New Features and Changes

...

Unified Policy Management

Unified Policy management has been included in this new version, which includes the new Violations dashboard.

Unified Policy management now allows you to define policies that apply to both CxSAST and CxOSA (with two new rule types for CxSAST, 'Vulnerability' and 'Risk Score', and their respective new conditions and values), assign multiple policies to a project, and review and track policy violations via the dedicated Violations dashboard.

Policy Violations Dashboard

The Policy Violations Dashboard provides the ability to track policy violations per project, and now supports:

  • Filter by Policy Name
  • Search by Project Name

Policy Management API - New Functionality

The following functionality has been added to the latest Policy Management API library version:

  • Get All Projects (v1.0)
  • Create Violations Report for Project by Id (v1.0)
  • Get All Assigned Projects by Policy Id (v1.0)

Integration & Plugins

Additional information on current plugins is available here.

IntelliJ Plugin

The IntelliJ Plugin Change log has moved to a new location.

Azure DevOps (MS-VSTS) Plugin

The Azure DevOps (MS-VSTS) Plugin Change log has moved to a new location.

Eclipse Plugin

The Eclipse Plugin Change log has moved to a new location.

Visual Studio Plugin

The Visual Studio Plugin Change log has moved to a new location.

All Common Checkmarx Plugins - End User License Agreement (EULA)

To perform a CxOSA scan from within a plugin, the EULA must already have been accepted in the CxSAST / CxOSA web interface (if it was not accepted during CxSAST/CxOSA installation and setup). Until then, all Checkmarx plugins raise the following message: ‘In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface.’

Note that you cannot start using CxOSA unless the End User License Agreement (EULA) has been viewed and accepted.

All Common Checkmarx (CxOSA) Plugins – Policy Violation Enforcement

A new parameter (Enable project’s OSA policy enforcement) has been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.). When enabled, the build is broken whenever a CxOSA policy is violated.

When a build fails on OSA policy violations, the policy violations report displays the names of the libraries that violated the policy with the respective policy names & rules violated.

All Common Checkmarx (CxOSA) Plugins – Execute Dependencies

Two new parameters (Install Nuget packages and Install Python packages) have been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.), enabling the retrieval of all Nuget and Python dependencies before the OSA scan starts.

The Checkmarx plugin parameter text has also been updated from ‘Execute NPM and Bower install packages command before Scan’ to ‘Execute dependency managers "install packages" command before Scan’.

All Common Checkmarx Plugins – Checkmarx Report

A textual change has been implemented to the status bar at the top of Checkmarx Report for all common plugins (Jenkins, TeamCity, Bamboo, etc.) in cases of a failed scan status. Instead of ‘Checkmarx Scan Failed’, a ‘Checkmarx scan found the following issues’ header is displayed with a summarized list of the found issues (e.g. 4 Policies Violated, Exceeded CxSAST Vulnerability Threshold).

For CxOSA, the library icons (“vulnerable & outdated libraries” and “no known vulnerability libraries”) have been removed from the UI. Instead, the text “<number> Policy Violated Libraries” is displayed for libraries.

If the build failed on CxOSA policy violations, a new section in the report shows this data – the names of the libraries that violated the policy, along with their respective policy names and rules that were violated.

All Common Checkmarx Plugins – Folder Exclusion

The "node_modules" folder is now automatically added to the Folder Exclusion list by default for all common plugins (Jenkins, TeamCity, Bamboo, etc.) and for all new CxSAST installations (v8.9.0 and up). For CxSAST upgrades, this setting must be added manually.

Checkmarx CLI Plugin (CxOSA) – Execute Dependencies

Two new options (Install Nuget packages and Install Python packages) have been added to this version of the Checkmarx CLI plugin, enabling the retrieval of all Nuget and Python dependencies before the OSA scan starts.

The existing CLI parameter has also been updated from ‘-executeNPMandBowerInstall’ to ‘-executepackagedependency’.

Checkmarx CLI Plugin (CxOSA) – Policy Violation Enforcement

A new parameter (-CheckPolicy) has been added to this version of the Checkmarx CLI plugin. When it is set, the build is broken whenever a CxOSA policy is violated.

When a build fails on an OSA policy violation, the CLI returns error code/exit code 18 (Policy is Violated).
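The release notes only state that a violated policy surfaces as exit code 18. The following added example (not Checkmarx code) shows how a CI step would consume that contract: it runs whatever scan command it is given (in real use, the CLI invoked with -CheckPolicy) and distinguishes a genuine policy violation from a scan that failed for another reason, so that the two are reported and triaged differently. The CLI command itself is a placeholder, and the return codes 1 and 2 for the two failure classes are this wrapper's own convention, not the CLI's.

```shell
#!/bin/sh
# Added example (not Checkmarx code): a CI gate around a Checkmarx CLI scan.
# Assumption from the 8.9.0 release notes: exit code 18 means "Policy is Violated".
# Any other non-zero exit code is treated as "the scan did not complete", which
# must also stop the build, but should not be reported as a policy failure.

CX_EXIT_POLICY_VIOLATED=18

# cx_verdict EXIT_CODE -> prints one of: pass | policy-violated | scan-error
cx_verdict() {
  case "$1" in
    0) echo "pass" ;;
    "$CX_EXIT_POLICY_VIOLATED") echo "policy-violated" ;;
    *) echo "scan-error" ;;
  esac
}

# run_cx_gate COMMAND [ARGS...]
# Runs the scan command, prints a one-line verdict and returns (wrapper's own codes):
#   0  scan passed
#   1  a CxOSA policy was violated (break the build; point at the violations report)
#   2  the scan itself failed (break the build; this is a pipeline problem, not a finding)
run_cx_gate() {
  cx_rc=0
  "$@" || cx_rc=$?          # capture the exit code without tripping 'set -e'
  case "$(cx_verdict "$cx_rc")" in
    pass)
      echo "Checkmarx scan passed (exit code $cx_rc)"
      return 0 ;;
    policy-violated)
      echo "Build broken: CxOSA policy violated (exit code $cx_rc); see the policy violations report"
      return 1 ;;
    *)
      echo "Build broken: scan did not complete (exit code $cx_rc)"
      return 2 ;;
  esac
}

# Usage in a CI step (placeholder command; substitute the real CLI invocation):
#   run_cx_gate "$CX_CLI_COMMAND" <scan arguments> -CheckPolicy
```

Keeping the policy verdict separate from scan errors matters for triage: a network failure or a missing EULA acceptance (see the plugin note above) should page the pipeline owner, while exit code 18 should route the developer to the violations report.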

Checkmarx-Maven Plugin Documentation v8.7.0 and up

Documentation for the Checkmarx-Maven Plugin for v8.7.0 and up has been restructured to better accommodate the Maven user.

Checkmarx TeamCity Plugin - CxOSA Scan without CxSAST Scan

With this version of the Checkmarx TeamCity plugin for CxSAST/CxOSA, you can run a CxOSA scan without first performing a CxSAST scan.

...

Application Security

New GO queries:

  • Hardcoded_Password_in_Connection_String
  • Use_of_Hardcoded_Password
  • Race_Condition_In_Cross_Functionality

Languages/Frameworks

  • Kotlin 1.2 support
  • Lightning
  • JAVA - Spring Boot framework support
  • Apex - Lightning framework support
  • Ruby - Support for the yield statement
  • PHP 7 support
  • Java 9 support
  • C++ parsing and queries improvements
  • Major improvements in VB.NET
    • Added support for interpolated strings
    • Added support for "AddressOf"
    • Added support for AddHandler, RemoveHandler and RaiseEvent
    • Added support for generics
    • Improved support for arrays and literals
    • Improved support for lambda expressions
    • Improved support for Linq
    • Improved support for anonymous types

Content Pack

Content Packs are released regularly, and the aim is to improve the accuracy of the out-of-the-box findings. Refer to 8.9.0 Ruleset Content Packs for more information.

Known Limitations

Federal Information Processing Standards (FIPS) Support

Support for FIPS in Version 8.9.0 is temporarily unavailable.

Policy Management - Findings and Synchronization

If finding (result) attributes are changed during a review process (e.g. severity changed from High to Medium), a manual sync of the scan is required in order to view the updated policy violation status in Management and Orchestration.

Links to the Management and Orchestration policy violations dashboards require login credentials; this is planned to be resolved in the next release.

If a sync with policy management gets stuck in "syncing" mode for a certain project, a re-scan is required to release the state.

If a sync process fails, a manual sync is needed: use the sync button in the Policy Management tab of the Projects section to sync again.

Jira Integration

The following custom Jira field types are no longer supported:

  • Select List (Cascading)
  • Select List (Multiple choices)
  • Number Field
  • Epic Link
Deployment – Distributed / M&O

For distributed environments, Management and Orchestration can only be installed on the CxSAST Manager Server.

...