
Jenkins Plugin Change Log

The following table lists the features and changes implemented for the plugin with the relevant version release. To obtain the plugin, go to the plugin download section.

Plugin Version | Changes / Features | Additional Information

2023.4.3

  • Enhanced to work with the relevant versions of the SAST APIs.

  • Added support to Enable Policy Enforcement for SAST and SCA separately. (These two need to be configured separately)

  • Enhanced the plugin to display the correct error message on the Checkmarx reports screen if SCA scan policies are violated.

  • Added support for SAST Project Level Custom Fields.

  • Added support for SCA Project Custom Tags.

  • Added support for SCA Scan Custom Tags.

  • Allowed special characters in scan and project-level custom fields for SAST and SCA.

  • Allowed special characters in the Jenkins job name.

  • Added support for propagating errors raised when the vulnerability threshold is exceeded.

  • Enhanced the plugin to support SCA URL in NoProxyHost.

  • Added support for Jenkins Server v2.375.4 and v2.414.3.

  • Fixed deserialization issue for API requests/responses.

  • Upgraded the following libraries:

    • com.checkmarx:cx-client-common:2023.4.4

    • org.apache.commons:commons-compress:1.25.0

    • org.json:json:20231013

    • org.eclipse.jgit:org.eclipse.jgit:6.8.0.202311291450-r

    • com.google.guava:guava:32.1.1-jre

  • Supported SAST Versions: 9.4, 9.5, 9.6

  • OSA Support: Supported,

    * FSA supported version: 24.0.1

  • SCA Support: Supported

  • Supported Tool Version:

    * Operating Systems: Windows, Linux

    * Jenkins versions: 2.164 to LTS 2.414.3

  • Supported Java Version:

    • OpenJDK 11, OpenJDK 17

    • Oracle JDK 8

Note

Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations.

2023.2.6

  • Added functionality to generate SCA Reports in various formats: PDF, XML, CSV, JSON, cyclonedxjson, and cyclonedxxml.

  • Added functionality to generate reports in the agent's workspace directory.

  • Added functionality to generate SCA/OSA reports in the workspace directory.

  • SCA Resolver integration is enhanced and can reuse SAST-specific parameters like Project Name, Source Code Location, SAST Server URL, Credentials, and Result Path.

    According to the syntax of SCA Resolver arguments, the additional parameters are intended for extra arguments.

  • Provided a new option to select a job status in cases where the CxSAST vulnerability threshold is crossed.

  • The global setting SSL/TLS validation checkbox is enabled by default to enforce TLS/SSL server certificate validation.

  • Set a specific scan retention rate for CxSAST Scan. Added support for CxSAST Scan Retention Settings when creating a project.

  • Upgraded the following libraries:

    org.json:json:20230227

  • Supported SAST Versions: 9.3, 9.4, 9.5

  • OSA Support: Supported,

    * FSA supported version: 23.0.1

  • Supported Tool Version:

    * Operating Systems: Windows, Linux

    * Jenkins versions: 2.164 - LTS 2.387.3

  • Supported Java Version:

    • OpenJDK 11, OpenJDK 17

    • Oracle JDK 8

Note

Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations.

2022.4.3

  • Corrected the config-as-code feature. The prior version failed to parse the cx.config file.

  • The overrideProjectSetting plugin parameter indicates whether the preset and engineConfigurationId values will be saved on the SAST project.

  • HTTP links to OSA scan results that appear in the plugin logs are corrected.

  • Enhanced default include/exclude pattern to exclude SCAResolver’s result files.

  • Introduced ABORTED as a new value for the jobStatusOnError and vulnerabilityThresholdResult parameters. Using this value will stop the pipeline immediately.

  • Fixed an issue that the build was not marked as failed for SCA Policy violations.

  • Upgraded the following libraries:

    • org.apache.logging.log4j:log4j-core:2.17.1

    • org.apache.commons:commons-compress:1.22

    • com.google.code.gson:gson:2.8.9

    • org.yaml:snakeyaml:1.33

  • Supported SAST Versions: 9.3, 9.4, 9.5

  • OSA Support: Supported, *FSA agent supported version: 21.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.361.4, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, OpenJDK 17, Oracle JDK 8

Note

Jenkins server version since 2.357 supports only OpenJDK 11 and OpenJDK 17. The Checkmarx plugin is supported under both configurations.

2022.3.3

  • Fixed an issue that occurred in existing scripted pipelines if ‘customFields’ had not been defined on the scan level. ‘customFields’ is now an optional parameter.

  • Supported SAST Versions: 9.3, 9.4, 9.5

  • OSA Support: Supported, *FSA agent supported version: 21.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.346.3, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2022.3.2

  • Benign errors such as duplicate scan errors or timeout errors are suppressed by default. This can be disabled by defining the JVM property as 'suppressBenignErrors=false'.

  • Special characters are now validated in custom fields.

  • Introduced presetId 0, which causes SAST to use the preset ID of previous scans in that project. If it is a new project, the preset in SAST defaults to 'Checkmarx Default'.

  • Pipeline scripts can be configured with scaTeamId instead of scaTeamPath. scaTeamId takes precedence, though.

  • The CxOrigin value now contains the Jenkins plugin version.

  • Supported SAST Versions: 9.3, 9.4, 9.5

  • OSA Support: Supported, *FSA agent supported version: 21.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.346.3, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2022.2.3

  • Fixed the CSRF and Permission check security issues that have been documented in the Jenkins Security Advisory 2022-02-15. If Matrix Authorization is enabled, a job or configure role is required to edit the Jenkins job.

  • Proxy can now be enabled for CxSCA communication as well.

  • Fixed the issue that caused dependency scan settings to be accessed from the global configuration instead of the specific job configuration, which resulted in a NullPointerException.

  • Supported SAST Versions: 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.342.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2022.2.1

  • Fixed an issue that caused CxSCA scans with proxy to fail, if no CxSAST scan is performed.

  • Fixed an issue that caused the ScaResolver to fail in Orchestrator/Worker configuration under Windows and Linux.

  • Upgraded the Spring framework libraries to version 5.3.18.

  • Corrected the scenario where the Post Scan Action ID was passed as 0 and failed with a NullPointerException.

  • PostScanActions now enclose arguments with quotes ("").

  • Duplicated project scans are not queued anymore in the same queue.

  • Supported SAST Versions: 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.1

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.342.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2022.1.3

  • Addressed the CSRF and Permission check security issues that have been documented in the Jenkins Security Advisory 2022-02-15.

  • The Post Scan Action parameter is now optional.

  • Supported SAST Versions: 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.1

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2022.1.2

  • Added support for the SCA Resolver.

  • Fixed an issue that prevented the use of groupId or teamPath in a pipeline job.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.1

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.4.3

  • Fixed an issue that caused SAST scans to fail because of a CxOriginUrl header length limitation. The URL value is now truncated.

  • The third-party libraries have been upgraded as listed below:

    • Library “org.apache.logging.log4j:log4j-core” to 2.16.0.

    • Library “org.apache.logging.log4j:log4j-api” to 2.16.0.

    • Library “org.apache.logging.log4j:log4j-slf4j-impl” to 2.16.0.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.1

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.4.2

  • Added support for the SCA Scan Timeout mechanism.

  • The SCA teampath regression issue has been fixed.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 21.0.1

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.4.1

  • Support has been added for post scan actions for SAST 9.3 and higher.

  • Team names can now be ordered alphabetically.

  • Scan level custom fields have been added for SAST 9.4.

  • Support has been added to force-rescan source code with no changes.

  • It is now possible to continue the build when the SAST scan times out.

  • An interface issue has been fixed that made it impossible to clear Dependency Scan, if globally defined.

  • Fixed an issue that caused tasks in Orchestrator/Worker format to be completed successfully when entering incorrect user credentials.

  • Enable Synchronous Mode has been added to the user interface. It was missing in the user interface of the last version of the plugin, although the functionality was supported.

  • Fixed an issue that caused HTML reports not to be generated for asynchronous scans.

  • Fixed an issue that caused dependencies to conflict during an OSA HTML scan.

  • Fixed an issue that caused multiple OSA scans to fail or logs to get mixed up when running them in parallel at the same agent.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 20.0.13

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.303.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.3.3

  • Added support for FSA agent version 20.0.13

  • Added support for CxSAST languages in HTML reports

  • Enabled the system to obtain the CxSAST results, if the CxSAST scan is completed before the CxOSA scan.

  • Supported SAST Versions: 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 20.0.13

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.289.1, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.3.1

  • Fixed an issue that caused the proxy to be used even when it had been disabled when configuring the job. It is now driven by the job level ‘Jenkins Proxy’ setting only.

  • Fixed an issue that caused debug logs to remain hidden during a regression when ‘Hide Debug Logs’ was cleared.

  • Fixed an issue that caused FSA logs to remain hidden during OSA scans.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: Supported, *FSA agent supported version: 20.0.11

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.277.4, *Operating Systems: Windows, Linux

  • Supported Java Version: OpenJDK 11, Oracle JDK 8

2021.2.96

  • Fixed the error that caused a deserialization exception triggered by the CxSCA functionalities ‘Break the build’ and ‘Include Source’.

  • Fixed the error that caused a serialization exception triggered by Jenkins agent-based jobs.

  • Exploitable path/attack vector support has been added for CxSCA scans.

  • The “EnablePolicyEnforcement” option now enforces CxSCA Policies in addition to CxSAST & CxOSA policies.

  • An option to include source code with CxSCA scans has been added.

  • Private registries and environment variables have been added for CxSCA scans.

  • Project creation and team assignment capabilities have been added for CxSCA scans.

  • Added an option to the user interface to hide debug/trace logs.

  • Fixed the behavior for “Allow global comment” to concatenate job level and global comment when configured.

  • Added a validation mechanism for SCA credentials.

  • To fix security vulnerabilities, the libraries listed below have been upgraded to newer versions:

    • io.vertx:vertx-web to version 3.9.7

    • commons-beanutils:commons-beanutils to version 1.9.4

    • org.apache.httpcomponents:httpclient to version 4.5.13

    • io.netty:netty-codec-http to version 4.1.60.Final

    • commons-io:commons-io to version 2.7

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3

  • OSA Support: Supported, *FSA agent supported version: 20.0.11

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.277.4, *Operating Systems: Windows, Linux

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2021.1.2

  • Support for the config as code functionality

  • Support for the cxOrigin and cxOrigin url functionality

  • Fixed the Project Settings Override functionality

  • Added the ability to remove HTML results for the async mode

  • Fixed various limitations and improved proxy support

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3

  • OSA Support: Supported, *FSA agent supported version: 20.0.10

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 - LTS 2.263.2, *Operating Systems: Windows, Linux

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.4.8

  • Enable/Disable proxy support by global/job configuration.

  • Proxy support added for both SAST and SCA.

  • Fixed the SCA async behavior.

  • Fixed an issue with resolving dependencies for an OSA scan.

  • Fixed displaying zero values on SCA HTML reports.

  • Fixed 'OSADependencies.json file is not generated under workspace' when the job is running on Orchestrator Worker.

  • Added missing classes to the allowlist for security purposes.

  • Added support for FSA custom variables.

  • Supported SAST Versions: 8.9, 9.0, 9.2

  • OSA Support: Supported, *FSA agent supported version: 20.0.9

  • SCA Support: Supported

  • Supported Tool Version: Jenkins LTS 2.249.3, *Operating Systems: Windows, Linux

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.4.3

  • SCA login fix

  • Multiple scanners are loosely coupled to run independently. This way, scanners continue to run, if one scanner fails.

  • Supported SAST Versions: 8.9, 9.0, 9.2

  • OSA Support: Supported, *FSA agent supported version: 20.0.8

  • SCA Support: Supported

  • Supported Tool Version: Jenkins LTS 2.249.2, *Operating Systems: Windows, Linux

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.3.3

  • Prevents source code from being sent to the SCA cloud.

  • Sending Manifest and Fingerprints to the SCA cloud only.

  • Supported SAST Versions: 8.9, 9.0, 9.2

  • OSA Support: Supported, *FSA agent supported version: 20.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins LTS 2.235.3, *Operating Systems: Windows

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.2.20

  • Support for the new SCA dashboard

  • Saving the SCA response as a JSON file

  • Fix for exclude/include field with new lines and spaces

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 20.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins LTS 2.204.3, *Operating Systems: Windows

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.2.5

  • Added support for new CxSCA APIs

  • Exposing CxSAST threshold variables for Jenkins pipeline

  • Fix for Maven Path validation

  • Fix for PDF Link generation

  • The "Tenant" label has been renamed to "Account"

  • The “CxSCA Server URL” has been renamed to “CxSCA API URL”

  • A note has been added that SAML and SSO are not supported to log in to CxSCA

  • The SCA Scan ID is displayed in the log

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 20.0.5

  • SCA Support: Supported

  • Supported Tool Version: Jenkins LTS 2.204.3, *Operating Systems: Windows

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2020.1.10

  • Support for CxSCA

  • Support OSA for Scala language

  • Support OSA for PHP language

  • OpenJDK 11 support

  • Oracle JDK 8 support

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 20.030

  • Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents

  • Supported Java version: OpenJDK 11, Oracle JDK 8

2019.4.2

  • Support for CxSCA

  • Support OSA for Scala language

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 20.0.0

  • SCA Support: Supported

  • Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents

2019.4.1

  • OpenJDK 11 support

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 18.7.2.4

  • Supported Tool Version: Jenkins 2.164 – 2.204, *Operating Systems: Windows and Linux agents

9.00.5

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: Supported, *FSA agent supported version: 18.7.2.4

  • Supported Tool Version: Jenkins 2.164 – 2.206, *Operating Systems: Windows and Linux agents

8.90.4 (HF)

  • Fix for a different issue of “Failed to deserialize response to UserRequest” error

8.90.3 (HF)

  • Fix for “Failed to deserialize response to UserRequest” error for Orchestrator/Worker configurations

8.90.0

  • New Top-Bar ("red" scan failed, "green" scan passed)

  • Support OSA scanning of NuGet package files

  • Support OSA scanning of Python 3 package files

  • Ability to break the build according to the OSA policy status

8.80.0

  • Ability to run OSA scan separately from SAST

8.70.0

  • Embed OSA core library into the Checkmarx CI plugins

  • Support OSA scanning of the NPM package.json

  • Support OSA scanning of Maven POM.XML files

8.60.0

  • Display latest scan report when running the scan in asynchronous mode

  • Report chart now shows both Recurrent and New bugs (Currently only CxSAST)

  • Migration to Jenkins Credential Management

8.50.0

  • Updated Report UI

  • Support Team name in pipelines in addition to groupId

8.42.0

  • Support for Jenkins Pipelines

8.8.0

  • Enable connection to CxSAST using SAML login on macOS Mojave (10.14.04)