
Preset Manager

Presets are predefined sets of queries you can select when Creating, Configuring, and Branching Projects. Predefined presets are provided by Checkmarx, and you can configure your own. You can also import and export presets.

To open the Preset Manager:

Go to Settings > Scan Settings > Preset Manager. The Preset Manager window is displayed.


Notice

You can quickly create a new preset based on an existing one by selecting a Preset in the Preset pane and clicking the Duplicate button.

Creating a New Preset

To create a new preset:

  1. From the Preset Manager, click Create New Preset. The Create New Presets window is displayed.

  2. Enter a preset Name and click <Create>.

  3. Select a Coding Language.

  4. Select the Queries to be included in the preset.

  5. Click <Save>.

Modifying an Existing Preset

To modify an existing preset:

  1. From the Preset Manager, select a Preset from the Preset pane and click <Edit>.

  2. Select a Coding Language.

  3. Select the Queries to be included in the preset.

    Notice

    You can edit a single language, such as Java, selecting and deselecting queries as needed, and then click Synchronize to apply the same selection to the same-named queries in all other languages.

  4. Click <Save>.

Importing a Preset

To import a preset:

  1. From the Preset Manager, click Import Preset. The Import Preset window is displayed.

  2. Click <Select>, navigate to the preset (.XML file) and click <Open>.

    Notice

    If the imported preset has the same name as an existing one, the existing preset is overwritten without further confirmation. Export the existing preset first if you need to keep a copy of it.

  3. Click <Import>. The Preset is displayed in the Preset pane.

Exporting a Preset

To export a preset:

From the Preset Manager, click <Export Preset> and save the exported preset (.XML file).

Deleting a Preset

To delete a preset:

From the Preset Manager, select a Preset from the Preset pane and click the Delete button.

Predefined Presets

The following table lists all the predefined presets provided by Checkmarx, their recommended usage, and the languages whose vulnerability queries each one includes:

| Preset | Usage | Includes vulnerability queries for... |
|---|---|---|
| All | For all application security risks | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| Android | For Android-related application security risks | Groovy, Java, and Kotlin coding languages |
| Apple Secure Coding Guide | For iOS-related application security risks | ObjectiveC and Swift coding languages |
| ASA Mobile Premium | Contains the subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers the starting point of a Checkmarx AppSec program when scanning mobile applications. The preset might change in future versions: the AppSec Accelerator team continuously removes old or deprecated queries and includes new and improved ones. | CSharp, Java, JavaScript, Kotlin, ObjectiveC, and Swift coding languages |
| ASA Premium | Contains the subset of vulnerabilities that the Checkmarx AppSec Accelerator team considers the starting point of a Checkmarx AppSec program. The preset might change in future versions: the AppSec Accelerator team continuously removes old or deprecated queries and includes new and improved ones. | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, VB6, VbNet, and VbScript coding languages |
| Base Preset | Designed to boost scanning efficiency, prioritizing fast results for pertinent and impactful vulnerabilities. Use it as a starting point and customize it to your requirements; its full query list is given in the Base Preset section below. | Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Perl, PLSQL, Python, RPG, Ruby, and VbNet coding languages |
| Checkmarx Default | Contains all the vulnerabilities that Checkmarx recommends scanning for when you are unsure which preset to use. | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| Checkmarx Express | A curated set of High and Medium Java, C#, and JavaScript queries improved by Checkmarx accuracy initiatives. | CSharp, Java, and JavaScript coding languages |
| CWE Top 25 | For the Common Weakness Enumeration (CWE) Top 25, the most common and impactful software weaknesses | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| Empty Preset | Empty preset with no vulnerability queries. Use it to create a new preset from scratch. | None |
| Error Handling | For error handling-related application security risks | Apex, ASP, CPP, CSharp, Groovy, Java, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, VB6, and VbNet coding languages |
| FISMA | For U.S. federal information system security risks according to the Federal Information Security Modernization Act (FISMA) compliance guidelines | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| High and Medium | For High and Medium severity application security risks | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| High, Medium, and Low | For High, Medium, and Low severity application security risks | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| HIPAA | For sensitive patient data-related security risks according to the HIPAA (Health Insurance Portability and Accountability Act) compliance guidelines | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, Swift, Typescript, VB6, VbNet and VbScript coding languages |
| ISO/IEC TS 17961 2013/2016 | For the ISO/IEC TS 17961 secure coding rules for C | CPP (C and C++) coding language |
| JSSEC | For Android-related application security risks according to the JSSEC (Japan Smartphone Security Association) guidelines | Groovy and Java coding languages |
| MISRA_C | For C-related application security risks according to the MISRA (Motor Industry Software Reliability Association) C guidelines | CPP (C and C++) coding language |
| MISRA C 2012 | An improved version of the MISRA_C preset, with a set of queries covering the MISRA C:2012 coding guidelines for the motor industry. The preset is not yet complete; new and improved queries will be included in future versions. | C coding language |
| MISRA_CPP | For C++-related application security risks according to the MISRA (Motor Industry Software Reliability Association) C++ guidelines | CPP (C and C++) coding language |
| Mobile | For mobile-related application security risks | CSharp, Groovy, Java, JavaScript, Kotlin, ObjectiveC, and Swift coding languages |
| MOIS(KISA) Secure Coding 2021 | For the Software Secure Coding 2021 guidelines from the Ministry of the Interior and Safety (MOIS) and the Korea Internet & Security Agency (KISA) | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, VB6, VbNet and VbScript coding languages |
| NIST | For application security risks according to the National Institute of Standards and Technology (NIST) compliance guidelines | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet, and VbScript coding languages |
| OWASP ASVS | For the OWASP (Open Web Application Security Project) Application Security Verification Standard: a basis for testing web application technical security controls and a list of requirements for secure development | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, VB6, VbNet and VbScript coding languages |
| OWASP Mobile TOP 10-2016 | For the top 10 mobile application security risks according to the OWASP Mobile Top 10 for 2016 | CSharp, Groovy, Java, JavaScript, Kotlin, and ObjectiveC coding languages |
| OWASP TOP 10-2010 | For the top 10 web application security risks according to the OWASP Top 10 for 2010 | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Typescript, VB6, VbNet and VbScript coding languages |
| OWASP TOP 10-2013 | For the top 10 web application security risks according to the OWASP Top 10 for 2013 | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| OWASP TOP 10-2017 | For the top 10 web application security risks according to the OWASP Top 10 for 2017 | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| OWASP TOP 10-2021 | For the top 10 web application security risks according to the OWASP Top 10 for 2021 | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| OWASP TOP 10 API 2019 | For the vulnerabilities and security risks specific to Application Programming Interfaces (APIs) according to the OWASP API Security Top 10 for 2019 | CSharp, Java, JavaScript, and PHP coding languages |
| OWASP TOP 10 API 2023 | For the vulnerabilities and security risks specific to Application Programming Interfaces (APIs) according to the OWASP API Security Top 10 for 2023 | Apex, ASP, Cobol, CPP, CSharp, Dart, Go, Groovy, Java, JavaScript, Kotlin, Lua, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| PCI | For credit card payment application security risks according to the PCI (Payment Card Industry) compliance guidelines | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet, and VbScript coding languages |
| SANS Top 25 | For the CWE/SANS Top 25 most dangerous software errors | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| SEI CERT | For the SEI CERT C and C++ coding standards | CPP (C and C++) coding language |
| STIG | For application security risks according to the Security Technical Implementation Guide (STIG) compliance guidelines | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Perl, PHP, PLSQL, Python, Ruby, Scala, Typescript, VB6, VbNet and VbScript coding languages |
| Top Tier | Designed to be "noise-free", with the highest accuracy and reliability when scanning code for vulnerabilities and security risks. Top Tier is based on the queries with the highest accuracy. | Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, RPG, Ruby, Scala, Swift, VB6 and VbNet coding languages |
| WordPress | For WordPress-related web application security risks | PHP coding language |
| XS | For SAP XS-related application security risks | JavaScript coding language |
| XSS and SQLi only | Only the XSS and SQL injection queries. When scanning a new project, the recommended best practice is to focus on the most important vulnerabilities first. | Apex, ASP, Cobol, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin, ObjectiveC, Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet and VbScript coding languages |

Base Preset

The Base preset is composed of the following queries:

| Language | Package | Severity | Query | CWE | Query Id |
|---|---|---|---|---|---|
| Cobol | Cobol_Medium_Threat | Medium | Ignored_Error_Conditions | 703 | 6190 |
| CPP | CPP_Buffer_Overflow | High | Improper_Null_Termination | 170 | 5578 |
| CPP | CPP_High_Risk | High | LDAP_Injection | 90 | 4022 |
| CPP | CPP_High_Risk | High | Command_Injection | 77 | 285 |
| CPP | CPP_High_Risk | High | Connection_String_Injection | 99 | 286 |
| CPP | CPP_High_Risk | High | Process_Control | 114 | 287 |
| CPP | CPP_High_Risk | High | SQL_Injection | 89 | 289 |
| CPP | CPP_Insecure_Credential_Storage | Medium | PBKDF2_Weak_Salt_Value | 522 | 5503 |
| CPP | CPP_Medium_Threat | Medium | Divide_By_Zero | 369 | 1216 |
| CPP | CPP_Medium_Threat | Medium | Path_Traversal | 22 | 321 |
| CPP | CPP_Medium_Threat | Medium | Hardcoded_password_in_Connection_String | 547 | 323 |
| CPP | CPP_Low_Visibility | Low | Privacy_Violation | 359 | 1213 |
| CSharp | CSharp_High_Risk | High | Connection_String_Injection | 99 | 425 |
| CSharp | CSharp_High_Risk | High | LDAP_Injection | 90 | 426 |
| CSharp | CSharp_High_Risk | High | Second_Order_SQL_Injection | 89 | 429 |
| CSharp | CSharp_High_Risk | High | SQL_Injection | 89 | 430 |
| CSharp | CSharp_High_Risk | High | Stored_XSS | 79 | 431 |
| CSharp | CSharp_High_Risk | High | XPath_Injection | 643 | 433 |
| CSharp | CSharp_Medium_Threat | Medium | Path_Traversal | 22 | 468 |
| CSharp | CSharp_Medium_Threat | Medium | Privacy_Violation | 359 | 475 |
| CSharp | CSharp_Medium_Threat | Medium | CSRF | 352 | 483 |
| CSharp | CSharp_Medium_Threat | Medium | Improper_Restriction_of_XXE_Ref | 611 | 3685 |
| CSharp | CSharp_Medium_Threat | Medium | Missing_HSTS_Header | 346 | 5375 |
| Go | Go_Insecure_Credential_Storage | Medium | Insecure_Credential_Storage_Mechanism | 522 | 4650 |
| Go | Go_Medium_Threat | Medium | Denial_Of_Service_Resource_Exhaustion | 400 | 4679 |
| Groovy | Groovy_Medium_Threat | Medium | Privacy_Violation | 359 | 3387 |
| Java | Java_High_Risk | High | Command_Injection | 77 | 588 |
| Java | Java_High_Risk | High | Connection_String_Injection | 99 | 589 |
| Java | Java_High_Risk | High | LDAP_Injection | 90 | 590 |
| Java | Java_High_Risk | High | Second_Order_SQL_Injection | 89 | 593 |
| Java | Java_High_Risk | High | SQL_Injection | 89 | 594 |
| Java | Java_High_Risk | High | Stored_XSS | 79 | 595 |
| Java | Java_Medium_Threat | Medium | Missing_HSTS_Header | 346 | 5370 |
| Java | Java_Medium_Threat | Medium | Improper_Restriction_of_XXE_Ref | 611 | 3522 |
| Java | Java_Medium_Threat | Medium | Improper_Restriction_of_Stored_XXE_Ref | 611 | 4447 |
| Java | Java_Medium_Threat | Medium | Privacy_Violation | 359 | 639 |
| Java | Java_Medium_Threat | Medium | CSRF | 352 | 648 |
| Java | Java_Medium_Threat | Medium | Absolute_Path_Traversal | 36 | 1670 |
| Java | Java_Low_Visibility | Low | Use_Of_Hardcoded_Password_In_Config | 260 | 5876 |
| JavaScript | JavaScript_Angular | Low | Angular_Usage_of_Unsafe_DOM_Sanitizer | 116 | 5266 |
| JavaScript | JavaScript_High_Risk | High | Client_DOM_Stored_XSS | 79 | 2560 |
| JavaScript | JavaScript_Medium_Threat | Medium | Client_HTML5_Insecure_Storage | 312 | 2725 |
| JavaScript | JavaScript_Medium_Threat | Medium | Missing_HSTS_Header | 346 | 5404 |
| JavaScript | JavaScript_Server_Side_Vulnerabilities | Medium | Relative_Path_Traversal | 23 | 2980 |
| JavaScript | JavaScript_Server_Side_Vulnerabilities | High | Second_Order_SQL_Injection | 89 | 2983 |
| JavaScript | JavaScript_Server_Side_Vulnerabilities | High | SQL_Injection | 89 | 2984 |
| JavaScript | JavaScript_Server_Side_Vulnerabilities | High | Stored_XSS | 79 | 2987 |
| Perl | Perl_Medium_Threat | Medium | Use_Of_Hardcoded_Password | 259 | 2061 |
| Perl | Perl_Medium_Threat | Medium | Privacy_Violation | 359 | 2107 |
| PLSQL | PLSQL_Medium_Threat | Medium | Dangling_Database_Cursor | 619 | 2678 |
| PLSQL | PLSQL_Medium_Threat | Medium | Default_Definer_Rights_in_Package_or_Object_Definition | 265 | 2626 |
| PLSQL | PLSQL_Low_Visibility | Low | Use_Of_Hardcoded_Password | 259 | 2642 |
| Python | Python_High_Risk | High | Command_Injection | 77 | 3101 |
| Python | Python_High_Risk | High | Connection_String_Injection | 99 | 3102 |
| Python | Python_High_Risk | High | Second_Order_SQL_Injection | 89 | 3105 |
| Python | Python_High_Risk | High | Stored_XSS | 79 | 3106 |
| Python | Python_High_Risk | High | SQL_Injection | 89 | 3424 |
| Python | Python_Medium_Threat | Medium | Path_Traversal | 22 | 3115 |
| Python | Python_Medium_Threat | Medium | Privacy_Violation | 359 | 3116 |
| RPG | RPG_High_Risk | High | Buffer_Overrun | 126 | 6965 |
| RPG | RPG_Low_Visibility | Low | Use_Of_Hardcoded_Password | 259 | 6964 |
| Ruby | Ruby_Medium_Threat | Medium | Privacy_Violation | 359 | 2121 |
| Ruby | Ruby_Medium_Threat | Medium | Dangerous_Send | 77 | 2710 |
| Ruby | Ruby_Low_Visibility | Low | Use_Of_Hardcoded_Password | 259 | 1517 |
| VbNet | VbNet_High_Risk | High | XPath_Injection | 643 | 778 |
| VbNet | VbNet_Medium_Threat | Medium | Path_Traversal | 22 | 809 |
| VbNet | VbNet_Medium_Threat | Medium | CSRF | 352 | 821 |
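The Base Preset list above is also a convenient data set for reasoning about two Preset Manager behaviours described earlier on this page: Synchronize (edit one language, then propagate the selection to the same-named queries in every other language) and the Import Preset rule that a same-name import overwrites the existing preset. The following Python is an added worked example, not Checkmarx code and not the format of the exported .XML file: it models a preset as a set of query IDs, using a constructed subset of the Base Preset rows, and assumes you have already extracted the query IDs from an exported preset by whatever means suit you (the export format is not described on this page).

```python
"""Added worked example (not Checkmarx code): model a preset as a set of query
IDs and reproduce two Preset Manager behaviours on the Base Preset list:
"Synchronize" (select a query by name in one language and pick up the
same-named query in every other language) and a drift check after an
import has overwritten a same-name preset."""
from collections import defaultdict

# Constructed subset of the Base Preset table on this page.
# Columns: language, package, severity, query name, CWE, query id.
BASE_PRESET = [
    ("Cobol", "Cobol_Medium_Threat", "Medium", "Ignored_Error_Conditions", 703, 6190),
    ("CPP", "CPP_High_Risk", "High", "Command_Injection", 77, 285),
    ("CPP", "CPP_High_Risk", "High", "SQL_Injection", 89, 289),
    ("CPP", "CPP_Medium_Threat", "Medium", "Path_Traversal", 22, 321),
    ("CPP", "CPP_Low_Visibility", "Low", "Privacy_Violation", 359, 1213),
    ("CSharp", "CSharp_High_Risk", "High", "SQL_Injection", 89, 430),
    ("CSharp", "CSharp_High_Risk", "High", "Stored_XSS", 79, 431),
    ("CSharp", "CSharp_Medium_Threat", "Medium", "Privacy_Violation", 359, 475),
    ("CSharp", "CSharp_Medium_Threat", "Medium", "CSRF", 352, 483),
    ("Java", "Java_High_Risk", "High", "Command_Injection", 77, 588),
    ("Java", "Java_High_Risk", "High", "SQL_Injection", 89, 594),
    ("Java", "Java_High_Risk", "High", "Stored_XSS", 79, 595),
    ("Java", "Java_Medium_Threat", "Medium", "Privacy_Violation", 359, 639),
    ("Java", "Java_Medium_Threat", "Medium", "CSRF", 352, 648),
    ("JavaScript", "JavaScript_Server_Side_Vulnerabilities", "High", "SQL_Injection", 89, 2984),
    ("JavaScript", "JavaScript_Server_Side_Vulnerabilities", "High", "Stored_XSS", 79, 2987),
    ("Python", "Python_High_Risk", "High", "Command_Injection", 77, 3101),
    ("Python", "Python_High_Risk", "High", "Stored_XSS", 79, 3106),
    ("Python", "Python_High_Risk", "High", "SQL_Injection", 89, 3424),
    ("Python", "Python_Medium_Threat", "Medium", "Path_Traversal", 22, 3115),
    ("Python", "Python_Medium_Threat", "Medium", "Privacy_Violation", 359, 3116),
    ("VbNet", "VbNet_Medium_Threat", "Medium", "CSRF", 352, 821),
]

# The documented preset, as the set of query IDs you would expect to find
# in an export of it.
BASE_IDS = {row[5] for row in BASE_PRESET}


def synchronize(catalog, language, selected_ids):
    """Mimic the Synchronize button: the query *names* selected in `language`
    are looked up across every language in the catalog and the IDs of all
    same-named queries are returned. Query IDs are per language, so the
    name, not the ID, is what carries across languages."""
    names = {name for lang, _, _, name, _, qid in catalog
             if lang == language and qid in selected_ids}
    return {qid for _, _, _, name, _, qid in catalog if name in names}


def diff_presets(expected_ids, actual_ids, catalog):
    """Drift check after Import Preset overwrote a preset of the same name:
    documented queries that are now missing, grouped by severity so a lost
    High query stands out, plus IDs that are not in the documented list."""
    by_id = {row[5]: row for row in catalog}
    missing = defaultdict(list)
    for qid in sorted(set(expected_ids) - set(actual_ids)):
        row = by_id.get(qid)  # an expected ID outside the catalog is still reported
        label = f"{row[0]}.{row[3]} (CWE-{row[4]}, id {qid})" if row else f"id {qid}"
        missing[row[2] if row else "Unknown"].append(label)
    unknown = sorted(set(actual_ids) - set(expected_ids))
    return {"missing": dict(missing), "unknown": unknown}


def severity_counts(catalog, ids):
    """High/Medium/Low make-up of a query set: a quick check that trimming a
    preset for "noise" did not quietly remove its High-risk queries."""
    counts = defaultdict(int)
    for _, _, severity, _, _, qid in catalog:
        if qid in ids:
            counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    # Select Java SQL_Injection (594) and Privacy_Violation (639), then sync:
    # every language's SQL_Injection and Privacy_Violation query is picked up.
    print(sorted(synchronize(BASE_PRESET, "Java", {594, 639})))
    # Constructed scenario: an import dropped both the Java and Python
    # SQL_Injection queries and brought in an ID the documented list lacks.
    imported = (BASE_IDS - {594, 3424}) | {99999}
    print(diff_presets(BASE_IDS, imported, BASE_PRESET))
    print(severity_counts(BASE_PRESET, imported))
```

Run it after importing or editing a preset whose query IDs you have extracted: an empty `missing` dictionary and an empty `unknown` list mean the preset still matches the documented Base Preset, and the severity counts tell you at a glance whether a customisation removed High queries rather than just Low ones.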