
Release Notes for Engine Pack 9.5.4

Caution

The Checkmarx certificate used for application code signing has been updated since the previous one has expired.

This might result in error messages depending on the environment settings, but these errors can be safely ignored.

Installation Notes

Caution

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The Engine Pack Delivery Model for Checkmarx SAST.

CxSAST Engine Pack Enhancements

Engine Pack 9.5.4 contains the following engine deliverables and enhancements:

Languages and Frameworks

The versions of all supported code languages and frameworks are listed on the dedicated page.

The content includes the following:

  • Support for Python language has been updated to version 3.11.

  • Support for C# updated to version 11 (Technical Preview).

  • C# queries improved for better accuracy and False Positive results reduction.

  • Dart & Flutter support is now generally available (GA).

  • Support for Java language updated to version 18.

  • JavaScript: ReactJS and ExpressJS support updated to the latest versions.

  • Added the ability to identify T-SQL content when scanning PL/SQL and prevent parsing it as PL/SQL.

  • Added support for AWS Lambdas for Java.

  • The Top Tier preset, added in the previous engine pack, was improved to include COBOL and Dart queries.

CSharp (Tech Preview)

C# support was updated to the latest version, 11, and is included as part of the Technical Preview.

Notice

Technical Preview provides early access to upcoming product features so you can test their functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use. As Checkmarx considers making future iterations of Technical Preview features generally available, we will attempt to resolve any issues that customers experience when using these features.

Accuracy Improvements

A set of high-severity C# queries has been reviewed to improve result accuracy and reduce noise by decreasing false positive results. C# accuracy will continue to be improved in upcoming versions.

Dart and Flutter (GA)

The Dart and Flutter support has been improved by adding new queries.

The following queries are available as part of this version:

  • Dart_High_Risk

    • Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage

  • Dart_Mobile_Medium_Threat

    • Broken_or_Risky_Encryption_Algorithm

    • Broken_or_Risky_Hashing_Function

    • Encoding_Used_Instead_of_Encryption

    • Insecure_Asymmetric_Cryptographic_Algorithm_Parameters

    • Insufficiently_Secure_Password_Storage_Algorithm_Parameters

    • Third_Party_Keyboards_On_Sensitive_Field

    • Unencrypted_Sensitive_Information_in_External_Storage

    • Use_of_Cryptographically_Weak_PRNG

    • Use_of_Hardcoded_Cryptographic_IV

    • Use_of_Hardcoded_Cryptographic_Key_in_Client

    • Use_of_Hardcoded_Salt

  • Dart_Mobile_Low_Visibility

    • App_Transport_Security_Disabled

    • Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage

    • Implicit_Intent_With_Read_Write_Permissions

    • Insecure_HTTP_Connections_Enabled

    • Missing_Certificate_Pinning

    • No_Installer_Verification_Implemented

    • Secret_Stored_Outside_of_Keychain

    • Unencrypted_Sensitive_Information_in_Internal_Storage

    • Unencrypted_Sensitive_Information_in_Temporary_File

    • Use_Of_Implicit_Intent_For_Sensitive_Communication

    • Use_of_Non_Cryptographic_Random

    • User_Information_in_Publicly_Accessible_Storage

  • Dart_Mobile_Best_Coding_Practice

    • Encrypted_Sensitive_Information_in_External_Storage

    • Unused_Permission

    • Using_Deprecated_Methods

    • WebView_Cache_Information_Leak

Java

Java language support has been updated to support version 18.

JavaScript

In this engine pack, the JavaScript support has been improved by updating existing frameworks.

  • In 9.5.4, the ReactJS support was updated to version 18.

  • The ExpressJS support was updated to version 4.18.1.

PL/SQL

The PL/SQL support has been improved to introduce the ability to identify T-SQL content when scanning PL/SQL and prevent parsing it as PL/SQL.

Python

Python language support has been improved to support version 3.11, including the features relevant to the SAST engine.

AWS Lambdas - Java

In 9.5.4 we are adding new support for AWS Lambdas for Java.

No other engine stages needed changes: the support is implemented entirely in CxQL queries.

DynamoDB and S3 are covered through support for the AWS SDK for Java.

A new set of queries has been created under a group called Java_AWS_Lambda (severity in parentheses):

  • AWS_Credentials_Leak (High)

  • Hardcoded_AWS_Credentials (Low)

  • User_Based_SDK_Configurations (Low)

  • Race_Condition_Global_Scope (Low)

  • Related to DynamoDB

    • DynamoDB_NoSQL_Injection (High)

  • Related to S3 Bucket

    • Permission_Manipulation_In_S3 (Medium)

    • Use_of_Hardcoded_Cryptographic_Key_On_Server (Medium)

    • Unrestricted_Read_S3 (Low)

    • Unrestricted_Write_S3 (Low)

    • Unrestricted_Delete_S3 (Low)
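As an added illustration (not Checkmarx code and not the CxQL queries themselves), the Java Lambda handler below shows two of the patterns the Java_AWS_Lambda group targets beside their safer forms: AWS credentials hardcoded in the function and request data concatenated into a DynamoDB filter expression. The table name, attribute names, event shape and credential strings are assumptions.

```java
// Added example, not Checkmarx code; table, attributes, event shape and credential strings are placeholders.
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
import software.amazon.awssdk.services.dynamodb.model.ScanRequest;
import java.util.Map;
import java.util.Set;

public class OrderLookupHandler implements RequestHandler<Map<String, String>, Integer> {
    // Hardcoded_AWS_Credentials: long-lived keys compiled into the artifact
    // (kept here only to show what the query reports).
    private static final DynamoDbClient FLAGGED_CLIENT = DynamoDbClient.builder()
            .region(Region.US_EAST_1)
            .credentialsProvider(StaticCredentialsProvider.create(
                    AwsBasicCredentials.create("<ACCESS-KEY-PLACEHOLDER>", "<SECRET-PLACEHOLDER>")))
            .build();
    // Safer: no credentials in code; the default provider chain resolves the
    // function's execution role from the Lambda environment.
    private static final DynamoDbClient CLIENT = DynamoDbClient.builder()
            .region(Region.US_EAST_1)
            .build();
    // Allow-list of attributes a caller may filter on.
    private static final Set<String> FILTERABLE = Set.of("status", "region");

    @Override
    public Integer handleRequest(Map<String, String> event, Context context) {
        String field = event.get("field");  // untrusted request data
        String value = event.get("value");
        // DynamoDB_NoSQL_Injection: building the expression from request data,
        // e.g. filterExpression(field + " = :v"), lets the caller pick any
        // attribute or append further conditions. Allow-list it instead.
        if (!FILTERABLE.contains(field)) {
            throw new IllegalArgumentException("unsupported filter field");
        }
        // Safer: fixed expression template; name and value travel as placeholders,
        // so request data never becomes expression syntax.
        ScanRequest request = ScanRequest.builder()
                .tableName("orders")
                .filterExpression("#f = :v")
                .expressionAttributeNames(Map.of("#f", field))
                .expressionAttributeValues(Map.of(":v", AttributeValue.builder().s(value).build()))
                .build();
        return CLIENT.scan(request).count();
    }
}
```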

Presets

Top Tier

The Top Tier preset, added in the previous engine pack, was improved to include COBOL and Dart queries.

Vulnerability Queries

This version includes new and updated vulnerability descriptions, queries, and preset query assignments.

For details, see Vulnerability Queries for 9.5.4.

Supported Code Languages and Frameworks for EP 9.5.4

The following code languages can be scanned using CxSAST Engine Pack v9.5.4:

Each environment below lists its languages and frameworks followed by the file extensions the engine picks up (the original table splits languages into Primary and Secondary columns; they are listed together here).

Java

  • Languages and frameworks: Java, J2SE, J2EE, JSP, JavaScript, VBScript, PL\SQL, HTML5, ATG DSP Taglib, GWT, Hibernate, Google Guice, Java Server Faces (JSF), JSTL FMT Taglib, OWASP ESAPI, MyBatis, PrimeFaces, Spring Boot, Spring MVC, Spring, Struts, Velocity

  • File extensions: .java, .jsp, .jspf, .jsf, .tag, .tld, .mf, .xhtml, .vm, .gradle, .properties, .xml

C#

  • Languages and frameworks: C#, VB.NET, ASP.NET, JavaScript, VBScript, PL\SQL, HTML5, ASP.NET Core, ASP.Net Core Razor, ASP.Net MVC framework, Enterprise Libraries, ComponentArt, Entity framework, Hibernate.Net, Infragistics, iBatis, Telerik

  • File extensions: .cs, .cshtml, .xaml, .vb, .config, .aspx, .ascx, .asax, .tag, .master, .xml

ASP

  • Languages and frameworks: ASP, JavaScript [**], VBScript, PL\SQL, HTML5, ASP.Net MVC Framework

  • File extensions: .asp, .inc

VB6

  • File extensions: .bas, .vbp, .frm, .cls, .dsr, .ctl

C/C++

  • Languages and frameworks: C/C++, C MISRA, C++ MISRA, Informix ESQL/C, MySQL

  • File extensions: .cpp, .c, .cc, .c++, .cxx, .hpp, .hh, .h++, .hxx, .h, .ec, .cmake, .pro, .ac, .am, .txt (related to CMakeLists)

PHP

  • Languages and frameworks: PHP, JavaScript, bWapp, CakePHP, OWASP ESAPI, Kohana, Symfony, Smarty, Zend

  • File extensions: .php, .php3, .php4, .php5, .phtm, .phtml, .tpl, .ctp, .twig, .inc, .cgi

Apex

  • Languages and frameworks: Apex, VisualForce, Lightning (Aura), Lightning Web Components

  • File extensions: .apex, .apexp, .apxc, .page, .component, .cls, .trigger, .tgr, .object, .report, .workflow, .-meta.xml, .xml

Ruby

  • Languages and frameworks: Ruby, Ruby on Rails

  • File extensions: .rb, .rhtml, .rxml, .rjs, .erb, .cgi, .lock

JavaScript

  • Languages and frameworks: JavaScript, Typescript, Ajax, Angular, AngularJS, Backbone, Cordova / PhoneGap, Handlebars, Hapi.JS, JQuery, Knockout, Kony Visualizer, Node.js (Buffer, CryptoJS, ExpressJS, File System (Fs), Hapi, Mongodb, OracleDB, Sequelize), Pug (Jade), React Native, ReactJS, SAPUI5, VueJS, XS (SAP), RequireJS

  • File extensions: .js, .jsx, .htm, .html, .json, .ts, .tsx, .aspx, .ascx, .xsjs, .xsjslib, .xsaccess, .xsapp, .app, .evt, .cmp, .hbs, .handlebars, .jade, .pug, .vue, .xml

VBScript

  • File extensions: .vbs, .aspx, .ascx, .asp, .cshtml, .html, .htm, .master

Perl

  • File extensions: .pl, .pm, .plx, .psgi, .cgi

Android (Java)

  • Languages and frameworks: Android (Java), Volley

  • File extensions: .java, .kt

Objective C / Swift

  • Languages and frameworks: Objective C, Swift

  • File extensions: .m, .h, .swift, .xib, .plist

HTML 5

  • File extensions: .html, .htm

PL/SQL

  • File extensions: .pls, .sql, .pkh, .pks, .pkb, .pck

Python

  • Languages and frameworks: Python, JavaScript, VB script, PL\SQL, Django, Flask, Jinja and DTL, Pandas library

  • File extensions: .py, .gtl, .csv, .latex, .tex, .html, .xml, .txt

Groovy

  • Languages and frameworks: Groovy, JavaScript, VB script, PL\SQL

  • File extensions: .groovy, .gsh, .gvy, .gy, .gsp, .gradle

Scala

  • Languages and frameworks: Scala, Akka, Finagle, Finatra

  • File extensions: .scala, .conf

GO Language

  • Languages and frameworks: GO Language, Protobuf, gin-gonic/gin, gorilla-mux

  • File extensions: .go, .mod

Kotlin

  • Languages and frameworks: Kotlin, Ktor (Server Side), Vert.x (Server Side), Spring

  • File extensions: .kt, .kts, .mustache, .ftl, .xml

Cobol

  • File extensions: .cbl, .cob, .eco, .pco, .sqb, .cpy

RPG

  • File extensions: .rpg, .rpg38, .sqlrpg, .rpgle, .sqlrpgle

Dart

  • Languages and frameworks: Dart, Flutter

  • File extensions: .dart

Supported Code Languages and Frameworks (CxOSA)

CxOSA analyzes open source components using the following methods:

  • Analyzes the open source third-party components themselves, in the languages listed below.

  • Analyzes the projects' manifest files by resolving their dependencies against customer-defined repositories.

The following open source code analysis languages and package managers can be analyzed using v9.5.0:

Environments (with file extensions where the original table lists them):

  • Java: Jar files

  • .Net: DLL files

  • JavaScript: .js

  • TypeScript

  • React

  • NodeJS

  • Angular

  • WCF

  • WPF

  • F#

  • C#: DLL files

  • Kotlin

  • Python

  • Groovy

  • PHP

  • Scala

Package managers (with file extensions where the original table lists them):

  • Gradle

  • Maven

  • NPM

  • Yarn

  • NuGet: nupkg files

  • Pip

  • Composer

  • SBT

  • Bower

Codebashing - Application Security Training Platform

For supported code for Codebashing, refer to the Codebashing documentation.