Releases of August 2023

Version 2.92.5 | Released on August 21

Jira Feedback App enhancements

Several key enhancements have been implemented to improve the developer experience and bug tracking process within Jira. They provide developers with comprehensive information to effectively remediate findings and streamline the handling of vulnerabilities and security issues.

  • Each vulnerability is now separated into its own individual Jira ticket. Additionally, each ticket includes a deep link to Checkmarx One.

  • Across all scanning engines used for vulnerability detection, we have standardized the description format.

  • A well-defined triage process has been implemented, categorizing vulnerabilities based on severity and impact. This streamlined approach allows for better prioritization and resolution of critical issues.

Support for cascading select capabilities

Cascading select capabilities have been implemented in the Jira Feedback App to support Jira custom fields.

This enhancement enables users to leverage JIRA feedback within a hierarchical framework, where parent and child options allow for more complex categorization.

New SAST scan report

A new SAST Scan report is now available, presenting easily readable outcomes of the SAST scan. The report includes essential information such as the Scan Type (whether it's a full or incremental scan), Scan and Project Tags, Scan Initiator, Source Origin, Scanned Lines of Code, Scanned Files, Preset Name, and individual Results. Each result has a link to the corresponding vulnerability's page in Checkmarx One, where you can access comprehensive details like remediation suggestions, risk assessment, and code samples.

To simplify navigation, a link to the Results Viewer on the Checkmarx One web page has also been incorporated into the report. We've also introduced the concept of a Similarity ID, which helps identify similar issues across the scan results.

SCA-related updates

To address the issue of "ignored" vulnerabilities (also referred to as non-exploitable) in Checkmarx One reports, the state field has been included in Checkmarx One results on the sca-worker/handler. This addition allows for proper filtering to exclude such vulnerabilities from the reports, ensuring a more accurate representation of potential security risks in the application's codebase.

To ensure the risk state is accurately reflected in the report, a re-scan is necessary. It's important to note that once a scan is completed, the object of the scan cannot be altered. Any changes made to the risk state will be saved at the project level. Therefore, in a new scan, the correct state will be appropriately displayed in the report.

Fusion updates

  • Fusion now enables the correlation of results from JavaScript (JS) microservices scanned by SAST. As a result, AppSec Engineers can access JS assets in both the topology view and Bill of Materials (BoM) table view.

    This enhancement provides a more comprehensive and consolidated overview of security vulnerabilities in JS microservices, facilitating better analysis and management of potential security risks.

  • Starting from this release, the Fusion license will be enforced for newly created tenants. This means that only new tenants that are provisioned with the Checkmarx One Professional Package license will be eligible to access Fusion insights.

Version 2.91.1 | Released on August 6

Ability to create a project in an application

This release introduces a feature that allows creating integration projects at the application level. These projects will be automatically assigned to the respective application.

Scan results enhancement: Addressing false negatives caused by configuration filters

In previous versions, scans from SAST, SCA, IaC or API Security would fail due to configuration filters that removed all available code for a specific engine. For instance, if a user set a filter to exclude all Java files and then ran a SAST scan, the scan would fail because there were no files left to analyze.

To eliminate false negatives caused by filters and provide clearer and more reliable scan results, Checkmarx One will mark a scan as successful even if there are no files left after applying filters.

Removal of project and team permissions from tokens

Project and team permissions have been removed from ADO (Azure DevOps) tokens. This means that customers no longer need to re-import projects from the Source Code Management (SCM) system. The process of accessing and managing projects within ADO remains unchanged. This update simplifies the workflow and eliminates the need for any additional re-importing steps.

Improved accuracy and visibility for empty scans

We have updated the way Checkmarx One handles scan status returned by SAST when no files are found to scan. When SAST identifies a scan with no files to scan, it returns a specific code that clearly indicates that the scan is empty because no files were found.

Checkmarx One now treats such scans as successful. As a result, the status of each scan is represented more accurately, providing a reliable overview of the security status across all projects.

SCA Release Notes

New Version of AppSec Knowledge Center

We have released a new version of the AppSec Knowledge Center. The new version maintains the same core functionality as the previous version. However, the look and feel has been completely redone and many improvements have been introduced.

Figure 1. Searching by Package in AppSec Knowledge Center (animated GIF not reproduced here)

The following are some of the main improvements:

  • The Package page now shows Supply Chain risks and Licenses associated with the package (in addition to vulnerabilities).

  • Package selection is now done by entering the package name and then clicking on a marker for a specific version.

    The markers representing the package versions are now color coded as follows:

    • Red with dot - malicious package

    • Red - high severity

    • Yellow - medium severity

    • Gray - low severity or no risk

  • When you select a package version for viewing, a summary page is shown which gives data for Supply Chain Analysis, as well as aggregated risks.

    You can then drill down to view a list of vulnerabilities, supply chain risks and licenses. For vulnerabilities, you can drill down further to show the vulnerability details screen.

  • The vulnerability details screen has been redesigned.

    The info is now divided into the following elements:

    • Overview - gives general info about the vulnerability including the CVSS score.

    • Info Pane - shows the description of the vulnerability and CWE and gives references for further research.

      • Notes - Within the info pane, we have added a section for notes. This section shows notes that were added to a vulnerability by the Checkmarx AppSec team. These notes may explain discrepancies between our data and the data shown in NVD, such as when we have confirmed that a vulnerability is disputed. They may also suggest specific mitigation actions, such as changing configurations, or offer other helpful insights from our AppSec team.

    • Detail Tabs - The bottom section gives additional details about the vulnerability and the packages affected by the vulnerability. The info is divided into tabs for Affected Versions, Score and Status.

Improvements and Bug Fixes

Status | Item | Description

UPDATE | Supported manifest files | We added support for resolving Swift dependencies using the Package.resolved file when no Package.swift file is present in the project.

SCA Resolver Releases

We released the following new versions of SCA Resolver:

Notice

The complete changelog and links to download SCA Resolver are available here.

Version 2.4.2

  • For Container Scans, updated ImageResolver to version 3.0.7, which includes the following updates:

    • In order to run container scans via Resolver, you are now required to have Syft version 0.83 installed on your local machine.

    • Added support for Podman (in addition to Docker).

    • It is no longer required to have Docker installed in order to run container scans on public images. However, if you are scanning private images, then you need to have Docker or Podman installed, and you need to be authenticated for the relevant image registry, e.g., JFrog, ECR, GCR, Nexus, etc.

    • Improved the process for identifying packages and vulnerabilities, yielding more comprehensive results.

Version 2.3.3

  • When multi-module projects cause manifest files to be duplicated in the results, we now merge the results from both manifests so that the scan can complete successfully.

  • For Poetry, added the flag --poetry-parameters for adding custom parameters for Poetry.

  • For Python:

    • When there is a problem resolving the dependencies from a manifest file, we now correctly show a failure for the resolution of that manifest file.

    • Added support for pyenv configuration.

  • For Gradle, fixed an issue where modules not included by the --gradle-include-modules flag were still being scanned.

  • For NPM, improved the method for resolving workspaces, so that it is no longer necessary to change the content of the package-lock file.

CLI and Plugins Release of August 2023

CLI Version 2.0.54

Status | Item | Description

UPDATED | Included files | Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning).

FIXED | KICS Realtime failures | Fixed an issue that had been causing KICS Realtime scans to fail.

FIXED | HTML output | Fixed an issue where HTML output wasn't shown properly for results that contain HTML content.

FIXED | Policy Violation header | Stopped showing the Policy Violation header in the console results for projects that don't have any associated policies.

IDE Plugins

In August we released the following IDE plugin versions:

  • VS Code Extension - 2.4.0 (uses CLI v2.0.54)

  • Visual Studio Extension - 2.0.17 (uses CLI v2.0.54)

Improvements and Bug Fixes

Status | Item | Platform | Description

UPDATED | SAST Results | Visual Studio | In the SAST results viewer, we added new tabs with additional info about each vulnerability:

  • Learn More - Gives detailed information about the nature of the risk and its causes, as well as remediation recommendations.

  • Remediation Examples - Shows a sample of code that is subject to this vulnerability, followed by a remediated version of that code.

UPDATED | Included files | VS Code | Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning).

FIXED | KICS Realtime scanning | VS Code | Fixed an issue that had been causing KICS Realtime scans to fail.

FIXED | HTML output | VS Code | Fixed an issue where HTML output wasn't shown properly for results that contain HTML content.

FIXED | Button visibility | Visual Studio | Fixed an issue where some buttons weren't showing up properly in blue mode.
