Skip to main content

Release Notes for Engine Pack 9.5.2

Engine Pack 9.5.2 contains the following engine deliverables and enhancements:

Installation Notes

Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see Engine Pack Versions and Delivery Model.

CxSAST Engine Pack Enhancements

Languages and Frameworks

All supported code Languages & Frameworks versions can be found on the dedicated page.

The content includes the following:

  • Support for Dart language available as a Beta version

  • Added support for Flutter, a Dart framework, as a Beta version

  • The support for the Akka framework has been improved and updated to the latest version, 2.6.20

  • The Go language support has been updated to version 1.19

  • Added support for AWS Lambda for Python

  • C# and .NET improved support are now available as GA

  • C# queries improvements for detecting hardcoded credentials in appsettings.json filesThe improvements for the MISRA C 2012 standard have been completed

  • The improvements for the MISRA C 2012 standard have been completed.

Dart and Flutter (Beta)

The Dart support has been improved and we are adding support for the Flutter framework, both as Beta versions.

The following queries are available as part of this version:

  • Dart_High_Risk

    • Sensitive_Information_Over_HTTP

  • Dart_Mobile_High_Risk

    • Insecure_Android_SDK_Version

    • Unsafe_Reflection

  • Dart_Medium_Threat

    • Communication_Over_HTTP

    • Information_Exposure_Through_Query_String

  • Dart_Mobile_Medium_Threat

    • Improper_Certificate_Validation

    • Pasteboard_Leakage

    • Poor_Authorization_and_Authentication

    • Public_Storage_SQL_Injection

    • Public_Storage_WebView_JavaScript_Injection

    • SQL_Injection_from_URL_Scheme_or_Intent

  • Dart_Mobile_Low_Visibility

    • Hardcoded_Password_In_Gradle

    • Missing_Root_Or_Jailbreak_Check

    • Private_Storage_SQL_Injection

    • Private_Storage_WebView_JavaScript_Injection

    • Self_WebView_JavaScript_Injection

    • Use_of_Native_Language

Scala

The support for the Akka framework has been improved and updated to the latest version, 2.6.20.

Go

Go language support for the following functions has been updated to the version 1.19, and includes the following features:

  • hash/hashmap package

  • io/fs interface package

  • Modules

Besides the improvements in the language support, the initiative started in the previous engine pack continued, with additional improvements made with the creation of new and editing of existing queries.

AWS Lambdas - Python

In 9.5.2 we are adding new support for AWS Lambdas for Python.

Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.

DynamoDB and S3 library services are supported through Boto3, the AWS SDK for Python.

The following set of queries has been created under a group called Python_AWS_Lambda:

  • High_Severity.png AWS_Credentials_Leak

  • Medium_Severity.png Race_Condition_Concurrent_Instances

  • Medium_Severity.png Use_of_Hardcoded_Cryptographic_Key_On_Server

  • Low_Severity.png User_Based_SDK_Configurations

  • Low_Severity.png Hardcoded_AWS_Credentials

  • Related to DynamoDB

    • High_Severity.pngDynamoDB_NoSQL_Injection

  • Related to S3 Bucket

    • Medium_Severity.png Permission_Manipulation_in_S3 (Medium)

    • Low_Severity.png Unrestricted_Read_S3 (Low)

    • Low_Severity.png Unrestricted_Write_S3 (Low)

C# and .NET Core

The new C# and .NET Core support, which was introduced in the previous version, is now enabled by default.

To disable the new language support, set the flag USE_NEW_CSHARP to false, by performing one of the following:

  • In the SAST database: UPDATE [CxDB].[Config].[CxEngineConfigurationKeysMeta] SET [DefaultValue] = 'false' WHERE KeyName = 'USE_NEW_CSHARP'

  • In the DefaultConfig.xml (located inside the folder %programfiles%\Checkmarx\Checkmarx Audit , %programfiles%\Checkmarx\Checkmarx Engine Server):

    <Configuration>
        <Key>USE_NEW_CSHARP</Key>
        <Value>false</Value> 
    </Configuration>

Queries Improvements

The following queries has been improved to detect hardcoded credentials in appsettings.json files:

  • CSharp_WebConfig\HardcodedCredentials

  • CSharp_WebConfig\Password_in_Configuration_File

MISRA C 2012

The improvements to the MISRA C 2012 preset for Coding Standards, added for the C language in 9.4.4, continue with new additional rules.

In this version, the preset contains new and improved queries for the following rules:

  • 5.4.& 5.5: Macros names and parameters must be distinct from other macro names.

  • 17.5 &17.8: A function parameter should not be modified.

  • 17.6: Functions with array parameters

  • 17.7: The value returned by a function having non-void return type should be used.

  • 18.4: Pointer arithmetic is forbidden (except increment/decrement).

  • 18.5: Pointers with more than two levels of indirection are forbidden.

  • 18.6: The address of an object with automatic storage should not be copied to another object that persists after the first object has ceased to exist.

  • 18.7 & 18.8: Variable Length and Flexible Arrays

  • 19.1 & 19.2: Overlapping Storage

  • 20.2: The characters ', ", ,(comma), or \ and the /* or // character sequences should not occur in a header filename.

  • 20.4: Macros should not be defined with the same name as a keyword.

  • 20.13: All # characters in the beginning of a line should be a valid C Pre-Processor directive.

  • 22.1 to 22.10: Resources

Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and queries according to presets for this version.

For details, see Vulnerability Queries for 9.5.2.