9.0.0 Hotfixes

Installation Notes

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
  • The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes

 For CxSAST 9.0 HF11 and higher, we recommend customizing the listed JavaScript queries.

JavaScript -> General -> JQuery_Sanitize

//Methods that are sanitized in JQuery

CxList Methods = Find_JQuery_Methods();

result = Methods.FindByShortNames(new List<string>{

JavaScript_Medium_Threat -> Client_Potential_Code_Injection

CxList inputs = Find_Potential_Inputs();
new List<string>{"val", "text", "html", "attr", "prop"}));
CxList eval = Find_Outputs_CodeInjection();
CxList sanitize = Sanitize();

CxList lambda = Find_LambdaExpr();
CxList returns = Find_ReturnStmt();


result.Add(eval.FindByType(typeof(Param)) * inputs - sanitize);
result.Add(eval.InfluencedByAndNotSanitized(inputs, sanitize, CxList.InfluenceAlgorithmCalculation.NewAlgorithm));
result.Add(Find_Source_Equals_Sink(inputs, eval));

JavaScript_Medium_Threat -> Client_Potential_XSS

CxList inputs = Find_Potential_Inputs();
  new List<string>{"val", "text", "attr", "prop"}));
CxList outputs = Find_Outputs_XSS();
outputs = outputs - outputs.FindByAssignmentSide(CxList.AssignmentSide.Right);

CxList sanitize = Sanitize();

CxList outMethods = outputs.FindByType(typeof (MethodInvokeExpr));
CxList outParams = All.GetParameters(outMethods);
outParams -= outParams.FindByShortName("Lambda");//anonymus function will double results.
outputs -= outMethods;

CxList outputsParams = All.NewCxList();

CxList toParms = outputsParams.InfluencedByAndNotSanitized(inputs, sanitize, CxList.InfluenceAlgorithmCalculation.NewAlgorithm);

foreach (CxList curPath in toParms.GetCxListByPath())
  CxList lastNode = curPath.GetStartAndEndNodes(CxList.GetStartEndNodesType.EndNodesOnly);
  if ((lastNode * outParams).Count > 0)
    CxList paramMethod = outMethods.FindByParameters(lastNode);
    if (paramMethod.Count == 1)
      result.Add(curPath.ConcatenatePath(paramMethod, false));

result.Add(outParams * inputs - sanitize);
result.Add(Find_Source_Equals_Sink(inputs, outputs) - sanitize);

result = result.ReduceFlow(CxList.ReduceFlowType.ReduceBigFlow);

CategoryResolved Issues

Fixed cases where there is a lower level query override, but when running the queries the higher query is being used.

Improved Apex language recognition in multi-language mode.

Improvements in the query hierarchy mechanism according to the teams.

Added support in ASP and PHP for files with .inc extension.

Improvements in JavaScript (Regex/ReDOS) parsing.

Engine Improvements for preventing unfinished scans when matching regular expression patterns.

Added a new capability in the CxAudit for easily extracting the source code related to a query. To enable, please refer to the CxAudit Guide


CategoryResolved Issues
HF20Fixed cases of misalignment between Access Control and CxSAST caused by a multiple hierarchy in the Teams tree.

Fixed cases where branched project details were irretrievable using the API.

Post-scan actions now have a defined timeout.

Improved performance of the Scan Manager stop/start actions.

Improved the Scanned Languages description on the Scan Summary page when the scan returns zero findings

Fixed cases where the query headline did not appear in the Results Viewer.

Fixed cases where the Results Service failed to start due to a missing SQL configuration in the host file.

Fixed cases where the Results Service failed to start due to a problematic configuration in the Checkmarx path in the registry.


CategoryResolved Issues
HF19Allow customers that use SCA to enable an SCA widget to replace the content of the existing OSA widget, so that it is now possible to display CxSCA scan results in the summary page of CxSAST. For more information, see Displaying CxSCA Scan Results in CxSAST.

The User Manager role is now able to grant roles that it does not have itself. For more information, see Access Control Configuration Guide.

Improved the error message that is displayed when attempts are made to log in with SAML without the proper permissions.


CategoryResolved Issues

Line breaks are now included in scan comments.

Fixed cases where the Engine Service is unable to read the status.xml file.

Fixed misalignment in scan status in cases where the scan status still indicated “scanning” after the scan had already completed.

Performance improvements for Best Fix Location (BFL).

Fixed cases where scanning failed to start due to a problematic location in TFS.

Fixed cases where email notifications were not sent due to a non-existing email address.

Fixed cases where a scan with a pre-scan failed due to a change in the location of the source files.

The CxSAST Portal now displays Git branches in all languages.

Fixed cases where scans fail due to a problematic usage of Git cloning.

Fixed cases where the CxSAST Portal was not displayed due to an issue with loading the configurations.

M&O: Fixed multiple sync issues that caused the ETL to fail.

M&O: Fixed misalignment between the number of projects displayed in the header and the actual number of violated projects on the page.

You can now configure the Global Admin role to exclude the CxAudit permission. For more information, see Access Control Configuration Guide.

Improved performance for fetching a large number of users and teams from the Active Directory.

The Access Control login page now supports logo and background customizations. For details about how to customize the login page, see: https://checkmarx.atlassian.net/wiki/spaces/KC/pages/2509278584/Customizing+the+Access+Control+Web+Interface+v2.1+and+up.


CategoryResolved Issues
HF17Fix situations when Engine scan doesn’t complete successfully but is reflected as “Finished” in Portal.

Improved the response time for opening a Projects page containing a large number of projects.

Fixed an issue that broke the link to the GIT integration, if the word 'git' was part of the URL. 

Improved the response time for opening the Results View for a project with hundreds of results.

Improved performance when working with a large volume of branches and tags in Git.

Fix situations where a IIS reset caused Teams to lose synchronization between Access Control and CxSAST.

The Post Scan Actions field size has been increased to 1000 characters.


CategoryResolved Issues
HF16Log messages have been improved.

Several improvements have been made for Python.

Several improvements have been made for Java SQL Injection queries.

 Overriding the general query Find_Plain_Interactive_Input as part of these improvements
  1. Open CxAudit.
  2. At the top right in CxAudit, select Edit Queries to open the Edit Queries dialog.
  3. Under Choose a Programming Language, select Java. The application loads all queries for Java.
  4. Click the Query tab to view the Query list.
  5. In the Query list, navigate to Java > Cx > Java_General > Find_Plain_Interactive_Inputs.
  6. Double-click Find_Plain_Interactive_Inputs to open the Queries Source window.
  7. Copy the current content of the query from the Queries Source window. You have to paste it at a later step. therefore, make sure to keep it in the clipboard.  
  8. Right-click the Find_Plain_Interactive_Inputs query and select Override > All Projects Under Corp.
  9. Delete the line that appears by default and looks like this:
    result = base.Find_Plain_Interactive_Inputs() ;
  10. Paste the previously copied content of the query.
  11. Navigate to line 111, press <Enter> and then paste the following code.
    CxList cx_virtual = methodDecl.FindByShortName("cx_virtual_getters_setters_loop").GetByAncs(actionFormClasses);
    CxList getterSettters = notResponseWrite.FindByShortName("get*").GetByAncs(cx_virtual);
    CxList fieldsRefs = All.FindAllReferences(Find_Field_Decl().GetByAncs(actionFormClasses));
  12. Press <CTRL>+<S> or use the Save All Queries option to save the new query.  

The image below illustrates the exact location of the new code. The red arrow marks line 111 and the added code is highlighted green.

Several improvements have been made for Swift parsing.

Fixed a performance issue in C++ scans.

Missing Japanese query descriptions have been added.


CategoryResolved Issues
HF15Fixed an issue that caused results being hidden after upgrading CxSAST.

"_" can now be used as part of template names.

Line breaks are now included with scan comments.

Added events for deleting team members, when the entire team is deleted.

The first character of a team name must be an alphanumeric character.

For authentication via LDAP, paging has been added for cases when a large amount of LDAP users is returned.

Added support for a CxSAST cluster and a single Access Control.

Corrected the display of teams to reflect their correct hierarchy.

Fixed an issue that caused scans to fail after attempting to read ScanDetails.xml before this file was created.

Fixed errors that caused incremental scans being logged with a wrong path, causing the scan to get stuck.


CategoryResolved Issues

Introduced a personal access token for Github integration (as part of the deprecation of Github’s basic authentication). 

Previously created webhooks with basic authentication continue to operate. When triggering a previously created webhooks project without setting the PAT, Commit Comment is unavailable. To make Commit Comment available, switch to PAT on all Github related projects.

Triggering a new scan from the plugins does not require 'Create Project' or 'Edit Project' permissions anymore.


CategoryResolved Issues
HF13Improved the ASP queries with Find_Interative_inputs elements.

Fixed an issue that caused the scan to get stuck as a result of the AMQ getting stuck. This was caused by a query that returned a large number of results.


CategoryResolved Issues
HF12Fixed an issue that caused creating new projects to 'hang'.

Fixed the token life time that caused scans initiated from plugins to fail.

Support for opening a Jira ticket has been added for cases when the Security Level field is mandatory.

Fixed an issue that caused postponed scans to fail.

The performance has been improved for handling many CPUs.

The hotfix version is now listed in the engine log.

Added an error message to the log for cases when a CxOSA scan was successful, but returned no results.

Fixed a case where the length of a specific field in the CxOSA risk report exceeds a predefined number.

For new projects, CxOSA identifies now scanned libraries using their relevant package managers by default.

Security fixes, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.

Apache Tomcat has been upgraded to version 8.5.57

Group DNs in LDAP Role Mapping are no longer case sensitive.

It is now possible to sort users in Teams tables.

The Team name size has been increased to up to 128 characters.


CategoryResolved Issues
HF11Fixed a JavaScript issue that caused a memory leak.

Improved Client_Potential_XSS and Client_Potential_Code_Injection accuracy regarding JQuery methods.

Improved the import mechanism that caused a false negative in Client_DOM_XSS.

Fixed an issue in Kotlin that caused scan failure.

Fixed an issue with TypeScript to JavaScript database migration.

Fixed a sorting issue that caused some projects not to be displayed in CxAudit.

The performance has been improved for handling many CPUs.

Fixed cases when the scan freezes due to an exception in the query.


CategoryResolved Issues
HF10Access Control. Enhanced SAML support, now allowing team and role mappings with proprietary SAML assertion attribute values.


CategoryResolved Issues
HF9Fixed various issues that affected working with the Security Gate license.

Improved date format alignment across the various components.

Fixed a synchronization issue between CxOSA and M&O.

Security fix, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.

Fixed issues that caused users to be moved to 'inactive' after the server restarted.

LDAP mapping is now case insensitive.

Known Limitations

If you are unable to log on to Access Control after installing HF9, clear the browser cache and the browsing history. For further information, refer to Chrome: Clear cache & cookies or How to clear the Firefox cache, depending on the browser in use.


CategoryResolved Issues
HF8Added the ability to select a default role and a default team when using LDAP Advanced mapping. For further information, refer to Settings Tab - LDAP Server Settings (v2.0 and up).

Removed the maximum length limitation for LDAP group mappings.

Fixed cases in which users were assigned to a large amount of teams and could therefore not log in.

SAML: The user email addresses are now case insensitive.

Improved oData API support for cases when the database password includes special characters.

Fixed the OData API call when QueryName is null.

Fixed cases when incremental scans were reverted to full scans, but were still presented as incremental.

Security fix, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.

Fixed issues that caused the source file folder for failed scans to remain although it is expected to be deleted by data retention.

Fixed issues that caused scan folders of current scans to be deleted.


CategoryResolved Issues
HF7The scan logs downloaded from the CxSAST portal now include the missing engine service logs.

Fixed an issue that caused specific folders not to be found during the scan cleanup process.

Fixed SSL offloading cases for load balancers.

The SAST tab editor stopped responding, if an illegal string has been entered.

Fixed issues that caused scans to fail due to a location change of the Git repository.

Fixed an issue in Swagger that prevented projects from being scanned.

An issue has been fixed that caused OSA requests to fail with error APIVersionUndefined that froze loading the page.

An issue has been fixed that caused errors in some pages of the portal when using the Security Gate license.


CategoryResolved Issues.
HF6Various cases have been fixed that caused scans to run indefinitely.


CategoryResolved Issues

Introduced a new permission: “view-results”. This permission separates the view-results ability from any other permission and is added to any predefined role.


CategoryResolved Issues

A new mechanism has been introduced to abort scans when the system gets low on memory in an effort to avoid the engine to jam. The configuration keys are the following:

WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY (default: false – disabled)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT max limit of used memory to abort (default: 96%)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB minimum free memory in System to start check the condition MAX_USAGE_PERCENT (default: 1024 Mb)
WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER key to prevent scan abort on single memory peek – Low-Memory should persist number of times continuously (default: 5 times)

Improvements for GO support.

Improvements for query override system.

Improved Active-MQ heap configuration.

Improved Active-MQ log configuration, which prevents log clogging.

Various Git/BitBucket integration improvements

Jira cloud integration: Fixed cases in which the system is unable to send the report due to a missing mandatory field.

CxOSA detects more libraries when scanning a project with a complex structure.

New AMQ and FSA versions

Various security fixes for M&O and OSA.

QMA configuration files may be overwritten when installing a hotfix (HF). Therefore, make sure to back this file up before, if changes have been made to it.


CategoryResolved Issues
HF3Access Control version has been added to allow CxSAST to operate in Master Access Control mode and to connect to Multi-Tenant Access Control.

Improved the Chinese translation in the CxSAST portal.

Various security issues have been fixed.

Fixed cases when the scan manager stops responding and is unable to process additional scans due to a problematic file. 

Fixed ODATA calls to ensure that scan results are obtained using Query Group or Query Team. 

Corrected the file size calculations for cases when the file size parameter has been changed to a larger value.

Added a warning during installation about new .NET Core prerequisites (ASP .Net core 2.1.16 is required).


CategoryResolved Issues
HF2Improved CPP parsing for query Integer_Overflow and the JSON file to define global includes under Linux.

Added missing flow in Python.

Providing improved versions of the Apex Refelcted_XSS and Visual Force pre-processed files.

Fixing JavaScript scan aborted and concurrency issues with some Lightning queries.

Improved the App_Transport_Security_Bypass query in Objective-C.

Java now recognizes the Final modifier.

Improved the Handlebars support.

Various internal and log improvements


CategoryResolved Issues

Access Control supports Advanced Role Mapping with a semicolon placed between the roles when active Directory groups are linked to one role.

Fixed a login issue caused by SameSite Cookie recently introduced in Chrome.

Known Limitations

If you use HTTP, Access Control and and CxSAST cannot be hosted on different servers, if SameSite Cookie is enabled.