
Previous Checkmarx SCA Release Notes

August 26, 2021

NEW - AppSec Knowledge Center - Our new AppSec Knowledge Center can be accessed via the Checkmarx SCA web portal. The Knowledge Center enables you to search our extensive database for information about specific package versions and vulnerabilities. This enables you to check the open source packages that you want to use in your project in advance to make sure that you won’t be introducing security risks into the project.

The database includes CVEs and also vulnerabilities discovered by the Checkmarx Vulnerability Research Team (“Cx” vulnerabilities).

IMPROVED - The Exploitable Path feature (which checks whether the vulnerable open source packages are called from your proprietary code and whether the vulnerable methods are actually used by your code) now supports JavaScript projects (in addition to existing support for Java and Python). See Exploitable Path.
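The following is an added example, not Checkmarx code, showing the idea behind an exploitable-path check in miniature: a vulnerable package that is installed is only reported as reachable if project code actually calls one of its vulnerable functions. It parses Python source with the standard `ast` module and follows import aliases so that `from pkg import f as g; g()` resolves to `pkg.f`. The package names, function names, advisory labels and source snippet are all constructed for the example (nothing here is a real advisory).

```python
"""Added example: a minimal "exploitable path" reachability check for Python."""
import ast
from typing import Dict, List, Set, Tuple

# Constructed catalogue: package -> dotted vulnerable function -> advisory label.
# The identifiers are placeholders, not real packages or advisories.
VULNERABLE_FUNCTIONS: Dict[str, Dict[str, str]] = {
    "yamlish": {"yamlish.load": "EXAMPLE-ADV-0001 (unsafe deserialisation)"},
    "archivelib": {"archivelib.extract_all": "EXAMPLE-ADV-0002 (path traversal)"},
}


class CallCollector(ast.NodeVisitor):
    """Record every call site as (fully qualified dotted name, line number)."""

    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}          # local name -> qualified name
        self.calls: Set[Tuple[str, int]] = set()

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.asname:                       # import a.b as c  -> c == a.b
                self.aliases[alias.asname] = alias.name
            else:                                  # import a.b      -> binds "a"
                top = alias.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module is None:                    # relative "from . import x": skip
            return
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def _dotted(self, node: ast.AST) -> str:
        """Turn a call target (Name or Attribute chain) into a dotted name."""
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self._dotted(node.value)
            return f"{base}.{node.attr}" if base else ""
        return ""                                  # calls on call results etc.

    def visit_Call(self, node: ast.Call) -> None:
        name = self._dotted(node.func)
        if name:
            self.calls.add((name, node.lineno))
        self.generic_visit(node)


def exploitable_paths(source: str, installed: Set[str]) -> Dict[str, Tuple[str, List[int]]]:
    """Return {vulnerable function: (advisory, [call lines])} for functions the
    source actually calls, considering only packages that are installed."""
    collector = CallCollector()
    collector.visit(ast.parse(source))
    reached: Dict[str, Tuple[str, List[int]]] = {}
    for pkg in sorted(installed):
        for func, advisory in VULNERABLE_FUNCTIONS.get(pkg, {}).items():
            lines = sorted(ln for name, ln in collector.calls if name == func)
            if lines:
                reached[func] = (advisory, lines)
    return reached


def present_but_unreached(installed: Set[str], reached: Dict[str, Tuple[str, List[int]]]) -> List[str]:
    """Installed packages with a known vulnerable function that is never called."""
    reached_pkgs = {func.split(".")[0] for func in reached}
    return sorted(p for p in installed if p in VULNERABLE_FUNCTIONS and p not in reached_pkgs)


# Constructed project snippet: archivelib is imported but its vulnerable
# function is never called, so it should be reported as present-but-unreached.
SAMPLE_SOURCE = """import yamlish
from archivelib import extract_all as unpack
import requests_like

def handle(blob):
    return yamlish.load(blob)

def archive_size(path):
    return len(path)
"""
INSTALLED = {"yamlish", "archivelib", "requests_like"}

if __name__ == "__main__":
    hits = exploitable_paths(SAMPLE_SOURCE, INSTALLED)
    for func, (advisory, lines) in hits.items():
        print(f"REACHED  {func}: {advisory} at lines {lines}")
    for pkg in present_but_unreached(INSTALLED, hits):
        print(f"UNREACHED {pkg}: vulnerable function present but never called")
```

A real implementation has to handle dynamic dispatch, calls through wrappers and transitive packages; this toy only resolves direct call sites in one file, which is enough to show why "installed" and "reachable" are different findings.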

IMPROVED - Improved ability to identify packages based on file fingerprints (hashes).

NEW VERSIONS - We have released several new versions of Resolver with a wide range of improvements and bug fixes. The most recent release is 1.5.42.

The following are some highlights from the recent releases:

  • Added support for iOS projects using SwiftPM, Carthage and CocoaPods package managers.

  • Added support for providing a proxy to be used for requests via HTTP and HTTPS.

For additional details, see Checkmarx SCA Resolver Changelog.

May 10, 2021

NEW - Exporting Risk Reports - You can now export Risk Reports, showing comprehensive info about the risks identified in each of your Checkmarx SCA Projects. The Risk Report shows the results of a specific scan of a Project, including both overall results as well as detailed info about the risks that were identified. You can export a Risk Report via the Checkmarx SCA web portal by navigating to the Scan Results page for the desired scan and clicking on the Export button at the top of the page. You can specify the desired file format (pdf, xml, json, or csv) as well as which sections to include in the report (Packages, Vulnerabilities, Licenses, or All). For more info, see Scan Reports.

You can also generate Risk Reports via Checkmarx SCA Resolver; see Risk Report Arguments.

NEW – The Bamboo plugin now supports Checkmarx SCA.

IMPROVED – Complex policy conditions - You can now configure complex conditions for security policies. You can create rules that include multiple conditions relating to the packages, vulnerabilities and licenses. Only when all of the conditions are met is the rule considered to be violated.

NEW VERSION - CLI version 1.1.5 (new numbering convention) was released.

  • The new version includes the following new features and improvements.

    • The Exploitable Path feature for identifying attack vectors has been added for Checkmarx SCA scans.

    • The ‘CheckPolicy’ option now enforces Checkmarx SCA policies to break builds, as per policy action configuration.

    • The option to include source code with Checkmarx SCA scans has been added.

    • Private registries and environment variables have been added for Checkmarx SCA scans.

    • Project creation and Team assignment capabilities have been added for Checkmarx SCA scans.

NEW VERSION - Checkmarx SCA Resolver version 1.5.7 was released. Download links are available here.

  • The new version of Checkmarx SCA Resolver includes the following improvements:

    • Checkmarx SCA Resolver now uses the "--all" flag to force npm to list all dependencies (i.e., revert to version 6 results)

    • General improvements for Yarn

    • Added support for Ivy package manager

April 22, 2021

NEW VERSION - Checkmarx SCA Resolver version 1.5.4 was released. Download links are available here.

The new version of Checkmarx SCA Resolver includes the following new features:

  • There is now an option to run Checkmarx SCA Resolver in “Offline” mode. A scan run in “Offline” mode can then be submitted at a later time by running Checkmarx SCA Resolver in “Upload” mode to execute the scan.

  • When you run a scan using Checkmarx SCA Resolver, you can now set flags to export a comprehensive Risk Report of the scan results in json, xml, csv, or pdf format.

As well as the following improvements and bug fixes:

  • Improved result parser for Bower

  • The exception raised when trying to extract compressed files that require a password is now handled

  • Fixed bug causing scan to get stuck when Maven was not available

  • Pip now resolves Python requirement files that contain an '-r' flag

  • Fixed log name to include the local timezone of the machine (as opposed to showing UTC)
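The `-r` handling mentioned above is worth seeing concretely, because a naive line-by-line reader misses every dependency that lives in an included file. The following is an added example, not Checkmarx SCA Resolver code: a small resolver for pip requirement files that follows `-r` and `--requirement` includes relative to the including file, strips comments, and uses a visited set so an include cycle (a file that includes its own parent) terminates instead of recursing forever. The "file tree" is an in-memory dict constructed for the example.

```python
"""Added example: resolve pip requirement files, following -r includes safely."""
import posixpath
import shlex
from typing import Dict, List, Tuple

# Constructed project tree: relative path -> file contents.
# requirements/base.txt deliberately includes the top-level file again (a cycle).
FILES: Dict[str, str] = {
    "requirements.txt": (
        "# top-level requirements\n"
        "requests==2.25.1\n"
        "-r requirements/base.txt\n"
        "--requirement requirements/dev.txt\n"
    ),
    "requirements/base.txt": (
        "pyyaml>=5.4   # pinned floor\n"
        "-r ../requirements.txt  # cycle back to the top\n"
        "urllib3<2\n"
    ),
    "requirements/dev.txt": (
        "-r base.txt\n"          # already read via the top-level file
        "pytest\n"
    ),
}


def _strip_comment(line: str) -> str:
    """pip treats '#' at line start, or preceded by whitespace, as a comment."""
    if line.lstrip().startswith("#"):
        return ""
    idx = line.find(" #")
    return (line[:idx] if idx >= 0 else line).strip()


def _include_target(tokens: List[str]) -> str:
    """Return the included path for '-r X', '--requirement X' or '--requirement=X', else ''."""
    if tokens[0] in ("-r", "--requirement") and len(tokens) > 1:
        return tokens[1]
    if tokens[0].startswith("--requirement="):
        return tokens[0].split("=", 1)[1]
    return ""


def resolve_requirements(path: str, files: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (requirement specifiers in encounter order, files read in order).

    Includes are resolved relative to the including file; a file is read at most
    once, which both de-duplicates shared includes and breaks include cycles.
    """
    requirements: List[str] = []
    seen: List[str] = []

    def walk(current: str) -> None:
        current = posixpath.normpath(current)
        if current in seen:                     # cycle or repeated include: skip
            return
        if current not in files:
            raise FileNotFoundError(f"requirement file not found: {current}")
        seen.append(current)
        base_dir = posixpath.dirname(current)
        for raw in files[current].splitlines():
            line = _strip_comment(raw)
            if not line:
                continue
            tokens = shlex.split(line)
            target = _include_target(tokens)
            if target:
                walk(posixpath.join(base_dir, target))
            elif line not in requirements:      # keep first occurrence only
                requirements.append(line)

    walk(path)
    return requirements, seen


if __name__ == "__main__":
    reqs, read = resolve_requirements("requirements.txt", FILES)
    print("files read:", read)
    print("requirements:", reqs)
```

The visited-set check is the important part: without it the constructed tree above would loop between `requirements.txt` and `requirements/base.txt` until the recursion limit, which is exactly the kind of input a scanner sees when someone wires two requirement files into each other.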

March 25, 2021

NEW VERSION - Checkmarx SCA Resolver version 1.4.41 was released. Download links are available here.

The new version of Checkmarx SCA Resolver includes the following improvements:

  • Added ability to pass custom parameters to Maven

  • Fixed password leak to log

  • Fixed argument parsing while replacing '_' with '-'

  • For npm, transitives of dev dependencies are now tagged as dev

March 12, 2021

NEW VERSION - Checkmarx SCA Resolver version 1.4.34 was released. Download links are available here.

The new version of Checkmarx SCA Resolver includes the following improvements:

  • Added a flag to ignore submodules in Gradle

  • For Gradle, we now detect settings.gradle.kts files

  • For Nuget, we now ignore project references inside of .csproj files

  • For PIP, we now detect files with the following file names: “requirement-*.txt” and “requirements-*.txt”

  • For Composer, the vendor folder is now ignored by the scanner

  • Logs are now saved in ScaResolver path by project name unless a fully qualified path is configured in the "LogsDirectory" configuration

March 7, 2021

IMPROVED - Enhanced Exploitable Path functionality

NEW VERSION - Checkmarx SCA Resolver version 1.4.28 was released. Download links are available here.

The new version of Checkmarx SCA Resolver includes the following improvements:

  • Added ability to pass custom parameters to Bower, Composer, Lerna, NPM, Nuget, Pip, SBT, and Yarn project scans

  • Added ability to disable upload of manifest files

  • SCA scans now extract compressed files of type .zip, .war and .ear. The user can also add a flag to specify custom file types for extraction.

  • For Exploitable Path scans, the config file key "OldResultsThresholdMinutes" was added, enabling users to customize the time period for which SAST results are checked. By default, this is now set to two weeks.

  • Changed "Invalid SAST settings" to warning level instead of error

  • Improved Gradle dev-dependencies detection

  • Fixed NPM package-lock.json display error

  • Fixed errors causing scan failures in Gradle, Bower and Maven

  • For Exploitable Path scans, users now have the option of providing the SAST Project name instead of the Project ID

  • Added Gradle dependency parser customizations:

    • Exclude scopes - include all scopes other than the specified exclusions

    • Include scopes - include only the specified scopes

    • Dev scopes - mark specific scopes to be analyzed as dev dependencies

February 1, 2021

NEW - Added the ability to configure a Policy to cause builds to break whenever the specified threshold of security threats is detected; see Policy Management.

FIXED - Fixed agent authentication issue for working with CxServer version 9.3

FIXED - Fixed a bug in the upgrade recommendation logic

NEW VERSION - Checkmarx SCA Resolver version 1.4.14 was released. Download links are available here. The new version includes the following improvements:

  • Added support of the “Exploitable Path” feature for SAST users. This enables you to identify whether or not there is an exploitable path from your source code to a specific open source vulnerability; see Exploitable Path.

  • Added support for Checkmarx SCA “Policies”. This enables you to cause builds to break whenever the specified threshold of security threats is detected; see Policy Management.

  • Added the ability to pass custom parameters to Gradle project scans

  • Improved Gradle robustness in multi-module projects and Gradle wrapper download

  • Fixed BOM issue in composer.json file
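The two policy behaviours described in these notes, complex conditions where a rule is violated only when all of its conditions are met (May 10, 2021) and build-breaking once a threshold of findings is reached (this release), are easy to get wrong in either direction (OR-ing conditions, or breaking on the first hit regardless of threshold). The following is an added example, not Checkmarx code, that models a policy engine with those two semantics. The rule names, finding fields, severities and package names are constructed for the example and do not reflect the product's actual policy schema.

```python
"""Added example: policy rules with AND-ed conditions and a break-build threshold."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A finding joins one package with one vulnerability and the package licence.
# Field names are constructed for the example.
Finding = Dict[str, object]
Condition = Callable[[Finding], bool]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Rule:
    name: str
    conditions: List[Condition]      # ALL must hold for a finding to violate the rule
    action: str = "break"            # "break" fails the build, "warn" only reports
    threshold: int = 1               # violations required before the action fires

    def violated_by(self, finding: Finding) -> bool:
        return all(cond(finding) for cond in self.conditions)


# Reusable condition builders.
def severity_at_least(level: str) -> Condition:
    return lambda f: SEVERITY_RANK[str(f["severity"])] >= SEVERITY_RANK[level]


def is_direct_dependency(f: Finding) -> bool:
    return bool(f["direct"])


def fix_available(f: Finding) -> bool:
    return bool(f["fix_available"])


def license_in(*licenses: str) -> Condition:
    return lambda f: f["license"] in licenses


def evaluate(rules: List[Rule], findings: List[Finding]) -> Dict[str, List[str]]:
    """Return {rule name: ["pkg@version", ...]} for every rule with at least one violation."""
    result: Dict[str, List[str]] = {}
    for rule in rules:
        hits = [f"{f['package']}@{f['version']}" for f in findings if rule.violated_by(f)]
        if hits:
            result[rule.name] = hits
    return result


def breaking_rules(rules: List[Rule], findings: List[Finding]) -> List[str]:
    """Names of rules whose action is 'break' and whose violation count reaches the threshold."""
    violations = evaluate(rules, findings)
    return [r.name for r in rules
            if r.action == "break" and len(violations.get(r.name, [])) >= r.threshold]


# Constructed rule set.
RULES = [
    Rule("critical-direct-with-fix",
         [severity_at_least("High"), is_direct_dependency, fix_available]),
    Rule("copyleft-license", [license_in("GPL-3.0", "AGPL-3.0")], action="warn"),
    Rule("many-mediums", [severity_at_least("Medium")], threshold=3),
]

# Constructed scan findings.
FINDINGS: List[Finding] = [
    {"package": "libfoo", "version": "1.2.0", "severity": "Critical", "direct": True,
     "fix_available": True, "license": "MIT"},
    {"package": "libbar", "version": "0.9.1", "severity": "High", "direct": False,
     "fix_available": True, "license": "Apache-2.0"},
    {"package": "libbaz", "version": "2.0.0", "severity": "Low", "direct": True,
     "fix_available": False, "license": "GPL-3.0"},
    {"package": "libqux", "version": "3.1.4", "severity": "Medium", "direct": True,
     "fix_available": False, "license": "MIT"},
]

if __name__ == "__main__":
    for name, pkgs in evaluate(RULES, FINDINGS).items():
        print(f"{name}: {pkgs}")
    print("build breaks on:", breaking_rules(RULES, FINDINGS))
```

Note that `libbar` is High severity with a fix available but is a transitive dependency, so it does not violate the first rule: one unmet condition is enough to keep a finding out of an AND-ed rule. The third rule fires only because three findings reach Medium; with fewer, the same rule stays silent even though each finding individually matches.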

January 17, 2021

NEW - Policy Management is now GA!

NEW - SCA Agent beta is now available in GitHub and DockerHub.

NEW - Support for .Net 5.0.

IMPROVED - Exploitable Path enhancements.

IMPROVED - Checkmarx SCA Resolver CLI allows you to ignore dev dependencies. For more information, see Checkmarx SCA Resolver Configuration.

IMPROVED - Gradle enhancements: Improved robustness; Support for identification of Gradle dev dependencies.

November 12, 2020

IMPROVED - Checkmarx SCA UI improvements

FIXED - Various bug fixes

October 20, 2020

NEW - Added support for specifying the Python version (2 or 3) in the configuration.

NEW - Dependency resolution now supports Nuget packages.config manifest files.

IMPROVED - Checkmarx SCA Resolver CLI Version 1.2.30 released. For more information, see Checkmarx SCA Resolver Download.

IMPROVED - Improved dependency resolution robustness and fixed several issues.

September 30, 2020

NEW - EU Support – Checkmarx SCA is now deployed in an EU datacenter, in addition to the existing NA one.

NEW - Users can now filter their projects based on assigned teams.

NEW - TeamCity plugin is now available.

IMPROVED - Support improved for Dependency Resolution, in addition to some bug fixes.

August 18, 2020

NEW - Support for Java multi-module projects

NEW - Added Account Settings page presenting: Customer license details & Additional account level configurations

NEW - Added the option (for Checkmarx SCA admins) for blocking any source code upload to the Checkmarx SCA cloud (including UI and GitHub scans)

NEW - Plugins now only send the manifest files and fingerprints to the Checkmarx SCA cloud. The following plugins were released to Technical Support only (not yet GA): Jenkins, CLI, & ADO. For more details, please reach out via the CxPM-SCA mailing list.

IMPROVED - Robust dependency resolution coverage for the following package managers: Maven (Java) & Gradle (Java)

IMPROVED - Reporting page performance improved for large scale deployments.

July 21, 2020

NEW - When creating a GitHub project in the Checkmarx SCA cloud, the user can select which repository branch the project will be based on.

NEW - The Scan Summary tab, added to the Risk Report page, shows the scan progress timeline and the resolving status of the configuration and manifest files.

NEW - Added support for resolving NPM projects managed with Lerna.

NEW - Added support for resolving NPM projects managed with Yarn Workspaces.

NEW - Projects can now be deleted, either one at a time or in bulk.

IMPROVED - The Risk Report page now displays Legal Risk in a filterable column.

FIXED - Fixed an issue in Gradle multi-module projects, which resulted in failure to parse the settings file.

June 16, 2020

NEW - The Reporting page displays one table containing all the vulnerabilities in all the organization’s projects. The information in the table can be searched, filtered, and exported.

IMPROVED - NPM dependency resolution shows partial results, even if some of the dependencies are missing.

IMPROVED - Any public Git URL that can be cloned can be scanned from the Checkmarx SCA Web Application when scanning a General Project.

IMPROVED - A project can be assigned to “All Users,” making it visible to everyone regardless of their team associations.

FIXED - Fixed an issue that prevented filtering vulnerabilities by the Package column from working as expected, if the “Outdated” version option was selected.

June 7, 2020

NEW - The new Jenkins plugin supports the Scan results Dashboard. The plugin is available at https://www.checkmarx.com/plugins/ . For more information, see Checkmarx Plugin for Jenkins.

NEW - Each project can be assigned to one or more teams, and only the members of those teams can view and manage the project.

NEW - The package information on the Reporting page can be sorted and filtered by vulnerability risk levels.

NEW - The package information on the Reporting page can be exported as a CSV file.

FIXED - Child packages of unresolved “Dev” packages are now also marked as “Dev”.

June 2, 2020

NEW - CLI and Jenkins plugins support Checkmarx SCA scanning without any limit on the package size.

NEW - Support for resolving dependencies extended to Gradle Wrapper and multi-module Gradle projects.

IMPROVED - Exported risk report (via Export button) includes more information: scan time, project name, vulnerable package name, and version number. Also removed some possible duplicate entries.

IMPROVED - The UI for creating GitHub projects now displays the account name and the selected projects.

FIXED - Fixed bug that interfered with sorting projects by date when “never scanned” projects were included in the list.

FIXED - Fixed bug causing failures in Scala dependency resolution (SBT).

FIXED - Fixed bug causing .NET manifest files, which had no external dependencies, to be reported as failed.

May 17, 2020

IMPROVED - Any private GitHub repository can be searched when importing a project from a private account

IMPROVED - Package view enhanced

May 13, 2020

IMPROVED - Python dependency resolver enhanced to increase accuracy and remove false positives

IMPROVED - The error messages issued when a Git repository scan fails are now more informative

IMPROVED - Account name is displayed together with the username

IMPROVED - In package view, clicking on the vulnerabilities will open a detailed list of vulnerabilities

FIXED - Fixed bug preventing the manifest file from being available after a risk recalculation

FIXED - Fixed error causing, in rare situations, a vulnerability to be counted twice

April 27, 2020

NEW - Vulnerability tab, including vulnerable package path, references, and CVSS information

NEW - Vulnerability package path shows the other vulnerable packages in the path and their risk levels

NEW - Reporting page available displaying all packages in all the organization’s projects, providing a company-wide inventory of packages

IMPROVED - Risk report page supports multiple tabs for packages and vulnerabilities

IMPROVED - Last Scanned/Date column can be toggled to show relative time since the last scan or the full date

IMPROVED - Added support for Gradle-Kotlin projects with specific memory requirements

FIXED - Fixed situation where the search filter disappears while the table remains filtered

FIXED - Fixed bug preventing, in some cases, some NPM dependencies from being detected

FIXED - Fixed bug causing some YARN scans to fail

FIXED - Fixed bug causing some direct Python packages to be displayed as transitive packages

April 13, 2020

NEW - Checkmarx SCA is now open to the Internet and can be accessed from anywhere

NEW - Users can extract the Scan ID from the metadata section on the Project and Scan Results pages, and include it when submitting support tickets

NEW - Pull Request description includes upgrade content and CVEs fixed in the upgrade

NEW - API to query risk data by package name

IMPROVED - Number of table items displayed is now configurable

IMPROVED - Scan History page now displays the user who performed the scan

FIXED - Cannot create project with duplicate name

FIXED - Graph scales are dynamic, and show whole numbers

FIXED - Fixed security issue on Git clone command

March 16, 2020

NEW - Added permissions and default roles to scan, manage projects, and view results

NEW - Remediation: opening pull requests with fixes available for GitHub projects

NEW - “Recalculate” button that recalculates results for existing projects on demand, without re-scanning the projects

NEW - Jenkins Plugin and Cx Console plugin support Checkmarx SCA! (In beta mode, these plugins do not perform dependency resolution on-prem, but upload the zip file with code to the cloud.)

IMPROVED - SCA CLI (internal) moved to .Net Core 3 and is now available as a single executable

IMPROVED - Scan warning issued when a private Artifactory is not accessible

IMPROVED - UI - New create project screen

IMPROVED - UI - New navigation pane

FIXED - Token timeout alerts fixed

FIXED - Ignoring a vulnerability no longer refreshes the page