Release Notes for Engine Pack 9.4.5

Installation Notes

Warning

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The New Delivery Model for Checkmarx SAST.

New Improved Scan Flow Improvements

Groovy language is now supported.

Support now includes the following Java methods: Iterable.iterator and Iterator.next().

Languages and Frameworks

All supported code Languages and Frameworks versions can be found at

Supported Code Languages and Frameworks for Engine Pack 9.4.5.

Scala

Finagle is an extensible RPC system for the JVM, used to construct high-concurrency servers. Finagle implements uniform client and server APIs for several protocols, and is designed for high performance and concurrency.

We are introducing brand new support for Finagle.

CSharp and .Net Core improvements

In 9.4.5 we improved CSharp queries to partially support the latest .NET Core versions 5 and 6:

CSharp_Medium_Threat/Buffer_Overflow
Updated general queries to support new hashing methods. The changes affect the following queries:

Leaving_Temporary_Files
Information_Exposure_Through_an_Error_Message
Improper_Exception_Handling
Blind_SQL_Injections
Stored_Command_Argument_Injection
Stored_Code_Injection
Potential_ReDoS_In_Static_Field
Potential_ReDoS_In_Code
Potential_ReDoS_By_Injection
Potential_ReDoS
Heuristic_Stored_XSS
Heuristic_2nd_Order_SQL_Injection
Shell_Command_Argument_Injection
OS_Command_Argument_Injection
Use_of_RSA_Algorithm_without_OAEP
Trust_Boundary_Violation_in_Session_Variables
Log_Forging
Leaving_Temporary_Files
Improper_Exception_Handling
Impersonation_Issue
Command_Argument_Injection
Blind_SQL_Injections

Updated the general IO (input/output) file queries affecting the following:

RPG Improvements

In 9.4.5 we added support for Display Files and in addition, several parsing exceptions were also fixed.

The following queries were updated mainly for inputs coming from Display Files:

RPG_High_Risk/SQL_Injection
RPG_Medium_Threat/Reflected_Path_Traversal
RPG_Low_Visibility/Integer_Overflow

Presets

OWASP ASVS Compliance

A new preset and a new category for the OWASP ASVS were added, allowing you to track the results and check for compliance.

CWE Top 25

A new preset and a new category for CWE Top 25 were added, allowing you to track the results and check for compliance.

MISRA C 2012

The MISRA C 2012 preset for C Coding Standards, which was added in 9.4.4, has been improved with additional rules. The preset now contains new and improved queries for Rules 6.1 to 6.2, 7.4, 8.1 to 8.8, and 8.10. In the upcoming version, the preset will be improved with additional queries and extended rules coverage.

Component Upgrades

The EngineService was upgrade to .NET Core 6.

Since the Engine Pack installer validates the prerequisites the silent mode upgrade will fail if the .NET Core 6 is not installed.