Critical Severity Release Plan
The new Critical severity level is going to be released gradually, as follows:
Engine Pack 9.7.1
Queries
This version includes the review of queries transitioning from High to Critical severity.
Presets
No new presets will be created or renamed.
High and Medium and Low and High and Medium presets content will be updated:
Both presets will include Critical severity.
Queries reviewed from High to Critical remain as part of the presets.
Although preset will include Critical, they won´t be renamed.
For all other presets, no queries have been added or removed.
Checkmarx One Upgrade
As the majority of the queries transitioning from High to Critical are already available in Checkmarx One, upgrading to engine pack 9.7.1 will have no significant impact.
Only 7 recent Rust queries will be changing from High to Critical in Checkmarx One:
Arbitrary_File_Write
DynamoDB_NoSQL_Injection
Command_Injection
Second_Order_SQL_Injection
SQL_Injection
Stored_Command_Injection
Stored_XSS
Engine Pack 9.7.2
Queries
This version includes the review of queries transitioning to Information, Low, and Medium severity, regardless of whether the change is an increase or decrease.
Examples:
Command_Argument_Injection: Severity transitioning from Low to Medium.
XPath_Injection: Severity transitioning from High to Medium.
Allowed_Backup: Severity transitioning from Information to Low.
Unsafe_Permission_Check: Severity transitioning from Medium to Low.
Presets
No new presets will be created or renamed.
The following presets will be updated:
Old Severity | New Severity | High & Medium & Low Preset | High & Medium Preset |
|---|---|---|---|
High | Medium | Remains on the preset | Remains on the preset |
Low | Remains on the preset | Added to the preset | |
Info | Added to the preset | Added to the preset | |
High | Low | Remains on the preset | Removed from the preset |
Medium | Remains on the preset | Removed from the preset | |
Info | Added to the preset | N/A | |
Medium | Information | Removed from the preset | Removed from the preset |
Low | Removed from the preset | N/A |
For all other presets, no queries have been added or removed; the preset will remain the same, but with updated severities.
Checkmarx One Upgrade
When upgrading Checkmarx One to engine pack 9.7.2, queries transitioning to Information, Low, and Medium severity levels will be updated accordingly.
Engine Pack 9.7.3
Queries
This version includes the review of queries transitioning to High and Critical severity, except for those moving from High to Critical, which were addressed in the previous version 9.7.1.
Examples:
SSRF: Severity transitioning from Medium to High.
Stored_Code_Injection: It was previously classified as Low for some languages and Medium for others. In this version, it will be updated to Critical.
Presets
No new presets will be created or renamed.
The following presets will be updated:
Old Severity | New Severity | High & Medium & Low Preset | High & Medium Preset |
|---|---|---|---|
Medium | Critical | Remains on the preset | Remains on the preset |
Low | Remains on the preset | Remains on the preset | |
Medium | High | Remains on the preset | Remains on the preset |
Low | Remains on the preset | Added to the preset |
For all other presets, no queries have been added or removed; the preset will remain the same, but with updated severities.
Checkmarx One Upgrade
When upgrading Checkmarx One to engine pack 9.7.3, queries transitioning to High and Critical severity levels will be updated accordingly.
Impact of Query Severity Changes on Scans and Result
New severity will be reflected only for new scans executed after upgrading to 9.7.0; older scans and results are not affected.
Affected Queries by Engine Pack
For details on the affected queries per engine pack, please refer to this spreadsheet.
Instructions for applying filters are provided in the file.