
Engine Pack Version 9.7.2

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions can be found here.

APEX

FLS_* queries have been refactored to improve accuracy and scan execution time.

Warning

Due to significant query changes aimed at improving accuracy and FLS query execution time, the queries no longer rely on heuristic patterns as they did previously, so you may notice differences in results.

Similarity ID of results is not expected to change.

For further details on the updated queries, please see here.

C++

  • Added support for Boost and stdlib libraries

  • Several queries have been updated for better results and accuracy. For further details, please see here.

  • Parsing Improvements:

    • Support spaces after continuation line

    • Enhanced distinction between casts of unary expressions and binary operations

      // Cast
      int x = (int) * variableAddr;
      // Binary expression
      int x = (value) * variable;
      // Cast of cast
      int x = (int)(float) *variableAddr;
      // Binary with leftcast
      int x = (int)(variable) * value;
      
      // Cast
      int x = (int) & variableAddr;
      // Binary expression
      int x = (value) & variable;
      // Cast of cast
      int x = (int)(float) &variableAddr;
      // Binary with leftcast
      int x = (int)(variable) & value;
    • Parsing improvements for __attribute((...)) expressions for function pointer declarations

    • Vector Size Declaration enhancements

    • Added hack to support Pre-Compiled Headers

    • Included common headers in the ProtoDB:

      • Microsoft base headers, winnt.h, windows.h

      • Microsoft Foundation Class Library, afx.h

      • Microsoft Active Template Library, atlbase.h, atlcom.h, atlwin.h

    • Flag to force C or C++ parsing

      • The C_AS_CPP_MODE flag controls whether .h (and .c) files are interpreted as C or C++ code. It accepts three values: c (all .c and .h files are treated as C files); cpp (all .c and .h files are treated as C++ files); or auto, where heuristics are used to guess what each file contains.

Go

Go language support has been updated up to version 1.23.

The following general queries were updated:

  • Find_Console_Inputs - New function TextVar from flag package

  • Find_Race_Condition_Sanitizers - New sync/atomic types added: Bool, Int32, Int64, Uint32, Uint64, Uintptr, and Pointer

  • Find_Encode - The url.JoinPath function (net/url package) was added to the encode general query

  • Find_Hashing - The new functions Bytes and String (hash/maphash package) were added to the hashing general query

  • Find_Integers

  • Find_Log_Outputs

  • Find_HTTP_Requests_Server_Listeners_Methods - The new functions ServeFileFS, FileServerFS, and NewFileTransportFS were added (net/http package)

  • Integer_Overflow - The following two methods (reflect package) were added. They can act as sanitizers:

    • Type.OverflowInt

    • Type.OverflowUint

Parsing improvements

  • Update to the most recent version of ANTLR (version 4.13.1)

    • The new version of ANTLR brings performance improvements, particularly in parsing speed and memory usage.

  • Internal optimization of Abstract Syntax Tree (AST)

    • The AST has been optimized to enable faster modifications while minimizing memory usage, ensuring more efficient parsing.

JavaScript

Several queries have been reviewed and refactored to improve the accuracy of the results.

For further details, please see here.

Light Queries

Additional Light Queries are available for JS language:

  • Client_DOM_XSS

  • Client_DOM_Stored_XSS

  • Client_DOM_Code_Injection

  • Client_DOM_Stored_Code_Injection

  • Client_DOM_Code_Injection_from_AJAX

  • Client_DOM_XSS_from_Ajax

T-SQL (BETA)

A new language, SQL, has been introduced to support multiple SQL dialects.

The first supported dialect, T-SQL, is available in Beta and disabled by default. It is controlled by the engine setting USE_NEW_SQL, which can be enabled either by modifying the flag value in the portal database or via the DefaultConfig.xml configuration file through Audit.

Note: Since T-SQL support is still in Beta, PL/SQL results remain unchanged under the PLSQL language.

How SQL and PL/SQL Files Are Distinguished

Notice

A set of regular expressions (regex) is used to identify language-specific features such as keywords, functions, and data types to differentiate between T-SQL (Transact-SQL, used in Microsoft SQL Server) and PL/SQL (Procedural Language/SQL, used in Oracle Database).

These regex patterns help categorize SQL scripts based on distinct language features.
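The following is an added illustration of that approach, not the engine's own code: a small marker-counting classifier with assumed T-SQL and PL/SQL regex patterns (the engine's real pattern set is not published here) run over two constructed sample scripts.

```python
import re

# Constructed sample scripts (not from the release notes), one per dialect.
TSQL_SAMPLE = """CREATE PROCEDURE dbo.GetUser @Id INT AS
BEGIN
    SET NOCOUNT ON;
    SELECT TOP 1 Name FROM dbo.Users WITH (NOLOCK) WHERE Id = @Id;
END
GO
"""
PLSQL_SAMPLE = """CREATE OR REPLACE PROCEDURE get_user(p_id IN NUMBER) IS
    v_name VARCHAR2(100);
BEGIN
    SELECT name INTO v_name FROM users WHERE id = p_id;
    DBMS_OUTPUT.PUT_LINE(v_name);
EXCEPTION WHEN NO_DATA_FOUND THEN NULL;
END;
/
"""
# Assumed dialect markers (keywords, functions, data types); illustrative only.
TSQL_MARKERS = [
    r"^\s*GO\s*$",                  # batch separator
    r"(?<![\w@])@\w+",              # @variable / @parameter names
    r"\bSET\s+NOCOUNT\b",
    r"\bWITH\s*\(\s*NOLOCK\s*\)",
    r"\bSELECT\s+TOP\s+\d+\b",
    r"\bdbo\.",                     # default SQL Server schema
]
PLSQL_MARKERS = [
    r"^\s*/\s*$",                   # SQL*Plus block terminator
    r"\bCREATE\s+OR\s+REPLACE\b",
    r"\b(?:VARCHAR2|NUMBER|PLS_INTEGER)\b",
    r"\bDBMS_\w+\.",                # DBMS_OUTPUT, DBMS_SQL, ...
    r"\bEXCEPTION\s+WHEN\b",
    r"\bNO_DATA_FOUND\b",
]
FLAGS = re.IGNORECASE | re.MULTILINE

def dialect_scores(script):
    """Return (tsql_hits, plsql_hits): marker matches collected per dialect."""
    tsql = sum(len(re.findall(p, script, FLAGS)) for p in TSQL_MARKERS)
    plsql = sum(len(re.findall(p, script, FLAGS)) for p in PLSQL_MARKERS)
    return tsql, plsql

def classify_sql(script):
    """Pick the dialect with more hits; a tie (e.g. plain ANSI SQL) is 'unknown'."""
    tsql, plsql = dialect_scores(script)
    if tsql == plsql:
        return "unknown"
    return "tsql" if tsql > plsql else "plsql"
```

A script that uses only dialect-neutral SQL matches neither marker set and stays "unknown", which is the case where such a heuristic cannot decide on its own.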

Compliance Standards

CWE Top 25 (2024)

The CWE Top 25 preset and its corresponding category have been updated to support version 2024.

OWASP Mobile Top 10 (2024)

A new preset and category for the OWASP Mobile Top 10 compliance standard has been added.

Critical Severity

This version includes the review of queries transitioning to Information, Low, and Medium severity, regardless of whether the change is an increase or decrease.

Similarity ID

A new configuration flag SIMILARITY_ID_WITH_RELATIVE_PATH has been added but is disabled by default.

When this flag is enabled (value set to true), the similarity ID hash includes the file path relative to the project instead of just the file name. It also adds the number of nodes in the path as a further variable, making results even more unique.

This new flag operates independently of the existing SIMILARITY_ID_VERSION, which determines the algorithm for the similarity ID. When SIMILARITY_ID_WITH_RELATIVE_PATH is enabled, the relative path modification applies to the specified SIMILARITY_ID_VERSION.
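The following is an added model of what the flag changes about the hash inputs, not Checkmarx's actual similarity ID algorithm (the hash function and input set below are assumptions): two constructed findings with the same flow in same-named files under different directories, and a third with a longer path, collide under the file-name-only inputs but not under the relative-path inputs.

```python
import hashlib

def similarity_id(query, file_path, path_nodes, with_relative_path=False):
    """Illustrative similarity-ID model (not the engine's real hash).

    query:      query name, e.g. "Reflected_XSS"
    file_path:  project-relative path of the result's file
    path_nodes: node names along the data-flow path, source first, sink last
    """
    source, sink = path_nodes[0], path_nodes[-1]
    if with_relative_path:
        # SIMILARITY_ID_WITH_RELATIVE_PATH=true: relative path plus node count
        parts = [query, file_path, source, sink, str(len(path_nodes))]
    else:
        # default: file name only, no node count
        parts = [query, file_path.rsplit("/", 1)[-1], source, sink]
    digest = hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()
    return int(digest[:8], 16)

# Constructed findings (hypothetical project): same flow in two util.js files,
# plus a longer flow through an extra node in the first file.
FINDING_A = ("Reflected_XSS", "src/a/util.js", ["req.query", "render"])
FINDING_B = ("Reflected_XSS", "src/b/util.js", ["req.query", "render"])
FINDING_C = ("Reflected_XSS", "src/a/util.js", ["req.query", "concat", "render"])

def ids_collide(f1, f2, with_relative_path):
    """True when both findings would be merged into one similarity ID."""
    q1, p1, n1 = f1
    q2, p2, n2 = f2
    return (similarity_id(q1, p1, n1, with_relative_path)
            == similarity_id(q2, p2, n2, with_relative_path))

if __name__ == "__main__":
    for flag in (False, True):
        print("relative_path=%s: A==B %s, A==C %s" % (
            flag, ids_collide(FINDING_A, FINDING_B, flag),
            ids_collide(FINDING_A, FINDING_C, flag)))
```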