Engine Pack Version 9.7.1

CxSAST Engine

Languages & Frameworks

All supported code languages and framework versions can be found here.

APEX

The following queries have been improved:

  • FLS_Read to support WITH USER_MODE

  • FLS_* queries improved for better results and accuracy

For further details, please see here.

C++

  • Several queries have been updated for better results and accuracy. For further details, please see here.

  • Parsing improvements:

    • C++20 Construct Support: Added support for parsing C++20 constructs: requires and concepts. The forward declaration of S is added here so the snippet compiles on its own; the rest is the original fragment:

      template<typename T>
      using Ref = T&;

      template<typename T>
      struct S;              // forward declaration so that S<T> below names a known class template

      template<typename T>
      concept C = requires
      {
          typename T::inner; // required nested member name
          typename S<T>;     // required class template specialization
          typename Ref<T>;   // required alias template substitution
      };
    • Enhanced GCC Attribute Parsing: Improved parsing of GCC attributes, ensuring propagation of inline/static and others to the proper methods:

      inline __attribute__((force_inline)) ssgRoot *get_taxi_lights_root () const { }

    • Pro*C Fake Decimal Type: Improved support for the fake decimal type defined by Pro*C:

      decimal(15,4) dbi_dcConsumption_value;   // here as a declaration

      decimal(15,4) foo = (decimal(15,4)) x;   // here as a cast
    • SQL Statement Handling: Enhanced parsing of SQL statements, which are now converted into empty blocks.

    • Compound Literal Support: Improved the parsing of compound literals for better code analysis:

      bar(1, (float[3]) {1, 2, 3});  // this cast is an example
    • GNU Extension for Compound Statements: Support for the GNU statement-expression extension (a compound statement inside parentheses):

      for (int i = 0; i < N; i++) {
          ({
              double *point = &points[i*2];
              rtree_insert(tr, point, point, (void *)(uintptr_t)(i));
              assert(rtree_count(tr) == i + 1);
          });
      }
    • Modifier Support: Support for calling-convention modifiers such as __fastcall, __fastdecl, __cdecl, __stdcall, __thiscall.

    • Numeric Fields: Numeric fields (int, float, double) for classes had the NoneAbstractValue by default. Now, they default to AnyAbstractValue or a numeric abstract value with an infinite range: [-inf, +inf].

    • Variable Modifiers: Support for variable modifiers after struct type:

      struct { /*...*/ } const static variable[] = { /* ... */ }; 
    • Constructor/Destructor Parsing: Improvement when parsing Constructors/Destructors with empty body:

      GtkSplashScreen::~GtkSplashScreen() { };  
    • Microsoft Exception Handling: Support Microsoft __try and __except, as aliases for try and catch

    • Long Value in Pre-Processor Directives: Enhanced the handling of long values in pre-processor directives.

    • Nested Templates: Optimized parsing of nested templates for faster processing.

    • Header Support: The inttypes.h header added to the macros database to support its built-in macros.

C#

Improved the support for positional pattern matching.

COBOL

  • The following queries have been added:

    • Best Coding Practices

      • Dynamic_SQL_Queries

      • SQL_Select_without_Where

      • Use_of_DISPLAY

    • Low

      • Debug_Enabled

  • Parsing improvements were made to improve the accuracy of results.

Java

  • Java support has been updated up to version 21.

  • The query Mongo_NoSQL_Injection has been renamed to NoSQL_Injection; it now supports Couchbase in addition to MongoDB.

  • The query Stored_Mongo_NoSQL_Injection has been renamed to Second_Order_NoSQL_Injection; it now supports Couchbase in addition to MongoDB.

JavaScript

Several queries have been reviewed and refactored to improve the accuracy of the results and reduce noise by decreasing false positives (FPs).

For further details, please see here.

Compliance Standards

The STIG preset and its corresponding category have been updated to support version 6.1.

Critical Severity

This version includes the review of queries transitioning from High to Critical severity.

For further details, please see https://docs.checkmarx.com/en/34965-321885-critical-severity-release-plan.html

Engine Pack Supported Code Languages and Frameworks (9.7.1)

Each entry below lists, in this order: environment and primary languages, secondary languages, frameworks, file extensions, and additional information.

Java
  • Java

  • J2SE

  • J2EE

  • JSP

  • JavaScript

  • VBScript

  • PL\SQL

  • HTML5

  • ATG DSP Taglib

  • GWT

  • Hibernate

  • Google Guice

  • Java Server Faces (JSF)

  • JSP

  • JSTL FMT Taglib

  • OWASP ESAPI

  • MyBatis

  • PrimeFaces

  • Spring Boot

  • Spring MVC

  • Spring

  • Struts

  • Velocity

  • .java

  • .jsp

  • .jspf

  • .jsf

  • .tag

  • .tld

  • .mf

  • .xhtml

  • .vm

  • .gradle

  • .properties

  • .jspdsbld

  • .wod

  • .xml

  • .yml

  • .yaml

Java can be configured as a unified language with Scala.

ASP.NET
  • ASP.NET

  • JavaScript

  • VBScript

  • PL\SQL

  • HTML5

  • ASP.NET Core

  • ASP.Net Core Razor

  • ASP.Net MVC framework

  • Enterprise Libraries

  • ComponentArt

  • Entity framework

  • Hibernate.Net

  • Infragistics

  • iBatis

  • Telerik

  • Dapper

  • .Net Core

  • .Net Framework

  • .NET

  • .cs

  • .cshtml

  • .xaml

  • .vb

  • .config

  • .aspx

  • .ascx

  • .asax

  • .tag

  • .master

  • .xml

ASP
  • ASP

  • JavaScript [**]

  • VBScript

  • PL\SQL

  • HTML5

  • ASP.Net MVC framework

  • .asp

  • .inc

VB6
  • VB6

  • .bas

  • .vbp

  • .frm

  • .cls

  • .dsr

  • .ctl

C / C++
  • C

  • C++

  • C MISRA

  • C++ MISRA

  • Informix ESQL/C

  • MySQL

  • .cpp

  • .c

  • .cc

  • .c++

  • .cxx

  • .hpp

  • .hh

  • .h++

  • .hxx

  • .h

  • .ec

  • .cmake

  • .pc

  • .pro

  • .ac

  • .am

  • .txt (related to CMakeLists.txt)

  • .ph

PHP
  • PHP

  • JavaScript

  • bWapp

  • CakePHP

  • OWASP ESAPI

  • Kohana

  • Symfony

  • Smarty

  • Zend

  • .php

  • .php3

  • .php4

  • .php5

  • .phtm

  • .phtml

  • .tpl

  • .ctp

  • .twig

  • .inc

  • .cgi

  • .env

  • .ini

Apex
  • Apex

  • VisualForce

  • Lightning (Aura)

  • Lightning Web Components

  • .apex

  • .apexp

  • .apxc

  • .page

  • .component

  • .cls

  • .trigger

  • .tgr

  • .object

  • .report

  • .workflow

  • -meta.xml

  • .xml

This is for Salesforce APEX only.

Ruby
  • Ruby

  • Ruby on Rails

  • .rb

  • .rhtml

  • .rxml

  • .rjs

  • .erb

  • .cgi

  • .lock

JavaScript
  • JavaScript

  • Typescript

  • Ajax

  • Angular

  • AngularJS

  • Backbone

  • Cordova / PhoneGap

  • Handlebars

  • Hapi.JS

  • JQuery

  • Knockout

  • Kony Visualizer

  • Node.js

    • Buffer

    • CryptoJS

    • ExpressJS

    • File System

    • Hapi

    • Mongodb

    • OracleDB

    • Sequelize

  • Pug (Jade)

  • React Native

  • ReactJS

  • SAPUI5

  • VueJS

  • XS (SAP)

  • RequireJS

  • .js

  • .jsx

  • .htm

  • .html

  • .json

  • .ts

  • .tsx

  • .aspx

  • .ascx

  • .xsjs

  • .xsjslib

  • .xsaccess

  • .xsapp

  • .app

  • .evt

  • .cmp

  • .hbs

  • .handlebars

  • .jade

  • .pug

  • .vue

  • .xml

  • .apexp

  • .page

  • .component

  • .cshtml

  • .jsf

  • .xhtml

  • .jsp

  • .jspf

  • .asp

  • .master

  • .php

VBScript
  • VBScript

  • .vbs

  • .aspx

  • .ascx

  • .asp

  • .cshtml

  • .html

  • .htm

  • .master

Perl
  • Perl

  • .pl

  • .pm

  • .plx

  • .psgi

  • .cgi

Android (Java)
  • Android (Java)

  • Volley

  • .java

  • .kt

Objective-C / Swift
  • Objective-C

  • Swift

  • .m

  • .h

  • .swift

  • .xib

  • .plist

HTML 5
  • HTML 5

  • .html

  • .htm

PL/SQL
  • PL/SQL

  • .pls

  • .sql

  • .pkh

  • .pks

  • .pkb

  • .pck

Python
  • Python

  • JavaScript

  • VBScript

  • PL\SQL

  • Django

  • Flask

  • Jinja and DTL

  • Pandas library

  • Marshmallow

  • .py

  • .gtl

  • .csv

  • .latex

  • .tex

  • .html

  • .xml

  • .txt

Groovy
  • Groovy

  • JavaScript

  • VBScript

  • PL\SQL

  • .groovy

  • .gsh

  • .gvy

  • .gy

  • .gsp

  • .gradle

Scala
  • Scala

  • Akka

  • Finagle

  • Finatra

  • .scala

  • .conf

Scala can be configured as a unified language with Java.

Go
  • Go Language

  • Protobuf

  • gin-gonic/gin

  • gorilla-mux

  • .go

  • .mod

Kotlin
  • Kotlin

  • Ktor (Server Side)

  • Vert.x (Server Side)

  • Spring

  • .kt

  • .kts

  • .mustache

  • .ftl

  • .xml

Cobol
  • Cobol

  • .cbl

  • .cob

  • .eco

  • .pco

  • .sqb

  • .cpy

RPG
  • RPG

  • .rpg

  • .rpg38

  • .sqlrpg

  • .rpgle

  • .sqlrpgle

  • .dspf

Dart
  • Dart

  • Flutter

  • .dart

  • .yaml

Lua
  • Lua

  • OpenResty

  • .lua

  • .conf

Rust
  • Rust

  • .rs

Vulnerability Queries 9.7.1

All queries that are executed in version 9.7.1 are available for download: PDF, CSV

New and updated queries in version 9.7.1 are available for download: PDF, CSV

Queries associated with predefined query presets are available for download: PDF, CSV

New and Changed Queries Details: PDF

All Queries by preset list: CSV

Release Notes for Engine Pack (EP) 9.7.1 Patches

Version 9.7.1.1002 Date 03-04-2025

  • JavaScript

    • Several queries have been reviewed and refactored to improve the accuracy of the results.

  • Go

    • Several queries have been reviewed and refactored to improve the accuracy of the results.

    • Improved and generalized handling of Error Variables as sanitizers.

Version 9.7.1.1001 Date 02-10-2025

  • Improved JavaScript parsing to prevent scanning from getting unintentionally stuck.

  • Improved VBNet support to:

    • Prevent false negatives for SQL Injection.

    • Better handling of the Integer type.

  • Improvements to prevent false positives for the Go_Medium_Threat\Privacy_Violation query: Ignored results that pass through the error handling of a method invocation, as the likelihood of a vulnerability is low.

  • Improved gin-gonic web output support for io.Writer web outputs. Previously, io.Writer methods were added as web outputs regardless of whether they were used within their intended context (gin-gonic).

  • Improvements to prevent false positives for the:

    • Go_Medium_Threat\Reflected_Absolute_Path_Traversal and Go_Medium_Threat\Reflected_Relative_Path_Traversal queries: Removed io.Copy calls that only copy data from one request to another (no file access).

    • Go_Insecure_Credential_Storage\Insufficient_Output_Length query: Fixed the check that validates whether the value is within a valid range. The query was unable to find the definition of a value in a specific context; that context was added.

    • Go_Insecure_Credential_Storage\PBKDF2_Insufficient_Iteration_Count query: Improved the query to return a flow, i.e. added context so that the result reflects the whole path from the definition of the insufficient value to its use.

    • Go_Low_Visibility\Race_Condition_Concurrent_Instances query: Removed references to casts that cannot be influenced or altered.

    • Go_Medium_Threat\Denial_Of_Service_Resource_Exhaustion
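The PBKDF2_Insufficient_Iteration_Count item above describes a result that now spans the flow from the definition of a too-small iteration count to the KDF call that consumes it. The following Go program is an added example, not Checkmarx or Engine Pack code, showing what that definition-to-use pattern looks like in application code and the guard a reviewer would put at the point of use. It implements PBKDF2-HMAC-SHA256 with only the standard library (no external module), so it runs offline; the constants weakIterations and minIterations, the helper names, and the sample salt are constructed for illustration, and the 600,000 floor is OWASP's published minimum for PBKDF2-HMAC-SHA256.

```go
package main

// Added example (not Checkmarx code): a stdlib-only PBKDF2-HMAC-SHA256 used to
// show the "definition to use" flow that the PBKDF2_Insufficient_Iteration_Count
// query reports: a low iteration constant defined in one place and consumed by
// the KDF call elsewhere. Constants, helper names and sample inputs are constructed.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// weakIterations is the kind of value the query traces to the KDF call (constructed sample).
const weakIterations = 1000

// minIterations is the floor this example enforces; 600,000 is OWASP's
// published minimum for PBKDF2-HMAC-SHA256.
const minIterations = 600000

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	for i := 1; i <= blocks; i++ {
		// U1 = PRF(password, salt || INT_32_BE(i))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T_i = U1 xor U2 xor ... xor U_c, where U_j = PRF(password, U_{j-1})
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// iterationCountSufficient is the check that belongs at the point of use:
// it rejects a weak constant before it reaches the KDF.
func iterationCountSufficient(iterations int) bool {
	return iterations >= minIterations
}

// deriveKey is the "use" end of the flow. It refuses to run with an
// insufficient count instead of silently producing a weak key.
func deriveKey(password string, salt []byte, iterations int) ([]byte, error) {
	if !iterationCountSufficient(iterations) {
		return nil, fmt.Errorf("pbkdf2: %d iterations is below the minimum of %d", iterations, minIterations)
	}
	return pbkdf2SHA256([]byte(password), salt, iterations, 32), nil
}

func main() {
	salt := []byte("constructed-sample-salt") // a real salt is random and unique per password
	// The weak constant defined above flows into the KDF here; the guard stops it.
	if _, err := deriveKey("correct horse battery staple", salt, weakIterations); err != nil {
		fmt.Println("rejected:", err)
	}
	key, err := deriveKey("correct horse battery staple", salt, minIterations)
	if err != nil {
		panic(err)
	}
	fmt.Println("derived:", hex.EncodeToString(key))
}
```

The point of the guard is that a SAST result of this kind is only actionable if the fix lands where the value is consumed: raising the constant fixes one call site, while the check in deriveKey fails fast for any future caller that passes a small count from another definition.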