Skip to main content

9.2.0 Content Packs

In order to further optimize the accuracy of CxSAST scan results, Checkmarx introduced the Security Content packs.

Content packs are released regularly to provide added value to released versions in various ways:

  • Remediation focus: Increased 0ut-of-the box accuracy by reducing the False Positive (FP) findings, and increasing the True Positive (TP) ones.

  • API Security: APIs are the de facto communication mean for today’s applications, whether they spring from Microservices, Mobile, IoT, Cloud, Serverless or contexts alike. This content pack focusses on detecting vulnerabilities via specialized API security queries

  • Language enhancements: Many times a fix or an improvement for a language is provided via a hotfix (HF) or via query changes.

    Content Packs are the way to deliver when these improvements are on queries.

  • Presets/Categories: Content packs allow updating or creating new presets and categories.

  • Descriptions: Content packs allow adding or updating query descriptions.

Content packs are cumulative and include previous content pack updates for the same language.

Compatibility and Versioning

Content packs are released for CxSAST product versions, which are already generally available and widely used. Content pack data is compatible with a specific CxSAST product version. Because of this, it uses the CxSAST product version that it is compatible with (3 numbers), and is suffixed by the internal build number (4th number). The compatibility dependency exists due to CxQL and other internal versions. The content of the various content packs is included with the next GA release of CxSAST.

  • In order to see which Content Pack version is installed on your server(s), navigate to Management > Application Settings > Installation Information > Checkmarx Queries Pack from within the CxSAST portal.

  • In the scan logs it can be checked on the configuration flags with the name CHECKMARX_QUERIES_PACK=<version>.

Delivery Mechanism

All Content packs are cumulative for a language, i.e., Content Pack 9.2.0.x for Java is similar to installing all content packs of 9.2.0 prior to 9.2.0.x for Java, by the order of their release. The Content Packs Installer checks the installed version and content pack version of CxSAST and allows for installation if the CxSAST version and the installed content pack are compatible.

Installation

The content pack is installed on the CxManager stations, unless otherwise indicated. In a distributed environment, the content pack does not need to be installed on engine stations, just on the CxManager station, which has access to the database. Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.

The installer can also be executed in CLI (silent) mode, similarly to hotfix installations.

Content

Each content pack includes improvements to queries and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.

Detailed content descriptions can be found on the pages listed below:

Version:

Content Pack 9.2: Uninstaller

The Content pack uninstaller provides an easy way to uninstall the content installed by the content pack.

It is provided through a dedicated package able run under the CxSAST installed environment machine and provides and easy way to restore the system to the original GA state.

The uninstaller provides the same command line argument option for installation to perform command line exclusive installations.

It does not need any prerequisites further than the correct CxSAST version and can be executed after any content pack installation.

The uninstaller does not affect the existing performed scans neither the customizations applied on the system environment.

Content Pack Version - CP.9.2.0.9017 (C#)

Each Ruleset Content Pack includes improvements to queries, and optionally to presets. Technically, these changes are delivered through database upgrade scripts which affect relevant tables.

This content pack uses the unified installer and includes updates to Java, C#.

  • New API Security and Checkmarx Express presets in Java

    • It includes two new presets (OWASP TOP 10 API and Checkmarx Express).

  • Adds OWASP TOP 10 API category support for API Security in Java

    • It includes the queries mapping for the OWASP TOP 10 API.

  • Improvements for reducing the amount of false positive findings in C#

    • Some new improvements were introduced for high risk and medium threat queries. They are detailed in the next section.

Notice

This CP includes OOTB Accuracy content, Checkmarx Express preset should be used in order to take full advantage of improvements done by this project.

It also includes API Security content. OWASP Top 10 API preset should be used in order to take full advantage of the content pack queries on Java for API Security.

As in any CxSAST product release, the Content Pack also resets the Checkmarx built in presets to its default queries set.

Note

Installation order

This is a cumulative content pack, it can be installed over any of the version 9.2 content packs and does not require other content packs.

This Content Pack (CP) includes improvements for reducing the amount of false positive results in C#.

  • At High Risk queries the accuracy on Checkmarx Express Preset is improved by 98%

  • At Medium Threat queries the accuracy on Checkmarx Express preset is improved by 33%

Notice

The formula for the accuracy is calculated based on the following: TP/(TP + FP)

The following improvements were also made for C# queries:

  • Improve sinks on Code Injection with script and async APIs

  • Improve Connection String Injection sanitizers to remove static strings

  • Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders

  • Improve Resource Injection sanitizers to consider string sanitization methods, encodings and allowlist validation

  • Improve Stored XSS sanitizers

  • Improve XPath Injection and Stored XPath Injection sanitizers

  • Improve Stored Code Injection sanitizers with Compiler Options Output Assembly

  • Improve DB Parameter Tampering sanitizers with authorization validations

  • Improve DOS By Sleep sanitizers when using properly configured SpinWait and ThreadSleep APIs

  • Improve Hardcoded Password in connection string inputs when using variables containing static strings

  • Improve Heap Inspection to avoid bad results on page views controls

  • Improve SQL Injection Evasion Attack sanitizers extending with more decoding APIs

  • Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves

  • Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe

  • Improve Missing HSTS Header to support further time span APIs when using bad configuration

  • Improve ASP MVC controller support

  • Improve ASP MVC/Razor XSRF token support

  • Improve general sanitization when using allowlist mappings and numeric APIs

  • Improve Entity Framework APIs support

  • Improve Database support for async APIs

  • Improve Database LINQ supported APIs

  • Improve Salesforce Database supported APIs

  • Improve support for Safe hashing algorithms

  • Improve Deserialization of untrusted data

  • Rewrite Unsafe Object Binding with improved sources and sinks

  • Improved support for MVC and json on Reflected_XSS sinks

  • Improved outputs for LDAP_Injection

  • Improved Resource_Injection sanitizers and extended support for AbsInt

  • Improved CGI_XSS sanitizers when using web applications

  • Rewritten Heap_Inspection support for properties and stack memory allocated elements

  • Improved support for sources of HttpOnlyCookies

  • Improved Improper_Restriction_of_XXE_Ref to support improved .NET sanitization

  • Improved MVC_View_Injection to take advantage of AbsInt

  • Improved support for MVC annotations on No_Request_Validation

  • Improved filesystem access support for Path_Traversal

  • Improved Privacy_Violation sink support

  • Improved support on Session_Fixation for session creation pages

  • Improved Stored_LDAP_Injection sink support

  • Extended support on Use_of_Cryptographically_Weak_PRNG for random number generation and assurance of cryptographic use

  • Improved detection of .net core on Check_HSTS_Configuration

  • Extended heuristic for finding passwords

  • Improved support for decryption code when checking raw text passwords

  • Improved Log_Forging sanitizers and sinks

  • Rewritten the Open_Redirect query

  • Improved Use_Of_Broken_Or_Risky_Cryptographic_Algorithm to support more crypto algorithms

  • Improved sanitizers on Use_Of_Hardcoded_Password

  • Added query Use_of_Insufficiently_Random_Values

  • Improved Log_Forging sanitizers

  • Rewritten the Open_Redirect query

  • Improved Use_Of_Broken_Or_Risky_Cryptographic_Algorithm to support more crypto algorithms

  • Improved sanitizers on Use_Of_Hardcoded_Password

  • Added query Use_of_Insufficiently_Random_Values

  • Applied best coding practices on the queries

Note

Version Upgrade

This content pack improvements are included in the CxSAST version 9.3. There is no need to install further Content Packs after upgrading.

Content Pack Version - CP.9.2.0.12028 (JavaScript)

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect relevant tables.

This content pack introduces a new unified installer and it includes all the content packs published for version 9.2. It includes updates to Java, C# and JavaScript.

  • Improvements for reducing the amount of false positive findings in C#, OWASP TOP 10 API support in Java.

  • Improvements for reducing the amount of false positive findings in JavaScript.

    • The changes provided can be found in the next section.

  • Improvements for other JavaScript issues.

    • Improved the Client_DOM_XSS when using inputs coming from window.location.search.

    • Improved support forDatabase accesses through MSSql on NodeJS

Notice

This CP includes OOTB Accuracy content, Checkmarx Express preset should be used in order to take full advantage of improvements done by this project.

It also includes API Security content. OWASP Top 10 API preset should be used in order to take full advantage of the content pack queries on Java for API Security.

As in any CxSAST product release, the Content Pack also resets the Checkmarx built in presets to its default queries set.

Notice

Installation order

This is a cumulative content pack, it can be installed over any of the version 9.2 content packs and does not require other content packs.

This Content Pack (CP) includes improvements for reducing the amount of false positive results in JavaScript.

  • At High Risk queries the accuracy on Checkmarx Express Preset is improved by 350%

  • At Medium Threat queries the accuracy on Checkmarx Express preset is improved by 15%

It were included all the changes provided for content pack 9 and improvements focusing JavaScript queries.

The following improvements were made for JavaScript queries:

  • Improved sanitization for XSS and cryptography on browser and NodeJS

  • Improved sanitization for AngularJS Filters

  • Improved support for logging with Node-Bunyan, Winston and PynoHTTP libraries

  • Improved the list of cdn trustable domains for hardcoded domain

  • Improved support for CryptoJs and CryptoTS cryptographic libraries

  • Added support for HmacRIPEMD160 cryptographic algorithm

  • Improved support for Kony SQLite

  • Improved support for database accesses under XSRF permissions

  • Extended the list of personal information related keywords

  • Improved support for Indexed DB

  • Improved the support of window object tainted elements

  • Added support for Path traversal using the Hapi Library

  • Improved support of NodeJS web page outputs

  • Improved Mongoose, MongoDB, Sequelize and SQLite database support for NodeJS

  • Improved support on NodeJS for Open Redirect

  • Improved support for XPath Injection sanitization

  • Improved support for Client Resource Injection

  • Updated the list of JQuery deprecated APIs

  • Improved support for Remote File Inclusion

  • Improved support for use of iframes without sandbox

  • Improved support for Unsafe use of Target Blank

  • Deprecated query Client Header Manipulation

  • Improved sanitization support for Regex Denial of Service

  • Deprecated Client Reflected File Download

  • Improved programmatic sanitization methods support for Frameable Login Page

  • Improved support for Code Injection

  • Improved support for Command Injection

  • Deprecated query Insecure Direct Object References

  • Added support for Insecure Storage of Sensitive Data

  • Improved support for Log Forging

  • Improved Support for NoSQL Injection

  • Improved support for Path Traversal

  • Improved support for Privacy Violation

  • Deprecated query Security Misconfiguration

  • Improved support for SSL Verification Bypass

  • Improved support for Stored XSS

  • Improved support for Unprotected Cookie

  • Improved support for Use of Broken or Risky Cryptographic Algorithm

  • Improved support for Use of Hardcoded Password

Note

Version Upgrade

It is mandatory to install the same content pack number for newer versions while upgrading (e.g., v9.0 CP12 → v9.2 CP12).

This step will ensure the accuracy of the obtained results is maintained while upgrading.

Content Pack Version - CP.9.2.0.13031 (Java)

Each content pack (CP) for the API Security contains a new or refactored set of Queries targeting API-related vulnerabilities. It aims at reducing the number of FN results in API Projects while keeping the general accuracy of the queries.

This content pack uses the unified installer and includes all previous content packs published for version 9.2. It includes updates for Java, C# and JavaScript.

  • Improvements for reducing the amount of false positive findings in C#, OWASP TOP 10 API support in Java.

    • The changes provided can be found in the next section.

Notice

  • This content pack includes OOTB Accuracy content. Checkmarx Express presets should be used to take full advantage of improvements performed by this project.

  • It includes API Security content. OWASP Top 10 API presets should be used to take full advantage of the content pack queries on Java for API Security.

  • As in any CxSAST product release, the content pack also resets the Checkmarx built-in presets to their default query set.

Notice

Installation order

This is a cumulative content pack, it can be installed over any of the previous version 9.2 content packs and does not require other content packs.

Dependencies

HotFix 7 is required for this content pack.

This content pack includes improvements in the OWASP TOP 10 API queries.

API Security Content

The following improvements have been made for Java queries (even though not all are related to the API Security Preset):

  • Java_High_Risk.Reflected_XSS_All_Clients

    Updated to remove FP results that appear on API code.

  • Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm

    Updated to find results associated with weak types like RC2, RC4, ARCFOUR or Blowfish.

  • Java_Medium_Threat.Excessive_Data_Exposure

    Updated to take annotations like @JsonIgnore, @JsonIgnorePorperties, @JsonFilter, @JsonIgnoreType into account to ignore sensitive data and to disregard hardcoded DTO classes.

  • Java_Medium_Threat.JWT_No_Signature_Verification

    Improved query to consider returns that are influenced by inputs in resolveSignginKeyBytes methods.

  • Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters

    Improved performance only.

  • Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters

    Improved performance only.

API1 - Broken Object Level Authorization

NEW Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization

NEW Java_Low_Visbility.Unrestricted_Read_S3

API2 - Broken Authentication

NEW Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret

NEW Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password

NEW Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters

NEW Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters

NEW Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters

NEW Java_Medium_Threat.Spring_Argon2_Insecure_Parameters

NEW Java_Medium_Threat.Spring_Comparison_Timing_Attack

NEW Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive

API3 - Excessive Data Exposure

NEW Java_Medium_Threat.Excessive_Data_Exposure

API4 - Lack of Resources and Rate Limiting

No Updates

API5 - Broken Function Level Authentication

NEW Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization

API6 - Mass Assignment

No Updates

API7 - Security Misconfiguration

NEW Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy

NEW Java_Medium_Threat.Spring_Missing_HSTS_Header

NEW Java_Low_Visibility.Spring_Missing_X_Content_Type_Options

NEW Java_Low_Visibility.Spring_Missing_XSS_Protection_Header

NEW Java_Low_Visibility.Spring_Missing_X_Frame_Options

NEW Java_Low_Visibility.Spring_Missing_Content_Security_Policy

NEW Java_Low_Visibility.Spring_Permissive_Content_Security_Policy

NEW Java_Low_Visibility.Spring_Missing_Expect_CT_Header

API8 - Injection

Java_High_Risk.Xpath_Injection

API9 - Improper Assets Management

No Updates

API10 - Insufficient Logging and Monitoring

No Updates

Note

Version Upgrade

These content pack improvements are included with CxSAST version 9.3. You don’t have to install additional content packs after upgrading.

Content Pack Version - CP.9.2.0.14051 (Cobol)

Each Ruleset Content Pack includes improvements to queries, and, optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This content pack uses unified installer and it includes all the content packs published for version 9.2.0. It includes updates to JavaScript, C#, Java and Cobol.

The details about JavaScript under the OOTBAccuracy Project are available at Content Pack Version - CP.9.3.0.12021 (JavaScript).

The details about the Content Pack for Java under the API Security project are available at Content Pack Version - CP.9.2.0.13031 (Java).

Notice

Installation order

  • This is a cumulative content pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other content packs.

  • Improved the support for Cobol language:

  • Improved support for SAP OpenUI and XSJS queries

    • 3 queries were improved

  • Improved some queries on Java Language

    • 1 Query was improved

Note

Version Upgrade

It is mandatory to install at least the same content pack number for newer versions while upgrading (e.g., v9.2.0 CP14 → v9.3.0 CP14).

This step ensures the accuracy of the results is maintained while upgrading.

Content Pack Version - CP.9.2.0.15052 (Java, Python)

Each Ruleset Content Pack includes improvements to queries, and optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java and Python.

Notice

Installation order

  • This is a cumulative Content Pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.

  • This Content Pack requires 9.2.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 14 and the following improvements:

  • Added new Preset for SCA content.

    • Presets/SCA.xml

  • The above preset contains the following new queries for Java language:

  • The above preset contains the following new queries for Python language

Note

Version Upgrade

It is mandatory to install at least the same Content Pack number for newer versions while upgrading (e.g., v9.2.0 CP15 → v9.3.0 CP15).

This step ensures the accuracy of the results is maintained while upgrading.

Content Pack Version - CP.9.2.0.17055 (JavaScript)

Each Ruleset Content Pack includes improvements to queries, and optionally, also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to JavaScript.

Notice

Installation order

  • This is a cumulative Content Pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.

  • This Content Pack requires 9.2.0 Hotfix 19 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 15 and the following improvements:

  • in JavaScript language:

Note

Version Upgrade

It is mandatory to install at least the same Content Pack number for newer versions while upgrading.

This step ensures the accuracy of the results is maintained while upgrading.

Content Pack Version - CP.9.2.0.19056 (PLSQL)

Notice

The content of this Content Pack (CP.9.2.0.19056), will be available for CxSAST version 9.3.0 CP19 and for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to PLSQL.

Notice

Installation order

  • This is a cumulative Content Pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.

  • This Content Pack requires 9.2.0 Hotfix 19 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 17 and the following improvements:

  • PLSQL

  • Presets and Categories Alignment

    • Preset and Categories for OWASP TOP 10 2021 were added and aligned for all languages

Note

Version Upgrade

It is mandatory to install at least the same Content Pack number for newer versions while upgrading.

This step ensures the accuracy of the results is maintained while upgrading.

Content Pack Version - CP.9.2.0.20057 (Java)

Notice

The content of this Content Pack (CP.9.2.0.20057), will be available for CP.9.3.0.20047 and CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java.

Notice

Installation order

  • This is a cumulative Content Pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.

  • This Content Pack requires 9.2.0 Hotfix 20 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 19 and the following improvements:

  • Java

Note

Version Upgrade

It is mandatory to install at least the same Content Pack number for newer versions while upgrading.

This step ensures the accuracy of the results is maintained while upgrading.

Content Pack Version - CP.9.2.0.21058 (Java, Groovy)

Notice

The content of this Content Pack (CP.9.2.0.21058), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.3.

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.2.0. It includes updates to Java, Groovy.

Notice

Installation order

  • This is a cumulative Content Pack, it can be installed over any of the version 9.2.0 Content Packs and does not require other Content Packs.

  • This Content Pack requires 9.2.0 Hotfix 20 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 20 and the following improvements:

  • Java, Groovy

Note

Version Upgrade

In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. For instance, when upgrading from v9.2.0 CP20 it is necessary to upgrade to v9.3.0 CP20. This step ensures the accuracy of the results is maintained while upgrading.