New Features and Changes
...
Category | Features |
---|---|
Unified Policy Management | Unified Policy management has been included in this new version, which includes the new Violations dashboard. Unified Policy management now allows you to define policies that apply to CxSAST and CxOSA (with new rule types for CxSAST - 'Vulnerability' and 'Risk Score' - as well as respective new conditions & values), assign multiple policies to projects, and review and track policy violations via the dedicated violations dashboard. |
Policy Violations Dashboard | The Policy Violations Dashboard provides the ability to track policy violations per project, and now supports: |
Policy Management API - New Functionality | New functionality has been added to the latest version of the Policy Management API library. |
Integration & Plugins
Additional information on current plugins is available here.
Category | Features |
---|---|
IntelliJ Plugin | The IntelliJ Plugin Change log has moved to a new location. |
Azure DevOps (MS-VSTS) Plugin | The Azure DevOps (MS-VSTS) Plugin Change log has moved to a new location. |
Eclipse Plugin | The Eclipse Plugin Change log has moved to a new location. |
Visual Studio Plugin | The Visual Studio Plugin Change log has moved to a new location. |
All Common Checkmarx Plugins - End User License Agreement (EULA) | If not already accepted during the CxSAST/CxOSA installation and setup, the EULA must have been accepted in the CxSAST / CxOSA web interface before a CxOSA scan can be performed from within the plugin. In all Checkmarx plugins the following message is raised: ‘In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface.’ Note that you are unable to start using CxOSA unless the EULA has been viewed and accepted. |
All Common Checkmarx(CxOSA) Plugins – Policy Violation Enforcement | A new parameter (Enable project’s OSA policy enforcement) has been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.) enabling the ability to break the build in cases where a CxOSA Policy is violated. When a build fails on OSA policy violations, the policy violations report displays the names of the libraries that violated the policy with the respective policy names & rules violated. |
All Common Checkmarx(CxOSA) Plugins – Execute Dependencies | Two new parameters (Install Nuget and Python packages) have been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.) enabling the retrieval of all Nuget and Python dependencies before starting the OSA scan. The Checkmarx plugin parameter text has also been updated from ‘Execute NPM and Bower install packages command before Scan’ to ‘Execute dependency managers "install packages" command before Scan’. |
All Common Checkmarx Plugins – Checkmarx Report | A textual change has been implemented in the status bar at the top of the Checkmarx Report for all common plugins (Jenkins, TeamCity, Bamboo, etc.) when a scan has a failed status. Instead of ‘Checkmarx Scan Failed’, a ‘Checkmarx scan found the following issues’ header is displayed with a summarized list of the issues found (e.g. 4 Policies Violated, Exceeded CxSAST Vulnerability Threshold). For CxOSA, the icons for libraries (“vulnerable & outdated libraries” and “no known vulnerability libraries”) have been removed from the UI, and the text “<number> Policy Violated Libraries” is displayed for libraries. If the build failed on CxOSA policy violations, a new section in the report shows the names of the libraries that violated the policy, along with the respective policy names and rules that were violated. |
All Common Checkmarx Plugins – Folder Exclusion | The "node_modules" folder is now automatically added to the Folder Exclusion list by default for all common plugins (Jenkins, TeamCity, Bamboo, etc.) and for all new CxSAST installations (v8.9.0 and up). For CxSAST upgrades, this setting needs to be added manually. |
Checkmarx CLI Plugin (CxOSA) – Execute Dependencies | Two new options (Install Nuget and Python packages) have been added to this version of the Checkmarx CLI plugin enabling the retrieval of all Nuget and Python dependencies before starting the OSA scan. The existing CLI parameter has also been updated from ‘-executeNPMandBowerInstall’ to ‘-executepackagedependency’. |
Checkmarx CLI Plugin (CxOSA) – Policy Violation Enforcement | A new parameter (-CheckPolicy) has been added to this version of all Checkmarx CLI plugins, enabling the build to be broken when a CxOSA policy is violated. When a build fails on an OSA policy violation, the CLI returns error code/exit code 18 (Policy is Violated). |
Checkmarx-Maven Plugin Documentation – v8.7.0 and up | Documentation for the Checkmarx-Maven Plugin for v8.7.0 and up has been restructured to better accommodate Maven users. |
Checkmarx TeamCity Plugin - CxOSA Scan without CxSAST Scan | In this new version of the Checkmarx TeamCity plugin for CxSAST/CxOSA, you can now run a CxOSA scan without having to first perform a CxSAST scan. |
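As an added example (not Checkmarx's own code) of acting on the -CheckPolicy behaviour described in the CLI rows above: a POSIX shell wrapper for a CI step that runs the CLI scan, treats exit code 18 as a policy violation that breaks the build, and reports any other non-zero exit code as a scan error rather than a policy verdict. The CLI path, the OsaScan command and the connection flags in the trailing comment are assumed placeholders for your own installation.

```shell
#!/bin/sh
# Added example, not Checkmarx's own code. Wraps a Checkmarx CLI CxOSA scan run with
# -CheckPolicy so that a policy violation breaks the CI build with a clear message,
# while other non-zero exit codes are reported as scan errors, not as violations.
# Assumptions: the CLI path, the OsaScan command and the connection flags shown in
# the comment at the end are placeholders to adapt to your own installation.

CX_POLICY_VIOLATED=18   # exit code documented as "Policy is Violated"

# classify_cx_exit CODE: prints passed | policy_violated | scan_error
classify_cx_exit() {
    case "$1" in
        0) echo "passed" ;;
        "$CX_POLICY_VIOLATED") echo "policy_violated" ;;
        *) echo "scan_error" ;;
    esac
}

# run_cx_osa_scan CMD [ARGS...]: runs the scan command, stores the classification
# in CX_STATUS, logs a CI-friendly message and returns the CLI's exit code
# unchanged, so the CI job fails on both policy violations and scan errors.
run_cx_osa_scan() {
    "$@"
    rc=$?
    CX_STATUS=$(classify_cx_exit "$rc")
    case "$CX_STATUS" in
        passed)
            echo "CxOSA scan passed: no policy violated" ;;
        policy_violated)
            echo "BUILD BROKEN: CxOSA policy violated (exit $rc); see the policy violations report" >&2 ;;
        scan_error)
            echo "CxOSA scan did not complete (exit $rc); scan error, not a policy verdict" >&2 ;;
    esac
    return "$rc"
}

# Example CI invocation (assumed CLI syntax; adjust paths and credentials for your setup):
#   run_cx_osa_scan /opt/cx/runCxConsole.sh OsaScan -v -ProjectName "CxServer\MyProject" \
#       -CxServer "$CX_SERVER" -CxUser "$CX_USER" -CxPassword "$CX_PASS" \
#       -LocationType folder -LocationPath "$PWD" -executepackagedependency -CheckPolicy
```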
...
Category | Features |
---|---|
Application Security | New GO queries: |
Languages/Frameworks | |
Content Pack | Content Packs are released regularly, and the aim is to improve the accuracy of the out-of-the-box findings. Refer to 8.9.0 Ruleset Content Packs for more information. |
Known Limitations
Category | Known Limitations |
---|---|
Federal Information Processing Standards (FIPS) Support | Support for FIPS in Version 8.9.0 is temporarily unavailable. |
Policy Management - Findings and Synchronization | If finding (result) attributes change during a review process (e.g. severity changed from High to Medium), a manual sync of the scan is required in order to view the updated policy violation status in Management and Orchestration. Links to the Management and Orchestration policy violations dashboards require login credentials; this is planned to be resolved in the next release. If a sync with Policy Management gets stuck in "syncing" mode for a certain project, a re-scan is required to release the state. If a sync process fails, a manual sync is needed using the sync button in the Policy Management tab of the Projects section. |
Jira Integration | The following custom Jira field types are no longer supported: |
Deployment – Distributed / M&O | For distributed environments, the Management and Orchestration can only be installed on the CxSAST Manager Server. |
...