Release Notes for Engine Pack (EP) 9.4.5 Patches

Version 9.4.5.1014 Date 27-04-2023
Fixed an issue, to avoid a timeout, preventing all queries from being updated/inserted correctly in the database during the upgrade process.

Version 9.4.5.1013 Date 16-04-2023
Improvements in Java parsing to prevent scan failures due to a Stack Overflow error.
Improvements in Java_Medium_Threat\Privacy_Violation query to consider remote inputs.
Improvements in C# parsing to prevent scans from being stuck.
Fixed an error to prevent an exception when running incremental scans for Java language.
Improvements in JavaScript queries to prevent False Positives for: JavaScript_Medium_Threat\Missing_HSTS_Header JavaScript_Low_Visibility\Client_JQuery_Deprecated_Symbols
Improvements in CSharp queries to prevent False Negatives for CSharp_High_Risk\Dangerous_File_Upload
Improvements in MyBatis (Java) to prevent transformation errors when scanning.
Improvements in COBOL parsing to prevent errors when the source code has the COPY statement.
Improvements in the query PLSQL_High_Risk\SQL_Injection for PL/SQL language.
Improvements to prevent a timeout when parsing COBOL source code.
For security fixes, click this link for additional information.

Version 9.4.5.1012 Date 06-02-2023
For security fixes, click this link for additional information.

Version 9.4.5.1011 Date 06-02-2023
Parsing improvements to prevent System.StackOverflowException errors when scanning.
Improvements in PHP to support trailing commas in function calls.
Improvements in MyBatis (Java) support to prevent parsing issues that caused DOM loss.
Improvements in Python queries to prevent False Positives for SQL Injection when using QuerySet in Django.
Improvements in Python queries to prevent False Positives for Python_High_Risk\Reflected_XSS_All_Clients.
Improvements in Go to prevent False Positives for Go_Insecure_Credential_Storage\ PBKDF2_Insufficient_Iteration_Count.
Improvements in CSharp queries to prevent False Positives for CSharp_High_Risk\Second_Order_SQL_Injection.
Improved the CSharp_General -> Find_XSRF_Sanitize query by adding the AutoValidateAntiforgeryToken attribute, to prevent False Positives for Cross-site request forgery (XSRF).
Improvements in CSharp queries to prevent False Positives and False Negatives for CSharp_Medium_Threat\CSRF.
Improvements in PHP support for parsing imported files.
Java support for ESAPI imports has been improved to prevent False Positives for SQL Injection.
Improvements in Python queries to prevent False Positives and False Negatives for JavaScript_High_Risk\Client_DOM_XSS.

Version 9.4.5.1010 Date 28-12-2022
The query JavaScript_High_Risk\Client_DOM_XSS was improved to reduce False Positives when using the DOMPurify as a sanitizer. The comment existing in the Java General query Find_GWT_Server_Input_Methods has been improved to make clear that RpcServlet class is considered as experimental by GWT. Fixed an issue to prevent having an exception when computing the Similarity Id during the scan execution. Improvements in CSharp flows to prevent having False Positive results for the query CSharp_High_Risk\Second_Order_SQL_Injection. Improvement in Java flows to prevent incorrect results for the query Java.Hig\Reflected_XSS_All_Clients. Parsing Cobol improvements to prevent False Positive results for the query Cobol_High_Risk\SQL_Injection. The query Python_High_Risk\Connection_String_Injection has been improved to reduce the number of False Positive results. Improvements in the JavaScript parsing, at the DOM creation stage. CWE for the query CSharp_Medium_Threat\Data_Filter_Injection has been updated from CWE-200 to CWE-943. The queries Java_Medium_Threat.CGI_Reflected_XSS_All_Clients and Java_Medium_Threat.CGI_Stored_XSS have been improved to reduce the number of False Positive results.

Version 9.4.5.1010 Date 28-12-2022

The query JavaScript_High_Risk\Client_DOM_XSS was improved to reduce False Positives when using the DOMPurify as a sanitizer.
The comment existing in the Java General query Find_GWT_Server_Input_Methods has been improved to make clear that RpcServlet class is considered as experimental by GWT.
Fixed an issue to prevent having an exception when computing the Similarity Id during the scan execution.
Improvements in CSharp flows to prevent having False Positive results for the query CSharp_High_Risk\Second_Order_SQL_Injection.
Improvement in Java flows to prevent incorrect results for the query Java.Hig\Reflected_XSS_All_Clients.
Parsing Cobol improvements to prevent False Positive results for the query Cobol_High_Risk\SQL_Injection.
The query Python_High_Risk\Connection_String_Injection has been improved to reduce the number of False Positive results.
Improvements in the JavaScript parsing, at the DOM creation stage.
CWE for the query CSharp_Medium_Threat\Data_Filter_Injection has been updated from CWE-200 to CWE-943.
The queries Java_Medium_Threat.CGI_Reflected_XSS_All_Clients and Java_Medium_Threat.CGI_Stored_XSS have been improved to reduce the number of False Positive results.

Version 9.4.5.1009 Date 16-11-2022
Several parsing issues were fixed in the CPP source code scanning. Fixed an issue in C/CPP macros to prevent using keywords as var names. The query CSharp_High_Risk\SQL_Injection was improved to prevent False Negatives. The query Apex_Force_com_Serious_Security_Risk\Sharing was improved to prevent False Positives. Fixed an issue that occurred when scanning JavaScript to prevent duplicated results.

Version 9.4.5.1009 Date 16-11-2022

Several parsing issues were fixed in the CPP source code scanning.
Fixed an issue in C/CPP macros to prevent using keywords as var names.
The query CSharp_High_Risk\SQL_Injection was improved to prevent False Negatives.
The query Apex_Force_com_Serious_Security_Risk\Sharing was improved to prevent False Positives.
Fixed an issue that occurred when scanning JavaScript to prevent duplicated results.

Version 9.4.5.1008 Date 19-10-2022
Several parsing issues were fixed in the CPP source code scanning. The query CPP_Best_Coding_Practice/Methods_Without_ReturnType has been updated to improve the accuracy in the results. Engine has been improved by reducing memory consumption when running scans and thereby avoiding OutOfMemoryExcepion errors. The query Java_High_Risk\Stored_XSS was improved to prevent False Negatives. Several parsing issues were fixed in the CPP source code scanning.

Version 9.4.5.1008 Date 19-10-2022

Several parsing issues were fixed in the CPP source code scanning.
The query CPP_Best_Coding_Practice/Methods_Without_ReturnType has been updated to improve the accuracy in the results.
Engine has been improved by reducing memory consumption when running scans and thereby avoiding OutOfMemoryExcepion errors.
The query Java_High_Risk\Stored_XSS was improved to prevent False Negatives.
Several parsing issues were fixed in the CPP source code scanning.

Version 9.4.5.1007 Date 16-09-2022
RPG improvements to: Reduce the number of exceptions while parsing the source code Prevent False Negative results

Version 9.4.5.1006 Date 05-09-2022
Improvements in the Go language support to prevent issues when scanning the source code.
Several queries were improved to prevent False Positives: JavaScript_High_Risk\Client_DOM_XSS JavaScript_Low_Visibility\Client_DOM_Open_Redirect JavaScript_Server_Side_Vulnerabilities\Reflected_XSS Java_High_Risk\Reflected_XSS_All_Clients Java_Medium_Threat\HttpOnlyCookies_In_Config JavaScript_Medium_Threat\Client_Potential_XSS
Several queries were improved to prevent False Negatives: JavaScript_General\Find_Inputs JavaScript_Server_Side_Vulnerabilities\SQL_Injection JavaScript_Server_Side_Vulnerabilities\Command_Injection Scala_Medium_Threat\Privacy_Violation
Docker files are updated in the Linux engine (requires Docker version 20.10.10+).

Version 9.4.5.1004 Date 03-08-2022
CxAudit has been improved to use the same environment variable as CxPortal that defines the Source folder.
The query CPP_Buffer_Overflow.Buffer_Overflow_Unbounded_Format has been improved to prevent a StackOverflow error.
Several queries were improved to prevent False Negatives: JavaScript_High_Risk/Client_DOM_Stored_XSS JavaScript_Server_Side_Vulnerabilities/Reflected_XSS CSharp_High_Risk/Reflected_XSS_All_Clients CSharp_High_Risk/Command_Injection CSharp_High_Risk/Connection_String_Injection CSharp_High_Risk/Deserialization_of_Untrusted_Data
Improvements in the confidence level calculation to display the proper value for scans triggered through the Linux engine.

Version 9.4.5.1003 Date 11-07-2022
Improvements in Java parsing to prevent FP (false positive) results for the Reflected XSS All Client query.
Improvements in JSP parsing to prevent FN results.
Improved the React parsing to prevent errors from occurring when HTML elements included keywords.
Improvements in MyBatis (Java) parsing to prevent DOM loss.
Improvements in MyBatis (Java) parsing to prevent an issue that occurred when pre-processed files included single quotes.
Fixed an issue that was causing scans to fail when scanning JavaScript code that included type predicates.

In this section:

Release Notes for Engine Pack (EP) 9.4.5 Patches

Search results