API Security Language and Framework Support
This section provides relevant information about the current support for API security queries in Java.
Language | Framework | Framework Support Details | Details Needed |
---|---|---|---|
Java | Spring | | |
There are nine queries for Java support in SAST. The table below shows, for the framework, each query name, a brief description, and the category in SAST.
Framework | Query Name | Description | Category |
---|---|---|---|
Spring | Java_WebApi_GetApiList | This is the main query and returns the list of endpoint information. | Executable |
| Java_WebApi_MethodsWithAnnotation | Retrieves all the endpoints with API annotations. | General |
| Java_WebApi_MethodsNoAnnotation | Retrieves all the endpoints without API annotations but with a defined route template. | General |
| Java_WebApi_Create_Comment | Collects details for every endpoint and provides this information, including the URL, HTTP method, method name, method line, method row, response type, and request type. | General |
| Java_WebApi_RetrieveURLAndMethodInfo | Retrieves the method's route path, name, location, and request type (GET, POST, PUT or DELETE). | General |
| Java_WebApi_RetrieveResponseType | Retrieves method details related to response type, structure, and HTTP status code. | General |
| Java_WebApi_RetrieveRequestInfo | Retrieves method parameters, their name, data type, data structure, and source code location (line and file name), and determines if they serve as framework arguments. | General |
| Java_WebApi_GetType | Retrieves parameter type and its type structure, particularly when dealing with custom classes. | General |
| Java_WebApi_ExtractProperties | Retrieves the fields of an unknown class. | General |
This section aims to detail the limitations of the supported frameworks.
Spring
We only include the path parameter in the `RequestMappingInfo` object if it is a string literal. Where it is an array initializer or a binary expression, the query returns an empty string. When searching for the method, we rely only on the method name, since there is no available information about the controller, only the handler. This approach may lead to incorrect results if two methods have identical names. See example:

```java
RequestMappingInfo info = RequestMappingInfo.paths("/user/{id}").methods(RequestMethod.GET).build();
Method method = UserHandler.class.getMethod("getUser", Long.class);
mapping.registerMapping(info, handler, method);
```
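The following is an added example, not code from the Checkmarx documentation or from Spring, that shows the three path forms the Spring query distinguishes and the method-name collision the limitation above describes. `ProgrammaticRoutes`, `UserHandler`, `AdminHandler` and the `BASE` constant are assumed names.

```java
import java.lang.reflect.Method;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

public class ProgrammaticRoutes {
    private static final String BASE = "/api";

    // Two handlers with an identically named method (assumed classes for this example).
    public static class UserHandler {
        public String getUser(Long id) { return "user " + id; }
    }
    public static class AdminHandler {
        public String getUser(Long id) { return "admin view of user " + id; }
    }

    public static void register(RequestMappingHandlerMapping mapping,
                                UserHandler userHandler, AdminHandler adminHandler)
            throws NoSuchMethodException {
        // 1. String literal: the query records "/user/{id}" as the endpoint path.
        RequestMappingInfo literal = RequestMappingInfo.paths("/user/{id}")
                .methods(RequestMethod.GET).build();
        // 2. Array initializer: the query stores an empty string as the path.
        RequestMappingInfo array = RequestMappingInfo.paths(new String[] {"/user", "/users"})
                .methods(RequestMethod.GET).build();
        // 3. Binary expression: also reported with an empty path.
        RequestMappingInfo concat = RequestMappingInfo.paths(BASE + "/user")
                .methods(RequestMethod.POST).build();

        // The handler method is matched by name only, so the two "getUser" methods
        // below cannot be told apart and one endpoint may be attributed to the wrong class.
        Method userGetUser = UserHandler.class.getMethod("getUser", Long.class);
        Method adminGetUser = AdminHandler.class.getMethod("getUser", Long.class);

        mapping.registerMapping(literal, userHandler, userGetUser);
        mapping.registerMapping(array, userHandler, userGetUser);
        mapping.registerMapping(concat, adminHandler, adminGetUser);
    }
}
```

Only the first registration yields a complete endpoint record; rewriting the other two as string literals, and giving the handler methods distinct names, is what makes them inventoried correctly.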
In the Spring framework, methods without annotations are filtered out based on the following criteria:
- Annotations like @PostConstruct, @ExceptionHandler, @Bean, @Scheduled, @InitBinder and @ModelAttribute.
- Static methods and classes.
- Private classes.
- Methods with the @Override annotation.
- Methods with the @Value annotation.
- Methods with the @Test annotation.
Method Invokes
This section provides relevant information about the current support for API security queries in the C# language.
Language | Framework | Framework Support Details | Details Needed |
---|---|---|---|
CSharp | Web API / MVC | | |
There are ten queries for C# support in SAST. The table below provides a brief overview of them.
Framework | Query Name | Description | Category |
---|---|---|---|
Web API / MVC | CSharp_WebApi_GetApiList | This is the main query and returns the list of endpoint information. | Executable |
| CSharp_WebApi_MethodAnnotation | Retrieves all the endpoints with API annotations. | General |
| CSharp_WebApi_MethodNoAnnotation | Retrieves all the endpoints without API annotations but with a defined route template. | General |
| CSharp_WebApi_Check_RouteTemplate | Retrieves the method's parameters that are passed in a route template. | |
| CSharp_WebApi_Create_Comment | Collects details for every endpoint and provides this information, including the URL, HTTP method, method name, method line, method row, response type, and request type. | General |
| CSharp_WebApi_RetrieveUrlHttpMethod | Retrieves the method's route path, name, location, and request type (GET, POST, PUT or DELETE). | General |
| CSharp_WebApi_RetrieveResponseType | Retrieves method details related to response type, structure, and HTTP status code. | General |
| CSharp_WebApi_RetrieveRequestInfo | Retrieves method parameters, their name, data type, data structure, and source code location (line and file name), and determines if they serve as framework arguments. | General |
| CSharp_WebApi_GetType | Retrieves parameter type and its type structure, particularly when dealing with custom classes. | General |
| CSharp_WebApi_ExtractProperties | Retrieves the fields of an unknown class. | General |
This section aims to detail the limitations of the supported frameworks.
Web API
At this time, to avoid excessive query performance overhead, when we encounter a class that invokes another class with fields (and so on), we only fetch the fields during the initial iteration. As an example, see below:

```csharp
// Handler signature only; the method body is not part of the example.
public async Task<ActionResult<int>> Create([FromBody] CreateProductCommand command)

public class CreateProductCommand : IRequest<int>
{
    public string ProductName { get; set; }
    public Category ProductCategory { get; set; }
}

public class Category
{
    public string CategoryName { get; set; }
}
```

JSON Result

```json
"requestInfo": [{
  "ParamName": "command",
  "ParamType": "CreateProductCommand",
  "typeStructure": {
    "ProductName": "string",
    "ProductCategory": "Category"
  },
  "ParamLocation": "bodyParam"
}]
```

Note that `ProductCategory` is reported only by its type name, `Category`; the fields of `Category` (here `CategoryName`) are not expanded.
This section provides relevant information about the current support for API security queries in the Python language.
Language | Framework | Framework Support Details | Details Needed |
---|---|---|---|
Python | Django | | Each call to path/re_path and parameters |
| Flask | | The decoration and its parameter values. The call parameters |
There are 12 queries to support Python in SAST. The table below provides a brief overview of them.
Framework | Query Name | Description | Category |
---|---|---|---|
Django | Python_Django_WebApi_GetApiList | This is the main query and returns the list of endpoint information. | Executable |
| Python_WebApi_Django | Retrieves all the endpoints in Django. | General |
| Python_WebApi_Django_CreateComment | Collects details for every endpoint and provides this information, including the URL, HTTP method, method name, method line, method row, response type, and request type. | General |
| Python_WebApi_Django_RetrieveURLAndMethodInfo | Retrieves the method's route path, name, location, and request type (GET, POST, PUT or DELETE). | General |
| Python_WebApi_Django_RetrieveResponseType | Retrieves method details related to response type, structure, and HTTP status code. | General |
| Python_WebApi_Django_RetrieveRequestInfo | Retrieves method parameters, their name, data type, data structure, and source code location (line and file name), and determines if they serve as framework arguments. | General |
Flask | Python_Flask_WebApi_GetApiList | This is the main query and returns the list of endpoint information. | Executable |
| Python_WebApi_Flask | Retrieves all the endpoints in Flask. | General |
| Python_WebApi_Flask_CreateComment | Collects details for every endpoint and provides this information, including the URL, HTTP method, method name, method line, method row, response type, and request type. | General |
| Python_WebApi_Flask_RetrieveRequestInfo | Retrieves method parameters, their name, data type, data structure, and source code location (line and file name), and determines if they serve as framework arguments. | General |
| Python_WebApi_Flask_RetrieveResponseType | Retrieves method details related to response type, structure, and HTTP status code. | General |
| Python_WebApi_Flask_RetrieveURLAndMethodInfo | Retrieves the method's route path, name, location, and request type (GET, POST, PUT or DELETE). | General |
This section aims to detail the limitations of supported frameworks.
Django
The Django query only considers specific imports, namely `from django.contrib import admin` and `from rest_framework import routers`. Currently, we don't support Generics nested inside other Generics for the method's response type. In these cases the response type is therefore empty, for instance `"type": ""`. See the example below:

```python
from typing import List, Union

# The nested generic List[Union[...]] in the return annotation is reported as "type": "".
@app.route('/signup/', methods=['GET', 'POST'])
def signup(arr: List[Union[int, float]]) -> List[Union[int, float]]:
    ...
```
This page provides relevant information about the current support for API security queries in the JavaScript language.
Language | Framework | Framework Support Details | Details Needed |
---|---|---|---|
JavaScript | Express | | The call and parameters |
Six queries support Express in SAST. The table below provides a brief overview of them.
Framework | Query Name | Description | Category |
---|---|---|---|
Express | NodeJS_Express_WebApi_GetApiList | This is the main query and returns the list of endpoint information. | Executable |
| NodeJS_WebApi_Express | Returns all the endpoints and their URL (e.g., `"url": "api/Home"`). | General |
| NodeJS_WebApi_Express_CreateComment | Collects details for every endpoint and provides this information, including the URL, HTTP method, method name, method line, method row, response type, and request type. | General |
| NodeJS_WebApi_Express_RetrieveURLandMethodInfo | Retrieves the method's route path, name, location, and request type (GET, POST, PUT or DELETE). | General |
| NodeJS_WebApi_Express_RetrieveResponseType | Retrieves method details related to response type, structure, and HTTP status code. | General |
| NodeJS_WebApi_Express_RetrieveRequestInfo | Retrieves method parameters, their name, data type, data structure, and source code location (line and file name), and determines if they serve as framework arguments. | General |
Important
Due to a limitation in the SAST scanner (the default value of `lazy_flow_max_depth_count`), in projects where a single file contains many endpoints (e.g., 50 endpoints in one file), endpoints past a certain point will not be shown. Please contact Checkmarx support to have this default value configured to suit your needs.