
Engine Pack Version 9.7.2

CxSAST Engine

Languages & Frameworks

All supported code languages and framework versions can be found here.

APEX

FLS_* queries have been refactored to improve accuracy and scan execution time.

Warning

Because of significant query changes aimed at improving accuracy and FLS query execution time, the queries no longer rely on heuristic patterns as they did previously, so you may notice differences in results.

The Similarity ID of results is not expected to change.

For further details on the updated queries, please see here.

C++

  • Added support for Boost and stdlib libraries

  • Several queries have been updated for better results and accuracy. For further details, please see here.

  • Parsing Improvements:

    • Support spaces after continuation line

    • Enhanced distinction between casts of unary expressions and binary operations

      // Cast
      int x = (int) * variableAddr;
      // Binary expression
      int x = (value) * variable;
      // Cast of cast
      int x = (int)(float) *variableAddr;
      // Binary with left cast
      int x = (int)(variable) * value;

      // Cast
      int x = (int) & variableAddr;
      // Binary expression
      int x = (value) & variable;
      // Cast of cast
      int x = (int)(float) &variableAddr;
      // Binary with left cast
      int x = (int)(variable) & value;
    • Parsing improvements for __attribute((...)) expressions for function pointer declarations

    • Vector Size Declaration enhancements

    • Added hack to support Pre-Compiled Headers

    • Included common headers in the ProtoDB:

      • Microsoft base headers, winnt.h, windows.h

      • Microsoft Foundation Class Library, afx.h

      • Microsoft Active Template Library, atlbase.h, atlcom.h, atlwin.h

    • Flag to force C or C++ parsing

      • The C_AS_CPP_MODE flag controls whether .h (and .c) files are parsed as C or C++ code. It accepts three values: c (all .c and .h files are treated as C files); cpp (all .c and .h files are treated as C++ files); or auto, where heuristics are used to guess what each file contains.

Go

Go language support has been updated up to version 1.23.

The following general queries were updated:

  • Find_Console_Inputs - New function TextVar from flag package

  • Find_Race_Condition_Sanitizers - New sync/atomic types added: Bool, Int32, Int64, Uint32, Uint64, Uintptr, and Pointer

  • Find_Encode - The url.JoinPath function (net/url package) was added to the Find_Encode general query

  • Find_Hashing - New functions Bytes and String added for hashing (hash/maphash package)

  • Find_Integers

  • Find_Log_Outputs

  • Find_HTTP_Requests_Server_Listeners_Methods - The new functions ServeFileFS, FileServerFS, and NewFileTransportFS were added (net/http package)

  • Integer_Overflow - The following two methods were added (reflect package). They can act as sanitizers:

    • Type.OverflowInt

    • Type.OverflowUint
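As an added example that is not from the page or from Checkmarx, the following Go code shows what using these reflect methods as a sanitizer looks like: a checked narrowing helper built on reflect.Type.OverflowInt / OverflowUint (available from Go 1.23, the version this engine pack supports) beside the unchecked conversion the Integer_Overflow query is meant to flag. The helper names and the sample values are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// ErrOverflow is returned when a value does not fit the narrower target type.
var ErrOverflow = errors.New("integer overflow on narrowing conversion")

// Target types checked with the Go 1.23 reflect.Type.OverflowInt/OverflowUint
// methods; the query treats calls to these methods as sanitizers.
var (
	int32Type = reflect.TypeOf(int32(0))
	uint8Type = reflect.TypeOf(uint8(0))
)

// NarrowToInt32 rejects values outside the int32 range instead of letting the
// plain conversion int32(v) wrap silently.
func NarrowToInt32(v int64) (int32, error) {
	if int32Type.OverflowInt(v) { // true when v cannot be represented as int32
		return 0, ErrOverflow
	}
	return int32(v), nil
}

// NarrowToUint8 does the same for unsigned values, e.g. a length byte in a header.
func NarrowToUint8(v uint64) (uint8, error) {
	if uint8Type.OverflowUint(v) {
		return 0, ErrOverflow
	}
	return uint8(v), nil
}

// UncheckedInt32 is the pattern the Integer_Overflow query flags: no range check,
// so the high bits are dropped and 2^32+5 becomes 5.
func UncheckedInt32(v int64) int32 { return int32(v) }

func main() {
	big := int64(1<<32 + 5) // constructed out-of-range input
	fmt.Println(UncheckedInt32(big)) // 5
	if _, err := NarrowToInt32(big); err != nil {
		fmt.Println("rejected:", err)
	}
	n, _ := NarrowToUint8(200)
	fmt.Println(n) // 200
}
```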

Parsing improvements

  • Updated to the most recent version of ANTLR (4.13.1)

    • The new version of ANTLR brings performance improvements, particularly in parsing speed and memory usage.

  • Internal optimization of Abstract Syntax Tree (AST)

    • The AST has been optimized to enable faster modifications while minimizing memory usage, ensuring more efficient parsing.

JavaScript

Several queries have been reviewed and refactored to improve the accuracy of the results.

For further details, please see here.

Light Queries

Additional Light Queries are available for the JavaScript language:

  • Client_DOM_XSS

  • Client_DOM_Stored_XSS

  • Client_DOM_Code_Injection

  • Client_DOM_Stored_Code_Injection

  • Client_DOM_Code_Injection_from_AJAX

  • Client_DOM_XSS_from_Ajax

T-SQL (BETA)

A new language, SQL, has been introduced to support multiple SQL dialects.

The first supported dialect, T-SQL, is available in Beta and is disabled by default. It is controlled by the engine setting USE_NEW_SQL, which can be enabled either by modifying the flag value in the portal database or via the DefaultConfig.xml configuration file through Audit.

Note: Since SQL support for T-SQL is still in Beta, PL/SQL results will remain unchanged under the PL/SQL language.

How SQL and PL/SQL Files Are Distinguished

Notice

A set of regular expressions (regex) is used to identify language-specific features such as keywords, functions, and data types to differentiate between T-SQL (Transact-SQL, used in Microsoft SQL Server) and PL/SQL (Procedural Language/SQL, used in Oracle Database).

These regex patterns help categorize SQL scripts based on distinct language features.
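As an added illustration (not Checkmarx's own regex set, which the page does not publish), the following Go code applies the approach described above: each dialect gets a handful of marker patterns for features the other dialect lacks, and a script is assigned to whichever side matches more. The marker lists and the sample scripts are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed marker sets (not Checkmarx's regexes): each matches a feature of one dialect only.
var (
	tsqlMarkers = []*regexp.Regexp{
		regexp.MustCompile(`(?im)^\s*GO\s*$`),                 // batch separator
		regexp.MustCompile(`(?i)\bN?VARCHAR\s*\(\s*MAX\s*\)`), // VARCHAR(MAX)
		regexp.MustCompile(`(?i)\bDECLARE\s+@\w+`),            // @variables
		regexp.MustCompile(`(?i)\bSELECT\s+TOP\s*\(?\s*\d+`),  // TOP n
		regexp.MustCompile(`(?i)\bISNULL\s*\(`),               // ISNULL()
	}
	plsqlMarkers = []*regexp.Regexp{
		regexp.MustCompile(`(?i)\bVARCHAR2\s*\(`), // Oracle string type
		regexp.MustCompile(`(?i)\bNVL\s*\(`),      // NVL()
		regexp.MustCompile(`:=`),                  // PL/SQL assignment
		regexp.MustCompile(`(?i)\bDBMS_\w+\.`),    // DBMS_* packages
		regexp.MustCompile(`(?i)\bEND\s+LOOP\b`),  // loop terminator
	}
)

func score(src string, markers []*regexp.Regexp) int {
	n := 0
	for _, re := range markers {
		if re.MatchString(src) {
			n++
		}
	}
	return n
}

// Classify returns "tsql", "plsql", or "unknown" when neither side wins.
func Classify(src string) string {
	switch t, p := score(src, tsqlMarkers), score(src, plsqlMarkers); {
	case t > p:
		return "tsql"
	case p > t:
		return "plsql"
	}
	return "unknown" // no markers at all, or a tie: nothing decisive
}

func main() { // constructed samples, one per dialect
	fmt.Println(Classify("DECLARE @n NVARCHAR(MAX);\nSELECT TOP 5 * FROM t WHERE c = ISNULL(@n, '');\nGO"))
	fmt.Println(Classify("DECLARE\n  v VARCHAR2(10);\nBEGIN\n  v := NVL(:p, 'x');\n  DBMS_OUTPUT.PUT_LINE(v);\nEND;"))
}
```

A script that matches no marker on either side (for example a bare SELECT that is valid in both dialects) is reported as "unknown" rather than guessed.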

Important

BETA features offer early access to upcoming product innovations, allowing you to test functionality and provide feedback during development. However, these features are not fully supported and may be incomplete.

As Checkmarx evaluates future iterations of Beta features for general availability, we will make an effort to address any issues customers encounter while using them.

Compliance Standards

CWE Top 25 (2024)

The CWE Top 25 preset and its corresponding category have been updated to support version 2024.

OWASP Mobile Top 10 (2024)

A new preset and category for the OWASP Mobile Top 10 compliance standard has been added.

Critical Severity

This version includes a review of queries whose severity changes to Information, Low, or Medium, regardless of whether the change is an increase or a decrease.

Note

While most severity changes are applied as expected in Engine Pack 9.7.2, a few exceptions remain and will be introduced in the upcoming Engine Pack 9.7.3:

  • Moving to Medium severity:

    • Insufficiently_Protected_Credentials

  • Moving to Low severity:

    • Client_ReDoS_From_Regex_Injection

    • Client_ReDoS_In_Match

    • Client_ReDos_In_RegExp

    • Client_ReDoS_In_Replace

Similarity ID

A new configuration flag SIMILARITY_ID_WITH_RELATIVE_PATH has been added but is disabled by default.

When this flag is enabled (its value changed to true), the similarity ID hash includes the file path relative to the project instead of just the file name. It also adds the number of nodes in the result path as an input, which makes results more unique.

This new flag operates independently of the existing SIMILARITY_ID_VERSION, which determines the algorithm for the similarity ID. When SIMILARITY_ID_WITH_RELATIVE_PATH is enabled, the relative path modification applies to the specified SIMILARITY_ID_VERSION.

Engine Pack Supported Code Languages and Frameworks (9.7.2)

For each environment, the entries below list its languages (primary first, followed by secondary languages), supported frameworks and libraries, recognized file extensions, and any additional information.

Java
  • Languages: Java, J2SE, J2EE, JSP, JavaScript, VBScript, PL\SQL, HTML5
  • Frameworks: ATG DSP Taglib, GWT, Hibernate, Google Guice, Java Server Faces (JSF), JSP, JSTL FMT Taglib, OWASP ESAPI, MyBatis, PrimeFaces, Spring Boot, Spring MVC, Spring, Struts, Velocity
  • File extensions: .java, .jsp, .jspf, .jsf, .tag, .tld, .mf, .xhtml, .vm, .gradle, .properties, .jspdsbld, .wod, .xml, .yml, .yaml
  • Additional information: Java can be configured as a unified language with Scala.

ASP.NET
  • Languages: ASP.NET, JavaScript, VBScript, PL\SQL, HTML5
  • Frameworks: ASP.NET Core, ASP.Net Core Razor, ASP.Net MVC framework, Enterprise Libraries, ComponentArt, Entity framework, Hibernate.Net, Infragistics, iBatis, Telerik, Dapper, .Net Core, .Net Framework, .NET
  • File extensions: .cs, .cshtml, .xaml, .vb, .config, .aspx, .ascx, .asax, .tag, .master, .xml

ASP
  • Languages: ASP, JavaScript [**], VBScript, PL\SQL, HTML5
  • Frameworks: ASP.Net MVC framework
  • File extensions: .asp, .inc

VB6
  • Languages: VB6
  • File extensions: .bas, .vbp, .frm, .cls, .dsr, .ctl

C / C++
  • Languages: C, C++, C MISRA, C++ MISRA, Informix ESQL/C, MySQL
  • Frameworks and libraries: Boost library, stdlib library
  • File extensions: .cpp, .c, .cc, .c++, .cxx, .hpp, .hh, .h++, .hxx, .h, .ec, .cmake, .pc, .pro, .ac, .am, .txt (related to CMakeLists), .ph

PHP
  • Languages: PHP, JavaScript
  • Frameworks: bWapp, CakePHP, OWASP ESAPI, Kohana, Symfony, Smarty, Zend
  • File extensions: .php, .php3, .php4, .php5, .phtm, .phtml, .tpl, .ctp, .twig, .inc, .cgi, .env, .ini

Apex
  • Languages: Apex
  • Frameworks: VisualForce, Lightning (Aura), Lightning Web Components
  • File extensions: .apex, .apexp, .apxc, .page, .component, .cls, .trigger, .tgr, .object, .report, .workflow, -meta.xml, .xml
  • Additional information: This is for Salesforce APEX only.

Ruby
  • Languages: Ruby
  • Frameworks: Ruby on Rails
  • File extensions: .rb, .rhtml, .rxml, .rjs, .erb, .cgi, .lock

JavaScript
  • Languages: JavaScript, Typescript
  • Frameworks: Ajax, Angular, AngularJS, Backbone, Cordova / PhoneGap, Handlebars, Hapi.JS, JQuery, Knockout, Kony Visualizer, Node.js (Buffer, CryptoJS, ExpressJS, File System, Hapi, Mongodb, OracleDB, Sequelize), Pug (Jade), React Native, ReactJS, SAPUI5, VueJS, XS (SAP), RequireJS
  • File extensions: .js, .jsx, .htm, .html, .json, .ts, .tsx, .aspx, .ascx, .xsjs, .xsjslib, .xsaccess, .xsapp, .app, .evt, .cmp, .hbs, .handlebars, .jade, .pug, .vue, .xml, .apexp, .page, .component, .cshtml, .jsf, .xhtml, .jsp, .jspf, .asp, .master, .php

VBScript
  • Languages: VBScript
  • File extensions: .vbs, .aspx, .ascx, .asp, .cshtml, .html, .htm, .master

Perl
  • Languages: Perl
  • File extensions: .pl, .pm, .plx, .psgi, .cgi

Android (Java)
  • Languages: Android (Java)
  • Frameworks: Volley
  • File extensions: .java, .kt

Objective-C / Swift
  • Languages: Objective-C, Swift
  • File extensions: .m, .h, .swift, .xib, .plist

HTML 5
  • Languages: HTML 5
  • File extensions: .html, .htm

PL/SQL
  • Languages: PL/SQL
  • File extensions: .pls, .sql, .pkh, .pks, .pkb, .pck

SQL
  • Languages: SQL
  • File extensions: .sql, .tsql

Python
  • Languages: Python, JavaScript, VB script, PL\SQL
  • Frameworks and libraries: Django, Flask, Jinja and DTL, Pandas library, Marshmallow
  • File extensions: .py, .gtl, .csv, .latex, .tex, .html, .xml, .txt

Groovy
  • Languages: Groovy, JavaScript, VB script, PL\SQL
  • File extensions: .groovy, .gsh, .gvy, .gy, .gsp, .gradle

Scala
  • Languages: Scala
  • Frameworks: Akka, Finagle, Finatra
  • File extensions: .scala, .conf
  • Additional information: Scala can be configured as a unified language with Java.

Go
  • Languages: GO Language
  • Frameworks: Protobuf, gin-gonic/gin, gorilla-mux
  • File extensions: .go, .mod

Kotlin
  • Languages: Kotlin
  • Frameworks: Ktor (Server Side), Vert.x (Server Side), Spring
  • File extensions: .kt, .kts, .mustache, .ftl, .xml

Cobol
  • Languages: Cobol
  • File extensions: .cbl, .cob, .eco, .pco, .sqb, .cpy

RPG
  • Languages: RPG
  • File extensions: .rpg, .rpg38, .sqlrpg, .rpgle, .sqlrpgle, .dspf

Dart
  • Languages: Dart
  • Frameworks: Flutter
  • File extensions: .dart, .yaml

Lua
  • Languages: Lua
  • Frameworks: OpenResty
  • File extensions: .lua, .conf

Rust
  • Languages: Rust
  • File extensions: .rs, .toml

Vulnerability Queries 9.7.2

All queries that are executed in version 9.7.2 are available for download (PDF, CSV).

New and updated queries in version 9.7.2 are available for download (PDF, CSV).

Queries associated with predefined query presets are available for download (PDF, CSV).

New and Updated Queries Details (PDF)

All Queries by preset list (CSV)

Release Notes for Engine Pack (EP) 9.7.2 Patches

Version 9.7.2.1002 Date 04-09-2025

  • Improved TypeScript parsing to correctly support complex 'new' expressions

  • Support for HTTPS connections in CxAudit

Version 9.7.2.1001 Date 04-01-2025

  • Parsing improvements for TypeScript

  • Fixed an issue that was preventing DOM creation for .aspx files