
Release Notes for 9.5.0

Version 9.5.0 includes the following updates:

Enterprise Updates for 9.5.0 (New Features and Enhancements)

CxSAST Engine


.NET 6

Since .NET Core 3.1 reaches EOL (end of life) at the end of 2022, Checkmarx SAST has been transitioned to .NET 6.

.NET 6 includes the following benefits:

  • Improved Security

  • Improved Performance

  • Introduces Hot Reload - a faster way to view changes

  • C# 10 with which developers can make code simpler and more expressive

  • Support for three years

With the .NET 6 platform there will be a performance increase for either Centralized or Distributed installations, with a corresponding 15-20% increase in memory and CPU usage.

Note: .NET 6 works only with Visual Studio 2022 and later versions.

Linux OS - Fedora v33

Since Fedora v33 does not support .NET 6, Checkmarx SAST Version 9.5.0 will not support Fedora v33.

Linux OS - CentOS 8

Since CentOS 8 has reached EOL (end of life), Checkmarx SAST will be phasing out support for CentOS 8 in one of the upcoming Engine Packs.

New Improved Flow

In 9.5.0 the transition to the New Improved Flow is complete, meaning that all languages will be scanned with the New Improved Flow enabled.

Engine Configuration and Logs Refactoring

The engine configuration was improved: we reduced the number of configuration keys by ~10%, renamed some keys, and added better descriptions for easier maintenance and use.

Engine Modernization

This is our ongoing effort to improve the engine in several aspects, including performance, memory usage, and faster scans. We are also refactoring the DOM in order to achieve DOM persistency at a later stage.

Check available disk space before scanning

Previously when a new scan was being triggered, the system did not indicate whether the engine machine had enough disk space for executing the scan.

Now the following threshold validations must be met before scanning, otherwise the engine will go offline:

  • The source drive disk space is above the minimum threshold (an absolute value).

  • The scan drive has the minimum required space for the source code including all the files that will be created during the scan, such as logs and results.

Prevent Engine from running with a previous version

An engine will be marked as "offline" if the engine version (major, minor and revision) is not equal to the latest engine pack installed. On the SAST portal, on the Engine Management page, an error message will appear next to a yellow exclamation mark explaining why the engine is offline.

Languages and Frameworks

Regarding supported languages and frameworks, in 9.5.0 we are delivering all the previous content delivered in Engine Packs 9.4.1, 9.4.2, 9.4.3, 9.4.4 and 9.4.5.

The content includes the following:

  • Python frameworks Django and Flask

  • Improved support for preset MISRA C 2012

  • New languages support for RPG and Scala (and Finagle framework)

  • Improved Swift support

  • TypeScript 4.5

  • Angular 11 and 12

  • Kotlin 1.5 and 1.6

  • Java frameworks improvements: Struts, Spring, JSP and JSF

  • Improved C# queries for partial support for the latest version of .NET Core 5 and 6

  • Compliance improvements (presets and standards)

All supported code Languages & Frameworks versions can be found on the dedicated page.

CxSAST Application

Results Viewer Usability Enhancements

The Results Viewer is enhanced with the following features:

  • The Similarity ID is displayed in a new column in the Results Viewer.

  • The Similarity ID is now included in the displayed details.

  • A message is provided indicating that sources were deleted.

See Usability Enhancements.

Assigned to User in the Report Generation

Previously when generating a report through the Checkmarx Portal, the label “Assign to User“ was displayed in the “Data Report Settings”. This label is now “Assigned to User“.

See Generating Scan Result Reports.

Portal User Settings Persistence

The SAST Web Portal user experience has been improved by enhancing several custom user settings with persistence.

Instead of being reset to their default states each time the pages reload, custom settings in the Scans, Projects, and Results Viewer pages now persist even when switching between pages, closing the browser, or logging off and then logging back in again.

See Portal User Settings Persistence.

Permissions for Creating and Updating Project Configurations

Currently, the save-project permission enables the user to create and save a project.

Starting in 9.5.0, the following additional permissions are available:

  • create-project: allows creating projects

  • update-project: allows editing projects

Permissions for Managing Custom Result States

It is now possible to add, modify, delete and retrieve custom result states using the following APIs:

  • [GET] /sast/resultStates

  • [POST] /sast/resultStates

  • [PATCH] /sast/resultStates/{id}

  • [DELETE] /sast/resultStates/{id}

Project Branch Details

If the project is a branch (created through the Checkmarx Portal), the Original Project Name and Branched on Scan Id are displayed in the Project screen on the General tab. These fields are displayed only when viewing the project configuration; they are informative and not editable. The new fields are not available when creating a project.

Scan Id and Preset Details

Scan Id information is now available in the Checkmarx Portal, from the following views:

  • All Scans List

  • Project Scans List

  • Scan Summary (available from the Project Scans List)

The preset name is now available in All Scan List.

XML Report Improvements

XML reports were improved to provide additional information.

The following query details were added:

  • Risk: What might happen

  • Cause: How does it happen

  • General Recommendations: How to avoid it

  • Source Code Examples

To provide these details, a flag called AddQueryMetaDataToXmlReport must be enabled in the database (CxComponentConfiguration table). By default the value is false.

Additional source code scope was added. The XML reports generated by the SAST application contain the line of source code for every vulnerability node. The new feature allows adding not only that specific line but also additional lines above and below it. For this purpose, the configuration flag XmlReportSourceLinesRange was added to the CxComponentConfiguration table. By default, the value is 0.

Post Scan Actions Improvements

When defining a “Run post scan action“ in the project settings, it is now possible to define the following:

  • Conditional Actions - To set a condition for when the post scan action will run, enable the “Run only if the scan has new results with a minimal severity of“ option and select the severity level from the drop-down list. With this rule defined, the post scan action is triggered only after a successful scan that found new vulnerabilities which did not appear in the previous successful scan. For the first scan executed, the post scan action will run regardless of the “Run only if the scan has new results with a minimal severity of“ condition.

  • Arguments - Optionally, additional arguments to the post scan action can be specified in the Post scan action arguments field. By having this option, you can set arguments which are project specific. These arguments can be added in addition to the ones specified at the post scan action level.

  • API Changes - The following APIs were changed to accommodate the new options:

    • REST API (v4)

      • [POST] sast/scanSettings

        • New fields added as parameters:

          • postScanActionConditions

          • postScanActionArguments

        • Permission needed:

          • save-project or update-project

      • [PUT] sast/scanSettings

        • New fields added as parameters:

          • postScanActionConditions

          • postScanActionArguments

        • Permission needed:

          • save-project or update-project

      • [POST] sast/scanWithSettings

        • New fields added as parameters:

          • runPostScanOnlyWhenNewResults

          • postScanActionArguments

        • Permission needed:

          • save-sast-scan

      • [GET] sast/scanSettings/{projectId}

        • New fields added in the response:

          • postScanActionConditions

          • postScanActionArguments

        • Permission needed:

          • save-project or update-project or save-sast-scan

    • SOAP API

      • Portal - CreateNewProject - Inside the ProjectConfiguration parameter in the ScanActionSettings/ScanAction type, the following new fields are available:

        • PostScanActionConditions

        • PostScanActionArguments

      • Portal - GetProjectProperties - Inside the ProjectConfiguration parameter, the following new fields are available:

        • PostScanActionConditions

        • PostScanActionArguments
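
The conditional rule described under Conditional Actions, modelled as an added example (not Checkmarx code). It assumes that a result counts as "new" when its Similarity ID is absent from the previous successful scan, that severities are ordered Info < Low < Medium < High, and that a failed scan never triggers the action; all names and sample scans are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed severity ordering for the "minimal severity" comparison.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    similarity_id: int  # assumed stable identity of a result across scans
    severity: str


@dataclass(frozen=True)
class Scan:
    succeeded: bool
    findings: Tuple[Finding, ...] = ()


def post_scan_action_due(current: Scan,
                         previous_successful: Optional[Scan],
                         min_severity: str) -> Tuple[bool, str]:
    """Model of the conditional rule: returns (run_action, reason)."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {min_severity!r}")
    if not current.succeeded:
        # Assumption: only successful scans can trigger the action.
        return False, "scan did not succeed"
    if previous_successful is None:
        # First scan of the project: the condition is not evaluated.
        return True, "first scan"
    known = {f.similarity_id for f in previous_successful.findings}
    threshold = SEVERITY_RANK[min_severity]
    new = [f for f in current.findings
           if f.similarity_id not in known
           and SEVERITY_RANK[f.severity] >= threshold]
    if new:
        return True, f"{len(new)} new result(s) at or above {min_severity}"
    return False, "no new results at or above threshold"


# Constructed sample scans.
BASELINE = Scan(True, (Finding(1001, "High"), Finding(1002, "Low")))
SAME_PLUS_LOW = Scan(True, BASELINE.findings + (Finding(1003, "Low"),))
NEW_HIGH = Scan(True, BASELINE.findings + (Finding(1004, "High"),))
FAILED = Scan(False, (Finding(1005, "High"),))

if __name__ == "__main__":
    for scan, sev in [(SAME_PLUS_LOW, "Medium"), (NEW_HIGH, "Medium")]:
        print(post_scan_action_due(scan, BASELINE, sev))
```

A new Low result does not trigger the action when the threshold is Medium, so an alerting pipeline hung off the post scan action only sees findings at or above the configured severity.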

Source Pulling Performance Improvement for NAS

During source pulling processing, the source repository is cloned to a temporary CxSrc folder where the JobsManager processes it for data such as LOC (lines of code), exclusions, and deletions.

When the CxSrc is configured to use the NAS (Network Attached Storage) for HA (High Availability) environments or DR (Disaster Recovery) purposes, the cloning and JobsManager processes run directly on the NAS. Running these operations over the NAS consumes a large amount of network bandwidth and disk IOPS (input/output operations per second), which reduces performance and can become a bottleneck for systems using NAS storage.

To reduce this bottleneck, the new Source Pulling Performance Improvement feature provides an optimized way to execute the source control cloning and processing steps locally, instead of over the NAS.

See Source Pulling Performance Improvement - Cloud/NAS.

Parallel Scan Feature

When running multiple scans of the same project on the same source code, users often require that only the newest or oldest scan be kept, and that the remaining parallel scans be cancelled. An issue was fixed that caused multiple scans (such as the two oldest scans) to be kept.

In this release:

  • When setting Keep New (Creating Project -> Advanced Actions tab -> Parallel scan cancellation mode), only the newest scan finishes, while other scans are cancelled.

  • When setting Keep Old (Creating Project -> Advanced Actions tab -> Parallel scan cancellation mode), only the oldest scan finishes, while other scans are cancelled.

Forcing Scans for Environmental Changes with No Code Changes

Typically, when a scan is triggered in a schedule or from an API call, the source code files are compared to the previous scan. If no code changes are detected the scan is skipped, and all results are copied from the previous scan. However, even if there are no changes to the code, there might be changes to the environment or configuration that could affect the scan results. The new feature allows scans to be triggered even when the changes do not directly affect the code.

See Forcing Scans for Environmental Changes

Services Availability - SAST Application Dashboard using Prometheus Metrics and Grafana

This release supports monitoring the status of SAST services running on each machine.

See SAST Application Dashboard- Using Prometheus Metrics and Grafana

Log Enhancements with Kibana Dashboards

The capabilities provided by the CxSAST structured logs have been extended with Kibana Dashboards. The following dashboards are now available, improving troubleshooting efforts by providing more detailed information about the various phases of the scans, ultimately resulting in more efficient root cause analysis:

  • Log statistics per application component

  • Scan time duration per stage

See 9.5 Log Enhancements.

Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and queries according to presets for this version.

See Vulnerability Queries for 9.5.0

CxSAST Access Control

Password length

The minimum password length was changed to 10 characters.

This change does not affect existing users; it applies only to new users and to existing users when they renew their passwords.

Supported Code Languages and Frameworks for 9.5.0

The following code languages can be scanned using CxSAST v9.5.0:


Primary Languages

Secondary Languages


File extensions

  • Java

  • J2SE

  • J2EE

  • JSP

  • JavaScript

  • VBScript

  • PL\SQL

  • HTML5

  • ATG DSP Taglib

  • GWT

  • Hibernate

  • Google Guice

  • Java Server Faces (JSF)

  • JSP

  • JSTL FMT Taglib


  • MyBatis

  • PrimeFaces

  • Spring Boot

  • Spring MVC

  • Spring

  • Struts

  • Velocity

  • .java

  • .jsp

  • .jspf

  • .jsf

  • .tag

  • .tld

  • .mf

  • .xhtml

  • .vm

  • .gradle

  • .properties

  • .xml

  • C#

  • VB.NET


  • JavaScript

  • VBScript

  • PL\SQL

  • HTML5

  • ASP.NET Core

  • ASP.Net Core Razor

  • ASP.Net MVC framework

  • Enterprise Libraries

  • ComponentArt

  • Entity framework

  • Hibernate.Net

  • Infragistics

  • iBatis

  • Telerik

  • .cs

  • .cshtml

  • .xaml

  • .vb

  • .config

  • .aspx

  • .ascx

  • .asax

  • .tag

  • .master

  • .xml

  • ASP

  • JavaScript [**]

  • VBScript

  • PL\SQL

  • HTML5

  • ASP.Net MVC Framework

  • .asp

  • .inc

  • VB6

  • .bas

  • .vbp

  • .frm

  • .cls

  • .dsr

  • .ctl

  • C/C++


  • C++ MISRA

  • Informix ESQL/C

  • MySQL

  • .cpp

  • .c

  • .cc

  • .c++

  • .cxx

  • .hpp

  • .hh

  • .h++

  • .hxx

  • .h

  • .ec

  • .cmake

  • .pro

  • .ac

  • .am

  • .txt (related to CmakeLists)

  • PHP


  • bWapp

  • CakePHP


  • Kohana

  • Symfony

  • Smarty

  • Zend

  • .php

  • .php3

  • .php4

  • .php5

  • .phtm

  • .phtml

  • .tpl

  • .ctp

  • .twig

  • .inc

  • .cgi

  • Apex

  • VisualForce

  • Lightning (Aura)

  • Lightning Web Components

  • .apex

  • .apexp

  • .apxc

  • .page

  • .component

  • .cls

  • .trigger

  • .tgr

  • .object

  • .report

  • .workflow

  • .-meta.xml

  • .xml

  • Ruby

  • Ruby on Rails

  • .rb

  • .rhtml

  • .rxml

  • .rjs

  • .erb

  • .cgi

  • .lock

  • JavaScript/Typescript

  • Ajax

  • Angular

  • AngularJS

  • Backbone

  • Cordova / PhoneGap

  • Handlebars

  • Hapi.JS

  • JQuery

  • Knockout

  • Kony Visualizer

  • Node.js

    • Buffer

    • CryptoJS

    • ExpressJS

    • File System (Fs)

    • Hapi

    • Mongodb

    • OracleDB

    • Sequelize

  • Pug (Jade)

  • React Native

  • ReactJS

  • SAPUI5

  • VueJS

  • XS (SAP)

  • .js

  • .jsx

  • .htm

  • .html

  • .json

  • .ts

  • .tsx

  • .aspx

  • .ascx

  • .xsjs

  • .xsjslib

  • .xsaccess

  • .xsapp

  • .app

  • .evt

  • .cmp

  • .hbs

  • .handlebars

  • .jade

  • .pug

  • .vue

  • .xml

  • .vbs

  • .aspx

  • .ascx

  • .asp

  • .cshtml

  • .html

  • .htm

  • .master

  • Perl

  • .pl

  • .pm

  • .plx

  • .psgi

  • .cgi

  • Android (Java)

  • Volley

  • .java

  • .kt

  • Objective C

  • Swift

  • .m

  • .h

  • .swift

  • .xib

  • .plist

  • .html

  • .htm

  • .pls

  • .sql

  • .pkh

  • .pks

  • .pkb

  • .pck

  • Python

  • JavaScript

  • VB script

  • PL\SQL

  • Django

  • Flask

  • .py

  • .gtl

  • .csv

  • .latex

  • .tex

  • .html

  • .xml

  • .txt

  • Groovy

  • JavaScript

  • VB script

  • PL\SQL

  • .groovy

  • .gsh

  • .gvy

  • .gy

  • .gsp

  • .gradle

  • Scala

  • Akka

  • Finagle

  • .scala

  • .conf

  • GO Language

  • Protobuf

  • .go

  • Kotlin

  • Ktor (Server Side)

  • Vert.x (Server Side)

  • Spring

  • .kt

  • .kts

  • .mustache

  • .ftl

  • .xml

  • Cobol

  • .cbl

  • .cob

  • .eco

  • .pco

  • .sqb

  • .cpy

  • RPG

  • .rpg

  • .rpg38

  • .sqlrpg

  • .rpgle

  • .sqlrpgle

  • .dspf

Supported Code Languages and Frameworks (CxOSA)

CxOSA analyzes the open sources using the following methods:

  • Analyzes the open source third parties themselves, supported in the languages list below.

  • Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.

The following open source code analysis languages and package managers can be analyzed using v9.3.0:


[Tables of supported languages and package managers with their file extensions. The language and package manager names were shown as logo images and did not survive; the surviving text entries are Jar files, DLL files and nupkg files (file extensions) and the logo captions for React, yarn, Composer, sbt and Bower.]

Codebashing - Application Security Training Platform

For supported code for Codebashing, refer to the Codebashing documentation.

API Updates for 9.5.0


Table 1. REST API



Get a query version code (for BFL service)

[GET] /queries/queryVersionCode - To get the id and the query version code.

The endpoint receives as input the following parameters:

  • Language

  • Severity

  • Query name

The response will include:

  • queryId

  • queryVersionCode

Lock a scan

[PUT] /sast/lockScan - Enables locking a scan.

The endpoint receives the scan id as input and returns as response:

  • Boolean (true if the scan is now locked, false if the request failed)

  • Error message (in case of failure)

Unlock a scan

[PUT] /sast/unLockScan - Enables unlocking a scan.

The endpoint receives the scan id as input and returns as response:

  • Boolean (true if the scan is now unlocked, false if the request failed)

  • Error message (in case of failure)

List all scheduled jobs

[GET] /sast/sheduledJobs - To get the list of all scheduled jobs.

As a response, the endpoint returns details for: project name, project Id, scan frequency, scan days and scan time.

Get the timestamp for result updates

[GET] /sast/resultPathCommentsHistory - Enables getting the comment and timestamp for the result update.

Pull license data

[GET] /serverLicenseData - Enables pulling license data details.

The endpoint does not receive inputs.

The response contains details and information for the following:

  • Edition: SDLC or SecurityGate

  • Expiration Date

  • LOC

  • HID

  • OSA License: Enabled or disabled

  • OSA License Expiration Date

  • Supported Languages

  • Users: Available and In Use

  • Auditors: Available and In Use

  • Projects: Maximum Allowed and In Use

Get branch status

[GET] /projects/branch/{id} - To get the project branching status.

Receives as input the project ID of the branched project.

Returns as response the following information (based on details stored in [CxDB].[dbo].[ProjectBranchTree] table):

  • id: id column from [CxDB].[dbo].[ProjectBranchTree] table

  • originalProjectId: contains the Id of the original project

  • branchedOnScanId: shows the scan Id where the project was branched from the original project

  • branchedProjectId: shows the Id of the branched project

  • timestamp: when branch starts

  • status: composed of Id and value. Possible values are: 0 - started; 1 - In Progress; 2 - Completed; 3 - Failed

  • errorMessage: If an error is returned when creating the branch.

Force Scan on no-code changes

[POST] /projects/{id}/forceScanOnNoCodeChanges - Sets the next scheduled scan for the project to bypass the “no code changes” scenario.

See Forcing Scans for Environmental Changes


Table 2. SOAP API



Portal - CreateNewProject

Inside ProjectConfiguration parameter in ScanActionSettings/ScanAction type there are two new fields available:

  • PostScanActionConditions

  • PostScanActionArguments

Portal - GetProjectProperties

Inside ProjectConfiguration parameter, two new fields are available:

  • PostScanActionConditions

  • PostScanActionArguments


Table 3. ODATA API



Tracking the age of vulnerabilities

To track the age of vulnerabilities, the vulnerability detection date was added to each Result metadata in OData. This can be helpful for customers that have internal SLAs and rules where the age of the vulnerabilities determines compliance with their enterprise's policies. It is possible to build queries to get the detection date of specific vulnerabilities.
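
An SLA check built on the detection date, as an added example (not Checkmarx code). The field names `Id`, `Severity` and `DetectionDate`, the SLA limits and the sample records are all constructed assumptions; map them to the properties your OData query actually returns.

```python
from datetime import datetime, timezone

# Constructed SLA policy: maximum allowed age in days per severity.
SLA_DAYS = {"High": 30, "Medium": 90, "Low": 180}

# Constructed sample records; field names are hypothetical stand-ins
# for the Result metadata returned by an OData query.
SAMPLE_RESULTS = [
    {"Id": 101, "Severity": "High", "DetectionDate": "2022-01-10T08:00:00Z"},
    {"Id": 102, "Severity": "High", "DetectionDate": "2022-03-01T12:30:00Z"},
    {"Id": 103, "Severity": "Medium", "DetectionDate": "2021-11-20T00:00:00Z"},
    {"Id": 104, "Severity": "Low", "DetectionDate": None},
    {"Id": 105, "Severity": "Low", "DetectionDate": "2022-02-15T09:15:00Z"},
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; 'Z' is rewritten for older Pythons."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assume UTC when unspecified
    return dt.astimezone(timezone.utc)


def sla_report(results, now, sla_days=SLA_DAYS):
    """Return (breaches, undated).

    breaches: results older than their severity's limit, most overdue first.
    undated:  ids with no detection date, reported instead of silently passing.
    """
    breaches, undated = [], []
    for r in results:
        if not r.get("DetectionDate"):
            undated.append(r["Id"])
            continue
        limit = sla_days.get(r["Severity"])
        if limit is None:
            continue  # severity not covered by the policy
        age = (now - parse_utc(r["DetectionDate"])).days
        if age > limit:
            breaches.append({"Id": r["Id"], "Severity": r["Severity"],
                             "age_days": age, "overdue_days": age - limit})
    breaches.sort(key=lambda b: b["overdue_days"], reverse=True)
    return breaches, undated


if __name__ == "__main__":
    now = datetime(2022, 3, 15, tzinfo=timezone.utc)
    breaches, undated = sla_report(SAMPLE_RESULTS, now)
    for b in breaches:
        print(b)
    print("no detection date:", undated)
```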