# Checkmarx SCA Resolver Changelog

## Improvements in Version 1.15.2

• Parameter values are now case insensitive.

• Added a new flag to cause the scan to fail and return exit code 9 when resolution fails for one or more of the manifest files.

• For PIP, fixed a problem with the file path when using the -r flag inside a requirements.txt file.

## Previous Versions


1.14.8

• For Maven, improved log messages.

• For Poetry, added support for version 1.2.

• For Container Scans, updated ImageResolver to version 2.0.1, which includes the following updates:

    • For Dockerfile, we now support scanning of base images from private repositories.

    • Scanning built images using Syft is now fully supported, even when pulling images from private repositories.

1.14.2

• We changed the format of the configuration file from .ini to .yml.

### Warning

We temporarily continue to support .ini format. However, once version 2.0 is released (scheduled for end of February) this format won't be supported. Please make sure to migrate the configuration files in all of your environments to the yaml format by that time.

• Added Syft integration. Use the --use-syft flag in order to use Syft for container image resolution.

• Uses image resolver version 1.0.11.

• Enable adding tags to projects (--project-tags) and scans (--scan-tags).

• The project teams flag (-t | --project-teams) can now be used to update the teams assigned to an existing project. (Previously, it could only assign teams to a new project.)

1.13.4

• For container scan:

    • Uses image resolver version 1.0.7.

    • Added support for resolution of image files without using Dockerfile.

• For Carthage, added authentication for private repositories based on .netrc file.

• For Gradle, improved sub-module resolution.

• For Python, users are now able to specify the version of pipdeptree to be used.

1.12.2

• For Python, Resolver now has a consistent behavior for installing pipdeptree. For Python 2, it installs version 2.2.1; for Python 3 it installs 2.3.1.

• Added support for project method in settings.gradle.

• Resolver now ignores the includeBuild method in the settings.gradle file.

• Improved the way we get the Gradle wrapper version from the distribution URL.


• Container Scan - Resolver now scans containers via a dedicated Container CLI. When you extract the downloaded archive, it now contains an additional executable ImageResolverCli.exe.

### Note

The new architecture does not affect the functionality in any way. When you extract the downloaded archive, it now contains an image resolver executable (in addition to the Resolver executable).

1.11.3

• For Gradle, improved results by preventing Gradle from resolving multiple projects simultaneously.

• For Python:

    • Added support for the Poetry package manager.

    • Added support for PIP to resolve dependencies from the following files: pyproject.toml, setup.cfg and setup.py.

• For Composer, we now attempt to resolve dependencies without running the install command.

1.10.4

• For NPM, fixed a bug related to workspaces.

1.10.2

• Added the --Sca-app-url flag for specifying the URL of the web application. Previously this could only be done via the config file.

• Added the ability to include the password in the config file. Previously this could only be done via the CLI command.

### Tip

It isn't recommended to include a password in clear text in the config file. Instead, you can use an environment variable for the password. Resolver first checks for an environment variable of the specified name, and uses the plain text value only if no variable is found.

• Added the --override-default-excludes flag, for disabling the default file exclusions.

1.9.10

• For Yarn, general improvements in dependency resolution.

• For NPM, added support for NPM workspaces.

• Fixed problems caused by duplicate values for environment variables by overriding saved values when a new value is submitted.

1.9.8

• Fixed issues for SAML authentication on MacOS.

• For NPM, added support for NPM 8.

• Added the ability to skip file analysis when the file is in use.

1.9.2

• For Ivy, added the option to specify the target name and todir, which determine where the reports are written to when resolving dependencies in Ivy.

1.8.15

• We now provide a sha256sum file for each SCA Resolver download, enabling users to verify the integrity and authenticity of the SCA Resolver.

• Added support for resolving Git repositories in Carthage.

• Added support for Yarn lock version 2.

• Fixed problem that KTS files weren’t being resolved for Gradle multi module projects.

• Fixed issue with folder excludes, so that when a folder is excluded, all files inside the folder and all of its sub-folders are excluded.

• In order to prevent scan failures, we no longer change the gradlew and gradlew.bat line endings.
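The sha256sum file introduced in 1.8.15 (above) is only useful if the download is actually checked against it before extraction. The following is an added example, not Checkmarx code: a POSIX shell function that reads a checksum file in the standard `sha256sum` layout (`<hex digest>  <file name>`, an assumed layout), refuses malformed digests and file-name mismatches, and fails closed on a digest mismatch.

```shell
# Added example (not Checkmarx code): verify a downloaded Resolver archive
# against its published sha256sum file before extracting it.
# Assumption: the checksum file holds "<hex digest>  <file name>" on its first line.
verify_resolver_archive() {
  archive="$1"
  sumfile="$2"
  [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
  [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 2; }
  # Expected digest (lower-cased) and the file name it was published for.
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  listed=$(awk 'NR==1 {print $2}' "$sumfile" | sed 's/^\*//')
  # A digest must be exactly 64 hex characters; anything else is a malformed file.
  case "$expected" in
    *[!0-9a-f]*|"") echo "checksum file is malformed" >&2; return 2 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "digest has wrong length" >&2; return 2; }
  # Refuse if the checksum was published for a different file name.
  if [ -n "$listed" ] && [ "$listed" != "$(basename "$archive")" ]; then
    echo "checksum file names '$listed', not '$(basename "$archive")'" >&2
    return 2
  fi
  actual=$(sha256sum "$archive" | awk '{print tolower($1)}')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $archive matches $expected"
    return 0
  fi
  # Any mismatch (truncated download, tampering, wrong file) is a hard failure.
  echo "MISMATCH: expected $expected, got $actual" >&2
  return 1
}
```

A digest confirms that the bytes on disk are the bytes the checksum was computed over; authenticity of the archive depends on obtaining the checksum file over a channel you trust (for example the vendor's HTTPS site) rather than alongside an archive from an untrusted mirror.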

1.8.9

• Container Scan - added support for container images hosted on Microsoft Container Registry (MCR) (e.g., mcr.microsoft.com/dotnet/sdk:latest). See Container Scans.

• Exploitable Path - you can now use the "--proxies" flag with Exploitable Path scans in order to send the traffic through a proxy.

• Added additional Debug logs for commands that are taking too long to execute.

1.8.5

• Container Scan - added support for build arguments in Dockerfile FROM statements using a .env_cxsca-container-build-args file. For more information, see Container Scans.

• Performance improvements for Pip, Sbt, Maven, Bower, Gradle

• For MacOS - fixed path for virtual environment in Pip

1.8.3

1.7.3

• We now allow scanning with SAST using offline mode and then uploading the SAST results file using upload mode.

• Improved multi-module resolution. The origin of dependencies is now specified by the corresponding module.

• Added support for flat multi-module project structure.

1.6.8

• Improved security by fixing a path traversal problem when creating the log file.

• For Carthage, fixed documentation for using GitHub API for resolution. See Installing Supported Package Managers for Resolver | Limitations

• For Sbt, improved method for finding dependency graph.

• For Gradle, fixed the error that caused the default JVM arguments to be used in Checkmarx SCA Resolver. Now these arguments are ignored.

1.6.3

• For NuGet, users can now specify the path to the NuGet CLI executable that they would like to use.

• For Sbt, improved the Sbt multi-module support when using coursier to resolve the dependencies.

1.5.71

• When Checkmarx SCA Resolver runs a scan with Exploitable Path, the Project settings are automatically updated to activate Exploitable Path on the Project level. (Previously, EP needed to be activated for the Project before it could be run in Checkmarx SCA Resolver.)

• For sbt, we no longer change the .sbtopts file in order to force dependency resolution through Ivy. Dependencies will be resolved using the customer’s sbt resolver.

1.5.68

• For Composer, no longer generates autoload files when installing the dependencies.

• For Bower:

    • Improved identification of direct dependencies.

    • Removed the project being scanned from the results.

• For sbt:

    • Changed the command used to identify if sbt is installed to sbt --script-version.

    • Improved dependency resolution in solutions with multiple projects.

• For Carthage, minor improvements in dependency resolution.

1.5.66

• For Carthage, minor improvement in Carthage resolution.

• For Carthage, we implemented a client balancer to support more Github tokens.

• Container Scan - Checkmarx SCA Resolver is now capable of scanning containers (i.e., Docker image files) on which your source code runs. Checkmarx SCA identifies each of the Docker files being used, extracts all layers of each image file and identifies the packages used by each layer. To run the containers scan, you need to add the --scan-containers flag to the run command.

1.5.62

• For Gradle, the "-Dorg.gradle.jvmargs=-Xmx1g" parameter is no longer used by default in the command executed by Gradle. If you would like to add this parameter, you can do so using the following custom Gradle parameter: --gradle-parameters '-Dorg.gradle.jvmargs=-Xmx1g'.

• Nuget projects can now be resolved through Nuget CLI when resolution through dotnet is not available.

• For Yarn, parsing of the yarn.lock files now allows properties inside quotation marks.

1.5.57

• General improvements for NPM/Lerna

• The “--ignore-dev-dependencies” flag now supports ignoring dev dependencies for Yarn

• Improved error message when a project is assigned to a team that is not accessible or does not exist

1.5.52

• Windows binaries are now signed by Checkmarx

• Added ability to export an SBOM report (CycloneDx format)

• Improved package resolution for Carthage

• Fixed issues with package manager proxies

• Fixed container scan default namespace for dockerhub

1.5.45

• Nuget scans now support multiple “nuget.config” files in a project.

• The Checkmarx SCA Resolver installation files are created using a new method that adds the necessary dependencies to the zip for execution.

1.5.42

• PIP

• Nuget

• SwiftPM

• SBT

• Carthage

• Fixed issue so that disabling code uploads no longer interferes with Resolver’s ability to send scan results to the cloud.

1.5.38

• Added support for providing a proxy to be used for requests. It is supported for the following package managers:

    • Maven

    • Ivy

    • Bower

    • Composer

    • NPM

    • Yarn

    • CocoaPods

• For Ivy, Checkmarx SCA Resolver no longer creates a temporary folder

• Added support for scanning projects using SwiftPM

• Added support for scanning projects using CocoaPods

• Added support for scanning projects using Carthage

1.5.29

• Resolver now identifies “test” dependencies by path

• For Gradle wrapper projects, fixed issue for handling packages when the system doesn’t have Gradle installed

• Fixed issue that the “extract compressed folder” feature had been deleting paths that were previously extracted

1.5.27

• Adjusted the default exclusion patterns to more precisely match the desired folder names

• For NPM, can now handle invalid file exceptions

• For Ivy, now copies all files to a temporary folder

1.5.25

• For Ivy, general improvements

• Improved scan performance for large projects

1.5.23

• For Gradle, fixed handling of orphan packages

• For Ivy, added ability to pass custom parameters

1.5.20

• For Gradle, fixed submodule identification

• Fixed issue with scans failing when policy violation couldn’t be evaluated

• Checkmarx SCA Resolver version is now always included in logs

• Added a flag to bypass Checkmarx SCA Resolver exit code when an error occurs

1.5.12

• For Gradle, added flag to tag dependency group as plugin, and other general improvements

• For Nuget, fixed exception when packages.config is empty

• For NPM, added support for Shrinkwrap files

• For Yarn, improved workspace search

• For Composer, general improvements

• Fixed deserialization exception in “Upload” mode

• Fixed async error handling for “create scan”

• The auto-generated file for “Offline” mode now uses new naming conventions

• General improvements in Checkmarx SCA Resolver UX

1.5.7

• Checkmarx SCA Resolver now uses the "--all" flag to force npm to list all dependencies (i.e., revert to version 6 results)

• For Yarn, general improvements

• Added support for Ivy package manager

1.5.4

New features in 1.5.4

• There is now an option to run Checkmarx SCA Resolver in “Offline” mode. When a scan is run in “Offline” mode, it can then be run in “Upload” mode at a later time to execute the scan.

• When you run a scan using Checkmarx SCA Resolver, you can now set flags to export a comprehensive Risk Report of the scan results in json, xml, csv, or pdf format.

Improvements and bug fixes in 1.5.4

• Improved result parser for Bower

• Can now handle the exception when trying to extract compressed files that require a password

• Fixed bug causing scan to get stuck when Maven was not available

• Pip now resolves Python requirement files which contain an '-r' flag

• Fixed log name to include the local timezone of the machine (as opposed to showing UTC)

1.4.41

• Added ability to pass custom parameters to Maven

• Fixed password leak to log

• Fixed argument parsing while replacing '_' with '-'

• For npm, transitives of dev dependencies are now tagged as dev

1.4.34

• For Nuget, we now ignore project references inside of .csproj files

• For PIP, we now detect files with the following file names: “requirement-*.txt” and “requirements-*.txt”

• For Composer, the vendor folder is now ignored by the scanner

• Logs are now saved in ScaResolver path by project name unless a fully qualified path is configured in the "LogsDirectory" configuration

1.4.28

• For Exploitable Path scans, users now have the option of providing the SAST Project name instead of the Project ID

• Exclude scopes - include all scopes other than the specified exclusions

• Include scopes - include only the specified scopes

• Dev scopes - mark specific scopes to be analyzed as dev dependencies

1.4.23

• Added ability to pass custom parameters to Bower, Composer, Lerna, NPM, Nuget, Pip, Sbt, and Yarn project scans

• SCA scans now extract compressed files of type .zip, .war, .ear. Also, the user can add a flag to specify custom file types for extraction.

• For Exploitable Path scans, the config file key "OldResultsThresholdMinutes" was added, enabling users to customize the time period for which SAST results are checked. By default, this is now set a

• Changed "Invalid SAST settings" to warning level instead of error

• Fixed NPM package-lock.json display error

• Fixed errors causing scan failures in Gradle, Bower and Maven

1.4.14

• Added support of the “Exploitable Path” feature for SAST users. This enables you to identify whether or not there is an exploitable path from your source code to a specific open source vulnerability, see Exploitable Path.

• Added support for Checkmarx SCA “Policies”. This enables you to cause builds to break whenever the specified threshold of security threats is detected, see Policy Management.

• Added the ability to pass custom parameters to Gradle project scans

• Fixed BOM issue in composer.json file

1.3.5

• NPM: Fixed a package relationship issue

• Improved Dev Dependencies

• CLI: Added a flag to exclude Dev Dependencies in a pre-scan stage (e.g., -i or --ignore-dev-dependencies)

1.2.41

• Fixed identification metadata (metrics)

1.2.40

• Using a more generic method for grabbing the Gradle wrapper version

• Improved npm robustness in the Linux CLI

• Support for the Gradle findProject directive

1.2.38

• Fixed a bug that occurred when running Gradle under Windows.

• Fixed a bug that occurred when running NuGet under Windows.

1.2.34

• Various bug fixes implemented.

1.2.30

• Dependency resolution now supports Python requirement.txt files.

• Dependency resolution now supports Nuget packages.config manifest files.

• Added support for specifying the Python version in the configuration.

• Several bug fixes implemented for the dependency resolution.

1.2.3

• Minor dependency resolution bug fixes

• -v shows the version

1.1.13

• Renamed to SCA Resolver. Now prints the scan ID and shows the URL of the risk report.

1.1.8