Skip to main content

Release Notes for Engine Pack 9.4.3

Engine Pack 9.4.3 contains the following engine deliverables and enhancements:

Installation Notes


In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.


Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The New Delivery Model for Checkmarx SAST.The Engine Pack Delivery Model for Checkmarx SAST

Log4J Updates

The following new query detects vulnerable Log4J versions:

  • Best_Coding_Practice/Potential_Usage_of_Vulnerable_Log4J - This new query finds usage of Log4J dependencies, as a way of exposing Apache Log4J Remote Execution.

The new query was added to the following languages:

  • Java

  • Kotlin

  • Groovy

  • Scala


Common queries were added that could serve as a basis for defining the same queries in other languages.

New Flow Improvements

The following languages have been added to work with New Flow by default:

  • VB.Net

  • C#

  • RPG

  • Scala

In addition, Swift is a new language that was added to work with New Flow.

Languages and Frameworks Updates

This release includes several improvements in support of the following languages and frameworks:

For current information about language and framework support in general, see Supported Code Languages and Frameworks for Engine Pack 9.4.3.

For current information about the latest vulnerability queries, see Vulnerability Queries for 9.4.3.

OOTB Accuracy Content Pack

Engine Pack 9.4.3 includes, right out of the box, improved queries for PLSQL and C-Sharp.


RPG is now included in Engine Pack 9.4.3 with new and improved queries, improved support, and more features.


Scala support availability continues to be delivered as a Technology Preview. CxSAST 9.4.3 includes new and improved queries, with a new set of features.

To run scans using the Technology Preview version, set the new support flag, USE_NEW_SCALA, in the [CxDB].[Config].[CxEngineConfigurationKeysMeta] table to true.

Only project files with the .scala file extension determine that the project will be scanned for Scala files. The .conf file extension (used for Scala HOCON) is no longer a criteria for scanning Scala projects.

Beginning with CxSAST 9.4.3, the .conf configuration files will no longer be included in the LOC (lines of code) count of a scan. Therefore, even without any change in the project’s source code, a project scanned with CxSAST 9.4.3 might result in less LOC than a previous version of CxSAST. However, the .conf files will still be parsed and interpreted as in the previous versions.


Swift support is available as a Technology Preview in CxSAST 9.4.3.

To use the new language support, do the following:

  1. Install 9.4 HF7.

  2. License for new support (for CxAudit).

  3. Set the new support flag, USE_NEW_SWIFT, in the [CxDB].[Config].[CxEngineConfigurationKeysMeta] table to true.

Trojan Source Vulnerability

Two new queries added for Java language to prevent the Trojan Source vulnerability:

  • Best_Coding_Practice/Unsafe_Bidi_Unicode_Data - This new query finds Bidi characters in the Java source code, as a way of exposing the Trojan Source vulnerability.

  • Best_Coding_Practice/Unsafe_Homoglyphs_Unicode_Data - This new query finds unsafe homoglyph characters in the Java source code. This query handles another part of the Trojan Source vulnerability.


Common queries were added that could serve as a basis for defining the same queries in other languages.

KISA Secure Coding

A new preset is available in CxSAST 9.4.3 for Korean Security Standards, called the MOIS (KISA) Software Secure Coding 2021 from the Ministry of the Interior and Safety (MOIS) and Korea Internet & Security Agency (KISA).


Common queries were added that could serve as a basis for defining the same queries in other languages.

New Presets for C++ Coding Standards

Two new presets are available for C++ language:


  • ISO/IEC TS 17961 2013/2016.

Log Improvements

Where the number of DOM Objects are displayed in the log, the log line now will be labeled Resolving (instead of “Unspecified”).