8.9.0 Release Updates

New Features and Changes

CxSAST (Application)

Dashboard Menu – Data Analysis

The existing Dashboard option (Data Analysis) has been moved from its original location on the main dashboard to the Dashboard drop-down menu (Dashboard > Data Analysis). This option opens the Data Analysis screen.

Dashboard Menu – Policy Management

A new button (Policy Management) has been added to the main dashboard menu.

Dashboard Menu - Policy Management

Two new menu options (Policy Manager and Policy Violations) have been added to the main dashboard’s Policy Management drop-down menu (Policy Management > Policy Manager/Policy Violations). These options open the Policy Management screen and the Policy Violations screen, respectively.

New CxSAST Project – Policy Management

The Create New Project wizard (Project & Scan > Create New Project > General) has been updated to include the CxSAST Policy selection. The Policy drop-down select box provides the ability to select a predefined policy for a CxSAST project. Policies and policy rules are defined for CxSAST using the Policy Management interface.

CxSAST Project Details – Policy Management

The General tab in project settings (Project & Scan > Projects > General) has been updated to include the CxSAST Policy selection. The Policy drop-down select box provides the ability to select a predefined policy for a CxSAST project. Policies and policy rules are defined for CxSAST using the Policy Management interface.

Policy Management - Synchronize

A new policy synchronization indicator has been added to the Project Details screen. This option provides the capability to manually synchronize all scans for a specific project to the latest policy definition, therefore providing you with the most updated policy status for your project. The ‘Unsynced’ status indicates that synchronization is required. Once synchronization is complete, the status changes to ‘Synced’ with the last sync date and time displayed.

Results Viewer – Export Scan Results (CSV)

The scan results file (CSV) that can be exported from the Results Viewer has been updated to include the project name and date (e.g. Results_<ProjectName>_<YYYY/MM/DD>.csv).

CxSAST Installer - M&O Layer SQL Server Configuration

For M&O Layer SQL server connectivity, both Dynamic and Static port configurations are now supported. 

CxSAST Installer - Upgrade with M&O

When performing an upgrade for CxSAST that includes Management and Orchestration, all manual changes made within the Tomcat server.xml file (see format below) will be reverted on upgrade. The person performing the upgrade will need to recreate these changes manually. A copy of the previous file is kept in the Tomcat conf folder (e.g. C:\Program Files\Checkmarx\Checkmarx Risk Management\Tomcat\conf\) for manual comparison.

The Tomcat server.xml file is backed up in the following format: serveryyyy.MM.dd.HH.mm.ss.xml (e.g. server2019.03.13.13.56.01.xml)
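As an added example (it is not Checkmarx code and not part of these release notes), the following Python script locates the newest server.xml backup in the Tomcat conf folder using the serveryyyy.MM.dd.HH.mm.ss.xml naming pattern quoted above, and prints a unified diff against the current server.xml so that the settings the upgrade reverted can be re-applied. It assumes the backup and the live file sit in the same folder (as in the example path above); the sample XML content used for the offline run is constructed and does not represent what the installer ships.

```python
"""Find the newest Tomcat server.xml backup left by a CxSAST/M&O upgrade and
diff it against the current server.xml.

Added example, not Checkmarx code. Assumes the backup naming from the release
notes: server<yyyy.MM.dd.HH.mm.ss>.xml (e.g. server2019.03.13.13.56.01.xml).
"""
import difflib
import re
from datetime import datetime
from pathlib import Path
from typing import Iterable, List, Optional

# Backup file name pattern from the release notes: server<yyyy.MM.dd.HH.mm.ss>.xml
BACKUP_RE = re.compile(r"^server(\d{4}\.\d{2}\.\d{2}\.\d{2}\.\d{2}\.\d{2})\.xml$",
                       re.IGNORECASE)
TS_FORMAT = "%Y.%m.%d.%H.%M.%S"


def backup_timestamp(filename: str) -> Optional[datetime]:
    """Return the timestamp encoded in a backup file name, or None when the name
    is not a backup (e.g. the live server.xml) or the digits are not a valid date."""
    m = BACKUP_RE.match(filename)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), TS_FORMAT)
    except ValueError:
        return None


def latest_backup(filenames: Iterable[str]) -> Optional[str]:
    """Pick the most recent backup by the timestamp in its name, not by file
    mtime, which a copy operation may have reset."""
    stamped = []
    for name in filenames:
        ts = backup_timestamp(name)
        if ts is not None:
            stamped.append((ts, name))
    if not stamped:
        return None
    return max(stamped)[1]


def reverted_changes(backup_xml: str, current_xml: str) -> List[str]:
    """Unified diff from the pre-upgrade backup to the current server.xml.
    '-' lines are settings the upgrade dropped; '+' lines are what replaced them."""
    return list(difflib.unified_diff(
        backup_xml.splitlines(), current_xml.splitlines(),
        fromfile="backup server.xml", tofile="current server.xml", lineterm=""))


def removed_settings(backup_xml: str, current_xml: str) -> List[str]:
    """Only the lines present in the backup but missing from the current file,
    i.e. the manual changes that have to be re-applied by hand."""
    return [line[1:] for line in reverted_changes(backup_xml, current_xml)
            if line.startswith("-") and not line.startswith("--- ")]


def report(conf_dir: Path) -> List[str]:
    """Run against a real Tomcat conf folder, e.g. the path in the release notes."""
    names = [p.name for p in conf_dir.iterdir() if p.is_file()]
    newest = latest_backup(names)
    if newest is None:
        return ["no server<timestamp>.xml backup found in " + str(conf_dir)]
    backup = (conf_dir / newest).read_text(encoding="utf-8")
    current = (conf_dir / "server.xml").read_text(encoding="utf-8")
    return reverted_changes(backup, current)


# Constructed sample input: a backup holding a manual TLS connector change that
# the upgrade replaced with a plain HTTP connector.
SAMPLE_BACKUP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslProtocol="TLSv1.2" />
  </Service>
</Server>"""
SAMPLE_CURRENT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with
    # report(Path(r"C:\Program Files\Checkmarx\Checkmarx Risk Management\Tomcat\conf"))
    # to run against a real installation.
    print("\n".join(reverted_changes(SAMPLE_BACKUP, SAMPLE_CURRENT)))
```

Selecting the backup by the timestamp embedded in its name rather than by file modification time matters because the copy made during the upgrade may not preserve the original timestamps, and several backups accumulate across repeated upgrades.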

CxOSA (Application)

Dashboard Menu - CxOSA Settings

A new settings menu option (OSA Settings) has been added to the main dashboard’s Management drop-down menu (Management > Application Settings > OSA Settings). This option opens the new OSA Settings screen in the CxOSA Viewer.

CxOSA Viewer – Menu Icon

A new menu icon (OSA Settings) has been added to the menu bar in the CxOSA Viewer. This option opens the new CxOSA Settings screen.

CxSAST General Settings - CxOSA Settings

The CxOSA Settings panel has been removed from the CxSAST General Settings (Management > Application Settings > General) and has been relocated to its own menu item. (Management > Application Settings > OSA Settings).

CxOSA Project Details – Resolve Nuget/Python Dependencies

A new option (Resolve Nuget/Python dependencies) has been added to the OSA tab in the Project Details panel (Projects & Scans > Projects > {Project #} > OSA). This new option, once enabled, provides the ability to resolve dependencies by initiating the install command for .NET Nuget/Python before performing the CxOSA scan.

CxOSA Project Details – Policy Management

The OSA Policy drop-down selection box has been removed from the CxOSA properties in the Projects screen (Projects & Scans > Projects > OSA tab) and has been relocated to the General tab.

CxOSA Viewer – Scan Status

A new indicator (CxOSA scan in progress) has been added to the top bar in the CxOSA Viewer. This indicator notifies you about one or more CxOSA scans in progress for a specific project.

CxOSA Viewer - CxOSA Settings

The CxOSA Settings screen has been linked to the CxOSA Viewer and can be opened from the main dashboard’s Management drop-down menu (Management > Application Settings > OSA Settings), or from the OSA Settings menu icon in the CxOSA Viewer.

CxOSA Viewer – CxOSA Settings

A new health check option (Test Connection) has been added to the CxOSA Settings screen in the CxOSA Viewer. This option enables you to perform a connection/validation test for the following CxOSA components:

  • Connect to CxProxy
  • Connect to CxOSA Engine
  • Validate Organizational Token
  • Connect to CxOSA Services

Each tested component will indicate either successful or failed connection/validation.

CxOSA Viewer – Project Vulnerabilities

Vulnerable libraries displayed in the Project Vulnerabilities page are now automatically sorted by vulnerability severity/score. This new sorting method also includes vulnerable libraries that have been defined as 'Not Exploitable'.

CxOSA Viewer and Report

A number of textual changes have been incorporated into the CxOSA Viewer and CxOSA Report:

  • CxOSA Viewer - ‘Undetected Libraries’ option text has been changed to ‘Unrecognized Libraries’.
  • CxOSA Report - ‘High-Medium Risk Licenses’ report text has been changed to ‘License at Legal Risk’.

CxAudit

CxAudit - Workspace

A new look and feel has been introduced to the CxAudit Workspace. The new CxAudit Workspace provides the following:

  • Ability to search for a project by project name
  • Projects listed according to latest scan
  • Scans sorted by scan date and time
  • Scan results summary
  • Improved performance on page load

Management and Orchestration

Unified Policy Management

Unified Policy management has been included in this new version, which includes the new Violations dashboard.

Unified Policy management now allows you to define policies that apply to CxSAST and CxOSA (with new rule types for CxSAST - 'Vulnerability' and 'Risk Score' - as well as respective new conditions & values), assign multiple policies to projects, and review and track policy violations via the dedicated violations dashboard.

Policy Violations Dashboard

The Policy Violations Dashboard provides the ability to track policy violations per project, and now supports:

  • Filter by Policy Name
  • Search by Project Name

Policy Management API - New Functionality

New functionality for the API set has been added to the latest Policy Management API library version.

  • Get All Projects (v1.0)
  • Create Violations Report for Project by Id (v1.0)
  • Get All Assigned Projects by Policy Id (v1.0)

Integration & Plugins 

Additional information on current plugins is available here.

IntelliJ Plugin

The IntelliJ Plugin Change log has moved to a new location.

Azure DevOps (MS-VSTS) Plugin

The Azure DevOps (MS-VSTS) Plugin Change log has moved to a new location.

Eclipse Plugin

The Eclipse Plugin Change log has moved to a new location.

Visual Studio Plugin

The Visual Studio Plugin Change log has moved to a new location.

All Common Checkmarx Plugins - End User License Agreement (EULA)

If not already accepted during the CxSAST/CxOSA installation and setup, the EULA must already have been accepted in the CxSAST / CxOSA Web interface before a CxOSA scan can be performed from within the plugin. In all Checkmarx plugins the following message is raised: ‘In order to start working with CxOSA, your CxSAST Administrator needs to accept the End User License Agreement (EULA) from the CxSAST / CxOSA web interface.’

Note that you are unable to start using CxOSA unless the end user license agreement (EULA) has been viewed and accepted.

All Common Checkmarx (CxOSA) Plugins – Policy Violation Enforcement

A new parameter (Enable project’s OSA policy enforcement) has been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.) enabling the ability to break the build in cases where a CxOSA Policy is violated.

When a build fails on OSA policy violations, the policy violations report displays the names of the libraries that violated the policy with the respective policy names & rules violated.

All Common Checkmarx (CxOSA) Plugins – Execute Dependencies

Two new parameters (Install Nuget and Python packages) have been added to this version of all Checkmarx common plugins (Jenkins, TeamCity, Bamboo, etc.) enabling the retrieval of all Nuget and Python dependencies before starting the OSA scan.

The Checkmarx plugin parameter text has also been updated from ‘Execute NPM and Bower install packages command before Scan’ to ‘Execute dependency managers "install packages" command before Scan’.

All Common Checkmarx Plugins – Checkmarx Report

A textual change has been implemented to the status bar at the top of Checkmarx Report for all common plugins (Jenkins, TeamCity, Bamboo, etc.) in cases of a failed scan status. Instead of ‘Checkmarx Scan Failed’, a ‘Checkmarx scan found the following issues’ header is displayed with a summarized list of the found issues (e.g. 4 Policies Violated, Exceeded CxSAST Vulnerability Threshold).

For CxOSA, the library icons (“vulnerable & outdated libraries” and “no known vulnerability libraries”) have been removed from the UI. Instead, the text “<number> Policy Violated Libraries” is displayed for libraries.

If the build failed on CxOSA policy violations, a new section in the report shows this data – the names of the libraries that violated the policy, along with their respective policy names and rules that were violated.

All Common Checkmarx Plugins – Folder Exclusion

The 'node_modules' folder is now automatically added to the Folder Exclusion list by default for all common plugins (Jenkins, TeamCity, Bamboo, etc.) and for all new CxSAST installations (v8.9.0 and up). For a CxSAST upgrade, this setting will need to be added manually.

Checkmarx CLI Plugin (CxOSA) – Execute Dependencies

Two new options (Install Nuget and Python packages) have been added to this version of the Checkmarx CLI plugin enabling the retrieval of all Nuget and Python dependencies before starting the OSA scan.

The existing CLI parameter has also been updated from ‘-executeNPMandBowerInstall’ to ‘-executepackagedependency’.

Checkmarx CLI Plugin (CxOSA) – Policy Violation Enforcement 

A new parameter (-CheckPolicy) has been added to this version of all Checkmarx CLI plugins enabling the ability to break the build in cases where a CxOSA Policy is violated.

When a build fails on an OSA policy violation, the CLI returns exit code 18 (Policy is Violated).

Checkmarx-Maven Plugin Documentation v8.7.0 and up

Documentation for the Checkmarx-Maven Plugin for v8.7.0 and up has been restructured to better accommodate the Maven user.

Checkmarx TeamCity Plugin - CxOSA Scan without CxSAST Scan

For this new version of the Checkmarx TeamCity plugin for CxSAST/CxOSA, you can now run a CxOSA scan without having to first perform a CxSAST scan.

CxAPI

SOAP API - SOAP to REST Mapping

A new page has been added to the SOAP API section in the Checkmarx Knowledge Center in order to summarize SOAP to REST API mapping.

CxREST API - REST Summary

A new page has been added to the REST API section in the Checkmarx Knowledge Center in order to summarize the available REST APIs.

CxREST API - Look & Feel

CxREST API documentation structure in the Checkmarx Knowledge Center has been restructured in accordance with a request from professional services.

All REST APIs now conform to the following structure:

  • Login
  • Projects
  • SAST Scans
  • SAST Scan Results
  • SAST Scan Reports
  • Engines
  • Managing Users
  • Data Retention
  • Open Source Analysis (CxOSA)

CxREST API - New Functionality

New functionality for the API set has been added to the latest CxREST API library version:

CxSAST API - SAST Scan

  • Get Data Retention Request Status (v1.1)
  • Publish Last Scan Results to Management and Orchestration by Project Id (v1.0)
  • Get the Publish Last Scan Results to Management and Orchestration Status (v1.0)

CxREST API - Updated Functionality

The following APIs have been updated in accordance with the latest CxREST API library version:

CxOSA API - Open Source Analysis (CxOSA)

  • Get OSA Scan Libraries (v2.0)

CxREST API - Swagger

To access the Swagger environment, navigate to: http://<ServerName>/cxrestapi/help/swagger/ui/index (e.g. http://localhost/cxrestapi/help/swagger/ui/index)

CxEngine

Application Security

New GO queries:

  • Hardcoded_Password_in_Connection_String
  • Use_of_Hardcoded_Password
  • Race_Condition_In_Cross_Functionality

Languages/Frameworks

  • Kotlin 1.2 support
  • Lightning
  • JAVA - Spring Boot framework support
  • Apex - Lightning framework support
  • Ruby - Support to yield statement
  • PHP 7 support
  • Java 9 support
  • C++ parsing and queries improvements
  • Major improvements in VB.NET
    • Added support for interpolated strings
    • Added support for "AddressOf" 
    • Added support for AddHandler, RemoveHandler and RaiseEvent 
    • Added support for generics 
    • Improved support for arrays and literals
    • Improved support for lambda expressions 
    • Improved support for Linq 
    • Improved support for anonymous types
Content Pack

Content Packs are released regularly, and the aim is to improve the accuracy of the out-of-the-box findings. Refer to 8.9.0 Ruleset Content Packs for more information.

Known Limitations

Federal Information Processing Standards (FIPS) Support

Support for FIPS in Version 8.9.0 is temporarily unavailable.

Policy Management - Findings and Synchronization

If findings (results) attributes changed during a review process (e.g. severity changed from High to Medium) a manual sync of the scan is required in order to view updated policy violations status in management and orchestration.

Links to Management and Orchestration policy violations dashboards require login credentials; this is planned to be resolved in the next release.

If a Sync with policy management gets stuck in "syncing" mode for a certain project, a re-scan is required to release the state.

If a sync process fails, a manual sync action is needed to sync again using the sync button in the policy management tab in the projects section.

Jira Integration

The following custom Jira field types are no longer supported:

  • Select List (Cascading)
  • Select List (Multiple choices)
  • Number Field
  • Epic Link
Deployment – Distributed / M&O

For distributed environments, Management and Orchestration can only be installed on the CxSAST Manager Server.