9.3.0 Hotfixes

Installation Notes

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
  • The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
  • To upgrade a Linux engine, please download the Linux Docker engine and follow these instructions to install it.

  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes

Category | Resolved Issues
HF20 | Fixed all known log4j vulnerabilities for Management and Orchestration (M&O) by updating Log4J to version 2.17.1.

Fixed an issue in Access Control (AC) that caused a network error when upgrading SAST 9.3GA with Hotfix (HF) 19 to SAST 9.4.

Fixed an issue that caused inconsistent behavior with the Download System Logs management in HA (high availability) environments. The issue occurred when using non-default log locations. 

For security fixes, click this link for additional information.
Category | Resolved Issues

Fixed an error which caused a REST API GET request for a nonexistent projectName and teamId to return an HTTP 200 OK Success response with an empty body, instead of an HTTP 404 - Not found response.

Fixed an error which caused REST API GET Projects requests to be case sensitive, causing API requests to fail. Now the API GET Projects requests are case insensitive.

Fixed a number of issues in Access Control that were related to User Creation.

Fixed the Result Viewer page so that all instances of a selected word are highlighted in the code.

The items in the displayed Projects State page can now be sorted independently of the entire list of Projects State items.

Fixed the “Group By” option in the Results Viewer so that it works for all columns.

Fixed an error in the result service log while calculating the Best Fix Location.

Fixed an issue that caused SOAP API GetProjectsDisplayData requests to fail when users were not assigned to a team.

Fixed an issue in a particular incremental scan which caused a failure in the Results Service (indicated by a ResultsSavingStatus error in the log) preventing the completion of the scan.

The Tomcat version has been upgraded to Apache Tomcat version 8.5.72.

Fixed a bug where in an extreme edge case it was possible, using Swagger, to create duplicated teams with the same exact full name and same path.

Fixed an issue that occurred in the Excel file created when exporting the list of users from Access Control. The file only contained the Team and Role IDs, but not the user names.
Category | Resolved Issues

Fixed an issue that caused the scanning to fail and the client-log.log to record the following error message: "System.ArgumentException: An item with the same key has already been added." 

Fixed an issue so that now a Docker image can be deployed on Linux without root privileges.

Added an option for changing the time zone in the Docker image on Linux.

The default AWS Docker ulimits value has been increased to allow the CxSAST engine to work properly.

Fixed an issue that caused the scanning to fail when using an AbsInt component.

The nullish coalescing operator (??) is now supported when scanning JavaScript.


Category | Resolved Issues

The XML report has been enhanced with additional information regarding the ‘Queries Details’ and ‘Source Code’.

Queries Details now contains:

  • Risk: What might happen?
  • Cause: How does it happen?
  • General Recommendations: How to avoid it?
  • Source Code Examples.

Source Code now contains:

  • Num of LOCs (number of lines of code): Before and after the vulnerable line.
  • Method Scope: Brings the entire method of the vulnerable line.
  • File: Brings the entire file that has the vulnerable line.

For these new features, configuration keys were added to the CxComponentConfiguration table in the CxSAST database.

  • To activate the Queries Details feature, set the AddQueryMetaDataToXmlReport configuration key to “true”. 
  • To activate the Source Code feature, set the XmlReportSourceLinesRange configuration key to a number larger than 0.


Category | Resolved Issues

Fixed an issue which prevented the name of the plugin, which triggered the scan, from being displayed in the ORIGIN column on the Scans page.

Fixed an error which prevented the results of full and incremental scans from merging together.

Fixed an issue which prevented downloading logs from the WebPortal when the location of the logs was changed from the default log location.

Fixed an issue which prevented the code contained in files with long path names from being displayed in the Results Viewer.

Fixed an issue where team-level query overrides are sometimes saved under incorrect teams.

Fixed an issue on the Projects page of the WebPortal which prevented items from being displayed in the "Shared Libraries" textbox in the OSA (Open Source Analysis) tab.

Fixed an issue which prevented the Post Scan Action from creating reports when the system was configured for LDAP environments.

Improved the Incremental scan flows mechanism so that the various possible incremental scan results are more consistent with the full scan results.

Fixed an issue which sporadically caused empty scan reports to be generated.

Fixed an issue which occurred when scanning zip files containing more than 65535 files.

Improved the Incremental scan flows mechanism so that incremental scan results are more consistent with the full scan results.

Improved the stability of the incremental scan process where several incremental scans are being triggered in parallel.

For security fixes, click this link for additional information.


Category | Resolved Issues

Fixed an issue that occurred when scanning C# files, which involved the GetHoldByText method call, that prevented the scan flow and definition from being located and displayed.

Fixed an issue which resulted in the loss of the entire scan because of a single file timeout.

Fixed an issue that occurred when scanning JavaScript files, which caused the parsing process to time out, leading to the loss of many scan results.

Fixed an exception in the logs caused by a System.FormatException in the AST2DOM stage.

Improved the scan flow for supporting additional use cases.


Category | Resolved Issues

Users moving to cloud hosted environments, without direct access to the CxSAST database, can now obtain information about project branching and deletion using CxSAST REST API calls.

The following additions are related to project branches:

  • The IS_BRANCHED attribute, for indicating if the project was branched from another project (the source/original project).
  • The ORIGINAL_PROJECT_ID attribute, with information about the source/original project. If IS_BRANCHED = False, the value for ORIGINAL_PROJECT_ID is NULL.
  • The BRANCHED_ON_SCAN_ID attribute, with information about the scan ID of the source project. If IS_BRANCHED = False, the value for BRANCHED_ON_SCAN_ID is NULL.
  • A list of related target projects, if the source/original project is the source of multiple branched projects.

The following additions are related to deleted projects:

  • The isDeprecated attribute enables the CxSAST REST API to retrieve deleted projects.
  • In the response body, the new "isDeprecated" field indicates if the project is deleted or not, where True means it is deleted and False means it is still active.

Fixed an issue in the LDAP Settings section of Access Control that prevented users from scrolling through the "Cx Role - LDAP Group DN" mapping entries list in the Advanced Role Mapping window.

To enable users to add single LDAP role mappings to existing sets of LDAP role mappings, a PATCH method was added to the LDAPRoleMappings Access Control REST API.

Fixed a comma-separated string issue that affected the Okta SAML (Security Assertion Markup Language) integration with Access Control. The issue prevented the IdP (Identity Providers) Authorization and Team Attribute Mapping feature from assigning users to multiple teams. Now it is possible to specify multiple team names, using comma separators, so that new users are automatically associated with multiple teams.


Category | Resolved Issues

Fixed an issue that occurred when parsing PHP language code. Text with HTML tags containing single quote marks prevented the retrieval of the DOM (Document Object Model), which in turn caused the scan to fail.

Fixed an issue that caused some characters, which were typed by users into the scan comments, to be replaced by HTML encoded characters. In some cases, the HTML characters caused the Results Viewer page to lock.

Fixed an issue in Access Control that limited the User Manager to granting new users only the User Manager role. Now the User Manager can grant new users one or more of the CxSAST roles that exist in the system, except for the Admin and Access Control Manager roles.

Fixed an issue in the Results Viewer which prevented the total number of active results from being immediately updated after some results are marked as "Not Exploitable".

Fixed an issue that caused a discrepancy between the CxEngine logs and the user interface (UI) status. The logs indicated that the scanning was completed, but the UI status indicated that the scanning was still in progress. The result was that the CxManager aborted the scan and the scan results were not saved.

Fixed an issue that caused the CxEngine service to respond abnormally slowly to system status API requests.

Scan results can be marked to indicate one of the following result states: “To Verify”, “Not Exploitable”, “Confirmed”, “Urgent” or “Proposed Not Exploitable”. In addition, custom result states can also be defined by the user. Previously, users only required permissions for marking scans as "Not Exploitable". Now dedicated permissions are required for each result state, including the user-defined states.

For more information, see the updated Results Summary section in Navigating Scan Results (v9.3.0 and up), and the updated descriptions for the Results Updater and Results Verifier roles in CxSAST / CxOSA Roles and Permissions (v9.0.0 and up).

For details regarding how to create custom result states, see Adding Custom Result States.


  • This feature does not apply to OSA vulnerabilities. The behavior for OSA remains the same as before installing this Hotfix.
  • If the 'Manage Result State And Assignee' permission was checked before installing this Hotfix, after the Hotfix installation the result states permissions of the new roles will not be checked. 
  • OSA restricted scans cannot be performed. 

  • A new configuration key (AllowChangeExecutablesFolder) has been added to the CxSAST database that determines whether or not the destination folder can be changed. The configuration key can only be accessed by the CxSAST administrator.
  • Security fix, click this link for additional information.


Category | Resolved Issues

Improved the ‘Find_Inputs’ Query to better handle security checks.

Fixed a bug which caused the scan engine to count the lines of code of text files.

Fixed a bug which in some cases caused scans using the multi-language mode to fail.

Fixed false negative SQL_injection results that occurred when scanning code from the MyBatis Java framework.

Fixed a bug which in some cases caused CxAudit to crash while parsing code from the Kotlin language.

Fixed a bug which caused results with single nodes to be ignored.

Improved the ‘APPLICATION_SECURITY’ Query to better handle security checks.

Fixed false positive DOM XSS results that occurred when scanning code from the Angular Web application framework.

Improved the recovery of scans in cases where the scan manager service crashes.

Fixed a bug which caused scans to abort because of security check failures, even though the queries for the security check are not part of the actual scans.

The query security configuration is now updated during installation and upgrading.

Added support for the global memory watchdog on Linux operating systems.

For security fixes, click this link for additional information.


Category | Resolved Issues

Fixed the displayed scan result state in OData to be aligned with the Web Portal UI.

Triggering a new scan from the plugins will no longer require “create project” or “edit project” permissions.

Improved Engine stability when dealing with large scans.

Improved multiple client connections handling.

Improved the queue mechanism to fix an issue which caused some scans to get stuck at 99% completion.

Fixed an issue where CxARM failed to connect to the DB after hotfix installation.


Category | Resolved Issues
HF10 | Fixed an issue that occurred when connecting SAST to the Azure DevOps repository using a PAT (Personal Access Token).

Fixed an issue where some URLs were overwritten during upgrades.

Fixed a problem related to the scan request.

Fixed the post scan action used with LDAP environments.

Improved data synchronization in High Availability (HA) mode.

An error message is now logged when an Incremental Scan fails due to a missing or invalid MethodMapping.zip file in the source file.

Fixed an error which caused some scans to fail.

Tomcat was replaced with Apache Tomcat version 8.5.64.

Made improvements in the Java (MyBatis framework) parser.

Fixed an error that caused some engines to get stuck in idle state while scans were waiting in queue.

Fixed an error message for the post scan action where scanning is performed via a Git repository.

Improved engine performance in the parsing stage.

Improved manager synchronization in High Availability (HA) mode.

Note: After the hotfix installation, CxARM might fail to connect to the DB. To resolve this, copy the contents of db.backup.properties file to the db.properties file and restart CxARM.


Category | Resolved Issues

Some fixes in this Hotfix require CP16 (9.3). For more information, see Content Pack Version - CP. (CSharp, VBNet).

Improved C# queries by fixing flows that did not go through a method declaration.

Several improvements in C# queries for better result accuracy.

Several improvements in Angular queries for better result accuracy.

Added a definition to the ESC function in Java.

An error message is now logged when an Incremental Scan fails due to a missing or invalid MethodMapping.zip file in the source file.  


Category | Resolved Issues

Improvements in JavaScript parsing support.

Improvements in TypeScript parsing support.

Improvements in APEX to support includeScript.

Improvements in APEX when importing components.

Fixed an error in CxAudit that prevented different users from overriding the same query on a project level.

Improvements in C++ support for macros and makefiles.

Fixed an error in the Linux engine to prevent an error when obtaining free space during a scan.


Category | Resolved Issues

Fixed the Japanese translation for "Not Exploitable" and "Propose not exploitable" result states.

Allow customers that use SCA to enable an SCA widget to replace the content of the existing OSA widget, so that it is now possible to display CxSCA scan results in the summary page of CxSAST. For more information, see Displaying CxSCA Scan Results in CxSAST.


Category | Resolved Issues

M&O: Fixed misalignment between the number of projects displayed in the header and the actual number of violated projects on the page.

Fixed an issue that caused the Git connection to fail when the password has special characters.

Fixed an issue that caused scan failure when Git projects are configured via API and UserName contains a '+' (plus sign) character.

Changed settings to allow viewing the number of private scans for projects according to the Teams hierarchy.

Fixed the displayed scan result state when similar scanned projects are deleted.

Changed settings to allow triggering scans for private projects according to the Teams hierarchy.

Changed settings to allow the Admin and regular users to view and scan private projects according to the Teams hierarchy.

Limitation: When an Admin is a member of a Team, the Admin user cannot view and scan the private projects of other members of the Team.
However, the Admin can view and scan the private projects of members of the child teams of that Team.


Category | Resolved Issues

Fixed cases where the Results Service failed to start due to a problematic configuration in the Checkmarx path in the registry.

Fixed issues that prevented closing the Scan Summary page.

Corrected the name displayed for the scan schedule Initiator.

Improved performance of the Scan Manager stop/start actions.

Fixed an issue that prevents data retention from working due to failed scans in the selected date range.

Fixed an issue that prevents the engine scan folder from being deleted.

Fixed cases where the Results Service failed to start due to a missing SQL configuration in the host file.

Fixed an issue that caused the OSA Viewer to fail when M&O is not installed.

Improved the Scanned Languages description on the Scan Summary page when the scan returns zero findings.


Category | Resolved Issues

Several improvements in Perl parsing support.

Improvements in AngularJS for preventing infinite loops during scanning.  

Improvements in Ruby for preventing exceptions when line breaks are applied to object element definitions.

Implemented improvements in the Query Security mechanism.

Improved Apex language recognition in multi-language mode.

Updated CxPortal to comply with PCI DSS version 3.2.1.


Resolved Issues
  • This version introduces new and updated support on the latest versions of Apex, using the latest CxSAST engine technology.

  • To introduce queries changes that work on top of this Hotfix, it is mandatory to install CP 12. For more information about the queries, see Content Pack Version - CP.

  • The new APEX support includes a new flow calculation algorithm. When working with APEX and additional languages in the same project, the accuracy of the results for the additional languages might be slightly affected. To prevent these changes, you can split the projects between APEX and the rest of the languages or disable the new flow algorithm. To learn how to disable the new flow, please contact support.

The following frameworks are now supported:

  • Visualforce Framework

  • Lightning and Lightning Component Framework

  • Metadata Files (XML files)

Updated support for the following frameworks (both created by Salesforce):

  • The Visualforce Framework includes a tag-based markup language, similar to HTML, and a set of server-side “standard controllers” that make basic database operations, such as queries and saves, very simple to perform.

  • The Lightning Component Framework (commonly called Lightning) is a UI framework for developing single page applications.

Additional fixes introduced in this HF:

Engine improvements to prevent unfinished scans when scanning Java projects with several XML files.

Improvements in log information, such as indicating in the scan log when large files, which exceed the maximum limit, are excluded from the scan.

Improvements in VUE.JS parsing support.

Implemented several COBOL improvements and support for MicroFocus extensions.

Several improvements have been made for Swift parsing.

Missing Japanese query descriptions have been added.

Improvements in the query hierarchy mechanism according to the teams.

Memory management improvements in JavaScript.

Improvements to the incremental scans using ActiveMQ to prevent unfinished scans.

Implemented several improvements in the Query Security mechanism.

Improvements in the installer to fix installation directory locations when SAST is installed on a non-default drive.

Added support in ASP and PHP for files with .inc extension.

JavaScript scripts can now be recognized in .ASP files. 

Improvements in C++, allowing the scans to complete successfully. 

XML mapping improvements in MyBatis.

Improvements in type casting handling in VB6.

Improvements in JavaScript for Regex/ReDoS parsing.

Engine Improvements for preventing unfinished scans when matching regular expression patterns.

Added a new capability in CxAudit for easily extracting the source code related to a query. To enable it, please refer to the CxAudit Guide.

Improvements in log files to display the names of the queries that failed in the security check.


Category | Resolved Issues
HF2 | Note: HF2 is the first Hotfix for Version 9.3.0.

Fixed an issue that broke the link to the GIT integration, if the word 'git' was part of the URL. 

Fixed misalignment in scan status in cases where the scan status still indicated “scanning” after the scan had already completed.

Fixed cases of misalignment between Access Control and CxSAST caused by a multiple hierarchy in the Teams tree.

Improved the response time for opening a Projects page containing a large number of projects.

Fixed situations where an Engine scan did not complete successfully but was reflected as “Finished” in the Portal.

Performance improvements for loading large repositories in the CxSAST Portal.

The CxSAST Portal now displays Git branches in all languages.

Added the ability to duplicate a user from the UI.

The Access Control login page now supports logo and background customizations. For details about how to customize the login page, see Customizing the Access Control Web Interface (v2.1 and up).

You can now configure the Global Admin role to exclude the CxAudit permission. For more information, see Access Control Configuration Guide.

The User Manager role is now able to grant roles that it does not have itself. For more information, see Access Control Configuration Guide.

Improved the error message when a SAML user is unable to login due to lack of permissions.

The Access Control API for GET Teams (GET /Teams) now returns a new attribute which is the "CreationDate" for each team:

Passwords entered manually in the connection strings (in the DbConnectionString.config file) were not encrypted.

Security fixes, refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.