Engine Pack Version 9.6.3

CxSAST Engine

Languages & Frameworks

All supported code Languages & Frameworks versions are listed here: Engine Pack Supported Code Languages and Frameworks (9.6.3).

Rust

In 9.6.3, we are introducing support for the Rust language as a Technical Preview in the SAST engine, including the following features:

Control Structures: Loop ; While ; For ; If (statement).
Declarations: Functions ; Literals ( Boolean , Char , Number , String ); Variables and constants ; Enums ; Modules ; Paths / Packages ; Tuples ; Arrays ; Structs ; Collections ; Custom Attributes ; Generics ; Impl; Traits ; Type Alias ; Where clauses.
Expressions: Return ; Operators ; Member accesses ; Sprint interpolation ; If (expression) ; If let ; Match expressions ; Range; Lambda ; Pointers ; Imports.
Others: Block scopes ; Macros By Example.

Notice

To overcome licensing issues in CxAudit when scanning Rust, perform the following actions after installing 9.6.3:

Install 9.6 HF5
Obtain a new license that includes the Rust language.

Notice

Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during development. However, these features are not fully supported and might not be functionally complete.

As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues customers experience when using these features.

Fast Scan

To speed up SAST engine scans, a new scan mode is being introduced: Fast Scan.

Fast scan mode decreases the scanning time of projects, making it faster to identify relevant vulnerabilities and enable continuous deployments while ensuring that security standards are followed. This will help relevant personas like developers react much faster to what they need to tackle immediately. While the fast scan mode identifies the most significant and relevant vulnerabilities, the in-depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised also to use our in-depth scan mode. With the introduction of the new scanning mode in addition to the in-depth scan mode, the SAST engine addresses two distinct use cases:

Fast scanning for more relevant vulnerabilities.
Exhaustive and deep scanning for the most mission-critical sensitive projects and applications.

See the Fast Scan bullet here on how to configure this scan.

Presets

Base Preset

A new preset, the Base Preset, has been added to the SAST engine.

It boosts scanning efficiency, prioritizing the swift retrieval of results with pertinent and impactful vulnerabilities. The preset can be used as a starting point and customized to meet your requirements.

For further details, please see Base Preset .

STIG

The STIG preset and its corresponding category have been updated to support the version 5.3.

Scanning Unsupported Files - New Error Code

The error code previously designated as -1 for attempting to scan unsupported files has now been updated to a new code, 60.

Notice

To ensure a seamless transition and prevent potential errors, we strongly recommend to:

Carefully review your existing pipelines and workflows.
Identify whether there are any configurations or dependencies currently relying on the current error code.

Making the necessary configuration adjustments before upgrading to version 9.6.3 is essential. By making these changes, you'll be able to avoid any disruptions caused by the change in error code and ensure the continued smooth operation of your processes.

XML Files Pre-Processing in Java

Until now, when scanning Java, several XML files were translated into the Java DOM through pre-processing (such as AndroidManifest.xml, build.xml, structs-config.xml).

This caused the DOM to become excessively large, offering minimal benefits for less than 1% of queries. To overcome having a huge DOM, the pre-processing of XML has been removed and queries refactored with APIs for navigating through the XML files.

Notice

These changes have discontinued using DOM for XML files during Java scanning. Consequently, if there are customized queries relying on the DOM of these files, they must now be updated to utilize the XML API.

Engine Pack Supported Code Languages and Frameworks (9.6.3)

Environment and Primary Languages

Secondary Languages

Framework

File extensions

Additional Information

Java
J2SE
J2EE

JSP
JavaScript
VBScript
PL\SQL
HTML5

ATG DSP Taglib
GWT
Hibernate
Google Guice
Java Server Faces (JSF)
JSP
JSTL FMT Taglib
OWASP ESAPI
MyBatis
PrimeFaces
Spring Boot
Spring MVC
Spring
Struts
Velocity

.java
.jsp
.jspf
.jsf
.tag
.tld
.mf
.xhtml
.vm
.gradle
.properties
.jspdsbld
.wod
.xml
.yml
.yaml

Java can be configured as a unified language with Scala.

C#
VB.NET

ASP.NET
JavaScript
VBScript
PL\SQL
HTML5

ASP.NET Core
ASP.Net Core Razor
ASP.Net MVC framework
Enterprise Libraries
ComponentArt
Entity framework
Hibernate.Net
Infragistics
iBatis
Telerik
Dapper

.cs
.cshtml
.xaml
.vb
.config
.aspx
.ascx
.asax
.tag
.master
.xml

JavaScript [**]
VBScript
PL\SQL
HTML5

ASP.Net MVC framework

.asp
.inc

.bas
.vbp
.frm
.cls
.dsr
.ctl

C MISRA
C++ MISRA
Informix ESQL/C
MySQL

.cpp
.c
.cc
.c++
.cxx
.hpp
.hh
.h++
.hxx
.h
.ec
.cmake
.pro
.ac
.am
.txt (related to CmakeLists)
.ph

JavaScript

bWapp
CakePHP
OWASP ESAPI
Kohana
Symfony
Smarty
Zend

.php
.php3
.php4
.php5
.phtm
.phtml
.tpl
.ctp
.twig
.inc
.cgi
.env
.ini

Apex

VisualForce
Lightning (Aura)
Lightning Web Components

.apex
.apexp
.apxc
.page
.component
.cls
.trigger
.tgr
.object
.report
.workflow
-meta.xml
.xml

This is for Salesforce APEX only.

Ruby

Ruby on Rails

.rb
.rhtml
.rxml
.rjs
.erb
.cgi
.lock

JavaScript
Typescript

Ajax
Angular
AngularJS
Backbone
Cordova / PhoneGap
Handlebars
Hapi.JS
JQuery
Knockout
Kony Visualizer
Node.js
- Buffer
- CryptoJS
- ExpressJS
- File System
- Hapi
- Mongodb
- OracleDB
- Sequelize
Pug (Jade)
React Native
ReactJS
SAPUI5
VueJS
XS (SAP)
RequireJS

.js
.jsx
.htm
.html
.json
.ts
.tsx
.aspx
.ascx
.xsjs
.xsjslib
.xsaccess
.xsapp
.app
.evt
.cmp
.hbs
.handlebars
.jade
.pug
.vue
.xml
.apexp
.page
.component
.cshtml
.jsf
.xhtml
.jsp
.jspf
.asp
.master
.php

VBScript

.vbs
.aspx
.ascx
.asp
.cshtml
.html
.htm
.master

Perl

.pl
.pm
.plx
.psgi
.cgi

Android (Java)

Volley

.java
.kt

Objective-C
Swift

.m
.h
.swift
.xib
.plist

HTML 5

.html
.htm

PL/SQL

.pls
.sql
.pkh
.pks
.pkb
.pck

Python

JavaScript
VB script
PL\SQL

Django
Flask
Jinja and DTL
Pandas library
Marshmallow

.py
.gtl
.csv
.latex
.tex
.html
.xml
.txt

Groovy

JavaScript
VB script
PL\SQL

.groovy
.gsh
.gvy
.gy
.gsp
.gradle

Scala

Akka
Finagle
Finatra

.scala
.conf

Scala can be configured as a unified language with Java.

GO Language

Protobuf
gin-gonic/gin
gorilla-mux

.go
.mod

Kotlin

Ktor (Server Side)
Vert.x (Server Side)
Spring

.kt
.kts
.mustache
.ftl
.xml

Cobol

.cbl
.cob
.eco
.pco
.sqb
.cpy

.rpg
.rpg38
.sqlrpg
.rpgle
.sqlrpgle
.dspf

Dart

Flutter

.dart
.yaml

OpenResty

.lua
.conf

Rust

Vulnerability Queries 9.6.3

All queries that are executed in version 9.6.3 are available for download - PDF, CSV

New and updated queries in version 9.6.3 are available for download - PDF, CSV

Queries associated with predefined query presets are available for download - PDF, CSV

New and Changed Queries Details

Release Notes for Engine Pack (EP) 9.6.3 Patches

Version 9.6.3.1001 February 2024
Enhancements made in the following Ruby queries to prevent false positives: Ruby_High_Risk\Stored_XSS Ruby_High_Risk\SQL_Injection

In this section:

Engine Pack Version 9.6.3

CxSAST Engine

Languages & Frameworks

Rust

Notice

Notice

Fast Scan

Presets

Base Preset

STIG

Scanning Unsupported Files - New Error Code

Notice

XML Files Pre-Processing in Java

Notice

Engine Pack Supported Code Languages and Frameworks (9.6.3)

Vulnerability Queries 9.6.3

Release Notes for Engine Pack (EP) 9.6.3 Patches

Search results