8.6.0 Release Updates
New Features and Changes
Application
Category | Features |
---|---|
Setup and Configuration | A new Checkmarx License Agreement (EULA) screen has been implemented in the latest version of the CxSAST installation and setup wizard in order to allow the user to accept or decline the terms of the Checkmarx License Agreement. For silent installation, via the CxSAST CLI, the option to install CxSAST without the need to accept the license terms is still available. |
Setup and Configuration | Long Path Support has been added to CxSAST. Older versions of the Windows operating system did not support paths or filenames longer than 260 characters; Windows 10 and Windows Server 2016 introduced provision for this. The following should be performed in order for Long Path Support to be enabled and fully supported in CxSAST: In order to use the Long Path Support feature, all Checkmarx components (CxEngines, CxPortal and CxAudit) must be Long Path Support enabled. |
Integration - GIT | The Git/GitHub authentication methodology has been improved in this new version of CxSAST. The user is now able to use one of the following authentication methods for configuration with Git: |
Profile - Account Information | The default administration email defined during installation/upgrade has been changed from admin@cx to admin@cx.com. This email is displayed on the Account Information panel in the My Profile screen (My Profile > Account Information) and now conforms to our Codebashing email standards. |
Management - Application Settings | The Engine Server panel has been removed from the Installation Information screen (Management > Application Settings > Installation Information). This panel has been replaced with the new Engine Management feature (see Engine Management). |
Management - Application Settings | A new feature (Engine Server Management) has been added to CxSAST. The Engine Server Management feature is installed as part of the CxSAST installation and provides an interface for viewing real-time engine server status information, together with direct (single) action options. The Engine Server panel has been removed from the Installation Information screen (Management > Application Settings > Installation Information) to accommodate this new feature. |
Management - Connection Settings | The CxSAST user now has the capability to save the LDAP settings in the LDAP Server Settings screen (Management > Connection Settings > LDAP Servers) without having to perform and validate the connection test first. Validating the connection can now be performed at a later stage. The Test Connection button has also been moved from its previous location, at the top of the LDAP Servers screen, to the bottom of the LDAP Server Settings panel. |
Management - Scan Settings | A new preset (OWASP Top 10 2017) has been added to the predefined presets list in the Preset Manager (Management > Scan Settings > Preset Manager). This new preset further enhances the already extensive Checkmarx preset library with regard to OWASP compliance. |
Management - Application Settings | The External Services screen (Management > Application Settings > External Services Settings) has been updated in coordination with the implementation of Codebashing into CxSAST. This was added at the end of 8.5.0. The enable non-anonymous data collection (email hashing) option has also been removed from the UI, as well as the enablement procedure. |
Open Viewer - Scan Results | A new results filtering option (OWASP Top 10 2017) has been added to the Scan Results Severity filter in the Open Code Viewer for CxSAST (Dashboard > Project State > Open Viewer > Scan Results Severity). |
Report Generator | A new category (OWASP Top 10 2017) has been added to the Report Generator (Dashboard > Project State > Create Report > Categories). |
CxAudit
Category | Features |
---|---|
Setup and Configuration | A new Checkmarx License Agreement (EULA) screen has been implemented in the latest version of the CxAudit installation and setup wizard in order to allow the user to accept or decline the terms of the Checkmarx License Agreement. |
Audit Workspace | The folders in the Workspace View in CxAudit are now presented in a hierarchical tree structure (like in Windows Explorer). This makes it easier to navigate and find scanned project files. The configuration key is CXAUDIT_TREE_VIEW_FLAT and its default is false (new hierarchical tree structure). Setting it to true restores the regular flat TreeView structure. |
Authorization - Creating New Queries | Users without the Server Manager role can now create new queries and add them to presets. |
CxQL Query Language | New "findInScope" method |
CxQL Query Language | Updated CxXPath methods |
CxQL Query Language | Updated Abstract Interpretation methods |
CxQL Query Language | API updates: |
Integration & Plugins
Category | Features |
---|---|
IDE Support - Logs | All Checkmarx IDE plugins now add their own version into the log\console using the following syntax: $<plugin name> Plugin Version: $<version>. |
Maven - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for Maven in the next version (v8.7.0) |
Jenkins - Plugin Support | The Checkmarx Jenkins plugin now supports Jenkins 2.91 |
Jenkins - Plugin Global and Scan Configuration | A new drop-down selection method (Credentials) has been added to the CxSAST Global Configuration and Scan Settings screen in the CxSAST Jenkins plugin. This method is now mandatory for users that already have Jenkins credentials, as defined in Jenkins, and would like to use the same credentials with the CxSAST Jenkins plugin. The old method may still work for existing jobs. |
Jenkins - Plugin Scan Configuration | A new drop-down selection option (Fail the build for new issues of the following severity or higher) has been added to the CxSAST Scan Configuration screen in the CxSAST Jenkins plugin. This new option enables the user to fail the build according to the defined severity (or higher). This option works in addition to the regular thresholds (e.g. if "x" total high issues were found OR at least 1 new issue, fail the build). This option is only available if the "Enable vulnerability threshold" parameter is enabled. |
Jenkins - Plugin Scan Results | The scan results in the Checkmarx Jenkins plugin (CxSAST Summary) have been updated to include new and recurrent scan issues. The status of a vulnerability is recurrent if it was already discovered in a previous scan. The status of a vulnerability is new if it was discovered for the first time, or if it was re-opened after being resolved in a previous scan. |
Jenkins - Plugin Scan Results | The scan results in Checkmarx Jenkins plugin have been updated in accordance with running a scan in asynchronous mode. A full report has now been added to the Jenkins job for asynchronous scans. The following note has been added for cases where the full report may not be displayed; "Job is configured to run the Checkmarx scan asynchronously. This specific build's scan result cannot be displayed in this mode. Any results displayed are from the previous successful scan" |
Jenkins - Plugin Scan Results | The Checkmarx Last Scan Results link and the related scan report have been removed from the CxSAST Jenkins plugin main dashboard. All related scan results are now provided from the CxSAST Summary. |
Jenkins - Plugin CxOSA Scan | The Checkmarx Jenkins plugin now creates CxOSA scans by sending SHA1 hashes instead of binaries. |
Jenkins - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for Jenkins in the next version (v8.7.0) |
Bamboo - Plugin Global Configuration | A new setting parameter (Deny new Checkmarx project creation) has been added to the Global Configuration screen in Bamboo. Enabling this option will prohibit the creation of new projects in Checkmarx, or assigning an existing project to a different team. Disabling this option allows these actions. |
Bamboo - Plugin CxOSA Scan | The Checkmarx Bamboo plugin now creates CxOSA scans by sending SHA1 hashes instead of binaries. |
Bamboo - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for Bamboo in the next version (v8.7.0) |
TeamCity - Plugin Scan Results | The Failure result in the TeamCity results summary has been expanded in order to display more information about the actual failure. |
TeamCity - Plugin Scan Results | Build failure is now written to the log. |
TeamCity - Plugin CxOSA Scan | The Checkmarx TeamCity plugin now creates CxOSA scans by sending SHA1 hashes instead of binaries. |
TeamCity - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for TeamCity in the next version (v8.7.0) |
SonarQube - Plugin Support | The Checkmarx SonarQube plugin now supports SonarQube 6.7 (LTS) |
SonarQube - Plugin Apex Support | The Checkmarx SonarQube plugin now supports the Apex coding language. |
SonarQube - Plugin Presets | The Checkmarx SonarQube plugin now supports the automatic creation of Checkmarx quality profiles (CxSAST presets). A user who installs a language plugin for SonarQube will now have an automatically created quality profile for CxSAST code scanning. Each quality profile created contains all relevant rules for that language. |
SonarQube - Plugin Scan Results | The Checkmarx SonarQube plugin report UI has been updated to correspond with the design and layout of other CxSAST plugins. |
SonarQube Plugin - Rules and Presets | Rules & Presets for the SonarQube plugin have been upgraded according to the latest CxSAST engine. |
MS-VSTS Plugin - CxOSA Scan | The Checkmarx MS-VSTS plugin has been upgraded in order to support the following: |
MS-VSTS Plugin - CxOSA Scan | The Checkmarx MS-VSTS plugin now creates CxOSA scans by sending SHA1 hashes instead of binaries. |
MS-VSTS - Plugin Presets | The Checkmarx MS-VSTS plugin has been upgraded in order to support 'Custom Presets'. Custom presets are provided in cases where the desired preset is not available from the Checkmarx presets list. Note that specifying a Custom Preset will override any predefined presets. |
MS-VSTS Plugin Supported Environments | The Checkmarx MS-VSTS plugin now supports both TFS 2015 and TFS 2017. |
MS-VSTS - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for MS-VSTS in the next version (v8.7.0) |
WhiteSource Integration | A new version of the CxOSA-WS utility has been added to WhiteSource integration allowing you to easily register to WhiteSource through CxOSA. You can download the latest version of the CxOSA-WS utility from Checkmarx Utilities. |
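The Jenkins plugin rows above describe two rules that interact: a finding is "recurrent" if it was already present in the previous scan and "new" otherwise (re-opened findings count as new), and the build fails if the regular high-severity threshold is hit OR at least one new finding is at or above the configured severity, the second rule applying only when "Enable vulnerability threshold" is on. The following is an added example written for this page, not code from the Checkmarx plugin; finding identity (query name plus location), the severity ranks and the sample scan results are constructed assumptions.

```python
"""Model of the CxSAST Jenkins plugin's new/recurrent status and build-failure
rules, as described in the 8.6.0 release notes (added example, not plugin code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed severity ordering for "severity or higher" comparisons.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    query: str      # vulnerability query name, e.g. "SQL_Injection"
    location: str   # "file:line"; together with query used as identity (assumption)
    severity: str   # "Low" | "Medium" | "High"


def classify(current: Iterable[Finding], previous: Iterable[Finding]) -> Dict[Finding, str]:
    """Label each current finding 'recurrent' if the same query+location was
    present in the previous scan, else 'new'. A finding resolved earlier and
    re-opened is absent from the previous result set, so it comes out 'new',
    matching the behaviour the release notes describe."""
    seen = {(f.query, f.location) for f in previous}
    return {f: ("recurrent" if (f.query, f.location) in seen else "new") for f in current}


def should_fail(current: List[Finding], previous: List[Finding], *,
                threshold_enabled: bool,
                high_threshold: Optional[int] = None,
                new_severity: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Return (fail, reasons). Rules are OR-ed: total High count reaching the
    threshold, OR any new finding at/above new_severity. Both rules are ignored
    when the vulnerability threshold feature is disabled (assumption for the
    High-count rule; stated in the notes for the new-severity rule)."""
    reasons: List[str] = []
    if not threshold_enabled:
        return False, reasons

    if high_threshold is not None:
        total_high = sum(1 for f in current if f.severity == "High")
        if total_high >= high_threshold:
            reasons.append(f"{total_high} High findings >= threshold {high_threshold}")

    if new_severity is not None:
        status = classify(current, previous)
        min_rank = SEVERITY_RANK[new_severity]
        new_hits = [f for f, s in status.items()
                    if s == "new" and SEVERITY_RANK[f.severity] >= min_rank]
        if new_hits:
            reasons.append(f"{len(new_hits)} new finding(s) of severity {new_severity} or higher")

    return bool(reasons), reasons


# Constructed sample data: previous scan vs. current scan.
PREVIOUS = [
    Finding("SQL_Injection", "Dao.java:42", "High"),
    Finding("Reflected_XSS", "View.java:17", "Medium"),
]
CURRENT = [
    Finding("SQL_Injection", "Dao.java:42", "High"),      # recurrent
    Finding("Reflected_XSS", "View.java:17", "Medium"),   # recurrent
    Finding("Path_Traversal", "Files.java:9", "Medium"),  # new
]


def summarize(current: List[Finding], previous: List[Finding]) -> Dict[str, int]:
    """Counts of new vs. recurrent findings, as the CxSAST Summary shows them."""
    counts = {"new": 0, "recurrent": 0}
    for s in classify(current, previous).values():
        counts[s] += 1
    return counts


if __name__ == "__main__":
    print(summarize(CURRENT, PREVIOUS))
    print(should_fail(CURRENT, PREVIOUS, threshold_enabled=True,
                      high_threshold=5, new_severity="Medium"))
```

With the sample data, a High-only new-severity rule does not fail the build (the only new finding is Medium), while setting the rule to Medium does; a high-threshold of 1 fails it on the recurrent SQL injection alone, and disabling the vulnerability threshold switches both rules off regardless of findings.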
CLI / API
Category | Features |
---|---|
CxCLI Plugin - Authentication | A token-based authentication and login method has been introduced into the latest version of the CxSAST/CxOSA CLI plugin (v8.60.0 and up). |
CxCLI Plugin - Configuration | The CxSAST scan is, by default, run in synchronous mode (Scan). This means that the CLI initiates the scan task and the scan results can be viewed in the CLI and in the log file created. Asynchronous mode was introduced into the last version of the CxSAST/CxOSA CLI plugin. In asynchronous mode (AsyncScan), the scan task ends when the scan request reaches the scan queue, as a result the scan results can only be viewed via the CxSAST web application. This was added at the end of v8.50.0 |
CxCLI Plugin - Configuration | CLI Exit/Error code were introduced into the last version of the CxSAST/CxOSA CLI plugin. These codes help in identifying and troubleshooting issues. This was added at the end of v8.50.0 |
CxCLI Plugin - Configuration | Two new parameters have been added to the CxSAST/CxOSA CLI plugin for v8.60.0, enabling the following functionality: |
CxCLI - Plugin CxOSA Reports | CxOSA HTML and PDF reports will no longer be supported for CxCLI in the next version (v8.7.0) |
CxARM-API - CxSAST | A new Risk Management API is now available. The API is based on OData and provides the ability to query the SAST and OSA findings, allowing you to analyze the security status of the projects in the organization. OData allows you to aggregate, filter, count and group all the available data. |
CxREST API - Versioning | Versioning has been introduced into the latest version of the CxREST API. CxSAST is installed with the latest version of the CxREST API (i.e. v=1.0). In order to use other versions of the CxREST API you will need to specify the desired version for each API call. Note that not specifying the version will automatically apply the latest version and may cause your script/code to break. |
CxREST API - Authentication | Token-based authentication / login (OAuth 2.0) functionality has been added to the latest version of the CxREST API. |
CxREST API - General | New functionality for the General API set has been added to the latest CxREST API library: |
CxREST API - CxOSA | New functionality for the CxOSA API set has been added to the latest CxREST API library: |
CxREST API - CxSAST | New functionality for the Engine Auto Scaling API set has been added to the latest CxREST API library: |
CxREST API - CxSAST | New functionality for the CxSAST API set has been added to the latest CxREST API library: |
Engine
Category | Features |
---|---|
Application Security | New queries for mobile security (Android and iOS) |
Application Security | More than 100 query bug fixes related to AppSec research |
Application Security | New preset for OWASP Top 10 2017 |
Languages/Frameworks | TypeScript native support |
Languages/Frameworks | Angular 4 support on top of TypeScript, compatible with Angular 2.x and up |
Languages/Frameworks | .NET Core 1.1 |
Languages/Frameworks | Google Guice support (dependency injection framework for Java) |
General | Ability to resolve pointers and aliasing for object-oriented languages |
General | The engine log now contains extended details regarding languages detected in the scan |
Resolved Issues
Category | Resolved Issues |
---|---|
Scan Improvements | Major advances in the engine providing significant reduction in false positives and false negatives across all supported languages. |
Known Limitations
Category | Known Limitations |
---|---|
Setup and Configuration | The SQL Express 2008 installation included in CxSAST is not supported by Windows 2016. In this case you will need to install a newer version of SQL Express separately before launching the CxSAST installation. |
Setup and Configuration | CxSAST does not work when FIPS is enabled on Windows Server 2016. |
Scanning Source Code with Long Paths | v8.6.0 introduced support for scanning source code with long paths; however, source ZIP files that include files with long paths are currently not supported. Examples: |
CxOSA - Plugin Support | Only OSA plugins (v8.5.0 and above) will be supported in the 8.6.0 version of CxSAST. OSA Plugins (8.4.2 and lower) will not be supported. |
IDE Plugins - Eclipse | From CxSAST Eclipse plugin v8.6.0 and up, Eclipse 4.5.1 or lower are no longer supported (only 4.6 and up). |
IDE Plugins - Eclipse | Checkmarx credentials are not saved after CxSAST Eclipse plugin configuration. You need to reconfigure the plugin every time Eclipse restarts. |
TFS 2015 Environment | Due to a Microsoft-confirmed issue in TFS 2015, even if you do not use an HTTP proxy you must still fill in the proxy field with a string. The suggested string is the word noproxy. |
FIPS/SAML | FIPS configuration does not work with SAML based external services. |
The release update is also available for download here - PDF