Release Notes for Engine Pack 9.5.3
Caution
The Checkmarx certificate used for application code signing has been updated, since the previous one has expired.
This might result in error messages depending on the environment settings, but these errors can be safely ignored.
Installation Notes
Caution
In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.
Notice
Engine Packs are cumulative and include previous Engine Pack updates.
For more information about Engine Pack installation, see The Engine Pack Delivery Model for Checkmarx SAST.
CxSAST Engine Pack Enhancements
Engine Pack 9.5.3 contains the following engine deliverables and enhancements:
Core
Checkmarx Certificate Update
Since the previous Checkmarx certificate used for application code signing has expired, the Checkmarx certificate has been updated. The updated certificate might cause error messages, depending on the environment settings.
New Flow
Starting with this release, only the new flow is available. The old flow is completely disabled and blocked: all parameters related to it have been removed from the database configuration tables and from the user interface, so users can no longer configure it.
After several development iterations of the new flow over the past releases, the difference in scan results between the new flow and the old flow is now minimal. Customers who did not use the new flow previously may see differences between their previous results and the current results. Customers who already used the new flow will usually see no differences, apart from rare cases where results differ slightly.
The following configuration parameters have been removed:
USE_LAZY_FLOW
MATCH_THIS_MEMBERS_BY_NAME
MAX_EDGES_IN_MINI_FLOW
FLOW_END_GROUPS_RADIUS
MAX_DFG_DEPTH
DFG_CREATION_PER_BULK_TIMEOUT_FACTOR
DFG_CREATION_PER_BULK_TIMEOUT_SECONDS
FLOW_CACHE_CLEAR_FREQUENCY
LOAD_CDG_GRAPHS
LOAD_CFG_GRAPHS
LOAD_DFG_GRAPHS
COMPACT_FLOW
CFGTIMEOUT
DFGTIMEOUT
MAX_PARSE_DEPTH
MAX_METHODS_TO_PROCESS
MAX_CFG_SIZE
FLOW_CACHE_LEVEL
SHOW_MEMBERS_IN_PATH
SHRINK_PATH
Structured Logs
The Engine logs have been refactored as Structured Logs, so that they are compatible with Kibana and can be displayed in a dashboard view with information, such as statistics for monitoring, errors and warnings for troubleshooting, and general information about the scans, such as languages. The information that will be displayed depends on the user queries.
Structured Logs is an independent service and is highly beneficial for hosted customers. For more details, see Viewing Structured Logs Using Kibana.
Languages and Frameworks
All supported code Languages & Frameworks versions can be found on the dedicated page.
The content includes the following:
Python language support has been updated to version 3.10
Added support for AWS Lambda for Go
New queries added to Dart and Flutter support
Improvements in C/C++ language support
Several changes related to Go, including the following:
Improvements in the language support
Added new support for gin-gonic framework
Added new support for gorilla/mux library
Changes related to JavaScript include the following:
New support for RequireJS
Updated support for Node.js
The following new presets were added:
Top Tier
ASA (AppSec Accelerator) Premium
ASA Mobile Premium
Python
Python language support has been improved to cover version 3.10, including the language features relevant to the SAST engine.
AWS Lambdas - Go
In 9.5.3 we are adding new support for AWS Lambdas for Go.
Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.
DynamoDB and S3 library services are supported through the AWS SDK for Go.
The following set of queries has been created under a group called Go_AWS_Lambda:
AWS_Credentials_Leak
Hardcoded_AWS_Credentials
User_Based_SDK_Configurations
Race_Condition_Global_Scope
Related to DynamoDB
DynamoDB_NoSQL_Injection
Related to S3 Bucket
Permission_Manipulation_In_S3
Use_of_Hardcoded_Cryptographic_Key_On_Server
Unrestricted_Read_S3
Unrestricted_Write_S3
The list of all queries can be found at Vulnerability Queries for 9.5.3.
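As an added illustration of the class of finding that the Hardcoded_AWS_Credentials and AWS_Credentials_Leak queries target, the following Go program (written for these notes; it is not Checkmarx code and does not reproduce the CxQL logic of those queries) parses two constructed Lambda session-setup snippets with go/ast and flags string literals shaped like an AWS access key ID, as well as calls to credentials.NewStaticCredentials whose arguments are literals. The vulnerable snippet embeds the access key from the AWS documentation example; the hardened snippet relies on the Lambda execution role through the SDK's default credential chain. The sample sources, the Finding type and the ScanSource function are all assumptions of this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
)

// Finding records one hardcoded-credential hit in the scanned source.
type Finding struct {
	Line   int
	Reason string
}

// accessKeyID matches the shape of an AWS access key ID: "AKIA" followed by
// 16 uppercase alphanumerics. A literal of this shape in source is a leak
// whether or not the key is still active.
var accessKeyID = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)

// ScanSource parses Go source text and reports:
//   - string literals shaped like an AWS access key ID;
//   - calls to NewStaticCredentials whose id or secret argument is a literal,
//     i.e. key material baked into the binary instead of read at runtime.
// This is an illustrative approximation of the check, not Checkmarx's CxQL.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BasicLit:
			if x.Kind == token.STRING && accessKeyID.MatchString(x.Value) {
				findings = append(findings, Finding{
					Line:   fset.Position(x.Pos()).Line,
					Reason: "string literal shaped like an AWS access key ID",
				})
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok || sel.Sel.Name != "NewStaticCredentials" || len(x.Args) < 2 {
				return true
			}
			_, idIsLit := x.Args[0].(*ast.BasicLit)
			_, secretIsLit := x.Args[1].(*ast.BasicLit)
			if idIsLit || secretIsLit {
				findings = append(findings, Finding{
					Line:   fset.Position(x.Pos()).Line,
					Reason: "NewStaticCredentials called with literal key material",
				})
			}
		}
		return true
	})
	return findings, nil
}

// vulnerableHandler is a constructed Lambda session setup with key material
// embedded in the source (the access key is AWS's documentation example key).
const vulnerableHandler = `package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
)

func newSession() *session.Session {
	// Constructed example: key material embedded in the function's source.
	return session.Must(session.NewSession(&aws.Config{
		Credentials: credentials.NewStaticCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", ""),
	}))
}
`

// hardenedHandler is the same setup relying on the Lambda execution role via
// the SDK's default credential chain; nothing secret appears in the source.
const hardenedHandler = `package main

import "github.com/aws/aws-sdk-go/aws/session"

func newSession() *session.Session {
	// Credentials come from the execution role at runtime, not from source.
	return session.Must(session.NewSession())
}
`

func main() {
	samples := map[string]string{"vulnerable.go": vulnerableHandler, "hardened.go": hardenedHandler}
	for name, src := range samples {
		findings, err := ScanSource(name, src)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: %s\n", f.Line, f.Reason)
		}
	}
}
```

The vulnerable sample yields two findings on the same line (the literal-argument call and the key-shaped literal inside it); the hardened sample yields none. The same two checks are what a reviewer looks for by hand when a Lambda needs DynamoDB or S3 access: the function should carry no key material at all and obtain its permissions from the execution role.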
Dart and Flutter (Beta)
The Dart and Flutter support has been improved with the addition of new queries.
The following queries are available as part of this version, listed under their query groups:
Dart_High_Risk
  Sensitive_Information_Through_URL_Scheme
Dart_Mobile_Medium_Threat
  Path_Traversal
Dart_Mobile_Low_Visibility
  Autocorrection_Keystroke_Logging
  Improper_Resource_Shutdown_or_Release
  Missing_Device_Lock_Verification
The list of all queries can be found at Vulnerability Queries for 9.5.3.
C/C++
The C/C++ language support has been improved.
Go
Go language support has been improved with the following features:
generics support
scope of type parameters in method declaration
In addition to the language support improvements, the query initiative started in the previous engine pack has continued, with new Go queries created and existing ones revised.
The list of all queries can be found at Vulnerability Queries for 9.5.3.
gin-gonic/gin (TechPreview)
In 9.5.3, brand new support for the gin-gonic/gin framework has been added as a TechPreview.
No engine changes were required; the support is based on CxQL queries only.
gorilla-mux
In this engine pack, brand new support for the gorilla/mux library has been added.
No engine changes were required; the support is based on CxQL queries only.
JavaScript
In this engine pack, the JavaScript support has been improved, by adding a new framework and updating an existing one.
Brand new support for RequireJS was added.
The Node.js support was updated.
Presets
The following presets were added:
Top Tier
The new preset is built from the top-performing queries and is designed to be "noise-free", offering the highest level of accuracy and reliability when scanning code for vulnerabilities and security risks.
ASA Premium
The ASA Premium preset contains the subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of a Checkmarx AppSec program.
ASA Mobile Premium
The ASA Mobile Premium preset contains the subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of a Checkmarx AppSec program when scanning mobile applications.
Vulnerability Queries
This version includes new and updated vulnerability descriptions, queries, and preset-to-query assignments.
For details, see Vulnerability Queries for 9.5.3.
Supported Code Languages and Frameworks for EP 9.5.3
The following code languages can be scanned using CxSAST Engine Pack v9.5.3:
The table on the original page lists each environment with its primary languages, secondary languages, frameworks, and file extensions; the row contents were not preserved here. See the Supported Code Languages and Frameworks page referenced above for the full list.
Supported Code Languages and Frameworks (CxOSA)
CxOSA analyzes the open sources using the following methods:
Analyzes the open source third parties themselves, supported in the languages list below.
Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.
The following open source code analysis languages and package managers can be analyzed using v9.3.0:
Environment | File Extensions
---|---
Java | Jar files
.Net | DLL files
JavaScript | .js
TypeScript |
React |
NodeJS |
Angular |
WCF |
WPF |
F# |
C# | DLL files
Kotlin |
Python |
Groovy |
PHP |
Scala |

Package Managers | File Extensions
---|---
Gradle |
Maven |
NPM |
Yarn |
NuGet | nupkg files
Pip |
Composer |
SBT |
Bower |
Codebashing - Application Security Training Platform
For supported code for Codebashing, refer to the Codebashing documentation.