
Engine Pack Version 9.7.4

CxSAST Engine

Languages & Frameworks

All supported languages and framework versions can be found here.

C++

  • Added support for range-based for loops (C++11) and pack expansions in lambda capture groups (C++17).

  • Hand-crafted tokenizer used during macro expansion for enhanced performance.

  • Boost and stdlib:

    • Added support for: "map", "multimap", "unordered_map", "unordered_multimap", "flat_map", "flat_multiset" and "flat_multimap".

  • Boost

    • Extended support for vector initialization and iteration methods.

Go

Added new and improved queries, including:

  • Cryptography

  • Information Exposure

  • JWT

  • File Handling

  • Password Management

  • DoS

  • XSS

  • SQL Client

Additionally, some general queries were added and refined, expanding detection capabilities and improving overall scan precision.

Optimized Java .properties Files Handling During Scans

Improved handling of .properties files during SAST scans by skipping their preprocessing and DOM generation. These files are now processed only during query execution using a simpler, more efficient mechanism.

Affected queries are:

  • Java_Medium_Threat.Use_Of_Hardcoded_Password

  • Java_Medium_Threat.Use_Of_Hardcoded_Password_In_Config

  • Java_Low_Visibility.Incorrect_Permission_Assignment_For_File_System_Resources

  • Java_Best_Coding_Practice.LeftOver_Debug_Code

  • Java_Best_Coding_Practice.ESAPI_Banned_API

  • Java_Best_Coding_Practice.Incorrect_Block_Delimitation

  • Java_Best_Coding_Practice.Potentially_Serializable_Class_With_Sensitive_Data

  • Java_Best_Coding_Practice.Unused_Variable

  • Java_Metadata.Get_Values_Assigned_To_Properties

Compliance Standards

  • PCI has been improved to include queries covering Rule 8.6.2.

  • ASA Premium preset has been updated to include additional queries.

  • ASA Mobile Premium preset has been updated to include additional queries.

Recommended Exclusions

Added default exclusions for #[test] and #[cfg(test)] annotations in Rust to prevent false positives in test code.

Resolved Issues

Ticket number | Description

C#

SAST-7357 | A false negative occurred for Code Injection in Type.InvokeMember.
SAST-6988 | A false positive occurred in Improper_Restriction_of_XXE_Ref.
SAST-6318 | A false positive occurred in Stored_XSS.
SAST-5618 | A false positive occurred in Permissive_Content_Security_Policy.
SAST-2613, SAST-1537 | False negatives and false positives occurred in Missing_HSTS_Header.
SAST-2552 | A false positive occurred in Cookie_Injection() due to alternative .Replace() sanitization.
SAST-6136 | DOM node property calculation threw an exception, causing scans to hang.
SAST-7207 | A false positive occurred in JWT_Excessive_Expiration_Time.
SAST-4376 | Configurations in Program.cs caused false positives in HttpOnlyCookies and Insecure_Cookie.
SAST-6952 | A false negative occurred in Use_Of_Hardcoded_Password.

Apex

SAST-7356 | A false negative occurred in SOQL_SOSL_Injection.
SAST-7172 | A false positive occurred in CRUD_Delete() when run with AccessLevel.USER_MODE.
SAST-7171 | A false positive occurred in FLS_Create() when using stripInaccessible.
SAST-7170 | A false positive occurred in FLS_Update() when validated with an IF.

Python

SAST-7165 | A false positive occurred in Second_Order_SQL_Injection.
SAST-6929 | False positives occurred in Command_Injection, Code_Injection, and Command_Argument_Injection.
SAST-6898 | The Find_Methods_By_Import query did not scale with a high number of imports.

Java

SAST-7099 | Improved Java parsing to prevent ABSINT timeouts.
SAST-7094, SAST-7005 | False positives occurred in Second_Order_SQL_Injection.
SAST-6467 | A false positive occurred in SQL_Injection.
SAST-4347 | A false positive occurred in SQL_Injection() when using Criterion objects created outside Criteria.add().
SAST-7386 | Abstract Interpretation became stuck for three hours.
SAST-7114, SAST-7088 | A false positive occurred in Use_Of_Hardcoded_Password() with the @Value annotation.
SAST-5998 | A false positive occurred in Reflected_XSS_All_Clients.
SAST-5981 | A false positive occurred in Unchecked_Input_for_Loop_Condition().
SAST-5838 | CustomFlows in PostPostResolve became stuck for three hours.
SAST-5745 | A false positive occurred in Open_Redirect.
SAST-5703 | The Find_Same_Switch_And_Case query failed to execute.
SAST-4276 | A false negative occurred in SSL_Verification_Bypass() due to an overly broad sanitizer.
SAST-1896 | A false positive occurred in Use_of_WebView_AddJavascriptInterface due to API version lookup in a specific directory.
SAST-1842 | A false positive occurred in Direct_Use_of_Unsafe_JNI due to missing sanitization.
SAST-1835 | A false positive occurred in Input_Path_Not_Canonicalized.
SAST-2516 | A false positive occurred in Incorrect_Permission_Assignment_For_Critical_Resources.

C++

SAST-7097 | The off-by-one error query aborted on Front Arena 9.7.2.
SAST-6908 | A false positive occurred in buffer overflow detection using snprintf with an explicit buffer size.
SAST-6890 | Preprocessing became stuck on .C/.H files in the C++ stage.
SAST-6867 | Protobuf files were not excluded correctly.
SAST-6143 | A false positive occurred in Use_of_Uninitialized_Variable.
SAST-6071 | Query stage performance degraded on small projects.
SAST-2492 | A false positive occurred in memory management queries (Double_Free, Use_After_Free, Memory_Leak) for the same result.
SAST-4274 | A false positive occurred in Dangerous_Functions() on _tcslen() usages.
SAST-1673 | A false positive occurred in Memory_Leak when an object was released in a destructor.
SAST-1366 | Both false positives and false negatives occurred in Divide_By_Zero.
SAST-6493 | The Buffer_Size_Literal() query had the wrong description.
SAST-7082 | Fixed the CWE for the CSharp_WebConfig\HardcodedCredentials query.

JavaScript

SAST-6307 | A false positive occurred in SQL_Injection.
SAST-6140 | A false positive occurred in Reflected_XSS.
SAST-7135 | A false negative occurred in SQL_Injection under Server_Side_Vulnerabilities.
SAST-6667 | Input was missing for AWSLambda_Find_Inputs.
SAST-1943 | A false negative occurred in SQL_Injection when snowflake-sdk was not recognized as a DB driver.
SAST-1989 | A false positive occurred in Unprotected_Cookie when using httpOnly sanitization.

PHP

SAST-7028 | A false positive occurred in Reflected_XSS() due to int sources.
SAST-2458 | A false positive occurred in Reflected_XSS() on throw statements.
SAST-2359 | A false positive occurred when include_once files were not resolved.
SAST-6552 | A false positive occurred in Improper_Exception_Handling.
SAST-4304 | A false negative occurred in Reflected_XSS.

COBOL

SAST-7250 | A preprocessing error caused Antlr4.Runtime.InputMismatchException.
SAST-7001 | Parsing issues prevented true positives (TP) from being detected.

RPG

SAST-4273 | Parsing issues caused a total loss of the DOM.

Dart

SAST-6522 | A false negative occurred in Unsafe_Reflection.

ASP / ASP.NET

SAST-1992 | The highlighted flow was incorrect after the Page_Load node.
SAST-4376 | Configurations in Program.cs caused false positives in HttpOnlyCookies and Insecure_Cookie.

All languages

SAST-6938 | Predefined file exclusions were improved to increase scan coverage. Files up to 6,000 LOC are now included by default when the feature is enabled, ensuring broader and more effective analysis.
SAST-5616 | Scans failed with zero files when using DefaultConfig.