9.2.0 Hotfixes

Installation Notes

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
  • The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes

HF31

The following libraries have been updated:

  • tomcat-api was updated from 9.0.48 to 9.0.59

  • spring was updated from 4.3.30 to 5.3.18

During installation of the hotfix, the ActiveMQ\conf\activemq.xml file is replaced with a new file and the original is backed up.
If you changed the ActiveMQ configuration from the default, re-apply those changes to the new activemq.xml after the hotfix is installed. If your configuration also relies on additional files you created, back them up before installing the hotfix and restore them afterwards.


HF30

ActiveMQ has been upgraded to 5.16.4.

During installation of the hotfix, the ActiveMQ\conf\activemq.xml file is replaced with a new file and the original is backed up.
If you changed the ActiveMQ configuration from the default, re-apply those changes to the new activemq.xml after the hotfix is installed. If your configuration also relies on additional files you created, back them up before installing the hotfix and restore them afterwards.
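Because the installer overwrites activemq.xml, the practical question after the install is which of your settings were lost. The following script is an added example (not Checkmarx tooling) that compares the backed-up file with the newly installed one and lists every element or attribute value present only in the backup. CONF_DIR and the backup file name are assumptions; the two XML documents are constructed samples standing in for the real files.

```python
"""Find ActiveMQ settings that a hotfix install reset.

Added example (not Checkmarx tooling): compares the backed-up activemq.xml with
the file the hotfix installed and reports every element and attribute value
that exists only in the backup, i.e. the customisations to re-apply.
CONF_DIR is an assumed location; the two XML strings are constructed samples.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed location of the ActiveMQ configuration on a CxManager host.
CONF_DIR = Path(r"C:\Program Files\Checkmarx\Checkmarx ActiveMQ\conf")

# Constructed sample: the customer's backed-up file, with a non-default broker
# name and an extra SSL transport connector.
BACKUP_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="cx-broker-prod">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>
    </transportConnectors>
  </broker>
</beans>"""

# Constructed sample: the default file written by the hotfix installer.
INSTALLED_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>
  </broker>
</beans>"""


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def flatten(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Map every element to its attributes, keyed by a path such as
    beans/broker/transportConnectors/transportConnector[name=ssl].
    The name attribute is folded into the key so repeated siblings
    (several transportConnector elements) stay distinguishable."""
    flat: Dict[str, Dict[str, str]] = {}

    def walk(elem: ET.Element, prefix: str) -> None:
        key = _local(elem.tag)
        if "name" in elem.attrib:
            key += f"[name={elem.attrib['name']}]"
        path = f"{prefix}/{key}" if prefix else key
        flat[path] = dict(elem.attrib)
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return flat


def settings_to_reapply(backup_xml: str, installed_xml: str
                        ) -> Tuple[List[str], Dict[Tuple[str, str], Tuple[str, str]]]:
    """Return (elements only in the backup, attributes whose value differs).
    The second item maps (element path, attribute) -> (backup value, new value)."""
    old, new = flatten(backup_xml), flatten(installed_xml)
    missing = sorted(path for path in old if path not in new)
    changed: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for path, attrs in old.items():
        if path in new:
            for attr, value in attrs.items():
                if new[path].get(attr) != value:
                    changed[(path, attr)] = (value, new[path].get(attr, ""))
    return missing, changed


def report(backup_xml: str, installed_xml: str) -> List[str]:
    """Human-readable lines, one per setting that needs to be re-applied."""
    missing, changed = settings_to_reapply(backup_xml, installed_xml)
    lines = [f"missing element: {path}" for path in missing]
    lines += [f"{path}@{attr}: backup={old!r} installed={new!r}"
              for (path, attr), (old, new) in changed.items()]
    return lines


if __name__ == "__main__":
    # Runs against the constructed samples. On a real host read the two files
    # from CONF_DIR instead; the backup file name the installer uses is not
    # stated in the notes, so check what it actually wrote.
    for line in report(BACKUP_XML, INSTALLED_XML):
        print(line)
```

The comparison is keyed on element path plus the name attribute, so a transportConnector you added (the SSL listener in the sample) shows up as a missing element rather than being silently matched against the default openwire connector. Settings that live in separate files you created are not covered; those have to be backed up and restored by hand as the note above says.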


The following libraries have been replaced:

  • log4j-1.2.17 is replaced with reload4j-1.2.19
  • shiro-core-1.5.3 is replaced with shiro-core-1.8.0
  • shiro-spring-1.5.3  is replaced with shiro-spring-1.8.0
  • xstream-1.4.11.1 is replaced with xstream-1.4.19
  • tomcat-servlet-api-9.0.35 is replaced with tomcat-servlet-api-9.0.48
  • tomcat-websocket-api-9.0.35 is replaced with tomcat-websocket-api-9.0.48
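A hotfix that swaps library versions is only as good as what actually ends up on disk, so it is worth verifying the installed jars against the versions listed for HF30 and HF31 above. The script below is an added example, not Checkmarx tooling: it parses jar file names, checks each listed artifact against the minimum version the notes state, and flags any log4j 1.x jar that survived the HF30 replacement. The install-tree layout, the assumption that "spring" covers every spring-* jar, and the sample file listing are assumptions or constructed input.

```python
"""Check a Checkmarx installation's jar inventory against the library versions
the hotfix notes list.

Added example, not Checkmarx tooling. The minimum versions below come from the
HF30 and HF31 entries above; the directory layout and the file listing are
assumptions / constructed samples. Only the artifact names that the notes
mention are checked; anything else is left alone rather than judged.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# artifact-<version>[-qualifier].jar, e.g. tomcat-servlet-api-9.0.48.jar
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)*\.jar$")

# Minimum versions stated in HF30/HF31 (exact artifact names).
MINIMUMS: Dict[str, str] = {
    "reload4j": "1.2.19",
    "shiro-core": "1.8.0",
    "shiro-spring": "1.8.0",
    "xstream": "1.4.19",
    "tomcat-servlet-api": "9.0.48",
    "tomcat-websocket-api": "9.0.48",
    "tomcat-api": "9.0.59",
}
# HF31 says "spring" moved to 5.3.18; assumption: that covers every spring-* jar.
PREFIX_MINIMUMS: Dict[str, str] = {"spring-": "5.3.18"}
# Libraries HF30 replaced outright; their presence at any version is a finding.
REMOVED: Dict[str, str] = {"log4j": "replaced by reload4j in HF30"}


def parse_version(text: str) -> Version:
    """'9.0.48' -> (9, 0, 48); tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.split("."))


def parse_jar(filename: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) or None if the name is not artifact-version.jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def required_version(artifact: str) -> Optional[Version]:
    """Minimum version for an artifact, or None when the notes say nothing about it."""
    if artifact in MINIMUMS:
        return parse_version(MINIMUMS[artifact])
    for prefix, minimum in PREFIX_MINIMUMS.items():
        if artifact.startswith(prefix):
            return parse_version(minimum)
    return None


def audit(filenames: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every jar that contradicts the notes."""
    findings: List[Tuple[str, str]] = []
    for name in filenames:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar
        artifact, version = parsed
        if artifact in REMOVED:
            findings.append((name, f"removed library still present ({REMOVED[artifact]})"))
            continue
        minimum = required_version(artifact)
        if minimum is not None and version < minimum:
            shown = ".".join(map(str, minimum))
            findings.append((name, f"below required version {shown}"))
    return findings


def audit_directory(root: Path) -> List[Tuple[str, str]]:
    """Walk an install tree (assumed layout) and audit every jar found."""
    return audit(p.name for p in root.rglob("*.jar"))


# Constructed listing standing in for a directory walk after installing HF31.
SAMPLE_LISTING = [
    "reload4j-1.2.19.jar",
    "log4j-1.2.17.jar",            # should have been removed by HF30
    "shiro-core-1.8.0.jar",
    "shiro-spring-1.5.3.jar",      # stale
    "xstream-1.4.19.jar",
    "tomcat-servlet-api-9.0.48.jar",
    "tomcat-websocket-api-9.0.48.jar",
    "tomcat-api-9.0.59.jar",
    "spring-core-5.3.18.jar",
    "spring-web-4.3.30.jar",       # stale
    "activemq-all-5.16.4.jar",     # not covered by the notes: left alone
    "README.txt",
]

if __name__ == "__main__":
    for filename, reason in audit(SAMPLE_LISTING):
        print(f"{filename}: {reason}")
```

Run audit_directory against the Checkmarx install root on each station the hotfix touched (CxManager, CxEngine, CxAudit, and the Portal in a distributed setup); an empty result means the on-disk libraries match what the notes claim. The check relies on file names carrying the version, which is the convention for these libraries but not a guarantee, so treat a clean result as necessary rather than sufficient.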


HF29

Square brackets are now supported when filtering projects by name.


Angular was updated to 1.8.2.

Fixed an issue that caused file path decryption to fail, producing the following message in the scan log:
No dependency contains the given hashed path. Parameter name: pathIdentifier
Because the issue did not affect SAST functionality, customers were previously advised to ignore the message.


Fixed an issue that caused results with comments containing the “+” character to be excluded from the CSV reports.


HF28

In Management and Orchestration (M&O), upgraded Log4j to version 2.17.1.


HF27

In Management and Orchestration (M&O), upgraded Log4j to version 2.17.0.


HF26

Fixed issues that resulted in loss of the DOM because of the following parsing errors:

  • a TypeScript parsing error that occurred when an exclamation mark (definite assignment assertion) appeared at the end of an expression
  • a PHP parsing error that occurred when a single quote appeared inside an HTML tag
  • a parsing error that occurred when exporting a sync function
  • a TypeScript parsing error that occurred in some cases when a declaration used a ‘Maybe <T>’ type

Fixed an issue where the memory was not released after a stacked scan was aborted.


Fixed an issue that caused CxAudit to fail in some cases involving an OverflowException.


HF25

Fixed a bug that caused report creation to fail when the Path column in the Projects table contained more than one XML node for a subfolder.


Fixed a failure in the Data Retention process that occurred when the Engine Scan Logs Path was set to a shared folder. One symptom was that scans that should have been deleted were not.


Fixed an issue that caused some characters, which were typed by users into the scan comments, to be replaced by HTML encoded characters.

Fixed an issue that caused incorrect error messages to be logged when the data retention option was applied to scans which had previously been deprecated.


Fixed a bug which prevented the viewer from displaying the source code of a file with a long path, even when the long path option was enabled.

Fixed an issue which prevented the Post Scan Action from creating reports when the system was configured for LDAP environments.

Fixed an issue that caused scans on existing projects to fail because of empty folders in CxSRC, which resulted from failures in the ZIP extract process. This issue only occurred in HA (High Availability) environments.


HF24

The items displayed on the Projects State page can now be sorted independently of the full list of Projects State items.


Fixed a number of issues in Access Control that were related to User Creation.

Fixed a comma-separated string issue that affected the Okta SAML (Security Assertion Markup Language) integration with Access Control. The issue prevented the IdP (Identity Provider) Authorization and Team Attribute Mapping feature from assigning users to multiple teams or multiple roles. It is now possible to specify multiple team names, separated by commas, so that new users are automatically associated with multiple teams, and likewise to specify multiple roles, separated by commas, so that new users are automatically assigned multiple roles.

For details of the security fixes in this hotfix, see the Checkmarx Security Updates article (linked under HF4 below).


HF23

Fixed an issue where team-level query overrides are sometimes saved under incorrect teams.


Improved the CxJobsManager logs, which tended to fill up very quickly, by moving some log messages to debug level.


Fixed an error which prevented the results of full and incremental scans from merging together.


Improved the stability of the incremental scan process where several incremental scans are being triggered in parallel.


HF22

Fixed an issue that caused the parsing process to time out when scanning JavaScript files, leading to the loss of many scan results.


Fixed an issue that occurred when scanning Java files that caused a false negative for the Stored_XSS vulnerability when the flow did not connect the input to the output.


Fixed an issue that occurred when scanning C# files that prevented the flow from continuing to the correct overload method in the code.


Fixed an issue that occurred when scanning Go language files with CxAudit. The issue prevented the flow through the getArticlesDistribute and getArticlesDistributeByName extension methods from being located with the mysql.go query.

Fixed an issue that occurred when scanning C# files that involved the GetHoldByText method call that prevented the flow and definition from being found.


Fixed an issue that occurred when scanning C# files and prevented the .aspx file from being parsed correctly, resulting in a false negative for the Stored_XSS vulnerability.

Fixed an issue where, if a file name was not specified for the scan, CxAudit and CxSAST Web Portal scans produced different numbers of results.


HF21

Fixed the Result Viewer page so that all instances of a selected word are highlighted in the code.


Fixed the “Group By” option in the Results Viewer so that it works for all columns.


Fixed an issue in the Results Viewer which prevented the total number of active results from being immediately updated after some results are marked as "NOT EXPLOITABLE".


Fixed an issue which prevented the Post Scan Action from sending arguments to LDAP configured environments.

Fixed an issue which sporadically caused empty scan reports to be generated.

Fixed an issue that prevented the use of single quotes in the scan comments.


HF20

Fixed the displayed scan result state in OData to be aligned with the Web Portal UI.


Fixed an error message for the post scan action where scanning is performed via a Git repository.

The Scan ID is now displayed on the Scans List and Scan Summary pages in the CxSAST web portal GUI.


Improved scan stability by increasing the result message timeout in ActiveMQ.


Improved stability for OSA scans, so that scans will not fail even when the database has reached its update limits with respect to "unresolved libraries".

Improved multiple client connection handling.

Improved Manager synchronization in High Availability (HA) mode.


HF19

Angular – fixed query to add additional support for textarea elements.


Kotlin – fixed cases where CxAudit would crash because of parsing issues.

Improved support for MyBatis when working with SELECT, IF, and WHERE SQL statements.

Fixed inconsistent results in JavaScript when performing two consecutive scans.

Angular – fixed false positive DOM XSS results.

Fixed a bug which in some cases caused a scan in multi-language mode to fail.

MyBatis – fixed false negative SQL_injection result.

AngularJS – fixed cases where scans would fail because of incorrect code resolution.


HF18

Added ability to rename the CxServer property to any other name in the Team hierarchy. The renaming must be performed in the database after this Hotfix is applied.


HF17

Fixed an issue that occurred when connecting SAST to the Azure DevOps repository using a PAT (Personal Access Token).


Fixed the Results Service retry mechanism.


Fixed an issue that occurred in HA (High Availability) environments when sources for the same scan were sent to two different engines, causing scan failure.


Solved a case where some directories were not scanned in TFS-based scan projects.


Improved the Incremental scan flows mechanism so that the various possible incremental scan results are more consistent with the full scan results.


HF16

Added support in CxSAST allowing a maximum Team name length of 128 characters.


Fixed a deadlock that could occur when assigning a CxEngine to a scan request.


Fixed an issue that caused scan failure when Git projects are configured via API and UserName contains a '+' (plus sign) character.


Fixed an issue where customers were unable to download the logs after scan folders had been unexpectedly deleted.


An error message is now logged when an incremental scan fails because the MethodMapping.zip file in the sources is missing or invalid.


HF15

Engine improvements to prevent unfinished scans when scanning Java projects with several XML files.


Improved Apex language recognition in multi-language mode.

Added support in C++ for import namespaces.

Added definition to the esc function in Java.


Improvements in Angular support to increase results accuracy. 


Improvements in VUE.JS parsing support.


Updated CxPortal to comply with PCI DSS version 3.2.1.


Added support in ASP and PHP for files with .inc extension.

XML mapping improvements in MyBatis.

Several improvements have been made for Swift parsing.

Internal Engine Improvements.

Improvements in the query security mechanism according to the Teams’ hierarchy.


HF14

Allows CxSCA users to replace the existing OSA widget with a new SCA widget, making it possible to display CxSCA scan results on the CxSAST summary page. For more information, see Displaying CxSCA Scan Results in CxSAST.

Fixed an error that prevented the OSA Viewer from working when M&O is not installed.


HF13

Fixed an error on the Project Dashboard that highlighted the wrong project when editing a project.


Fixed an issue that caused the Git connection to fail when the password contained special characters.

Improvements on Engine Service for handling interrupted scans.

Improvements on SOAP APIs to allow viewing and running scans for private projects according to the Teams hierarchy.


Fixed the displayed scan result state when similar scanned projects are deleted.


Fixed cases where the Results Service failed to start because of a missing SQL configuration in the hosts file.


Changed settings to allow Admin and regular users to view and scan private projects according to the Teams hierarchy.

Limitation: An Admin user cannot view and scan all the private projects, only the private projects according to the hierarchy of the Teams which the Admin belongs to.


Fixed an error to prevent duplicated comments when changing the result state for multiple results.

Changed settings to allow viewing the number of private scans for projects according to the Teams hierarchy.

Changed settings to allow triggering scans for private projects according to the Teams hierarchy.


HF12

Fixed issues that prevented closing the Scan Summary page.


Fixed an issue that caused the scan engine to go offline when scanning files with special characters. To enable the fix, see /wiki/spaces/KC/pages/2780497285.


Corrected the name displayed for the scan schedule Initiator.


Improved the Scanned Languages description on the Scan Summary page when the scan returns zero findings.


By default, CxSAST now reverts to the previous query runtime security mechanism when executing queries (the new mechanism introduced in HF9 is no longer the default).

Improved the error message that is displayed when attempts are made to log in with SAML without the proper permissions.


HF11

Fixed cases where the query headline did not appear in the Results Viewer.


Post-scan actions now have a defined timeout.


Fixed cases where branched project details were irretrievable using the API.


Fixed the error message displayed when the SOAP service is down.


Fixed cases where the Results Service failed to start because of a problematic Checkmarx path configured in the registry.


Improved performance of the Scan Manager stop/start actions.


Fixed cases of misalignment between Access Control and CxSAST caused by a multiple hierarchy in the Teams tree.


M&O: Fixed multiple sync issues that caused the ETL to fail.


M&O: Fixed misalignment between the number of projects displayed in the header and the actual number of violated projects on the page.


You can now configure the Global Admin role to exclude the CxAudit permission. For more information, see Access Control Configuration Guide.


Improved performance for fetching a large number of users and teams from the Active Directory.


The Access Control login page now supports logo and background customizations. For details about how to customize the login page, see https://checkmarx.atlassian.net/wiki/spaces/KC/pages/2509278584/Customizing+the+Access+Control+Web+Interface+v2.1+and+up.


The User Manager role is now able to grant roles that it does not have itself. For more information, see Access Control Configuration Guide.


HF10

Fixed cases where scanning failed to start due to a problematic location in TFS.


Performance improvements for Best Fix Location (BFL).


Fixed cases where email notifications were not sent due to a non-existing email address.


General performance improvements.


Fixed incorrect duplication of comments where a result state is changed for multiple results.


Line breaks are now included in scan comments.

Fixed cases where a scan with a pre-scan failed due to a change in the location of the source files.


Performance improvements for loading large repositories in the CxSAST Portal.


Fixed cases where the CxSAST Portal was not displayed due to an issue with loading the configurations.


Fixed cases where the users in CxSAST and the users in Access Control were out of sync due to an IIS reset.


Fixed cases where the Engine Service is unable to read the status.xml file.


Fixed cases where scans fail due to a problematic usage of Git cloning.


The CxSAST Portal now displays Git branches in all languages.


Fixed misalignment in scan status in cases where the scan status still indicated “scanning” after the scan had already completed.


HF9

Fixed cases where an incremental scan got stuck because of a wrong path.

Fixed an issue that caused specific folders not to be found during the scan cleanup process.


Improvements in log information.


Improvements in C++, allowing the scans to finish.


Implemented several COBOL improvements and support for MicroFocus extensions.


Missing Japanese query descriptions have been added.


Introduced a new query runtime security mechanism that hardens query execution.


Added a new capability in the CxAudit for easily extracting the source code related to a query. To enable, please refer to the CxAudit documentation.


Improvements in JavaScript (Regex/ReDOS) parsing.


Fixed cases where a lower-level query override existed but the higher-level query was used when the queries ran.


HF8

Fixed an issue that broke the link to the Git integration when the word 'git' was part of the URL.

Fixed an issue that occurred when the length of a specific field in the CxOSA risk report exceeded a predefined limit.

Improved the response time for opening a Projects page containing a large number of projects.

Fixed cases where a wrong team hierarchy was displayed in the projects details.


For new projects, CxOSA now identifies scanned libraries through their package managers by default.

Fixed an issue that prevented scan results from being sent to valid email addresses listed after an invalid email address.

Fixed situations where an engine scan did not complete successfully but was shown as “Finished” in the Portal.

Engine performance improvements when loading results.


HF7

Fixed an issue that caused results to be hidden after upgrading CxSAST.

"_" can now be used as part of template names.

The Post Scan Actions field size has been increased to 1000 characters.

Triggering a new scan from the plugins no longer requires the 'Create Project' or 'Edit Project' permission.

The first character of a team name must be an alphanumeric character.

The LDAP integration has been optimized for cases where a large number of LDAP users is returned.

Line breaks are now included with scan comments.

Log information has been added to the audit trail for cases when a team has been created or deleted or when users have been deleted as a result of deleting a team.


Introduced a personal access token (PAT) for the GitHub integration, as part of GitHub’s deprecation of basic authentication.
Previously created webhooks that use basic authentication continue to operate. When a scan is triggered for a previously created webhook project without a PAT configured, Commit Comment is unavailable. To make Commit Comment available, switch all GitHub-related projects to PAT authentication.


HF6

JS scripts can now be recognized in .ASP files.

Engine improvements to prevent scans from failing.

Several Python improvements.

Scan logs now contain a list of the engine's configurations.

Fixed an issue that caused scans to fail when ScanDetails.xml was read before the file had been created.


HF5

The creation and deletion of teams is now logged in the audit trail.

The user email is now unique across all providers.

Added a new API to allow updating a single team's LDAP mapping.


HF4

Fixed an issue that caused the creation of new projects to hang.

Fixed a token lifetime issue that caused scans initiated from plugins to fail.

Security fixes; refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.

Apache Tomcat has been upgraded to version 8.5.57.

Group DNs in LDAP Role Mapping are no longer case sensitive.

It is now possible to sort users in Teams tables.

The Team name size has been increased to up to 128 characters.

Fixed an issue where a query that returned a very large number of results caused ActiveMQ (AMQ) to hang, which in turn left the scan stuck.


HF3

Fixed a Java issue with a custom attribute.


Fixed a Java issue that caused parsing to fail.


Fixed Go issues that caused parsing to fail.


Fixed a Typescript flow issue that caused some properties not to be initialized.


Optimized the memory consumption for JavaScript parsing.


Improved the C# queries that use Find_Interactive_Inputs elements.


Improved the import mechanism that caused false negatives in Client_DOM_XSS.

Improved the Client_DOM_XSS accuracy with respect to JQuery methods.


Fixed a Java issue that caused DOM loss.

Improved the COBOL support for the PERFORM THRU statement.

Improved the accuracy of the JavaScript SQL_Injection query with respect to database accesses.

Improved the Java sanitizers that caused false negatives in FIND_SQL_INJECTION.

Improved the import of JavaScript modules.


Fixed a Go issue that degraded performance.


HF2

Fixed a sorting issue that caused some projects not to be displayed in CxAudit.


Improved merging results from a scan without code change with the results of previous scans.


Fixed an issue where the scan status was mistakenly marked as completed.


Added an option to configure the number of days a pending scan may wait before it times out. This is set through the MaxDaysForRunningScan parameter.


HF1

An EULA screen has been added to the installation wizard (GUI mode). Users must agree to the terms and conditions of the license agreement before they can continue installing the hotfix. In CLI mode, the variable ACCEPT_EULA=Y must be passed on the command line to install the hotfix, as follows:

9.2.0.HF1.exe -cmd ACCEPT_EULA=Y


This hotfix includes all fixes delivered in CxSAST 9.0 HF1 through HF9.


The Cx Engine version and the current hotfix version have been added to the CxEngine Logs.


Improvements in the TypeScript query group when CxSAST is upgraded from version 8.9.


Support for opening a Jira ticket has been added for cases when the Security Level field is mandatory.

Known Limitations

If you are unable to log on to Access Control after installing HF1, clear the browser cache and the browsing history. For further information, refer to Chrome: Clear cache & cookies or How to clear the Firefox cache, depending on the browser in use.
