9.4.0 Hotfixes

Installation Notes

Notice

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.

  • The relevant hotfix must be installed on the CxManager server(s). In a distributed environment, the hotfix must also be installed on the Web Portal server.

  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes

Category

Resolved Issues

HF20

The source pulling flow step execution time is now improved for cases when using NAS (network attached storage).

Cloning and processing of the repository is performed locally, in a temporary folder, named according to the ScanId. After the files have been processed, they will be copied to the NAS storage, and the local temporary files will be deleted.

The new behavior is configurable through the new configuration key SourcePullingTemporaryPath.

The jQuery UI library was upgraded to v1.13.2.

Checkmarx SAST Portal has been improved with the display of the build version, in addition to displaying the major and minor versions.

Fixed an issue that caused different scan results for SAST machines not configured for the same time zone.

Fixed an issue that allowed unauthorized users access to the following Access Control APIs:

  • GET /AssignableUsers

  • GET /AuthenticationProviders

  • GET /Configurations

  • POST /Users/FirstAdmin

  • GET /LDAPTeamMappings

  • PUT /LDAPServers/{id}/TeamMappings

  • PATCH /LDAPServers/{id}/TeamMappings

  • DELETE /LDAPTeamMappings/{id}

  • POST /Users/ChangePassword

  • POST /Users/ForgotPassword

  • POST /Users/ResetPassword

  • GET /Teams

  • GET /Teams/{id}

  • GET /Users/{id}

HF19

Fixed an issue in the REST API POST /{ProjectId}/sourceCode/remoteSettings/shared that prevented the API from working when a shared folder was set on the manager drive.

Fixed an issue that caused scans to fail when unzipping the projects from shared folders.

Fixed an issue which prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Fixed the Japanese description of a Java High Risk Code Injection query.

Fixed an issue that prevented the selection of Pre and Post Scan actions.

Fixed an issue that caused incorrect data to be returned from the GetScanCompareSummary SOAP API.

Fixed an issue that resulted in displaying incorrect data for a report of a scan subset.

Fixed an issue that occurred when users with the SAST Admin role created presets: an incorrect message was displayed indicating that they were not authorized, although they did have permission and the presets were created successfully.

Fixed an issue in the Checkmarx SAST Portal that caused usernames containing special characters to be displayed incorrectly.

Fixed an issue that caused the SAST to SCA integration to fail when the project name contains the ampersand (&) character.

Fixed the link on the Full Scan Results button, which incorrectly redirected to the Project State page.

The following have been added to Access Control:

  • A multifactor authentication (MFA) feature is now available for providing additional security for SAST and SCA application users. When this feature is enabled, a one-time password (OTP) is required during the login process.

  • An IP Whitelisting feature now enables an organization to restrict access to the SAST and SCA application portals using a predefined IP whitelist, which is stored in the database. All other IPs will be blocked.

Note

  • By default, these features are disabled. See Access Control.

  • Hosted customers can contact the Checkmarx CloudOps team to activate and define the features.

HF18

Performance improvements in the Project configuration screen when loading GIT projects containing large numbers of headers and tags.

Improvements in the scanning mechanism designed to prevent displaying an incorrect number of projects and scans in the Checkmarx Web Portal.

Fixed an issue in the REST API GET sast/results/{id}/comments endpoint that caused an empty list to be returned when the author of the comment was not found.

The Project and Project State pages were improved by correctly listing the scans according to the latest scan date.

Fixed an issue that caused encoded characters to be displayed in the scan report filename when the project name contained Chinese characters.

Added the version number on the inventory libraries list in the HTML OSA report.

HF17

Fixed an issue which caused the report generation to fail.

Fixed an issue that caused the result states of recurrent results to be displayed incorrectly in the following UI dialogs when the severity of the OOTB queries was changed:

  • Scan Compare\Summary table

  • Scan Compare\Results details

Fixed issues with the Results Viewer that caused the user triages, which were associated with either public or private scans, to be hidden after running the Data Retention purge.

Improved the performance of the Results Viewer page by reducing the results loading time.

Fixed an issue that caused the scan duration to be miscalculated for the scan duration report.

Fixed an issue that caused the confidence level to be displayed in the Results Viewer screen incorrectly as 0%. This occurred when the scan was executed for a project that had no source code changes.

The upgrade process has been improved by deleting unnecessary old Log4j files.

The Tomcat version in the Risk Management folder has been upgraded to Apache Tomcat 8.5.76.

HF16

Improved the All Scans view by listing failed scans, which have some results, as partial scans.

Fixed an issue that caused the user to be re-directed to the logout page when downloading a report from the client machine.

The following new API is available for getting the project branching status: ([GET] /projects/branch/{id})

Added a new pre-scan validation for verifying that a project branch has already been created.

Fixed an issue that caused Result states and comments to be lost from the Result Viewer after running the Data Retention purge.

Added a new configuration flag, IncrementalScanMergeUseSimilarityIdWithFilePath, that prevents different results with the same Similarity ID from being merged when comparing the two scans. The flag defaults to false; set it to true to prevent the merging.
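As an added illustration (not Checkmarx code), the following constructed Python model shows how the match key decides whether results from two scans are treated as the same result, with and without the file path in the key; the sample results and their field names are assumptions.

```python
"""Constructed model of matching an incremental scan's results against the
previous scan, keyed by Similarity ID alone or by Similarity ID plus file path.
Illustrative example only, not Checkmarx's implementation."""

# Constructed sample results: the same Similarity ID is reported in two files.
PREVIOUS_SCAN = [
    {"similarity_id": 1001, "file": "src/a/Login.java", "line": 42, "query": "SQL_Injection"},
    {"similarity_id": 1001, "file": "src/b/Login.java", "line": 42, "query": "SQL_Injection"},
    {"similarity_id": 2002, "file": "src/Util.java", "line": 7, "query": "XSS"},
]
CURRENT_SCAN = [
    {"similarity_id": 1001, "file": "src/a/Login.java", "line": 42, "query": "SQL_Injection"},
    {"similarity_id": 3003, "file": "src/c/Api.java", "line": 11, "query": "Path_Traversal"},
]


def merge_key(result, use_file_path):
    """Key that decides whether two results count as the same result.
    use_file_path plays the role of IncrementalScanMergeUseSimilarityIdWithFilePath."""
    if use_file_path:
        return (result["similarity_id"], result["file"])
    return (result["similarity_id"],)


def compare_scans(previous, current, use_file_path=False):
    """Classify results as recurrent (in both scans), new (only in the current
    scan) or fixed (only in the previous scan). Returns sorted key lists."""
    prev_keys = {merge_key(r, use_file_path) for r in previous}
    cur_keys = {merge_key(r, use_file_path) for r in current}
    return {
        "recurrent": sorted(prev_keys & cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "fixed": sorted(prev_keys - cur_keys),
    }


if __name__ == "__main__":
    # With the flag off, src/b/Login.java collapses into the src/a result and
    # is never reported as fixed; with the flag on, it is tracked separately.
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, use_file_path=False))
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, use_file_path=True))
```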

Fixed an issue that caused the wrong file to be displayed when comparing an incremental scan with a previous full scan.

HF15

Fixed an error in the result service log that occurred while calculating the Best Fix Location.

Updated the JavaScript library oidc-client to version 1.11.6 to fix a vulnerability.

Fixed an issue in the parallel scans cancellation mechanism that prevented scans from being cancelled correctly.

Fixed an issue with the /sast/scanWithSettings API endpoint that occurred while uploading a source file that was equal to or greater than 460MB.

Fixed the “Group By” option in the Results Viewer so that it works for all columns.

Fixed a failure in scans from Shared location if the network user's password contained certain special characters.

Fixed an issue that occurred when connecting SAST to the Azure DevOps repository using a PAT (Personal Access Token).

Fixed an issue, which only occurred in HA (High Availability) environments, that caused the scans to stop in the queue at stage #6 (PostScanAction).

The reason was that occasionally the JobsManager service was not synchronized with the ScansManager service. The JobsManager service was selecting and completing PostScanAction tasks before the ScansManager was able to move the ScanRequest to the PostScanAction stage.

Fixed an issue that caused scans to fail where the SAST users did not have permissions to the drive, although they did have permissions to the CxSRC folder.

Fixed the displayed scan result state in OData to be aligned with the Web Portal UI.

In Access Control, updated the JavaScript library oidc-client to version 1.11.6 to fix a vulnerability.

The API calls for GET and POST OIDCClients were optimized. In some cases, where previously a query would run for one full minute, it now runs for only 2 to 3 seconds.

The minimum length for Access Control passwords has been increased to 10 characters. This feature is backward compatible and will affect only new users. Existing users will be affected only when they change their passwords.

HF14

The following libraries have been updated:

  • tomcat-api was updated from 9.0.48 to 9.0.59

  • spring was updated from 4.3.30 to 5.3.18

During the installation of the Hotfix, the ActiveMQ\conf\activemq.xml file is replaced with the new file and the original file is backed up.

If you implemented a configuration for ActiveMQ different from the default configuration, you may need to implement it again in the new activemq.xml file. Furthermore, if your ActiveMQ configuration involved additional customer-created files, you might need to back them up before installing the Hotfix and restore them after the Hotfix installation.

HF13

Fixed an issue introduced in HF10 that caused report generation to fail for some projects.

Fixed a failure in the Data Retention process, which occurred when the Engine Scan Logs Path was set to a shared folder. One way the failure manifested was that scans that were supposed to be deleted were not deleted.

Fixed an issue that caused scans on existing projects to fail because of empty folders in CxSRC, which resulted from failures in the ZIP extract process. This issue only occurred in HA (High Availability) environments.

Fixed an issue that caused a 404 error page to be displayed in the Results Viewer. This would occur in some cases when users attempted to access information about scanned libraries that were also used in projects that were deleted.

Fixed an issue which caused incremental scans to fail on private projects.

Fixed an issue that caused inconsistent behavior with the Download System Logs management in HA (High Availability) environments. The issue occurred when using non-default log locations.

Fixed an issue in Access Control that prevented the creation of OIDC clients using client credentials.

Optimized a query that was previously causing disconnections between SAST and Access Control.

The minimum length for Access Control passwords has been increased from 8 to 10 characters. The increase affects new users, and when existing users change their passwords.

HF12

Fixed an issue that prevented the BFL (Best Fit Location) Graph from being displayed where single quotes were used to define the Name and FullName parameters in the source code.

The System Logs can now be downloaded from user-defined folders instead of only from the predefined folder location.

Fixed an issue so that comments, results, and other updates intended only for private projects are no longer displayed in public projects.

Email notifications for successful scans now include PDF report attachments where the projects have no defined owners.

Fixed an issue so that errors are no longer displayed in the CxPortal when there is a database connection failure.

Implemented changes allowing the Scan Manager service to be automatically restarted after losing its connection to the SAST database. This applies to Windows operating systems that are configured to start the services automatically.

Fixed an issue so that automatic attempts to connect to Access Control are no longer made when the Access Control service is stopped in the IIS Manager.

Fixed an issue that caused scans to fail where the SAST users did not have permissions to the drive, although they did have permissions to the CxSRC folder.

Fixed an error to prevent CxAudit from failing when very large numbers of projects (> 100,000) are defined.

HF11

ActiveMQ has been upgraded to 5.16.4.

During the installation of the Hotfix, the ActiveMQ\conf\activemq.xml file is replaced with the new file and the original file is backed up.

If you implemented a configuration for ActiveMQ different from the default configuration, you may need to implement it again in the new activemq.xml file.

The following libraries have been replaced:

  • log4j-1.2.17 is replaced with reload4j-1.2.19

  • shiro-core-1.5.3 is replaced with shiro-core-1.8.0

  • shiro-spring-1.5.3 is replaced with shiro-spring-1.8.0

  • xstream-1.4.11.1 is replaced with xstream-1.4.19

  • tomcat-servlet-api-9.0.35 is replaced with tomcat-servlet-api-9.0.48

  • tomcat-websocket-api-9.0.35 is replaced with tomcat-websocket-api-9.0.48

HF10

Fixed an issue to prevent the following: 1) scanning ObjC source code as Swift and 2) the interpretation of the source code as Swift. The issue occurred when scanning projects containing the Swift language with the new Swift support disabled (the USE_NEW_SWIFT key set to false) and multiple language support enabled (the MULTI_LANGUAGE_MODE key set to 2).

Fixed an issue in the SAST report generation process that caused minified XML source files to be incorrectly handled, resulting in very large reports.

Fixed an issue that occurred in the Viewer when users attempted to access the vulnerability descriptions, but were incorrectly redirected to project state pages.

Fixed an error in the SAST Web Portal to prevent downloading incorrect scan logs when no code changes are detected by the scan.

The Hotfix (HF) version has been added to the PDF reports.

Scans failed to complete after an Engine Pack upgrade installation, if the SAST 9.4.0 was not installed on the default installation path.

A new parameter was added to the [CxComponentConfiguration] table for controlling updates of the redirection URIs. By default it is set to true, and there is no behavioral change. The feature, controlled by SPRegistration, is triggered when the System Manager service is restarted.

For updating the redirect URIs for existing SAST and Plugin clients, the feature works as follows:

  • If [AccessControlSupportsMultiClusters] is set to true, the [ClientRedirectUris] table is set to Concatenate Mode, in which new entries are added, without deleting old and no longer relevant entries from the table.

  • If [AccessControlSupportsMultiClusters] is set to false, the [ClientRedirectUris] table is set to Override Mode, in which entries that are no longer relevant, such as IPs that are not registered in the system, are deleted, and new entries are added according to the system’s current state.
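The following added Python model (not Checkmarx code) walks through Concatenate Mode and Override Mode on a constructed set of stored redirect URIs and currently registered hosts, and adds a check for entries that only Override Mode would remove; the callback path, host values and function names are assumptions.

```python
"""Constructed model of the two redirect-URI update modes described for the
ClientRedirectUris table. Illustrative example only, not Checkmarx code."""
from urllib.parse import urlparse

# Assumed callback path; the real path used by SAST/plugin clients may differ.
CALLBACK_PATH = "/CxRestAPI/auth/identity/callback"

# Constructed sample: URIs currently stored for a client, and the hosts the
# system currently reports as registered. 10.0.0.9 is a decommissioned node.
STORED_REDIRECT_URIS = [
    "https://10.0.0.5" + CALLBACK_PATH,
    "https://10.0.0.9" + CALLBACK_PATH,
    "https://sast.example.internal" + CALLBACK_PATH,
]
REGISTERED_HOSTS = {"10.0.0.5", "10.0.0.7", "sast.example.internal"}


def current_state_uris(registered_hosts, path=CALLBACK_PATH):
    """Redirect URIs implied by the system's current state."""
    return ["https://" + host + path for host in sorted(registered_hosts)]


def update_redirect_uris(stored, registered_hosts, multi_clusters):
    """Apply the update as the release note describes it.
    multi_clusters=True  -> Concatenate Mode: add new entries, delete nothing.
    multi_clusters=False -> Override Mode: drop entries whose host is no
                            longer registered, then add current-state entries.
    Returns an ordered, de-duplicated list."""
    new_entries = current_state_uris(registered_hosts)
    if multi_clusters:
        kept = list(stored)
    else:
        kept = [u for u in stored if urlparse(u).hostname in registered_hosts]
    merged = []
    for uri in kept + new_entries:
        if uri not in merged:
            merged.append(uri)
    return merged


def stale_uris(stored, registered_hosts):
    """Review helper: stored redirect URIs that point at hosts no longer
    registered. These survive indefinitely under Concatenate Mode."""
    return [u for u in stored if urlparse(u).hostname not in registered_hosts]


if __name__ == "__main__":
    print("concatenate:", update_redirect_uris(STORED_REDIRECT_URIS, REGISTERED_HOSTS, True))
    print("override:   ", update_redirect_uris(STORED_REDIRECT_URIS, REGISTERED_HOSTS, False))
    print("stale:      ", stale_uris(STORED_REDIRECT_URIS, REGISTERED_HOSTS))
```

In multi-cluster deployments the stale list is worth reviewing periodically, since Concatenate Mode never prunes it.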

Fixed a vulnerability in the YUI JavaScript library version 2.9.0 by upgrading OpenID Connect for client-side support (oidc-client) from version 1.6.1 to 1.11.6.

Fixed an issue in Access Control where users who were able to remove the "SAST Auditor" role from other users were unable to reassign the role to any other users.

HF9

Two new permissions (create-project and update-project) were added to Access Control for SAST users, separating the tasks of creating new projects from updating existing projects into two distinct roles. Previously the save-project permission included both creating new projects and updating existing projects, without the possibility of restricting the permissions to one of these tasks.

Fixed an issue that caused OSA scans to fail due to an excess of client connections.

Removed the Restricted Scan option from the OSA Settings.

The Lodash library was updated from version 4.17.20 to 4.17.21.

HF8

Fixed an issue that caused the display of incorrect values for the vulnerability status when comparing two scans.

The Scan ID is now displayed on the Scans List and Scan Summary pages in the CxSAST Web Portal GUI.

Fixed a failure executing PostScanAction while using arguments with quotes ("").

jQuery was upgraded from 3.4.1 to 3.6.0.

jQuery UI was upgraded from 1.12.1/1.12.4 to version 1.13.

Fixed an issue that caused results with comments containing the “+” character to be excluded from the CSV reports.

Triggering a new scan from the plugins will no longer require “create project” or “edit project” permissions.

Fixed an issue on the Projects page that caused an error when displaying the Shared Location.

The following additions are related to project branches:

  • The IS_BRANCHED attribute, for indicating if the project was branched from another project (the source/original project).

  • The ORIGINAL_PROJECT_ID attribute, with information about the source/original project. If IS_BRANCHED = False, the value for ORIGINAL_PROJECT_ID is NULL.

  • The BRANCHED_ON_SCAN_ID attribute, with information about the scan ID of the source project. If IS_BRANCHED = False, the value for BRANCHED_ON_SCAN_ID is NULL.

  • A list of related target projects, if the source/original project is the source of multiple branched projects.

The following additions are related to deleted projects:

  • The isDeprecated attribute enables the CxSAST REST API to retrieve deleted projects.

  • In the response body, the new "isDeprecated" field indicates if the project is deleted or not, where True means it is deleted and False means it is still active.

HF7

Fixed all known log4j vulnerabilities for Management and Orchestration (M&O) by updating Log4J to version 2.17.1.

Fixed an issue causing deadlocks in the SAST database in high availability (HA) environments with over 5K projects, 55K scans, and 190M results.

Fixed an issue preventing SAST from parsing PostScanAction arguments with the result that PostScanAction scripts failed to be executed.

Fixed an issue that caused file paths to fail to be decrypted, resulting in the following message appearing in the scan log: "No dependency contains the given hashed path Parameter name: pathIdentifier". In the past, since this issue did not affect SAST functionality, customers were advised to ignore the message.

Fixed an issue that caused incorrect error messages to be logged when the data retention option was applied to scans which had previously been deprecated.

Fixed an issue that caused discrepancies between automatically and manually generated scan reports, such that the scan duration times displayed for Scan Time were different.

Fixed an issue that caused false negative (FN) results in incremental scans. This occurred where there were two files with the same name, but in different directories, and only one of these files was modified. If the scan results were then checked in the Viewer, the file that was not modified was marked as 'Fixed', instead of correctly being marked as 'Recurrent'.

Checkmarx SAST now includes Swift as an independent language (up until now it was part of ObjC). This Hotfix (9.4.0 HF7) introduces a known visual issue which makes Swift language unavailable in the Checkmarx Web Portal, under the License Details screen. Nevertheless, the support and language scanning remain available as before. If a customer wants to scan with the new Swift support, the SAST 9.4.3 Engine Pack must be installed and the USE_NEW_SWIFT flag must be activated.

HF6

Improved the Incremental scan merge mechanism to avoid classifying, in some edge cases, similar results as two separate results.

Fixed the Post Scan Action which was failing to create reports in LDAP environments.

Square brackets are now supported for filtering projects by name.

Added support to CxRestAPI to correctly parse URLs that begin with the 'failover: url' string. This occurred in High Availability environments.

Fixed an issue that caused, in rare cases, two files to be created when generating a report: one a normal file and the other an empty file.

Fixed an issue that resulted in misleading response messages from API query requests, which occurred when the queries were missing descriptions.

The specific API request: GET /sast/scans/{id}/results/{pathId}/shortDescription

The misleading message: "Result path Id X does not exist for scan with Id XXXXXX"

Closure files, which were scanned in incremental scans, are now being provided as part of the Results Finished message and the Results service supports receiving these files.

HF5

The Engine Pack version is displayed in the application settings. Until now only the major version was displayed.

Fixed an error in the result service log while calculating the Best Fix Location.

Removed a limitation that existed with zip files: before this fix, a zipped source archive containing more than 65535 files would fail.

Fixed a bug which caused the system manager to fail to read the engine configuration if the SAST AIO (All-in-One/Centralized) environment was configured to an external URL.

Fixed a bug which prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Files with the .txt extension are no longer included in the LOC (lines of code) calculation.

Fixed the REST API to allow running OSA scans.

Fixed a bug which caused the report creation to fail when the Path column, in the Projects table, contained more than one xml node for a subfolder.

The XML report has been enhanced with additional information regarding the ‘Queries Details’ and ‘Source Code’.

Queries Details now contains:

  • Risk: What might happen?

  • Cause: How does it happen?

  • General Recommendations: How to avoid it?

  • Source Code Examples.

Source Code now contains:

  • Num of LOCs (number of lines of code): Before and after the vulnerable line.

  • Method Scope: Includes the entire method containing the vulnerable line.

  • File: Includes the entire file that has the vulnerable line.

For these new features, configuration keys were added to the CxComponentConfiguration table in the CxSAST database.

  • To activate the Queries Details feature, set the AddQueryMetaDataToXmlReport configuration key to “true”.

  • To activate the Source Code feature, set the XmlReportSourceLinesRange configuration key to a number larger than 0.

Improved the stability of the incremental scan process where several incremental scans are being triggered in parallel.

The Apache Tomcat version has been upgraded to Apache Tomcat version 8.5.72.

HF4

Now when an Engine Pack is installed, the CX VERSION column in the Web Portal indicates the correct version, which includes the main version and Engine Pack version.

The items in the displayed Projects State page can now be sorted independently of the entire list of Projects State items.

Fixed an issue that prevented a user with a non-sysadmin SQL account from performing an upgrade to the CxSAST database.

Fixed a Web Portal issue that caused the Executables Folder field in the Server Settings panel (Settings > Application Settings > General) to be disabled even when the AllowChangeExecutablesFolder flag was set to True in the database.

Fixed a Web Portal issue that prevented the GIT path, Perforce path, and SMTP Host parameters from being updated from the Server Settings panel (Settings > Application Settings > General).

Fixed a Web Portal issue that caused an error message to appear in the Engine State widget located on the Dashboard/Utilization tab.

The option to edit the AllowChangeExecutablesFolder flag using the CxSAST REST API is now blocked.

HF3

Fixed an issue in Access Control whereby the is_deprecated column value for new users was incorrectly set to NULL instead of 0.

Fixed an issue that occurred when performing an OSA (Open Source Analysis) scan that involved very large numbers of "unresolved libraries". While updating the OpenSourceUnresolvedLibraries table, the database failed because of the overload, and as a result all the other scans failed.

Fixed an issue that caused some characters, which were typed by users into the scan comments, to be replaced by HTML encoded characters. In some cases, the HTML characters caused the Results Viewer page to lock.

Fixed an issue that prevented the Result States from being changed in the OSA (Open Source Analysis) Viewer.

Fixed an issue that occurred when performing OSA (Open Source Analysis) scans that prevented policy violation information from being displayed in the Policy Violations column in the LIBRARIES tab or in the POLICY VIOLATIONS tab.

Scan results can be marked to indicate one of the following result states: “To Verify”, “Not Exploitable”, “Confirmed”, “Urgent” or “Proposed Not Exploitable”. In addition, custom result states can also be defined by the user. Previously, users only required a permission for marking results as "Not Exploitable". Now a dedicated permission is required for each result state, including the user-defined states.

Limitations:

  • This feature does not apply to OSA vulnerabilities. The behavior for OSA remains the same as before installing this Hotfix.

  • If the 'Manage Result State And Assignee' permission was checked before installing this Hotfix, after the Hotfix installation the result states permissions of the new roles will not be checked.

  • OSA restricted scans cannot be performed.

HF2

Fixed the “Group By” option in the Results Viewer so that it works for all columns.

Fixed the displayed Scan Result state in OData so it is aligned with the Web Portal UI.

Fixed the Result Viewer page so that all instances of a selected word are highlighted in the code.

Fixed an issue in the Results Viewer which prevented the total number of active results from being immediately updated after some results are marked as "NOT EXPLOITABLE".

Fixed an issue where team-level query overrides are sometimes saved under incorrect teams.

Fixed an issue in a particular incremental scan which caused a failure in the Results Service (indicated by a ResultsSavingStatus error in the log) preventing the completion of the scan.

Fixed an error which prevented the results of full and incremental scans from merging together.

Added ability to rename the CxServer property to any other name in the Team hierarchy. The renaming must be performed in the database after this Hotfix is applied.

The Origin column, which was part of the audit logs in CxSAST 8.x versions, was added back to CxSAST version 9.4. The values in the Origin column are passed to the login API to populate the CxOrigin and User-Agent headers. The following values are available for the Origin column: WebPortal, cx-CLI, cx-VS, cx-Intelij, Audit, SDK, cx-Eclipse, Sonar, Jenkins, Bamboo, TeamCity, Maven, and Other.

Fixed an issue in the LDAP Settings section of Access Control that prevented users from scrolling through the "Cx Role - LDAP Group DN" mapping entries list in the Advanced Role Mapping window.

A PATCH method was added to the LDAPRoleMappings Access Control REST API, enabling users to add single LDAP role mappings to already existing sets of LDAP role mappings.

Fixed a comma-separated string issue that affected the Okta SAML (Security Assertion Markup Language) integration with Access Control. The issue prevented the IdP (Identity Provider) Authorization and Team Attribute Mapping feature from assigning users to multiple teams. It is now possible to specify multiple team names, using comma separators, so that new users are automatically associated with multiple teams.

HF1

The Tomcat version has been upgraded to Apache Tomcat version 8.5.69.