9.2.0 Enterprise Updates

New Features and Changes

Application


Installer

The Repair Mode option has been removed from the CxSAST Modification/Uninstallation wizard.

DBaaS

Support for Azure SQL: CxSAST now supports Azure IaaS deployment and connection to Azure SQL Managed Instances.

Engine


Languages/Frameworks

Generics

Added Generics support for cases where Generic is defined in the class, the base class type and in member methods.

.Net Core

This version introduces new and updated support for the latest versions of .NET Core (2.1 and 2.2) for C#.

The following queries have been added or updated:

  • Use_Of_Broken_Or_Risky_Cryptographic_Algorithm - Hash Passwords

  • Use_Of_Broken_Or_Risky_Cryptographic_Algorithm - Cryptography

  • Unsafe_Object_Binding

  • Reflected_XSS_All_Clients

  • Overly_Permissive_Cross_Origin_Resource_Sharing_Policy

  • Open_Redirect

  • Insecure_Cookie

  • Information_Exposure_Through_an_Error_Message

  • Heap_Inspection

  • Hardcoded_Cryptographic_Key

  • Find_XSRF_Sanitize

  • Find_HttpOnlyCookies

  • Find_HSTS_Configuration_In_Code

  • Find_Encrypt

  • Base64 Encode/Decode queries refactor

Languages/Frameworks

Java

This version introduces new and updated support for the latest versions of Java (10, 11 and 12).

Support for the following language features and related query updates has been added:

  • Add SHA-3 Support

  • Input | TIFF Image

  • Support Module System (JPMS)

  • Update Use_Of_Obsolete_Functions Query

  • Update Exception-related queries to support java.lang.SecurityManager Methods

  • Update Exception-related queries to support constructor of MBeanOperationInfo

  • Update Exception-related Queries

  • Support Optional.orElseThrow() in Relevant Queries

  • Support Local-Variable Type Inference (var) - Research and Initial Setup

  • Support Local-Variable Type Inference (var) - Populate inferred types on parsing stage

  • Support Local-Variable Type Inference (var) - Collect symbols using new grammar

  • Support Local-Variable Type Inference (var)

  • Support checkMemberAccess method in Relevant Queries

  • Update Direct_Use_of_Threads for Removal of Thread.destroy() and Thread.stop() Methods

  • Support Nest Based Access Control in Relevant Queries

  • Support Nest Based Access Control in Exposure_of_Resource_to_Wrong_Sphere

  • Support Local-Variable Syntax for Lambda Expressions

  • Support for the square character for the Japanese new era

  • Add URLClassLoader's constructor to Exception-related queries

  • Add Class.getAnnotation method to Exception-related queries

  • Support Unicode 11

  • Support the removal of finalize methods from:

    • ZipFile, Inflater and Deflater

    • FileInputStream and FileOutputStream

  • Support switch expressions

  • Support for Compact Number Formatting

  • Support Compact Number Formatting - Parse String to Number

Support for the following queries was added/updated:

  • Improper_Exception_Handling

  • Find_Commands_With_Exception

  • Uncaught_Exceptions

  • Use_of_Obsolete_Functions

  • Find_CORBA_Deprecated_Methods

  • Find_Java_Awt_Deprecated_Methods

  • Find_Java_IO_Deprecated_Methods

  • Find_Java_Lang_Deprecated_Methods

  • Find_Java_Net_Deprecated_Methods

  • Find_Java_Rmi_Deprecated_Methods

  • Find_Java_Security_Deprecated_Methods

  • Find_Java_Sql_Deprecated_Methods

  • Find_Java_Util_Deprecated_Methods

  • Find_Javax_Swing_Deprecated_Methods

Languages/Frameworks

Vue.JS

This version introduces new and updated support for the Vue.js framework.

Support for the following framework features has been added:

  • Vue.component() - Support Context Object

  • Vue instance - Support Context Object

  • Update CxOutputs to CxEscapedOutputs

  • Transform Templates in ViewDecl and View Call Dom Objects

  • Support X-Templates

  • Support Vue.js Single-File Components

  • Support Vue Router API in Queries

  • Support directive

  • Support tag <template>

  • Support Regular Markups

  • Support Inline Templates

  • Support Html files

  • Support filters

  • Support Context Objects Flattener

  • Support Context Objects

  • Support context computed Directive

  • Support components Invocation

  • Support components declaration

  • Support Associative Array scoped This

Support for the following queries was added:

  • Vue_DOM_XSS

Languages/Frameworks

SAPUI5 and Fiori apps

This version introduces new and updated support for SAPUI5 and Fiori.

  • Update XSS sinks

  • OData responses affect the custom control renderers and their connections

  • Sap XML Views - ToUpper() and LastAttribute invocation

  • Parse Fiori XML template views

  • Connect Control View Attributes to set methods in Control

  • Catch hardcoded links from SAP domains in all files

  • Catch ABAP system information exposed in the comments

  • Assignment to window.location is now considered by the Open Redirect and XSS queries

  • Add XHR Response as an input for Fiori apps

  • Add Input for event handling inputs

  • Add connections between getView().byId("ControlName") and the respective associative array of the Control

  • Add connections between a setProperty of a property of a model and the respective getProperty

Support for the following queries was added:

  • CSV_Injection

Languages/Frameworks

Kotlin support

This version introduces new and updated support for the latest Kotlin version.

The following language features have been added:

  • Coroutines

  • When Expression (Capturing when subject in a variable)

  • Unsigned integers

  • Smartcasts

The following CxSAST queries were added:

  • Find_Integers

CxSAST Type Inference Library:

  • Updated for Kotlin 1.3

Languages/Frameworks

Kotlin Server Side - Ktor support

The following language features have been added:

  • Parsing improvements to deal with Ktor-specific issues (kotlinx-html)

  • Improvements in type inference

  • Handling of Ktor routing to template outputs through FrameworkFactory

  • Creation of five new queries and identification of inputs/outputs/sanitizers for relevant queries

  • Support of templates (Mustache.js and kotlinx-html)

The following CxSAST Queries have been added:

  • Reflected_XSS

  • Stored_XSS

  • SQL_Injection

  • Code_Injection

  • Connection_String_Injection

Languages/Frameworks

Go language support

The following language features have been added:

  • The Go version supported by CxSAST is 1.8

  • Go language support was completely rewritten

  • Scan time improved by ~50%

  • The true-positive (TP) rate is also high; more details to follow

The following CxSAST queries have been added:

  • Open_Redirect

  • Missing_HttpOnly_Cookie

  • Missing_Secure_Cookie

  • Path_Traversal

  • SQL_Injection

  • Find_Members_By_Import (deprecated)
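
As an added example (not part of the Checkmarx release notes and not CxSAST's own code), the Go program below shows the two patterns that the Open_Redirect, Missing_HttpOnly_Cookie and Missing_Secure_Cookie queries target, next to a hardened handler. The handler names, the cookie value, the `next` parameter and the request URLs are constructed for illustration. Only the standard library is used, and the cookie deliberately omits the SameSite attribute, which needs Go 1.11 and is therefore beyond the Go 1.8 level listed above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableLogin is the pattern the three queries flag (constructed example):
// the session cookie is set without HttpOnly or Secure, and the user-supplied
// "next" parameter is passed straight to http.Redirect.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "s3ss10n-t0k3n", Path: "/"})
	http.Redirect(w, r, r.URL.Query().Get("next"), http.StatusFound)
}

// safeRedirectTarget accepts only a local, path-only target and returns "/"
// for anything else. Besides absolute URLs it rejects the protocol-relative
// "//host" form (url.Parse reports a Host for it) and the "/\host" form,
// which browsers normalise to "//host" even though url.Parse treats it as a path.
func safeRedirectTarget(raw string) (string, bool) {
	if raw == "" {
		return "/", true
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "/", false
	}
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") {
		return "/", false
	}
	if strings.ContainsAny(raw, "\\\r\n") {
		return "/", false
	}
	return raw, true
}

// hardenedLogin sets the cookie flags and redirects only to a validated local path.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    "s3ss10n-t0k3n",
		Path:     "/",
		HttpOnly: true, // not exposed to document.cookie
		Secure:   true, // only sent over HTTPS
	})
	target, _ := safeRedirectTarget(r.URL.Query().Get("next"))
	http.Redirect(w, r, target, http.StatusFound)
}

// probe runs a handler against a constructed request and returns the
// Location and Set-Cookie headers it produced.
func probe(h http.HandlerFunc, next string) (location, cookie string) {
	req := httptest.NewRequest("GET", "/login?next="+url.QueryEscape(next), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location"), rec.Header().Get("Set-Cookie")
}

func main() {
	for _, next := range []string{"/account", "//evil.example/", "https://evil.example/"} {
		loc, ck := probe(vulnerableLogin, next)
		fmt.Printf("vulnerable next=%q -> Location=%q  Set-Cookie=%q\n", next, loc, ck)
		loc, ck = probe(hardenedLogin, next)
		fmt.Printf("hardened   next=%q -> Location=%q  Set-Cookie=%q\n", next, loc, ck)
	}
}
```

Running it shows the vulnerable handler emitting `Location: //evil.example/` and `Location: https://evil.example/` with a cookie lacking both flags, while the hardened handler collapses every off-site target to `/` and adds `HttpOnly; Secure`. The string checks in safeRedirectTarget are deliberately kept alongside the url.Parse checks: the parser alone does not flag the backslash form, and relying on one layer is exactly the kind of gap an open-redirect query is meant to catch.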

Languages/Frameworks

Cobol support

The following language features have been added:

  • COBOL support is based on the ANSI85 dialect

  • It was extended to also support IBM Enterprise COBOL for z/OS up to version 6.2

  • Micro Focus and ILE COBOL have partial coverage only.

  • It supports three formats: Tandem, Variable and Fixed

The following CxSAST Queries have been added:

  • Command_Injection

  • Module_Injection

  • Reflected_XSS_All_Clients

  • Resource_Injection

  • Sql_Injection

  • Ignored_Error_Conditions

  • Path_Traversal

  • Information_Leak_Through_Comments

  • Use_Of_Hardcoded_Passwords

  • Possible_Module_Injection

Languages/Frameworks

Angular support

The following framework features have been added:

  • Angular support was fully rewritten in 9.2

  • Several features of Angular up to version 9 were included.

Features still missing for full Angular 9.0 support:

  • Router Directive – the RouterLinkWithHref attribute

  • Router Lifecycle events

  • Material UI - Select - (mat-select)

  • Router configs with Dynamic Imports

  • Angular Web Workers

  • Dependency Injection – the providedIn option

Languages/Frameworks

MyBatis support

MyBatis support has been rewritten using Framework Factory. The supported version is 3.5.3.

The following CxSAST Queries have been added:

  • Find_MyBatis_DB_In

  • Find_MyBatis_DB_Out

  • Find_MyBatis_Params_Sanitized

  • Find_MyBatis_Sanitize

  • Find_MyBatis_DB (deprecated)

Languages/Frameworks

React Native support

This version introduces new and updated support for React Native. The support includes some community packages:

  • React Navigation - provides the components used to navigate inside the application

  • AsyncStorage - an asynchronous, unencrypted, persistent, key-value storage system for React Native; sensitive data written to it is stored in clear text on the device.

The following new queries have been added:

  • Missing Root Or Jailbreak Check

  • Insecure Text Entry

  • Clipboard Information Leakage

  • Insufficient Transport Layer Security

  • Unencrypted Sensitive Data Storage

Languages/Frameworks

Currently, lambda expressions are processed by AbsInt (abstract interpretation) only if they are invoked somewhere in the scanned code. In some cases, however, lambda expressions should be processed even when their invocations are not explicit (for example, in partial scans).

To enable this, use the ABS_INT_LAMBDAS_IMPLICIT_INVOCATION parameter described in CxSAST Engine Configuration Parameters (v9.2.0 and up).

Vulnerability Descriptions

New and updated vulnerability descriptions

The descriptions provide more detailed guidance for code remediation. The list is available for download from 9.2.0 Vulnerability Queries.

Vulnerability Queries for Presets

The list of vulnerability queries according to presets is available for download from 9.2.0 Vulnerability Queries.

Vulnerability Queries

The list is available for download from 9.2.0 Vulnerability Queries.

CxQL API Guide

Updated according to changes and updates for version 9.0.0