Azure DevOps Plugin - Changelog (SAST & SCA)

The following table lists the features and changes that have been implemented for the plugin with the relevant version release. To obtain the plugin, go to the plugin download section.

Version

Changes/Features

Additional Information

2023.3.3

  • Introduced the new parameter SCA Resolver Path (in pipeline YAML and UI) for SCA scans. Use it to specify the path where the SCA Resolver is already available in the pipeline infrastructure, which avoids downloading the SCA Resolver tool.

  • If the SCA Resolver Path parameter value (in YAML or UI) is empty, or the SCA Resolver tool is not present at the specified path, the plugin automatically downloads the SCA Resolver to the user's default home directory and installs it.

  • Fixed an issue where existing project-level custom field values were reset while updating when using the ADO pipeline.

  • Fixed an issue where the plugin failed to use proxy URLs with a username and password for the SCA scan.

  • Certified SAST Versions: 9.4, 9.5, and 9.6.

  • SAML Support: SAST Versions: 9.4, 9.5, and 9.6

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Version:

    • Dev Azure (cloud version)

    • Azure DevOps Server (TFS) 2019 and 2020

    • Windows, Linux, and Mac agents.

  • Node JS Version: 10 and higher

2023.2.5

  • Introduced the scan Timeout parameter for SCA scans. The plugin will return a timeout error when the scan takes more time than the timeout set.

  • Fixed an issue when canceling a SAST scan from the server where the SAST scan timeout limit was exceeded and the scan failed in the plugin.

  • Enhanced and corrected the logs for Incremental and Vulnerability thresholds.

  • The plugin will ignore invalid post-scan action ID and continue execution.

  • Fixed an issue where the plugin execution was interrupted if the SAST swagger endpoint was not accessible.

  • The plugin will now honor respective proxy settings configured using the plugin parameters supported for SAST and SCA scan settings.

  • Added support to automatically download and install the SCA Resolver tool when the pipeline is designed to use it. The tool downloads from the user’s home directory.

  • Added support for Project and Scan level custom tags in SCA.

  • Added support for configuring additional patterns to identify Manifest files to be added to the ZIP file created for the SCA scan.

  • Added support for configuring additional patterns to identify files where Fingerprint needed to be passed to the SCA service.

  • Supported SAST Versions: 9.3, 9.4, and 9.5.

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Version:

    • Dev Azure (cloud version)

    • Azure DevOps Server (TFS) 2019 and 2020

    • Windows, Linux, and Mac agents.

  • Node JS Version: 10 and higher

2022.4.1

  • Introduced Project Default as a new value for the Preset setting. This indicates that SAST continues using the preset settings for existing projects. If this value is set for a new project, the Checkmarx Default preset settings apply.

  • Fixed an issue that caused a pipeline not to fail in case of a duplicate scan. The pipeline continued with a warning.

  • Fixed an issue that could cause SCA to fail during AWS upload when using the proxy.

  • Fixed an issue that allowed the proxy to be configured independently for SCA and SAST.

  • Fixed an issue that caused Chinese characters in the values of CxOrigin and CxOriginUrl to be replaced with empty strings.

  • ScaResolver runtime logs are now captured in plugin logs if the pipeline is executed in Debug mode.

  • ScaResolver now supports Exploitable Path with the Azure DevOps plugin. The .cxsca-results.json and .cxsca-sast-results.json files are zipped and uploaded so that the exploitable path is reflected in the SCA portal.

  • Supported SAST Versions: 9.3, 9.4, 9.5

  • Operating Systems: Windows, Linux, Mac

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • Azure DevOps Server (TFS) 2019 and 2020

    • Windows and Linux agents

  • Node JS Version: 10 and higher

2022.2.1

  • Fixed an issue that prevented the plugin from installing on TFS. The plugin now installs on TFS 2019 and 2020 as well as in the ADO cloud.

  • Fixed an issue that caused errors to appear twice in the logs.

  • Supported SAST Versions: 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019 and 2020

    • Windows and Linux agents

  • Node JS Version: 10 and higher

2022.1.16

  • Fixed an issue that caused the new plugin to fail if no vulnerability was detected by CxSAST.

  • Fixed an issue that triggered a full scan when a user attempted to start an incremental scan.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019 and 2020 (plugin installation supported from Marketplace only)

    • Windows and Linux agents

  • Node JS Version: 10 and higher

2022.1.15

  • Added support for CxSAST and CxSCA proxy URLs.

  • Enabled users to download PDF reports on CxSAST scan results.

  • Enabled users to add Project Custom Fields.

  • Enabled users to override project settings like Preset and Engine Configuration ID for CxSAST version 9.3 (Hotfix 11 or higher) and CxSAST 9.4 (Hotfix 8 or higher).

  • Added the presets OWASP TOP 10 – 2021 and OWASP TOP 10 API.

  • Added support for failing the build when additional vulnerabilities have been detected.

  • Upgraded the node requirement from Node 6 to Node 10.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019 and 2020 (plugin installation supported from Marketplace only)

    • Windows and Linux agents

  • Node JS Version: 10 and higher

2022.1.1

  • Added support for the SCA Resolver.

  • Fixed an issue that caused polling to continue even after triggering waitForScanResult when CxSAST returned an internal server error.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019 and 2020

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2021.4.4

  • Added support for a mechanism that avoids duplicate scans.

  • Added support for scan-level custom fields (for CxSAST 9.4).

  • Enabled users to select the source configuration.

  • Enabled users to select Post Scan Action (for CxSAST 9.3 and higher).

  • Updated the CxSAST Service endpoint connection to enter Preset and Team to override the parameters stored in the pipeline.

  • Updated the CxSCA Service endpoint connection to enter the Access Control URL, the Web App URL and the CxSCA account.

  • Renamed the CxSAST and CxSCA Service endpoint connections to Checkmarx SAST and Checkmarx SCA respectively.

  • Added support to define periodic full scans after a number of incremental scans that you can specify.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019 and 2020

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2021.4.3

Added support for self-signed certificates configured in CxSAST. Below are the parameters to configure the SAST and SCA certificate chain path:

  • For CxSAST - sastCaChainFilePath

  • For CxSCA - scaCaChainFilePath

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2021.2.17

CxSCA enhancements and fixes:

  • Added support for project creation

  • Added support for team assignment

  • Added support for Exploitable Path. This utility requires the CxSCA Agent

  • Added support for config files and environment variables. This requires the CxSCA Agent

  • A new option has been added to enforce CxSCA policies and break the build based on violated policies

  • Added support to include the source code

  • The plugin now deletes the zip file from the temporary folder after the scan has been completed

Additional enhancements and fixes:

  • Support for special characters as part of Dev-Azure project names has been added.

  • Added support for CxOriginUrl

  • Added support for OverrideProjectSettings

  • The scan result image is now properly showing the threshold compliance

  • Added the possibility to add a comment to the scan in the logs

  • ‘Elapsed time’ now indicates the elapsed time. Previously, it indicated the absolute time instead

  • An issue has been fixed that caused the 'origin' header to exceed the maximum length

  • An issue has been corrected that caused the TLS verification to be disabled when logging in

  • Removed support for the older Ado Task versions. Only the latest version of the plugin is now supported.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2021.2.13

  • Added support for Proxy Auto Config (PAC) proxy.

  • Enabled proxy configuration from the plugin’s user interface

  • Proxy credentials can be configured as pipeline variables. This does not apply to PAC Proxy.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3, 9.4

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2020.4.14

  • Fixed SCA proxy with no authentication

  • Fixed the SAST Origin Value for the local TFS server

  • Fixed the SAST project settings override with regard to creating a new project. This addition is relevant for SAST 9.3.

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2020.4.10

  • Proxy support

  • Fix for CxSAST project settings override. This is relevant for use with CxSAST 9.3.

  • Updated the original value to include the domain name

  • Fix for CxSCA login scopes

  • Fix for CxSCA project names that are not case sensitive

  • Fixed the link to CxSCA scan results

  • Supports the EU datacenter for CxSCA

  • Supported SAST Versions: 8.9, 9.0, 9.2, 9.3

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2020.3.11

  • Prevents source code from being sent to the SCA cloud service.

  • Sending Manifest and Fingerprints only to the SCA cloud service.

  • Causes the build to fail if the lower threshold is set to zero and a low number of vulnerabilities are found.

  • Fixed cases where scans were aborted if the SCA URL ended with /, for example, https://sca.cxsca.net/

  • Supported SAST Versions: 8.9, 9.0, 9.2

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2020.2.86

  • Added support for CxSCA

  • Displays the CxSCA dashboard

  • Saves the CxSCA responses as JSON files

  • Improved and redesigned the user interface

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: N/A

  • SCA Support: Supported

  • Supported Tool Versions:

    • Dev Azure (cloud version)

    • TFS 2019

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

2020.2.12

  • Policy Enforcement support

  • Sending Origin as ‘VSTS’ in SAST scan request

  • Task versioning support

  • Fixed the issue that caused the incremental scan to fail without a code change

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: N/A

  • Supported Tool Version:

    • Dev Azure (cloud version)

    • TFS 2019

    • TFS 2018

    • TFS 2017 (up to version 3.1)

    • Windows and Linux agents.

  • Node JS Version: 6.10.3 and higher.

2019.4.1

  • Ability to break the build according to the OSA policy status

  • Added support for Linux agents

  • The Checkmarx tab is now hidden from build results if the pipeline doesn't contain a Checkmarx task

  • Added support for globstar (**) in 'Include/Exclude Wildcard Patterns' setting for additional flexibility

    - E.g. to exclude .tmp and .bak files at all directory levels, the following pattern should be used: '!**/*.bak, !**/*.tmp'

    - See the help text for this setting for more details.

  • The user running the CxSAST Azure DevOps plugin scan must have both 'Scanner' and 'Reviewer' role permissions.

  • A parameter 'Enable Project’s Policy Enforcement' enables breaking the build by both CxSAST policies upon policy violation. This parameter can now be defined for CxSAST.

  • CxOSA is no longer supported via the Azure DevOps plugin.

  • Certified SAST Versions: 8.9, 9.0

  • OSA Support: N/A

  • Supported Tool Versions:

    • DevAzure (cloud version)

    • TFS 2019

    • TFS 2018

    • TFS 2017 (latest v3.1)

    • Windows and Linux agents

  • Node JS Version: 6.10.3 and higher

8.9.0

  • Ability to break the build according to the OSA policy status

8.8.0

  • The plugin name has been changed from ‘CxSAST MS-VSTS’ to ‘CxSAST Azure DevOps’

  • Report UI displays both New and Recurrent vulnerabilities in the bar chart

  • Ability to abort scan on timeout

  • Ability to deny the creation of new projects

  • Ability to set a scan comment

8.7.0

  • Embed OSA core library into the Checkmarx CI plugins

  • Support scanning of the NPM package.json

  • Support scanning of Maven POM.XML files

8.6.0

  • First release with CxOSA

  • First release with a graphical report (Bar Chart)

    (identical to Bamboo and Teamcity)

8.51

  • Custom Preset

  • Proxy Support