a project that had no source code changes.

Fixed an issue that caused the result states for recurrent results to be displayed incorrectly in the following UI dialogs when the severity of the OOTB queries was changed:

  • Scan Compare\Summary table

  • Scan Compare\Results details

Fixed an issue that caused the report generation to fail.

Fixed a performance issue affecting the Results Viewer that was caused by a previous fix to prevent audits of private projects from being displayed in public projects. The current fix improves the performance, but reverts to the previous behavior, in which the comments and results state history of private scans are visible from the public scans.

Improvements were made in the scanning mechanism to prevent displaying incorrect numbers of projects and scans in the Checkmarx Web Portal.

Fixed a performance issue in the Results Viewer page by controlling the query timeout with the CxComponentConfiguration\SqlExecuteCommandTimeout configuration key.

Fixed a performance issue in the Results Viewer page by providing an additional timeout adjustment for backend SOAP calls with the new web.config\CxPriorityWebServicesTimeout configuration key.

Fixed an issue that caused OSA scans to fail when the maximum number of client connections was exceeded.

The following have been added to Access Control:

  • A multi-factor authentication (MFA) feature is now available for providing additional security for SAST and SCA application users. When this feature is enabled, a one-time password (OTP) is provided during the login process.

  • An IP Whitelisting feature now enables an organization to restrict access to the SAST and SCA application portals using a predefined IP whitelist, which is stored in the database. All other IPs will be blocked.


  • By default, these features are disabled. See Access Control.

  • Hosted customers can contact the Checkmarx CloudOps team to activate and define the features.