8.9.0 Hotfixes

Fixed an issue that caused postponed scans to fail. 

Fixed issues that caused scan folders of current scans to be deleted.

Important security issues of private tokens have been fixed. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates

Important security fixes have been implemented. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates.

Fixed an issue that prevented scan results to be sent to valid email addresses that were listed after an invalid email address. 

If the Excluded Files string included a prefix with **, for example Test**, the folder names starting with that prefix, for example folders named Test1 and Test2, were excluded from the scan.

It is not possible to edit the Exclude Files/Folders string in the user interface, if it includes **. This string will be deleted from the user interface.

HF22

Improved BitBucket GiT Repository integration when using private keys.

A new mechanism has been introduced to abort scans when the system gets low on memory in an effort to avoid the engine to jam. The configuration keys are the following:

WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY (default: false – disabled)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT max limit of used memory to abort (default: 96%)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB minimum free memory in System to start check the condition MAX_USAGE_PERCENT (default: 1024 Mb)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER key to prevent scan abort on single memory peek – Low-Memory should persist number of times continuously (default: 5 times)

A new mechanism has been introduced to abort file parsing when the system gets low on memory. To activate and configure it, use the following configuration keys:

ABORT_FILE_PARSING_ON_LOW_MEMORY (default: false - disabled)
MEMORY_WATCHDOG_MAX_USAGE_PERCENT (default: 95%)
MEMORY_WATCHDOG_MIN_AVAIL_MB (default: 2048Mb)
MEMORY_WATCHDOG_COUNTER (default: 5)

Consult with your technical contact or support before enabling this configuration as it may result in inconsistent results for some scans.

HF20

The automatic comment logic for No Code Changes scans has been improved to include a user comment (if one was entered) to the automatic No Change comment.

Scans are now marked final only after completing the internal processing of the received result.

Fixed a connection issue to the Git repository when creating a new project if the repository path contains the string -b.

Fixed an issue where exporting scan results to a CSV file failed in some cases.

The max. number of results per query can now be defined using the key in the MAX_NUMBER_OF_RESULTS engine as follows:

• To allow results without limitations, use the default key setting (“-1”).
• To define a max. number of results, set the key to that number. For example, to limit the number of results to 100 per query, the key must be set to “100”.

Upgraded to the new ActiveMQ version.

Fix for Global includes on Macro JSON files for Linux environments.

HF14

Fixed the case where a length of a specific field in CxOSA risk report exceeds a predefined number.

In some cases the result viewer does not display the query name after upgrading to version 8.9.

HF13

Fix for when Results Viewer doesn’t display results when results similarity ID is configured per project (‘RESULT_ATTRIBUTES_PER_SIMILARITY’ flag is set to ‘false’).

Align SimilarityID calculation for XML reports between Portal (REST) and SOAP API.

Improve oData API support for cases when DB password includes special characters.

Added Kotlin language support for client side only. Note that, to enable it, please contact support as a beta Ruleset Content Pack needs to be installed.

Fixed parsing issue in the support for use of keywords in PLSQL.

HF11

Fixed plugin authentication concurrency issue.

Improved the performance of the update scan statistics process.

Added the ability to switch on/off the automatic “best fix location” statistics calculation in case of performance issues.

Improved the performance of the “best fix location” statistics calculation..

Fixed issue where the “best fix location” internal calculation caused locks in the DB.

Improved support for setting GIT repository definitions via CxSAST REST API.

Fixed an issue with LDAP user Synchronization that occurred due to case sensitive mismatch between the LDAP team and group properties.

Fixed the issue with filtering out the backslash in case sources are located under a root directory.

Fixed a Post-scan-action issue where changing an email address resulted in sending multiple emails.

Fixed a SimilarityID inconsistency between the Portal and SOAP API.

GIT ssl url now supports hyphens.

Fixed a UI issue that concealed the pre/post action buttons in the Portal UI.

Fixed an issue with login-in via swagger. Login via swagger failed due to issue with cookie security.

Added the version number to the ‘Inventory Libraries’ section in the CxOSA report.

HF10

Fixed issue causing an inconsistency on XPathProvider and CxList for JavaScript.

Fixed issue with Apex Visual Force not displaying the correct location of the result.

Fixed some flow issues in Ruby.

Fixed issue in the scan that was not able to exit in case of failure.

[Python] – Improvements in finding flows and definitions when using “self”.

[Python] – Improvements in finding flows between param of function def and its internal use.

Query description and sample code improvements in Japanese and Chinese.

Added an option to the REST-API to allow to force a full scan without code changes.

Application security improvements for handling GIT access tokens.

Fixed potential XSS and Cookie handling vulnerabilities.

Fix an issue that caused results to be saved multiple times in case of a database timeout.

OSA – Fixed issue in the unzipping mechanism when a user tries to scan a ZIP file on local drive.

Improved M&O performance, utilizing Tomcat.

Fix for Policy Manager upgrade and complex environments installation.

By default calls to the garbage collection are enabled in order to improve engine performance (e.g. to free up memory). Disabling this option was added to this hotfix for multi-core systems (e.g. to avoid time consuming manual calls on systems with a lot of RAM). To do this, the Engine configuration key ‘MANUAL_CALL_GC_COLLECT’ can be set to ‘false’.

Fix was implemented for when an incremental scan is reverted into a full scan due to a threshold limit, the scan now becomes the new baseline (which is used to check % of changes in any succeeding incremental scan). This is now presented in CxSAST as a full scan.

Fix for a security vulnerability.

Fix for issues with export users and team to CSV.

Fix for inaccurate scan details for scans with no code changes.

Fix for temporary files accumulating on the disk.

Updates to Vulnerability descriptions in Chinese.

Improved flow support for member accesses in PHP.

Improved support for variable declarations at class level on Ruby.

PHP - Fix for FP result.

Fix for OSA scan failure in extreme cases when uploading ZIP file in High Availability deployments.

Fixed OSA scan failures on PHP and GO file extensions.

Fix for SAST scan failures in Kotlin projects.

Fix for OSA when scanning latest NPM version.

Added UI indication on the package manager for each open source library found.

Added a feature flag to merge NOT_EXPLOITABLE results to Incremental scans from previous full scan.

To activate this feature, go to CxDB, table CxComponentConfiguration,and set the value of key INCREMENTAL_SCAN_MERGE_NOT_EXPLOITABLE_RESULTS to be true.