8.1.0 Release Updates

New Features and Changes

Application

Category | Features
Dashboard | A new visual indicator has been added to the CxSAST System Dashboard, positioned underneath the Checkmarx logo/version. This indicator shows the expiry date of the current CxSAST license. It appears 90 days (as defined in the DB) before the actual license expiry date, and an email notification is automatically sent to the CxSAST System Administrator.
Dashboard | A navigation link has been added to the Dashboard screen in this version of CxSAST (Dashboard > Project State > Project Name). This link provides direct access to the new Project State Summary screen. An additional navigation link on the Dashboard Risk panel also takes you to the new Project State Summary screen. Projects that have not yet been scanned are now displayed in the Project State window with the "No SAST Scans performed" message.
Project State Summary | A new Project State Summary screen has been added to this version of CxSAST (Dashboard > Project State > Project Name). The Project State Summary screen provides additional information about the status of the project. From it you can run a full SAST scan or an Incremental scan, as well as perform additional actions (i.e. edit project, open scan summary and open viewer).
Project State Summary | The new Project State Summary screen displays the SAST Vulnerabilities Status and the SAST Vulnerabilities Progress Status: a set of graphs showing the status of each vulnerability severity as well as the progress status of each vulnerability severity.
Open Source Analysis (CxOSA) | Checkmarx Open Source Analysis (CxOSA) allows organizations to manage, control and prevent the security risks and legal implications introduced by open source components used as part of the development effort. CxOSA supports all the most common programming languages (Java, .NET, Ruby, Python, C/CPP, JavaScript, PHP, C#, Npm, Scala, Clojure, Groovy, ObjectiveC, Swift and ActiveScript files), enabling organizations to secure their open source components in addition to the analysis coverage already provided for in-house developed code.

Project State Summary | The new Project State Summary screen displays the Open Source Analysis (CxOSA) Status. This provides analysis results for the predefined open source libraries associated with this project. You can also perform a new Open Source Analysis by clicking Run CxOSA. A process indicator is displayed, and you can view the analysis results upon completion.

Project State Summary | To accompany the new Open Source Analysis feature, an additional report has been added to CxSAST. Once the analysis is complete, you can view the analysis results by clicking the View Analysis Results link or by opening the CxOSA tab. The Open Source Analysis report displays all the results of the last analysis. This report can also be generated in PDF format.
Project State Summary | In cases where the Open Source Analysis license has not yet been enabled for CxSAST, a "CxOSA license is not enabled" message is displayed. For those interested in the new Open Source Analysis feature, a linked option to view a sample of a generated Open Source Analysis report is available. Once open, this report also contains a link to the Open Source Analysis web page (https://www.checkmarx.com/Open-Source-Analysis) on the Checkmarx website.
Project State Summary | The Open Source Analysis report can also be generated in PDF format by clicking the Download PDF button. It is highly recommended that you generate the PDF version straight after creating the Open Source Analysis report in order to ensure accuracy and consistency.
Projects & Scans | A new tab (CxOSA) has been added to the Edit Project panel (Projects & Scans > Projects > CxOSA). This tab provides the option to define the location path of the project's open source libraries so that CxSAST can initiate the analysis. This is similar to the Shared folder on the Location tab used for creating and configuring CxSAST projects.
Management | A new status indicator (CxOSA License) has been added to the General panel in the License Details screen (Management > Application Settings > License Information). This indicator specifies the status of the Open Source Analysis license, which can be enabled, disabled or conditional with an expiration date.
Management | LDAP Server registration and authentication now supports paged results. This allows the requested search results to be split into pages of a specified size instead of being returned as one block, which is useful when potentially large result sets are expected. When paged results is enabled (the default), the definition of a user search can now be specific to that user (i.e. using the Full User DN).

Management | The LDAP Server Configuration fields "Additional User DN" and "Additional Group DN" are no longer mandatory. This allows LDAP users and groups to be assembled directly under the "Base DN".
Management | New functionality has been applied to the LDAP User Configuration fields "User First Name", "User Last Name" and "User Email". If any of these values are not filled in, default values derived from the user name are used when an LDAP user is created, e.g. User First Name: DavidK, User Last Name: DavidK, User Email: DavidK@org.
FIPS Support | CxSAST now supports the Federal Information Processing Standards (FIPS), meeting the needs of US government institutions that require FIPS compliance. The CxServer and CxEngine components can now be installed and operated on Windows FIPS-compliant hosts. Support for the CxSAST plugins is expected in an upcoming version.

Integration & Plugins 

Category | Features
Integration - Jenkins | CxSAST now supports the option to run Open Source Analysis from Jenkins. Configuration is performed from within Jenkins (Job > Configure > Build > Add build step > Execute Checkmarx Scan > Open Source Analysis > Includes / Excludes), and the results can be viewed in Jenkins as well as under Open Source Analysis in the Project State screen.
Integration - Jenkins | In this new version of CxSAST, .war and .ear files are now excluded (by default) from all vulnerability scans originating from Jenkins.
Integration - Perforce | Perforce integration improvements include a smoother deployment process for customers using Perforce as their source repository.
Integration - TFS | The TFS plugin for CxSAST (v7.1.0) has been approved and now supports the Team Foundation Server 2015 repository and build manager.

Engine

Category | Features
CxSAST Utilities | Because the file extension configuration is now stored in the DB rather than in a configuration file, a new File Extension Script Generator tool has been developed and added to the Checkmarx Utilities library. This tool converts ExtensionsConfig.xml files into executable scripts. These scripts can then be executed in Microsoft SQL Server Management Studio in order to synchronize and update the file extension tables in older versions of CxSAST.
Supported Code Languages and Frameworks | Added support in the CxEngine for scanning Hapi.JS. This provides the ability to scan JavaScript projects that use the Hapi.JS framework, thereby providing more accurate results.

Resolved Issues

Category | Resolved Issues
Application | Improvements and fixes for Java queries
Application | Improvements in the CxSAST upgrade process
Application | Synchronization improvements between the Application and CxEngine
CxEclipse Plugin | Adjusted height and width of the Login dialog in the CxEclipse plugin
Jenkins Integration | Improved scheduler and fixed the periodic scanning issue in the Jenkins plugin
GitHub Integration | Improvements and fixes for the GitHub integration
Engine | Improvements and fixes for the following languages:

  • Apex
  • Java
  • PL/SQL
  • JavaScript
  • PHP
  • ObjectiveC
  • C#
  • CPP
  • Ruby
  • VbNet

Known Limitations

Category | Known Limitations
Languages | There is currently no translation into languages other than English for the Open Source Analysis report (web and PDF versions) in the Project State screen. Full translation is planned for future CxSAST versions.
Localization | Because Open Source Analysis is performed via WhiteSource, there is currently no localization of CxOSA reports. All date/time information in CxOSA is provided according to the locale of the CxSAST Server, not the CxSAST Client.
Open Source Analysis | Open Source Analysis requests initiated manually from the User Interface continue as intended even if the user navigates to a different page or closes the browser. However, upon returning to the Project State Summary screen there is no indication of the analysis in progress. In this case, the Open Source Analysis results only become available for viewing upon completion of the analysis process.
Open Source Analysis | An Open Source Analysis request that takes longer than 30 minutes is automatically timed out.
Integration - Jenkins | The CxSAST plugin for Jenkins depends on the Maven plugin. In Jenkins V1.x the Maven plugin was installed by default on the same server as Jenkins. In Jenkins V2.x this plugin is no longer installed by default. Customers performing a fresh installation of Jenkins V2.x need to install the Maven plugin separately in order for the CxSAST plugin to work.
Scan Limitations | CxSAST does not support scanning two files with the same name, or files with special characters that are not supported in Windows.
