Engine Pack Version 9.6.3
CxSAST Engine
Languages & Frameworks
All supported code Languages & Frameworks versions are listed here: Engine Pack Supported Code Languages and Frameworks (9.6.3).
Rust
In 9.6.3, support for the Rust language is introduced in the SAST engine as a Technology Preview. The following constructs are parsed:
Control structures: Loop; While; For; If (statement).
Declarations: Functions; Literals (Boolean, Char, Number, String); Variables and constants; Enums; Modules; Paths / Packages; Tuples; Arrays; Structs; Collections; Custom Attributes; Generics; Impl; Traits; Type Alias; Where clauses.
Expressions: Return; Operators; Member accesses; String interpolation; If (expression); If let; Match expressions; Range; Lambda; Pointers; Imports.
Others: Block scopes; Macros By Example.
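As an added example that is not part of these release notes or of the Checkmarx engine, the following constructed Rust file exercises every construct in the preview list above (loops, if / if let / match, enums, structs, traits, impl blocks, generics with where clauses, a type alias, a module, tuples, arrays, closures, string interpolation and a macro_rules! macro). Scanning it in a pilot project is a cheap way to confirm the preview parser accepts each construct before pointing it at real crates. All names and the sample input are illustrative and assumed, not engine identifiers.

```rust
// Constructed fixture, not Checkmarx code: exercises the Rust constructs the
// 9.6.3 Technology Preview lists so a pilot scan can be checked for parse errors.
use std::fmt; // Imports, paths

type Score = u32; // Type alias
const LIMIT: Score = 100; // Constant, number literal

#[derive(Debug, Clone, Copy, PartialEq)] // Custom attributes
enum Severity { Low, Medium, High } // Enum

struct Finding { name: String, severity: Severity } // Struct

trait Weighted { fn weight(&self) -> Score; } // Trait

impl Weighted for Finding { // Impl block
    fn weight(&self) -> Score {
        match self.severity { // Match expression
            Severity::Low => 1,
            Severity::Medium => 5,
            Severity::High => 10,
        }
    }
}

impl fmt::Display for Finding {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{} [{:?}]", self.name, self.severity) // String interpolation
    }
}

mod parsing { // Module
    use super::Severity;

    macro_rules! sev { // Macro by example
        (low) => { Severity::Low };
        (medium) => { Severity::Medium };
        (high) => { Severity::High };
    }

    /// Parses a "sev:<level>" tag; anything else yields None.
    pub fn parse(tag: &str) -> Option<Severity> {
        if let Some(rest) = tag.trim().strip_prefix("sev:") { // If let
            return match rest { // Return statement
                "low" => Some(sev!(low)),
                "medium" => Some(sev!(medium)),
                "high" => Some(sev!(high)),
                _ => None,
            };
        }
        None
    }
}

/// Parses "name,sev:level" lines; malformed lines are skipped.
fn parse_all(lines: &[&str]) -> Vec<Finding> {
    let mut findings: Vec<Finding> = Vec::new(); // Collection
    let mut i = 0; // Mutable variable
    while i < lines.len() { // While loop
        let fields: Vec<&str> = lines[i].split(',').collect();
        i += 1;
        if fields.len() != 2 { continue; } // If statement
        if let Some(severity) = parsing::parse(fields[1]) {
            findings.push(Finding { name: fields[0].trim().to_string(), severity });
        }
    }
    findings
}

fn total<T>(items: &[T]) -> Score // Generics
where
    T: Weighted, // Where clause
{
    let mut sum: Score = 0;
    for item in items { // For loop
        sum += item.weight(); // Operators, member access
    }
    sum
}

/// Returns (total weight capped at LIMIT, counts per severity) as a tuple.
fn summarize(findings: &[Finding]) -> (Score, [usize; 3]) { // Tuple, array
    let mut counts: [usize; 3] = [0; 3]; // Array literal
    for f in findings {
        counts[f.severity as usize] += 1;
    }
    let capped = { // Block scope
        let raw = total(findings);
        if raw > LIMIT { LIMIT } else { raw } // If expression
    };
    (capped, counts)
}

/// Draws one '#' per `step` points of weight (weight 10, step 5 -> "##").
fn bar(weight: Score, step: Score) -> String {
    let mut out = String::new();
    let mut drawn: Score = 0;
    loop { // Loop with break
        if drawn >= weight { break; }
        out.push('#'); // Char literal
        drawn += step;
    }
    out
}

/// One rendered line per finding, optionally with a weight bar.
fn render(findings: &[Finding], show_bar: bool) -> Vec<String> {
    let fmt_line = |f: &Finding| -> String { // Lambda taking a reference (pointer)
        if show_bar { format!("{} {}", f, bar(f.weight(), 5)) } else { f.to_string() }
    };
    (0..findings.len()).map(|i| fmt_line(&findings[i])).collect() // Range
}

fn main() {
    // Constructed sample input; "garbage" is deliberately malformed and skipped.
    let input = ["login,sev:high", "banner, sev:low", "garbage", "crypto,sev:medium"];
    let findings = parse_all(&input);
    let (score, counts) = summarize(&findings);
    for line in render(&findings, true) { println!("{line}"); }
    println!("score={score} counts={counts:?}"); // Boolean literal passed above
}
```

The fixture carries no claim about which queries fire on it; it only checks that the preview parser gets through every listed construct without an error in the scan log.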
Notice
To avoid licensing errors in CxAudit when scanning Rust, perform the following after installing 9.6.3:
1. Install 9.6 HF5.
2. Obtain a new license that includes the Rust language.
Notice
Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported and might not be functionally complete.
As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.
Fast Scan
To shorten SAST engine scan times, a new scan mode is introduced: Fast Scan.
Fast Scan reduces the scanning time of a project so that the most significant vulnerabilities are surfaced quickly and continuous deployment pipelines can gate on security results without long waits, giving developers faster feedback on what to fix first. Fast Scan targets the most significant and relevant vulnerabilities; the existing in-depth scan mode offers deeper coverage, so a clean Fast Scan should not be read as a clean in-depth scan. For the most critical projects with a zero-vulnerability policy, it is advised to run the in-depth scan mode as well. With the new mode alongside the in-depth mode, the SAST engine addresses two distinct use cases:
Fast scans that surface the most relevant vulnerabilities quickly.
Exhaustive, deep scans for the most mission-critical and sensitive projects and applications.
See the Fast Scan entry for how to configure this scan mode.
Presets
Base Preset
A new preset, the Base Preset, has been added to the SAST engine.
It favours scan speed, returning results focused on pertinent, high-impact vulnerabilities. Use it as a starting point and customize it to your requirements.
For further details, please see Base Preset .
STIG
The STIG preset and its corresponding category have been updated to support version 5.3.
Scanning Unsupported Files - New Error Code
The error code returned when attempting to scan unsupported files has changed from -1 to the new code 60.
Notice
To ensure a seamless transition and prevent errors, before upgrading to version 9.6.3:
Carefully review your existing pipelines and workflows.
Identify any configurations, scripts or dependencies that match on the old error code -1 (for example, a CI step that treats -1 as "unsupported files" rather than as a scan failure).
Update them to the new code 60. Making these adjustments before the upgrade avoids disruptions caused by the change and keeps your processes running as before.
XML Files Pre-Processing in Java
Until now, when scanning Java, several XML files (such as AndroidManifest.xml, build.xml and struts-config.xml) were translated into the Java DOM during pre-processing.
This made the DOM excessively large while benefiting fewer than 1% of queries. To avoid the oversized DOM, the XML pre-processing has been removed and the affected queries have been refactored to use APIs that navigate the XML files directly.
Notice
These changes discontinue the use of the DOM for XML files during Java scanning. Consequently, any customized queries that rely on the DOM of these files must be updated to use the XML API. After upgrading, re-run such custom queries against a project that previously produced results to confirm they still match.
Engine Pack Supported Code Languages and Frameworks (9.6.3)
Environment and Primary Languages | Secondary Languages | Framework | File extensions | Additional Information
---|---|---|---|---
(The rows of this table did not survive extraction. The only cell contents recovered are: "Java can be configured as a unified language with Scala."; "JavaScript"; "This is for Salesforce APEX only."; "Scala can be configured as a unified language with Java.")
Vulnerability Queries 9.6.3
All queries that are executed in version 9.6.3 are available for download - PDF, CSV
New and updated queries in version 9.6.3 are available for download - PDF, CSV
Queries associated with predefined query presets are available for download - PDF, CSV
Release Notes for Engine Pack (EP) 9.6.3 Patches
Version 9.6.3.1001 (February 2024)