Release Notes for Engine Pack 9.5.3

Caution

The Checkmarx certificate used for application code signing has been updated, since the previous one has expired.

This might result in error messages depending on the environment settings, but these errors can be safely ignored.

Installation Notes

Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The Engine Pack Delivery Model for Checkmarx SAST.

CxSAST Engine Pack Enhancements

Engine Pack 9.5.3 contains the following engine deliverables and enhancements:

Core

Checkmarx Certificate Update

Since the previous Checkmarx certificate used for application code signing has expired, the Checkmarx certificate has been updated. The updated certificate might cause error messages, depending on the environment settings.

New Flow

Starting with this release only the new flow will be available. The old flow is completely disabled and blocked, with all parameters related to the old flow removed from the database configuration tables and user interface, so that users cannot configure it.

After several development iterations of the new flow process over the past several releases, the difference in scan results between the new flow and the old flow is currently minimal. For customers that did not use the New Flow previously, there can be differences between the previous results and the current results. For customer that already used the New Flow previously, there will usually be no differences between the previous results and the current results, except in rare case where there might be a slight difference in the results.

The following configuration parameters have been removed:

USE_LAZY_FLOW
MATCH_THIS_MEMBERS_BY_NAME
MAX_EDGES_IN_MINI_FLOW
FLOW_END_GROUPS_RADIUS
MAX_DFG_DEPTH
DFG_CREATION_PER_BULK_TIMEOUT_FACTOR
DFG_CREATION_PER_BULK_TIMEOUT_SECONDS
FLOW_CACHE_CLEAR_FREQUENCY
LOAD_CDG_GRAPHS
LOAD_CFG_GRAPHS
LOAD_DFG_GRAPHS
COMPACT_FLOW
CFGTIMEOUT
DFGTIMEOUT
MAX_PARSE_DEPTH
MAX_METHODS_TO_PROCESS
MAX_CFG_SIZE
FLOW_CACHE_LEVEL
SHOW_MEMBERS_IN_PATH
SHRINK_PATH

Structured Logs

The Engine logs have been refactored as Structured Logs, so that they are compatible with Kibana and can be displayed in a dashboard view with information, such as statistics for monitoring, errors and warnings for troubleshooting, and general information about the scans, such as languages. The information that will be displayed depends on the user queries.

Structured Logs is an independent service and is highly beneficial for hosted customers. For more details, see Viewing Structured Logs Using Kibana.

Languages and Frameworks

All supported code Languages & Frameworks versions can be found on the dedicated page.

The content includes the following:

Support for Python language has been updated to version 3.10
Added support for AWS Lambda for Go
New queries added to Dart and Flutter support
Improvements in C/C++ language support
Several changes related to Go, including the following:
- Improvements in the language support
- Added new support for gin-gonic framework
- Added new support for gorilla/mux library
Changes related to JavaScript include the following:
- New support for RequireJS
- Updated support for Node.js
The following new presets were added:
- Top Tier
- ASA (AppSec Accelerator) Premium
- ASA Mobile Premium

Python

Python language support has been improved to support version 3.10, including the relevant features for the SAST engine support:

Allow writing union types as X | Y (PEP 604)
Parameter Specification Variables (PEP 612)
Explicit Type Aliases (PEP 613)
Structural Pattern Matching (PEP 636)

AWS Lambdas - Go

In 9.5.3 we are adding new support for AWS Lambdas for Go.

Since the added support is based on CxQL queries only, there were no changes to the engine capabilities.

DynamoDB and S3 library services are supported through the AWS SDK for Go.

The following set of queries has been created under a group called Go_AWS_Lambda:

AWS_Credentials_Leak
Hardcoded_AWS_Credentials
User_Based_SDK_Configurations
Race_Condition_Global_Scope
Related to DynamoDB
- DynamoDB_NoSQL_Injection
Related to S3 Bucket
- Permission_Manipulation_In_S3
- Use_of_Hardcoded_Cryptographic_Key_On_Server
- Unrestricted_Read_S3
- Unrestricted_Write_S3

The list of all queries can be found at Vulnerability Queries for 9.5.3.

Dart and Flutter (Beta)

The Dart and Flutter support has been improved with the addition of new queries.

The following queries are available as part of this version:

Dart_High_Risk
- Sensitive_Information_Through_URL_Scheme
Dart_Mobile_Medium_Threat
- Path_Traversal
Dart_Mobile_Low_Visibility
- Autocorrection_Keystroke_Logging
- Improper_Resource_Shutdown_or_Release
- Missing_Device_Lock_Verification

The list of all queries can be found at Vulnerability Queries for 9.5.3.

C/C++

The C/C++ language support has been improved.

Go

Go language support has been improved with the following features:

generics support
scope of type parameters in method declaration

Besides the improvements in the language support, the initiative started in the previous engine pack continued, with additional improvements made with the creation of new and editing of existing queries.

The list of all queries can be found at Vulnerability Queries for 9.5.3.

gin-gonic/gin (TechPreview)

In 9.5.3, brand new support for the gin-gonic/gin framework has been added, as TechPreview.

There was no need to improve the engine, the given support is based on CxQL queries only.

gorilla-mux

In this engine pack, brand new support for the gorilla/mux library has been added.

There was no need to improve the engine, the given support is based on CxQL queries only.

JavaScript

In this engine pack, the JavaScript support has been improved, by adding a new framework and updating an existing one.

Brand new support for RequireJS was added.
The Node.js support was updated.

Presets

The following presets were added:

Top Tier
The new preset is based on the top queries and is designed to be “noise-free” with the highest level of accuracy and reliability when scanning code for vulnerabilities and security risks.
ASA Premium
The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program.
ASA Mobile Premium
The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program when scanning mobile applications.

Vulnerability Queries

There are new and updated vulnerability descriptions, queries, and queries according to presets for this version.

For details, see Vulnerability Queries for 9.5.3.

Supported Code Languages and Frameworks for EP 9.5.3

The following code languages can be scanned using CxSAST Engine Pack v9.5.3:

Environment

Primary Languages

Secondary Languages

Frameworks

File extensions

Java
J2SE
J2EE

JSP
JavaScript
VBScript
PL\SQL
HTML5

ATG DSP Taglib
GWT
Hibernate
Google Guice
Java Server Faces (JSF)
JSP
JSTL FMT Taglib
OWASP ESAPI
MyBatis
PrimeFaces
Sprint Boot
Spring MVC
Spring
Struts
Velocity

.java
.jsp
.jspf
.jsf
.tag
.tld
.mf
.xhtml
.vm
.gradle
.properties
.xml

C#
VB.NET

ASP.NET
JavaScript
VBScript
PL\SQL
HTML5

ASP.NET Core
ASP.Net Core Razor
ASP.Net MVC framework
Enterprise Libraries
ComponentArt
Entity framework
Hibernate.Net
Infragistics
iBatis
Telerik

.cs
.cshtml
.xaml
.vb
.config
.aspx
.ascx
.asax
.tag
.master
.xml

JavaScript [**]
VBScript
PL\SQL
HTML5

ASP.Net MVC Framework

.asp
.inc

.bas
.vbp
.frm
.cls
.dsr
.ctl

C/C++

C MISRA
C++ MISRA
Informix ESQL/C
MySQL

.cpp
.c
.cc
.c++
.cxx
.hpp
.hh
.h++
.hxx
.h
.ec
.cmake
.pro
.ac
.am
.txt (related to CmakeLists)

JavaScript

bWapp
CakePHP
OWASP ESAPI
Kohana
Symfony
Smarty
Zend

.php
.php3
.php4
.php5
.phtm
.phtml
.tpl
.ctp
.twig
.inc
.cgi

Apex

VisualForce
Lightning (Aura)
Lightning Web Components

.apex
.apexp
.apxc
.page
.component
.cls
.trigger
.tgr
.object
.report
.workflow
.-meta.xml
.xml

Ruby

Ruby on Rails

.rb
.rhtml
.rxml
.rjs
.erb
.cgi
.lock

JavaScript
Typescript

Ajax
Angular
AngularJS
Backbone
Cordova / PhoneGap
Handlebars
Hapi.JS
JQuery
Knockout
Kony Visualizer
Node.js
- Buffer
- CryptoJS
- ExpressJS
- File System (Fs)
- Hapi
- Mongodb
- OracleDB
- Sequelize
Pug (Jade)
React Native
ReactJS
SAPUI5
VueJS
XS (SAP)
RequireJS

.js
.jsx
.htm
.html
.json
.ts
.tsx
.aspx
.ascx
.xsjs
.xsjslib
.xsaccess
.xsapp
.app
.evt
.cmp
.hbs
.handlebars
.jade
.pug
.vue
.xml

VBScript

.vbs
.aspx
.ascx
.asp
.cshtml
.html
.htm
.master

Perl

.pl
.pm
.plx
.psgi
.cgi

Android (Java)

Volley

.java
.kt

Objective C
Swift

.m
.h
.swift
.xib
.plist

HTML 5

.html
.htm

PL/SQL

.pls
.sql
.pkh
.pks
.pkb
.pck

Python

JavaScript
VB script
PL\SQL

Django
Flask
Jinja and DTL
Pandas library

.py
.gtl
.csv
.latex
.tex
.html
.xml
.txt

Groovy

JavaScript
VB script
PL\SQL

.groovy
.gsh
.gvy
.gy
.gsp
.gradle

Scala

Akka
Finagle
Finatra

.scala
.conf

GO Language

Protobuf
gin-gonic/gin
gorilla-mux

.go
.mod

Kotlin

Ktor (Server Side)
Vert.x (Server Side)
Spring

.kt
.kts
,mustache
.ftl
.xml

Cobol

.cbl
.cob
.eco
.pco
.sqb
.cpy

.rpg
.rpg38
.sqlrpg
.rpgle
.sqlrpgle

Dart

Flutter

.dart

Supported Code Languages and Frameworks (CxOSA)

CxOSA analyzes the open sources using the following methods:

Analyzes the open source third parties themselves, supported in the languages list below.
Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.

The following open source code analysis languages and package managers can be analyzed using v9.3.0:

Environment

File Extensions

Environment

File Extensions