Release Notes for Engine Pack 9.5.1
Engine Pack 9.5.1 contains the following engine deliverables and enhancements:
Installation Notes
Caution
In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.
Notice
Engine Packs are cumulative and include previous Engine Pack updates.
For more information about Engine Pack installation, see Engine Pack Versions and Delivery Model.
CxSAST Engine
Core
Engine Base Docker Image Replaced
The base Docker image, mcr.microsoft.com/dotnet/aspnet:6.0.5-alpine3.14, has been replaced with the following image:
mcr.microsoft.com/dotnet/aspnet:6.0.5-jammy
The new Engine Docker image has been uploaded to Docker Hub.
Simplified Engine Pack Rollback Process
For Engine Pack 9.5.1 and later, the procedure for rolling back to the GA release has been simplified.
Install CxSAST Engine Pack 9.5.0 and the setup will replace all necessary files and database configurations.
For more information, see Rolling Back Engine Packs.
Languages and Frameworks
The supported languages and frameworks in 9.5.1 can be found on the dedicated page.
The content includes the following:
Support for Finatra, a Scala framework
Java language support updated to versions 16 and 17
JSP improvements for supporting concatenation for Include Directives
Support for ECMA 2021 (ES12) and ECMA 2022 (ES13) for JavaScript
Support for AWS Lambda for Node.js
C# and .Net Core improved support available as TechPreview
C# support updated to versions 9 and 10
.Net Core support updated to version 5 and 6
Support for Dart language, available as Alpha version
Improved several languages (such as Go, Java, JavaScript and C#) by creating new queries and updating existing ones
Improved support for the MISRA C 2012 preset and several other presets
Added a new Best Coding Practice query for detecting SpringShell vulnerable versions
Scala
We are introducing brand new support for Finatra. Finatra is a web framework for developing HTTP/Thrift services, built on top of TwitterServer and Finagle.
Java
Java language support has been updated to versions 16 and 17. It includes the following:
Pattern Matching for instanceof
Records
Local Interfaces
Local Enum Classes
Sealed Classes
JavaScript
This version introduces support for the latest versions of EcmaScript for JavaScript, ECMA 2021 (ES12) and ECMA 2022 (ES13).
Support for the following language features was added:
Local assignment operators (ES12)
Numeric separators (ES12)
Private Class methods (ES12)
.at() and negative indexing (ES13)
Error clause (ES13)
Class fields (ES13)
JSP
JSP support has been improved by adding support for concatenation in Include Directives.
AWS Lambdas - Node.js
In 9.5.1 we are adding new support for AWS Lambdas, starting with Node.js.
Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.
DynamoDB and S3 library services are supported through either AWS SDK version 2 or version 3.
The following set of queries has been created under a group called JavaScript_AWS_Lambda:
Race_Condition_Concurrent_Instances (Medium)
User_Based_SDK_Configurations (Low)
Related to DynamoDB
Related to S3 Bucket
Permission_Manipulation_in_S3 (Medium)
Unrestricted_Read_S3 (Low)
Unrestricted_Write_S3 (Low)
C# and .Net Core (TechPreview)
C# support has been rewritten and updated to the latest versions, 9 and 10. Support for .Net Core was updated to versions 5 and 6. The new support is available as a Technology Preview in CxSAST 9.5.1.
To use the new language support, set the flag USE_NEW_CSHARP to true by performing one of the following:
In the SAST database, run: UPDATE [CxDB].[Config].[CxEngineConfigurationKeysMeta] SET [DefaultValue] = 'true' WHERE KeyName = 'USE_NEW_CSHARP'
In DefaultConfig.xml (located in the folders %programfiles%\Checkmarx\Checkmarx Audit and %programfiles%\Checkmarx\Checkmarx Engine Server), add:
<Configuration>
    <Key>USE_NEW_CSHARP</Key>
    <Value>true</Value>
</Configuration>
Support for the following language features was added:
Tuples as Discards
Out Variables
Pattern Matching
Deconstruction
Local Functions
Binary Literals
Digit Separators
Ref Returns and Locals
Generalized async return types
More expression-body members
Readonly members
Pattern matching enhancements
Using declarations
Asynchronous streams
Indices and ranges
Null-coalescing assignment
Stackalloc in nested expressions
Records
Init only setters
Top-level statements
Pattern matching enhancements
Performance and interop
Fit and finish features
Support for code generators
Record structs
Improvements of structure types
Interpolated string handlers
Global using directives
File-scoped namespace declaration
Extended property patterns
Allow const interpolated strings
Improved definite assignment
Allow both assignment and declaration in the same deconstruction
Allow AsyncMethodBuilder attribute on methods
CallerArgumentExpression attribute
With Expression
Note
The Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use. Before Checkmarx considers making Technology Preview features generally available, we will attempt to resolve any issues that customers experience with these features.
Dart (Alpha)
In 9.5.1 we are adding brand new support for the Dart language to the SAST engine.
The following queries are available as part of this version:
Dart_Mobile_High_Risk/Resource_Updated_By_URL_Data
Dart_Mobile_Medium_Threat/WebView_JavaScript_Injection_from_URL_Schem
Dart_Mobile_Low_Visibility/Parameter_Tampering
Dart_Mobile_Low_Visibility/Self_SQL_Injection
The following language features are supported:
Declarations
Imports
Exports
Part/Part of
Variables
Constant
Enums
Mixins
Classes and Objects
Class Declaration
Base types (extends, implements, with)
Abstract class
Constructors
Getter/Setter
Instance of the class (new)
Generic class
Extension methods
Types
Generic Types
Literals: Integer, Double, Boolean, Character, String, Symbol, Null, Maps/Sets/Lists
Multi-Line Strings
Functions
Function Declaration
Function with Optional Argument
Function with Default Argument
Functions with Named Arguments
Function with Variable Arguments
Nested Functions
Anonymous Functions
Operators: Arithmetic, Relational/Equality, Logical, Bitwise/Shift, Assignment, Test Type, Conditional (ternary/Null-Coalescing)
Exception Handling
Try…Catch
Finally Clause
Throw Expression
Control Flow Statements: If, Loop, Break, Continue, Switch and Case, Assert
Generators: Metadata and Typedefs
SpringShell
The following new query for detecting vulnerable SpringShell versions in Java code was added: Java_Best_Coding_Practice/Potential_Usage_of_Vulnerable_Log4J
Queries Improvements
Several Go improvements were made by creating new queries and editing existing ones, such as the following:
Updated Queries:
Go_High_Risk/Command_Injection
Go_Medium_Threat/Denial_Of_Service_Resource_Exhaustion
Go_Low_Visibility/Race_Condition_In_Cross_Functionality
The Go_Medium_Threat/Path_Traversal query was split into the following queries:
Go_Medium_Threat/Stored_Absolute_Path_Traversal
Go_Medium_Threat/Reflected_Absolute_Path_Traversal
Go_Medium_Threat/Stored_Relative_Path_Traversal
Go_Medium_Threat/Reflected_Relative_Path_Traversal
New Queries:
Go_High_Risk/Connection_String_Injection
Go_High_Risk/Unsafe_Reflection
Go_Medium_Threat/Parameter_Tampering
Two new queries were added to the Java language, one to detect NoSQL Injection in MongoDB and one to find the Code Injection (RCE) vulnerability via Insecure Bean Validation:
Java_High_Risk/Mongo_NoSQL_Injection (NoSQL Injection in MongoDB)
Java_High_Risk/Expression_Language_Injection_EL (Code Injection (RCE) via Insecure Bean Validation)
Several JavaScript improvements were made by creating new queries and updating existing ones, such as the following:
Updated queries:
JavaScript_Medium_Threat/Client_ReDoS_From_Regex_Injection
JavaScript_Medium_Threat/Client_ReDoS_In_Match
JavaScript_Medium_Threat/Client_ReDoS_In_Replace
New queries:
Javascript_Server_Side_Low_Visibility/Information_Exposure_Through_an_Error_Message
JavaScript_Best_Coding_Practice/Avoid_the_Use_of_FinalizationRegistry
JavaScript_Best_Coding_Practice/Avoid_the_Use_of_WeakRef
C# queries have been improved for detecting hardcoded credentials in appsettings.json files.
For the complete list of new and updated queries for all the languages, please refer to the Vulnerability Queries for 9.5.1.
MISRA C 2012
The improvements to the MISRA C 2012 preset for Coding Standards, added for the C language in 9.4.4, continue with additional new rules.
In this version, the preset contains new and improved queries for the following rules:
1.4: The usage of emergent language features is disallowed.
2.1, 2.2, 2.4, 2.6 and 2.7: Unused code.
3.1: Character sequences /* and // must not be used within a comment.
3.2: The continuation char \ for line split must not be used inside a // comment.
4.1: Octal and hexadecimal escape sequences must be terminated.
4.2: Trigraphs must not be used.
8.13: A pointer should point to a const-qualified type whenever possible.
8.14: The type qualifier restrict should not be used.
9.1: Values from built-in types' variables should not be used before an assignment.
9.2 and 9.3: Arrays and Structures initialization must honor declared structure; Arrays must not be partially initialized.
10.1: Operands must not be of an inappropriate essential type.
10.2: Expressions of essential character type must not be used inappropriately in addition and subtraction.
10.3: The value of an expression must not be assigned to an object with a narrower essential type or of a different essential type category.
10.4: Operands for binary operators (and second and third operands for ternary operator) should have the same fundamental type.
10.5: The value of an expression should not be cast to an inappropriate essential type.
10.6: The value of a composite expression must not be assigned to an object with wider essential type.
10.7: If a composite expression is used as one operand of an operator in which the usual arithmetic conversions are performed, then the other operand must not have a wider essential type.
10.8: The value of a composite expression must not be cast to a different essential type category or a wider essential type.
11.3, 11.4, 11.5, 11.6, 11.7 and 11.9: Verify the validity of pointer type conversions including cast expressions.
12.1: Expressions should explicitly state the order of operators.
12.2: The right-hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left-hand operand.
12.3: The comma operator should not be used.
12.4: Evaluation of constant expressions should not lead to unsigned integer wraparound.
12.5: The sizeof operator shall not have an operand which is a function parameter declared as "array of type".
13.1 to 13.6: Side Effects.
14.1: A loop counter shall not have essentially floating type.
14.2: A for loop shall be well-formed.
14.4: The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type.
15.1: Usage of goto is discouraged.
15.2: Goto might be used to jump forward in the code, but never backwards.
15.3: Goto might be used to jump out of nested blocks, but never to jump into nested blocks. Also, goto should not cross switch case statements.
15.4: A single exit point is required for an iteration-statement, whether it is a break or a goto.
15.5: Each function should have a single exit point.
15.6: The body of an iteration-statement or a selection-statement must be a compound statement.
15.7: All if ... else if ... constructs must be terminated with an else statement.
16.2: A switch label must not be used unless the most-enclosing compound statement is the body of a switch statement.
16.3: Every case block must terminate with an unconditional block. Exception is performed for grouping case statements. Default is not an exception, and therefore, the break is mandatory.
16.4: Every switch statement must have a default label. The default label should have at least a command before the break statement. When that is not possible, a comment must be used.
16.5: The default clause in a switch statement must be the first or the last one.
16.6: Each switch statement must have at least two non-empty clauses.
16.7: The switch expression must not be of fundamental Boolean type.
17.1: Functions from <stdarg.h> must not be used.
17.2: There must not be any recursive code, neither direct nor indirect.
17.3: A function must not be declared implicitly.
17.4: Non void functions should have expressions on every exit path.
20.1: All #include directives should only be preceded by preprocessor directives or comments.
20.3: Include directives must be followed by either a <filename> or "filename" sequence.
20.5: #undef should not be used.
20.10: No # and ## preprocessor operators should be used.
20.11: A ## operator should not come immediately after a macro argument that follows a # operator.
20.12: Only the # or ## operators can utilize a macro parameter as an operand, since it is itself susceptible to additional macro substitution.
20.14: All #if/#else/#elif/#endif commands must reside in the same file.
21.1: There must not be any #define or #undef with C Standard Library function names or names starting with an underscore.
21.2: There must not be any redefinition of a C Standard Library function, or any C function starting with an underscore.
21.3: The <stdlib.h> method for memory handling must not be used (free, malloc, calloc, realloc).
21.4: <setjmp.h> and related methods must not be used.
21.5: <signal.h> functionalities must not be used.
21.6: The input/output functionalities available in <stdio.h> must not be used, nor the names reused by local methods, nor the equivalent methods from <wchar.h> for wide char input/output.
21.7: The Standard Library functions of atof, atoi, atol and atoll of <stdio.h> must not be used.
21.8: The Standard Library functions system, exit and abort of <stdio.h> must not be used.
21.9: The Standard Library functions bsearch and qsort of <stdio.h> must not be used.
21.10: The standard library <time.h> and associated methods/types must not be used.
21.11: The header file <tgmath.h> must not be used.
21.12: The exception handling features of <fenv.h> must not be used.
21.21: System from <stdlib.h> must not be used.
21.13: Calls to functions from <ctype.h> must have as an argument an integer in the range from -1 (EOF) to 255.
21.15: Pointers passed to memcpy, memmove, or memcmp must be compatible.
21.16: Pointers passed to memcmp must be only for integers, bools, enum or chars.
21.18: The size_t parameter for methods memchr, memcmp, memcpy, memmove, memset, strncat, strncmp, strncpy and strxfrm should be smaller than the array size of the supplied pointers.
21.19: The results of the localeconv, getenv, setlocale or strerror methods can only be used as pointers to const qualified types.
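As an added illustration of what several of the rules above look like in compliant C, here is a small self-contained program (example code written for this page; it is not Checkmarx code and does not reproduce the CxQL queries themselves). Each function names, in a comment, the rule from the list above that it satisfies and the non-compliant form the corresponding query is meant to flag; the sample data in main() is constructed.

```c
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Rule 21.13: <ctype.h> functions take an int in the range -1 (EOF)..255.
 * Passing a plain, possibly negative, char is the non-compliant form;
 * casting through unsigned char keeps the argument in range. */
static bool is_decimal_digit(char c)
{
    return isdigit((unsigned char)c) != 0;
}

/* Rule 12.2: the right-hand operand of a shift must lie in 0..(width - 1)
 * of the left operand's essential type. An out-of-range count is rejected
 * instead of shifted, and the function keeps a single exit point (15.5). */
static bool shift_left_u32(uint32_t value, uint32_t count, uint32_t *result)
{
    bool ok = false;
    if (count < 32U) {
        *result = value << count;
        ok = true;
    }
    return ok;
}

/* Rules 16.3 to 16.6: every case ends with an unconditional break, the
 * default clause is last and carries a statement of its own, and the switch
 * has more than one non-empty clause. */
typedef enum { CMD_READ = 1, CMD_WRITE = 2 } command_t;

static int32_t dispatch(int32_t code)
{
    int32_t status;
    switch (code) {
    case CMD_READ:
        status = 10;
        break;
    case CMD_WRITE:
        status = 20;
        break;
    default:
        status = -1;
        break;
    }
    return status;
}

/* Rule 21.18: the size_t argument to memcpy must not exceed the size of the
 * arrays behind the supplied pointers. The copy is clamped to the smaller of
 * the two capacities and the number of bytes copied is returned. */
static size_t bounded_copy(uint8_t *dst, size_t dst_len,
                           const uint8_t *src, size_t src_len)
{
    size_t n = (src_len < dst_len) ? src_len : dst_len;
    if (n > 0U) {
        (void)memcpy(dst, src, n);
    }
    return n;
}

/* Rule 17.2: no direct or indirect recursion. The iterative form replaces the
 * usual recursive factorial; the loop is well-formed (14.2) and its counter
 * is an integer, not a floating type (14.1). */
static uint64_t factorial(uint32_t n)
{
    uint64_t acc = 1U;
    uint32_t i;
    for (i = 2U; i <= n; i++) {
        acc *= i;
    }
    return acc;
}

int main(void)
{
    uint32_t r = 0U;
    uint8_t dst[4] = {0};
    const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed sample data */

    assert(is_decimal_digit('7') && !is_decimal_digit('a'));
    assert(shift_left_u32(1U, 4U, &r) && r == 16U);
    assert(!shift_left_u32(1U, 32U, &r));
    assert(dispatch(CMD_WRITE) == 20 && dispatch(99) == -1);
    assert(bounded_copy(dst, sizeof dst, src, sizeof src) == 4U && dst[3] == 4U);
    assert(factorial(5U) == 120U);
    return 0;
}
```

The point of the shift and memcpy helpers is that the rules are about bounding a value before it reaches the operator or library call; a preset query can only flag the unchecked form, so the compliant rewrite is what a developer should aim for when a MISRA finding is raised.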
General Preset Alignment
The following CWE-based presets were updated, by adding the new queries created in recent SAST versions, aligning the queries from all the languages, and removing deprecated queries:
CWE Top 25
MOIS(KISA) Secure Coding 2021
OWASP ASVS
OWASP Top 10 2021
Sans Top 25
CxSAST Application
Vulnerability Queries
There are new and updated vulnerability descriptions, queries, and query-to-preset assignments for this version.
For details, see Vulnerability Queries for 9.5.1.