Skip to main content

Release Notes for Engine Pack 9.4.2

Engine Pack 9.4.2 contains the following engine deliverables and enhancements:

Installation Notes


In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.


Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see The New Delivery Model for Checkmarx SAST.The Engine Pack Delivery Model for Checkmarx SAST

Support for OWASP Top 10 2021

A preset query for the OWASP Top 10 2021 is available out-of-the-box with this Engine Pack.

In addition to this new preset, the Engine Pack includes the following enhancements for OWASP Top 10 2021:

  • New Results Viewer category

  • New queries (security rules) which extend our support for the new standard

  • An “OWASP Top 10 2021” report format

For more information, see OWASP Top 10 2021.

New Flow Improvements

New Flow has been improved in the following ways:

  • New Flow now supports the following:

    • Python Kwargs type parameters

    • JS Spread operators on objects and arrays

  • Where multiple classes can implement an interface, New Flow can now keeps track of which concrete type implements the interface, and only enters the methods of that implementation into the flow analysis.

  • The recording of the New Flow statistics has been improved by printing the entire statistics to the log file after the flow is completed. Previously, partial statistics were printed to the log once a minute, while the flow was still running.

Incremental Scan Improvements

In 9.4.2 the incremental scan process is more accurate because of improvements to the closure file build mechanism. By including more data in the method mapping files, the incremental scan process achieves more accurate results.

Languages and Frameworks Updates

This release includes several improvements in support of the following languages and frameworks:

For current information about language and framework support in general, see Supported Code Languages and Frameworks for Engine Pack 9.4.2.

Java Frameworks: JSF, PrimeFaces

In 9.4.2 we finished the support rewrite of JSF.


The JSF (Jakarta Server Faces, formerly JavaServer Faces) framework is now supported up to version 2.3.0

In JSF, the major improvements were on the following:

  • Managed Bean is a regular Java Bean class registered with JSF.

  • Conditional Navigation, making it is possible to define multiple paths, each for different conditions, but all with the same outcome name

  • The tags defined by the JavaServer Faces standard HTML tag library representing HTML form components and other basic HTML elements

The following security queries were added:

  • JSF_Local_File_Inclusion


  • JSF_Managed_Bean_PII_Leak

The following security queries were improved:

  • Reflected_XSS_All_Clients

  • Stored_XSS

  • Client_State_Saving_Method_JSF

  • ReDoS_From_Regex_Injection

  • Expression_Language_Injection_OGNL

  • Open_Redirect

  • Stored_Open_Redirect


PrimeFaces is a popular open-source framework for JavaServer Faces and it’s now partially supported up to version 10.

In PrimeFaces, the major features available are the following:

  • Inputs Tags

  • Output Tags

  • Data Tags

JavaScript Frameworks: Angular

Angular is now supported up to versions 11 and 12.

In Angular, the major improvements were on the following:

  • Nullish Coalescing

  • Updated Deprecated_API

The following security query was improved:

  • Angular_Deprecated_API


In 9.4.2 Python support was improved by correcting specific bugs and improving its accuracy.

Technology Preview: RPG, Scala


Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported, might not be functionally complete, and are not intended for production use.

As Checkmarx considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features.

The following languages are available as Technology Preview in CxSAST 9.4.2:


RPG is a high-level programming language for business applications. We are introducing brand new language support.


Scala combines object-oriented and functional programming in one concise, high-level language.

Scala will be redesigned using the latest engine technologies and bringing them in line with all other supported languages resulting in improved scan duration and better accuracy.