
Version 3.0

Multi-Tenant release date: October 29, 2023

New features and enhancements

SAST engine upgrade

The SAST engine in Checkmarx One has been upgraded to version 9.6.1.

SCA Policy Management

Notice

Checkmarx One Policies enable users to apply customized security rules to their projects in order to easily identify projects that are non-compliant with these self-defined thresholds. Policies can also be configured to automatically break builds upon policy violation.

We added the ability to create custom policy rules based on results identified by the SCA scanner. The following types of SCA conditions can be configured:

  • Package Conditions - conditions related to the open source packages used in the project, e.g., malicious packages, outdated packages, specific package names, etc.

  • Vulnerability Conditions - conditions related to the vulnerabilities affecting the open source packages in your project, e.g., severity thresholds, specific CVEs or CWEs, vulnerabilities with an Exploitable Path, etc.

  • Supply Chain Risk Conditions - conditions related to identifying supply chain risks of a specified severity threshold.

  • License Conditions - conditions related to packages with specific licenses or license risk thresholds.

For more information about the types of SCA conditions that can be created, see SCA Policy Conditions.

For more information about creating Checkmarx One policies, see Policy Management.

Displaying Lines of Code on Scan Management page

We have introduced a new LOC (Lines of Code) column to the Scan Management page, enhancing the scan overview.

This feature is essential for users seeking a comprehensive view of their scans, enabling them to promptly spot gaps or missing data, ensuring a thorough analysis.

CLI version in debug log

Users can now easily identify the running version of the CLI when inspecting debug logs from the CI/CD pipeline. The CLI version is conveniently displayed as the first line in the debug log, making it a valuable aid for troubleshooting CLI-related problems.

Viewing Checkmarx One version via API

Users can access the latest version of the deployed Checkmarx One environment through a new API endpoint ast_version. This is very helpful for various purposes, including system monitoring, ensuring compatibility with other components, and tracking changes or updates in the environment.

SCA Updates

Sysdig Integration

We have implemented a new integration with Sysdig for identifying runtime usage of container packages. This provides important insights for prioritizing remediation activities.

Once the integration has been configured for your account, you will see a new column Runtime Usage in the Containers Packages tab (under SCA results) indicating which packages are used in runtime. In addition, in the Containers Vulnerabilities tab, runtime usage will be shown as a Risk Factor for specific vulnerabilities.

Notice

This integration is only available for accounts that have a Sysdig license. To set up the integration, please contact your account manager and provide them with your Sysdig Risk Spotlight token.

Exploitable Path Queries

We improved the performance of Exploitable Path scans for Java projects. The updated queries yield more complete results while cutting the scan time by as much as half.

SCA Resolver Version 2.4.8

We released a new version of SCA Resolver with the following improvements:

  • For Yarn, scripts that are defined on package.json are now ignored.

  • For Swift, lock file version 2 is now supported.

Download the new version here.

CLI and Plugins Release of October 2023

CLI Version 2.0.60

| Status | Item | Description |
| --- | --- | --- |
| FIXED | Sort results | We now sort results by severity from high to low (instead of low to high). This ensures that even in edge cases that exceed the supported number of results (10k), the most important results won't be missed. |
| FIXED | PDF failures | Fixed an issue where requesting the report status caused PDF reports to fail. |

CLI Version 2.0.59

| Status | Item | Description |
| --- | --- | --- |
| UPDATE | Debug mode | In debug mode, the CLI version is now shown in the logs. |
| FIXED | Exploitable path | Fixed an issue where, when --sca-exploitable-path was set to false, you were nonetheless required to run the SAST scanner. |
| FIXED | Contributor count | Fixed an issue where running the contributor count when it was empty caused an error. |
| FIXED | Policy violations | Fixed an issue where a timeout while checking for policy violations caused the scan to fail. |

CLI Version 2.0.58

| Status | Item | Description |
| --- | --- | --- |
| FIXED | SCA results | Fixed an issue where PDF reports did not include SCA results unless they were specified explicitly. |
| FIXED | SummaryJson report | Fixed an issue with creating a summaryJson report for a scan that has not yet completed. Instead of returning an error, the report is now created with a label indicating that the scan has not completed. |

CI/CD Plugins

In October we released the following CI/CD plugin versions.

  • GitHub Actions - 2.0.21 (uses CLI v2.0.58)

  • Azure DevOps - 2.0.27 (uses CLI v2.0.60)

  • TeamCity - 2.0.20 (uses CLI v2.0.60)

Improvements and Bug Fixes

| Status | Item | Platform | Description |
| --- | --- | --- | --- |
| NEW | Results summary | GitHub Actions | We now return an unlimited number of results in the results summary (previously limited to 10k). |
| NEW | Ignore Proxies | GitHub Actions, TeamCity | Added an environment variable, "CX_IGNORE_PROXY", for ignoring proxies. Set the variable to true to ensure that all Checkmarx One CLI commands run directly from the local machine. |
| NEW | Scan ID | Azure DevOps | Added an output variable, CxOneScanId, which can be used to reference the scan later on in the pipeline, e.g., to generate a report. |
| UPDATE | CLI version | GitHub Actions, TeamCity | Updated the CLI code to Go version 1.21.1 in order to remediate a vulnerability. |
| UPDATE | Included files | GitHub Actions, TeamCity | Added Podfile and Podfile.lock to the list of included files (when creating the zip archive for scanning). |
| FIXED | Policy violations | Azure DevOps | Fixed an issue where a timeout while checking for policy violations caused the CLI to return a fail status. |

IDE Plugins

In October we released the following IDE plugin version:

  • VS Code - 2.5.0 (uses CLI v2.0.57)

Improvements and Bug Fixes

| Status | Item | Platform | Description |
| --- | --- | --- | --- |
| FIXED | KICS Auto Scanning | VS Code | Fixed an issue where KICS Auto Scanning ran even when the feature was disabled. |
| FIXED | Libraries update | VS Code | Updated to the CLI version that uses Go version 1.21.1, in order to remediate a vulnerability. |

FIXED

Libraries update

VS Code

Updated for CLI version that uses GO version 1.21.1, in order to remediate a vulnerability.
