
Multi-Tenant (May 2023)

API Security

Status

Description

Version 2.85 (Released on May 14, 2023)

NEW

Identifying and monitoring Shadow APIs - Shadow APIs are endpoints that exist in the code but are not documented, for example routes that are missing from the Swagger (OpenAPI) definition. Because nobody tracks them, they tend to fall outside normal review, testing and monitoring, which makes them a significant security risk. Identifying Shadow APIs is crucial to ensure that all APIs are protected, not just the ones that are known and documented. API Security discovers Shadow APIs directly from source code so that they can be inventoried and secured like any other endpoint.

Without proper identification and monitoring of Shadow APIs, any shift-right solution that only covers known APIs leaves the undocumented ones unprotected. That's why discovering and securing these hidden APIs is a priority, so that customers get complete coverage rather than coverage of the documented subset.

For more information, refer to this help topic.

NEW

API Inventory - API Security can now scan Swagger (OpenAPI) definition files to identify all APIs declared within an organization. This is a critical step in understanding the scope of APIs that exist in a system and identifying any potential security vulnerabilities.

With an accurate and up-to-date API inventory, organizations can effectively manage their APIs and ensure they are properly secured. Additionally, an API inventory helps in identifying potential duplication or overlap of APIs, which can be optimized to improve efficiency and reduce maintenance costs. It is an essential tool for API governance and can be used to track changes and updates to APIs over time.

For more information, see here.

NEW

API documentation risks - Errors and omissions in API documentation are a serious concern for developers and organizations alike, because downstream tooling, reviewers and consumers rely on the documentation being correct. API Security now proactively scans Swagger files to identify vulnerabilities and risks at an early stage, before they can cause significant problems. This helps ensure that the API documentation accurately reflects the intended functionality and reduces the likelihood of errors or misunderstandings down the line.

In addition to improving the accuracy and completeness of the documentation, scanning Swagger files for potential risks (for example, operations that declare no security requirement) also improves the overall security of the API and helps prevent or mitigate potential security breaches.

Refer to this page for more details.

NEW

Identifying sensitive data discrepancies - API Security is now able to identify any discrepancies between the sensitive data parameters in code and those in the Swagger API documentation. This helps users discover any sensitive parameters they may not have been aware of before, allowing them to take action to fix and update their Swagger files. This ensures that the API documentation accurately reflects the current state of the codebase, reducing the risk of data breaches and other security incidents.

For more information, see this page.

NEW

Support for Flask Python queries - API Security scanning now includes queries for Flask (Python) applications, so that endpoints declared with Flask route decorators are discovered and analyzed for potential vulnerabilities. This extends API discovery and vulnerability identification to Python-based applications built on Flask.
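The four API Security capabilities above (Shadow API discovery, Swagger-based inventory, documentation risk scanning and sensitive data discrepancies) all come down to comparing what the code exposes with what the Swagger/OpenAPI document declares. The following Python script is an added example, not Checkmarx code and not how the Checkmarx Flask queries are implemented: it parses a constructed Flask application with the standard `ast` module, loads a constructed OpenAPI 3 document, and reports endpoints present in code but absent from the spec (shadow APIs), endpoints documented but not implemented, parameters from an assumed sensitive-name list that the code reads but the spec omits, and documented operations with no security requirement. The sample routes, the sample spec and the sensitive-name dictionary are assumptions made for the example.

```python
"""Compare a Flask code base with its Swagger/OpenAPI document: shadow APIs, stale
documentation, undocumented sensitive parameters and operations without a security
requirement. Added example, not Checkmarx code; all inputs below are constructed."""
import ast
import re

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
FLASK_PARAM = re.compile(r"<(?:[^<>:]+:)?([^<>]+)>")  # <int:user_id> -> {user_id}
# Assumption: a small fixed dictionary of sensitive parameter names.
SENSITIVE_NAMES = {"password", "ssn", "token", "secret", "api_key", "credit_card"}

# Constructed Flask application; /internal/export is absent from the spec (a shadow API).
FLASK_SOURCE = '''from flask import Flask, request
app = Flask(__name__)
@app.route("/users/<int:user_id>")
def get_user(user_id):
    return {"id": user_id}
@app.route("/login", methods=["POST"])
def login():
    password = request.form["password"]
    return "ok"
@app.get("/internal/export")
def export_all():
    ssn = request.args.get("ssn")
    return "exported"
'''
# Constructed OpenAPI 3 document; /login documents "username" but not "password".
OPENAPI_SPEC = {"openapi": "3.0.0", "paths": {
    "/users/{user_id}": {"get": {"parameters": [{"name": "user_id", "in": "path"}],
                                 "security": [{"bearerAuth": []}]}},
    "/login": {"post": {"requestBody": {"content": {"application/x-www-form-urlencoded": {
        "schema": {"properties": {"username": {"type": "string"}}}}}}}},
}}

def _const_str(node):  # string value of a constant AST node, else None
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def _routes_from_decorator(dec):
    """(METHOD, path) pairs declared by @app.route(...) or @app.get(...)-style decorators."""
    if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute) and dec.args):
        return []
    path = _const_str(dec.args[0])
    if path is None or dec.func.attr not in HTTP_METHODS | {"route"}:
        return []
    path = FLASK_PARAM.sub(r"{\1}", path)
    if dec.func.attr != "route":
        return [(dec.func.attr.upper(), path)]
    methods = ["GET"]  # Flask's default when methods= is omitted
    for kw in dec.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = [m for m in map(_const_str, kw.value.elts) if m]
    return [(m.upper(), path) for m in methods]

def _request_params(func):
    """Names a view reads: its arguments plus request.<x>["k"] and request.<x>.get("k")."""
    names = {a.arg for a in func.args.args}
    for node in ast.walk(func):
        target, key = None, None
        if isinstance(node, ast.Subscript):
            target, key = node.value, _const_str(node.slice)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "get" and node.args):
            target, key = node.func.value, _const_str(node.args[0])
        if (key and isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Name) and target.value.id == "request"):
            names.add(key)
    return names

def flask_routes(source):
    """Map each (METHOD, path) found in Flask source to the parameter names it reads."""
    routes = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                for endpoint in _routes_from_decorator(dec):
                    routes.setdefault(endpoint, set()).update(_request_params(node))
    return routes

def _operations(spec):
    """Yield ((METHOD, path), operation object) for every documented operation."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield (method.upper(), path), op

def spec_endpoints(spec):
    """Map each documented endpoint to its declared parameter and request-body property names."""
    endpoints = {}
    for endpoint, op in _operations(spec):
        names = {p["name"] for p in op.get("parameters", []) if "name" in p}
        for media in op.get("requestBody", {}).get("content", {}).values():
            names |= set(media.get("schema", {}).get("properties", {}))
        endpoints[endpoint] = names
    return endpoints

def compare(source, spec):
    """Findings: shadow endpoints, stale docs, undocumented sensitive params, unauthenticated ops."""
    code, doc = flask_routes(source), spec_endpoints(spec)
    sensitive = sorted((ep, n) for ep, names in code.items() for n in names
                       if n.lower() in SENSITIVE_NAMES and n not in doc.get(ep, set()))
    # Unauthenticated: neither the operation nor the document declares a security requirement.
    unauth = [] if spec.get("security") else sorted(
        ep for ep, op in _operations(spec) if not op.get("security"))
    return {"shadow": sorted(set(code) - set(doc)), "stale": sorted(set(doc) - set(code)),
            "sensitive_undocumented": sensitive, "unauthenticated": unauth}

if __name__ == "__main__":
    print(compare(FLASK_SOURCE, OPENAPI_SPEC))
```

Run stand-alone, it reports one shadow endpoint (GET /internal/export), two undocumented sensitive parameters (password on POST /login and ssn on the shadow endpoint) and POST /login as an operation the document leaves without a security requirement. `OPENAPI_SPEC` stands in for the dictionary you would get from `json.load` or `yaml.safe_load` on a real Swagger file. The script only recognizes literal route strings and direct `request.form`/`request.args` access; blueprints, `add_url_rule` and parameters read through helper functions would need additional handling, which is the gap a dedicated code-scanning query closes.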

Checkmarx SCA

Notice

This section relates only to SCA releases that are relevant to users who consume SCA through the Checkmarx One platform. Release notes for the SCA standalone platform are available here.

SCA Resolver Releases

We released the following new versions of SCA Resolver:

Notice

The complete changelog, and links to download SCA Resolver are available here.

Version 2.2.2

  • Syft is now used automatically whenever the --scan-container flag is used. The --use-syft flag is no longer in use.

    Warning

    This is a breaking change. If you have pipelines that use the --use-syft flag, it needs to be removed.

    Notice

    For Syft to run on your scans, it must be installed on the machine that runs Resolver; see Prerequisites.

  • For PIP:

    • Added a new argument for including custom manifest files for resolution.

    • Improved detection of the Python version installed on the system.

  • For Gradle, dependencies that were ignored by the package manager are now ignored by Resolver.

  • For NPM, fixed the logic that decides whether to run the NPM 6 or the NPM 7 commands.

  • Fixed "out of memory" issues that were occurring in some edge cases.

Version 2.1.9

  • For Gradle, added support for dynamic submodule declaration.

  • ImageResolver updated to version 2.0.47.

CLI and Plugins Release of May 2023

Version 2.0.47

Status

Item

Description

FIXED

KICS realtime

When a kics-realtime scan completes successfully and doesn't find any IaC security vulnerabilities, the results are now correctly returned showing "0" IaC security vulnerabilities.

FIXED

BitBucket contributor count

The contributor count for BitBucket now counts only contributors who have contributed in the past 90 days, as expected.

IDE Plugins

In April we released the following IDE plugin versions:

  • Eclipse - 2.0.6 (uses CLI v2.0.45)

  • VS Code Extension - 2.1.0 (uses CLI v2.0.47)

  • JetBrains Plugin - 2.0.11 (uses CLI v2.0.47)

Improvements and Bug Fixes

Status

Item

Platform

Description

NEW

Pre-release versions

VS Code, JetBrains

We now create nightly pre-release versions of the extension whenever new code is merged. Users have the option to update automatically to the latest pre-release version or to update only when a new release version is published.

To automatically install pre-release versions, see VS Code Automatic Updates and JetBrains Automatic Updates

UPDATED

SCA Realtime

VS Code

For SCA Realtime scans that return incomplete results, we now show a Dependency resolution errors section which gives info about manifest files that weren't resolved and the reason for the error (e.g., relevant package managers not installed locally).

UPDATED

Version support

Eclipse

Added support for Eclipse version 2019-03 (4.11) and above.

UPDATED

Product name

Eclipse

All references to AST (other than the name of the plugin) have been changed to use the new product name "Checkmarx One".

FIXED

Additional parameters

Eclipse

Fixed tooltip for Additional parameters so that link points to new documentation portal.

IDE Plugin Quick Links