Engine Pack Version 9.7.1

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions can be found here

APEX

The following queries have been improved:

FLS_Read to support WITH USER_MODE
FLS_* queries improved for better results and accuracy

For further details, please see here.

C++

Several queries have been updated for better results and accuracy. For further details, please see here.
Parsing improvements:
- C++20 Construct Support: Added support for parsing C++ 20 constructs: requires and concepts:
```
 template<typename T>
        using Ref = T&;
        
        template<typename T>
        concept C = requires
        {
            typename T::inner; // required nested member name
            typename S<T>;     // required class template specialization
            typename Ref<T>;   // required alias template substitution
        };
```
- Enhanced GCC Attribute Parsing: Improved parsing of GCC attributes, ensuring propagation of inline/static and others to proper methods:
```
inline __attribute__((force_inline)) ssgRoot *get_taxi_lights_root () const {  }
```
- Pro*C Fake Decimal Type: Improved support of the fake decimal type defined by Pro*C:
```
decimal(15,4) dbi_dcConsumption_value;   // Here
                          
decimal(15,4) foo = (decimal(15,4)) x; // here as a cast
```
- SQL Statement Handling: Enhanced parsing of SQL statements, which are now converted into empty blocks.
- Compound Literal Support: Improved the parsing of compound literals for better code analysis:
```
bar(1, (float[3]) {1, 2, 3});  // this cast is an example
```
- GNU Extension for Compound Statements: Support GNU extension for compound statements:
```
  for (int i = 0; i < N; i++) { 
      ({ 
          double *point = &points[i*2]; 
          rtree_insert(tr, point, point, (void *)(uintptr_t)(i)); 
          assert(rtree_count(tr) == i + 1); 
      }); 
  }
```
- Modifier Support: Support modifiers like __fastcall, __fastdecl, __cdecl, __stdcall, __thiscall
- Numeric Fields: Numeric fields (int, float, double) for classes had the NoneAbstractValue by default. Now, they default to AnyAbstractValue or a numeric abstract value with an infinite range: [-inf, +inf].
- Variable Modifiers: Support for variable modifiers after struct type:
```
struct { /*...*/ } const static variable[] = { /* ... */ }; 
```
- Constructor/Destructor Parsing: Improvement when parsing Constructors/Destructors with empty body:
```
GtkSplashScreen::~GtkSplashScreen() { };  
```
- Microsoft Exception Handling: Support Microsoft __try and __except, as aliases for try and catch
- Long Value in Pre-Processor Directives: Enhanced the handling of long values in pre-processor directives.
- Nested Templates: Optimized parsing of nested templates for faster processing.
- Header Support: The inttypes.h header added to the macros database to support its built-in macros.

C#

Improved the support for positional pattern matching.

COBOL

The following queries have been added:
- Best Coding Practices
  - Dynamic_SQL_Queries
  - SQL_Select_without_Where
  - Use_of_DISPLAY
- Low
  - Debug_Enabled
Parsing improvements were made to improve the accuracy of results.

Java

Java support has been updated up to version 21.
The query Mongo_NoSQL_Injection has been renamed to NoSQL_Injection, which includes support for CouchBase in addition to MongoDB.
The query Stored_Mongo_NoSQL_Injection has been renamed to Second_Order_NoSQL_Injection, which includes support for CouchBase in addition to MongoDB.

JavaScript

Several queries have been reviewed and refactored to improve the accuracy of the results and reduce the noise by decreasing the FPs.

For further details, please see here.

Compliance Standards

The STIG preset and its corresponding category have been updated to support the version 6.1.

Critical Severity

This version includes the review of queries transitioning from High to Critical severity.

For further details, please see https://docs.checkmarx.com/en/34965-321885-critical-severity-release-plan.html

Engine Pack Supported Code Languages and Frameworks (9.7.1)

Environment and Primary Languages

Secondary Languages

Framework

File extensions

Additional Information

Java
J2SE
J2EE

JSP
JavaScript
VBScript
PL\SQL
HTML5

ATG DSP Taglib
GWT
Hibernate
Google Guice
Java Server Faces (JSF)
JSP
JSTL FMT Taglib
OWASP ESAPI
MyBatis
PrimeFaces
Spring Boot
Spring MVC
Spring
Struts
Velocity

.java
.jsp
.jspf
.jsf
.tag
.tld
.mf
.xhtml
.vm
.gradle
.properties
.jspdsbld
.wod
.xml
.yml
.yaml

Java can be configured as a unified language with Scala.

C#
VB.NET

ASP.NET
JavaScript
VBScript
PL\SQL
HTML5

ASP.NET Core
ASP.Net Core Razor
ASP.Net MVC framework
Enterprise Libraries
ComponentArt
Entity framework
Hibernate.Net
Infragistics
iBatis
Telerik
Dapper
.Net Core
.Net Framework
.NET

.cs
.cshtml
.xaml
.vb
.config
.aspx
.ascx
.asax
.tag
.master
.xml

JavaScript [**]
VBScript
PL\SQL
HTML5

ASP.Net MVC framework

.asp
.inc

.bas
.vbp
.frm
.cls
.dsr
.ctl

C MISRA
C++ MISRA
Informix ESQL/C
MySQL

.cpp
.c
.cc
.c++
.cxx
.hpp
.hh
.h++
.hxx
.h
.ec
.cmake
.pc
.pro
.ac
.am
.txt (related to CmakeLists)
.ph

JavaScript

bWapp
CakePHP
OWASP ESAPI
Kohana
Symfony
Smarty
Zend

.php
.php3
.php4
.php5
.phtm
.phtml
.tpl
.ctp
.twig
.inc
.cgi
.env
.ini

Apex

VisualForce
Lightning (Aura)
Lightning Web Components

.apex
.apexp
.apxc
.page
.component
.cls
.trigger
.tgr
.object
.report
.workflow
-meta.xml
.xml

This is for Salesforce APEX only.

Ruby

Ruby on Rails

.rb
.rhtml
.rxml
.rjs
.erb
.cgi
.lock

JavaScript
Typescript

Ajax
Angular
AngularJS
Backbone
Cordova / PhoneGap
Handlebars
Hapi.JS
JQuery
Knockout
Kony Visualizer
Node.js
- Buffer
- CryptoJS
- ExpressJS
- File System
- Hapi
- Mongodb
- OracleDB
- Sequelize
Pug (Jade)
React Native
ReactJS
SAPUI5
VueJS
XS (SAP)
RequireJS

.js
.jsx
.htm
.html
.json
.ts
.tsx
.aspx
.ascx
.xsjs
.xsjslib
.xsaccess
.xsapp
.app
.evt
.cmp
.hbs
.handlebars
.jade
.pug
.vue
.xml
.apexp
.page
.component
.cshtml
.jsf
.xhtml
.jsp
.jspf
.asp
.master
.php

VBScript

.vbs
.aspx
.ascx
.asp
.cshtml
.html
.htm
.master

Perl

.pl
.pm
.plx
.psgi
.cgi

Android (Java)

Volley

.java
.kt

Objective-C
Swift

.m
.h
.swift
.xib
.plist

HTML 5

.html
.htm

PL/SQL

.pls
.sql
.pkh
.pks
.pkb
.pck

Python

JavaScript
VB script
PL\SQL

Django
Flask
Jinja and DTL
Pandas library
Marshmallow

.py
.gtl
.csv
.latex
.tex
.html
.xml
.txt

Groovy

JavaScript
VB script
PL\SQL

.groovy
.gsh
.gvy
.gy
.gsp
.gradle

Scala

Akka
Finagle
Finatra

.scala
.conf

Scala can be configured as a unified language with Java.

GO Language

Protobuf
gin-gonic/gin
gorilla-mux

.go
.mod

Kotlin

Ktor (Server Side)
Vert.x (Server Side)
Spring

.kt
.kts
.mustache
.ftl
.xml

Cobol

.cbl
.cob
.eco
.pco
.sqb
.cpy

.rpg
.rpg38
.sqlrpg
.rpgle
.sqlrpgle
.dspf

Dart

Flutter

.dart
.yaml

OpenResty

.lua
.conf

Rust

Vulnerability Queries 9.7.1

All queries that are executed in version 9.7.1 are available for download - PDF, CSV

New and updated queries in version 9.7.1 are available for download - PDF, CSV

Queries associated with predefined query presets are available for download - PDF, CSV

New and Changed Queries Details - PDF

All Queries by preset list- CSV

Release Notes for Engine Pack (EP) 9.7.1 Patches

Version 9.7.1.1002 Date 03-04-2025
JavaScript Several queries have been reviewed and refactored to improve the accuracy of the results. Go Several queries have been reviewed and refactored to improve the accuracy of the results. Improved and generalized handling of Error Variables as sanitizers.

Version 9.7.1.1001 Date 02-10-2025
Improved JavaScript parsing to prevent scanning from getting unintentionally stuck. Improved VBNet support to: Prevent false negatives for SQL Injection. Better handling of Integer type. Improvements to prevent false positives for the Go_Medium_Threat\Privacy_Violation query: Ignored results that pass through the error handling of a method invocation, as the likelihood of a vulnerability is low. Improved the gin/gonic web outputs support regarding io.writer web outputs. Previously, io.writer methods were being added as web outputs regardless of they were part of their intended context, gin-gonic. Improvements to prevent false positives for the: Go_Medium_Threat\Reflected_Absolute_Path_Traversal() and Go_Medium_Threat.Reflected_Relative_Path_Traversal() queries: Removed io.Copy calls that only copy data from one request to another (no file accesses). Go_Insecure_Credential_Storage\Insufficient_Output_Length query: Fixed query that validates the if the value is within a valid range. Query was unable to find the definition of a value in a specific context. Context was added. Go_Insecure_Credential_Storage\PBKDF2_Insufficient_Iteration_Count query: Improved the query to return a flow, meaning, added context to reflect with the entirety of the result, from the insufficient value definition to its use. Go_Low_Visbility\Race_Condition_Concurrent_Instances query: Removed references of casts that cannot be influenced or altered. Go_Medium_Threat\Denial_Of_Service_Resource_Exhaustion

Version 9.7.1.1001 Date 02-10-2025

Improved JavaScript parsing to prevent scanning from getting unintentionally stuck.
Improved VBNet support to:
- Prevent false negatives for SQL Injection.
- Better handling of Integer type.
Improvements to prevent false positives for the Go_Medium_Threat\Privacy_Violation query: Ignored results that pass through the error handling of a method invocation, as the likelihood of a vulnerability is low.
Improved the gin/gonic web outputs support regarding io.writer web outputs. Previously, io.writer methods were being added as web outputs regardless of they were part of their intended context, gin-gonic.
Improvements to prevent false positives for the:
- Go_Medium_Threat\Reflected_Absolute_Path_Traversal() and Go_Medium_Threat.Reflected_Relative_Path_Traversal() queries: Removed io.Copy calls that only copy data from one request to another (no file accesses).
- Go_Insecure_Credential_Storage\Insufficient_Output_Length query: Fixed query that validates the if the value is within a valid range. Query was unable to find the definition of a value in a specific context. Context was added.
- Go_Insecure_Credential_Storage\PBKDF2_Insufficient_Iteration_Count query: Improved the query to return a flow, meaning, added context to reflect with the entirety of the result, from the insufficient value definition to its use.
- Go_Low_Visbility\Race_Condition_Concurrent_Instances query: Removed references of casts that cannot be influenced or altered.
- Go_Medium_Threat\Denial_Of_Service_Resource_Exhaustion

In this section:

Engine Pack Version 9.7.1

CxSAST Engine

Languages & Frameworks

APEX

C++

C#

COBOL

Java

JavaScript

Compliance Standards

Critical Severity

Engine Pack Supported Code Languages and Frameworks (9.7.1)

Vulnerability Queries 9.7.1

Release Notes for Engine Pack (EP) 9.7.1 Patches

Search results