# Release Notes for Engine Pack 9.5.1

Engine Pack 9.5.1 contains the following engine deliverables and enhancements:

## Installation Notes

### Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

### Notice

Engine Packs are cumulative and include previous Engine Pack updates.

## CxSAST Engine

### Core

#### Engine Base Docker Image Replaced

The base Docker image, mcr.microsoft.com/dotnet/aspnet:6.0.5-alpine3.14, has been replaced with the following image:

mcr.microsoft.com/dotnet/aspnet:6.0.5- jammy

The new Engine Docker image has been uploaded to Docker Hub.

#### Engine Structured Logs

The logs have been adapted to work with Kibana dashboards.

### Languages and Frameworks

The supported languages and frameworks, in 9.5.1 can be found on the dedicated page.

The content includes the following:

• Support for Finatra, a Scala framework

• Java language support updated to versions 16 and 17

• JSP improvements for supporting concatenation for Include Directives

• Support for ECMA 2021 (ES12) and ECMA 2022 (ES13) for JavaScript

• Support for AWS Lambda for Node.js

• C# and .Net Core improved support available as TechPreview

• C# support updated to versions 9 and 10

• .Net Core support updated to version 5 and 6

• Support for Dart language, available as Alpha version

• Improved several languages (such as Go, Java, JavaScript and C#) by creating new and updating existing queries

• Improved support for the MISRA C 2012 preset and several other presets

• Added a new Best Coding Practice query for detecting SpringShell vulnerable versions

#### Scala

We are introducing brand new support for Finatra. Finatra is a web framework for developing HTTP/Thrift services, built on top of TwitterServer and Finagle.

#### Java

Java language support has been updated to versions 16 and 17. It includes the following:

• Pattern Matching for instanceof

• Records

• Local Interfaces

• Local Enum Classes

• Sealed Classes

#### JavaScript

This version introduces support for the latest versions of EcmaScript for JavaScript, ECMA 2021 (ES12) and ECMA 2022 (ES13).

Support for the following language features was added:

• Local assignment operators (ES12)

• Numeric separators (ES12)

• Private Class methods (ES12)

• .at() and negative indexing (ES13)

• Error clause (ES13)

• Class fields (ES13)

#### JSP

The JSP support has been improved, by adding the support for concatenation for Include Directives

#### AWS Lambdas - Node.js

In 9.5.1 we are adding new support for AWS Lambdas, starting with Node.js.

Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.

DynamoDB and S3 library services are supported through either AWS SDK version 2 or version 3.

The following set of queries has been created under a group called JavaScript_AWS_Lambda:

• Race_Condition_Concurrent_Instances (Medium)

• User_Based_SDK_Configurations (Low)

• Related to DynamoDB

• Related to DynamoDB

• Related to S3 Bucket

• Permission_Manipulation_in_S3 (Medium)

• Unrestricted_Write_S3 (Low)

##### C# and .Net Core (TechPreview)

New C# support was re-written and updated to the latest versions 9 and 10. Support for .Net Core was updated to versions 5 and 6. New support is available as a Technology Preview in CxSAST 9.5.1.

To use the new language support, set the flag USE_NEW_CSHARP to true, by performing one of the following:

• In the SAST database: UPDATE [CxDB].[Config].[CxEngineConfigurationKeysMeta] SET [DefaultValue] = 'true' WHERE KeyName = 'USE_NEW_CSHARP'

• In the DefaultConfig.xml (located inside the folder %programfiles%\Checkmarx\Checkmarx Audit , %programfiles%\Checkmarx\Checkmarx Engine Server):

<Configuration>
<Key>USE_NEW_CSHARP</Key>
<Value>true</Value>
</Configuration>

Support for the following language features was added:

• Out Variables

• Pattern Matching

• Deconstruction

• Local Functions

• Binary Literals

• Digit Separators

• Ref Returns and Locals

• Generalized async return types

• More expression-body members

• More expression-body members

• Pattern matching enhancements

• Using declarations

• Using declarations

• Asynchronous streams

• Indices and ranges

• Null-coalescing assignment

• Stackalloc in nested expressions

• Records

• Init only setters

• Top-level statements

• Pattern matching enhancements

• Performance and interop

• Fit and finish features

• Support for code generators

• Record structs

• Improvements of structure types

• Interpolated string handlers

• Global using directives

• File-scoped namespace declaration

• Extended property patterns

• Allow const interpolated strings

• Improved definite assignment

• Allow both assignment and declaration in the same deconstruction

• Allow AsyncMethodBuilder attribute on methods

• CallerArgumentExpression attribute

• With Expression

### Note

The Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use. Before Checkmarx considers making Technology Preview features generally available, we will attempt to resolve any issues that customers experience with these features.

##### Dart (Alpha)

In 9.5.1 we are adding to the SAST engine brand new support for Dart language.

The following queries are available as part of this version:

• Dart_Mobile_High_Risk/Resource_Updated_By_URL_Data

• Dart_Mobile_Medium_Threat/WebView_JavaScript_Injection_from_URL_Schem

• Dart_Mobile_Low_Visibility/Parameter_Tampering

• Dart_Mobile_Low_Visibility/Self_SQL_Injection

The following language features are supported:

• Declarations

• Imports

• Exports

• Part/Part of

• Variables

• Constant

• Enums

• Mixins

• Classes and Objects

• Class Declaration

• Base types (extends, implements, with)

• Abstract class

• Constructors

• Getter/Setter

• Instance of the class (new)

• Generic class

• Extension methods

• Types

• Generic Types

• Literals: Integer, Double, Boolean, Character, String, Symbol, Null, Maps/Sets/Lists

• Multi-Line Strings

• Functions

• Function Declaration

• Function with Optional Argument

• Function with Default Argument

• Functions with Named Arguments

• Function with Variable Arguments

• Nested Functions

• Anonymous Functions

• Operators: Arithmetic, Relational/Equality, Logical, Bitwise/Shift, Assignment, Test Type, Conditional (ternary/Null-Coalescing)

• Exception Handling

• Try…Catch

• Finally Clause

• Throw Expression

• Control Flow Statements; If, Loop, Break, Continue, Switch and Case, Assert

###### SpringShell

The following new query for detecting unsafe SpringShell vulnerable versions in Java code was added: Java_Best_Coding_Practice/Potential_Usage_of_Vulnerable_Log4J

###### Queries Improvements

Several Go improvements by creating and editing existent queries, such as:

• Updated Queries:

• Go_High_Risk/Command_Injection

• Go_Medium_Threat/Denial_Of_Service_Resource_Exhaustion

• Go_Low_Visibility/Race_Condition_In_Cross_Functionality

• The Go_Medium_Threat/Path_Traversal query was split into the following queries:

• Go_Medium_Threat/Stored_Absolute_Path_Traversal

• Go_Medium_Threat/Reflected_Absolute_Path_Traversal

• Go_Medium_Threat/Stored_Relative_Path_Traversal

• Go_Medium_Threat/Reflected_Relative_Path_Traversal

• New Queries:

• Go_High_Risk/Connection_String_Injection

• Go_High_Risk/Unsafe_Reflection

• Go_Medium_Threat/Parameter_Tampering

Two new queries added to the Java language, to detect NoSQL Injection in MongoDB and to find the Code Injection (RCE) vulnerability with Insecure Bean Validation:

• Java_High_Risk/Mongo_NoSQL_Injection

• Java_High_Risk/Expression_Language_Injection_EL to find the Code Injection (RCE) vulnerability with Insecure Bean Validation

Several JavaScript improvements were made by creating new queries and by updating existent queries, such as the following:

• Updated queries:

• JavaScript_Medium_Threat/Client_ReDoS_From_Regex_Injection

• JavaScript_Medium_Threat/Client_ReDoS_In_Match

• JavaScript_Medium_Threat/Client_ReDoS_In_Replace

• New queries:

• Javascript_Server_Side_Low_Visibility/Information_Exposure_Through_an_Error_Message

• JavaScript_Best_Coding_Practice/Avoid_the_Use_of_FinalizationRegistry

• JavaScript_Best_Coding_Practice/Avoid_the_Use_of_WeakRef

C# queries have been improved for detecting hardcoded credentials in appsettings.json files.

For the complete list of new and updated queries for all the languages, please refer to the Vulnerability Queries for 9.5.1.

###### MISRA C 2012

The improvements to the MISRA C 2012 preset for Coding Standards, added for the C language in 9.4.4, continue with new additional rules.

In this version, the preset contains new and improved queries for the following rules:

• 1.4: The usage of emergent language features is disallowed.

• 2.1, 2.2, 2.4, 2.6 and 2.7: Unused code.

• 3.1: Character sequences /* and // must not be used within a comment.

• 3.2: The continuation char \ for line split must not be used inside a // comment.

• 4.1: Octal and hexadecimal escape sequences must be terminated.

• 4.2: Trigraphs must not be used.

• 8.13: A pointer should point to a const-qualified type whenever possible.

• 8.14: The type qualifier restrict should not be used.

• 9.1: Values from built-in types' variables should not be used before an assignment.

• 9.2 and 9.3: Arrays and Structures initialization must honor declared structure; Arrays must not be partially initialized.

• 10.1: Operands must not be of an inappropriate essential type.

• 10.2: Expressions of essential character type must not be used inappropriately in addition and subtraction.

• 10.3: The value of an expression must not be assigned to an object with a narrower essential type or of a different essential type category.

• 10.4: Operands for binary operators (and second and third operands for ternary operator) should have the same fundamental type.

• 10.5: The value of an expression should not be cast to an inappropriate essential type.

• 10.6: The value of a composite expression must not be assigned to an object with wider essential type.

• 10.7: If a composite expression is used as one operand of an operator in which the usual arithmetic conversions are performed, then the other operand must not have a wider essential type.

• 10.8: The value of a composite expression must not be cast to a different essential type category or a wider essential type.

• 11.3, 11.4, 11.5, 11.6, 11.7 and 11.9: Verify the validity of pointer type conversions including cast expressions.

• 12.1: Expressions should explicitly state the order of operators.

• 12.2: The right-hand operand of a shift operator shall lie in the range zero to one less than the width in bits of the essential type of the left-hand operand.

• 12.3: The comma operator should not be used.

• 12.4: Evaluation of constant expressions should not lead to unsigned integer wraparound.

• 12.5: The sizeof operator shall not have an operand which is a function parameter declared as "array of type".

• 13.1 to 13.6: Side Effects.

• 14.1: A loop counter shall not have essentially floating type.

• 14.2: A for loop shall be well-formed.

• 14.4: The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type.

• 15.1: Usage of goto is discouraged.

• 15.2: Goto might be used to jump forward in the code, but never backwards.

• 15.3: Goto might be used to jump out of nested blocks, but never to jump into nested blocks. Also, goto should not cross switch case statements.

• 15.4: A single exit point is required for an iteration-statement, whether it is a break or a goto.

• 15.5: Each function should have a single exit point.

• 15.6: The body of an iteration-statement or a selection-statement must be a compound statement.

• 15.7: All if ... else if ... constructs must be terminated with an else statement.

• 16.2: A switch label must not be used unless the most-enclosing compound statement is the body of a switch statement.

• 16.3: Every case block must terminate with an unconditional block. Exception is performed for grouping case statements. Default is not an exception, and therefore, the break is mandatory.

• 16.4: Every switch statement must have a default label. The default label should have at least a command before the break statement. When that is not possible, a comment must be used.

• 16.5: The default clause in a switch statement must be the first or the last one.

• 16.6: Each switch statement must have at least two non-empty clauses.

• 16.7: The switch expression must not be of fundamental Boolean type.

• 17.1: Functions from must not be used.

• 17.2: There must not be any recursive code, neither direct nor indirect.

• 17.3: A function must not be declared implicitly.

• 17.4: Non void functions should have expressions on every exit path.

• 20.1: All #include directives should only be preceded by preprocessor directives or comments.

• 20.3: Include directives must be followed by either a or "filename" sequence.

• 20.5: #undef should not be used.

• 20.10: No # and ## preprocessor operators should be used.

• 20.11: A ## operator should not come immediately after a macro argument that follows a # operator.

• 20.12: Only the # or ## operators can utilize a macro parameter as an operand, since it is itself susceptible to additional macro substitution.

• 20.14: All #if/#else/#elif/#endif commands must reside in the same file.

• 21.1: There must not be any #define or #undef with C Standard Library function names or names starting with an underscore.

• 21.2: There must not be any redefinition of a C Standard Library function, or any C function starting with an underscore.

• 21.3: The <stdlib.h> method for memory handling must not be used (free, malloc, calloc, realloc).

• 21.4: <setjmp.h> and related methods must not be used.

• 21.5: <signal.h> functionalities must not be used.

• 21.6: The input/output functionalities available in <stdio.h> must not be used, nor the names reused by local methods, nor the equivalent methods from for wide char input/output.

• 21.7: The Standard Library functions of atof, atoi, atol and atoll of <stdio.h> must not be used.

• 21.8: The Standard Library functions system, exit and abort of <stdio.h> must not be used.

• 21.9: The Standard Library functions bsearch and qsort of <stdio.h> must not be used.

• 21.10: The standard library <time.h> and associated methods/types must not be used.

• 21.11: The header file <tgmath.h> must not be used.

• 21.12: The exception handling features of <fenv.h> must not be used.

• 21.21: System from <stdlib.h> must not be used.

• 21.13: Calls to functions from <ctype.h> must have as an argument an integer in the range from -1 (EOF) to 255.

• 21.15: Pointers passed to memcpy, memmove, or memcmp must be compatible.

• 21.16: Pointers passed to memcmp must be only for integers, bools, enum or chars.

• 21.18: The size_t parameter for methods memchr, memcmp, memcpy, memmove, memset, strncat, strncmp, strncpy and strxfrm should be smaller than the array size of the supplied pointers.

• 21.19: The results of the localeconv, getenv, setlocale or strerror methods can only be used as pointers to const qualified types.

###### General Preset Alignment

The following CWE-based presets were updated, by adding the new queries created in recent SAST versions, aligning the queries from all the languages, and removing deprecated queries:

• CWE Top 25

• MOIS(KISA) Secure Coding 2021

• OWASP ASVS

• OWASP Top 10 2021

• Sans Top 25

## CxSAST Application

### Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and queries according to presets for this version.

For details, see Vulnerability Queries for 9.5.1.