Engine Pack Version 9.7.6

CxSAST Engine

Warning

For compliance and security reasons, the CxSAST 9.7.6 Engine Docker image was updated.

  • The base image was migrated from Wolfi (apk-based) to a Debian-based distribution (apt-based).

    • If you customize this image or use it as a base image, you may need to adjust the package download commands (e.g., move from apk get PACKAGE to apt get PACKAGE).

  • Some packages were also updated. The ca-certificates and openssl libraries are now using newer versions (version 3.5.5).

Languages & Frameworks

All supported code Languages & Frameworks versions can be found here.

False Positive Reduction

CxQL Accuracy Gains: Enhancements in False Positive Reduction and New True Positive Coverage

C++

  • Finalized support for C++ 17, including:

    • Added aggregate initialization support

  • Added support for C++ 20, including:

    • Abbreviated function template

    • Constraints and concepts

    • Export/Import module

    • Coroutines

    • Removed the requirement to use typename to disambiguate types

  • Improved dependency computation to prevent result jumping due to file order loss.

  • Performance improvements to optimize the scanning execution time.

Go

New support and improvements were made to queries: Go - Improvements and New Support

These updates aim to improve accuracy, reduce false positives, and increase coverage for Go code analysis.

JavaScript

Node.js support has been expanded to include the file extensions .cjs, .mjs, .mts, and .cts.

JSP

  • Improvements to the flows between different JSP Servlet Scopes, including Page, Request, Session, and Application.

  • Added dynamic resolution for EL expressions "${ }" in JSP views.

Python

A Code Injection query for Pandas has been created.

FastAPI support: Python FastAPI Support Enhancements

Post-Quantum Readiness

Proactive preparation is essential to ensure systems remain secure and compliant in the future quantum era while addressing the immediate risk posed by the "capture now, decrypt later" problem, which makes organizations vulnerable today. To support this, the following queries have been added for Java, JavaScript, CSharp, Go and Python:

  • Weak_Post_Quantum_Cryptography (Low) to identify cryptographic algorithms considered weak in a post-quantum context, meaning they can be intercepted now and potentially decrypted in the future once quantum capabilities are available.

  • Compliant_Post_Quantum_Cryptography (Info) to identify the use of cryptographic algorithms that are considered safe and aligned with post-quantum security recommendations.

The Weak_Post_Quantum_Cryptography query has been added to the All, Checkmarx Default, High, Medium, and Low presets.

Additionally, a new preset named Post-Quantum Readiness has been created to include this query.

Large Language Model

A new Java query, Privacy_Violation_to_LLM (Medium), has been added to identify privacy risks in source code that interacts with Large Language Models, including both data sent as input to the LLM and data returned as output.