Engine Pack Version 9.6.1
CxSAST Engine
Languages & Frameworks
All supported code languages and framework versions are listed here: Engine Pack Supported Code Languages and Frameworks 9.6.1
Lua & OpenResty (GA)
Lua and OpenResty support has been improved with added queries and is now available as GA.
The following queries were introduced in this version:
High
Lua_High_Risk\Deserialization_of_Untrusted_Data
Medium
Lua_Medium_Threat\CSRF
Lua_Medium_Threat\Excessive_Data_Exposure
Lua_Medium_Threat\Hashing_Length_Extension_Attack
Lua_Medium_Threat\Secret_Leak
Lua_Medium_Threat\Secret_Leak_in_JWT
Low
Lua_Low_Visibility\Heap_Inspection
Lua_Low_Visibility\Log_Forging
Lua_Low_Visibility\Missing_Content_Security_Policy
Lua_Low_Visibility\Missing_HSTS_Header
Lua_Low_Visibility\PCI_Data_Exposure
Lua_Low_Visibility\PCI_Data_Exposure_in_Error_Messages
Lua_Low_Visibility\PCI_Data_Exposure_in_Files
Lua_Low_Visibility\PCI_Data_Exposure_in_JWT
Lua_Low_Visibility\PCI_Data_Exposure_in_Logs
Lua_Low_Visibility\PCI_Data_Exposure_in_URL
Lua_Low_Visibility\Permissive_Content_Security_Policy
Lua_Low_Visibility\Privacy_Violation_in_Error_Messages
Lua_Low_Visibility\Privacy_Violation_in_Files
Lua_Low_Visibility\Privacy_Violation_in_Logs
Lua_Low_Visibility\Privacy_Violation_in_URL
Lua_Low_Visibility\Secret_Leak_in_Error_Messages
Lua_Low_Visibility\Secret_Leak_in_Files
Lua_Low_Visibility\Secret_Leak_in_Logs
Lua_Low_Visibility\Secret_Leak_in_URL
Lua_Low_Visibility\Server_Information_Exposure
Lua_Low_Visibility\Server_Information_Exposure_via_Misconfiguration
Lua_Low_Visibility\Use_Of_Hardcoded_Password_In_Config
gin/gonic (GA)
Since engine pack 9.5.3, gin/gonic support is available as a Technical Preview.
In 9.6.1, the support is improved and is now available as GA.
The following queries are available in this version:
New
Go_Medium_Threat\Insecure_Value_of_the_SameSite_Cookie_Attribute_in_Code
Go_Medium_Threat\Trust_Proxy_On
Go_Medium_Threat\Unsafe_Object_Binding
Updated
Go_Medium_Threat\Cleartext_Transmission_Of_Sensitive_Information
Go_Medium_Threat\Reflected_Absolute_Path_Traversal
Go_Medium_Threat\Reflected_Relative_Path_Traversal
Go_Low_Visibility\Deprecated_API
Go_Low_Visibility\Open_Redirect
Go_Low_Visibility\Race_Condition_In_Cross_Functionality
C# Accuracy Improvements
A set of C# High-severity queries has been reviewed to improve the accuracy of the results and reduce noise by lowering the false-positive rate.
Dapper
Added support for the Dapper C# library.
Dart Queries Improvements
Dart language support is improved with added and updated queries.
New Queries
Dart_Mobile_Medium_Threat\Absolute_Path_Traversal
Dart_Mobile_Medium_Threat\Insecure_WebSocket_Connection
Updated Queries
Dart_Mobile_High_Risk\Unencrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage
Dart_Mobile_High_Risk\Unsafe_Reflection
Dart_Mobile_Medium_Threat\Improper_Certificate_Validation
Dart_Mobile_Medium_Threat\Information_Exposure_Through_Query_String
Dart_Mobile_Medium_Threat\Relative_Path_Traversal
Dart_Mobile_Medium_Threat\Third_Party_Keyboards_On_Sensitive_Field
Dart_Mobile_Low_Visibility\Encrypted_Sensitive_Information_in_Publicly_Accessible_Cloud_Storage
Dart_Mobile_Low_Visibility\Unencrypted_Sensitive_Information_in_Internal_Storage
Dart_Mobile_Low_Visibility\Unencrypted_Sensitive_Information_in_Temporary_File
Dart_Mobile_Low_Visibility\User_Information_in_Publicly_Accessible_Storage
Scala Queries Alignment
To align Java and Scala, both JVM languages, several queries were incorporated and updated within Scala support.
Users can now experience greater consistency and compatibility between the two languages when scanning. Two queries were updated:
Scala_Medium_Threat\Use_of_a_One_Way_Hash_with_a_Predictable_Salt
Scala_Medium_Threat\Use_of_a_One_Way_Hash_without_a_Salt
Compliance Improvements
PCI 4.0
Added support for the latest version of the PCI standard, including a new preset, PCI 4.0. A corresponding category, PCI DSS 4.0, has been added too.
Presets Removal
The presets Default and Default 2014 will be removed in version 9.6.2, according to the following rules:
If a preset is not related to any projects, it will be removed.
If a preset is related to a project, it won't be removed.
Removal of deprecated queries from Presets
Beginning in version 9.6.2, the following actions are planned:
Deprecated queries will be removed from the engine.
Queries from presets can be removed according to compliance standards updates.
All changes will be properly communicated in advance in the Engine Pack release notes.
Warning
When performing the initial cleaning action (9.6.2), we remove the old queries and presets that have been deprecated. This removal is permanent, and once the old queries and presets are deleted, there is no rollback option to restore them.
This means that after upgrading to the version where queries and presets have been removed, downgrading to the previous version will not add back the queries or presets that were previously available. The removal is irreversible.
However, starting from version 9.6.2 and onward, any deletion that can occur is reversible and can be rolled back with the previous engine pack.
To ensure a smooth transition between versions and maintain essential functionalities, it is recommended to thoroughly review release notes and documentation before upgrading to a version that involves removing queries or presets.
Actions to be executed in the upcoming version 9.6.2:
Deprecated queries are going to be removed from the presets, according to the following list:
(Query Id, Query Name)
Scanning unsupported files - New error code
Notice
In the upcoming version 9.6.3, the error code generated when attempting to scan unsupported files will be modified. The current error code, which is denoted as "-1," will be replaced by the new error code, "60."
To ensure a seamless transition and prevent potential errors, we strongly recommend that you:
Carefully review your existing pipelines and workflows.
Identify whether there are any configurations or dependencies relying on the current error code.
Make the necessary configuration changes before upgrading to version 9.6.3, so that the change in error code does not disrupt your processes.
Logging Changes
The Audit and Portal log format has changed to: Query Name | Message | Line | TimeStamp | Log Issuer
Examples:
JavaScript.Cx.General.AngularJS_Concatenate_With_Filters | The query AngularJS_Concatenate_With_Filters is deprecated | 2 | 01/08/2023 15:49:33,021 | JavaScript.Cx.General.AngularJS_Concatenate_With_Filters
CSharp.Cx.CSharp_High_Risk.JWT_No_Signature_Verification | Common - Find_Deserialization_Inputs_Language | 1 | 01/08/2023 15:49:36,022 | Common.Cx.General.Find_Deserialization_Inputs_Language
JavaScript.Cx.JavaScript_High_Risk.Client_Second_Order_Sql_Injection | The query Client_Second_Order_SQL_Injection is deprecated | 2 | 01/08/2023 15:49:36,045 | JavaScript.Cx.JavaScript_High_Risk.Client_Second_Order_Sql_Injection
JavaScript.Cx.Javascript_Kony.Kony_Unsecure_iOSBrowser_Configuration | The query Kony_Unsecure_iOSBrowser_Configuration is deprecated | 2 | 01/08/2023 15:49:36,298 | JavaScript.Cx.Javascript_Kony.Kony_Unsecure_iOSBrowser_Configuration
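Because the deprecation messages in these logs are the same queries that the 9.6.2 cleanup will remove permanently from presets, a team will want to pull them out of the Audit/Portal logs before upgrading. The parser below is an added example, not Checkmarx code: it splits lines on the five-field " | " format above, parses the timestamp (assuming dd/mm/yyyy with a comma before milliseconds, which is how the examples read), and collects every query the engine reports as deprecated. The four sample lines are the ones from the release note; the fifth, malformed line is constructed to show how bad input is rejected rather than silently dropped.

```python
"""Parse CxSAST Audit/Portal log lines in the 9.6.1 format
   Query Name | Message | Line | TimeStamp | Log Issuer
and report which queries the engine declares deprecated.
Added example; not part of the Engine Pack or its documentation."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FIELD_SEP = " | "
# Timestamp layout as it appears in the release-note examples.  The day/month
# order is an assumption (dd/mm/yyyy); the comma separates milliseconds.
TS_FORMAT = "%d/%m/%Y %H:%M:%S,%f"
# Message emitted for deprecated queries, e.g. "The query X is deprecated".
DEPRECATED_RE = re.compile(r"^The query (\S+) is deprecated$")


@dataclass(frozen=True)
class AuditLogEntry:
    query_name: str      # fully qualified query path (Query Name field)
    message: str
    line: int
    timestamp: datetime
    log_issuer: str

    @property
    def deprecated_query(self) -> Optional[str]:
        """Name of the query the message declares deprecated, or None."""
        m = DEPRECATED_RE.match(self.message)
        return m.group(1) if m else None


def parse_line(raw: str) -> AuditLogEntry:
    """Split one log line into its five fields; raise ValueError if malformed."""
    parts = [p.strip() for p in raw.strip().split(FIELD_SEP)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {raw!r}")
    query_name, message, line, ts, issuer = parts
    # int() and strptime() both raise ValueError on bad input, which the
    # caller treats as a rejected line.
    return AuditLogEntry(query_name, message, int(line),
                         datetime.strptime(ts, TS_FORMAT), issuer)


def parse_log(text: str) -> tuple[list[AuditLogEntry], list[str]]:
    """Parse every non-empty line; return (entries, rejected_raw_lines)."""
    entries: list[AuditLogEntry] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            entries.append(parse_line(raw))
        except ValueError:
            rejected.append(raw)
    return entries, rejected


def deprecated_queries(entries: list[AuditLogEntry]) -> dict[str, str]:
    """Map each deprecated query name (from the message) to its full query path."""
    found: dict[str, str] = {}
    for e in entries:
        name = e.deprecated_query
        if name:
            found[name] = e.query_name
    return found


# First four lines are the examples from the 9.6.1 release note; the last
# line is constructed (wrong field count) to exercise the rejection path.
SAMPLE_LOG = """\
JavaScript.Cx.General.AngularJS_Concatenate_With_Filters | The query AngularJS_Concatenate_With_Filters is deprecated | 2 | 01/08/2023 15:49:33,021 | JavaScript.Cx.General.AngularJS_Concatenate_With_Filters
CSharp.Cx.CSharp_High_Risk.JWT_No_Signature_Verification | Common - Find_Deserialization_Inputs_Language | 1 | 01/08/2023 15:49:36,022 | Common.Cx.General.Find_Deserialization_Inputs_Language
JavaScript.Cx.JavaScript_High_Risk.Client_Second_Order_Sql_Injection | The query Client_Second_Order_SQL_Injection is deprecated | 2 | 01/08/2023 15:49:36,045 | JavaScript.Cx.JavaScript_High_Risk.Client_Second_Order_Sql_Injection
JavaScript.Cx.Javascript_Kony.Kony_Unsecure_iOSBrowser_Configuration | The query Kony_Unsecure_iOSBrowser_Configuration is deprecated | 2 | 01/08/2023 15:49:36,298 | JavaScript.Cx.Javascript_Kony.Kony_Unsecure_iOSBrowser_Configuration
Constructed.Cx.Example.Truncated_Line | field count is wrong | 3
"""

if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    for name, path in sorted(deprecated_queries(entries).items()):
        print(f"deprecated: {name}  ({path})")
    for raw in rejected:
        print(f"rejected line: {raw}")
```

Run it against an exported Audit log to get the list of deprecated query names your presets still reference; anything in that list disappears with the 9.6.2 cleanup and cannot be restored by downgrading. Note that the name in the message and the Query Name path may differ in case (for example Client_Second_Order_SQL_Injection versus Client_Second_Order_Sql_Injection), so the mapping keeps both.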
Engine Pack Supported Code Languages and Frameworks 9.6.1
Table columns: Environment and Primary Languages | Secondary Languages | Framework | File extensions | Additional Information
[table body not recoverable; only the following cell notes survive]
Java can be configured as a unified language with Scala.
JavaScript
This is for Salesforce APEX only.
Scala can be configured as a unified language with Java.
Vulnerability Queries 9.6.1
All queries that are executed in version 9.6.1 are available for download: PDF, CSV
New and updated queries in version 9.6.1 are available for download: PDF, CSV
Queries associated with predefined query presets are available for download: PDF, CSV
Release Notes for Engine Pack (EP) 9.6.1 Patches
Version 9.6.1.1001 (22-10-2023)
Improved JSP support to prevent scans from becoming stuck when JSP files contain JavaScript code.