
Engine Pack Version 9.6.6

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions are on the dedicated page Engine Pack Supported Code Languages and Frameworks.

New SAST Engine

Folders and File Exclusions

Continuing the work on the new SAST engine to reduce scan execution time, this engine pack introduces a setting that excludes a predefined set of folders and files from scans.

Skipping this content shortens scans and lets developers find and fix vulnerabilities in the code that matters sooner, which supports faster and more frequent deployments.

Note that enabling this option is not recommended for applications with critical security requirements: any vulnerability located in an excluded folder or file will not be reported.

For further details about the list of exclusions, please see File Exclusions Rules.

Warning

For SAST on-premises users only: when enabled, File Exclusion Rules apply to all projects; the setting cannot be enabled for individual projects.

This setting (PREDEFINED_FILE_EXCLUSIONS_ENABLED) can be enabled in the database:

update [CxDB].[Config].[CxEngineConfigurationKeysMeta] set [DefaultValue] = 'true' where [KeyName] = 'PREDEFINED_FILE_EXCLUSIONS_ENABLED';

or via a configuration file with the following content:

<?xml version="1.0" encoding="windows-1252"?>
<Root_Element>
        <Configuration>
                <Key>PREDEFINED_FILE_EXCLUSIONS_ENABLED</Key>
                <Value>true</Value>
        </Configuration>
</Root_Element>
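Because the setting applies to every project on an on-premises installation, it is worth measuring what the exclusion list would remove from scan scope before enabling it. The following Python script is an added example and not Checkmarx code; its exclusion patterns are hypothetical stand-ins for the product's File Exclusion Rules (which this page only links to), and its sample file tree is constructed inline. It partitions a file list into scanned and excluded paths and flags excluded files that still look like application code, which is exactly the case the warning above is about.

```python
"""Audit the scan-scope impact of a predefined folder/file exclusion list.

Added example, not Checkmarx code. EXCLUDED_FOLDERS and EXCLUDED_FILE_GLOBS
are hypothetical stand-ins for the product's File Exclusion Rules; replace
them with the documented list before drawing conclusions about a real project.
"""
from __future__ import annotations

import fnmatch
from pathlib import PurePosixPath

# Hypothetical exclusion rules (assumption, not the product's actual list).
EXCLUDED_FOLDERS = frozenset({"node_modules", "vendor", "test", "tests", "docs", ".git"})
EXCLUDED_FILE_GLOBS = ("*.min.js", "*.map", "*.md", "*.png")

# Suffixes that indicate code the scanner would otherwise analyse.
CODE_SUFFIXES = frozenset({".java", ".cs", ".php", ".js", ".ts", ".py", ".sh", ".go", ".rs"})

# Constructed sample tree, paths relative to the project root (no disk access).
SAMPLE_TREE = [
    "src/main/java/com/acme/Login.java",
    "src/test/java/com/acme/LoginTest.java",
    "web/static/app.js",
    "web/static/app.min.js",
    "vendor/lib/helper.php",
    "docs/README.md",
    "tools/test/fixtures/deploy.sh",      # lives under a "test" folder but is real tooling
    "node_modules/left-pad/index.js",
]


def exclusion_reason(path: str) -> str | None:
    """Return why `path` would be skipped, or None if it stays in scope.

    Folder rules match any directory component of the path; file rules are
    glob patterns matched against the file name only.
    """
    p = PurePosixPath(path)
    for part in p.parts[:-1]:
        if part in EXCLUDED_FOLDERS:
            return f"folder:{part}"
    for pattern in EXCLUDED_FILE_GLOBS:
        if fnmatch.fnmatch(p.name, pattern):
            return f"file:{pattern}"
    return None


def partition(paths: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split `paths` into (still scanned, {excluded path: reason})."""
    scanned: list[str] = []
    excluded: dict[str, str] = {}
    for path in paths:
        reason = exclusion_reason(path)
        if reason is None:
            scanned.append(path)
        else:
            excluded[path] = reason
    return scanned, excluded


def risky_exclusions(excluded: dict[str, str]) -> list[str]:
    """Excluded paths that still look like application code.

    Anything listed here would never appear in scan results once the setting
    is on, so review each one before enabling the exclusions for all projects.
    """
    return sorted(p for p in excluded if PurePosixPath(p).suffix in CODE_SUFFIXES)


if __name__ == "__main__":
    kept, dropped = partition(SAMPLE_TREE)
    print(f"scanned: {len(kept)} files, excluded: {len(dropped)} files")
    for path, why in dropped.items():
        print(f"  excluded {path} ({why})")
    for path in risky_exclusions(dropped):
        print(f"  REVIEW: code file out of scope -> {path}")
```

Run it against a real file listing (for example the output of `git ls-files`) with the documented rules substituted in; every path reported under REVIEW is code that a scan would silently stop covering.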

Privacy Violation Query Improvements

This engine pack includes performance enhancements to the Privacy Violation query for Java and C#. As a result, the query's execution time has been reduced by up to 80%.

Rust

Rust support has been extended with additional queries.

The following queries are available as part of this version:

  • Rust_High_Risk

    • Arbitrary_File_Write

    • Dangerous_File_Inclusion

    • LDAP_Injection

    • Observable_Timing_Discrepancy

    • Sensitive_Information_Exposure_in_Cleartext_Channel

    • Stored_LDAP_Injection

    • Unsafe_Archive_Unpacking

  • Rust_Medium_Threat

    • HttpOnly_Cookie_Flag_Not_Set

    • Insufficiently_Secure_Password_Storage_Algorithm_Parameters

    • Length_Extension_Attack

    • Parameter_Tampering

    • PCI_Data_Exposure

    • Permission_Manipulation_in_S3

    • Reliance_on_DNS_Lookups_in_a_Decision

    • Secret_Leak

    • Secret_Leak_in_Error_Messages

    • Secret_Leak_in_Files

    • Secret_Leak_in_Logs

    • Secret_Leak_in_URL

    • Secure_Cookie_Flag_Not_Set

    • Uncontrolled_Memory_Allocation

    • Unsafe_Reflection

    • Use_of_Cryptographically_Weak_PRNG

    • Using_Referer_Field_for_Authentication

  • Rust_Low_Visibility

    • Cookie_Overly_Broad_Path

    • Divide_By_Zero

    • Frameable_Login_Page

    • Improper_Error_Handling

    • Improper_Transaction_Handling

    • Insecure_Value_of_the_SameSite_Cookie_Attribute

    • Integer_Overflow

    • Log_Forging

    • Misconfigured_HSTS

    • Misconfigured_X_Content_Type_Options

    • Missing_Content_Security_Policy

    • Missing_Framing_Policy

    • Missing_HSTS

    • PCI_Data_Exposure_in_Error_Messages

    • PCI_Data_Exposure_in_Files

    • PCI_Data_Exposure_in_Logs

    • PCI_Data_Exposure_in_URL

    • Permissive_Content_Security_Policy

    • Privacy_Violation_in_Error_Messages

    • Privacy_Violation_in_URL

    • Trust_Boundary_Violation_in_Session_Variables

    • Type_Conversion_Error

    • Unchecked_Return_Value_to_NULL_Pointer_Dereference

    • Use_of_Deprecated_API

    • Use_of_Non_Cryptographic_Random

    • Use_of_Unsafe_Keyword

  • Rust_Best_Coding_Practice

    • Input_Path_Not_Canonicalized

Notice

Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.

As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.

Engine .NET update

The engine component has been updated to .NET 8.

The minimum .NET version required for this engine pack is 8.0.3.

Critical Severity

Warning

Critical severity will be added to the SAST engine's list of severity options in the upcoming major version, 9.7.0.

  • All queries will be revised and their severity adjusted to include Critical severity.

    Details on the affected queries can be found on this page, Queries Severity Revision.

  • The new severity will only be reflected by new scans executed after upgrading to 9.7.0; older scans and their results will be unaffected.

Engine Pack Supported Code Languages and Frameworks (9.6.6)

Each entry below lists the environment and primary languages, followed by the secondary languages, frameworks, file extensions, and any additional information.

Java
  • Environment and primary languages: Java, J2SE, J2EE, JSP
  • Secondary languages: JavaScript, VBScript, PL\SQL, HTML5
  • Framework: ATG DSP Taglib, GWT, Hibernate, Google Guice, Java Server Faces (JSF), JSP, JSTL FMT Taglib, OWASP ESAPI, MyBatis, PrimeFaces, Spring Boot, Spring MVC, Spring, Struts, Velocity
  • File extensions: .java, .jsp, .jspf, .jsf, .tag, .tld, .mf, .xhtml, .vm, .gradle, .properties, .jspdsbld, .wod, .xml, .yml, .yaml
  • Additional information: Java can be configured as a unified language with Scala.

ASP.NET
  • Environment and primary languages: ASP.NET
  • Secondary languages: JavaScript, VBScript, PL\SQL, HTML5
  • Framework: ASP.NET Core, ASP.Net Core Razor, ASP.Net MVC framework, Enterprise Libraries, ComponentArt, Entity framework, Hibernate.Net, Infragistics, iBatis, Telerik, Dapper
  • File extensions: .cs, .cshtml, .xaml, .vb, .config, .aspx, .ascx, .asax, .tag, .master, .xml

ASP
  • Environment and primary languages: ASP
  • Secondary languages: JavaScript [**], VBScript, PL\SQL, HTML5
  • Framework: ASP.Net MVC framework
  • File extensions: .asp, .inc

VB6
  • Environment and primary languages: VB6
  • File extensions: .bas, .vbp, .frm, .cls, .dsr, .ctl

C / C++
  • Environment and primary languages: C, C++, C MISRA, C++ MISRA
  • Framework: Informix ESQL/C, MySQL
  • File extensions: .cpp, .c, .cc, .c++, .cxx, .hpp, .hh, .h++, .hxx, .h, .ec, .cmake, .pc, .pro, .ac, .am, .txt (related to CMakeLists), .ph

PHP
  • Environment and primary languages: PHP
  • Secondary languages: JavaScript
  • Framework: bWapp, CakePHP, OWASP ESAPI, Kohana, Symfony, Smarty, Zend
  • File extensions: .php, .php3, .php4, .php5, .phtm, .phtml, .tpl, .ctp, .twig, .inc, .cgi, .env, .ini

Apex
  • Environment and primary languages: Apex
  • Framework: VisualForce, Lightning (Aura), Lightning Web Components
  • File extensions: .apex, .apexp, .apxc, .page, .component, .cls, .trigger, .tgr, .object, .report, .workflow, -meta.xml, .xml
  • Additional information: This is for Salesforce APEX only.

Ruby
  • Environment and primary languages: Ruby
  • Framework: Ruby on Rails
  • File extensions: .rb, .rhtml, .rxml, .rjs, .erb, .cgi, .lock

JavaScript
  • Environment and primary languages: JavaScript, TypeScript
  • Framework: Ajax, Angular, AngularJS, Backbone, Cordova / PhoneGap, Handlebars, Hapi.JS, JQuery, Knockout, Kony Visualizer, Node.js (Buffer, CryptoJS, ExpressJS, File System, Hapi, Mongodb, OracleDB, Sequelize), Pug (Jade), React Native, ReactJS, SAPUI5, VueJS, XS (SAP), RequireJS
  • File extensions: .js, .jsx, .htm, .html, .json, .ts, .tsx, .aspx, .ascx, .xsjs, .xsjslib, .xsaccess, .xsapp, .app, .evt, .cmp, .hbs, .handlebars, .jade, .pug, .vue, .xml, .apexp, .page, .component, .cshtml, .jsf, .xhtml, .jsp, .jspf, .asp, .master, .php

VBScript
  • Environment and primary languages: VBScript
  • File extensions: .vbs, .aspx, .ascx, .asp, .cshtml, .html, .htm, .master

Perl
  • Environment and primary languages: Perl
  • File extensions: .pl, .pm, .plx, .psgi, .cgi

Android (Java)
  • Environment and primary languages: Android (Java)
  • Framework: Volley
  • File extensions: .java, .kt

Objective-C / Swift
  • Environment and primary languages: Objective-C, Swift
  • File extensions: .m, .h, .swift, .xib, .plist

HTML5
  • Environment and primary languages: HTML 5
  • File extensions: .html, .htm

PL/SQL
  • Environment and primary languages: PL/SQL
  • File extensions: .pls, .sql, .pkh, .pks, .pkb, .pck

Python
  • Environment and primary languages: Python
  • Secondary languages: JavaScript, VB script, PL\SQL
  • Framework: Django, Flask, Jinja and DTL, Pandas library, Marshmallow
  • File extensions: .py, .gtl, .csv, .latex, .tex, .html, .xml, .txt

Groovy
  • Environment and primary languages: Groovy
  • Secondary languages: JavaScript, VB script, PL\SQL
  • File extensions: .groovy, .gsh, .gvy, .gy, .gsp, .gradle

Scala
  • Environment and primary languages: Scala
  • Framework: Akka, Finagle, Finatra
  • File extensions: .scala, .conf
  • Additional information: Scala can be configured as a unified language with Java.

Go
  • Environment and primary languages: Go
  • Framework: Protobuf, gin-gonic/gin, gorilla-mux
  • File extensions: .go, .mod

Kotlin
  • Environment and primary languages: Kotlin
  • Framework: Ktor (Server Side), Vert.x (Server Side), Spring
  • File extensions: .kt, .kts, .mustache, .ftl, .xml

Cobol
  • Environment and primary languages: Cobol
  • File extensions: .cbl, .cob, .eco, .pco, .sqb, .cpy

RPG
  • Environment and primary languages: RPG
  • File extensions: .rpg, .rpg38, .sqlrpg, .rpgle, .sqlrpgle, .dspf

Dart
  • Environment and primary languages: Dart
  • Framework: Flutter
  • File extensions: .dart, .yaml

Lua
  • Environment and primary languages: Lua
  • Framework: OpenResty
  • File extensions: .lua, .conf

Rust
  • Environment and primary languages: Rust
  • File extensions: .rs

Vulnerability Queries 9.6.6

All queries that are executed in version 9.6.6 are available for download (PDF, CSV).

New and updated queries in version 9.6.6 are available for download (PDF, CSV).

Queries associated with predefined query presets are available for download (PDF, CSV).

New and Changed Queries Details (PDF).

Queries Severity Revision

This PDF lists the queries whose severity levels will be updated as part of adding the new Critical severity level in SAST 9.7.0.