
Release Updates (v3.2.x)

The following release updates are available for this CxIAST version. Use the search tool to find a specific subject.

New Features and Changes

CxIAST version 3.2.1 includes the following new features and changes:

Category

Feature

Setup & Configuration

Version upgrade: Upgrading is supported from v3.0.0 and above. Otherwise, you must clean the DB and uninstall the existing version before installing v3.2.1.

Action Ability and Usability

  • Export scan to PDF - Create a PDF report of all the vulnerabilities detected per scan or aggregated scan.

  • Attach CWE to query result – The CWE ID is now attached to queries (when applicable) and presented in the query description and on scan export.

New Queries

  • XXE (Java, .NET) - XXE injection occurs when untrusted XML input containing a reference to an external entity is processed by a weakly configured XML parser.

  • Improper_HTTP_Get_Usage (.NET) - A GET request identified as changing data on the server. As a best practice, GET should never change data on the server.

  • Debug_Mode_Enabled (.NET) – When Debug Mode is enabled, custom error messages may expose sensitive information to untrusted parties.

Node.js

  • Node.js v10 support

  • Major performance improvements - Added a caching mechanism that reduces the JavaScript parsing and loading overhead caused by the instrumentation.

  • Accuracy and stability improvements

.NET

  • Accuracy and stability improvements

  • New queries (already exist for Java and Node.js):

    • Blind_SQL_Injection

    • CSRF

    • Failed_Login_Without_Audit

    • Trust_Boundary_Violation

    • File_Upload_To_Unprotected_Directory

    • Successful_Login_Without_Audit

    • Missing_X_Content_Type_Options_Header

    • Missing_X_XSS_Protection_Header

    • Click_Jacking

Java

Accuracy and stability improvements.

Known Limitations

Category

Limitation

.NET Agent

  • C# and ASP.NET only

  • Missing capabilities (compared to Java)

    • Query customization is performed manually (not from the UI)

    • Code Coverage

    • Agent auto upgrade is performed only on agent registration

Node.js Agent

  • Missing capabilities (compared to Java)

    • Code Coverage

    • Application tags

Java Agent

  • On upgrade, application restart is required.

  • Java 11 and higher are not supported.

  • Standalone applications are partially supported.

The release update is also available for download here.
