8.9.0 Release Updates
New Features and Changes
CxSAST (Application)
Category | Features |
---|---|
Dashboard Menu – Data Analysis | The existing Dashboard option (Data Analysis) has been moved from its original location on main dashboard to the Dashboard drop-down menu (Dashboard > Data Analysis). This option opens the Data Analysis screen. |
Dashboard Menu – Policy Management | A new button (Policy Management) has been added to the main dashboard menu. |
Dashboard Menu - Policy Management | Two new menu options (Policy Manager and Policy Violations) have been added to the main dashboard’s Policy Management drop-down menu (Policy Management > Policy Manager/Policy Violations). These options open the Policy Management screen and the Policy Violations screen according to the selected menu. |
New CxSAST Project – Policy Management | The Create New Project wizard (Project & Scan > Create New Project > General) has been updated to include the CxSAST Policy selection. The Policy drop-down select box provides the ability to select a predefined policy for a CxSAST project. Policies and policy rules are defined for CxSAST using the Policy Management interface. |
CxSAST Project Details – Policy Management | The General tab in project settings (Project & Scan > Projects > General) has been updated to include the CxSAST Policy selection. The Policy drop-down select box provides the ability to select a predefined policy for a CxSAST project. Policies and policy rules are defined for CxSAST using the Policy Management interface. |
Policy Management - Synchronize | A new policy synchronization indicator has been added to the Project Details screen. This option provides the capability to manually synchronize all scans for a specific project to the latest policy definition, thereby providing you with the most up-to-date policy status for your project. The 'Unsynced' status indicates that synchronization is required. Once synchronization is complete, the status changes to 'Synced' and the date and time of the last sync are displayed. |
Results Viewer – Export Scan Results (CSV) | The scan results file (CSV) that can be exported from the Results Viewer now includes the project name and date in its file name (e.g. Results_<ProjectName>_<YYYY/MM/DD>.csv). |
CxSAST Installer - M&O Layer SQL Server Configuration | For M&O Layer SQL server connectivity, both Dynamic and Static port configurations are now supported. |
CxSAST Installer - Upgrade with M&O | When performing an upgrade of CxSAST that includes Management and Orchestration, all manual changes made to the Tomcat server.xml file are reverted by the upgrade. The person performing the upgrade will need to recreate these changes manually. A copy of the previous file is kept in the Tomcat conf folder (e.g. C:\Program Files\Checkmarx\Checkmarx Risk Management\Tomcat\conf\) for manual comparison. The backed-up server.xml file is named in the following format: serveryyyy.MM.dd.HH.mm.ss.xml (e.g. server2019.03.13.13.56.01.xml). |
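As an added illustration (not Checkmarx code), the following Python helper selects the newest server.xml backup using the file-name format above and diffs it against the freshly installed file, so the reverted manual edits can be identified and re-applied; the directory listing and XML fragments are constructed sample data.

```python
import difflib
import re
from datetime import datetime
from typing import Iterable, List, Optional

# Backup naming format stated in the release notes: serveryyyy.MM.dd.HH.mm.ss.xml
_BACKUP_RE = re.compile(r"^server(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})\.(\d{2})\.(\d{2})\.xml$")


def backup_timestamp(name: str) -> Optional[datetime]:
    """Timestamp encoded in a backup file name, or None if the name is not a valid backup."""
    m = _BACKUP_RE.match(name)
    if not m:
        return None
    try:
        return datetime(*(int(g) for g in m.groups()))
    except ValueError:  # e.g. month 13: matches the pattern but is not a real date
        return None


def latest_backup(names: Iterable[str]) -> Optional[str]:
    """Most recent backup by its encoded timestamp, not by directory listing order."""
    dated = []
    for n in names:
        ts = backup_timestamp(n)
        if ts is not None:
            dated.append((ts, n))
    return max(dated)[1] if dated else None


def config_diff(backup_xml: str, current_xml: str) -> List[str]:
    """Unified diff of the pre-upgrade backup against the newly installed server.xml.
    '-' lines existed only in the backup: those are the manual edits (ports, TLS
    connectors, keystore paths) the upgrade reverted and that must be re-applied."""
    diff = difflib.unified_diff(
        backup_xml.splitlines(keepends=True), current_xml.splitlines(keepends=True),
        fromfile="backup", tofile="current",
    )
    return [line.rstrip("\n") for line in diff]


# Constructed sample data: a conf\ directory listing and two minimal Connector elements.
SAMPLE_DIR = ["server.xml", "server2019.01.02.09.00.00.xml", "server2019.03.13.13.56.01.xml",
              "server2019.13.01.00.00.00.xml", "web.xml"]
SAMPLE_BACKUP = '<Connector port="8443" SSLEnabled="true" keystoreFile="C:/certs/cx.jks"/>\n'
SAMPLE_CURRENT = '<Connector port="8080"/>\n'

if __name__ == "__main__":
    print("newest backup:", latest_backup(SAMPLE_DIR))
    print("\n".join(config_diff(SAMPLE_BACKUP, SAMPLE_CURRENT)))
```

On a real server, replace the constructed listing with os.listdir() of the conf folder and read the two files from disk; review every '-' line in the diff before editing the new server.xml.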
CxOSA (Application)
Category | Features |
---|---|
Dashboard Menu - CxOSA Settings | A new settings menu option (OSA Settings) has been added to the main dashboard’s Management drop-down menu (Management > Application Settings > OSA Settings). This option opens the new OSA Settings screen in the CxOSA Viewer. |
CxOSA Viewer – Menu Icon | A new menu icon (OSA Settings) has been added to the menu bar in the CxOSA Viewer. This option opens the new CxOSA Settings screen. |
CxSAST General Settings - CxOSA Settings | The CxOSA Settings panel has been removed from the CxSAST General Settings (Management > Application Settings > General) and has been relocated to its own menu item. (Management > Application Settings > OSA Settings). |
CxOSA Project Details – Resolve Nuget/Python Dependencies | A new option (Resolve Nuget/Python dependencies) has been added to the OSA tab in the Project Details panel (Projects & Scans > Projects > {Project #} > OSA). Once enabled, this option resolves dependencies by running the install command for .NET Nuget/Python before the CxOSA scan is performed. |
CxOSA Project Details – Policy Management | The OSA Policy drop-down selection box has been removed from the CxOSA properties in the Projects screen (Projects & Scans > Projects > OSA tab) and has been relocated to the General tab. |
CxOSA Viewer – Scan Status | A new indicator (CxOSA scan in progress) has been added to the top bar in the CxOSA Viewer. This indicator notifies you about one or more CxOSA scans in progress for a specific project. |
CxOSA Viewer - CxOSA Settings | The CxOSA Settings screen has been linked to the CxOSA Viewer and can be opened from the main dashboard’s Management drop-down menu (Management > Application Settings > OSA Settings), or from the OSA Settings menu icon in the CxOSA Viewer. |
CxOSA Viewer – CxOSA Settings | A new health check option (Test Connection) has been added to the CxOSA Settings screen in the CxOSA Viewer. This option enables you to perform a connection/validation test for the following CxOSA components: Each tested component indicates either a successful or a failed connection/validation. |
CxOSA Viewer – Project Vulnerabilities | Vulnerable libraries displayed in the Project Vulnerabilities page are now automatically sorted by vulnerability severity/score. This new sorting method also includes vulnerable libraries that have been defined as 'Not Exploitable'. |
CxOSA Viewer and Report | A number of textual changes have been incorporated into the CxOSA Viewer and CxOSA Report: |
CxAudit
Category | Features |
---|---|
CxAudit - Workspace | A new look and feel has been introduced to the CxAudit Workspace. The new CxAudit Workspace provides the following: |
Management and Orchestration
Category | Features |
---|---|
Unified Policy Management | Unified Policy management has been included in this new version, which includes the new Violations dashboard. Unified Policy management now allows you to define policies that apply to CxSAST and CxOSA (with new rule types for CxSAST - 'Vulnerability' and 'Risk Score' - as well as respective new conditions & values), assign multiple policies to projects, and review and track policy violations via the dedicated violations dashboard. |
Policy Violations Dashboard | The Policy Violations Dashboard provides the ability to track policy violations per project, and now supports: |
Policy Management API - New Functionality | New functionality has been added to the API set in the latest Policy Management API library version. |
Integration & Plugins
Additional information on current plugins is available here.
Category | Features |
---|---|
IntelliJ Plugin | The IntelliJ Plugin Change log has moved to a new location. |
Azure DevOps (MS-VSTS) Plugin | The Azure DevOps (MS-VSTS) Plugin Change log has moved to a new location. |
Eclipse Plugin | The Eclipse Plugin Change log has moved to a new location. |
Visual Studio Plugin | The Visual Studio Plugin Change log has moved to a new location. |
All Common Checkmarx Plugins - End User License Agreement (EULA) | If the EULA was not already accepted during the CxSAST/CxOSA installation and setup, it must be accepted in the CxSAST / CxOSA web interface before a CxOSA scan can be performed from within a plugin. In all Checkmarx plugins the following message is raised: 'In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface.' Note that you are unable to start using CxOSA until the end user license agreement (EULA) has been viewed and accepted. |
All Common Checkmarx (CxOSA) Plugins – Policy Violation Enforcement | A new parameter (Enable project's OSA policy enforcement) has been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.), making it possible to break the build when a CxOSA policy is violated. When a build fails on OSA policy violations, the policy violations report displays the names of the libraries that violated the policy together with the respective policy names and rules that were violated. |
All Common Checkmarx(CxOSA) Plugins – Execute Dependencies | Two new parameters (Install Nuget and Python packages) have been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.) enabling the retrieval of all Nuget and Python dependencies before starting the OSA scan. The Checkmarx plugin parameter text has also been updated from ‘Execute NPM and Bower install packages command before Scan’ to ‘Execute dependency managers "install packages" command before Scan’. |
All Common Checkmarx Plugins – Checkmarx Report | A textual change has been implemented in the status bar at the top of the Checkmarx Report for all common plugins (Jenkins, TeamCity, Bamboo, etc.) when a scan fails. Instead of 'Checkmarx Scan Failed', a 'Checkmarx scan found the following issues' header is displayed with a summarized list of the issues found (e.g. 4 Policies Violated, Exceeded CxSAST Vulnerability Threshold). For CxOSA, the library icons ("vulnerable & outdated libraries" and "no known vulnerability libraries") have been removed from the UI, and the text "<number> Policy Violated Libraries" is displayed instead. If the build failed on CxOSA policy violations, a new section in the report shows the names of the libraries that violated the policy, along with the respective policy names and rules that were violated. |
All Common Checkmarx Plugins – Folder Exclusion | The 'node_modules' folder is now automatically added to the Folder Exclusion list by default for all common plugins (Jenkins, TeamCity, Bamboo, etc.) and for all new CxSAST installations (v8.9.0 and up). For CxSAST upgrades, this setting must be added manually. |
Checkmarx CLI Plugin (CxOSA) – Execute Dependencies | Two new options (Install Nuget and Python packages) have been added to this version of the Checkmarx CLI plugin, enabling the retrieval of all Nuget and Python dependencies before the OSA scan starts. The existing CLI parameter has also been renamed from '-executeNPMandBowerInstall' to '-executepackagedependency'. |
Checkmarx CLI Plugin (CxOSA) – Policy Violation Enforcement | A new parameter (-CheckPolicy) has been added to this version of all Checkmarx CLI plugins, making it possible to break the build when a CxOSA policy is violated. When a build fails on an OSA policy violation, the CLI returns error code/exit code 18 (Policy is Violated). |
Checkmarx-Maven Plugin Documentation –v8.7.0 and up | Documentation for the Checkmarx-Maven Plugin for v8.7.0 and up, has been restructured to better accommodate the maven user. |
Checkmarx TeamCity Plugin - CxOSA Scan without CxSAST Scan | With this new version of the Checkmarx TeamCity plugin for CxSAST/CxOSA, you can now run a CxOSA scan without first performing a CxSAST scan. |
CxAPI
Category | Features |
---|---|
SOAP API - SOAP to REST Mapping | A new page has been added to the SOAP API section in the Checkmarx Knowledge Center in order to summarize SOAP to REST API mapping. |
CxREST API - REST Summary | A new page has been added to the REST API section in the Checkmarx Knowledge Center in order to summarize the available REST APIs. |
CxREST API - Look & Feel | The CxREST API documentation structure in the Checkmarx Knowledge Center has been restructured in accordance with a request from professional services. All REST APIs now conform to the following structure: |
CxREST API - New Functionality | New functionality has been added to the API set in the latest CxREST API library version: CxSAST API - SAST Scan |
CxREST API - Updated Functionality | The following APIs have been updated in accordance with the latest CxREST API library version: CxOSA API - Open Source Analysis (CxOSA) |
CxREST API - Swagger | To access the Swagger environment navigate to: http://<ServerName>/cxrestapi/help/swagger/ui/index (e.g. http://localhost/cxrestapi/help/swagger/ui/index) |
CxEngine
Category | Features |
---|---|
Application Security | New GO queries: |
Languages/Frameworks | |
Content Pack | Content Packs are released regularly, and the aim is to improve the accuracy of the out-of-the-box findings. Refer to 8.9.0 Ruleset Content Packs for more information. |
Known Limitations
Category | Known Limitations |
---|---|
Federal Information Processing Standards (FIPS) Support | Support for FIPS in Version 8.9.0 is temporarily unavailable. |
Policy Management - Findings and Synchronization | If finding (result) attributes are changed during a review process (e.g. severity changed from High to Medium), a manual sync of the scan is required in order to view the updated policy violation status in Management and Orchestration. Links to the Management and Orchestration policy violations dashboards require login credentials; this is planned to be resolved in the next release. If a sync with Policy Management gets stuck in "syncing" mode for a certain project, a re-scan is required to release the state. If a sync process fails, a manual sync is needed: use the Sync button in the Policy Management tab of the Projects section to sync again. |
Jira Integration | The following custom Jira field types are no longer supported: |
Deployment – Distributed / M&O | For distributed environments, the Management and Orchestration can only be installed on the CxSAST Manager Server. |