9.2.0 Content Packs
In order to further optimize the accuracy of CxSAST scan results, Checkmarx introduced the Security Content packs.
Content packs are released regularly to provide added value to released versions in various ways:
Remediation focus: Increased out-of-the-box accuracy by reducing the False Positive (FP) findings and increasing the True Positive (TP) ones.
API Security: APIs are the de facto communication means for today's applications, whether they come from microservices, mobile, IoT, cloud, serverless or similar contexts. This content pack focuses on detecting vulnerabilities via specialized API security queries.
Language enhancements: A fix or improvement for a language is often provided via a hotfix (HF) or via query changes.
Content Packs are the delivery vehicle when these improvements are in the queries.
Presets/Categories: Content packs allow updating or creating new presets and categories.
Descriptions: Content packs allow adding or updating query descriptions.
Content packs are cumulative and include previous content pack updates for the same language.
Compatibility and Versioning
Content packs are released for CxSAST product versions that are already generally available and widely used. Content pack data is compatible with one specific CxSAST product version, so a content pack version is made up of the CxSAST product version it is compatible with (three numbers) suffixed by the internal build number (fourth number), e.g., CP.9.2.0.9017. The compatibility dependency exists because of CxQL and other internal versions. The content of the various content packs is included in the next GA release of CxSAST.
Delivery Mechanism
All content packs are cumulative for a language, i.e., installing Content Pack 9.2.0.x for Java is equivalent to installing all 9.2.0 content packs for Java released before 9.2.0.x, in release order. The Content Packs Installer checks the installed CxSAST version and content pack version, and allows installation only if the CxSAST version and the installed content pack are compatible.
Installation
The content pack is installed on the CxManager stations, unless otherwise indicated. In a distributed environment, the content pack does not need to be installed on engine stations, just on the CxManager station, which has access to the database. Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.
The installer can also be executed in CLI (silent) mode, similarly to hotfix installations.
Content
Each content pack includes improvements to queries and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.
Detailed content descriptions can be found on the pages listed below:
Content Pack 9.2: Uninstaller
The Content Pack uninstaller provides an easy way to remove the content installed by a content pack.
It is provided as a dedicated package that runs on the machine where CxSAST is installed and restores the system to its original GA state.
The uninstaller accepts the same command-line arguments as the installer, so it can also be run in CLI (silent) mode.
It has no prerequisites beyond the correct CxSAST version and can be executed after any content pack installation.
The uninstaller does not affect existing scan results or the customizations applied to the system environment.
Content Pack Version - CP.9.2.0.9017 (C#)
Each Ruleset Content Pack includes improvements to queries, and optionally to presets. Technically, these changes are delivered through database upgrade scripts which affect relevant tables.
This content pack uses the unified installer and includes updates to Java and C#.
New API Security and Checkmarx Express presets in Java
It includes two new presets (OWASP TOP 10 API and Checkmarx Express).
Adds OWASP TOP 10 API category support for API Security in Java
It includes the queries mapping for the OWASP TOP 10 API.
Improvements for reducing the amount of false positive findings in C#
Some new improvements were introduced for high risk and medium threat queries. They are detailed in the next section.
Notice
This CP includes OOTB Accuracy content; the Checkmarx Express preset should be used to take full advantage of the improvements made by this project.
It also includes API Security content; the OWASP Top 10 API preset should be used to take full advantage of the content pack's Java queries for API Security.
As in any CxSAST product release, the Content Pack also resets the Checkmarx built-in presets to their default query sets.
Note
Installation order
This is a cumulative content pack; it can be installed over any of the version 9.2 content packs and does not require other content packs.
This Content Pack (CP) includes improvements for reducing the amount of false positive results in C#.
For High Risk queries, the accuracy of the Checkmarx Express preset is improved by 98%.
For Medium Threat queries, the accuracy of the Checkmarx Express preset is improved by 33%.
Notice
Accuracy is calculated as TP/(TP + FP), i.e., the proportion of reported findings that are true positives.
The following improvements were also made for C# queries:
Improve sinks on Code Injection with script and async APIs
Improve Connection String Injection sanitizers to remove static strings
Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders
Improve Resource Injection sanitizers to consider string sanitization methods, encodings and allowlist validation
Improve Stored XSS sanitizers
Improve XPath Injection and Stored XPath Injection sanitizers
Improve Stored Code Injection sanitizers with Compiler Options Output Assembly
Improve DB Parameter Tampering sanitizers with authorization validations
Improve DOS By Sleep sanitizers when using properly configured SpinWait and ThreadSleep APIs
Improve Hardcoded Password in connection string inputs when using variables containing static strings
Improve Heap Inspection to avoid bad results on page views controls
Improve SQL Injection Evasion Attack sanitizers extending with more decoding APIs
Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves
Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe
Improve Missing HSTS Header to support further time span APIs when using bad configuration
Improve ASP MVC controller support
Improve ASP MVC/Razor XSRF token support
Improve general sanitization when using allowlist mappings and numeric APIs
Improve Entity Framework APIs support
Improve Database support for async APIs
Improve Database LINQ supported APIs
Improve Salesforce Database supported APIs
Improve support for Safe hashing algorithms
Improve Deserialization of untrusted data
Rewrite Unsafe Object Binding with improved sources and sinks
Improved support for MVC and json on Reflected_XSS sinks
Improved outputs for LDAP_Injection
Improved Resource_Injection sanitizers and extended support for AbsInt
Improved CGI_XSS sanitizers when using web applications
Rewritten Heap_Inspection support for properties and stack memory allocated elements
Improved support for sources of HttpOnlyCookies
Improved Improper_Restriction_of_XXE_Ref to support improved .NET sanitization
Improved MVC_View_Injection to take advantage of AbsInt
Improved support for MVC annotations on No_Request_Validation
Improved filesystem access support for Path_Traversal
Improved Privacy_Violation sink support
Improved support on Session_Fixation for session creation pages
Improved Stored_LDAP_Injection sink support
Extended support on Use_of_Cryptographically_Weak_PRNG for random number generation and assurance of cryptographic use
Improved detection of .net core on Check_HSTS_Configuration
Extended heuristic for finding passwords
Improved support for decryption code when checking raw text passwords
Improved Log_Forging sanitizers and sinks
Rewritten the Open_Redirect query
Improved Use_Of_Broken_Or_Risky_Cryptographic_Algorithm to support more crypto algorithms
Improved sanitizers on Use_Of_Hardcoded_Password
Added query Use_of_Insufficiently_Random_Values
Applied best coding practices on the queries
Note
Version Upgrade
The improvements in this content pack are included in CxSAST version 9.3. There is no need to install further Content Packs after upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Java and C#.
Can this Content Pack be installed on top of other Content Packs?
Yes, this content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All content packs are cumulative, so you can install only the latest one, or all of them.
Can this Content Pack be installed in further versions, like CxSAST 8.9?
No. This content pack can only be installed on CxSAST 9.2. CxSAST 8.9 and CxSAST 9.0 also have a Content Pack 9 available.
Does this Content Pack depend on any HotFix?
No. No hotfix is required to install this content pack.
Content Pack Version - CP.9.2.0.12028 (JavaScript)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect relevant tables.
This content pack introduces a new unified installer and it includes all the content packs published for version 9.2. It includes updates to Java, C# and JavaScript.
Improvements for reducing the amount of false positive findings in C#, OWASP TOP 10 API support in Java.
The changes provided can be found at the release notes page of CP9: Release notes for Content Pack 9 (C#, Java)
Improvements for reducing the amount of false positive findings in JavaScript.
The changes provided can be found in the next section.
Improvements for other JavaScript issues.
Improved Client_DOM_XSS when inputs come from window.location.search.
Improved support for database access through MSSql on NodeJS.
Notice
This CP includes OOTB Accuracy content; the Checkmarx Express preset should be used to take full advantage of the improvements made by this project.
It also includes API Security content; the OWASP Top 10 API preset should be used to take full advantage of the content pack's Java queries for API Security.
As in any CxSAST product release, the Content Pack also resets the Checkmarx built-in presets to their default query sets.
Notice
Installation order
This is a cumulative content pack; it can be installed over any of the version 9.2 content packs and does not require other content packs.
This Content Pack (CP) includes improvements for reducing the amount of false positive results in JavaScript.
For High Risk queries, the accuracy of the Checkmarx Express preset is improved by 350%.
For Medium Threat queries, the accuracy of the Checkmarx Express preset is improved by 15%.
It includes all the changes provided in Content Pack 9, plus improvements focused on JavaScript queries.
The following improvements were made for JavaScript queries:
Improved sanitization for XSS and cryptography on browser and NodeJS
Improved sanitization for AngularJS Filters
Improved support for logging with Node-Bunyan, Winston and PynoHTTP libraries
Improved the list of trusted CDN domains for the hardcoded domain query
Improved support for CryptoJs and CryptoTS cryptographic libraries
Added support for HmacRIPEMD160 cryptographic algorithm
Improved support for Kony SQLite
Improved support for database accesses under XSRF permissions
Extended the list of personal information related keywords
Improved support for Indexed DB
Improved the support of window object tainted elements
Added support for Path traversal using the Hapi Library
Improved support of NodeJS web page outputs
Improved Mongoose, MongoDB, Sequelize and SQLite database support for NodeJS
Improved support on NodeJS for Open Redirect
Improved support for XPath Injection sanitization
Improved support for Client Resource Injection
Updated the list of deprecated jQuery APIs
Improved support for Remote File Inclusion
Improved support for use of iframes without sandbox
Improved support for Unsafe use of Target Blank
Deprecated query Client Header Manipulation
Improved sanitization support for Regex Denial of Service
Deprecated Client Reflected File Download
Improved programmatic sanitization methods support for Frameable Login Page
Improved support for Code Injection
Improved support for Command Injection
Deprecated query Insecure Direct Object References
Added support for Insecure Storage of Sensitive Data
Improved support for Log Forging
Improved Support for NoSQL Injection
Improved support for Path Traversal
Improved support for Privacy Violation
Deprecated query Security Misconfiguration
Improved support for SSL Verification Bypass
Improved support for Stored XSS
Improved support for Unprotected Cookie
Improved support for Use of Broken or Risky Cryptographic Algorithm
Improved support for Use of Hardcoded Password
Note
Version Upgrade
It is mandatory to install the same content pack number for newer versions while upgrading (e.g., v9.0 CP12 → v9.2 CP12).
This step will ensure the accuracy of the obtained results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for JavaScript and also carries the previously released Java and C# content.
Can this Content Pack be installed on top of other Content Packs?
Yes, this content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All content packs are cumulative, so you can install only the latest one, or all of them.
Can this Content Pack be installed over other content packs?
Yes. It overrides the content of any previously installed content pack.
Is there any order of installation between this Content Pack and Content Pack 4/6/9 ?
Yes, but there is no need to install other Content Packs: this content pack includes all the previous ones.
Can this Content Pack be installed in further versions, like CxSAST 8.9?
No. Version 8.9 will not have a Content Pack 12 available. Versions 9.2 and 9.3 each have a dedicated content pack.
Does this Content Pack depend on any HotFix?
No. No hotfix is required to install this content pack.
Content Pack Version - CP.9.2.0.13031 (Java)
Each API Security content pack (CP) contains a new or refactored set of queries targeting API-related vulnerabilities. It aims to reduce the number of false negative (FN) results in API projects while keeping the general accuracy of the queries.
This content pack uses the unified installer and includes all previous content packs published for version 9.2. It includes updates for Java, C# and JavaScript.
Improvements for reducing the amount of false positive findings in C#, OWASP TOP 10 API support in Java.
The changes provided can be found in the next section.
Notice
This content pack includes OOTB Accuracy content. Checkmarx Express presets should be used to take full advantage of improvements performed by this project.
It includes API Security content. OWASP Top 10 API presets should be used to take full advantage of the content pack queries on Java for API Security.
As in any CxSAST product release, the content pack also resets the Checkmarx built-in presets to their default query set.
Notice
Installation order
This is a cumulative content pack; it can be installed over any of the previous version 9.2 content packs and does not require other content packs.
Dependencies
HotFix 7 is required for this content pack.
This content pack includes improvements in the OWASP TOP 10 API queries.
API Security Content
The following improvements have been made for Java queries (even though not all are related to the API Security Preset):
Java_High_Risk.Reflected_XSS_All_Clients
Updated to remove FP results that appear on API code.
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Updated to find results associated with weak types like RC2, RC4, ARCFOUR or Blowfish.
Java_Medium_Threat.Excessive_Data_Exposure
Updated to take annotations like @JsonIgnore, @JsonIgnoreProperties, @JsonFilter and @JsonIgnoreType into account when ignoring sensitive data, and to disregard hardcoded DTO classes.
Java_Medium_Threat.JWT_No_Signature_Verification
Improved the query to consider return values that are influenced by inputs in resolveSigningKeyBytes methods.
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
Improved performance only.
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
Improved performance only.
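To make the Excessive_Data_Exposure item concrete, here is an added example of the coding pattern the description refers to. It is not Checkmarx code and not taken from this page; it assumes spring-web and jackson-databind on the classpath, and every class, field and URL name in it is hypothetical. A controller that returns a persistence entity serializes every public getter, password hash and identifiers included. Marking the sensitive members with @JsonIgnore or @JsonIgnoreProperties, or returning a purpose-built DTO, keeps them out of the response body, and those are the two shapes the updated query now treats as safe.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Added illustration (not Checkmarx code). Assumes spring-web and jackson-databind
// on the classpath; all class, field and URL names are hypothetical.
public class ExcessiveDataExposureExample {

    // Persistence-style entity. When a @RestController returns it, Jackson turns
    // every public getter into a JSON field, including the two that must never
    // leave the service. This is the shape Excessive_Data_Exposure reports.
    public static class UserEntity {
        private final long id;
        private final String email;
        private final String passwordHash;
        private final String nationalId;

        public UserEntity(long id, String email, String passwordHash, String nationalId) {
            this.id = id; this.email = email; this.passwordHash = passwordHash; this.nationalId = nationalId;
        }
        public long getId() { return id; }
        public String getEmail() { return email; }
        public String getPasswordHash() { return passwordHash; }
        public String getNationalId() { return nationalId; }
    }

    // Fix 1: keep the entity but mark the sensitive members. @JsonIgnore on the
    // getter and @JsonIgnoreProperties on the class are both honoured by Jackson
    // and are among the annotations the updated query recognises.
    @JsonIgnoreProperties({"nationalId"})
    public static class AnnotatedUserEntity {
        private final long id;
        private final String email;
        private final String passwordHash;
        private final String nationalId;

        public AnnotatedUserEntity(long id, String email, String passwordHash, String nationalId) {
            this.id = id; this.email = email; this.passwordHash = passwordHash; this.nationalId = nationalId;
        }
        public long getId() { return id; }
        public String getEmail() { return email; }
        @JsonIgnore public String getPasswordHash() { return passwordHash; }
        public String getNationalId() { return nationalId; }
    }

    // Fix 2: a dedicated DTO carrying only what the API consumer needs, so sensitive
    // columns added to the entity later are not exposed by default.
    public static final class UserSummary {
        public final long id;
        public final String email;
        public UserSummary(UserEntity user) { this.id = user.getId(); this.email = user.getEmail(); }
    }

    @RestController
    public static class UserController {
        // Stand-in for a repository lookup; the values are constructed sample data.
        private UserEntity load(long id) {
            return new UserEntity(id, "alice@example.com", "$2a$10$examplebcrypthash", "123-45-6789");
        }

        // Exposed: the entity itself is the response body.
        @GetMapping("/v1/users/{id}")
        public UserEntity getUserExposed(@PathVariable long id) { return load(id); }

        // Hardened: map to the DTO before returning.
        @GetMapping("/v2/users/{id}")
        public UserSummary getUserSafe(@PathVariable long id) { return new UserSummary(load(id)); }
    }

    // Serialises each variant with the same ObjectMapper Spring MVC uses by default,
    // so the difference in the response body is visible without starting a server:
    // the plain entity carries passwordHash and nationalId, the other two do not.
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        UserEntity raw = new UserEntity(1, "alice@example.com", "$2a$10$examplebcrypthash", "123-45-6789");
        System.out.println("entity:    " + mapper.writeValueAsString(raw));
        System.out.println("annotated: " + mapper.writeValueAsString(
                new AnnotatedUserEntity(1, "alice@example.com", "$2a$10$examplebcrypthash", "123-45-6789")));
        System.out.println("dto:       " + mapper.writeValueAsString(new UserSummary(raw)));
    }
}
```

The DTO variant is the more robust of the two fixes: an annotation protects one field, whereas a DTO makes exposure opt-in for every field, which is why the query disregards hardcoded DTO classes rather than tracing their members individually.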
The following queries were added to the Java set of queries. For details on each query, refer to their specific description in the CxSAST Portal.
Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization
Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
Java_Low_Visibility.Spring_Missing_X_Frame_Options
Java_Low_Visibility.Spring_Missing_Content_Security_Policy
Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
Java_Low_Visibility.Spring_Missing_Expect_CT_Header
Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret
Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
Java_Medium_Threat.Spring_Comparison_Timing_Attack
Java_Medium_Threat.Excessive_Data_Exposure
Java_Medium_Threat.Spring_XSRF
Java_Medium_Threat.Spring_Missing_HSTS_Header
The new and updated queries map to the OWASP API Security Top 10 categories as follows:
API1 - Broken Object Level Authorization
NEW Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
NEW Java_Low_Visibility.Unrestricted_Read_S3
API2 - Broken Authentication
NEW Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret
NEW Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
NEW Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
NEW Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
NEW Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
NEW Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
NEW Java_Medium_Threat.Spring_Comparison_Timing_Attack
NEW Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
API3 - Excessive Data Exposure
NEW Java_Medium_Threat.Excessive_Data_Exposure
API4 - Lack of Resources and Rate Limiting
No Updates
API5 - Broken Function Level Authorization
NEW Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization
API6 - Mass Assignment
No Updates
API7 - Security Misconfiguration
NEW Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
NEW Java_Medium_Threat.Spring_Missing_HSTS_Header
NEW Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
NEW Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
NEW Java_Low_Visibility.Spring_Missing_X_Frame_Options
NEW Java_Low_Visibility.Spring_Missing_Content_Security_Policy
NEW Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
NEW Java_Low_Visibility.Spring_Missing_Expect_CT_Header
API8 - Injection
Java_High_Risk.Xpath_Injection
API9 - Improper Assets Management
No Updates
API10 - Insufficient Logging and Monitoring
No Updates
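An added example (not Checkmarx code and not from this page) of the pattern behind the two JWT queries listed under API2. It assumes jjwt 0.11.x (io.jsonwebtoken) and Java 11+; the class names and the tokens minted in main are constructed here. SigningKeyResolverAdapter.resolveSigningKeyBytes is the jjwt hook the JWT_No_Signature_Verification description refers to: when its return value is influenced by the token's own header or claims, whoever mints the token also picks the key, so the signature check passes for any payload. The hardened resolver only hands back keys held server side and rejects unknown key ids. The server key is generated at runtime here; a string literal in its place is what JWT_Use_Of_Hardcoded_Secret reports.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;

// Added illustration (not Checkmarx code). Assumes jjwt 0.11.x on the classpath;
// class names and sample tokens are constructed for this example.
public class JwtKeyResolutionExample {

    // Vulnerable: the "kid" header is treated as a Base64-encoded HMAC key. The
    // return value is derived from token input, so the party that writes the token
    // also chooses the key and the signature check proves nothing.
    static final class KeyFromTokenResolver extends SigningKeyResolverAdapter {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            return Decoders.BASE64.decode(header.getKeyId());
        }
    }

    // Hardened: keys live server side, indexed by kid; the token can only select
    // among keys the service already trusts, and unknown ids are rejected.
    static final class ServerSideKeyResolver extends SigningKeyResolverAdapter {
        private final Map<String, byte[]> keysById;
        ServerSideKeyResolver(Map<String, byte[]> keysById) { this.keysById = keysById; }
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            byte[] key = keysById.get(header.getKeyId());
            if (key == null) throw new JwtException("unknown key id: " + header.getKeyId());
            return key;
        }
    }

    // Parses and verifies the token with the given resolver; true only if the
    // signature verifies and the token carries role=admin.
    static boolean grantsAdmin(String token, SigningKeyResolverAdapter resolver) {
        try {
            Jws<Claims> jws = Jwts.parserBuilder().setSigningKeyResolver(resolver).build().parseClaimsJws(token);
            return "admin".equals(jws.getBody().get("role", String.class));
        } catch (JwtException e) {
            return false;
        }
    }

    // Mints an HS256 token with the given key, kid header and role claim.
    static String mint(byte[] key, String kid, String role) {
        return Jwts.builder()
                .setHeaderParam("kid", kid)
                .setSubject("alice")
                .claim("role", role)
                .signWith(Keys.hmacShaKeyFor(key), SignatureAlgorithm.HS256)
                .compact();
    }

    public static void main(String[] args) {
        // Server key: generated here for the example. In production it would come
        // from a secret store, never from a string literal in the source.
        byte[] serverKey = new byte[32];
        new SecureRandom().nextBytes(serverKey);
        Map<String, byte[]> trustedKeys = Map.of("k1", serverKey);

        // Attacker mints an admin token with a 32-byte key of their own and ships
        // that key in the header, which is exactly what the vulnerable resolver uses.
        byte[] attackerKey = "attacker-chosen-key-of-32-bytes!".getBytes(StandardCharsets.UTF_8);
        String forged = mint(attackerKey, Encoders.BASE64.encode(attackerKey), "admin");

        System.out.println("key-from-token resolver grants admin on forged token:  "
                + grantsAdmin(forged, new KeyFromTokenResolver()));
        System.out.println("server-side resolver grants admin on forged token:     "
                + grantsAdmin(forged, new ServerSideKeyResolver(trustedKeys)));

        // A token signed with the real key under a known kid still works as intended.
        String legitimate = mint(serverKey, "k1", "admin");
        System.out.println("server-side resolver grants admin on legitimate token: "
                + grantsAdmin(legitimate, new ServerSideKeyResolver(trustedKeys)));
    }
}
```

The first line printed is true and the second false: the forged token is accepted only by the resolver whose key depends on the token. Pinning the accepted algorithm, or keying the lookup on a fixed allowlist as ServerSideKeyResolver does, is the check to look for when triaging a JWT_No_Signature_Verification result.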
Note
Version Upgrade
These content pack improvements are included with CxSAST version 9.3. You don’t have to install additional content packs after upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this content pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This content pack provides improvements for Java.
Can this Content Pack be installed on top of other Content Packs?
Yes. This content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No. There are no dependencies on other Content Packs. All content packs are cumulative, meaning that it can be installed over existing content packs.
Can this Content Pack be used with Content Pack 12 (JavaScript)?
Yes. It overrides the Content Pack 12 content.
Is there any order of installation between this Content Pack and Content Pack 12 (JavaScript)?
Yes. But there is no need to install other content packs since this content pack includes all the previous ones.
Can this Content Pack be installed in further versions, like CxSAST 9.3?
No. CxSAST 9.3 includes this content.
Does this Content Pack depend on any HotFix?
Yes. The content pack requires HF7 or higher.
Content Pack Version - CP.9.2.0.14051 (Cobol)
Each Ruleset Content Pack includes improvements to queries, and, optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This content pack uses the unified installer and includes all the content packs published for version 9.2.0. It includes updates to JavaScript, C#, Java and Cobol.
The details about JavaScript under the OOTB Accuracy project are available at Content Pack Version - CP.9.3.0.12021 (JavaScript).
The details about the Content Pack for Java under the API Security project are available at Content Pack Version - CP.9.2.0.13031 (Java).
Notice
Installation order
This is a cumulative content pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other content packs.
Cobol: improved the following query:
Information_Leak_Through_Comments
SAP OpenUI and XSJS: improved the following 3 queries:
SAPUI5_Hardcoded_UserId_In_Comments
SAPUI5_Use_Of_Hardcoded_URL
XS_Use_Of_Hardcoded_URL
Java: improved the following query:
Heap_Inspection
Note
Version Upgrade
It is mandatory to install at least the same content pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Cobol, for the SAP OpenUI and XSJS queries, and for Java.
Can this Content Pack be installed on top of other Content Packs?
Yes, this content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other content packs?
Yes. It overrides the content of any previously installed content pack.
Is there any order of installation between this Content Pack and Content Pack 13 ?
Yes, but there is no need to install other Content Packs: this content pack includes all the previous ones.
Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. Version 9.0 will not have a Content Pack 14 available. Version 9.3 has a dedicated Content Pack 14.
Does this Content Pack depend on any HotFix?
No. It does not require any previously installed HotFix on the environment.
Content Pack Version - CP.9.2.0.15052 (Java, Python)
Each Ruleset Content Pack includes improvements to queries, and optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java and Python.
Notice
Installation order
This is a cumulative Content Pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.2.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 14 and the following improvements:
Added a new preset for SCA content: Presets/SCA.xml
The preset contains the following new queries for the Java language:
Java_Exploitable_Path/Java_Find_Imports
Java_Exploitable_Path/Java_Find_Methods
and the following new queries for the Python language:
Python_Exploitable_Path/Python_Find_Imports
Python_Exploitable_Path/Python_Find_Methods
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP15 → v9.3.0 CP15).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Java and Python.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes. It overrides the content of any previously installed Content Pack.
Is there any order of installation between this Content Pack and Content Pack 14?
Yes, but there is no need to install other Content Packs: this Content Pack includes all the previous ones.
Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. Version 9.0 will not have a Content Pack 15 available. Version 9.3 has a dedicated Content Pack 15.
Does this Content Pack depend on any HotFix?
Yes. This Content Pack requires HotFix 15.
Content Pack Version - CP.9.2.0.17055 (JavaScript)
Each Ruleset Content Pack includes improvements to queries, and optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to JavaScript.
Notice
Installation order
This is a cumulative Content Pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.2.0 Hotfix 19 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 15 and the following improvements:
In the JavaScript language, the following queries were improved:
JavaScript_Medium_Threat/Client_Privacy_Violation - Improved the Angular support related to outputs
JavaScript_High_Risk/Client_DOM_XSS - Corrected reporting of Angular results when $event is involved
JavaScript_Angular/Angular_Client_DOM_XSS and Angular_Client_Stored_DOM_XSS - Removed Angular Mustache interpolation from the XSS outputs
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading.
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for JavaScript.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, i.e., it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes. It overrides the content of any previously installed Content Pack.
Is there any order of installation between this Content Pack and Content Pack 15?
Yes, but there is no need to install other Content Packs: this Content Pack includes all the previous ones.
Can this Content Pack be installed in other versions, like CxSAST 9.0?
No. Versions 9.0 and 9.3 will not have a Content Pack 17 available.
Does this Content Pack depend on any HotFix?
Yes. This Content Pack requires HotFix 19.
Content Pack Version - CP.9.2.0.19056 (PLSQL)
Notice
The content of this Content Pack (CP.9.2.0.19056) will be available for CxSAST version 9.3.0 as CP19 and for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to PLSQL.
Notice
Installation order
This is a cumulative Content Pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.2.0 Hotfix 19 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 17 and the following improvements:
PLSQL
Low/Default_Definer_Rights_in_Method_Definition - The query was improved by discarding results that appear inside safe methods. This improves the general accuracy of the query.
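The query above flags PL/SQL units that run with definer rights, which is Oracle's default when a procedure, function or package specification carries no AUTHID clause. The following is an added illustration, not Checkmarx's CxQL query, of a simplified check in the same spirit: it finds units that either declare AUTHID DEFINER explicitly or omit the clause, and lets AUTHID CURRENT_USER units pass. The regular expression, the helper names and the PL/SQL sample are constructed for this example; the query's own "safe method" exclusions are not reproduced.

```python
import re

# Header of a standalone PL/SQL program unit, captured up to the IS/AS keyword that opens
# its body. PACKAGE BODY is skipped because AUTHID belongs on the package specification.
# Heuristic regex (assumption): it expects well-formed CREATE statements with an IS/AS body.
UNIT_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:(?:NON)?EDITIONABLE\s+)?"
    r"(PROCEDURE|FUNCTION|PACKAGE)\s+(?!BODY\b)([\w.\"]+)(.*?)\b(?:IS|AS)\b",
    re.IGNORECASE | re.DOTALL,
)
AUTHID_RE = re.compile(r"\bAUTHID\s+(DEFINER|CURRENT_USER)\b", re.IGNORECASE)


def find_definer_rights_units(plsql):
    """Return (kind, name, authid) for every unit that runs with definer rights, either
    because AUTHID DEFINER is written out or because no AUTHID clause is present
    (Oracle's default). Units declared AUTHID CURRENT_USER are not reported."""
    findings = []
    for m in UNIT_RE.finditer(plsql):
        kind, name, header = m.group(1).upper(), m.group(2), m.group(3)
        clause = AUTHID_RE.search(header)
        authid = clause.group(1).upper() if clause else "DEFINER (default)"
        if authid.startswith("DEFINER"):
            findings.append((kind, name, authid))
    return findings


# Constructed sample: an implicit definer-rights procedure, an invoker-rights procedure,
# an explicit definer-rights function, and a package body (no AUTHID clause of its own).
SAMPLE_PLSQL = """
CREATE OR REPLACE PROCEDURE run_report(p_owner IN VARCHAR2) IS
BEGIN
  NULL;
END;
/
CREATE OR REPLACE PROCEDURE run_report_safe(p_owner IN VARCHAR2)
  AUTHID CURRENT_USER IS
BEGIN
  NULL;
END;
/
CREATE OR REPLACE FUNCTION lookup(p_id NUMBER) RETURN VARCHAR2 AUTHID DEFINER AS
BEGIN
  RETURN 'x';
END;
/
CREATE OR REPLACE PACKAGE BODY util AS
END;
/
"""

if __name__ == "__main__":
    for kind, name, authid in find_definer_rights_units(SAMPLE_PLSQL):
        print(f"{kind} {name}: {authid}")
```

Running the block prints the two definer-rights units (run_report and lookup); run_report_safe is skipped because of its AUTHID CURRENT_USER clause. The check is a header-level heuristic and does not model the surrounding context the Checkmarx query uses to discard results inside safe methods.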
Presets and Categories Alignment
A preset and categories for OWASP Top 10 2021 were added and aligned for all languages.
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading.
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack provides bug fixes for PLSQL and introduces the OWASP Top 10 2021 preset and categories, aligned for all languages.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 17?
Yes, but there is no need to install other Content Packs; this Content Pack includes all the previous ones.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, it requires Hotfix 19 to be installed beforehand on the environment (Manager and Engines).
Content Pack Version - CP.9.2.0.20057 (Java)
Notice
The content of this Content Pack (CP.9.2.0.20057) will be available for CP.9.3.0.20047 and for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java.
Notice
Installation order
This is a cumulative Content Pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.2.0 Hotfix 20 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 19 and the following improvements:
Java
Best_Coding_Practice/Unsafe_Bidi_Unicode_Data - This new query finds Bidi characters in the Java source code, as a way of exposing the Trojan Source vulnerability.
Best_Coding_Practice/Unsafe_Homoglyphs_Unicode_Data - This new query finds unsafe homoglyph characters in the Java source code. This query handles another part of the Trojan Source vulnerability.
Note: Common queries were added that could serve as a basis for defining the same queries in other languages.
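The two queries above look for the two ingredients of the Trojan Source technique: Unicode bidirectional formatting characters, which change how a line is displayed without changing how the compiler reads it, and homoglyphs, letters from another script that look identical to Latin ones and make two distinct identifiers appear the same. As an added example, not Checkmarx's CxQL queries, the following Python scanner reports both in a Java source string. It relies on the standard library's Unicode database: bidirectional class for the control characters and the first word of the character name ("LATIN", "CYRILLIC", ...) as an approximation of script. The function names and the Java sample are constructed for this example.

```python
import re
import unicodedata

# Bidi classes of the formatting characters that can reorder displayed source text
# (embeddings, overrides, isolates and their terminators).
BIDI_FORMATTING_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Java-style identifier: a Unicode letter or underscore followed by letters, digits, underscores.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Approximate a letter's script from its Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def find_bidi_controls(line):
    """Return (column, description) for every bidi formatting character on the line."""
    return [
        (col, f"U+{ord(ch):04X} {unicodedata.bidirectional(ch)}")
        for col, ch in enumerate(line)
        if unicodedata.bidirectional(ch) in BIDI_FORMATTING_CLASSES
    ]


def find_mixed_script_identifiers(line):
    """Return (column, identifier, scripts) for identifiers that mix letters from more than
    one script, the usual signature of a homoglyph substitution."""
    hits = []
    for m in IDENT_RE.finditer(line):
        ident = m.group()
        scripts = {script_of(c) for c in ident if c.isalpha()}
        if len(scripts) > 1:
            hits.append((m.start(), ident, sorted(scripts)))
    return hits


def scan_source(text):
    """Return (line_no, kind, column, detail) for every finding; line numbers are 1-based."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, detail in find_bidi_controls(line):
            findings.append((line_no, "bidi-control", col, detail))
        for col, ident, scripts in find_mixed_script_identifiers(line):
            findings.append((line_no, "mixed-script-identifier", col, f"{ident} {scripts}"))
    return findings


# Constructed sample: line 3 carries a right-to-left override (U+202E) and a left-to-right
# isolate (U+2066) inside a comment; line 4 declares an identifier whose second letter is
# Cyrillic 'а' (U+0430) rather than Latin 'a', so it looks identical to 'name' on line 5.
SAMPLE_JAVA = (
    "public class Example {\n"
    "    static boolean isAdmin = false;\n"
    "    /* } \u202e { if (isAdmin) \u2066 begin admin only */\n"
    "    static int n\u0430me = 1;\n"
    "    static int name = 2;\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, kind, col, detail in scan_source(SAMPLE_JAVA):
        print(f"line {line_no} col {col}: {kind} {detail}")
```

The mixed-script rule is deliberately strict: it also reports identifiers that legitimately combine scripts (for instance Han with Hiragana or Katakana), which Unicode's confusable-detection guidance treats as acceptable combinations, so tune the allowed script sets to the code base before treating every hit as a finding.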
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading.
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack adds new queries in Java to handle the Trojan Source vulnerability.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 19?
Yes, but there is no need to install other Content Packs; this Content Pack includes all the previous ones.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, it requires Hotfix 20 to be installed beforehand on the environment (Manager and Engines).
Content Pack Version - CP.9.2.0.21058 (Java, Groovy)
Notice
The content of this Content Pack (CP.9.2.0.21058) will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java and Groovy.
Notice
Installation order
This is a cumulative Content Pack; it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.2.0 Hotfix 20 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 20 and the following improvements:
Java, Groovy
Best_Coding_Practice/Usage_of_Vulnerable_Log4J - This new query finds usage of Log4J dependencies, as a way of exposing the Apache Log4J remote code execution vulnerability.
Note: Common queries were added that could serve as a basis for defining the same queries in other languages.
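The query above works from the dependency declarations in a Java or Groovy project rather than from Log4J call sites. As an added example, not Checkmarx's CxQL query, the following Python code shows the same idea over the two build files a practitioner would check: it extracts every org.apache.logging.log4j coordinate from a Maven pom.xml (resolving ${property} versions declared under <properties>) and from a Gradle build script, then lists the ones whose version is below a caller-supplied threshold or cannot be parsed. The threshold used in the stand-alone run, the helper names and both build-file samples are constructed for this example; the threshold is not a value from this page and should be taken from the vendor advisory for the release in use.

```python
import re
import xml.etree.ElementTree as ET

LOG4J_GROUP = "org.apache.logging.log4j"
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Matches 'group:artifact:version' coordinates in Gradle Groovy or Kotlin DSL scripts.
GRADLE_DEP_RE = re.compile(r"['\"]org\.apache\.logging\.log4j:([\w.-]+):([\w.-]+)['\"]")


def _text(elem, tag):
    child = elem.find(f"m:{tag}", MAVEN_NS)
    return child.text.strip() if child is not None and child.text else None


def find_log4j_in_pom(pom_xml):
    """Return [(artifactId, version)] for every Log4J dependency in a pom.xml string,
    including <dependencyManagement>, with ${property} versions resolved from <properties>."""
    root = ET.fromstring(pom_xml)
    props = {
        p.tag.split("}")[1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", MAVEN_NS)
    }
    hits = []
    for dep in root.iter(f"{{{MAVEN_NS['m']}}}dependency"):
        if _text(dep, "groupId") != LOG4J_GROUP:
            continue
        version = _text(dep, "version") or "<managed/unspecified>"
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        hits.append((_text(dep, "artifactId"), version))
    return hits


def find_log4j_in_gradle(build_gradle):
    """Return [(artifact, version)] for every Log4J coordinate in a Gradle script."""
    return [(m.group(1), m.group(2)) for m in GRADLE_DEP_RE.finditer(build_gradle)]


def parse_version(version):
    """Turn '2.17.1' into (2, 17, 1); return None when no numeric component is present."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3]) if nums else None


def flag_below(hits, min_safe):
    """Return the hits whose version parses below min_safe, plus unparsable ones
    (unresolved properties, managed versions) that need manual review."""
    return [
        (artifact, version)
        for artifact, version in hits
        if parse_version(version) is None or parse_version(version) < min_safe
    ]


# Constructed sample build files.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_GRADLE = """
dependencies {
    implementation 'org.apache.logging.log4j:log4j-api:2.17.1'
    implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
}
"""

if __name__ == "__main__":
    # Assumed threshold for illustration only; take the real one from the vendor advisory.
    ASSUMED_MIN_SAFE = (2, 17, 1)
    hits = find_log4j_in_pom(SAMPLE_POM) + find_log4j_in_gradle(SAMPLE_GRADLE)
    for artifact, version in flag_below(hits, ASSUMED_MIN_SAFE):
        print(f"review: {artifact} {version}")
```

Versions inherited from a parent POM or a BOM show up as "<managed/unspecified>" and are reported for review rather than silently passed; the effective version in that case comes from the resolved dependency tree, not from the file alone.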
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.2.0.
Which languages were targeted in this Content Pack?
This Content Pack adds new queries in Java and Groovy to handle the Log4J vulnerability.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 20?
Yes, but there is no need to install other Content Packs; this Content Pack includes all the previous ones.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, it requires Hotfix 20 to be installed beforehand on the environment (Manager and Engines).