Engine Pack Version 9.7.3

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions can be found here.

C++

Improved Boost support, with enhancements in the Algorithms library.
Enhanced the Macros support by adding a reverse include mechanism.
Parse integer literals with ticks (example: 3’00’324’32).
Support Microsoft internal and ref keywords.

Go

Go language coverage and accuracy have been improved in this engine pack:

New cryptography-focused queries have been added.
Multiple general queries were added and refined, expanding detection capabilities and improving overall scan precision.

For further details, please see here.

JavaScript

Several queries have been reviewed and refactored to improve the results' accuracy and reduce the noise by decreasing the FPs.

For further details, please see here.

Optimized Handling of CSharp Configuration Files

Optimized Handling of Configuration Files in C# Scans

Previously, when scanning C# projects, several configuration files were pre-processed and translated into the C# DOM. This approach significantly increased the size of the DOM while providing limited value.

To address this, pre-processing of configuration files has been removed, and related queries have been refactored to use APIs that navigate the configuration files directly. The affected queries are under “CSharp_Web_Config.” For further details, please see here.

Key benefits of this enhancement include a reduced DOM size, which improves scan performance, and code snippet highlighting in both the Results Viewer and Audit interface.

Notice

As a result of this change, some findings may now have a different Similarity ID.

The updated queries related to this change are grouped under CSharp_Web_Config.

Compliance Standards

Base Preset

Until now, the Base preset supported queries for C++, CSharp, Java, JavaScript and Python.

With this engine pack, the preset has been enhanced to include support for additional languages: APEX, ASP, Cobol, Dart, Go, Groovy, Kotlin, Lua, ObjectiveC, Perl, PHP, PLSQL, RPG, Ruby, Rust, Scala, SQL, Swift, VB6, and VBNet.

Recommended Exclusions

This feature, previously available on CxOne, is now included for on-premises users. It allows users to further optimize scan performance by focusing on relevant files, helping maximize accuracy while maintaining a similar scan duration.

By default, no files or folders are excluded. To enable exclusions, configure the PREDEFINED_FILE_EXCLUSIONS_MODES setting and specify the files and/or directories excluded from scans. Please see here for more information.

CWEs Updates

A few queries have had their CWE classifications reviewed and updated to remove any CWEs no longer supported or allowed by MITRE.

For more information on the affected queries, please refer to here, filtering by “CWE changed“.

Critical Severity

This engine pack completes the severity review of queries. It includes updates for queries whose severity has been changed from any severity to High or Critical, except those upgraded from High to Critical, which were already addressed in engine pack 9.7.1.

Engine Pack Supported Code Languages and Frameworks (9.7.3)

Environment and Primary Languages

Secondary Languages

Framework

File extensions

Additional Information

Java
J2SE
J2EE

JSP
JavaScript
VBScript
PL\SQL
HTML5

ATG DSP Taglib
GWT
Hibernate
Google Guice
Java Server Faces (JSF)
JSP
JSTL FMT Taglib
OWASP ESAPI
MyBatis
PrimeFaces
Spring Boot
Spring MVC
Spring
Struts
Velocity

.java
.jsp
.jspf
.jsf
.tag
.tld
.mf
.xhtml
.vm
.gradle
.properties
.jspdsbld
.wod
.xml
.yml
.yaml

Java can be configured as a unified language with Scala.

C#
VB.NET

ASP.NET
JavaScript
VBScript
PL\SQL
HTML5

ASP.NET Core
ASP.Net Core Razor
ASP.Net MVC framework
Enterprise Libraries
ComponentArt
Entity framework
Hibernate.Net
Infragistics
iBatis
Telerik
Dapper
.Net Core
.Net Framework
.NET

.cs
.cshtml
.xaml
.vb
.config
.aspx
.ascx
.asax
.tag
.master
.xml

JavaScript [**]
VBScript
PL\SQL
HTML5

ASP.Net MVC framework

.asp
.inc

.bas
.vbp
.frm
.cls
.dsr
.ctl

C MISRA
C++ MISRA
Informix ESQL/C
MySQL
Boost library
stdlib library

.cpp
.c
.cc
.c++
.cxx
.hpp
.hh
.h++
.hxx
.h
.ec
.cmake
.pc
.pro
.ac
.am
.txt (related to CmakeLists)
.ph

JavaScript

bWapp
CakePHP
OWASP ESAPI
Kohana
Symfony
Smarty
Zend

.php
.php3
.php4
.php5
.phtm
.phtml
.tpl
.ctp
.twig
.inc
.cgi
.env
.ini

Apex

VisualForce
Lightning (Aura)
Lightning Web Components

.apex
.apexp
.apxc
.page
.component
.cls
.trigger
.tgr
.object
.report
.workflow
-meta.xml
.xml

This is for Salesforce APEX only.

Ruby

Ruby on Rails

.rb
.rhtml
.rxml
.rjs
.erb
.cgi
.lock

JavaScript
Typescript

Ajax
Angular
AngularJS
Backbone
Cordova / PhoneGap
Handlebars
Hapi.JS
JQuery
Knockout
Kony Visualizer
Node.js
- Buffer
- CryptoJS
- ExpressJS
- File System
- Hapi
- Mongodb
- OracleDB
- Sequelize
Pug (Jade)
React Native
ReactJS
SAPUI5
VueJS
XS (SAP)
RequireJS

.js
.jsx
.htm
.html
.json
.ts
.tsx
.aspx
.ascx
.xsjs
.xsjslib
.xsaccess
.xsapp
.app
.evt
.cmp
.hbs
.handlebars
.jade
.pug
.vue
.xml
.apexp
.page
.component
.cshtml
.jsf
.xhtml
.jsp
.jspf
.asp
.master
.php

VBScript

.vbs
.aspx
.ascx
.asp
.cshtml
.html
.htm
.master

Perl

.pl
.pm
.plx
.psgi
.cgi

Android (Java)

Volley

.java
.kt

Objective-C
Swift

.m
.h
.swift
.xib
.plist

HTML 5

.html
.htm

PL/SQL

.pls
.sql
.pkh
.pks
.pkb
.pck

SQL

.sql
.tsql

Python

JavaScript
VB script
PL\SQL

Django
Flask
Jinja and DTL
Pandas library
Marshmallow

.py
.gtl
.csv
.latex
.tex
.html
.xml
.txt

Groovy

JavaScript
VB script
PL\SQL

.groovy
.gsh
.gvy
.gy
.gsp
.gradle

Scala

Akka
Finagle
Finatra

.scala
.conf

Scala can be configured as a unified language with Java.

GO Language

Protobuf
gin-gonic/gin
gorilla-mux

.go
.mod

Kotlin

Ktor (Server Side)
Vert.x (Server Side)
Spring

.kt
.kts
.mustache
.ftl
.xml

Cobol

.cbl
.cob
.eco
.pco
.sqb
.cpy

.rpg
.rpg38
.sqlrpg
.rpgle
.sqlrpgle
.dspf

Dart

Flutter

.dart
.yaml

OpenResty

.lua
.conf

Rust

.rs
.toml

Vulnerability Queries 9.7.3

All queries that are executed in version 9.7.3 are available for download - PDF, CSV

New and updated queries in version 9.7.3 are available for download - PDF, CSV

Queries associated with predefined query presets are available for download - PDF, CSV

New and Updated Queries Details - PDF

All Queries by preset list- CSV

Release Notes for Engine Pack (EP) 9.7.3 Patches

Version 9.7.3.1002 Date 06-29-2025
Java_Low_Visibility\Log_Forging query has been improved to include additional sanitizers. Java_Medium_Threat\CSRF has been improved to remove SELECT specific database methods. Enhancements on the query CSharp_Medium_Threat\SQL_Injection_Evasion_Attack to perform decoding before sinks. Improvements on the heuristics of CPP\General\Find_Personal_info query.

Version 9.7.3.1001 Date 06-04-2025
Improved performance by skipping unnecessary preprocessing and DOM generation for .properties files. These files are now processed when required during query execution. Improvements on JavaScript parsing.

In this section:

Engine Pack Version 9.7.3

CxSAST Engine

Languages & Frameworks

C++

Go

JavaScript

Optimized Handling of CSharp Configuration Files

Notice

Compliance Standards

Base Preset

Recommended Exclusions

CWEs Updates

Critical Severity

Engine Pack Supported Code Languages and Frameworks (9.7.3)

Vulnerability Queries 9.7.3

Release Notes for Engine Pack (EP) 9.7.3 Patches

Search results