Release Notes for Engine Pack 9.5.2
Engine Pack 9.5.2 contains the following engine deliverables and enhancements:
Installation Notes
Caution
In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.
Notice
Engine Packs are cumulative and include previous Engine Pack updates.
For more information about Engine Pack installation, see Engine Pack Versions and Delivery Model.
CxSAST Engine Pack Enhancements
Languages and Frameworks
All supported code language and framework versions are listed on the dedicated Languages & Frameworks page.
The content includes the following:
Support for Dart language available as a Beta version
Added support for Flutter, a Dart framework, as a Beta version
The support for the Akka framework has been improved and updated to the latest version, 2.6.20
The Go language support has been updated to version 1.19
Added support for AWS Lambda for Python
Improved C# and .NET support is now available as GA
C# query improvements for detecting hardcoded credentials in appsettings.json files
The improvements for the MISRA C 2012 standard have been completed.
Dart and Flutter (Beta)
The Dart support has been improved and we are adding support for the Flutter framework, both as Beta versions.
The following queries are available as part of this version, grouped by query group:
Dart_High_Risk:
  Sensitive_Information_Over_HTTP
Dart_Mobile_High_Risk:
  Insecure_Android_SDK_Version
  Unsafe_Reflection
Dart_Medium_Threat:
  Communication_Over_HTTP
  Information_Exposure_Through_Query_String
Dart_Mobile_Medium_Threat:
  Improper_Certificate_Validation
  Pasteboard_Leakage
  Poor_Authorization_and_Authentication
  Public_Storage_SQL_Injection
  Public_Storage_WebView_JavaScript_Injection
  SQL_Injection_from_URL_Scheme_or_Intent
Dart_Mobile_Low_Visibility:
  Hardcoded_Password_In_Gradle
  Missing_Root_Or_Jailbreak_Check
  Private_Storage_SQL_Injection
  Private_Storage_WebView_JavaScript_Injection
  Self_WebView_JavaScript_Injection
  Use_of_Native_Language
Scala
The support for the Akka framework has been improved and updated to the latest version, 2.6.20.
Go
Go language support has been updated to version 1.19 and includes the following features:
hash/hashmap package
io/fs interface package
Modules
In addition to the language support improvements, the query initiative started in the previous Engine Pack continued, with new queries created and existing queries edited.
AWS Lambdas - Python
In 9.5.2 we are adding new support for AWS Lambdas for Python.
Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.
DynamoDB and S3 library services are supported through Boto3, the AWS SDK for Python.
The following set of queries has been created under a group called Python_AWS_Lambda:
  AWS_Credentials_Leak
  Race_Condition_Concurrent_Instances
  Use_of_Hardcoded_Cryptographic_Key_On_Server
  User_Based_SDK_Configurations
  Hardcoded_AWS_Credentials
Related to DynamoDB:
  DynamoDB_NoSQL_Injection
Related to S3 Bucket:
  Permission_Manipulation_in_S3 (Medium)
  Unrestricted_Read_S3 (Low)
  Unrestricted_Write_S3 (Low)
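As an added illustration of the coding patterns the Python_AWS_Lambda queries above target (example code written for this page, not Checkmarx's queries or sample code): a handler-shaped module that builds DynamoDB query parameters both the flagged way (request data interpolated into the condition expression text) and the safe way (a validated value behind an expression placeholder), and confines a user-supplied S3 object key to a per-tenant prefix before it could reach get_object/put_object. The API Gateway proxy event shape, the TABLE_NAME/BUCKET_NAME environment variable names, the tenants/<tenant>/ key layout and the sample events are assumptions; boto3 is deliberately not imported, so the module runs offline and returns the call arguments it would hand to Table.query and get_object.

```python
import os
import posixpath
import re

# Constructed API Gateway proxy events for illustration, not real traffic.
NORMAL_EVENT = {"queryStringParameters": {"username": "alice", "key": "reports/q3.pdf"}}
TAMPERED_EVENT = {
    "queryStringParameters": {
        "username": "alice OR attribute_exists(is_admin)",
        "key": "../other-tenant/secret.pdf",
    }
}

# Allowlist for the partition-key value; anything else is refused outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_query_params_unsafe(event):
    """The shape DynamoDB_NoSQL_Injection looks for: request data is
    interpolated into the condition expression text, so the caller can
    change the structure of the query, not just the value being compared."""
    username = event["queryStringParameters"]["username"]
    return {"KeyConditionExpression": f"username = {username}"}


def build_query_params_safe(event):
    """Validate the input, then pass it only as an expression attribute value
    behind the ':u' placeholder; the expression text itself stays constant.
    The result is the kwargs for boto3's Table.query(**params)."""
    username = event["queryStringParameters"]["username"]
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return {
        "KeyConditionExpression": "username = :u",
        "ExpressionAttributeValues": {":u": username},
    }


def confine_object_key(tenant, requested_key):
    """Pin a user-supplied S3 key under the caller's own prefix (assumed
    tenants/<tenant>/ layout). Traversal and absolute keys are rejected rather
    than silently rewritten; this is the kind of restriction Unrestricted_Read_S3
    and Unrestricted_Write_S3 report as missing when the raw key reaches the call."""
    if not requested_key or requested_key.startswith("/") or "\\" in requested_key:
        raise ValueError("invalid object key")
    normalized = posixpath.normpath(requested_key)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise ValueError("key escapes tenant prefix")
    return f"tenants/{tenant}/{normalized}"


def safe_rejects(event):
    """True if the safe query builder refuses the event's username."""
    try:
        build_query_params_safe(event)
    except ValueError:
        return True
    return False


def key_rejected(tenant, requested_key):
    """True if confine_object_key refuses the requested key."""
    try:
        confine_object_key(tenant, requested_key)
    except ValueError:
        return True
    return False


def plan_request(event, tenant="acme"):
    """Handler-shaped function that returns the boto3 arguments it would use.
    A real handler would call Table(plan['table_name']).query(**plan['query'])
    and s3.get_object(**plan['get_object']). Table and bucket names come from
    the environment (TABLE_NAME / BUCKET_NAME are assumed names, with offline
    fallbacks) and the tenant from the caller's verified identity; no access
    keys appear in code, which is what Hardcoded_AWS_Credentials checks for."""
    qs = event["queryStringParameters"]
    return {
        "table_name": os.environ.get("TABLE_NAME", "users-table"),
        "query": build_query_params_safe(event),
        "get_object": {
            "Bucket": os.environ.get("BUCKET_NAME", "reports-bucket"),
            "Key": confine_object_key(tenant, qs["key"]),
        },
    }


if __name__ == "__main__":
    print("flagged shape:", build_query_params_unsafe(TAMPERED_EVENT))
    print("planned calls:", plan_request(NORMAL_EVENT))
    print("tampered event rejected:", safe_rejects(TAMPERED_EVENT),
          key_rejected("acme", TAMPERED_EVENT["queryStringParameters"]["key"]))
```

The unsafe builder is kept only so the two shapes can be compared side by side: with the tampered event it returns an expression whose structure has changed, whereas the safe builder either returns a constant expression with the value in ExpressionAttributeValues or refuses the request. Since the page notes that this support is implemented purely in CxQL queries, which of these call sites a scan reports depends on those queries, not on any engine change.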
C# and .NET Core
The new C# and .NET Core support, which was introduced in the previous version, is now enabled by default.
To disable the new language support, set the USE_NEW_CSHARP flag to false in one of the following ways:
In the SAST database, run:
UPDATE [CxDB].[Config].[CxEngineConfigurationKeysMeta] SET [DefaultValue] = 'false' WHERE KeyName = 'USE_NEW_CSHARP'
In DefaultConfig.xml (located in the folders %programfiles%\Checkmarx\Checkmarx Audit and %programfiles%\Checkmarx\Checkmarx Engine Server), set:
<Configuration> <Key>USE_NEW_CSHARP</Key> <Value>false</Value> </Configuration>
Queries Improvements
The following queries have been improved to detect hardcoded credentials in appsettings.json files:
CSharp_WebConfig\HardcodedCredentials
CSharp_WebConfig\Password_in_Configuration_File
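The appsettings.json pattern those two queries look for, as an added example (written for this page, not Checkmarx's CxQL logic): a small Python checker that parses the file and reports the .NET-style configuration paths whose literal values look like credentials, either a secret-named key with a non-empty value or a Password=/Pwd= segment inside a connection string. The two JSON documents are constructed, and the key-name patterns are an assumption about what counts as a secret; empty values (the placeholder form left behind when a secret is moved out of the file) are deliberately not reported.

```python
import json
import re

# Constructed appsettings.json content with credentials left in the file.
APPSETTINGS_WEAK = """{
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=sa;Password=P@ssw0rd!"
  },
  "Smtp": { "Host": "mail.example.test", "Password": "hunter2" },
  "Logging": { "LogLevel": { "Default": "Information" } }
}"""

# The same file after the secrets were moved to user-secrets / environment
# variables: the connection string carries no Password segment and the SMTP
# password key is gone, so nothing remains for a scanner to report.
APPSETTINGS_FIXED = """{
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=sa;"
  },
  "Smtp": { "Host": "mail.example.test", "Password": "" },
  "Logging": { "LogLevel": { "Default": "Information" } }
}"""

# Assumed heuristics: key names that usually hold secrets, and the
# Password=/Pwd= segment of an ADO.NET-style connection string.
SECRET_KEY_RE = re.compile(r"(password|pwd|secret|apikey|api_key|token)", re.IGNORECASE)
CONNSTR_SECRET_RE = re.compile(r"(?:^|;)\s*(password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)


def find_hardcoded_credentials(text):
    """Parse an appsettings.json document and return the configuration paths
    (Section:Key form) whose string values look like hardcoded credentials."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            if SECRET_KEY_RE.search(key) and node.strip():
                findings.append(":".join(path))          # secret-named key, non-empty
            elif CONNSTR_SECRET_RE.search(node):
                findings.append(":".join(path))          # password inside a connection string

    walk(json.loads(text), [])
    return findings


if __name__ == "__main__":
    print("weak file:", find_hardcoded_credentials(APPSETTINGS_WEAK))
    print("fixed file:", find_hardcoded_credentials(APPSETTINGS_FIXED))
```

The reported paths use the Section:Key form that .NET configuration itself uses, which is also the form to use when moving a value out of the file, for example `dotnet user-secrets set "ConnectionStrings:Default" "..."` during development or the `ConnectionStrings__Default` environment variable in deployment; the JSON file then keeps only the non-secret parts of the value.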
MISRA C 2012
The improvements to the MISRA C 2012 preset for Coding Standards, added for the C language in 9.4.4, continue with additional rules.
In this version, the preset contains new and improved queries for the following rules:
5.4 & 5.5: Macro names and parameters must be distinct from other macro names.
17.5 & 17.8: A function parameter should not be modified.
17.6: Functions with array parameters
17.7: The value returned by a function having non-void return type should be used.
18.4: Pointer arithmetic is forbidden (except increment/decrement).
18.5: Pointers with more than two levels of indirection are forbidden.
18.6: The address of an object with automatic storage should not be copied to another object that persists after the first object has ceased to exist.
18.7 & 18.8: Variable Length and Flexible Arrays
19.1 & 19.2: Overlapping Storage
20.2: The characters ', ", , (comma), or \ and the /* or // character sequences should not occur in a header file name.
20.4: Macros should not be defined with the same name as a keyword.
20.13: Every # character at the beginning of a line should introduce a valid C preprocessor directive.
22.1 to 22.10: Resources
Vulnerability Queries
This version includes new and updated vulnerability descriptions, queries, and query-to-preset assignments.
For details, see Vulnerability Queries for 9.5.2.