- Checkmarx Documentation
- Checkmarx SAST
- SAST Set Up Guide
- Hardware & Software Requirements
- Supported Environments
- Supported Components and Operating Systems for Previous Versions
Supported Components and Operating Systems for Previous Versions
Supported Components and Operating Systems (9.5.0)
The following operations systems have been tested with CxSAST and CxOSA for v9.5.0:
Operating Systems | CxSAST | CxSAST Engine | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|---|
Windows (64-bit) 10 | V | V | V | ||
Windows (64-bit) 11 | V | V | V | ||
Windows Server 2012 | V | V | V | ||
Windows Server 2012R2 | V | V | V | ||
Windows Server 2016 | V | V | V | ||
Windows Server 2019 | V | V | V | ||
Windows Server 2022 | V | V | V | ||
Linux CentOS 7 | V | ||||
Linux CentOS 8 | V | ||||
Linux Ubuntu 18.04 | V | ||||
Linux Ubuntu 20.04 | V | ||||
Linux RedHat 8.3 | V | ||||
Linux Fedora 33 | V | ||||
Linux Fedora 34 | V |
Java Version | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Java 17 | V | V | V |
Note: If SAST 9.5 is uninstalled and SAST 9.4. is reinstalled, it is necessary to manually downgrade Java back to version 8, because 9.4 is not compatible with JAVA 17 (even though the 9.4 installation wizard indicates that it completed successfully).
Frameworks | CxSAST & CxSAST Engine | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Microsoft .NET Core 6.0.5 Runtime & Hosting | V |
WebServer | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
IIS 7.5-10 | V |
Supported Browsers
The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0
Browsers | CxSAST | CxOSA | Access Control | Management & Orchestration | Codebashing |
---|---|---|---|---|---|
Chrome | Latest | Latest | |||
Edge | Latest | Latest | |||
Safari | Latest | Latest | |||
Firefox | Latest | Latest |
Notice
'Latest' is defined by the browser vendors. Check with the respective browser vendor for the latest version available.
Notice
If you are using Chrome version 80 - please refer to the following page.
Accessing the Web Portal from the SAST Server in Chrome
In a default all-in-one setup, the web portal could be directly accessed from the SAST server via http://localhost:80/CxWebClient by clicking a shortcut icon.
If a user clicks this shortcut icon in an attempt to access the web portal, the authentication request is issued to Access Control, usually by using a fully qualified domain name (FQDN), for example:
http://user-laptop.dm.cx/
Localhost and FQDN are treated as different domains, although the web portal and Access Control reside on the same host. Since Chrome (version 80 and higher) has changed its way on how it relates to cookies, using HTTP does not allow switching between product components anymore and prevents the authentication process from completing successfully, which affects SAST applications, as outlined below.
SAST 9.0 and later
Warning
Since February 2020, Google has increased its browser security. Therefore, in Chromium based browsers since Chrome version (80) and Edge version (82) there is a new behavior related to cookies.
This behavior is controlled by the SameSite attribute which affects whether the cookies can be sent to different domains or third-party dependencies.
Checkmarx has adjusted its software to the new situation as much as possible. Nevertheless, this change introduces a limitation when using Checkmarx SAST in a non-secure distributed environment.
With this type of environment, the SameSite default attribute cannot be set to Lax, which allows cookies to be sent only when the domain in the URL of the browser matches the domain of the cookie.
So, in an environment where the Web Portal is on one machine and the Access Control is on another, and there is a non-secure connection between them, where iframes are used in some of the Portal views the cookies cannot be to them, causing an authentication problem on the iframe side.
To overcome this issue, the distributed environment must be secure, using SSL/HTTPS. This allows setting the SameSite attribute to None, with the secure flag option, giving permission to the browser to send the cookies to the iframe, fixing the problem.
In new versions of CxSAST, the portal does not connect to the CxSAST server and errors appear in the web browser console as illustrated below.
![]() |
Workaround
This issue can be addressed in the two ways outlined below.
Introducing a new Flag to the Database
New versions, version updates and hotfixes introduce a new flag called SameSiteSecuredFlag in the componentConfiguration table in the Checkmarx database (CxDB). The flag is marked true by default to allow cookies being shared across different domains.
Notice
Currently, this flag is available for all-in-one setups only.
Modifying Cookie Options in Chrome
Another approach is manually disabling Cookie options in Chrome as follows:
Open a new tab in Chrome.
In the address field, enter chrome://flags/. Cookie options appear.
Switch both cookie options from <Enabled> to <Disabled>.
![]() |
Supported SQL Servers
The following SQL servers have been tested with CxSAST:
SQL Server | CxSAST | Access Control | Management and Orchestration |
---|---|---|---|
2012 | V | ||
2012R2 | V | ||
2014 | V | ||
2016 | V | ||
2017 | V | ||
2019 | V |
* AWS RDS can be used (seeAWS RDS section in the Installing CxSAST guidelines).
* Azure Managed Instance DBaaS is supported from CxSAST 9.2.
** SQL Express not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.
Supported Integrations and Plugins
The lists below provide links to information on integrations supported by CxSAST. In addition, plugin support and supported CxSAST versions are listed in the change logs of the respective IDE and CI/CD plugins, which are available by following the respective link below.
IDE Plugins
Follow the respective link to open the change log for the desired IDE plugin.
CI/CD Plugins
Follow the respective link to open the change log for the desired CI/CD plugin.
SCM Integrations
Additional information and instructions on SCM integrations with Git, GitHub, GitHub Actions, GitLab and Atlassian Bitbucket are available under SCM Integrations.
Other Integrations
Additional information and instructions on more supported integrations are available under Other Integrations.
9.4.0 Supported Components and Operating Systems
The following operations systems have been tested with CxSAST and CxOSA:
Operating Systems | CxSAST | CxSAST Engine | CxOSA | Access Control | Management & Orchestration | |
---|---|---|---|---|---|---|
Windows (64-bit) 10 | V | V | ||||
Windows Server 2008R2 | V | V | ||||
Windows Server 2012 | V | V | ||||
Windows Server 2012R2 | V | V | ||||
Windows Server 2016 | V | V | ||||
Linux (CentOS, Ubuntu, Fedora) | V |
Java Version | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Java 1.8 (Oracle or AdoptOpenJdk) | V | V | V |
* The lowest supported version for Oracle is 8u241. For AdoptOpenJdk, it is 8u282.
Frameworks | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Microsoft .NET Framework 4.7.1 | V | |||
Microsoft .NET Core 3.1 Runtime & Hosting | V |
WebServer | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
IIS 7.5-10 | V |
9.3.0 Supported Components and Operating Systems
The following operations systems have been tested with CxSAST / CxOSA v9.3.0:
Operating Systems | CxSAST | CxSAST Engine | CxOSA | Access Control | Management & Orchestration | |
---|---|---|---|---|---|---|
Windows (64-bit) 10 | V | V | ||||
Windows Server 2008R2 | V | V | ||||
Windows Server 2012 | V | V | ||||
Windows Server 2012R2 | V | V | ||||
Windows Server 2016 | V | V | ||||
Linux (CentOS, Ubuntu, Fedora, RHEL) | V |
* Windows Server Core is not supported
Java Version | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Java 1.8 (Oracle or AdoptOpenJdk) | V | V | V |
* The lowest supported version for Oracle is 8u241. For AdoptOpenJdk, it is 8u242.
Frameworks | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Microsoft .NET Framework 4.7.1 | V | |||
Microsoft .NET Core 2.1.16 Runtime & Hosting | V |
WebServer | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
IIS 7.5-10 | V |
.
9.2.0 Supported Components and Operating Systems
The following operations systems have been tested with CxSAST / CxOSA v9.2.0:
Operating Systems | CxSAST | CxOSA | Access Control | Management &Orchestration |
---|---|---|---|---|
Windows (64-bit) 10 | V | |||
Windows Server 2008R2 | V | |||
Windows Server 2012 | V | |||
Windows Server 2012R2 | V | |||
Windows Server 2016 | V |
* Windows Server Core is not supported
Java Version | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Java 1.8 (Oracle or AdoptOpenJdk) | V | V | V |
* The lowest supported version for Oracle is 8u241. For AdoptOpenJdk, it is 8u242.
Frameworks | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
Microsoft .NET Framework 4.7.1 | V | |||
Microsoft .NET Core 2.1.16 Runtime & Hosting | V |
WebServer | CxSAST | CxOSA | Access Control | Management & Orchestration |
---|---|---|---|---|
IIS 7.5-10 | V |
Supported SQL Servers (v9.3.0 and later)
The following SQL servers have been tested with CxSAST:
SQL Server | CxSAST | Access Control | Management and Orchestration |
---|---|---|---|
2012 | V | ||
2012R2 | V | ||
2014 | V | ||
2016 | V | ||
2017 | V | ||
2019 | V |
* AWS RDS can be used (see AWS RDS section in the Installing Checkmarx SAST guidelines).
* Azure Managed Instance DBaaS is supported from Checkmarx SAST 9.2.
** SQL Express not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.
Supported SQL Servers (v9.0.0 to v9.2.0)
The following SQL servers have been tested with Checkmarx SAST/OSA v9.0.0:
SQL Server | CxSAST | CxOSA | Access Control | Management and Orchestration |
---|---|---|---|---|
2012 | V | |||
2012R2 | V | |||
2014 | V | |||
2016 | V | |||
2017 | V |
* AWS RDS can be used (see AWS RDS section in the Installing Checkmarx SAST guidelines).
* Azure Managed Instance DBaaS is supported from Checkmarx SAST 9.2.
** SQL Express not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.
** For ideal performance we recommend applying MSSQL SP4 when working with MSSQL 2012
Supported Browsers (v9.2.0 and later)
The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0
Browsers | CxSAST | CxOSA | Access Control | Management & Orchestration | Codebashing |
---|---|---|---|---|---|
Chrome | Latest | Latest | |||
Edge | Latest | Latest | |||
Safari | Latest | Latest | |||
Firefox | Latest | Latest |
Notice
'Latest' is defined by the browser vendors. Check with the respective browser vendor for the latest version available.
Notice
If you are using Chrome version 80 - please refer to Accessing the Web Portal from the SAST Server in Chrome.
.
Supported Integrations and Plugins (v9.2.0 and later)
Integration
Jira | 5.0 - 8.x |
---|---|
Jira Cloud | Latest |
SonarQube (Widget) | 4.5.4 - 6.1 |
SonarQube (Plugin) | 6.3 - 7.9 (Sonar Scanner 4.0) |
Apache Maven | 3.0 - 3.25, 3.3.9 |
SVN | 1.8.x |
IDE Plugins
For updates and changes, refer to IDE Plugins.
CI/CD Plugins
For updates and changes, refer to CI/CD Plugins.
.