
Release Notes for Engine Pack 9.5.3

Caution

The Checkmarx certificate used for application code signing has been updated, since the previous one has expired.

This might result in error messages depending on the environment settings, but these errors can be safely ignored.

Installation Notes

Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The Engine Pack Delivery Model for Checkmarx SAST.

CxSAST Engine Pack Enhancements

Engine Pack 9.5.3 contains the following engine deliverables and enhancements:

Core

Checkmarx Certificate Update

Since the previous Checkmarx certificate used for application code signing has expired, the Checkmarx certificate has been updated. The updated certificate might cause error messages, depending on the environment settings.

New Flow

Starting with this release, only the new flow is available. The old flow is completely disabled and blocked: all parameters related to the old flow have been removed from the database configuration tables and the user interface, so that users cannot configure it.

After several development iterations of the new flow process over the past releases, the difference in scan results between the new flow and the old flow is now minimal. For customers that did not use the New Flow previously, there may be differences between the previous results and the current results. For customers that already used the New Flow, there will usually be no difference between the previous results and the current results, except in rare cases where the results may differ slightly.

The following configuration parameters have been removed:

  • USE_LAZY_FLOW

  • MATCH_THIS_MEMBERS_BY_NAME

  • MAX_EDGES_IN_MINI_FLOW

  • FLOW_END_GROUPS_RADIUS

  • MAX_DFG_DEPTH

  • DFG_CREATION_PER_BULK_TIMEOUT_FACTOR

  • DFG_CREATION_PER_BULK_TIMEOUT_SECONDS

  • FLOW_CACHE_CLEAR_FREQUENCY

  • LOAD_CDG_GRAPHS

  • LOAD_CFG_GRAPHS

  • LOAD_DFG_GRAPHS

  • COMPACT_FLOW

  • CFGTIMEOUT

  • DFGTIMEOUT

  • MAX_PARSE_DEPTH

  • MAX_METHODS_TO_PROCESS

  • MAX_CFG_SIZE

  • FLOW_CACHE_LEVEL

  • SHOW_MEMBERS_IN_PATH

  • SHRINK_PATH

Structured Logs

The Engine logs have been refactored as structured logs, so that they are compatible with Kibana and can be displayed in a dashboard view showing, for example, statistics for monitoring, errors and warnings for troubleshooting, and general information about the scans, such as the languages scanned. The information displayed depends on the user's queries.

Structured Logs is an independent service and is highly beneficial for hosted customers. For more details, see Viewing Structured Logs Using Kibana.

Languages and Frameworks

All supported code languages and framework versions can be found on the dedicated page.

The content includes the following:

  • Support for the Python language has been updated to version 3.10

  • Added support for AWS Lambda for Go

  • New queries added to Dart and Flutter support

  • Improvements in C/C++ language support

  • Several changes related to Go, including the following:

    • Improvements in the language support

    • Added new support for gin-gonic framework

    • Added new support for gorilla/mux library

  • Changes related to JavaScript include the following:

    • New support for RequireJS

    • Updated support for Node.js

  • The following new presets were added:

    • Top Tier

    • ASA (AppSec Accelerator) Premium

    • ASA Mobile Premium

Python

Python language support has been improved to support version 3.10, including the following features relevant to the SAST engine:

  • Allow writing union types as X | Y (PEP 604)

  • Parameter Specification Variables (PEP 612)

  • Explicit Type Aliases (PEP 613)

  • Structural Pattern Matching (PEP 636)

AWS Lambdas - Go

In 9.5.3 we are adding new support for AWS Lambdas for Go.

Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.

DynamoDB and S3 library services are supported through the AWS SDK for Go.

The following set of queries has been created under a group called Go_AWS_Lambda:

  • AWS_Credentials_Leak (High severity)

  • Hardcoded_AWS_Credentials (Low severity)

  • User_Based_SDK_Configurations (Low severity)

  • Race_Condition_Global_Scope (Low severity)

  • Related to DynamoDB

    • DynamoDB_NoSQL_Injection (High severity)

  • Related to S3 Bucket

    • Permission_Manipulation_In_S3 (Medium severity)

    • Use_of_Hardcoded_Cryptographic_Key_On_Server (Medium severity)

    • Unrestricted_Read_S3 (Low severity)

    • Unrestricted_Write_S3 (Low severity)

The list of all queries can be found at Vulnerability Queries for 9.5.3.

Dart and Flutter (Beta)

The Dart and Flutter support has been improved with the addition of new queries.

The following queries are available as part of this version:

  • Dart_High_Risk

    • Sensitive_Information_Through_URL_Scheme

  • Dart_Mobile_Medium_Threat

    • Path_Traversal

  • Dart_Mobile_Low_Visibility

    • Autocorrection_Keystroke_Logging

    • Improper_Resource_Shutdown_or_Release

    • Missing_Device_Lock_Verification

The list of all queries can be found at Vulnerability Queries for 9.5.3.

C/C++

The C/C++ language support has been improved.

Go

Go language support has been improved with the following features:

  • generics support

  • scope of type parameters in method declaration

Besides the improvements in the language support, the initiative started in the previous engine pack continued, with additional improvements made with the creation of new and editing of existing queries.

The list of all queries can be found at Vulnerability Queries for 9.5.3.

gin-gonic/gin (TechPreview)

In 9.5.3, brand new support for the gin-gonic/gin framework has been added as a Tech Preview.

No engine changes were needed, since the support is based on CxQL queries only.

gorilla-mux

In this engine pack, brand new support for the gorilla/mux library has been added.

No engine changes were needed, since the support is based on CxQL queries only.

JavaScript

In this engine pack, the JavaScript support has been improved, by adding a new framework and updating an existing one.

  • Brand new support for RequireJS was added.

  • The Node.js support was updated.

Presets

The following presets were added:

  • Top Tier

    The new preset is based on the top queries and is designed to be “noise-free” with the highest level of accuracy and reliability when scanning code for vulnerabilities and security risks.

  • ASA Premium

    The ASA Premium preset contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.

  • ASA Mobile Premium

    The ASA Mobile Premium preset contains a subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program when scanning mobile applications.

Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and preset query assignments for this version.

For details, see Vulnerability Queries for 9.5.3.

Supported Code Languages and Frameworks for EP 9.5.3

The following code languages can be scanned using CxSAST Engine Pack v9.5.3:

Each environment is listed with its primary languages, secondary languages, frameworks, and file extensions.

Java

  • Primary languages: Java, J2SE, J2EE, JSP

  • Secondary languages: JavaScript, VBScript, PL\SQL, HTML5

  • Frameworks: ATG DSP Taglib, GWT, Hibernate, Google Guice, Java Server Faces (JSF), JSP, JSTL FMT Taglib, OWASP ESAPI, MyBatis, PrimeFaces, Spring Boot, Spring MVC, Spring, Struts, Velocity

  • File extensions: .java, .jsp, .jspf, .jsf, .tag, .tld, .mf, .xhtml, .vm, .gradle, .properties, .xml

.NET

  • Primary languages: C#, VB.NET, ASP.NET

  • Secondary languages: JavaScript, VBScript, PL\SQL, HTML5

  • Frameworks: ASP.NET Core, ASP.Net Core Razor, ASP.Net MVC framework, Enterprise Libraries, ComponentArt, Entity framework, Hibernate.Net, Infragistics, iBatis, Telerik

  • File extensions: .cs, .cshtml, .xaml, .vb, .config, .aspx, .ascx, .asax, .tag, .master, .xml

ASP

  • Primary languages: ASP

  • Secondary languages: JavaScript [**], VBScript, PL\SQL, HTML5

  • Frameworks: ASP.Net MVC Framework

  • File extensions: .asp, .inc

VB6

  • Primary languages: VB6

  • File extensions: .bas, .vbp, .frm, .cls, .dsr, .ctl

C/C++

  • Primary languages: C/C++

  • Frameworks: C MISRA, C++ MISRA, Informix ESQL/C, MySQL

  • File extensions: .cpp, .c, .cc, .c++, .cxx, .hpp, .hh, .h++, .hxx, .h, .ec, .cmake, .pro, .ac, .am, .txt (related to CMakeLists)

PHP

  • Primary languages: PHP

  • Secondary languages: JavaScript

  • Frameworks: bWapp, CakePHP, OWASP ESAPI, Kohana, Symfony, Smarty, Zend

  • File extensions: .php, .php3, .php4, .php5, .phtm, .phtml, .tpl, .ctp, .twig, .inc, .cgi

Apex

  • Primary languages: Apex

  • Frameworks: VisualForce, Lightning (Aura), Lightning Web Components

  • File extensions: .apex, .apexp, .apxc, .page, .component, .cls, .trigger, .tgr, .object, .report, .workflow, .-meta.xml, .xml

Ruby

  • Primary languages: Ruby

  • Frameworks: Ruby on Rails

  • File extensions: .rb, .rhtml, .rxml, .rjs, .erb, .cgi, .lock

JavaScript

  • Primary languages: JavaScript, Typescript

  • Frameworks: Ajax, Angular, AngularJS, Backbone, Cordova / PhoneGap, Handlebars, Hapi.JS, JQuery, Knockout, Kony Visualizer, Node.js (Buffer, CryptoJS, ExpressJS, File System (Fs), Hapi, Mongodb, OracleDB, Sequelize), Pug (Jade), React Native, ReactJS, SAPUI5, VueJS, XS (SAP), RequireJS

  • File extensions: .js, .jsx, .htm, .html, .json, .ts, .tsx, .aspx, .ascx, .xsjs, .xsjslib, .xsaccess, .xsapp, .app, .evt, .cmp, .hbs, .handlebars, .jade, .pug, .vue, .xml

VBScript

  • Primary languages: VBScript

  • File extensions: .vbs, .aspx, .ascx, .asp, .cshtml, .html, .htm, .master

Perl

  • Primary languages: Perl

  • File extensions: .pl, .pm, .plx, .psgi, .cgi

Android (Java)

  • Primary languages: Android (Java)

  • Frameworks: Volley

  • File extensions: .java, .kt

Objective C and Swift

  • Primary languages: Objective C, Swift

  • File extensions: .m, .h, .swift, .xib, .plist

HTML 5

  • Primary languages: HTML 5

  • File extensions: .html, .htm

PL/SQL

  • Primary languages: PL/SQL

  • File extensions: .pls, .sql, .pkh, .pks, .pkb, .pck

Python

  • Primary languages: Python

  • Secondary languages: JavaScript, VB script, PL\SQL

  • Frameworks: Django, Flask, Jinja and DTL, Pandas library

  • File extensions: .py, .gtl, .csv, .latex, .tex, .html, .xml, .txt

Groovy

  • Primary languages: Groovy

  • Secondary languages: JavaScript, VB script, PL\SQL

  • File extensions: .groovy, .gsh, .gvy, .gy, .gsp, .gradle

Scala

  • Primary languages: Scala

  • Frameworks: Akka, Finagle, Finatra

  • File extensions: .scala, .conf

Go

  • Primary languages: GO Language

  • Frameworks: Protobuf, gin-gonic/gin, gorilla-mux

  • File extensions: .go, .mod

Kotlin

  • Primary languages: Kotlin

  • Frameworks: Ktor (Server Side), Vert.x (Server Side), Spring

  • File extensions: .kt, .kts, .mustache, .ftl, .xml

Cobol

  • Primary languages: Cobol

  • File extensions: .cbl, .cob, .eco, .pco, .sqb, .cpy

RPG

  • Primary languages: RPG

  • File extensions: .rpg, .rpg38, .sqlrpg, .rpgle, .sqlrpgle

Dart

  • Primary languages: Dart

  • Frameworks: Flutter

  • File extensions: .dart

Supported Code Languages and Frameworks (CxOSA)

CxOSA analyzes open source components using the following methods:

  • Analyzes the open source third-party components themselves, for the languages listed below.

  • Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.

The following open source code analysis languages and package managers can be analyzed using v9.3.0:

Languages (with the file extensions analyzed, where applicable):

  • Java: Jar files

  • .Net: DLL files

  • JavaScript: .js

  • TypeScript

  • React

  • NodeJS

  • Angular

  • WCF

  • WPF

  • F#

  • C#: DLL files

  • Kotlin

  • Python

  • Groovy

  • PHP

  • Scala

Package Managers (with the file extensions analyzed, where applicable):

  • Gradle

  • Maven

  • NPM

  • Yarn

  • NuGet: nupkg files

  • Pip

  • Composer

  • SBT

  • Bower

Codebashing - Application Security Training Platform

For supported code for Codebashing, refer to the Codebashing documentation.