- Checkmarx Documentation
- Checkmarx SAST
- SAST Release Notes
- Main Releases
- Previous Main Releases
- Release Notes for 9.3.0
- 9.3.0 Content Packs
9.3.0 Content Packs
In order to further optimize the accuracy of CxSAST scan results, Checkmarx introduced the Security Content packs.
Content packs are released regularly to provide added value to released versions in various ways:
Remediation focus: Increased 0ut-of-the box accuracy by reducing the False Positive (FP) findings, and increasing the True Positive (TP) ones.
API Security: APIs are the de facto communication mean for today’s applications, whether they spring from Microservices, Mobile, IoT, Cloud, Serverless or contexts alike. This content pack focusses on detecting vulnerabilities via specialized API security queries
Language enhancements: Many times a fix or an improvement for a language is provided via a hotfix (HF) or via query changes.
Content Packs are the way to deliver when these improvements are on queries.
Presets/Categories: Content packs allow updating or creating new presets and categories.
Descriptions: Content packs allow adding or updating query descriptions.
Content packs are cumulative and include previous content pack updates for the same language. |
Compatibility and Versioning
Content packs are released for CxSAST product versions, which are already generally available and widely used. Content pack data is compatible with a specific CxSAST product version. Because of this, it uses the CxSAST product version that it is compatible with (3 numbers), and is suffixed by the internal build number (4th number). The compatibility dependency exists due to CxQL and other internal versions. The content of the various content packs is included with the next GA release of CxSAST.
|
Delivery Mechanism
All Content packs are cumulative for a language, i.e., Content Pack 9.3.0.x for Java is similar to installing all content packs of 9.3.0 prior to 9.3.0.x for Java, by the order of their release. The Content Packs Installer checks the installed version and content pack version of CxSAST and allows for installation if the CxSAST version and the installed content pack are compatible.
Installation
The content pack is installed on the CxManager stations, unless otherwise indicated. In a distributed environment, the content pack does not need to be installed on engine stations, just on the CxManager station, which has access to the database. Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.
The installer can also be executed in CLI (silent) mode, similarly to hotfix installations.
Content
Each content pack includes improvements to queries and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.
Detailed content descriptions can be found on the pages listed below:
Content Pack Version - CP.9.3.0.12021 (JavaScript)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This content pack introduces a new unified installer and it includes all the content packs published for version 9.3.0. It includes updates to Apex and JavaScript.
The details about the Apex content included are available at Content Pack 9.3.0.11017 (Apex) release notes.
Notice
Installation order
This is a cumulative content pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other content packs.
This Content Pack requires 9.3.0 Hotfix 3 or higher previously installed on the CxSAST Environment (Manager and Engines).
To take full advantage of improvements of this Content Pack, use the following presets:
Checkmarx Express - for OOTB Accuracy
OWASP Top 10 API - for queries on Java for API Security
This Content Pack (CP) includes the following improvements for reducing the amount of false positive results in JavaScript:
At High Risk queries the accuracy for the Checkmarx Express preset is improved by 350%
At Medium Threat queries the accuracy for the Checkmarx Express preset is improved by 15%
It includes all the changes provided by Content Pack 9 and the following improvements focusing on JavaScript queries:
Improved sanitization for XSS and cryptography on browser and NodeJS
Improved sanitization for AngularJS Filters
Improved support for logging with Node-Bunyan, Winston and PynoHTTP libraries
Improved the list of cdn trustable domains for hardcoded domain
Improved support for CryptoJs and CryptoTS cryptographic libraries
Added support for HmacRIPEMD160 cryptographic algorithm
Improved support for Kony SQLite
Improved support for database accesses under XSRF permissions
Extended the list of personal information related keywords
Improved support for Indexed DB
Improved the support of window object tainted elements
Added support for Path traversal using the Hapi Library
Improved support of NodeJS web page outputs
Improved Mongoose, MongoDB, Sequelize and SQLite database support for NodeJS
Improved support on NodeJS for Open Redirect
Improved support for XPath Injection sanitization
Improved support for Client Resource Injection
Updated the list of JQuery deprecated APIs
Improved support for Remote File Inclusion
Improved support for use of iframes without sandbox
Improved support for Unsafe use of Target Blank
Deprecated query Client Header Manipulation
Improved sanitization support for Regex Denial of Service
Deprecated Client Reflected File Download
Improved programmatic sanitization methods support for Frameable Login Page
Improved support for Code Injection
Improved support for Command Injection
Deprecated query Insecure Direct Object References
Added support for Insecure Storage of Sensitive Data
Improved support for Log Forging
Improved Support for NoSQL Injection
Improved support for Path Traversal
Improved support for Privacy Violation
Deprecated query Security Misconfiguration
Improved support for SSL Verification Bypass
Improved support for Stored XSS
Improved support for Unprotected Cookie
Improved support for Use of Broken or Risky Cryptographic Algorithm
Improved support for Use of Hardcoded Password
Note
Version Upgrade
It is mandatory to install at least the same content pack number for newer versions while upgrading (e.g., v9.2.0 CP12 → v9.3.0 CP12).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for JavaScript.
Can this Content Pack be installed on top of other Content Packs?
Yes, this content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All content packs are cumulative, meaning that it can be installed only one, or all.
Can this Content Pack be installed over other content packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 11 ?
Yes. But there is no need to install other Content Packs. This content pack includes all the previous.
Can this Content Pack be installed in further versions, like CxSAST 8.9?
No. Version 8.9 will not have a content Pack 12 available. Versions 9.0 and 9.2 have a dedicated content pack.
Does this Content Pack depend on any HotFix?
No, There is no requirements on hotfixes to install this content pack.
What formula is used to calculate the accuracy?
TP/(TP + FP)
Content Pack Version - CP.9.3.0.11017 (Apex)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This content pack introduces a new unified installer.
Notice
Installation order
This Content Pack requires 9.3.0 Hotfix 1 or higher previously installed on the CxSAST Environment (Manager and Engines).
This content pack uses the unified installer and it includes all the content packs published for version 9.3. It includes also new updates to:
Apex
Content
Support for Apex
9 new queries were added and 11 updated queries at High risk, Medium threat and Low visibility groups. These queries cover SQL & command injections, XSS and excessive information exposure issues.
Improved the following queries:
Reflected_XSS
Stored_XSS
SOQL_SOSL_Injection
Second_Order_SOQL_SOSL_Injection
CRUD_Delete
FLS_Create
FLS_Create_Partial
FLS_Update
FLS_Update_Partial
Hardcoding_Of_Trigger_New
Hardcoding_Of_Trigger_Old
Hardcoded_Password
Added the following queries:
Hardcoded_Messages
Dangerous_Methods
Insecure_Cookie
Insecure_Endpoint
Test_Assert_Without_Message
Unused_Variable
Use_of_Hard_Coded_Cryptographic_Key
FLS_Read
Content Pack Version - CP.9.3.0.14029 (Cobol, Go)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Apex, JavaScript, C#, Cobol and Go.
The details about the Apex content included are available at Content Pack Version - CP.9.3.0.11017 (Apex).
The details about JavaScript under the OOTBAccuracy Project are available at Content Pack Version - CP.9.3.0.12021 (JavaScript).
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 3 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 12 and the following improvements:
Improved the support for the Go language:
Added 15 new queries and improved 13 existing queries
Added the following queries:
Password_Privacy_Violation_List
JWT_No_Signature_Verification
Second_Order_SQL_Injection
Empty_Password_In_Connection_String
Log_Forging
Plain_Text_Transport_Layer_in_Server
Use_Of_Broken_Or_Risky_Cryptographic_Algorithm
Use_Of_Unsafe_Package
Cleartext_Transmission_Of_Sensitive_Information
Email_Content_Forgery
Privacy_Violation
Race_Condition_Concurrent_Instances
SSL_Verification_Bypass
Use_of_Cryptographically_Weak_PRNG
Use_of_Weak_RSA_Keys
Improved the following queries:
CGI_XSS
Command_Injection
Stored_XSS_All_Clients
Insecure_Credential_Storage_Mechanism
Insecure_Scrypt_Parameters
Insufficient_Output_Length
Scrypt_Weak_Salt_Value
Improper_Error_Handling
Race_Condition_In_Cross_Functionality
Use_of_Hardcoded_Password
Denial_Of_Service_Resource_Exhaustion
Hardcoded_Password_in_Connection_String
Path_Traversal
Improved support for SAP OpenUI and XSJS queries
3 queries were improved
Improved the following queries:
SAPUI5_Hardcoded_UserId_In_Comments
SAPUI5_Use_Of_Hardcoded_URL
XS_Use_Of_Hardcoded_URL
Improved some queries on C# Language
2 Queries were improved
Improved the following:
XSS queries improved support for .cshtml files
Improvements for Use of Insufficiently Random Values
Improved support for one Cobol query
Improved the following query:
Information_Leak_Through_Comments
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Cobol and Go.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 14 ?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. Version 9.0 will not have a Content Pack 14 available. Version 9.2 has a dedicated Content Pack.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 3 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.15031 (Java, Python)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java and Python.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 4 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 14 and the following improvements:
Added new Preset for SCA content.
Presets/SCA.xml
The above preset contains the following new queries for Java language:
Added the following queries:
Java_Exploitable_Path/Java_Find_Imports
Java_Exploitable_Path/Java_Find_Methods
The above preset contains the following new queries for Python language
Added the following queries:
Python_Exploitable_Path/Python_Find_Imports
Python_Exploitable_Path/Python_Find_Methods
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Java and Python.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 14?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. Version 9.0 will not have a Content Pack 14 available. Version 9.2 has a dedicated Content Pack.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 4 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.18043 (JavaScript, CSharp)
Notice
The content of this Content Pack (CP.9.3.0.18043), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and JavaScript.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 16 and the following improvements:
CSharp
Medium/Use_of_Hard_coded_Cryptographic_Key - The query now looks for
CreateEncryptormethods from AES, DES, RC2, Rijndael or TripleDES service providers; supports byte arrays and new sanitizers.CSharp/CSharp_Low_Visibility/Heap_Inspection - The query now assumes cases like
var pass = x.ToString()are possible Heap Inspection attacks. The query infers that the value is of type string and does not discard the case. Previously it discarded such cases.Low/Heap_Inspection - Improved the way the query looks up for arrays of chars:
char[]
JavaScript
Medium/Client_Privacy_Violation - The query was updated to improve Angular
ctxoutputs.High/Client_DOM_XSS - Query (sub-queries) was updated to consider extra SAPUI inputs and outputs. Examples of new Inputs:,
getModelas inthis.getOwnerComponent().getModel(...);oControlas inenderer : function(oRm, oControl) { ... }and its references. Examples of new Outputs:setContentmethods as inthis.getView().byId(...).setContent(...).
Non-ASCII characters removal
Besides the changes mentioned above, several queries in several languages (Apex, CPP, Groovy, Java, JavaScript and Scala) were improved to remove/replace all Non-ASCII characters that cause scans to fail in some installations (depending on collations and OS languages).
Presets Alignment
OWASP TOP 10 (2010, 2013 and 2017) presets aligned for all languages
Other presets (Error Handling, FISMA, HIPPA, JSSEC, PCI, SASN top 25, STIG and XSS and SQLi only) were aligned for all languages.
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. However, since v9.3.0 has no CP17, when upgrading from v9.2.0 CP17 it is necessary to upgrade to v9.3.0 CP18. This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for CSharp and JavaScript, mainly.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 16?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 15 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.16034 (CSharp, VBNet)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and VBNet.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 4 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 15 and the following improvements:
CSharp
CSharp_General/Find_Integers - The query now uses an allowlist to search for C# methods that contain the word "Count" and which actually return integers. Previously it matched any name containing the word "Count".
CSharp/CSharp_Low_Visibility/Heap_Inspection - The query now assumes cases like
var pass = x.ToString()are possible Heap Inspection attacks. The query infers that the value is of type string and does not discard the case. Previously it discarded such cases.
VBNet
VbNet/VbNet_High_Risk/Reflected_XSS_All_Clients - The query now disregards outputs in the context of conditions and considers all other outputs. Previously it only considered outputs that appeared in the LHS of assignments.
Note
Version Upgrade
It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).
This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides improvements for CSharp and VBNet.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 15?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 4 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.19046 (CSharp, PLSQL)
Notice
The content of this Content Pack (CP.9.3.0.19046), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and PLSQL.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 18 and the following improvements:
CSharp
Low/Improper_Exception_Handling - Overriding this query caused unexpected exceptions because the query relied on parameters. It was fixed by adding an extra layer that removes the parameters.
PLSQL
Low/Default_Definer_Rights_in_Method_Definition - The query was improved by discarding results that appear inside safe methods. This improves the general accuracy of the query.
Presets and Categories Alignment
Preset and Categories for OWASP TOP 10 2021 were added and aligned for all languages
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP19 it is necessary to upgrade to v9.3.0 CP19. This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack provides bug fixing for CSharp and PLSQL and the introduction of OWASP Top 10 2021 preset and categories, aligned for all the languages.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 18?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 15 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.20047 (Java)
Notice
The content of this Content Pack (CP.9.3.0.20047), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 19 and the following improvements:
Java
Best_Coding_Practice/Unsafe_Bidi_Unicode_Data - This new query finds Bidi characters in the Java source code, as a way of exposing the Trojan Source vulnerability.
Best_Coding_Practice/Unsafe_Homoglyphs_Unicode_Data - This new query finds unsafe homoglyph characters in the Java source code. This query handles another part of the Trojan Source vulnerability.
Note: Common queries were added that could serve as a basis for defining the same queries in other languages.
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack adds new queries in Java, to handle the Trojan Source vulnerability.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 19?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 15 previously installed on the environment (manager and engines).
Content Pack Version - CP.9.3.0.21048 (Java, Groovy)
Notice
The content of this Content Pack (CP.9.3.0.21048), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.
As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.
This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to Java, Groovy.
Notice
Installation order
This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).
It includes all the changes provided by Content Pack 20 and the following improvements:
Java, Groovy
Best_Coding_Practice/Usage_of_Vulnerable_Log4J - This new query finds usage of Log4J dependencies, as a way of exposing Apache Log4J Remote Execution.
Note: Common queries were added that could serve as a basis for defining the same queries in other languages.
Note
Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.
Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.
Which languages were targeted in this Content Pack?
This Content Pack adds new queries in Java and Groovy to handle the Log4J vulnerability.
Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.
Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.
Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.
Is there any order of installation between this Content Pack and Content Pack 20?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.
Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.
Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 15 previously installed on the environment (manager and engines).