Engine Pack Version 9.6.6
CxSAST Engine
Languages & Frameworks
The supported code languages and framework versions are listed on the dedicated page Engine Pack Supported Code Languages and Frameworks.
New SAST Engine
Folders and File Exclusions
Continuing the improvements to the new SAST engine aimed at reducing scan execution time, a new setting excludes a predefined set of folders and files from scans.
Skipping this content shortens scans, so vulnerabilities in the remaining, more relevant code are identified and resolved sooner, which supports faster and more frequent deployments.
Note that enabling this option may not be appropriate for applications with strict security requirements: any vulnerability located in an excluded folder or file will not be reported.
For further details about the list of exclusions, please see File Exclusions Rules.
Warning
For SAST on-premises users only: when enabled, the File Exclusion Rules apply to all projects; they cannot be enabled for individual projects.
This setting (PREDEFINED_FILE_EXCLUSIONS_ENABLED) can be enabled in the database:
    update [CxDB].[Config].[CxEngineConfigurationKeysMeta] set [DefaultValue] = 'true' where [KeyName] = 'PREDEFINED_FILE_EXCLUSIONS_ENABLED';
or via a configuration file with the following content:
    <?xml version="1.0" encoding="windows-1252"?>
    <Root_Element>
      <Configuration>
        <Key>PREDEFINED_FILE_EXCLUSIONS_ENABLED</Key>
        <Value>true</Value>
      </Configuration>
    </Root_Element>
Privacy Violation Query Improvements
This engine pack includes performance enhancements to the Privacy Violation query for Java and C# languages.
As a result, query execution time has been reduced by up to 80%.
Rust
Rust support has been extended with additional queries.
The following queries are available in this version, listed by query group:
Rust_High_Risk
Arbitrary_File_Write
Dangerous_File_Inclusion
LDAP_Injection
Observable_Timing_Discrepancy
Sensitive_Information_Exposure_in_Cleartext_Channel
Stored_LDAP_Injection
Unsafe_Archive_Unpacking
Rust_Medium_Threat
HttpOnly_Cookie_Flag_Not_Set
Insufficiently_Secure_Password_Storage_Algorithm_Parameters
Length_Extension_Attack
Parameter_Tampering
PCI_Data_Exposure
Permission_Manipulation_in_S3
Reliance_on_DNS_Lookups_in_a_Decision
Secret_Leak
Secret_Leak_in_Error_Messages
Secret_Leak_in_Files
Secret_Leak_in_Logs
Secret_Leak_in_URL
Secure_Cookie_Flag_Not_Set
Uncontrolled_Memory_Allocation
Unsafe_Reflection
Use_of_Cryptographically_Weak_PRNG
Using_Referer_Field_for_Authentication
Rust_Low_Visibility
Cookie_Overly_Broad_Path
Divide_By_Zero
Frameable_Login_Page
Improper_Error_Handling
Improper_Transaction_Handling
Insecure_Value_of_the_SameSite_Cookie_Attribute
Integer_Overflow
Log_Forging
Misconfigured_HSTS
Misconfigured_X_Content_Type_Options
Missing_Content_Security_Policy
Missing_Framing_Policy
Missing_HSTS
PCI_Data_Exposure_in_Error_Messages
PCI_Data_Exposure_in_Files
PCI_Data_Exposure_in_Logs
PCI_Data_Exposure_in_URL
Permissive_Content_Security_Policy
Privacy_Violation_in_Error_Messages
Privacy_Violation_in_URL
Trust_Boundary_Violation_in_Session_Variables
Type_Conversion_Error
Unchecked_Return_Value_to_NULL_Pointer_Dereference
Use_of_Deprecated_API
Use_of_Non_Cryptographic_Random
Use_of_Unsafe_Keyword
Rust_Best_Coding_Practice
Input_Path_Not_Canonicalized
Notice
Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.
As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.
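To make concrete what one of the query names above targets, the following is an added Rust example; it is not part of this engine pack and not Checkmarx's query code. It shows the archive-extraction pattern behind Unsafe_Archive_Unpacking (and the missing validation behind Input_Path_Not_Canonicalized) next to a hardened version. The archive entries, the destination directory and the function names are constructed for illustration; this page does not state which exact code shapes the shipped queries match.

```rust
use std::path::{Component, Path, PathBuf};

/// One entry of an archive: the name stored in the archive and its bytes.
/// This is constructed sample data, not a real archive format.
#[derive(Debug, Clone)]
pub struct Entry {
    pub name: String,
    pub data: Vec<u8>,
}

/// Vulnerable pattern: the attacker-controlled entry name is joined onto the
/// destination directory with no validation. `Path::join` discards `dest`
/// entirely when the name is absolute, and it keeps `..` components as they
/// are, so "../../etc/cron.d/x" is written outside `dest`.
pub fn unpack_path_vulnerable(dest: &Path, entry: &Entry) -> PathBuf {
    dest.join(&entry.name)
}

/// Hardened pattern: validate every component of the entry name before it is
/// joined. Absolute names, Windows drive/UNC prefixes and `..` are rejected,
/// `.` is dropped, so the result is always a strict descendant of `dest`.
pub fn unpack_path_safe(dest: &Path, entry: &Entry) -> Result<PathBuf, String> {
    // Assumption: the archive format allows '\' as a separator (common for
    // archives built on Windows). On Unix, "..\..\x" would otherwise be a
    // single, harmless-looking Normal component, so normalize it first.
    let normalized = entry.name.replace('\\', "/");
    let mut out = dest.to_path_buf();
    let mut depth = 0usize;
    for comp in Path::new(&normalized).components() {
        match comp {
            Component::Normal(part) => {
                out.push(part);
                depth += 1;
            }
            Component::CurDir => {}
            Component::ParentDir => {
                return Err(format!("traversal in entry name: {:?}", entry.name))
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute entry name: {:?}", entry.name))
            }
        }
    }
    if depth == 0 {
        return Err("empty entry name".to_string());
    }
    Ok(out)
}

/// Structural containment check that does not touch the filesystem: after
/// stripping `base`, any remaining `..` or root component means `candidate`
/// can resolve outside `base`.
pub fn stays_within(base: &Path, candidate: &Path) -> bool {
    let rel = match candidate.strip_prefix(base) {
        Ok(r) => r,
        Err(_) => return false,
    };
    rel.components()
        .all(|c| matches!(c, Component::Normal(_) | Component::CurDir))
}

/// Constructed sample entries (not from a real archive): two benign names,
/// three escape attempts and an empty name.
pub fn sample_entries() -> Vec<Entry> {
    vec![
        Entry { name: "README.md".into(), data: b"hello".to_vec() },
        Entry { name: "src/./lib.rs".into(), data: b"fn x() {}".to_vec() },
        Entry { name: "../../etc/cron.d/backdoor".into(), data: b"* * * * * root sh".to_vec() },
        Entry { name: "/etc/passwd".into(), data: b"root::0:0".to_vec() },
        Entry { name: "..\\..\\boot.ini".into(), data: b"x".to_vec() },
        Entry { name: "".into(), data: Vec::new() },
    ]
}

fn main() {
    // Hypothetical destination directory; nothing is written to disk here.
    let dest = Path::new("/srv/extract/job-42");
    for e in &sample_entries() {
        let naive = unpack_path_vulnerable(dest, e);
        match unpack_path_safe(dest, e) {
            Ok(p) => println!("OK      {:<28} -> {} ({} bytes)", e.name, p.display(), e.data.len()),
            Err(why) => println!(
                "REJECT  {:<28} -> {} (naive join would write {})",
                e.name, why, naive.display()
            ),
        }
    }
}
```

The naive version is exactly the shape a scanner has to flag: tainted archive metadata flowing into a filesystem path with no canonicalization or component check in between. The hardened version validates components rather than calling `canonicalize()` on the joined path, because canonicalization requires the target to exist and follows symlinks, which an attacker can also plant through an earlier entry of the same archive.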
Engine .NET update
The engine component has been updated to .NET 8.
The minimum .NET version required to update to this engine pack is 8.0.3.
Critical Severity
Warning
Critical severity will be added to the SAST engine's list of severity options in the upcoming major version, 9.7.0.
All queries will be reviewed and their severity adjusted, with the new Critical level assigned where appropriate.
Details on the affected queries can be found on this page, Queries Severity Revision.
The new severity will only be reflected by new scans executed after upgrading to 9.7.0; older scans and their results will be unaffected.
Engine Pack Supported Code Languages and Frameworks (9.6.6)
Environment and Primary Languages | Secondary Languages | Framework | File extensions | Additional Information
---|---|---|---|---
[Table body not preserved in this copy; only the following cells survived, in their original order.]
Additional Information: Java can be configured as a unified language with Scala.
Environment and Primary Languages: JavaScript
Additional Information: This is for Salesforce APEX only.
Additional Information: Scala can be configured as a unified language with Java.
Vulnerability Queries 9.6.6
All queries that are executed in version 9.6.6 are available for download - PDF, CSV
New and updated queries in version 9.6.6 are available for download - PDF, CSV
Queries associated with predefined query presets are available for download - PDF, CSV
New and Changed Queries Details - PDF
Queries Severity Revision
This PDF lists the queries that will have their severity levels updated as part of adding the new Critical severity level in SAST 9.7.0: