Release Notes for Engine Pack (EP) 9.4.5 Patches

Version Date 16-09-2022

RPG improvements to:

  • Reduce the number of exceptions while parsing the source code

  • Prevent False Negative results

Version Date 05-09-2022

Improvements in the Go language support to prevent issues when scanning the source code.

Several queries were improved to prevent False Positives:

  • JavaScript_High_Risk\Client_DOM_XSS

  • JavaScript_Low_Visibility\Client_DOM_Open_Redirect

  • JavaScript_Server_Side_Vulnerabilities\Reflected_XSS

  • Java_High_Risk\Reflected_XSS_All_Clients

  • Java_Medium_Threat\HttpOnlyCookies_In_Config

  • JavaScript_Medium_Threat\Client_Potential_XSS

Several queries were improved to prevent False Negatives:

  • JavaScript_General\Find_Inputs

  • JavaScript_Server_Side_Vulnerabilities\SQL_Injection

  • JavaScript_Server_Side_Vulnerabilities\Command_Injection

  • Scala_Medium_Threat\Privacy_Violation

Docker files are updated in the Linux engine (requires Docker version 20.10.10+).

Version Date 03-08-2022

CxAudit has been improved to use the same environment variable that CxPortal uses to define the Source folder.

The query CPP_Buffer_Overflow.Buffer_Overflow_Unbounded_Format has been improved to prevent a StackOverflow error.

Several queries were improved to prevent False Negatives:

  • JavaScript_High_Risk/Client_DOM_Stored_XSS

  • JavaScript_Server_Side_Vulnerabilities/Reflected_XSS

  • CSharp_High_Risk/Reflected_XSS_All_Clients

  • CSharp_High_Risk/Command_Injection

  • CSharp_High_Risk/Connection_String_Injection

  • CSharp_High_Risk/Deserialization_of_Untrusted_Data

Improvements in the confidence level calculation to display the proper value for scans triggered through the Linux engine.

Version Date 11-07-2022

Improvements in Java parsing to prevent false positive (FP) results for the Reflected XSS All Clients query.

Improvements in JSP parsing to prevent false negative (FN) results.

Improved the React parsing to prevent errors from occurring when HTML elements included keywords.

Improvements in MyBatis (Java) parsing to prevent DOM loss.

Improvements in MyBatis (Java) parsing to prevent an issue that occurred when pre-processed files included single quotes.

Fixed an issue that was causing scans to fail when scanning JavaScript code that included type predicates.