Supported Components and Operating Systems for Previous Versions

The following operations systems have been tested with CxSAST and CxOSA for v9.5.0:

Note: If SAST 9.5 is uninstalled and SAST 9.4. is reinstalled, it is necessary to manually downgrade Java back to version 8, because 9.4 is not compatible with JAVA 17 (even though the 9.4 installation wizard indicates that it completed successfully).

Supported Browsers

The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0

Browsers	CxSAST	CxOSA	Access Control	Management & Orchestration	Codebashing
Chrome	Latest				Latest
Edge	Latest				Latest
Safari	Latest				Latest
Firefox	Latest				Latest

Notice

'Latest' is defined by the browser vendors. Check with the respective browser vendor for the latest version available.

Notice

If you are using Chrome version 80 - please refer to the following page.

Accessing the Web Portal from the SAST Server in Chrome

In a default all-in-one setup, the web portal could be directly accessed from the SAST server via http://localhost:80/CxWebClient by clicking a shortcut icon.

If a user clicks this shortcut icon in an attempt to access the web portal, the authentication request is issued to Access Control, usually by using a fully qualified domain name (FQDN), for example:

http://user-laptop.dm.cx/

Localhost and FQDN are treated as different domains, although the web portal and Access Control reside on the same host. Since Chrome (version 80 and higher) has changed its way on how it relates to cookies, using HTTP does not allow switching between product components anymore and prevents the authentication process from completing successfully, which affects SAST applications, as outlined below.

SAST 9.0 and later

Warning

Since February 2020, Google has increased its browser security. Therefore, in Chromium based browsers since Chrome version (80) and Edge version (82) there is a new behavior related to cookies.

This behavior is controlled by the SameSite attribute which affects whether the cookies can be sent to different domains or third-party dependencies.

Checkmarx has adjusted its software to the new situation as much as possible. Nevertheless, this change introduces a limitation when using Checkmarx SAST in a non-secure distributed environment.

With this type of environment, the SameSite default attribute cannot be set to Lax, which allows cookies to be sent only when the domain in the URL of the browser matches the domain of the cookie.

So, in an environment where the Web Portal is on one machine and the Access Control is on another, and there is a non-secure connection between them, where iframes are used in some of the Portal views the cookies cannot be to them, causing an authentication problem on the iframe side.

To overcome this issue, the distributed environment must be secure, using SSL/HTTPS. This allows setting the SameSite attribute to None, with the secure flag option, giving permission to the browser to send the cookies to the iframe, fixing the problem.

In new versions of CxSAST, the portal does not connect to the CxSAST server and errors appear in the web browser console as illustrated below.

Workaround

This issue can be addressed in the two ways outlined below.

Introducing a new Flag to the Database

New versions, version updates and hotfixes introduce a new flag called SameSiteSecuredFlag in the componentConfiguration table in the Checkmarx database (CxDB). The flag is marked true by default to allow cookies being shared across different domains.

Notice

Currently, this flag is available for all-in-one setups only.

Modifying Cookie Options in Chrome

Another approach is manually disabling Cookie options in Chrome as follows:

1. Open a new tab in Chrome.

2. In the address field, enter chrome://flags/. Cookie options appear.

3. Switch both cookie options from <Enabled> to <Disabled>.

The following operations systems have been tested with CxSAST / CxOSA v9.3.0:

* Windows Server Core is not supported

* The lowest supported version for Oracle is 8u241. For AdoptOpenJdk, it is 8u242.

.

The following operations systems have been tested with CxSAST / CxOSA v9.2.0:

* Windows Server Core is not supported

* The lowest supported version for Oracle is 8u241. For AdoptOpenJdk, it is 8u242.

The following SQL servers have been tested with CxSAST:

* AWS RDS can be used (see AWS RDS section in the Installing Checkmarx SAST guidelines).

* Azure Managed Instance DBaaS is supported from Checkmarx SAST 9.2.

** SQL Express not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.

The following SQL servers have been tested with Checkmarx SAST/OSA v9.0.0:

* AWS RDS can be used (see AWS RDS section in the Installing Checkmarx SAST guidelines).

* Azure Managed Instance DBaaS is supported from Checkmarx SAST 9.2.

** SQL Express not supported in production due to throughput and 10GB DB size limits imposed by Microsoft.

** For ideal performance we recommend applying MSSQL SP4 when working with MSSQL 2012

The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0

.