Release Notes for Engine Pack (EP) 9.4.5 Patches

Version 9.4.5.1010 Date 28-12-2022
The query JavaScript_High_Risk\Client_DOM_XSS was improved to reduce False Positives when using the DOMPurify as a sanitizer. The comment existing in the Java General query Find_GWT_Server_Input_Methods has been improved to make clear that RpcServlet class is considered as experimental by GWT. Fixed an issue to prevent having an exception when computing the Similarity Id during the scan execution. Improvements in CSharp flows to prevent having False Positive results for the query CSharp_High_Risk\Second_Order_SQL_Injection. Improvement in Java flows to prevent incorrect results for the query Java.Hig\Reflected_XSS_All_Clients. Parsing Cobol improvements to prevent False Positive results for the query Cobol_High_Risk\SQL_Injection. The query Python_High_Risk\Connection_String_Injection has been improved to reduce the number of False Positive results. Improvements in the JavaScript parsing, at the DOM creation stage. CWE for the query CSharp_Medium_Threat\Data_Filter_Injection has been updated from CWE-200 to CWE-943. The queries Java_Medium_Threat.CGI_Reflected_XSS_All_Clients and Java_Medium_Threat.CGI_Stored_XSS have been improved to reduce the number of False Positive results.

Version 9.4.5.1010 Date 28-12-2022

The query JavaScript_High_Risk\Client_DOM_XSS was improved to reduce False Positives when using the DOMPurify as a sanitizer.
The comment existing in the Java General query Find_GWT_Server_Input_Methods has been improved to make clear that RpcServlet class is considered as experimental by GWT.
Fixed an issue to prevent having an exception when computing the Similarity Id during the scan execution.
Improvements in CSharp flows to prevent having False Positive results for the query CSharp_High_Risk\Second_Order_SQL_Injection.
Improvement in Java flows to prevent incorrect results for the query Java.Hig\Reflected_XSS_All_Clients.
Parsing Cobol improvements to prevent False Positive results for the query Cobol_High_Risk\SQL_Injection.
The query Python_High_Risk\Connection_String_Injection has been improved to reduce the number of False Positive results.
Improvements in the JavaScript parsing, at the DOM creation stage.
CWE for the query CSharp_Medium_Threat\Data_Filter_Injection has been updated from CWE-200 to CWE-943.
The queries Java_Medium_Threat.CGI_Reflected_XSS_All_Clients and Java_Medium_Threat.CGI_Stored_XSS have been improved to reduce the number of False Positive results.

Version 9.4.5.1009 Date 16-11-2022
Several parsing issues were fixed in the CPP source code scanning. Fixed an issue in C/CPP macros to prevent using keywords as var names. The query CSharp_High_Risk\SQL_Injection was improved to prevent False Negatives. The query Apex_Force_com_Serious_Security_Risk\Sharing was improved to prevent False Positives. Fixed an issue that occurred when scanning JavaScript to prevent duplicated results.

Version 9.4.5.1009 Date 16-11-2022

Several parsing issues were fixed in the CPP source code scanning.
Fixed an issue in C/CPP macros to prevent using keywords as var names.
The query CSharp_High_Risk\SQL_Injection was improved to prevent False Negatives.
The query Apex_Force_com_Serious_Security_Risk\Sharing was improved to prevent False Positives.
Fixed an issue that occurred when scanning JavaScript to prevent duplicated results.

Version 9.4.5.1008 Date 19-10-2022
Several parsing issues were fixed in the CPP source code scanning. The query CPP_Best_Coding_Practice/Methods_Without_ReturnType has been updated to improve the accuracy in the results. Engine has been improved by reducing memory consumption when running scans and thereby avoiding OutOfMemoryExcepion errors. The query Java_High_Risk\Stored_XSS was improved to prevent False Negatives. Several parsing issues were fixed in the CPP source code scanning.

Version 9.4.5.1008 Date 19-10-2022

Several parsing issues were fixed in the CPP source code scanning.
The query CPP_Best_Coding_Practice/Methods_Without_ReturnType has been updated to improve the accuracy in the results.
Engine has been improved by reducing memory consumption when running scans and thereby avoiding OutOfMemoryExcepion errors.
The query Java_High_Risk\Stored_XSS was improved to prevent False Negatives.
Several parsing issues were fixed in the CPP source code scanning.

Version 9.4.5.1007 Date 16-09-2022
RPG improvements to: Reduce the number of exceptions while parsing the source code Prevent False Negative results

Version 9.4.5.1006 Date 05-09-2022
Improvements in the Go language support to prevent issues when scanning the source code.
Several queries were improved to prevent False Positives: JavaScript_High_Risk\Client_DOM_XSS JavaScript_Low_Visibility\Client_DOM_Open_Redirect JavaScript_Server_Side_Vulnerabilities\Reflected_XSS Java_High_Risk\Reflected_XSS_All_Clients Java_Medium_Threat\HttpOnlyCookies_In_Config JavaScript_Medium_Threat\Client_Potential_XSS
Several queries were improved to prevent False Negatives: JavaScript_General\Find_Inputs JavaScript_Server_Side_Vulnerabilities\SQL_Injection JavaScript_Server_Side_Vulnerabilities\Command_Injection Scala_Medium_Threat\Privacy_Violation
Docker files are updated in the Linux engine (requires Docker version 20.10.10+).

Version 9.4.5.1004 Date 03-08-2022
CxAudit has been improved to use the same environment variable as CxPortal that defines the Source folder.
The query CPP_Buffer_Overflow.Buffer_Overflow_Unbounded_Format has been improved to prevent a StackOverflow error.
Several queries were improved to prevent False Negatives: JavaScript_High_Risk/Client_DOM_Stored_XSS JavaScript_Server_Side_Vulnerabilities/Reflected_XSS CSharp_High_Risk/Reflected_XSS_All_Clients CSharp_High_Risk/Command_Injection CSharp_High_Risk/Connection_String_Injection CSharp_High_Risk/Deserialization_of_Untrusted_Data
Improvements in the confidence level calculation to display the proper value for scans triggered through the Linux engine.

Version 9.4.5.1003 Date 11-07-2022
Improvements in Java parsing to prevent FP (false positive) results for the Reflected XSS All Client query.
Improvements in JSP parsing to prevent FN results.
Improved the React parsing to prevent errors from occurring when HTML elements included keywords.
Improvements in MyBatis (Java) parsing to prevent DOM loss.
Improvements in MyBatis (Java) parsing to prevent an issue that occurred when pre-processed files included single quotes.
Fixed an issue that was causing scans to fail when scanning JavaScript code that included type predicates.

In this section:

Search results