8.9.0 Hotfixes

Installation Notes

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
  • The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.

Resolved Issues and Changes

CategoryResolved Issues

Log information has been added to the audit trail for cases when a team has been created or deleted or when users have been deleted as a result of deleting a team.

Fixed an issue that broke the link to the GIT integration, if the word 'git' was part of the URL. 


CategoryResolved Issues
HF31Apache Tomcat has been upgraded to version 8.5.57.


CategoryResolved Issues
HF30Fixed an issue that caused SOAP to receive empty results.

Fixed an issue that caused postponed scans to fail. 


CategoryResolved Issues
HF29Fixed issues that caused the source file folder for failed scans to remain although it is expected to be deleted by data retention.

Fixed issues that caused scan folders of current scans to be deleted.

Various improvements have been implemented for ASP Find_Interactive_Inputs coverage.

Various improvements have been implemented for the JavaScript (v2) parsing "async" function.

Various improvements have been implemented for COBOL parsing and execution timeouts.


CategoryResolved Issues
HF28Fixed cases for CxAudit where some projects couldn’t be sorted and were removed from the project list.

Important security issues of private tokens have been fixed. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates

Log information has been added to the audit trail for cases in which users are deleted as a result of deleting a team. 

SAML: The user email addresses are now case sensitive.

The performance of the database has been improved. 


CategoryResolved Issues
HF27The performance of the scan reports list in the user interface has been improved.  

An issue has been fixed that prevented users from logging into CxAudit after the session timed out.

Fixed an issue that prevented the data retention from deleting failed scans from the file system and database.

Fixed an issue that prevented source files from being deleted after the scans have been canceled.

Important security fixes have been implemented. For additional information, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates.

Fixed an issue that prevented scan results to be sent to valid email addresses that were listed after an invalid email address. 

The scalability of the CxEngine has been improved.

An audit trail has been added for missing API actions on projects.

Fixed cases where the <Full Scan> button did not show in the user interface.


CategoryResolved Issues
HF26The scan algorithm has been optimized to improve the scan speed.

Fixed the issue that caused users to get logged off from CxAudit.

Added improvements to the Cobol support. This configuration requires CP 96,. which is available upon request.

Fixed the issue that caused a previous hotfix to prevent C# projects from running. 


CategoryResolved Issues
HF25All scan times and dates have been aligned in the Project State screen.

Fixed a user name sync issue that led to a mismatch between user interface and database when the user name was manually changed in the database.

Fixed an issue that led scans to immediately fail due to unsaved pre-scan processes. 

Improved the error message that is returned in case a SAML user does not have permissions to log in.

Added the configuration for user name encryption in the logs.

Fixed the issue that caused the CxARM logs to grow excessively causing low system memory.


CategoryResolved Issues

If the Excluded Files string included a prefix with **, for example Test**, the folder names starting with that prefix, for example folders named Test1 and Test2, were excluded from the scan.

Known Limitation

It is not possible to edit the Exclude Files/Folders string in the user interface, if it includes **. This string will be deleted from the user interface.


CategoryResolved Issues
HF23Repackaged and improved the installation.


CategoryResolved Issues


Improved BitBucket GiT Repository integration when using private keys.

Fixed API for connecting to BitBucket.

Fixed the toolbar button functionality to initiate a full or incremental scan on the View Project Scan page.

The SAST tab editor stopped responding if an illegal string was entered.

Unicode encoding support has been added for Jira integrations.

When submitting a scan result to the Jira cloud, the submission failed if the Reporter field was mandatory.


CategoryResolved Issues
HF21The Reflected_XSS query in Apex has been improved. 

A new mechanism has been introduced to abort scans when the system gets low on memory in an effort to avoid the engine to jam. The configuration keys are the following:

WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY (default: false – disabled)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT max limit of used memory to abort (default: 96%)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB minimum free memory in System to start check the condition MAX_USAGE_PERCENT (default: 1024 Mb)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER key to prevent scan abort on single memory peek – Low-Memory should persist number of times continuously (default: 5 times)

A new mechanism has been introduced to abort file parsing when the system gets low on memory. To activate and configure it, use the following configuration keys:

ABORT_FILE_PARSING_ON_LOW_MEMORY (default: false - disabled)

Consult with your technical contact or support before enabling this configuration as it may result in inconsistent results for some scans.


CategoryResolved Issues


The automatic comment logic for No Code Changes scans has been improved to include a user comment (if one was entered) to the automatic No Change comment.

Scans are now marked final only after completing the internal processing of the received result.

Fixed a connection issue to the Git repository when creating a new project if the repository path contains the string -b.

Fixed an issue where exporting scan results to a CSV file failed in some cases.

Enabled Jira to handle large json files.

CxOSA detected less libraries when scanning a project with a complex structure.

Fixed cases when the scan manager stops responding and is unable to process additional scans due to a problematic file.


CategoryResolved Issues
HF19This hotfix includes multiple fixes to improve the overall user experience for the ‘All Projects’, ‘Project‘ and ‘All Scans’ areas.

When using a tag in GIT, the scan failed to clone.


CategoryResolved Issues

The max. number of results per query can now be defined using the key in the MAX_NUMBER_OF_RESULTS engine as follows:

  • To allow results without limitations, use the default key setting (“-1”).
  • To define a max. number of results, set the key to that number. For example, to limit the number of results to 100 per query, the key must be set to “100”.


CategoryResolved Issues
HF17The Java Runtime Environment was replaced with OpenJDK 8u242 in the installation package.

Upgraded to the new ActiveMQ version.

The M&O limitation has been fixed. This limitation caused the query to time out and fail while running in high load.


CategoryResolved Issues
HF16Cleaning scan related files occasionally failed, resulting in storage overflow.

Query Description did not appear in the header of a selected result in the Results Viewer.

If there were issues with TFS integration, not all folders were scanned.

In some cases, the CxSAST OData API returned incorrect results when several query updates were performed at the same time.


CategoryResolved Issues

Fix for Global includes on Macro JSON files for Linux environments.


CategoryResolved Issues


Fixed the case where a length of a specific field in CxOSA risk report exceeds a predefined number.

In some cases the result viewer does not display the query name after upgrading to version 8.9.

Mandatory security fix for an unauthenticated remote code execution.

Fix for updated Jira Cloud connection compatibility.


CategoryResolved Issues


Fix for when Results Viewer doesn’t display results when results similarity ID is configured per project (‘RESULT_ATTRIBUTES_PER_SIMILARITY’ flag is set to ‘false’).

Align SimilarityID calculation for XML reports between Portal (REST) and SOAP API.

Improve oData API support for cases when DB password includes special characters.

Fix situations when Engine scan doesn’t complete successfully but is reflected as “Finished” in Portal.


CategoryResolved Issues

Added Kotlin language support for client side only. Note that, to enable it, please contact support as a beta Ruleset Content Pack needs to be installed.

Fixed parsing issue in the support for use of keywords in PLSQL.

Fixed several Scala parsing issues, improving overall support.


CategoryResolved Issues


Fixed plugin authentication concurrency issue.

Improved the performance of the update scan statistics process.

Added the ability to switch on/off the automatic “best fix location” statistics calculation in case of performance issues.

Improved the performance of the “best fix location” statistics calculation..

Fixed issue where the “best fix location” internal calculation caused locks in the DB.

Improved support for setting GIT repository definitions via CxSAST REST API.

Fixed an issue with LDAP user Synchronization that occurred due to case sensitive mismatch between the LDAP team and group properties.

Fixed the issue with filtering out the backslash in case sources are located under a root directory.

Fixed a Post-scan-action issue where changing an email address resulted in sending multiple emails.

Fixed a SimilarityID inconsistency between the Portal and SOAP API.

GIT ssl url now supports hyphens.

Fixed a UI issue that concealed the pre/post action buttons in the Portal UI.

Fixed an issue with login-in via swagger. Login via swagger failed due to issue with cookie security.

Added the version number to the ‘Inventory Libraries’ section in the CxOSA report.

Fixed CxOSA libraries page getting stuck.


CategoryResolved Issues


Fixed issue causing an inconsistency on XPathProvider and CxList for JavaScript.

Fixed issue with Apex Visual Force not displaying the correct location of the result.

Fixed some flow issues in Ruby.

Fixed issue in the scan that was not able to exit in case of failure.


CategoryResolved Issues
HF9Python improvements.


CategoryResolved Issues

[Python] – Improvements in finding flows and definitions when using “self”.

[Python] – Improvements in finding flows between param of function def and its internal use.

Query description and sample code improvements in Japanese and Chinese.

Added an option to the REST-API to allow to force a full scan without code changes.

Application security improvements for handling GIT access tokens.

Fixed potential XSS and Cookie handling vulnerabilities.


CategoryResolved Issues

Fix an issue that caused results to be saved multiple times in case of a database timeout.

For new projects, OSA will, by default, identify scanned libraries using their relevant package managers.


CategoryResolved Issues

OSA – Fixed issue in the unzipping mechanism when a user tries to scan a ZIP file on local drive.

Improved M&O performance, utilizing Tomcat.

Fix for Policy Manager upgrade and complex environments installation.

By default calls to the garbage collection are enabled in order to improve engine performance (e.g. to free up memory). Disabling this option was added to this hotfix for multi-core systems (e.g. to avoid time consuming manual calls on systems with a lot of RAM). To do this, the Engine configuration key ‘MANUAL_CALL_GC_COLLECT’ can be set to ‘false’.

Fix was implemented for when an incremental scan is reverted into a full scan due to a threshold limit, the scan now becomes the new baseline (which is used to check % of changes in any succeeding incremental scan). This is now presented in CxSAST as a full scan.


CategoryResolved Issues

Fix for a security vulnerability.

Fix for issues with export users and team to CSV.

Fix for inaccurate scan details for scans with no code changes.

Fix for temporary files accumulating on the disk.

Updates to Vulnerability descriptions in Chinese.

Improved flow support for member accesses in PHP.

Improved support for variable declarations at class level on Ruby.

PHP - Fix for FP result.

Fix for OSA scan failure in extreme cases when uploading ZIP file in High Availability deployments.

Fix for OSA results viewer when Management and Orchestration is not installed.


CategoryResolved Issues

Fixed OSA scan failures on PHP and GO file extensions.

Fix for SAST scan failures in Kotlin projects.

Numerous JavaScript parsing fixes, subsequently increasing the number of found vulnerabilities for JavaScript projects.


CategoryResolved Issues
HF3A behavior change has been applied to all hotfixes, starting from v8.9 HF3. Refer to Hotfix (HF) Behavior Changes for more information.

Fix for OSA when scanning latest NPM version.

Fix for large OSA scans failing.

Added UI indication on the package manager for each open source library found.

Security fix – Management and Orchestration.


CategoryResolved Issues
HF2CPP, Kotlin, Go and C#.Net – Overall support improvements.

Improvements for queue management.

Improvement for engine start and stop time.

Improvements for incremental scan mechanism.

Fix for error when entering Data Analysis area in high availability environment.

Fix for XML downloads being terminated for files over 800 MB.

Fix for blocked engine after editing unblocked engine scan size.

Fix for M&O Violations tab not being visible.

Fix for report generation failure.

Fix for data retention deletion all logs when performing incremental scan without code change.

Fix for branching API (REST) that didn’t copy preset and other settings over to branch.

Fix for WatchDog implementation for Java script parsing stage.

Fix for UnzipLocalDrive usage, the initially copied zip file not being deleted at the end.

Fix for the temp files not cleaned from the ExtSrc folder when performing incremental scan without code change.

Fix for ActiveMQ restart stuck in sync process.

Fix for GetFullTeamName function returning wrong result.

Fix for overriding queries in different teams showing the overridden queries in the first team only.

Fix for downloaded logs not containing the application logs for configured logs location.

Fix for inability to export to CSV format from the 'Users & Teams' tab in access control.

Fix for scan comment when performing incremental scan without code change.

Fix for scans with no code changes saving incorrect queue time in the TaskScans DB table.

Fix for CxAudit failure to copy filenames that cause the CxAuditSrc directory path to exceed 259 characters.

Added a feature flag to merge NOT_EXPLOITABLE results to Incremental scans from previous full scan.

To activate this feature, go to CxDB, table CxComponentConfiguration,and set the value of key INCREMENTAL_SCAN_MERGE_NOT_EXPLOITABLE_RESULTS to be true.

Fix for vulnerability in CxSAST portal - Telerik security pack applied.


CategoryResolved Issues

Vulnerability descriptions translated to Chinese.
Java: added support for Apache Velocity.
Java: SQL_Injection query improvements.
Fix for incomplete scan process issue.
Minor UI changes and logging improvements for OSA.
NOTE: The following fixes (released for 8.8 HF5 and up) are not included in 8.9 HF1:

If a full scan is executed instead of Incremental scan, UI now presents the correct information.
XML downloads are terminated if over 800 MB.