8.9.0 Hotfixes
Installation Notes
- Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
- The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
Resolved Issues and Changes
| Category | Resolved Issues |
|---|---|
| HF32 | Log information has been added to the audit trail for cases in which a team has been created or deleted, or in which users have been deleted as a result of deleting a team. |
| | Fixed an issue that broke the link to the Git integration if the word 'git' was part of the URL. |

| Category | Resolved Issues |
|---|---|
| HF31 | Apache Tomcat has been upgraded to version 8.5.57. |

| Category | Resolved Issues |
|---|---|
| HF30 | Fixed an issue that caused SOAP to receive empty results. |
| | Fixed an issue that caused postponed scans to fail. |

| Category | Resolved Issues |
|---|---|
| HF29 | Fixed issues that caused the source file folder of failed scans to remain on disk even though data retention is expected to delete it. |
| | Fixed issues that caused the scan folders of currently running scans to be deleted. |
| | Various improvements have been implemented for ASP Find_Interactive_Inputs coverage. |
| | Various improvements have been implemented for JavaScript (v2) parsing of "async" functions. |
| | Various improvements have been implemented for COBOL parsing and execution timeouts. |

| Category | Resolved Issues |
|---|---|
| HF28 | Fixed cases in CxAudit where some projects could not be sorted and were removed from the project list. |
| | Important security issues relating to private tokens have been fixed. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates |
| | Log information has been added to the audit trail for cases in which users are deleted as a result of deleting a team. |
| | SAML: user email addresses are now case-sensitive. |
| | The performance of the database has been improved. |

| Category | Resolved Issues |
|---|---|
| HF27 | The performance of the scan reports list in the user interface has been improved. |
| | Fixed an issue that prevented users from logging into CxAudit after the session timed out. |
| | Fixed an issue that prevented data retention from deleting failed scans from the file system and database. |
| | Fixed an issue that prevented source files from being deleted after the scans had been canceled. |
| | Important security fixes have been implemented. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates. |
| | Fixed an issue that prevented scan results from being sent to valid email addresses that were listed after an invalid email address. |
| | The scalability of the CxEngine has been improved. |
| | An audit trail has been added for API actions on projects that were previously not audited. |
| | Fixed cases where the "Full Scan" button did not appear in the user interface. |

| Category | Resolved Issues |
|---|---|
| HF26 | The scan algorithm has been optimized to improve scan speed. |
| | Fixed an issue that caused users to be logged off from CxAudit. |
| | Added improvements to COBOL support. This configuration requires CP 96, which is available upon request. |
| | Fixed an issue, introduced by a previous hotfix, that prevented C# projects from running. |

| Category | Resolved Issues |
|---|---|
| HF25 | All scan times and dates have been aligned in the Project State screen. |
| | Fixed a user name sync issue that led to a mismatch between the user interface and the database when the user name was changed manually in the database. |
| | Fixed an issue that caused scans to fail immediately because of unsaved pre-scan processes. |
| | Improved the error message returned when a SAML user does not have permission to log in. |
| | Added a configuration option for encrypting user names in the logs. |
| | Fixed an issue that caused the CxARM logs to grow excessively, leading to low system memory. |

| Category | Resolved Issues |
|---|---|
| HF24 | If the Excluded Files string included a prefix followed by `**`, for example `Test**`, folders whose names started with that prefix, for example `Test1` and `Test2`, were excluded from the scan. |
| | Known Limitation: it is not possible to edit the Exclude Files/Folders string in the user interface if it includes `**`. Such a string is deleted from the user interface. |

| Category | Resolved Issues |
|---|---|
| HF23 | Repackaged and improved the installation. |

| Category | Resolved Issues |
|---|---|
| HF22 | Improved Bitbucket Git repository integration when using private keys. |
| | Fixed the API for connecting to Bitbucket. |
| | Fixed the toolbar button functionality for initiating a full or incremental scan on the View Project Scan page. |
| | The SAST tab editor stopped responding if an illegal string was entered. |
| | Unicode encoding support has been added for Jira integrations. |
| | When submitting a scan result to Jira Cloud, the submission failed if the Reporter field was mandatory. |

| Category | Resolved Issues |
|---|---|
| HF21 | The Reflected_XSS query for Apex has been improved. |
| | A new mechanism has been introduced to abort scans when the system runs low on memory, to prevent the engine from jamming. It is controlled by the configuration key WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY (default: false, disabled). |
| | A new mechanism has been introduced to abort file parsing when the system runs low on memory. To activate and configure it, use the configuration key ABORT_FILE_PARSING_ON_LOW_MEMORY (default: false, disabled). |

| Category | Resolved Issues |
|---|---|
| HF20 | The automatic comment logic for No Code Changes scans has been improved to include the user comment (if one was entered) in the automatic No Change comment. |
| | Scans are now marked as final only after the internal processing of the received result has completed. |
| | Fixed a connection issue to the Git repository when creating a new project whose repository path contains the string -b. |
| | Fixed an issue where exporting scan results to a CSV file failed in some cases. |
| | Enabled Jira to handle large JSON files. |
| | CxOSA detected fewer libraries when scanning a project with a complex structure. |
| | Fixed cases in which the scan manager stopped responding and was unable to process additional scans because of a problematic file. |

| Category | Resolved Issues |
|---|---|
| HF19 | This hotfix includes multiple fixes to improve the overall user experience in the 'All Projects', 'Project' and 'All Scans' areas. |
| | When using a tag in Git, the scan failed to clone. |

| Category | Resolved Issues |
|---|---|
| HF18 | The maximum number of results per query can now be defined using the MAX_NUMBER_OF_RESULTS engine configuration key, as follows: |

| Category | Resolved Issues |
|---|---|
| HF17 | The Java Runtime Environment was replaced with OpenJDK 8u242 in the installation package. |
| | Upgraded to the new ActiveMQ version. |
| | Fixed an M&O limitation that caused queries to time out and fail under high load. |

| Category | Resolved Issues |
|---|---|
| HF16 | Cleaning scan-related files occasionally failed, resulting in storage overflow. |
| | The query description did not appear in the header of a selected result in the Results Viewer. |
| | If there were issues with the TFS integration, not all folders were scanned. |
| | In some cases, the CxSAST OData API returned incorrect results when several query updates were performed at the same time. |

| Category | Resolved Issues |
|---|---|
| HF15 | Fix for global includes in macro JSON files in Linux environments. |

| Category | Resolved Issues |
|---|---|
| HF14 | Fixed a case in which the length of a specific field in the CxOSA risk report exceeded a predefined limit. |
| | In some cases the Results Viewer did not display the query name after upgrading to version 8.9. |
| | Mandatory security fix for an unauthenticated remote code execution. |
| | Fix for Jira Cloud connection compatibility after a Jira Cloud update. |

| Category | Resolved Issues |
|---|---|
| HF13 | Fixed a case in which the Results Viewer did not display results when the result similarity ID is configured per project (the RESULT_ATTRIBUTES_PER_SIMILARITY flag is set to false). |
| | Aligned the SimilarityID calculation for XML reports between the Portal (REST) and the SOAP API. |
| | Improved OData API support for cases in which the DB password includes special characters. |
| | Fixed situations in which an engine scan did not complete successfully but was shown as "Finished" in the Portal. |

| Category | Resolved Issues |
|---|---|
| HF12 | Added Kotlin language support for client side only. To enable it, contact support, as a beta Ruleset Content Pack needs to be installed. |
| | Fixed a parsing issue in the support for the use of keywords in PL/SQL. |
| | Fixed several Scala parsing issues, improving overall support. |

| Category | Resolved Issues |
|---|---|
| HF11 | Fixed a plugin authentication concurrency issue. |
| | Improved the performance of the update scan statistics process. |
| | Added the ability to switch the automatic "best fix location" statistics calculation on or off in case of performance issues. |
| | Improved the performance of the "best fix location" statistics calculation. |
| | Fixed an issue where the "best fix location" internal calculation caused locks in the DB. |
| | Improved support for setting Git repository definitions via the CxSAST REST API. |
| | Fixed an issue with LDAP user synchronization that occurred due to a case-sensitivity mismatch between the LDAP team and group properties. |
| | Fixed an issue with filtering out the backslash when sources are located under a root directory. |
| | Fixed a post-scan action issue where changing an email address resulted in multiple emails being sent. |
| | Fixed a SimilarityID inconsistency between the Portal and the SOAP API. |
| | Git SSL URLs now support hyphens. |
| | Fixed a UI issue that concealed the pre/post action buttons in the Portal UI. |
| | Fixed an issue with logging in via Swagger, which failed due to an issue with cookie security. |
| | Added the version number to the 'Inventory Libraries' section of the CxOSA report. |
| | Fixed the CxOSA libraries page getting stuck. |

| Category | Resolved Issues |
|---|---|
| HF10 | Fixed an issue causing an inconsistency between XPathProvider and CxList for JavaScript. |
| | Fixed an issue with Apex Visualforce not displaying the correct location of the result. |
| | Fixed some flow issues in Ruby. |
| | Fixed an issue where a scan was unable to exit in case of failure. |

| Category | Resolved Issues |
|---|---|
| HF9 | Python improvements. |

| Category | Resolved Issues |
|---|---|
| HF8 | Python: improvements in finding flows and definitions when using "self". |
| | Python: improvements in finding flows between a parameter of a function definition and its internal use. |
| | Query description and sample code improvements in Japanese and Chinese. |
| | Added an option to the REST API to force a full scan even without code changes. |
| | Application security improvements for handling Git access tokens. |
| | Fixed potential XSS and cookie handling vulnerabilities. |

| Category | Resolved Issues |
|---|---|
| HF7 | Fixed an issue that caused results to be saved multiple times in case of a database timeout. |
| | For new projects, OSA now identifies scanned libraries by default using their relevant package managers. |

| Category | Resolved Issues |
|---|---|
| HF6 | OSA: fixed an issue in the unzipping mechanism when a user tries to scan a ZIP file on a local drive. |
| | Improved M&O performance, utilizing Tomcat. |
| | Fix for the Policy Manager upgrade and for installation in complex environments. |
| | Calls to garbage collection are enabled by default to improve engine performance (for example, to free up memory). This hotfix adds the option to disable them on multi-core systems (for example, to avoid time-consuming manual calls on systems with a lot of RAM). To do this, set the Engine configuration key MANUAL_CALL_GC_COLLECT to false. |
| | When an incremental scan is reverted to a full scan because a threshold limit was exceeded, the scan now becomes the new baseline (which is used to check the percentage of changes in any subsequent incremental scan). It is now presented in CxSAST as a full scan. |

| Category | Resolved Issues |
|---|---|
| HF5 | Fix for a security vulnerability. |
| | Fix for issues with exporting users and teams to CSV. |
| | Fix for inaccurate scan details for scans with no code changes. |
| | Fix for temporary files accumulating on the disk. |
| | Updates to vulnerability descriptions in Chinese. |
| | Improved flow support for member accesses in PHP. |
| | Improved support for variable declarations at class level in Ruby. |
| | PHP: fix for a false-positive result. |
| | Fix for OSA scan failure in extreme cases when uploading a ZIP file in High Availability deployments. |
| | Fix for the OSA results viewer when Management and Orchestration is not installed. |

| Category | Resolved Issues |
|---|---|
| HF4 | Fixed OSA scan failures on PHP and Go file extensions. |
| | Fix for SAST scan failures in Kotlin projects. |
| | Numerous JavaScript parsing fixes, thereby increasing the number of vulnerabilities found in JavaScript projects. |

| Category | Resolved Issues |
|---|---|
| HF3 | A behavior change has been applied to all hotfixes, starting from v8.9 HF3. Refer to Hotfix (HF) Behavior Changes for more information. |
| | Fix for OSA when scanning the latest NPM version. |
| | Fix for large OSA scans failing. |
| | Added a UI indication of the package manager for each open source library found. |
| | Security fix for Management and Orchestration. |

| Category | Resolved Issues |
|---|---|
| HF2 | CPP, Kotlin, Go and C#.Net: overall support improvements. |
| | Improvements for queue management. |
| | Improvement for engine start and stop time. |
| | Improvements for the incremental scan mechanism. |
| | Fix for an error when entering the Data Analysis area in a high availability environment. |
| | Fix for XML downloads being terminated for files over 800 MB. |
| | Fix for a blocked engine after editing the scan size of an unblocked engine. |
| | Fix for the M&O Violations tab not being visible. |
| | Fix for report generation failure. |
| | Fix for data retention deleting all logs when performing an incremental scan without code changes. |
| | Fix for the branching API (REST) not copying the preset and other settings over to the branch. |
| | Fix for the WatchDog implementation for the JavaScript parsing stage. |
| | Fix for UnzipLocalDrive usage, where the initially copied ZIP file was not deleted at the end. |
| | Fix for temp files not being cleaned from the ExtSrc folder when performing an incremental scan without code changes. |
| | Fix for ActiveMQ restart getting stuck in the sync process. |
| | Fix for the GetFullTeamName function returning a wrong result. |
| | Fix for overriding queries in different teams showing the overridden queries in the first team only. |
| | Fix for downloaded logs not containing the application logs from the configured logs location. |
| | Fix for the inability to export to CSV format from the 'Users & Teams' tab in Access Control. |
| | Fix for the scan comment when performing an incremental scan without code changes. |
| | Fix for scans with no code changes saving an incorrect queue time in the TaskScans DB table. |
| | Fix for CxAudit failing to copy filenames that cause the CxAuditSrc directory path to exceed 259 characters. |
| | Added a feature flag to merge NOT_EXPLOITABLE results from the previous full scan into incremental scans. To activate this feature, open CxDB, table CxComponentConfiguration, and set the value of the key INCREMENTAL_SCAN_MERGE_NOT_EXPLOITABLE_RESULTS to true. |
| | Fix for a vulnerability in the CxSAST portal: Telerik security pack applied. |

| Category | Resolved Issues |
|---|---|
| HF1 | Vulnerability descriptions translated into Chinese. |
| | Java: added support for Apache Velocity. |
| | Java: SQL_Injection query improvements. |
| | Fix for an incomplete scan process issue. |
| | Minor UI changes and logging improvements for OSA. |
| | NOTE: The following fixes (released for 8.8 HF5 and up) are not included in 8.9 HF1: |
| | If a full scan is executed instead of an incremental scan, the UI now presents the correct information. |
| | XML downloads are terminated if over 800 MB. |