
Supported Components and Operating Systems (9.5.0)

The following operating systems have been tested with CxSAST and CxOSA for v9.5.0:

Operating Systems

CxSAST Engine

CxSAST

CxOSA

Access Control

Management & Orchestration

Windows (64-bit) 10

V

V

Windows (64-bit) 11

V

V

Windows Server 2008R2

V

V

Windows Server 2012

V

V

Windows Server 2012R2

V

V

Windows Server 2016

V

V

Windows Server 2019

V

V

Windows Server 2022

V

V

Linux CentOS 7

V

Linux CentOS 8

V

Linux Ubuntu 18.04

V

Linux Ubuntu 20.04

V

Linux RedHat 8.3

V

Linux Fedora 33

V

Linux Fedora 34

V

Java Version

CxSAST

CxOSA

Access Control

Management & Orchestration

Java 17

V

V

V

Note: If SAST 9.5 is uninstalled and SAST 9.4 is reinstalled, Java must be manually downgraded to version 8, because 9.4 is not compatible with Java 17 (even though the 9.4 installation wizard indicates that it completed successfully).

Frameworks

CxSAST

CxOSA

Access Control

Management & Orchestration

Microsoft .NET Core 6.0.5 Runtime & Hosting

V

WebServer

CxSAST

CxOSA

Access Control

Management & Orchestration

IIS 7.5-10

V

Supported Browsers

The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0:

Browsers

CxSAST

CxOSA

Access Control

Management & Orchestration

Codebashing

Chrome

Latest

Latest

Edge

Latest

Latest

Safari

Latest

Latest

Firefox

Latest

Latest

Notice

'Latest' is defined by the browser vendors. Check with the respective browser vendor for the latest version available.

Notice

If you are using Chrome version 80, please refer to the following page.

Accessing the Web Portal from the SAST Server in Chrome

In a default all-in-one setup, the web portal can be accessed directly from the SAST server via http://localhost:80/CxWebClient by clicking a shortcut icon.

If a user clicks this shortcut icon in an attempt to access the web portal, the authentication request is issued to Access Control, usually by using a fully qualified domain name (FQDN), for example:

http://user-laptop.dm.cx/

Localhost and the FQDN are treated as different domains, although the web portal and Access Control reside on the same host. Since Chrome (version 80 and higher) has changed how it handles cookies, using HTTP no longer allows switching between product components and prevents the authentication process from completing successfully. This affects SAST applications, as outlined below.

SAST 9.0 and later

Warning

Since February 2020, Google has increased its browser security. As a result, Chromium-based browsers, starting with Chrome version 80 and Edge version 82, handle cookies differently.

This behavior is controlled by the SameSite attribute which affects whether the cookies can be sent to different domains or third-party dependencies.

Checkmarx has adjusted its software to the new situation as much as possible. Nevertheless, this change introduces a limitation when using Checkmarx SAST in a non-secure distributed environment.

With this type of environment, the SameSite default attribute cannot be set to Lax, which allows cookies to be sent only when the domain in the URL of the browser matches the domain of the cookie.

So, in an environment where the Web Portal is on one machine and Access Control is on another, with a non-secure connection between them, the cookies cannot be sent to the iframes used in some of the Portal views, causing an authentication problem on the iframe side.

To overcome this issue, the distributed environment must be secure, using SSL/HTTPS. This allows setting the SameSite attribute to None, with the secure flag option, giving permission to the browser to send the cookies to the iframe, fixing the problem.
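The cookie decision described above can be followed in a small model. This is an added example, not Checkmarx code: the cookie name CXSESSION is constructed, the site comparison uses the last two host labels instead of the Public Suffix List that browsers use, and only the Chrome 80 rules mentioned on this page are modelled.

```javascript
// Simplified model of Chromium 80+ SameSite handling for a cookie that
// Access Control sets and that must reach an iframe inside the Web Portal.
// Assumption: "site" = last two host labels (browsers use the Public Suffix List).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Extract the name, Secure flag and SameSite value from a Set-Cookie header.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.toLowerCase();
    const v = value.toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite' && ['strict', 'lax', 'none'].includes(v)) cookie.sameSite = v;
  }
  return cookie;
}

// Is the cookie stored and then attached to an iframe request for
// requestUrl, embedded in a page whose address-bar URL is topLevelUrl?
function iframeCookieDecision(setCookieHeader, requestUrl, topLevelUrl) {
  const c = parseSetCookie(setCookieHeader);
  const https = new URL(requestUrl).protocol === 'https:';
  const effective = c.sameSite || 'lax'; // missing attribute is treated as Lax
  if (c.secure && !https) {
    return { sent: false, reason: 'Secure cookie rejected over HTTP' };
  }
  if (effective === 'none' && !c.secure) {
    return { sent: false, reason: 'SameSite=None requires Secure' };
  }
  if (siteOf(requestUrl) === siteOf(topLevelUrl)) {
    return { sent: true, reason: 'same-site request' };
  }
  if (effective === 'none') {
    return { sent: true, reason: 'SameSite=None; Secure over HTTPS' };
  }
  return { sent: false, reason: `SameSite=${effective} blocks cross-site iframe` };
}

// Constructed scenario: portal opened via localhost, Access Control via its FQDN.
const portalHttp = 'http://localhost/CxWebClient';
const acHttp = 'http://user-laptop.dm.cx/';
console.log(iframeCookieDecision('CXSESSION=abc; Path=/; HttpOnly', acHttp, portalHttp));
console.log(iframeCookieDecision('CXSESSION=abc; SameSite=None; Secure',
  'https://user-laptop.dm.cx/', 'https://localhost/CxWebClient'));
```

Over HTTP every cross-site variant fails; only the HTTPS deployment with SameSite=None and Secure delivers the cookie to the iframe.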

In new versions of CxSAST, the portal does not connect to the CxSAST server and errors appear in the web browser console.

[Screenshot: errors in the web browser console]

Workaround

This issue can be addressed in the two ways outlined below.

Introducing a new Flag to the Database

New versions, version updates and hotfixes introduce a new flag called SameSiteSecuredFlag in the componentConfiguration table in the Checkmarx database (CxDB). The flag is set to true by default to allow cookies to be shared across different domains.

Notice

Currently, this flag is available for all-in-one setups only.

Modifying Cookie Options in Chrome

Another approach is manually disabling Cookie options in Chrome as follows:

  1. Open a new tab in Chrome.

  2. In the address field, enter chrome://flags/. Cookie options appear.

  3. Switch both cookie options from <Enabled> to <Disabled>.


Supported SQL Servers

The following SQL servers have been tested with CxSAST v9.3.0:

SQL Server

CxSAST

Access Control

Management and Orchestration

2012

V

2012R2

V

2014

V

2016

V

2017

V

2019

V

* AWS RDS can be used (see the AWS RDS section in the Installing CxSAST guidelines).

* Azure Managed Instance DBaaS is supported from CxSAST 9.2.

** SQL Express is not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.

Supported Integrations and Plugins

The lists below provide links to information on integrations supported by CxSAST. In addition, plugin support and supported CxSAST versions are listed in the change logs of the respective IDE and CI/CD plugins, which are available by following the respective link below.

IDE Plugins

Follow the respective link to open the change log for the desired IDE plugin.

CI/CD Plugins

Follow the respective link to open the change log for the desired CI/CD plugin.

SCM Integrations

Additional information and instructions on SCM integrations with Git, GitHub, GitHub Actions, GitLab and Atlassian Bitbucket are available under SCM Integrations.

Other Integrations

Additional information and instructions on more supported integrations are available under Other Integrations.