
Previous Checkmarx One Release Notes

Status

Item

Description

NEW

CI/CD tools

Until official plugins are developed, Checkmarx One CLI scans can now be integrated with the following CI/CD tools:

  • Bamboo

  • Maven

  • Sonar

  • Gitlab

  • Bitbucket Pipes

A repository with a CLI integration example for each CI/CD tool is available.

NEW

SCM

SCM project settings now support branch configuration.

Release of December 05 2021

This release introduces the ability to configure scanner parameters for the SAST, SCA, and KICS at four different levels, multiple usability enhancements, and other improvements.

Key improvements

Scanners configuration

Scanner parameters for SAST, SCA, and KICS are now configurable at four levels, each of which overrides the one before it:

  • Environment: Default configuration at the environment level.

  • Tenant: Default configuration for a specific tenant. It is derived from the environment scans configuration and can be overridden by the administrators only.

  • Project: Default configuration for a specific project to be applied to all the scans initiated on this project. The default project configuration is derived from the tenant scans configuration and can be overridden by users with the relevant role.

  • Config-as-Code: Checkmarx YAML file in the source repository (under .checkmarx/config.yml). These parameters are applied at the scan level.
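How the four levels above resolve into the parameters one scan actually uses, as an added example that is not Checkmarx code: each level overwrites the previous one, and the portal checks who may write each level. Role names, parameter names and the dict standing in for the parsed config.yml are assumptions.

```python
# Added example (not Checkmarx code): resolving scanner parameters across the
# four configuration levels. Role and parameter names are hypothetical.
from typing import Dict, Iterable, Tuple

# Lowest to highest precedence: each level overrides the one before it.
LEVELS = ("environment", "tenant", "project", "config-as-code")

# Portal roles allowed to set values at each level (hypothetical names).
# Config-as-code is read from the repository, so no portal role gates it.
ROLES_ALLOWED_TO_SET = {
    "environment": {"platform-operator"},
    "tenant": {"admin"},
    "project": {"admin", "project-manager"},
}


class ConfigPermissionError(Exception):
    """Raised when an actor tries to override a level its roles do not allow."""


def can_override(level: str, actor_roles: Iterable[str]) -> bool:
    """True if at least one of the actor's roles may write the given level."""
    if level == "config-as-code":
        return True
    return bool(set(actor_roles) & ROLES_ALLOWED_TO_SET[level])


class ScanConfigResolver:
    def __init__(self) -> None:
        # layers[level][scanner][parameter] = value
        self.layers: Dict[str, Dict[str, Dict[str, object]]] = {lvl: {} for lvl in LEVELS}

    def set_param(self, level: str, scanner: str, key: str, value: object,
                  actor_roles: Iterable[str] = ()) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown configuration level: {level}")
        if not can_override(level, actor_roles):
            raise ConfigPermissionError(
                f"roles {sorted(actor_roles)} may not override the {level} configuration")
        self.layers[level].setdefault(scanner, {})[key] = value

    def load_config_as_code(self, scanner: str, params: Dict[str, object]) -> None:
        """Apply parameters parsed from the repository's .checkmarx/config.yml.
        YAML parsing is out of scope here; a plain dict stands in for it."""
        for key, value in params.items():
            self.set_param("config-as-code", scanner, key, value)

    def resolve(self, scanner: str) -> Dict[str, Tuple[object, str]]:
        """Effective parameters for one scanner, each tagged with the level that
        supplied it, so an engineer can see where a value came from."""
        effective: Dict[str, Tuple[object, str]] = {}
        for level in LEVELS:  # higher-precedence levels overwrite earlier ones
            for key, value in self.layers[level].get(scanner, {}).items():
                effective[key] = (value, level)
        return effective


def demo() -> Dict[str, Tuple[object, str]]:
    """Constructed scenario: environment and tenant both set a SAST preset, the
    project turns on incremental scanning, and the repository overrides the preset."""
    cfg = ScanConfigResolver()
    cfg.set_param("environment", "sast", "preset", "Default", {"platform-operator"})
    cfg.set_param("tenant", "sast", "preset", "Tenant Preset", {"admin"})
    cfg.set_param("project", "sast", "incremental", True, {"project-manager"})
    cfg.load_config_as_code("sast", {"preset": "Repo Preset"})
    return cfg.resolve("sast")
```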


Risk indicator in the project overview


A compact but informative risk indicator has been added to the project overview panel.

End-User License Agreement

To simplify and accelerate customer onboarding, the End-User License Agreement (EULA) is now automatically presented for acceptance to all Checkmarx One Cloud users at sign-up.


Resolved issues

Status

Item

Description

FIXED

Salesforce

An attempt to create a support ticket would fail with the message “Please set your priority” even though a priority was selected.

FIXED

UI

Opening the Scanners tab for an empty project could take too long.

FIXED

UI

The scanners shown in the project details panel were listed in the wrong order.

FIXED

UI

The order of the icons for the KICS scanner in the results viewer has been adjusted to match the order displayed in Checkmarx SAST.

FIXED

Filtering

Fixed a few minor issues in the representation of filtering results in the project overview. The issues were mostly related to label alignment and the indication when selecting all scanners.

FIXED

Scanning

In rare cases, scanning was interrupted before reaching completion.

FIXED

Scanning

An attempt to assign a project to an application could fail with the error message “Failed to get all Projects and their last scans”.

FIXED

Scanning

Opening the SAST results could trigger an internal error and fail.

Release of November 09 2021

This landmark release introduces the game-changing functionality that enables our customers to fetch their scan results via the UI and use them outside Checkmarx One for intra-corporate presentations and analysis. Read on to check out all of the great updates below.

Key improvements

Create scan reports in PDF and JSON format

Users can now generate reports for Completed or Partial scans via the UI. At the user’s discretion, the report may include the following sections: Scan Summary, Executive Summary, and Scan Results. After generating the report, it can be exported in PDF or JSON format.

To create a report, export an existing scan, specify which sections to generate, and then select the target format.


Azure DevOps SCM support


Checkmarx One is now able to scan your code base in GitHub, GitLab, Bitbucket or Azure DevOps. To access the repository, provide its URL in the scan settings.

Mapping Checkmarx One roles to Codebashing roles

In addition to Identity and Access Management (IAM) roles, you can now map Checkmarx One roles to Codebashing (CB) roles. CB roles are fetched from Codebashing and displayed in a separate tab of the Role Mapping dialog.


Resolved issues

Status

Item

Description

FIXED

Scanning

A slash in the name of a feature branch caused the scan to fail.

FIXED

Scan results

Raw errors were displayed when trying to group results by Source/Sink Nodes.

FIXED

Scan results

Incremental CxSAST scan results did not update severity and status.

Release of October 31 2021

Key improvements

Enhancements to the KICS Results Viewer

The KICS Results Viewer now provides the ability to view state and severity changes and add notes to specific items.


Other improvements

Status

Item

Description

UPDATE

Project Import

The Back button added to every step of the project import workflow allows you to return to a previous step for review or amendments:


UPDATE

User Management

You can now switch back to Checkmarx One from any inner page by clicking the new Back to Checkmarx One button.

UPDATE

JetBrains plugin

Selecting a project now automatically refreshes the list of available branches, allowing you to retrieve a specific branch and view its previous scans.

Entering a scan ID into the Search field will not only retrieve the results of the provided scan, but also automatically display the associated Project and Branch.

UPDATE

JetBrains plugin

Scan results can now be filtered by Severity, Status, and State.

Release Notes v2.0.29

Introducing Checkmarx One v2.0.29! Read on to check out all of the great updates below.

Key improvements

Activation email


In previous versions, a tenant owner email with the activation link remained valid for seven days.

Starting from this release, you can resend this email in case the user has not yet completed the activation process. To do it, select Resend Email in the three-dots menu. If the activation process is completed, the option will be greyed out.

Once a new email is sent, the previous link becomes invalid.

Other improvements

Status

Item

Description

NEW

UPDATE

User interface

The following list of minor user interface enhancements and updates is added to keep you apprised of all recent changes:

  • Account name was changed to Tenant name

  • Company name was changed to Account name

  • Customer ID was removed from the main table

  • The full country name is now shown instead of a two-letter code

  • Current sorting is automatically applied after switching to another tenant

UPDATE

User details

The Phone number field no longer appears in the user details.

UPDATE

Pagination

The allowed number of items in Application and Projects lists has been increased. You can specify 10, 25, 50, 100 or 200 items per page. The default is 50 items per page.

Fixes

Status

Item

Description

FIXED

Project creation

The project creation workflow has been stabilized to eliminate intermittent internal errors.

FIXED

Homepage

Loading the platform homepage could result in an error if no projects are yet defined or all projects have been deleted.

FIXED

SCA integration

Instead of containing only web files (js, js.map, json, etc.), an sca-webapp container could include redundant content copied from irrelevant folders.

FIXED

Integrations

In rare cases, scans from CxIntegrations could remain queued for over 15 minutes.

Release Notes v2.0.24

New / Updated Features

Status

Item

Description

NEW

Bitbucket integration

Bitbucket is the third native SCM integration platform supported by Checkmarx One. The integration automatically initiates a scan on a pull or push request.

NEW

Customer data security

To provide an extra layer of data protection, a unique customer master key (CMK) is now used to generate data encryption keys. Checkmarx One will either use the existing CMK, if available, or generate a new one.

UPDATE

Account Settings

To help users understand how to use Checkmarx One legally and correctly, the full text of the license is now integrated into the platform. To view it, navigate to Account Settings and click License.

UPDATE

User Management

The user details shown in the Users table have been enriched to include the following attributes:

  • Groups: The group(s) the user belongs to.

  • Roles: The roles assigned to the user. If the user is assigned more than one role, only the first role in alphabetical order is shown in the column; the rest are shown as a number, e.g., +12. Clicking the number opens the full list of the user's roles.

  • Last Login: The timestamp of the user’s last login.

UPDATE

GitLab Integration

Checkmarx One now provides actionable results for a scan triggered by a GitLab pull request by updating the scan result summary in the pull request comment.

UPDATE

GitLab Integration

Imported project data is now paginated for a better user experience.

UPDATE

GitHub Integration

Imported project data is now paginated for a better user experience.

UPDATE

All SCM Integrations

The pull request comment has been redesigned with a scan report summary to provide a better user experience and actionable links.

UPDATE

API

A new API method is implemented to retrieve the scan results from all engines: SAST, SCA, KICS, and so on.

UPDATE

API

A new API attribute allows you to send a generated report to the specified email address.

UPDATE

Logs

Checkmarx One logs are now enriched with the data periodically retrieved from the following services:

  • kics worker

  • sca worker

  • sast results events

  • sast results inc

  • sca results processor

  • kics results processor

  • sca packages processor

  • sast-results

Bug Fixes

Status

Item

Description

FIXED

Scan results

Scan results do not include vulnerability descriptions.

FIXED

API

An attempt to run any API call related to results or result summary on an existing scan returns error 404.

Release Notes v2.0.20 - v2.0.20.3

New / Updated Features

Status

Item

Description

NEW

KICS scans

Added the following missing/invalid data to the KICS scan summary page:

  • totalCounter

  • stateCounters

  • statusCounters

  • Scanned Files counter

  • Counters for platform field (results by platform widget)

NEW

Project → Scan History tab

Added the following columns:

  • Origin - Scan origin

  • Source - Scan source (ZIP, GitHub etc.)

  • Scanner - Scanner type (SAST, SCA, KICS)

  • Severities - Scan severities, divided by High, Medium and Low.

Added an Action Menu icon that includes Delete action:


NEW

Integration → GitHub pull request

  • Support Checkmarx One SAST results in GitHub pull request comment.

  • Update scan status upon a pull request - When submitting a pull request that contains a Webhook, the pull request status is provided.

    The statuses are:

    • Checkmarx Scan In Progress

    • Checkmarx Scan Completed

Bug Fixes

Status

Item

Description

FIXED

Applications

  • When deleting several Applications at once, a 404 redirect error occurs.

  • When clicking twice on the Delete application option, a 404 error occurs.

FIXED

Project Scanners tab

Results are not presented via Project Scanners tab → Widgets view

FIXED

Project Compliance tab

Visualization issue in the following scenario:

  • There is no data in the Project Compliance tab.

  • The “Compliance” section in the Overview tab is displayed incorrectly.

As a solution, the following are disabled when there is no Compliance data:

  1. The Compliance tab.

  2. The “Compliance” section in the Overview tab.

FIXED

Project scan results

Project Total Results number is miscalculated

FIXED

KICS scan results

Project name is not presented in the KICS Results page title.

FIXED

Scans (All scan types)

Occasionally scans are “stuck” and stay in “Running” status for up to 12 hours.

FIXED

Scans

Occasionally scans are “stuck”.

The scans are created and saved, but don’t proceed.

FIXED

Scans workflow

Occasionally a scan workflow is displayed in the wrong order when opened as follows:

  1. Click on a scan to open the right side panel.

  2. Select a scan type → Actions menu → More Details.

FIXED

Scans workflow → Empty

Occasionally, when a scan workflow is empty, the web portal widget details are displayed incorrectly.

FIXED

Repository path scans

Only 20 branches are displayed in the following scenario:

  1. Create new Project.

  2. Scan a repository path containing more than 20 branches.

FIXED

Configuration files

Unable to upload a configuration file template to the system.

FIXED

Configuration files

Configuration file upload request is missing a “slash” in the request syntax.

FIXED

Security Vulnerabilities

JWT details were being sent to and stored in Camunda Cloud.

The JWT contains customer data (authentication and personal data).

The JWT is no longer sent to Camunda.

Release Notes v2.0.19.1

New / Updated Features

Status

Item

Description

NEW

Dynamic Engines

Added a new feature - Dynamic Engines.

  • The feature dynamically creates SAST scan engines upon a scan request and brings them down upon scan completion.

  • The Resource Management → SAST engines tab is no longer relevant and will be removed in a future release.

  • The other scan types (SCA, KICS) do not use this functionality and are not performed via Dynamic Engines.

NEW

SAST scan limitation

All SAST scans are limited to 250K lines of code.

Scanning projects containing more than 250K lines of code will fail.

NEW

Scan Results

Added a new publisher service to publish scan results.

NEW

Projects Import

Added Groups and Tags support to the Import Project wizard.

NEW

Integrations - Scanners types support

Added support for different scanner types to Checkmarx One Integrations

Bug Fixes

Status

Item

Description

FIXED

Scan fails on engine restart

Creating a Project and performing an Incremental scan for SAST, SCA, and KICS using a GIT repository URL sometimes fails due to engine restart.

FIXED

Project Compliance data

Compliance data is sometimes not presented when performing the following:

  1. Create a Project.

  2. Scan a file/repository path.

  3. Open Project Overview → Compliance tab.

FIXED

User creation

When creating a new user containing special characters in the username, the following occurs:

  1. The action finishes without any error.

  2. The user is not created.

Release Notes v2.0.19

New / Updated Features

Status

Item

Description

NEW

RabbitMQ

  • Update events in Repostore

  • Update events in logs service

  • Send notifications from scan service by RabbitMQ

  • Local Directory Listing via API Request - A user with ast-viewer privileges is able to list the files on the server via the /api/scans/templates/{file-name} API endpoint.

  • Added AMQP 1.0 for internal RabbitMQ communication

  • Tested that services respond correctly to a temporary RabbitMQ disconnection

NEW

Open a new support ticket

Integration with Salesforce for opening new tickets from the Checkmarx One application

NEW

Github integration

Support multiple scanner types - SAST, SCA, KICS

NEW

Github integration

Support incremental scan configuration when importing a project

NEW

SCM integrations

The repository URL is auto-filled when manually scanning a project that was imported from SCM

NEW

GitHub integration

Show repositories that are not attached to an “organization”

Bug Fixes

Status

Item

Description

FIXED

SAST vulnerabilities

  • 2 High severity SAST vulnerabilities in the checkmarxdev-oidcauth-master repo.

    The fix validates that the correlation id in the header is a valid UUID, thereby preventing a possible XSS vulnerability.

  • 3 High severity SAST vulnerabilities in the SAST-METADATA repo
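The class of fix described for the correlation id above, as an added example that is not Checkmarx code: the header value is only accepted if it parses as a UUID, and the canonical form, never the raw string, is what reaches logs and responses. The header name and the error-page markup are assumptions.

```python
# Added example (not Checkmarx code): validating a correlation-id request header
# as a UUID before it is echoed anywhere. Header name and page layout are hypothetical.
import html
import uuid
from typing import Mapping, Optional, Tuple

CORRELATION_HEADER = "X-Correlation-Id"  # hypothetical header name


def validate_correlation_id(raw: Optional[str]) -> Optional[str]:
    """Return the canonical 36-character form of `raw` if it is a UUID, else None.
    uuid.UUID() accepts braces, 'urn:uuid:' prefixes and hyphen-less hex, so the
    return value is the normalised form rather than the client's bytes."""
    if not isinstance(raw, str):
        return None
    try:
        return str(uuid.UUID(raw.strip()))
    except ValueError:
        return None


def correlation_id_for_request(headers: Mapping[str, str]) -> Tuple[str, bool]:
    """Choose the id to propagate to logs and responses: the client's value when it
    is a valid UUID, otherwise a freshly generated one. The bool reports which case hit."""
    cid = validate_correlation_id(headers.get(CORRELATION_HEADER))
    if cid is None:
        return str(uuid.uuid4()), False
    return cid, True


def error_page_unsafe(headers: Mapping[str, str]) -> str:
    """The pattern the fix replaces: the client-controlled header copied into HTML."""
    return f"<p>Request failed. Reference: {headers.get(CORRELATION_HEADER, '')}</p>"


def error_page_hardened(headers: Mapping[str, str]) -> str:
    """Only a validated UUID (or a server-generated one) reaches the page; the value
    is also HTML-escaped as defence in depth."""
    cid, _ = correlation_id_for_request(headers)
    return f"<p>Request failed. Reference: {html.escape(cid)}</p>"
```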

FIXED

SAST Incremental scan

SAST Incremental scan fails when it is the Project’s first scan

FIXED

SAST scans

  • When initiating a new SAST scan, a white screen is displayed

  • Missing index on scan_id of ast_scan_results table

FIXED

GitHub scans

GitHub scan fails if the URL contains a hyphen (“-”) character

FIXED

GitHub scans

GitHub scans failed at the 'fetch-sources' step with “failed to compress code”

FIXED

GitHub scans

GitHub scans fail when using Webhooks

FIXED

KICS scans

  • KICS repository scans fail

  • KICS failed to scan the "Checkmarx One" repository

  • KICS scan fails with "failed to convert IssueType for query"

  • Missing index on scan_id of ast_kics_scan_results table

FIXED

KICS scan results

  • Disable the KICS Results buttons when there are no results

  • KICS scan results return the wrong KICS results (some results are duplicated and some are missing)

  • KICS scan results are inaccessible until the SAST scan is finished

FIXED

KICS Results API

KICS Results API returns the wrong severity

FIXED

SCA Scans → Download logs

Clicking “download logs” returns a 404 error message

FIXED

SCA Results

  • After a successful SCA scan, SCA results return a 404 error message

  • The SCA scan result button should open the SCA application vulnerabilities page instead of the Project Overview page

  • When clicking on SCA project results, a different project's results are presented

  • Update the ast-token value in localStorage on token regeneration

FIXED

Project Scanners Tab

  • After a successful .zip archive scan, the Scanners tab presents a blank page error

  • When KICS/SCA is not part of the scan, an error occurs after clicking the KICS/SCA tab

FIXED

Project Results page

After a successful SAST scan, Project Results page is not rendered when accessed via scanners tab (or using the “eye” icon in Scan History tab)

FIXED

Project Compliance page

After a successful scan, no data is presented in the Project Compliance tab

FIXED

Checkmarx One application crash

Checkmarx One application crashes after performing the following:

  1. Create a new scan.

  2. Click the Project line in the Dashboard to open Project Preview pane (Right side pane).

  3. Click the “More Details” option.

FIXED

Config as Code

Config as Code did not work after the tenant was enabled

FIXED

A user with ast-viewer privileges is able to list the files on the server via the /api/scans/templates/{file-name} API endpoint.
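The directory-listing issue on the templates endpoint (listed under RabbitMQ in the features above and fixed here), illustrated with an added example that is not Checkmarx code: the file-name parameter is accepted only if it is a single path component that resolves to a regular file directly inside the templates directory, so directories and anything outside that directory are never served. The templates path is an assumption.

```python
# Added example (not Checkmarx code): serving a template only when the file-name
# parameter resolves to a regular file directly inside the templates directory.
# The templates path is hypothetical.
import tempfile
from pathlib import Path
from typing import Dict

TEMPLATES_DIR = Path("/var/lib/cx/scan-templates")  # hypothetical location


class TemplateAccessError(Exception):
    """Raised for any name that is not a plain file name inside the templates dir."""


def resolve_template(file_name: str, base: Path = TEMPLATES_DIR) -> Path:
    # Syntactic checks first: a template name is exactly one path component.
    if not file_name or file_name in {".", ".."}:
        raise TemplateAccessError("empty or relative name")
    if any(ch in file_name for ch in ("/", "\\", "\x00")):
        raise TemplateAccessError("path separators and NUL are not allowed")
    base_real = base.resolve()
    target = (base_real / file_name).resolve()  # resolve() follows symlinks
    # Semantic check: after symlink resolution the target must still be a direct child.
    if target.parent != base_real:
        raise TemplateAccessError("name escapes the templates directory")
    # Directories (the listing case) and missing entries are never served.
    if not target.is_file():
        raise TemplateAccessError("not a template file")
    return target


def demo() -> Dict[str, str]:
    """Constructed scenario: a temporary templates dir holding one template and one
    sub-directory, probed with benign and hostile names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "default.yml").write_text("version: 1\n")
        (base / "nested").mkdir()
        probes = ["default.yml", "", ".", "..", "nested", "../etc/passwd",
                  "default.yml\x00.txt", "missing.yml"]
        outcome: Dict[str, str] = {}
        for name in probes:
            try:
                outcome[name] = "served " + resolve_template(name, base).name
            except TemplateAccessError as exc:
                outcome[name] = f"rejected ({exc})"
        return outcome
```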

FIXED

Checkmarx One Log in

Ability to enumerate tenant names via the Checkmarx One application login mechanism

FIXED

Checkmarx One Log in

Ability to enumerate user names via the Checkmarx One application login mechanism

FIXED

Checkmarx One Log in

Ability to use weak passwords for the Checkmarx One application login mechanism

FIXED

Checkmarx One Log in

It is possible for a Tenant to list groups from other tenants by querying the affected URL

FIXED

Checkmarx One Log in

Change the new user “Welcome” email to include Checkmarx One URL

FIXED

Back Office

Cannot change admin password due to IAM_PASSWORD not applied during environment startup

FIXED

User Management

Cross-Tenant Group Assignment - Users with permissions to manage projects could create projects and assign them groups that belonged to other tenants

FIXED

GitHub integration

Several User Interface improvements

Release Notes v2.0.17 - v2.0.18

New / Updated Features

Status

Item

Description

NEW

SCA

Sharing API Keys with SCA web application

NEW

SCA result counters

Integrate SCA result counters using the Summary endpoint

NEW

SCA results service

  • Get SCA project ID using SCA API.

  • Upload updated results service data to minio.

  • Redirect the user to SCA results page.

NEW

SCA - Scanners page

Added SCA scan type to Scanners page - Mock data.


NEW

New aggregation APIs

Support for new aggregation APIs

NEW

New Scan Wizard

Added a Back option


NEW

Enable TLS connections for AMQP

Extended the RabbitUpdater configuration to support TLS connections.

NEW

Project page - Engines tab

Changed “Engines” tab in project page to “Scanners”


NEW

Project page - Right pane

Added the option to present a scan types preview when a scan is in the running or failed state.

NEW

Results service

Added the SCA protobuf to the results service

NEW

User Interface - Help menu

Added Documentation option to the Support icon options.

The button redirects the user to the Checkmarx One documentation space.


NEW

User Interface tests

Adding the following tests to the User interface tests coverage:

  • scans tests

  • Incremental scans tests

  • Exclude User Interface Login for the Firefox and Chrome browsers

NEW

Maintenance and support

Added a buffer for maintenance and support of all pipeline- and test-related items.

NEW

KICS Result

Added the following to KICS Result:

  • Calculate and save KICS results to the DB.

  • Complete KICS Summary data, and save in Redis.

NEW

KICS result counters

Integrate KICS result counters using Summary endpoint

NEW

KICS Results Processing

Performed the following:

  • Get KICS result from minio.

  • Update Redis with the data required by the summary API:

    • Severity counters

    • Total results

    • Update persistence

NEW

KICS - Results Viewer

Added KICS results to Result Viewer page


NEW

KICS protobuf

KICS protobuf refactor

NEW

KICS - Quality tests

Created a quality test plan for KICS

NEW

Compliance feature

Added the following to the compliance page:

  • The aging summary graph is mocked at this first stage.

  • There is only one result type, sast (no scan type filter).

  • The results table displays only the available data.


NEW

Compliance feature

Added automation coverage for the compliance fields

NEW

NATS notifications

Deprecated NATS notifications for all services

NEW

RabbitMQ event notifications

The following event notifications are now handled in services via RabbitMQ:

  • repo store events

  • sast-queries events

  • sast-metadata events

  • ast-events events

  • logs service events

  • scan service events

NEW

Log in API

The “organization” tenant is hardcoded for the login procedure

NEW

System Tests

Added the compliance page fields to the system tests

NEW

Webhooks feature

The PUT command does not update the webhook's active field to the inactive state

NEW

Dynamic Engines

Performed the following:

  • Allocation of workers using deployment as a template

  • Node affinity/resources configuration

  • Dynamic job/pod status monitoring using K8s

  • sast-worker service-less mode (run & die)

NEW

Keycloak - Audit logs

Added Audit logs events to Keycloak

NEW

SCM Integrations

  • Added support for Checkmarx One Integrations – GitHub import

  • It is possible to perform the following actions:

    • Connect to GitHub

    • Select an organization

    • Specify the projects

    • Automatically create WebHooks for Pull Request and Push Events

  • Added Import from SCM option → When clicking on New Project (Instead of the removed Integrations Button)


Bug Fixes

Status

Item

Description

FIXED

Create a Project and scan a source file

The execution hangs intermittently.

FIXED

Assigning projects to applications

English proofing - Wording improvements

FIXED

Assigning projects to applications

The search field does not work

FIXED

Results Viewer

Results Viewer improvements

FIXED

Results Viewer

The user needs to see the code section when clicking on a vulnerability in order to see its details.

FIXED

Results Viewer

Cannot open the list of vulnerabilities when filtering by Severity and Source File

FIXED

Projects page - running a scan

The Run Scan menu triggered from the Projects page should be the same as the one on the Scans page

FIXED

Projects page - results tab

  • Marking a result as Not-Exploitable produces an error

  • When opening the results tab, the /api/scan-summary/aggregate?scan-id=<scanId>&limit=10000 request is sent twice.

FIXED

Projects page - results tab

Cannot unselect “new” filter checkbox

FIXED

Projects page - KICS results

KICS results categories don’t fit the screen

FIXED

Project page - Compliance tab

Compliance tab data is empty after the system was upgraded

FIXED

Project page - Right pane

When clicking on a project, scans with empty results should not be clickable (Right side pane).

FIXED

Project page - Right pane - Download logs

Clicking the “Download logs” button when there are no results leads to bad redirect.

The button must be greyed out.

FIXED

Project page - Right pane - Download logs

Downloading scan logs (for both SAST and KICS) returns a 403 error

FIXED

Project page

Project showing “Assigned to application” even though it isn't

FIXED

Adding project to application

Checkmarx One user interface crashes after adding a new project to an application

FIXED

getProjects API

'Origin' field is missing

FIXED

Project Setting tab - Save button

After making a change (adding tags or a group) and pressing Save, the button flickers and stays in the enabled state

FIXED

User Interface - Cosmetics

Several visual issues while resizing web browser window (Texts not aligned, fonts size).

FIXED

User Interface improvements

Long names are not fully displayed in the User Interface for the following:

  • Application name

  • Description of application

  • Project name

  • Webhook name

  • Tag - not limited per characters

  • Naming of system elements when opening them in new browser tabs:

    • Applications - “Applications - Checkmarx One”

    • Projects - “Projects - Checkmarx One”

    • Resource Management - “Resource Management - Checkmarx One”

    • Project - “ProjectName - Checkmarx One”

    • SAST Results - “SAST Results - ProjectName - Checkmarx One”

    • KICS Results - “KICS Results - ProjectName - Checkmarx One”

    • Account Settings - “Account Settings - Checkmarx One”

FIXED

Incremental Scan

Incremental Scan fails in the following scenario:

  • Base scan includes KICS scan type

  • Incremental scan does not include KICS scan type

FIXED

Incremental Scan

Incremental Scan fails in the following scenario:

  • Base scan includes a zip archive file

  • Incremental scan includes path to GIT repository.

  • scan type restart

FIXED

Multi scan types scan

During scan execution, if the scan is opened from resources/scans it appears as completed.

FIXED

Log in window

The user name field in the login window is case-sensitive

FIXED

Log in window

Enter button doesn’t work in tenant login window

FIXED

Scan window

The Fetch Branches button returns a wrong list of branch names

FIXED

Scan service

Scans fail due to result duplications

FIXED

Scan cancel

When canceling a scan, the status does not change to Failed

FIXED

Webhooks feature

Secret field is displayed as blank even when a secret exists

FIXED

User Management

User with if-in-group permissions cannot trigger scans

FIXED

Keycloak

Keycloak fails due to system tests during deployment

FIXED

Log in - Reset password feature

There is unnecessary text in the reset password email sent to the user

FIXED

BackOffice

During a new Tenant creation, it is not possible to configure alphanumeric symbols in the "Salesforce Account ID" field.

FIXED

BackOffice

After a new Tenant is created, the email the user receives has a mismatch between the Account Name field and its value.

Release Notes v2.0.14

New / Updated Features

Status

Item

Description

NEW

Project sidebar

Added new KICS data widget (Mock).

KICS is an open source solution for static code analysis of Infrastructure as Code.


NEW

KICS engine results viewer

Added a new KICS engine results viewer (mock data)


NEW

SAST sidebar widget

Added a Download Logs button to the Project sidebar SAST widget.

Clicking the button downloads the engine scan logs to the client.


NEW

Back Office

Added support for multiple regions in Back Office

NEW

Back Office

Added the ability to create a special user type for a tenant called “Service User”.

This user has Admin permissions to temporarily access the User Management console in order to open new service support cases.

This user will be automatically deleted after 1 day.

The user won’t be visible in the User Management user interface.

Bug Fixes

Status

Item

Description

FIXED

Webhooks feature

Deleting a single webhook is not working

FIXED

Webhooks feature

When opening the Project webhook settings, an error message pops up

FIXED

Branching feature

Minor UI uplifts:

  • 3 dots should be aligned to Option icon.

  • When a zip file is scanned, the presented branch is '.unknown'

FIXED

Scan result count

Until a scan is finished there is no need to present a result count

FIXED

Scan History

When scanning a zip file the scan screen presents the branch filter

FIXED

SAST sidebar widget

More Details link is not working from the SAST sidebar widget

Release Notes v2.0.22.3

New / Updated Features

Status

Item

Description

NEW

Integrations

To enhance and enrich the workflow automation, the pull request and push event are now invoked by default upon completion of the project import from a source-control management tool.

Release Notes v2.0.20.4

New / Updated Features

Status

Item

Description

NEW

KICS scans

Added support for the “Category” field in the following APIs:

  • Summary API

  • kics-results API

NEW

Scans workflow

Optimized the scan workflow/scan mapping keys in Redis

NEW

Projects REST API

Exposed Projects REST API.

Added SCMRepoId to the Checkmarx One Projects table for REST API and gRPC support.

NEW

Resource Management

Removed Resource Management → SAST engines tab.

Release Notes v2.0.20 - v2.0.20.3

New / Updated Features

Status

Item

Description

NEW

KICS scans

Added the following missing/Invalid data to KICS scan summary page:

  • totalCounter

  • stateCounters

  • statusCounters

  • Scanned Files counter

  • Counters for platform field (results by platform widget)

NEW

Project → Scan History tab

Added the following columns:

  • Origin - Scan origin

  • Source - Scan source (ZIP, GitHub etc.)

  • Scanner - Scanner type (SAST, SCA, KICS)

  • Severities - Scan severities, divided by High, Medium and Low.

Added an Action Menu icon that includes Delete action:

5842798839.png

NEW

Integration → GitHub pull request

  • Support Checkmarx One SAST results in GitHub pull request comment.

  • Update scan status upon a pull request - When submitting a pull request that contains a Webhook, the pull request status is provided.

    The statuses are:

    • Checkmarx Scan In Progress

    • Checkmarx Scan Completed

Bug Fixes

Status

Item

Description

FIXED

Applications

  • When deleting several Applications at once a 404 redirect error occurs.

  • When clicking twice on the Delete application option, a 404 error occurs.

FIXED

Project Scanners tab

Results are not presented via Project Scanners tab → Widgets view

FIXED

Project Compliance tab

Visualization issue in the following scenario:

  • There is no data in the Project Compliance tab.

  • The “Compliance” section in the Overview tab doesn't look good.

As a solution, the following was disabled in case there is no Compliance data:

  1. Compliance tab is disabled.

  2. The “Compliance” section in the Overview tab.

FIXED

Project scan results

Project Total Results number is miscalculated

FIXED

KICS scan results

Project name is not presented in the KICS Results page title.

FIXED

Scans (All scan types)

Occasionally scans are “stuck” and stay in “Running” status for up to 12 hours.

FIXED

Scans

Occasionally scans are “stuck”.

The scans are created and saved, but don’t proceed.

FIXED

Scans workflow

Occasionally a scan workflow is displayed in a wrong order via the following:

  1. Click on a scan to open the right side panel.

  2. Select a scan type → Actions menu → More Details.

FIXED

Scans workflow → Empty

Occasionally, when a scan workflow is empty, the web portal widget details are messed up.

FIXED

Repository path scans

Only 20 branches are displayed in the following scenario:

  1. Create new Project.

  2. Scan a repository path containing more than 20 branches.

FIXED

Configuration files

Not able to upload a template of a configuration file to the system.

FIXED

Configuration files

Configuration file upload request is missing a “slash” in the request syntax.

FIXED

Security Vulnerabilities

JWT details were being sent and stored in Camunda cloud.

The JWT details contain customer data - Authentication and personal data in the token.

From now on, JWT token is no longer being sent to Camunda.

Release Notes v2.0.19.1

New / Updated Features

Status

Item

Description

NEW

Dynamic Engines

Added a new feature - Dynamic Engines.

  • The feature dynamically creates SAST scan engines upon a scan request and brings them down upon scan completion.

  • The Resource Management → SAST engines tab is no longer relevant and will be removed in a future release.

  • The other scan types (SCA, KICS) do not use this functionality, so these scan types are not performed via Dynamic Engines.

NEW

SAST scan limitation

All SAST scans are limited to 250K Lines Of Code.

Scanning Projects whose files contain more than 250K Lines Of Code will fail.

NEW

Scan Results

Add a new publisher service in order to publish scan results

NEW

Projects Import

Add Groups and Tags enablement to the Import Project wizard

NEW

Integrations - Scanners types support

Added support for different scanner types to Checkmarx One Integrations

Bug Fixes

Status

Item

Description

FIXED

Scan fails on engine restart

Creating a Project and performing an Incremental scan for SAST, SCA, and KICS using a GIT repository URL sometimes fails due to engine restart.

FIXED

Project Compliance data

Compliance data is sometimes not presented when performing the following:

  1. Create a Project.

  2. Scan a file/repository path.

  3. Open Project Overview → Compliance tab

FIXED

User creation

When creating a new user containing special characters in the username, the following occurs:

  1. The action finishes without any error.

  2. The user is not created.

Release Notes v2.0.19

New / Updated Features

Status

Item

Description

NEW

RabbitMQ

  • Update events in Repostore

  • Update events in logs service

  • Send notifications from scan service by RabbitMQ

  • Local Directory Listing via API Request - A user with ast-viewer privileges is able to list the files on the server via the /api/scans/templates/{file-name} API endpoint.

  • Adding amqp 1.0 for internal rabbit communication

  • Test that services respond correctly for temporary Rabbit disconnection

NEW

Open a new support ticket

Integration with Salesforce for new tickets opening via Checkmarx One application

NEW

Github integration

Support multiple scanner types - SAST, SCA, KICS

NEW

Github integration

Support Incremental scan configuration when importing a project

NEW

SCM integrations

Auto-fill repo URL when trying to manually scan a project which was imported from SCM

NEW

GitHub integration

Show repositories that are not attached to an “organization”

Bug Fixes

Status

Item

Description

FIXED

SAST vulnerabilities

  • 2 High severity SAST vulnerabilities in checkmarxdev-oidcauth-master repo.

    The fix validates that the correlation id in the header is a valid uuid, hence preventing the possible XSS vulnerability.

  • 3 High severity SAST vulnerabilities in SAST-METADATA repo

FIXED

SAST Incremental scan

SAST Incremental scan fails when it is the Project’s first scan

FIXED

SAST scans

  • When initiating a new SAST scan, a white screen is presented

  • Missing index on scan_id of ast_scan_results table

FIXED

GitHub scans

GitHub scan fails in case the URL contains hyphen “-” character

FIXED

GitHub scans

GitHub scans fail at the 'fetch-sources' stage with a “failed to compress code” error

FIXED

GitHub scans

GitHub scans fail when using Webhooks

FIXED

KICS scans

  • KICS repository scans fail

  • KICS failed to scan "Checkmarx One" repository

  • KICS scan fails on "failed to convert IssueType for query"

  • Missing index on scan_id of ast_kics_scan_results table

FIXED

KICS scan results

  • Disable KICS Results buttons in case that there are no results

  • KICS scan results return wrong KICS results (some results are duplicated and some results are missing)

  • KICS Scan Results Inaccessible until SAST Scan is Finished

FIXED

KICS Results API

KICS Results API retrieves wrong severity

FIXED

SCA Scans → Download logs

Clicking on “download logs” returns a 404 error message

FIXED

SCA Results

  • After a successful SCA scan, SCA results return a 404 error message

  • SCA scan result button should open SCA application vulnerabilities page instead of Project Overview page

  • When clicking on SCA project results, the results of a different project are presented

  • Update ast-token value in localStorage on token regeneration

FIXED

Project Scanners Tab

  • After a successful .zip archive scan, Scanners Tab presents a blank page error

  • When KICS/SCA not part of scan, error occurs after clicking on KICS/SCA tab

FIXED

Project Results page

After a successful SAST scan, Project Results page is not rendered when accessed via scanners tab (or using the “eye” icon in Scan History tab)

FIXED

Project Compliance page

After a successful scan, no data is presented in the Project Compliance tab

FIXED

Checkmarx One application crash

Checkmarx One application crashes after performing the following:

  1. Create a new scan.

  2. Click the Project line in the Dashboard to open Project Preview pane (Right side pane).

  3. Click the “More Details” option.

FIXED

Config-as-Code

Config-as-Code does not work after the tenant was enabled

FIXED

A user with ast-viewer privileges is able to list the files on the server via the /api/scans/templates/{file-name} API endpoint.

FIXED

Checkmarx One Log in

Ability to enumerate tenant names for Checkmarx One application log in mechanism

FIXED

Checkmarx One Log in

Ability to enumerate user names for Checkmarx One application log in mechanism

FIXED

Checkmarx One Log in

Ability to use weak Passwords for Checkmarx One application log in mechanism

FIXED

Checkmarx One Log in

It is possible for a Tenant to list groups from other tenants by querying the affected URL

FIXED

Checkmarx One Log in

Change the new user “Welcome” email to include Checkmarx One URL

FIXED

Back Office

Cannot change admin password due to IAM_PASSWORD not applied during environment startup

FIXED

User Management

Cross-Tenant Group Assigning - Users that had permissions to manage projects could create projects and assign them groups that belonged to other tenants

FIXED

GitHub integration

Several User Interface improvements

Release Notes v2.0.17 - v2.0.18

New / Updated Features

Status

Item

Description

NEW

SCA

Sharing API Keys with SCA web application

NEW

SCA result counters

Integrate SCA result counters using the Summary endpoint

NEW

SCA results service

  • Get SCA project ID using SCA API.

  • Upload updated results service data to minio.

  • Redirect the user to SCA results page.

NEW

SCA - Scanners page

Added SCA scan type to Scanners page - Mock data.

3162473603.png

NEW

New aggregation APIs

Support for new aggregation APIs

NEW

New Scan Wizard

Adding Back option

3150775456.png

NEW

Enable TLS connections for amqp

Extend RabbitUpdater configuration to support TLS connection.

NEW

Project page - Engines tab

Changed “Engines” tab in project page to “Scanners”

3150873759.png

NEW

Project page - Right pane

Added the option to present scan types preview in case that a scan is in running/failed state.

NEW

Results service

Add SCA protobuf to results service

NEW

User Interface - Help menu

Added Documentation option to the Support icon options.

The button redirects the user to the Checkmarx One documentation space.

3164504427.png

NEW

User Interface tests

Adding the following tests to the User interface tests coverage:

  • scans tests

  • Incremental scans tests

  • Exclude to User Interface Login for firefox and chrome browsers

NEW

Maintenance and support

Added buffer for maintenance and support. This item is developed for maintenance and support to all pipeline and test-related items.

NEW

KICS Result

Added the following to KICS Result:

  • Calculate and save KICS results to the DB.

  • Complete KICS Summary data, and save in Redis.

NEW

KICS result counters

Integrate KICS result counters using Summary endpoint

NEW

KICS Results Processing

Performed the following:

  • Get KICS result from minio.

  • Update REDIS with data that is required by the summary API:

    • Severity counters

    • Total results

    • Update persistency

NEW

KICS - Results Viewer

Added KICS results to Result Viewer page

3164864861.png

NEW

KICS protobuf

KICS protobuf refactor

NEW

KICS - Quality tests

Creating quality test plan for KICS

NEW

Compliance feature

Add the following to the compliance page:

  • Aging summary graph is mocked at the first stage.

  • There is only one result type: sast (no scan type filter).

  • Results table display only available data.

3164242359.png

NEW

Compliance feature

Add compliance fields automation coverage

NEW

NATS notifications

Deprecate NATS notifications for all services

NEW

RabbitMQ event notifications

Handle the following events notifications in services by RabbitMQ:

  • repo store events

  • sast-queries events

  • sast-metadata events

  • ast-events events

  • logs service events

  • scan service events

NEW

Log in API

“organization” tenant is hardcoded for the log in procedure

NEW

System Tests

Add compliance page fields to system-test

NEW

Webhooks feature

PUT command doesn’t update the webhook active field to In-active state

NEW

Dynamic Engines

Performed the following:

  • Allocation of workers using deployment as a template

  • Node affinity/resources configuration

  • Dynamic job/pod status monitoring using K8s

  • sast-worker service-less mode (run & die)

NEW

Keycloak - Audit logs

Added Audit logs events to Keycloak

NEW

SCM Integrations

  • Added support for Checkmarx One Integrations – GitHub import

  • It is possible to perform the following actions:

    • Connect to GitHub

    • Select an organization

    • Specify the projects

    • Automatically create WebHooks for Pull Request and Push Events

  • Added Import from SCM option → When clicking on New Project (Instead of the removed Integrations Button)

    3182362979.png

Bug Fixes

Status

Item

Description

FIXED

Create a Project and scan a source file

The execution hangs (not consistently; it happens from time to time).

FIXED

Assigning projects to applications

English proofing - Wording improvements

FIXED

Assigning projects to applications

Search field doesn't function

FIXED

Results Viewer

Results Viewer improvements

FIXED

Results Viewer

The user needs to see the code section when clicking on a vulnerability in order to see its details.

FIXED

Results Viewer

Cannot open the list of vulnerabilities when filtering by Severity and Source File

FIXED

Projects page - running a scan

Running scan menu triggered from Projects page should be similar to one from Scans page

FIXED

Projects page - results tab

  • Marking a result as Not-Exploitable produces an error

  • When opening the results tab, the /api/scan-summary/aggregate?scan-id=<scanId>&limit=10000 is sent twice.

FIXED

Projects page - results tab

Cannot unselect “new” filter checkbox

FIXED

Projects page - KICS results

KICS results categories don’t fit the screen

FIXED

Project page - Compliance tab

Compliance tab data is empty after system was upgraded

FIXED

Project page - Right pane

When clicking on a project, scans with empty results should not be clickable (Right side pane).

FIXED

Project page - Right pane - Download logs

Clicking the “Download logs” button when there are no results leads to bad redirect.

The button must be greyed out.

FIXED

Project page - Right pane - Download logs

Download scan logs (both for SAST & KICS) - Get 403 Error

FIXED

Project page

Project showing “Assigned to application” even though it isn't

FIXED

Adding project to application

Checkmarx One user interface crashes after adding a new project to an application

FIXED

getProjects API

'Origin' field is missing

FIXED

Project Setting tab - Save button

After performing a change (add tags, add group) and pressing Save, the button flickers and stays in the "enabled" state

FIXED

User Interface - Cosmetics

Several visual issues while resizing the web browser window (text not aligned, font sizes).

FIXED

User Interface improvements

Long names are not fully displayed in the User Interface for the following:

  • Application name

  • Description of application

  • Project name

  • Webhook name

  • Tag - not limited per characters

  • Naming of system elements when opening them in new browser tabs:

    • Applications - “Applications - Checkmarx One”

    • Projects - “Projects - Checkmarx One”

    • Resource Management - “Resource Management - Checkmarx One”

    • Project - “ProjectName - Checkmarx One”

    • SAST Results - “SAST Results - ProjectName - Checkmarx One”

    • KICS Results - “KICS Results - ProjectName - Checkmarx One”

    • Account Settings - “Account Settings - Checkmarx One”

FIXED

Incremental Scan

Incremental Scan fails in the following scenario:

  • Base scan includes KICS scan type

  • Incremental scan does not include KICS scan type

FIXED

Incremental Scan

Incremental Scan fails in the following scenario:

  • Base scan includes a zip archive file

  • Incremental scan includes path to GIT repository.

  • scan type restart

FIXED

Multi scan types scan

During a scan execution, if the scan is opened from resources/scans it appears as completed.

FIXED

Log in window

User name field in the log in window is case sensitive

FIXED

Log in window

Enter button doesn’t work in tenant login window

FIXED

Scan window

Fetch Branches button is returning a wrong list of branch names

FIXED

Scan service

Scans fail due to result duplications

FIXED

Scan cancel

When canceling a scan, the status does not pass to failed

FIXED

Webhooks feature

Secret field is displayed as blank even when a secret exists

FIXED

User Management

User with if-in-group permissions cannot trigger scans

FIXED

Keycloak

Keycloak fails due to system tests during deployment

FIXED

Log in - Reset password feature

There is an unnecessary text in the reset password email that is being sent to the user

FIXED

BackOffice

During a new Tenant creation, it is not possible to configure alphanumeric symbols in the "Salesforce Account ID" field.

FIXED

BackOffice

After a new Tenant is created, the Email that the user receives has an invalid match between the Account Name field and its value.

Release Notes v2.0.14

New / Updated Features

Status

Item

Description

NEW

Project sidebar

Added new KICS data widget (Mock).

KICS is an open source solution for static code analysis of Infrastructure as Code.

2920513592.png

NEW

KICS engine results viewer

Added a new KICS engine results viewer (using mock data)

2920972450.png

NEW

SAST sidebar widget

Added Download Logs button in the Project sidebar SAST widget.

Once clicking the button, the engine scan logs are downloaded to the client.

2920743081.png

NEW

Back Office

Added support for multiple regions in Back Office

NEW

Back Office

Added the ability to create a special user type for a tenant called “Service User”.

This user has Admin permissions to temporarily access the User Management console in order to open new service support cases.

This user will be automatically deleted after 1 day.

The user won’t be visible in the User Management user interface.

Bug Fixes

Status

Item

Description

FIXED

Webhooks feature

Deleting a single webhook is not working

FIXED

Webhooks feature

When opening Project webhook settings an error message pops-up

FIXED

Branching feature

Minor UI uplifts:

  • 3 dots should be aligned to Option icon.

  • When a zip file is scanned, the presented branch is '.unknown'

FIXED

Scan result count

Until a scan is finished there is no need to present a result count

FIXED

Scan History

When scanning a zip file the scan screen presents the branch filter

FIXED

SAST sidebar widget

More Details link is not working from the SAST sidebar widget

Release Notes v2.0.13

New / Updated Features

Status

Item

Description

NEW

Project statistics Engine screen

Added vulnerabilities by severity widget.

2899935779.png

Bug Fixes

Status

Item

Description

FIXED

Results viewer shows no scan after scanning zip source

Project Page shows no scans even though the scan finished successfully (as seen both in Resource Management and in the Projects table).

This occurs only with zip sources, leading to the suspicion that this relates to branching changes.

FIXED

Requests and sub-grouping

Fix requests and sub-grouping for the same vulnerabilities with different severities.

FIXED

Scan fails if results service fails to save results (or any other pipe that needs to fail the scan)

Scan service doesn't notify the workflow in case of the error. In such a case there will be a successful scan without results or with partial results.

CLI and Plugins Release of November 2021

Released CLI Version 2.0.4

Key Improvements

Automatic Retry

Users can now configure global flags to enable automatic retry of scans upon initial connection failure. You can specify the maximum number of retry attempts and the delay interval.

Flag

Default

Description

--retry <uint>

3 times

Automatically retry requests to Checkmarx One upon connection failure. Specify the maximum number of retry attempts.

--retry-delay <uint>

3 seconds

Time between retries in seconds. Used together with --retry.

Assign Groups and Add Tags During Scan Creation

Users can now add tags and assign the scan to a Checkmarx One “group” (for user management) as part of the “scan create” command.

./cx scan create -s . --project-name mynewproject --project-groups mygroup

Additional Improvements

Status

Item

Description

UPDATED

Integration tests

Integration tests now have 80% coverage.

UPDATED

Branch flag

Branch flag is now required.

UPDATED

Async mode

The flag for running scans in asynchronous mode was changed from --nowait to --async.

UPDATED

Homebrew

When installing the CLI through Homebrew, brew install checkmarx/ast-cli/ast-cli, auto-completion is set up automatically.

Plugin Updates

In November we released the following plugin versions. All current plugin versions use CLI version 2.0.4.

Key Improvements

New Eclipse Plugin

We released a new plugin for Eclipse, enabling you to import results from a Checkmarx One scan directly into your Eclipse IDE. You can view the vulnerabilities that were identified in your source code and navigate directly to the vulnerable code in the editor.

Main Features

  • Import Checkmarx One scan results into your IDE

  • Show results from all scan types (CxSAST, CxSCA, and KICS)

  • Group results by severity or query name

  • Navigate from results directly to the vulnerable code in the editor

  • Vulnerable code is highlighted in the editor

Specify Branch Name

When running scans in our CI/CD plugins, users are now required to specify the branch of the Project in Checkmarx One. This is in addition to specifying the Project name.

Additional Improvements and Bug Fixes

Status

Item

Description

Visual Studio Code Plugin

UPDATED

Output Logs

Shows logs of Checkmarx One results in Output tab

UPDATED

Clear button

Added a Clear button to Projects tab, enabling clearing the current selection and results.

UPDATED

Tests

Added integration tests and UI tests

FIXED

Line and column display

Fixed display of line and column in the Details section to match the line and column shown in the editor

JetBrains Plugin

UPDATED

Filter results

Added buttons in the sidebar of the Checkmarx pane to filter vulnerabilities by severity

FIXED

No repository

Fixed issue when opening a JetBrains project that doesn’t have a repository

Viewing the Scanners Tab (API Security)

The Scanners tab provides a multi-scanner overview on the API Security, SAST, SCA and KICS scanners that have been used for the last completed scan within a project. The results for each scanner type are presented in a separate screen using dedicated widgets for the results analysis. The example illustrated here uses SAST and API Security as scanners.

The first screen image illustrates the SAST scan results and the second one illustrates the API Security scan results.

Scanners_Tab_SAST.png
Scanners_Tab_APISEC.png

The table below lists and explains the respective widgets for the API Security results.

Widget

Description

Detected APIs

The number of detected APIs in the code. This scan detected 8 APIs in the code.

Sensitive Data APIs

The number of APIs with at least one sensitive data attribute. This scan detected sensitive data attributes in 7 out of the 8 detected APIs.

Additional information on sensitive data is available in the table below.

Results by Risk

The number of sensitive data attributes according to their risk.

In the illustrated example, API Security detected 5 vulnerabilities of which 2 were of high risk and 3 of medium risk.

Results_by_Risk.png

Results by Vulnerabilities

A list of sensitive data attributes with an indicator of how often each of these sensitive data attributes was detected.

In the illustrated example, API Security detected Parameter Tampering twice and three other vulnerabilities once each.

Results_by_Vulnerability.png

<View Results>

Click to switch to the Risks table.

The Sensitive Data categories and parameters are listed below.

Category

Parameters

Name

firstname, surname, familyname, fullname, name

Personal Data

birthday, dob, dateofbirth, phone, mobile, email, socialsecurity, ssn, driverslicense

Address

address, zipcode

Bank

credit, cardnumber, account

Secrets

credentials, secret, auth, apikey, pass, pwd, password
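The categories and parameter names above are the page's table; the following script is an added illustration (not Checkmarx code) that flags parameters of a constructed API surface against that table and derives the Detected APIs and Sensitive Data APIs figures described for the widgets. The matching rule (case-insensitive substring match on the name with separators removed) and the sample endpoints are assumptions.

```python
"""Flag API parameters that fall into the Sensitive Data categories above.

Added example, not Checkmarx code: the category/keyword table is the page's;
the matching rule and the sample endpoints are assumptions.
"""
import re
from collections import Counter

# Categories and parameter keywords exactly as listed in the table above.
SENSITIVE_DATA = {
    "Name": ["firstname", "surname", "familyname", "fullname", "name"],
    "Personal Data": ["birthday", "dob", "dateofbirth", "phone", "mobile",
                      "email", "socialsecurity", "ssn", "driverslicense"],
    "Address": ["address", "zipcode"],
    "Bank": ["credit", "cardnumber", "account"],
    "Secrets": ["credentials", "secret", "auth", "apikey", "pass", "pwd",
                "password"],
}

_SEPARATORS = re.compile(r"[\s_\-.]+")


def normalize(param: str) -> str:
    """'card_number' -> 'cardnumber', 'First-Name' -> 'firstname'."""
    return _SEPARATORS.sub("", param).lower()


def classify(param: str) -> dict:
    """Return {category: longest matching keyword} for one parameter name.

    Assumed rule: substring match on the normalised name. Short keywords such
    as 'name' or 'pass' also hit 'username' or 'passport', so broad matches
    are expected and need triage rather than automatic suppression.
    """
    norm = normalize(param)
    hits = {}
    for category, keywords in SENSITIVE_DATA.items():
        matched = [kw for kw in keywords if kw in norm]
        if matched:
            hits[category] = max(matched, key=len)
    return hits


def summarize(endpoints) -> dict:
    """Widget figures for (method, path, params) tuples: detected APIs, APIs
    with at least one sensitive attribute, and attribute counts per category."""
    by_category = Counter()
    findings = []
    sensitive_apis = 0
    for method, path, params in endpoints:
        api_flagged = False
        for param in params:
            for category, keyword in classify(param).items():
                by_category[category] += 1
                findings.append((method, path, param, category, keyword))
                api_flagged = True
        if api_flagged:
            sensitive_apis += 1
    return {
        "detected_apis": len(endpoints),
        "sensitive_data_apis": sensitive_apis,
        "attributes_by_category": dict(by_category),
        "findings": findings,
    }


# Constructed sample: a small API surface as an OpenAPI-style parameter list.
SAMPLE_ENDPOINTS = [
    ("GET", "/users/{id}", ["id"]),
    ("POST", "/users", ["first_name", "email", "password"]),
    ("POST", "/payments", ["card_number", "credit_limit", "amount"]),
    ("GET", "/health", []),
    ("POST", "/login", ["username", "pwd"]),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_ENDPOINTS)
    print(f"Detected APIs: {report['detected_apis']}, "
          f"Sensitive Data APIs: {report['sensitive_data_apis']}")
    for method, path, param, category, keyword in report["findings"]:
        print(f"  {method} {path}: '{param}' -> {category} ('{keyword}')")
```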

The Risks table lists the risks and provides additional information as outlined in the table below. For additional information on viewing scan results in depth, refer to Viewing API Results.

Scan_Results_Risk_Table.png

Parameter

Description

Severity Severity.png

Indicates the risk severity as follows:

High_Severity.png High

Medium_Severity.png Medium

Low_Severity.png Low

Risk Name

The name of the risk.

Status

Indicates the status of the risk as follows:

New.png - A newly detected vulnerability.

Recurrent_List.png - The vulnerability has been detected at least once before.

Endpoint Path

The path of the API endpoint in which the risk was detected.

Method

The method of the API as follows:

GET

HEAD

POST

PUT

DELETE

CONNECT

OPTIONS

TRACE

Data Origin

Indicates where the risk was detected, for example inside the code.

Risk Discovered

The date when the risk was detected.