8.6.0 Release Updates

New Features and Changes

Application

Setup and Configuration

A new Checkmarx License Agreement (EULA) screen has been implemented in the latest version of the CxSAST installation and setup wizard to allow the user to accept or decline the terms of the Checkmarx License Agreement.

For silent installation via the CxSAST CLI, the option to install CxSAST without having to accept the license terms interactively is still available.

Setup and Configuration

Long Path Support has been added to CxSAST. Older versions of Windows did not support paths or file names longer than 260 characters (the MAX_PATH limit); Windows 10 and Windows Server 2016 introduced an opt-in setting that lifts this limit.

To enable Long Path Support in CxSAST, all of the following must be done:

  • Enable Long Path Support in Windows 10 / Windows Server 2016 (the LongPathsEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, or the equivalent Group Policy setting)
  • Enable Long Path Support in the CxSAST Application
  • Enable Long Path Support in CxAudit
  • Enable Long Path Support in CxSAST Server Settings
  • Enable Long Path Support in Git (core.longpaths)

Long Path Support takes effect only when every Checkmarx component (CxEngines, CxPortal and CxAudit) has it enabled.

Integration - Git

The Git/GitHub authentication methodology has been improved in this version of CxSAST. Where the repository supports it, token- or SSH-based authentication is preferable to storing a user's password in the project configuration. The user can now use one of the following authentication methods when configuring Git:

  • No authentication at all (public repository)
  • Credential-based authentication
  • Token-based authentication
  • SSH-based authentication
Profile - Account Information

The default administrator email defined during installation/upgrade has been changed from admin@cx to admin@cx.com. This email is displayed on the Account Information panel in the My Profile screen (My Profile > Account Information) and now conforms to the Codebashing email format.

Management - Application Settings

The Engine Server panel has been removed from the Installation Information screen (Management > Application Settings > Installation Information). It has been replaced by the new Engine Server Management feature (see Management - Application Settings below).
Management - Application Settings

A new feature (Engine Server Management) has been added to CxSAST. The Engine Server Management feature is installed as part of the CxSAST installation and enables the following functionality:

Interface for viewing real-time engine server status information:

  • Number of engine servers in the system (active and offline)
  • Status of each engine server (scanning, idle, blocked, etc.)
  • Location (URL) and scan size of each engine server

Direct actions on a single engine server include:

  • Register engine server
  • Edit engine server
  • Unregister engine server
  • Block/unblock engine server

The Engine Server panel has been removed from the Installation Information screen (Management > Application Settings > Installation Information) to accommodate this new feature.

Management - Connection Settings

The CxSAST user can now save the LDAP settings in the LDAP Server Settings screen (Management > Connection Settings > LDAP Servers) without first running and passing the connection test. The connection can be validated at a later stage. The Test Connection button has also been moved from the top of the LDAP Servers screen to the bottom of the LDAP Server Settings panel. Settings saved untested should still be validated before users are expected to authenticate through them.

Management - Scan Settings

A new preset (OWASP Top 10 2017) has been added to the predefined presets list in the Preset Manager (Management > Scan Settings > Preset Manager), further extending the OWASP coverage of the Checkmarx preset library.
Management - Application Settings

The External Services screen (Management > Application Settings > External Services Settings) has been updated to reflect the integration of Codebashing into CxSAST (added at the end of 8.5.0).

The "enable non-anonymous data collection (email hashing)" option has been removed from the UI, together with its enablement procedure.

Open Viewer - Scan Results

A new results filtering option (OWASP Top 10 2017) has been added to the Scan Results Severity filter in the Open Code Viewer for CxSAST (Dashboard > Project State > Open Viewer > Scan Results Severity).

Report Generator

A new category (OWASP Top 10 2017) has been added to the Report Generator (Dashboard > Project State > Create Report > Categories).

CxAudit

Setup and Configuration

A new Checkmarx License Agreement (EULA) screen has been implemented in the latest version of the CxAudit installation and setup wizard to allow the user to accept or decline the terms of the Checkmarx License Agreement.
Audit Workspace

The folders in the Workspace View in CxAudit are now presented in a hierarchical tree structure (as in Windows Explorer). This makes it easier to navigate and find scanned project files.

The configuration key is CXAUDIT_TREE_VIEW_FLAT; its default is false (the new hierarchical tree structure). Setting it to true restores the previous flat tree view.

Authorization - Creating New Queries

Users without the Server Manager role can now create new queries and add them to presets. Since custom queries run as part of every scan that uses the preset, review which roles are granted this permission.
CxQL Query Language

New "findInScope" method

Updated CxXPath methods

Updated Abstract Interpretation methods

API updates:

  • "new CxList()" has been deprecated and replaced with "All.NewCxList()"
  • "CxList.isFrameworkActive" has been deprecated and replaced with "cxScan.IsFrameworkActive"
  • "CxList.getScanProperty" has been deprecated and replaced with "cxScan.GetScanProperty"
  • The following shortcuts have been deprecated and removed (use the full method name):
    • fbn - FindByName
    • fbsn - FindByShortName
    • fbt - FindByType
    • fbma - FindByMemberAccess
    • dib - DataInfluencedBy
    • dio - DataInfluencingOn
    • cib - ControlInfluencedBy
    • cio - ControlInfluencingOn
    • ib - InfluencedBy
    • io - InfluencingOn
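Custom queries that still use the removed shortcuts will no longer compile after the upgrade, so it is worth rewriting them mechanically before opening them in CxAudit. The following Python script is an added example, not Checkmarx tooling. It rewrites the deprecated calls listed above to their replacements and assumes those replacements are drop-in (same arguments, same result), which the release notes state but which you should confirm by re-running each query. The sample query it rewrites is constructed for illustration and is not from a real preset.

```python
"""Rewrite deprecated CxQL shortcut calls to their full method names.

Added example, not Checkmarx code. Assumes the replacements listed in the
8.6.0 release notes are drop-in; review the reported changes before checking
the query back in.
"""
import re

# Shortcut -> full method name, as listed in the 8.6.0 release notes.
SHORTCUTS = {
    "fbn": "FindByName",
    "fbsn": "FindByShortName",
    "fbt": "FindByType",
    "fbma": "FindByMemberAccess",
    "dib": "DataInfluencedBy",
    "dio": "DataInfluencingOn",
    "cib": "ControlInfluencedBy",
    "cio": "ControlInfluencingOn",
    "ib": "InfluencedBy",
    "io": "InfluencingOn",
}

# A shortcut only counts as a method call: preceded by '.' and followed by '('.
# This leaves identifiers such as ".fbname(" untouched and reads ".dib(" as
# dib rather than ".d" + "ib".
_SHORTCUT_CALL = re.compile(
    r"\.(" + "|".join(sorted(SHORTCUTS, key=len, reverse=True)) + r")\s*\("
)
_NEW_CXLIST = re.compile(r"\bnew\s+CxList\s*\(\s*\)")
_STATIC_CXLIST = re.compile(r"\bCxList\.(isFrameworkActive|getScanProperty)\b")
_STATIC_REPLACEMENTS = {
    "isFrameworkActive": "cxScan.IsFrameworkActive",
    "getScanProperty": "cxScan.GetScanProperty",
}


def migrate_query(source):
    """Return (rewritten query text, list of human-readable changes)."""
    changes = []

    def _shortcut(m):
        full = SHORTCUTS[m.group(1)]
        changes.append(f".{m.group(1)}( -> .{full}(")
        return f".{full}("

    def _static(m):
        full = _STATIC_REPLACEMENTS[m.group(1)]
        changes.append(f"CxList.{m.group(1)} -> {full}")
        return full

    out = _SHORTCUT_CALL.sub(_shortcut, source)
    out, n = _NEW_CXLIST.subn("All.NewCxList()", out)
    changes.extend(["new CxList() -> All.NewCxList()"] * n)
    out = _STATIC_CXLIST.sub(_static, out)
    return out, changes


# Constructed sample of an old-style custom query (not from a real preset).
OLD_QUERY = (
    'CxList sinks = All.fbn("executeQuery").fbt("MethodInvokeExpr");\n'
    'CxList tmp = new CxList();\n'
    'if (CxList.isFrameworkActive("Spring")) { sinks = sinks.dib(All); }\n'
    'result = All.fbma("Request.QueryString").dio(sinks).ib(tmp);\n'
)

if __name__ == "__main__":
    text, log = migrate_query(OLD_QUERY)
    print(text)
    for entry in log:
        print("changed:", entry)
```

Run it over each exported custom query, diff the output against the original, and only then paste the result back into CxAudit; the change log is there so the review is by substitution, not by re-reading the whole query.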

Integration & Plugins 

IDE Support - Logs

All Checkmarx IDE plugins now write their own version into the log/console using the following syntax: $<plugin name> Plugin Version: $<version>.

Maven - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for Maven in the next version (v8.7.0).

Jenkins - Plugin Support

The Checkmarx Jenkins plugin now supports Jenkins 2.91.

Jenkins - Plugin Global and Scan Configuration

A new drop-down selection method (Credentials) has been added to the CxSAST Global Configuration and Scan Settings screens in the CxSAST Jenkins plugin. Users who already have credentials defined in Jenkins and want the CxSAST plugin to use them must now select them through this drop-down, so the secret stays in the Jenkins credentials store rather than in the job configuration. The old method may still work for existing jobs.
Jenkins - Plugin Scan Configuration

A new drop-down option (Fail the build for new issues of the following severity or higher) has been added to the CxSAST Scan Configuration screen in the CxSAST Jenkins plugin. It fails the build when new issues of the selected severity (or higher) are found. This option works in addition to the regular thresholds (e.g. fail the build if "x" total high issues were found OR at least 1 new issue was found). It is only available if the "Enable vulnerability threshold" parameter is enabled.

Jenkins - Plugin Scan Results

The scan results in the Checkmarx Jenkins plugin (CxSAST Summary) have been updated to distinguish new and recurrent scan issues. A vulnerability is recurrent if it was already discovered in a previous scan. It is new if it was discovered for the first time, or if it was re-opened after being resolved in a previous scan.
Jenkins - Plugin Scan Results

The scan results in Checkmarx Jenkins plugin have been updated in accordance with running a scan in asynchronous mode. A full report has now been added to the Jenkins job for asynchronous scans. The following note has been added for cases where the full report may not be displayed; "Job is configured to run the Checkmarx scan asynchronously. This specific build's scan result cannot be displayed in this mode. Any results displayed are from the previous successful scan" 

Jenkins - Plugin Scan Results

The Checkmarx Last Scan Results link and the related scan report have been removed from the CxSAST Jenkins plugin main dashboard. All related scan results are now provided from the CxSAST Summary.

Jenkins - Plugin CxOSA Scan

The Checkmarx Jenkins plugin now creates the CxOSA scan by sending SHA-1 hashes of the dependency files instead of the binaries themselves, so the artifacts no longer leave the build agent.
Jenkins - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for Jenkins in the next version (v8.7.0)

Bamboo - Plugin Global Configuration

A new setting (Deny new Checkmarx project creation) has been added to the Global Configuration screen in Bamboo. Enabling this option prohibits creating new projects in Checkmarx or assigning an existing project to a different team from the plugin; disabling it allows these actions.

Bamboo - Plugin CxOSA Scan

The Checkmarx Bamboo plugin now creates the CxOSA scan by sending SHA-1 hashes instead of binaries.

Bamboo - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for Bamboo in the next version (v8.7.0).

TeamCity - Plugin Scan Results

The Failure result in the TeamCity results summary has been expanded to display more information about the actual failure.

TeamCity - Plugin Scan Results

Build failure is now written to the log.

TeamCity - Plugin CxOSA Scan

The Checkmarx TeamCity plugin now creates the CxOSA scan by sending SHA-1 hashes instead of binaries.

TeamCity - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for TeamCity in the next version (v8.7.0).

SonarQube - Plugin Support

The Checkmarx SonarQube plugin now supports SonarQube 6.7 (LTS).

SonarQube - Plugin Apex Support

The Checkmarx SonarQube plugin now supports the Apex language.

SonarQube - Plugin Presets

The Checkmarx SonarQube plugin now supports the automatic creation of Checkmarx quality profiles (CxSAST presets). Installing a language plugin for SonarQube now creates a quality profile for CxSAST code scanning automatically. Each quality profile created contains all relevant rules for that language.

SonarQube - Plugin Scan Results

The Checkmarx SonarQube plugin report UI has been updated to match the design and layout of the other CxSAST plugins.

SonarQube Plugin - Rules and Presets

Rules and presets for the SonarQube plugin have been upgraded in line with the latest CxSAST engine.

MS-VSTS Plugin - CxOSA Scan

The Checkmarx MS-VSTS plugin has been upgraded to support the following:
  • CxOSA scan
  • CxSAST and CxOSA reports

MS-VSTS Plugin - CxOSA Scan

The Checkmarx MS-VSTS plugin now creates the CxOSA scan by sending SHA-1 hashes instead of binaries.

MS-VSTS - Plugin Presets

The Checkmarx MS-VSTS plugin has been upgraded to support Custom Presets. A custom preset is used when the desired preset is not available from the Checkmarx presets list. Note that specifying a Custom Preset overrides any predefined preset.

MS-VSTS Plugin Supported Environments

The Checkmarx MS-VSTS plugin now supports both TFS 2015 and TFS 2017.

MS-VSTS - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for MS-VSTS in the next version (v8.7.0).

WhiteSource Integration

A new version of the CxOSA-WS utility has been added to the WhiteSource integration, allowing you to register with WhiteSource through CxOSA. The latest version of the CxOSA-WS utility can be downloaded from Checkmarx Utilities.

CLI / API

CxCLI Plugin - Authentication

Token-based authentication and login has been introduced into the latest version of the CxSAST/CxOSA CLI plugin (v8.60.0 and up).

CxCLI Plugin - Configuration

By default the CxSAST scan runs in synchronous mode (Scan): the CLI initiates the scan task, waits for it, and the scan results can be viewed in the CLI and in the log file it creates. Asynchronous mode (AsyncScan) was introduced in the previous version of the CxSAST/CxOSA CLI plugin: the scan task ends as soon as the scan request reaches the scan queue, so the results can only be viewed in the CxSAST web application. Note that a build using AsyncScan cannot fail on scan results, since the CLI returns before the scan runs. This was added at the end of v8.50.0.

CxCLI Plugin - Configuration

CLI exit/error codes were introduced in the previous version of the CxSAST/CxOSA CLI plugin. These codes help in identifying and troubleshooting issues. This was added at the end of v8.50.0.
CxCLI Plugin - Configuration

Two new parameters have been added to the CxSAST/CxOSA CLI plugin for v8.60.0, enabling the following functionality:

  • -OsaArchiveToExtract <files list> - Comma separated list of file extensions to extract in the OSA scan. For example: -OsaArchiveToExtract *.zip extracts only files with .zip extension (Optional).
  • -OsaScanDepth <OSA analysis unzip depth> - Extraction depth of files to include in the OSA scan (Optional)

CxCLI - Plugin CxOSA Reports

CxOSA HTML and PDF reports will no longer be supported for CxCLI in the next version (v8.7.0).
CxARM-API - CxSAST

A new Risk Management API is now available. The API is based on OData and provides the ability to query the SAST and OSA findings, allowing you to analyze the security status of the projects in the organization. OData allows you to aggregate, filter, count and group all the available data.

CxREST API - Versioning

Versioning has been introduced into the latest version of the CxREST API. CxSAST is installed with the latest version of the CxREST API (i.e. v=1.0). To use other versions of the CxREST API you need to specify the desired version on each API call.

Note that a call that does not specify a version is served by whatever version is latest on the server, so a CxSAST upgrade can change its behaviour and break your script/code. Pin the version explicitly in every call.

CxREST API - Authentication

Token-based authentication / login (OAuth 2.0) has been added to the latest version of the CxREST API.
CxREST API - General

New functionality for the General API set has been added to latest CxREST API library:

  • Get All Project Details - GET /projects
  • Create Project with Default Configuration - POST /projects
  • Get All Teams - GET /auth/teams
  • Get Project Details by Id - GET /projects/{projectId}
  • Get Report(s) by Id - GET /reports/sastScan/{reportId}
  • Get Report Status by Id - GET /reports/sastScan/{reportId}/status
  • Register Scan Report - POST /reports/sastScan
  • Upload Source Code Zip File - POST /projects/{projectId}/sourceCode/attachments
  • Set Remote Source Setting to GIT - POST /projects/{projectId}/sourceCode/remoteSettings/git
  • Set Remote Source Setting to TFS - POST /projects/{projectId}/sourceCode/remoteSettings/tfs
  • Set Remote Source Setting to Shared - POST /projects/{projectId}/sourceCode/remoteSettings/shared
  • Set Remote Source Setting to Perforce - POST /projects/{projectId}/sourceCode/remoteSettings/perforce
  • Set Remote Source Setting to GIT using SSH - POST /projects/{projectId}/sourceCode/remoteSettings/git/ssh
  • Set Remote Source Setting to SVN using SSH - POST /projects/{projectId}/sourceCode/remoteSettings/svn/ssh
CxREST API - CxOSA

New functionality for the CxOSA API set has been added to latest CxREST API library:

  • Get All OSA File Extensions - GET /osa/fileextensions (v8.6.0 and up)
  • Get OSA Licenses by Id - GET /osa/licenses (v8.6.0 and up)
CxREST API - CxSAST

New functionality for the Engine Auto Scaling API set has been added to latest CxREST API library:

  • Get Engine Details - GET /sast/engineServers/{id} (v8.6.0 and up)
  • Get All Scan Details in Queue (8.6.0 and up)
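Putting the token-based login, the per-call versioning and the engine-server endpoint together: the Python below is an added example, not Checkmarx code. It assumes the OAuth 2.0 token endpoint is /cxrestapi/auth/identity/connect/token and that the password grant takes the client_id, client_secret and scope fields shown; verify those values against your server's API documentation. The engine-server JSON fields (isAlive, isBlocked, status.value, minLoc, maxLoc) are constructed here to mirror what the Engine Server Management screen displays and may differ from your version's response. Requests are only sent by fetch_json, which needs network access; everything else runs offline.

```python
"""CxREST API helpers: OAuth 2.0 token, pinned API version, engine status.

Added example, not Checkmarx code. The token endpoint and password-grant
fields are assumptions to verify against your server's documentation; the
engine-server JSON shape is constructed for this example.
"""
import json
import urllib.parse
import urllib.request

API_VERSION = "1.0"  # pinned on purpose: an unversioned call is served "latest"


def build_token_request(base_url, username, password,
                        client_id="resource_owner_client",
                        client_secret="014DF517-39D1-4453-B7B3-9930C563627C",
                        scope="sast_rest_api"):
    """OAuth 2.0 resource-owner password grant (assumed endpoint and fields)."""
    form = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "grant_type": "password",
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/cxrestapi/auth/identity/connect/token",
        data=form,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def build_api_request(base_url, path, token, version=API_VERSION,
                      method="GET", body=None):
    """Build a CxREST call with the API version pinned in the Accept header."""
    headers = {
        "Accept": f"application/json;v={version}",
        "Authorization": f"Bearer {token}",
    }
    data = None
    if body is not None:
        headers["Content-Type"] = f"application/json;v={version}"
        data = json.dumps(body).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/cxrestapi/{path.lstrip('/')}",
        data=data, method=method, headers=headers,
    )


def fetch_json(req):
    """Send a prepared request and decode the JSON body (network access)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_engine_servers(servers):
    """Collapse a GET /sast/engineServers list into the counts the UI shows."""
    summary = {"total": len(servers), "active": 0, "offline": 0,
               "blocked": 0, "by_status": {}}
    for s in servers:
        summary["active" if s.get("isAlive") else "offline"] += 1
        if s.get("isBlocked"):
            summary["blocked"] += 1
        status = (s.get("status") or {}).get("value", "Unknown")
        summary["by_status"][status] = summary["by_status"].get(status, 0) + 1
    return summary


# Constructed sample of the engine list (field names are an assumption).
SAMPLE_ENGINES = [
    {"id": 1, "name": "Localhost", "isAlive": True, "isBlocked": False,
     "minLoc": 0, "maxLoc": 999999999, "status": {"id": 1, "value": "Idle"},
     "uri": "http://localhost/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc"},
    {"id": 2, "name": "engine-02", "isAlive": True, "isBlocked": True,
     "minLoc": 0, "maxLoc": 500000, "status": {"id": 3, "value": "Scanning"},
     "uri": "http://10.0.0.12/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc"},
    {"id": 3, "name": "engine-03", "isAlive": False, "isBlocked": False,
     "minLoc": 0, "maxLoc": 500000, "status": {"id": 2, "value": "Offline"},
     "uri": "http://10.0.0.13/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc"},
]


if __name__ == "__main__":
    # Offline demo on the constructed sample. Against a live server:
    #   token = fetch_json(build_token_request(url, user, pw))["access_token"]
    #   servers = fetch_json(build_api_request(url, "/sast/engineServers", token))
    print(summarize_engine_servers(SAMPLE_ENGINES))
```

The bearer token is a credential: keep it out of logs and build output, and re-request it when the server reports it expired rather than caching it across jobs. Keeping the version in one constant means a deliberate bump to a newer API is a one-line change, and an accidental "latest" can never happen.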
CxREST API - CxSAST

New functionality for the CxSAST API set has been added to latest CxREST API library:

  • Get All Preset Details - GET /sast/presets
  • Get SAST Scan Details - GET /sast/scans/{id}
  • Get Preset Details - GET /sast/presets/{presetId}
  • Get All Engine Configurations - GET /sast/engineConfigurations
  • Get Scan Settings - GET /sast/scanSettings/{projectId}
  • Get Engine Configuration - GET /sast/engineConfigurations/{id}
  • Create New Scan – POST /sast/scans
  • Define SAST Scan Settings - POST /sast/scanSettings

Engine

Application Security

  • New queries for mobile security (Android and iOS)
  • More than 100 query bug fixes arising from AppSec research
  • New preset for OWASP Top 10 2017

Languages/Frameworks

  • TypeScript native support
  • Angular 4 support on top of TypeScript (compatible with Angular 2.x and up)
  • .NET Core 1.1
  • Google Guice support (dependency injection framework for Java)

General

  • Ability to resolve pointers and aliasing for object-oriented languages
  • The engine log now contains extended details regarding the languages detected in the scan

Resolved Issues

Scan Improvements

Major advances in the engine provide a significant reduction in false positives and false negatives across all supported languages.

Known Limitations

Setup and Configuration

The SQL Express 2008 installation included in CxSAST is not supported by Windows 2016.

In this case you will need to install a newer version of SQL Express separately before launching the CxSAST installation.
Setup and Configuration

CxSAST does not work when FIPS mode is enabled on Windows Server 2016.
Scanning Source Code with Long Paths

v8.6.0 introduced support for scanning source code with long paths; however, source ZIP files that contain files with long paths are not yet supported. Examples:
  • "C:\temp\...<path longer than 260 characters>…\SourceCode.zip" will be scanned
  • "C:\SourceCode.zip" that contains files with long paths: those files will not be scanned
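A practical check for this limitation: before uploading a ZIP, list the members whose path would exceed MAX_PATH once extracted on the engine, since those files are skipped rather than scanned and a clean result may therefore be incomplete. The following Python is an added example, not Checkmarx code. The extraction root (C:\CxSrc\12345) and the 260-character limit are assumptions; set the root to the source folder your engine actually uses. The sample archive is constructed inline.

```python
"""Flag ZIP members that would exceed MAX_PATH once extracted on the engine.

Added example, not Checkmarx code. The extraction root and the 260-character
limit are assumptions; adjust them to the engine's actual source folder.
"""
import io
import zipfile

MAX_PATH = 260  # classic Windows limit, counted including the terminating NUL


def extracted_length(root, member):
    """Length of <root>\\<member> after the ZIP's '/' separators become '\\'."""
    return len(root.rstrip("\\")) + 1 + len(member.replace("/", "\\"))


def find_long_paths(zip_bytes, root=r"C:\CxSrc\12345", limit=MAX_PATH):
    """Return [(member, extracted length)] for files that would hit the limit.

    A path of exactly `limit` characters already fails under the classic
    limit because MAX_PATH includes the terminator, hence '>='.
    """
    offenders = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            length = extracted_length(root, info.filename)
            if length >= limit:
                offenders.append((info.filename, length))
    return offenders


def build_sample_zip():
    """Constructed archive: one short path and one deeply nested path."""
    deep = "/".join(["nested_directory_level"] * 12) + "/DeepFile.java"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/Main.java", "class Main {}")
        zf.writestr(deep, "class DeepFile {}")
    return buf.getvalue()


if __name__ == "__main__":
    for member, length in find_long_paths(build_sample_zip()):
        print(f"would not be scanned ({length} chars): {member}")
```

For a real archive pass the bytes of the file (for example the result of reading it with open(path, "rb")). Note that the first example above, a ZIP that itself sits at a long path, is not what this check is for; only the paths inside the archive matter. If the check reports members, either shorten the directory layout before zipping or re-root the archive so the offending files sit closer to the top.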
CxOSA - Plugin Support

Only OSA plugins v8.5.0 and above are supported with CxSAST 8.6.0. OSA plugins 8.4.2 and lower are not supported.

IDE Plugins - Eclipse

From CxSAST Eclipse plugin v8.6.0 and up, Eclipse 4.5.1 or lower is no longer supported (only 4.6 and up).

IDE Plugins - Eclipse

Checkmarx credentials are not saved after configuring the CxSAST Eclipse plugin. You need to reconfigure the plugin every time Eclipse restarts.

TFS 2015 Environment

Due to a Microsoft-confirmed issue in TFS 2015, if you do not use an HTTP proxy you must still fill in the proxy field with a string. The suggested string is the word noproxy.

FIPS/SAML

FIPS configuration does not work with SAML-based external services.

