Release Notes for Engine Pack 9.5.4

Caution

The Checkmarx certificate used for application code signing has been updated since the previous one has expired.

This might result in error messages depending on the environment settings, but these errors can be safely ignored.

Installation Notes

Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see Engine Pack Versions and Delivery Model.

CxSAST Engine Pack Enhancements

Engine Pack 9.5.4 contains the following engine deliverables and enhancements:

Languages and Frameworks

All supported code Languages & Frameworks versions can be found on the dedicated page.

The content includes the following:

Support for Python language has been updated to version 3.11
Support for C# updated to version 11 (Technical Preview).
C# queries improved for better accuracy and False Positive results reduction.
Dart & Flutter support has been finished (GA).
Support for Java language updated to version 18.
JavaScript: ReactJS and ExpressJS support updated to the latest versions.
Added the ability to identify T-SQL content when scanning PL/SQL and prevent parsing it as PL/SQL.
Added support for AWS Lambdas for Java.
The Top Tier preset, added in the previous engine pack, was improved to include COBOL and Dart queries.

CSharp (Tech Preview)

C# support was updated to the latest version 11 and is included as a part of the Technical Preview.

Notice

Technical Preview provides early access to upcoming product features so you can test their functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use. As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features.

Accuracy Improvements

A set of CSharp high queries has been reviewed to improve result accuracy and reduce the noise by decreasing false positive results. The CSharp accuracy will continue to be improved in upcoming versions.

Dart and Flutter (GA)

The Dart and Flutter support has been improved by adding new queries.

The following queries are available as part of this version:

Dart_High_Risk
- Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage
Dart_Mobile_Medium_Threat
- Broken_or_Risky_Encryption_Algorithm
- Broken_or_Risky_Hashing_Function
- Encoding_Used_Instead_of_Encryption
- Insecure_Asymmetric_Cryptographic_Algorithm_Parameters
- Insufficiently_Secure_Password_Storage_Algorithm_Parameters
- Third_Party_Keyboards_On_Sensitive_Field
- Unencrypted_Sensitive_Information_in_External_Storage
- Use_of_Cryptographically_Weak_PRNG
- Use_of_Hardcoded_Cryptographic_IV
- Use_of_Hardcoded_Cryptographic_Key_in_Client
- Use_of_Hardcoded_Salt
Dart_Mobile_Low_Visibility
- App_Transport_Security_Disabled
- Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage
- Implicit_Intent_With_Read_Write_Permissions
- Insecure_HTTP_Connections_Enabled
- Missing_Certificate_Pinning
- No_Installer_Verification_Implemented
- Secret_Stored_Outside_of_Keychain
- Unencrypted_Sensitive_Information_in_Internal_Storage
- Unencrypted_Sensitive_Information_in_Temporary_File
- Use_Of_Implicit_Intent_For_Sensitive_Communication
- Use_of_Non_Cryptographic_Random
- User_Information_in_Publicly_Accessible_Storage
Dart_Mobile_Best_Coding_Practice
- Encrypted_Sensitive_Information_in_External_Storage
- Unused_Permission
- Using_Deprecated_Methods
- WebView_Cache_Information_Leak

Java

Java language support has been updated to support version 18.

JavaScript

In this engine pack, the JavaScript support has been improved, by updating existing frameworks.

In 9.5.4, the ReactJS support was updated to version 18.
The ExpressJS support was updated to version 4.18.1.

PL/SQL

The PL/SQL support has been improved to introduce the ability to identify T-SQL content when scanning PL/SQL and prevent parsing it as PL/SQL.

Python

Python language support has been improved to support version 3.11, including the relevant features for the SAST engine support:

Self Type (PEP 673)
Variadic Generics (PEP 646)
Exception Groups and Excepts (PEP 654)

AWS Lambdas - Java

In 9.5.4 we are adding new support for AWS Lambdas for Java.

There was no need to improve other steps of the Engine, the given support with SAST is based on CxQL queries only.

DynamoDB and S3 library services are supported by supporting the AWS SDK for Java.

A new set of queries has been created under a group called Java_AWS_Lambda:

AWS_Credentials_Leak
Hardcoded_AWS_Credentials
User_Based_SDK_Configurations
Race_Condition_Global_Scope
Related to DynamoDB
DynamoDB_NoSQL_Injection
Related to S3 Bucket
- Permission_Manipulation_In_S3
- Use_of_Hardcoded_Cryptographic_Key_On_Server
- Unrestricted_Read_S3
- Unrestricted_Write_S3
- Unrestricted_Delete_S3

Presets

Top Tier

The Top Tier preset, added in the previous engine pack, was improved to include COBOL and Dart queries.

Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and queries according to presets for this version.

For details, see Vulnerability Queries for 9.5.4.

Supported Code Languages and Frameworks for EP 9.5.4

The following code languages can be scanned using CxSAST Engine Pack v9.5.4:

Environment

Primary Languages

Secondary Languages

Frameworks

File extensions

Java
J2SE
J2EE

JSP
JavaScript
VBScript
PL\SQL
HTML5

ATG DSP Taglib
GWT
Hibernate
Google Guice
Java Server Faces (JSF)
JSP
JSTL FMT Taglib
OWASP ESAPI
MyBatis
PrimeFaces
Sprint Boot
Spring MVC
Spring
Struts
Velocity

.java
.jsp
.jspf
.jsf
.tag
.tld
.mf
.xhtml
.vm
.gradle
.properties
.xml

C#
VB.NET

ASP.NET
JavaScript
VBScript
PL\SQL
HTML5

ASP.NET Core
ASP.Net Core Razor
ASP.Net MVC framework
Enterprise Libraries
ComponentArt
Entity framework
Hibernate.Net
Infragistics
iBatis
Telerik

.cs
.cshtml
.xaml
.vb
.config
.aspx
.ascx
.asax
.tag
.master
.xml

JavaScript [**]
VBScript
PL\SQL
HTML5

ASP.Net MVC Framework

.asp
.inc

.bas
.vbp
.frm
.cls
.dsr
.ctl

C/C++

C MISRA
C++ MISRA
Informix ESQL/C
MySQL

.cpp
.c
.cc
.c++
.cxx
.hpp
.hh
.h++
.hxx
.h
.ec
.cmake
.pro
.ac
.am
.txt (related to CmakeLists)

JavaScript

bWapp
CakePHP
OWASP ESAPI
Kohana
Symfony
Smarty
Zend

.php
.php3
.php4
.php5
.phtm
.phtml
.tpl
.ctp
.twig
.inc
.cgi

Apex

VisualForce
Lightning (Aura)
Lightning Web Components

.apex
.apexp
.apxc
.page
.component
.cls
.trigger
.tgr
.object
.report
.workflow
.-meta.xml
.xml

Ruby

Ruby on Rails

.rb
.rhtml
.rxml
.rjs
.erb
.cgi
.lock

JavaScript
Typescript

Ajax
Angular
AngularJS
Backbone
Cordova / PhoneGap
Handlebars
Hapi.JS
JQuery
Knockout
Kony Visualizer
Node.js
- Buffer
- CryptoJS
- ExpressJS
- File System (Fs)
- Hapi
- Mongodb
- OracleDB
- Sequelize
Pug (Jade)
React Native
ReactJS
SAPUI5
VueJS
XS (SAP)
RequireJS

.js
.jsx
.htm
.html
.json
.ts
.tsx
.aspx
.ascx
.xsjs
.xsjslib
.xsaccess
.xsapp
.app
.evt
.cmp
.hbs
.handlebars
.jade
.pug
.vue
.xml

VBScript

.vbs
.aspx
.ascx
.asp
.cshtml
.html
.htm
.master

Perl

.pl
.pm
.plx
.psgi
.cgi

Android (Java)

Volley

.java
.kt

Objective C
Swift

.m
.h
.swift
.xib
.plist

HTML 5

.html
.htm

PL/SQL

.pls
.sql
.pkh
.pks
.pkb
.pck

Python

JavaScript
VB script
PL\SQL

Django
Flask
Jinja and DTL
Pandas library

.py
.gtl
.csv
.latex
.tex
.html
.xml
.txt

Groovy

JavaScript
VB script
PL\SQL

.groovy
.gsh
.gvy
.gy
.gsp
.gradle

Scala

Akka
Finagle
Finatra

.scala
.conf

GO Language

Protobuf
gin-gonic/gin
gorilla-mux

.go
.mod

Kotlin

Ktor (Server Side)
Vert.x (Server Side)
Spring

.kt
.kts
,mustache
.ftl
.xml

Cobol

.cbl
.cob
.eco
.pco
.sqb
.cpy

.rpg
.rpg38
.sqlrpg
.rpgle
.sqlrpgle
.dspf

Dart

Flutter

.dart

Supported Code Languages and Frameworks (CxOSA)

CxOSA analyzes the open sources using the following methods:

Analyzes the open source third parties themselves, supported in the languages list below.
Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.

The following open source code analysis languages and package managers can be analyzed using v9.5.0:

Environment

File Extensions

Environment

File Extensions

Java

Jar files

.Net

DLL files

JavaScript

.js

TypeScript

React

NodeJS

Angular

WCF

WPF

DLL files

Kotlin

Python

Groovy

PHP

Scala

Package Managers

File Extensions

Package Managers

File Extensions

Gradle

Maven

NPM

Yarn

NuGet

nupkg files

Pip

Composer

SBT

Bower

Codebashing - Application Security Training Platform

For supported code for Codebashing, refer to the Codebashing documentation.

In this section:

Release Notes for Engine Pack 9.5.4

Caution

Installation Notes

Caution

Notice

CxSAST Engine Pack Enhancements

Languages and Frameworks

CSharp (Tech Preview)

Notice

Accuracy Improvements

Dart and Flutter (GA)

Java

JavaScript

PL/SQL

Python

AWS Lambdas - Java

Presets

Top Tier

Vulnerability Queries

Supported Code Languages and Frameworks for EP 9.5.4

Supported Code Languages and Frameworks (CxOSA)

Search results