Engine Pack Version 9.7.4
CxSAST Engine
Languages & Frameworks
The full list of supported code languages and framework versions is documented separately.
C++
Added support for range-based for loops (C++11) and pack expansions in lambda captures (C++17).
A hand-crafted tokenizer is now used during macro expansion, improving performance.
Boost and stdlib:
Added support for: "map", "multimap", "unordered_map", "unordered_multimap", "flat_map", "flat_multiset" and "flat_multimap".
Boost
Extended support for vector initialization and iteration methods
Go
Added new and improved queries, including:
Cryptography
Information Exposure
JWT
File Handling
Password Management
DoS
XSS
SQL Client
Additionally, some general queries were added and refined, expanding detection capabilities and improving overall scan precision.
Optimized Java .properties Files Handling During Scans
Handling of .properties files during SAST scans was improved by skipping their preprocessing and DOM generation. These files are now processed only during query execution, using a simpler, more efficient mechanism.
Affected queries are:
Java_Medium_Threat.Use_Of_Hardcoded_Password
Java_Medium_Threat.Use_Of_Hardcoded_Password_In_Config
Java_Low_Visibility.Incorrect_Permission_Assignment_For_File_System_Resources
Java_Best_Coding_Practice.LeftOver_Debug_Code
Java_Best_Coding_Practice.ESAPI_Banned_API
Java_Best_Coding_Practice.Incorrect_Block_Delimitation
Java_Best_Coding_Practice.Potentially_Serializable_Class_With_Sensitive_Data
Java_Best_Coding_Practice.Unused_Variable
Java_Metadata.Get_Values_Assigned_To_Properties
Compliance Standards
The PCI DSS preset has been improved to include queries covering Requirement 8.6.2.
ASA Premium preset has been updated to include additional queries.
ASA Mobile Premium preset has been updated to include additional queries.
Recommended Exclusions
Added default exclusions for #[test] and #[cfg(test)] annotations in Rust to prevent false positives in test code.
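As an added example (not code from these release notes or from Checkmarx), the Rust module below shows the pattern the exclusion targets: production code reads its token from the environment and compares it in constant time, while a `#[cfg(test)]` module holds a constructed fixture literal that a hardcoded-credential query would otherwise flag. The environment variable name `API_TOKEN`, the fixture value and all function names are assumptions made for the example.

```rust
// Added example, not part of the Checkmarx release notes. Demonstrates why
// `#[test]` functions and `#[cfg(test)]` modules are excluded from scans:
// the fixture literal below is compiled only under `cargo test` and never
// reaches a release binary, so flagging it would be a false positive.

use std::env;

/// Reads the API token from the environment (variable name is an assumption);
/// production code never embeds the secret as a literal.
pub fn api_token_from_env() -> Option<String> {
    env::var("API_TOKEN").ok().filter(|t| !t.is_empty())
}

/// Constant-time comparison of two byte strings: the loop always runs over
/// the full length so a mismatch position does not change the timing.
pub fn tokens_match(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Authorises a request only if a token is configured and matches.
/// A missing configuration fails closed rather than accepting anything.
pub fn authorize(presented: &str, configured: Option<&str>) -> bool {
    match configured {
        Some(expected) => tokens_match(presented.as_bytes(), expected.as_bytes()),
        None => false,
    }
}

fn main() {
    // Stand-alone run: report whether a token is present without printing it.
    let configured = api_token_from_env();
    println!("API token configured: {}", configured.is_some());
}

#[cfg(test)]
mod tests {
    use super::*;

    // Constructed fixture: a literal "secret" that lives only in test code.
    const FIXTURE_TOKEN: &str = "test-token-not-a-real-secret";

    #[test]
    fn accepts_matching_token() {
        assert!(authorize(FIXTURE_TOKEN, Some(FIXTURE_TOKEN)));
    }

    #[test]
    fn rejects_mismatch_and_missing_config() {
        assert!(!authorize("wrong", Some(FIXTURE_TOKEN)));
        assert!(!authorize(FIXTURE_TOKEN, None));
    }
}
```

The exclusion only stops the scanner from reporting the fixture; the literal is still in the repository, so test fixtures should never reuse a real credential, and anything gated by `#[cfg(test)]` must stay out of the production code path.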
Resolved Issues
Ticket number | Description |
---|---|
C# | |
SAST-7357 | A false negative occurred for Code Injection in Type.InvokeMember. |
SAST-6988 | A false positive occurred in Improper_Restriction_of_XXE_Ref. |
SAST-6318 | A false positive occurred in Stored_XSS. |
SAST-5618 | A false positive occurred in Permissive_Content_Security_Policy. |
SAST-2613, SAST-1537 | False negatives and false positives occurred in Missing_HSTS_Header. |
SAST-2552 | A false positive occurred in Cookie_Injection() due to alternative .Replace() sanitization. |
SAST-6136 | DOM node property calculation threw an exception, causing scans to hang. |
SAST-7207 | A false positive occurred in JWT_Excessive_Expiration_Time. |
SAST-4376 | Configurations in Program.cs caused false positives in HttpOnlyCookies and Insecure_Cookie. |
SAST-6952 | A false negative occurred in Use_Of_Hardcoded_Password. |
Apex | |
SAST-7356 | A false negative occurred in SOQL_SOSL_Injection. |
SAST-7172 | A false positive occurred in CRUD_Delete() when run with AccessLevel.USER_MODE. |
SAST-7171 | A false positive occurred in FLS_Create() when using stripInaccessible. |
SAST-7170 | A false positive occurred in FLS_Update() when validated with an IF. |
Python | |
SAST-7165 | A false positive occurred in Second_Order_SQL_Injection. |
SAST-6929 | False positives occurred in Command_Injection, Code_Injection, and Command_Argument_Injection. |
SAST-6898 | The Find_Methods_By_Import query did not scale with a high number of imports. |
Java | |
SAST-7099 | Improved Java parsing to prevent abstract interpretation (ABSINT) timeouts. |
SAST-7094, SAST-7005 | False positives occurred in Second_Order_SQL_Injection. |
SAST-6467 | A false positive occurred in SQL_Injection. |
SAST-4347 | A false positive occurred in SQL_Injection() when using Criterion objects created outside Criteria.add(). |
SAST-7386 | Abstract Interpretation became stuck for three hours. |
SAST-7114, SAST-7088 | A false positive occurred in Use_Of_Hardcoded_Password() with the @Value annotation. |
SAST-5998 | A false positive occurred in Reflected_XSS_All_Clients. |
SAST-5981 | A false positive occurred in Unchecked_Input_for_Loop_Condition(). |
SAST-5838 | CustomFlows in PostPostResolve became stuck for three hours. |
SAST-5745 | A false positive occurred in Open_Redirect. |
SAST-5703 | The Find_Same_Switch_And_Case query failed to execute. |
SAST-4276 | A false negative occurred in SSL_Verification_Bypass() due to an overly broad sanitizer. |
SAST-1896 | A false positive occurred in Use_of_WebView_AddJavascriptInterface due to API version lookup in a specific directory. |
SAST-1842 | A false positive occurred in Direct_Use_of_Unsafe_JNI due to missing sanitization. |
SAST-1835 | A false positive occurred in Input_Path_Not_Canonicalized. |
SAST-2516 | A false positive occurred in Incorrect_Permission_Assignment_For_Critical_Resources. |
C++ | |
SAST-7097 | The off-by-one error query aborted on Front Arena 9.7.2. |
SAST-6908 | A false positive occurred in buffer overflow detection using snprintf with explicit buffer size. |
SAST-6890 | Preprocessing became stuck on .C/.H files in the C++ stage. |
SAST-6867 | Protobuf files were not excluded correctly. |
SAST-6143 | A false positive occurred in Use_of_Uninitialized_Variable. |
SAST-6071 | Query stage performance degraded on small projects. |
SAST-2492 | A false positive occurred in memory management queries (Double_Free, Use_After_Free, Memory_Leak) for the same result. |
SAST-4274 | A false positive occurred in Dangerous_Functions() on _tcslen() usages. |
SAST-1673 | A false positive occurred in Memory_Leak when an object was released in a destructor. |
SAST-1366 | Both false positives and false negatives occurred in Divide_By_Zero. |
SAST-6493 | The Buffer_Size_Literal() query had the wrong description. |
SAST-7082 | The CWE mapping of the CSharp_WebConfig\HardcodedCredentials query was corrected. |
JavaScript | |
SAST-6307 | A false positive occurred in SQL_Injection. |
SAST-6140 | A false positive occurred in Reflected_XSS. |
SAST-7135 | A false negative occurred in SQL_Injection under Server_Side_Vulnerabilities. |
SAST-6667 | Input was missing for AWSLambda_Find_Inputs. |
SAST-1943 | A false negative occurred in SQL_Injection when snowflake-sdk was not recognized as a DB driver. |
SAST-1989 | A false positive occurred in Unprotected_Cookie when using httpOnly sanitization. |
PHP | |
SAST-7028 | A false positive occurred in Reflected_XSS() due to int sources. |
SAST-2458 | A false positive occurred in Reflected_XSS() on throw statements. |
SAST-2359 | A false positive occurred when include_once files were not resolved. |
SAST-6552 | A false positive occurred in Improper_Exception_Handling. |
SAST-4304 | A false negative occurred in Reflected_XSS. |
COBOL | |
SAST-7250 | A preprocessing error caused Antlr4.Runtime.InputMismatchException. |
SAST-7001 | Parsing issues prevented a true positive (TP) from being detected. |
RPG | |
SAST-4273 | Parsing issues caused a total loss of DOM. |
Dart | |
SAST-6522 | A false negative occurred in Unsafe_Reflection. |
ASP / ASP.NET | |
SAST-1992 | The highlighted flow was incorrect after the Page_Load node. |
SAST-4376 | Configurations in Program.cs caused false positives in HttpOnlyCookies and Insecure_Cookie. |
All languages | |
SAST-6938 | Predefined file exclusions were improved to increase scan coverage. Files up to 6,000 LOC are now included by default when the feature is enabled. |
SAST-5616 | Scans failed with zero files when using DefaultConfig. |