9.3.0 Content Packs
In order to further optimize the accuracy of CxSAST scan results, Checkmarx introduced the Security Content packs.
Content packs are released regularly to provide added value to released versions in various ways:
Remediation focus: Increased 0ut-of-the box accuracy by reducing the False Positive (FP) findings, and increasing the True Positive (TP) ones.
API Security: APIs are the de facto communication mean for today’s applications, whether they spring from Microservices, Mobile, IoT, Cloud, Serverless or contexts alike. This content pack focusses on detecting vulnerabilities via specialized API security queries
Language enhancements: Many times a fix or an improvement for a language is provided via a hotfix (HF) or via query changes.
Content Packs are the way to deliver when these improvements are on queries.
Presets/Categories: Content packs allow updating or creating new presets and categories.
Descriptions: Content packs allow adding or updating query descriptions.
Content packs are cumulative and include previous content pack updates for the same language. |
Compatibility and Versioning
Content packs are released for CxSAST product versions, which are already generally available and widely used. Content pack data is compatible with a specific CxSAST product version. Because of this, it uses the CxSAST product version that it is compatible with (3 numbers), and is suffixed by the internal build number (4th number). The compatibility dependency exists due to CxQL and other internal versions. The content of the various content packs is included with the next GA release of CxSAST.
|
Delivery Mechanism
All Content packs are cumulative for a language, i.e., Content Pack 9.3.0.x for Java is similar to installing all content packs of 9.3.0 prior to 9.3.0.x for Java, by the order of their release. The Content Packs Installer checks the installed version and content pack version of CxSAST and allows for installation if the CxSAST version and the installed content pack are compatible.
Installation
The content pack is installed on the CxManager stations, unless otherwise indicated. In a distributed environment, the content pack does not need to be installed on engine stations, just on the CxManager station, which has access to the database. Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.
The installer can also be executed in CLI (silent) mode, similarly to hotfix installations.
Content
Each content pack includes improvements to queries and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.
Detailed content descriptions can be found on the pages listed below:
Content Pack Version - CP.9.3.0.12021 (JavaScript)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This content pack introduces a new unified installer and it includes all the content packs published for version 9.3.0. It includes updates to Apex and JavaScript.
The details about the Apex content included are available at Content Pack 9.3.0.11017 (Apex) release notes.
Notice
Installation order
This is a cumulative content pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other content packs.
This Content Pack requires 9.3.0 Hotfix 3 or higher previously installed on the CxSAST Environment (Manager and Engines).
To take full advantage of improvements of this Content Pack, use the following presets:
Checkmarx Express - for OOTB Accuracy
OWASP Top 10 API - for queries on Java for API Security
This Content Pack (CP) includes the following improvements for reducing the amount of false positive results in JavaScript:
At High Risk queries the accuracy for the Checkmarx Express preset is improved by 350%
At Medium Threat queries the accuracy for the Checkmarx Express preset is improved by 15%
It includes all the changes provided by Content Pack 9 and the following improvements focusing on JavaScript queries:
Improved sanitization for XSS and cryptography on browser and NodeJS
Improved sanitization for AngularJS Filters
Improved support for logging with Node-Bunyan, Winston and PynoHTTP libraries
Improved the list of cdn trustable domains for hardcoded domain
Improved support for CryptoJs and CryptoTS cryptographic libraries
Added support for HmacRIPEMD160 cryptographic algorithm
Improved support for Kony SQLite
Improved support for database accesses under XSRF permissions
Extended the list of personal information related keywords
Improved support for Indexed DB
Improved the support of window object tainted elements
Added support for Path traversal using the Hapi Library
Improved support of NodeJS web page outputs
Improved Mongoose, MongoDB, Sequelize and SQLite database support for NodeJS
Improved support on NodeJS for Open Redirect
Improved support for XPath Injection sanitization
Improved support for Client Resource Injection
Updated the list of JQuery deprecated APIs
Improved support for Remote File Inclusion
Improved support for use of iframes without sandbox
Improved support for Unsafe use of Target Blank
Deprecated query Client Header Manipulation
Improved sanitization support for Regex Denial of Service
Deprecated Client Reflected File Download
Improved programmatic sanitization methods support for Frameable Login Page
Improved support for Code Injection
Improved support for Command Injection
Deprecated query Insecure Direct Object References
Added support for Insecure Storage of Sensitive Data
Improved support for Log Forging
Improved Support for NoSQL Injection
Improved support for Path Traversal
Improved support for Privacy Violation
Deprecated query Security Misconfiguration
Improved support for SSL Verification Bypass
Improved support for Stored XSS
Improved support for Unprotected Cookie
Improved support for Use of Broken or Risky Cryptographic Algorithm
Improved support for Use of Hardcoded Password
Note
Version Upgrade
It is mandatory to install at least the same content pack number for newer versions while upgrading (e.g., v9.2.0 CP12 → v9.3.0 CP12).
This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.11017 (Apex)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This content pack introduces a new unified installer.
Notice
Installation order
This Content Pack requires 9.3.0 Hotfix 1 or higher previously installed on the CxSAST Environment (Manager and Engines).
This content pack uses the unified installer and it includes all the content packs published for version 9.3. It includes also new updates to:
Apex
Content
Support for Apex
9 new queries were added and 11 updated queries at High risk, Medium threat and Low visibility groups. These queries cover SQL & command injections, XSS and excessive information exposure issues.
Content Pack Version - CP.9.3.0.14029 (Cobol, Go)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Apex, JavaScript, C#, Cobol and Go.
The details about the Apex content included are available at Content Pack Version - CP.9.3.0.11017 (Apex).
The details about JavaScript under the OOTBAccuracy Project are available at Content Pack Version - CP.9.3.0.12021 (JavaScript).
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 3 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 12 and the following improvements:
Improved the support for the Go language:
Added 15 new queries and improved 13 existing queries
Improved support for SAP OpenUI and XSJS queries
3 queries were improved
Improved some queries on C# Language
2 Queries were improved
Improved support for one Cobol query
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.15031 (Java, Python)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java and Python.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 4 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 14 and the following improvements:
Added new Preset for SCA content.
Presets/SCA.xml
The above preset contains the following new queries for Java language:
The above preset contains the following new queries for Python language
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.18043 (JavaScript, CSharp)
Notice
The content of this Content Pack (CP.9.3.0.18043), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and JavaScript.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 16 and the following improvements:
CSharp
JavaScript
Non-ASCII characters removal
Besides the changes mentioned above, several queries in several languages (Apex, CPP, Groovy, Java, JavaScript and Scala) were improved to remove/replace all Non-ASCII characters that cause scans to fail in some installations (depending on collations and OS languages).
Presets Alignment
OWASP TOP 10 (2010, 2013 and 2017) presets aligned for all languages
Other presets (Error Handling, FISMA, HIPPA, JSSEC, PCI, SASN top 25, STIG and XSS and SQLi only) were aligned for all languages.
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. However, since v9.3.0 has no CP17, when upgrading from v9.2.0 CP17 it is necessary to upgrade to v9.3.0 CP18. This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.16034 (CSharp, VBNet)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and VBNet.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 4 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 15 and the following improvements:
CSharp
VBNet
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.19046 (CSharp, PLSQL)
Notice
The content of this Content Pack (CP.9.3.0.19046), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and PLSQL.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 18 and the following improvements:
CSharp
PLSQL
Presets and Categories Alignment
Preset and Categories for OWASP TOP 10 2021 were added and aligned for all languages
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP19 it is necessary to upgrade to v9.3.0 CP19. This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.20047 (Java)
Notice
The content of this Content Pack (CP.9.3.0.20047), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 19 and the following improvements:
Java
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.
Content Pack Version - CP.9.3.0.21048 (Java, Groovy)
Notice
The content of this Content Pack (CP.9.3.0.21048), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java, Groovy.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 20 and the following improvements:
Java, Groovy
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.