Skip to main content

Single-Tenant (April 2023)

Checkmarx SCA

Notice

This section relates only to SCA releases that are relevant to users who consume SCA through the Checkmarx One platform. Release notes for the SCA standalone platform are available here.

Support for Unity Package Manager

We added support for Unity package manager.

Unity_logo_PNG10.png

Languages/Frameworks: Unity

Repository: Unity Technologies, Needle-mirror, Open UPM

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)

none

x-10366__1_.png

x-10366__1_.png

manifest.json(blue star), packages.json(blue star)

SCA Resolver Releases

We released the following new versions of SCA Resolver:

Notice

The complete changelog, and links to download SCA Resolver are available here.

Version 2.1.5

  • Added support for Unity package manager. For more information, see Unity Package Manager Dependency Resolver.

  • For Bower, fixed issue that dependency resolution was failing when latest version ("*") was specified.

  • For Ivy, fixed issue that unused versions were being resolved despite the fact that a newer version had been specified in the manifest file.

  • ImageResolver updated to version 2.0.43.

Version 2.1.2

  • Added support for authentication via Master Access Control, see Master Access Control Authentication for Checkmarx SCA Resolver.

  • For Sbt, stack overflow is fixed when building the dependency tree.

  • For Gradle, when a submodule is duplicated in a project we now resolve the package only once.

  • ImageResolver was updated to version 2.0.41.

CLI and Plugins Release of April 2023

Version 2.0.46

Status

Item

Description

UPDATED

SCA Realtime errors

Added error handling for SCA Realtime scanner.

Version 2.0.45

Status

Item

Description

NEW

Environment variables

We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.

Notice

We still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications.

UPDATED

Branches

We increased the number of branches returned using the project branches command from 20 to 1,000.

Version 2.0.44

Status

Item

Description

NEW

Private packages

You can now designate a scan as a "Private Package" and assign a package version to it using the addtional_params options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here.

NEW

Flags

We added the --exploitable-path flag to the additional_params options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings.

We also added a flag --sca-last-sast-scan-time, which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.)

Warning

The --sca-last-sast-scan-time flag is only supported for single-tenant environments, not for multi-tenant.

NEW

File extensions

Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).

UPDATED

Memory usage

Improved memory usage when uploading zip files.

FIXED

Contributors count

Fixed issue that was causing index out of range errors for the contributors count command.

FIXED

Sarif reports

Fixed issue that SCA results weren't being included in sarif reports.

CI/CD Plugins

In April we released the following CI/CD plugin versions.

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Proxy environment variables

TeamCity

We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.

Notice

We still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications.

NEW

Private packages

TeamCity, GitHub Actions, Azure DevOps

You can now designate a scan as a "Private Package" and assign a package version to it using the Additonal parameters options. Once a private package has been scanned, info about the risks affecting that package will be identified by SCA when that package version is used in any of your projects. You can download an article about private packages here.

NEW

Exploitable Path

TeamCity, GitHub Actions, Azure DevOps

We added the --exploitable-path flag to the Additonal parameters options. This enables you to designate whether or not Exploitable Path will run on this particular scan. When used, this overrides the designation made in the project settings.

We also added a flag --sca-last-sast-scan-time, which enables you to specify the number of days that SAST scan results are considered valid for use in Exploitable Path (i.e., if there is no current SAST scan, how many days prior to the current SCA scan will Checkmarx One look for a SAST scan to use for analyzing Exploitable Path.)

Warning

The --sca-last-sast-scan-time flag is not yet fully supported and may not function as designed.

NEW

File extensions

TeamCity, GitHub Actions, Azure DevOps

Added file extensions go.mod, go.sum, *.dart, and *.plist to the list of included files (when creating the zip archive for scanning).

UPDATED

Memory usage

TeamCity, GitHub Actions, Azure DevOps

Improved memory usage when uploading zip files.

FIXED

Additional parameters

TeamCity

Fixed issue that spaces in additional params values had been causing errors.

IDE Plugins

In April we released the following IDE plugin version:

  • VS Code Extension - 2.0.18 (uses CLI v2.0.46)

  • Visual Studio Extension - 2.0.14 (uses CLI v2.0.45)

  • JetBrains Plugin - 2.0.9 (uses CLI v2.0.41)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Proxy environment variable

Visual Studio

We added a new environment variable, CX_HTTP_PROXY, which can be used to designate a specialized proxy for Checkmarx One. When this is used, it overrides the proxy specified in your general HTTP_PROXY variable.

Notice

We still support use of the HTTP_PROXY variable if you choose to use the same proxy for Checkmarx One as for your other applications.

UPDATED

Create Scan button

VS Code

Improved visibility of the Create Scan button by moving it to the header bar of the Checkmarx pane.

UPDATED

Version support

Visual Studio

Added support for earlier versions of Visual Studio 2022. We now support SDK version 17.0 and above.

UPDATED

Memory usage

Visual Studio

Improved memory usage when uploading zip files.

UPDATED

Product name

JetBrains

All references to AST (other than the name of the plugin) have been changed to use the new product name "Checkmarx One".

FIXED

Additional Knowledge link

JetBrains

Fixed issue that SCA Additional Knowledge link had been causing errors when no link was available.

FIXED

Create Scan button

VS Code

Fixed issue that the Create Scan button had been disabled after unexpected shutdown.

FIXED

SCA Realtime results

VS Code

Fixed issue that SCA Realtime wasn't yielding results for users that didn't enter account credentials.

Tip

This is a free tool that does not require a Checkmarx account.

FIXED

Filters

VS Code

Fixed issue that filters hadn't been functioning properly.

FIXED

Additional parameters

Visual Studio, JetBrains

Fixed tooltip for Additional parameters so that link points to new documentation portal.

IDE Plugin Quick Links