9.3.0 Content Packs

In order to further optimize the accuracy of CxSAST scan results, Checkmarx introduced the Security Content packs.

Content packs are released regularly to provide added value to released versions in various ways:

  • Remediation focus: Increased out-of-the-box accuracy by reducing False Positive (FP) findings and increasing True Positive (TP) ones.

  • API Security: APIs are the de facto communication means for today's applications, whether they spring from Microservices, Mobile, IoT, Cloud, Serverless or similar contexts. This content pack focuses on detecting vulnerabilities via specialized API security queries.

  • Language enhancements: Often a fix or an improvement for a language is delivered via a hotfix (HF) or via query changes.

    When the improvement lies in the queries, Content Packs are the delivery vehicle.

  • Presets/Categories: Content packs allow updating or creating new presets and categories.

  • Descriptions: Content packs allow adding or updating query descriptions.

Content packs are cumulative and include previous content pack updates for the same language.

Compatibility and Versioning

Content packs are released for CxSAST product versions that are already generally available and widely used. Content pack data is compatible with one specific CxSAST product version. For this reason, a content pack is versioned with the CxSAST product version it is compatible with (three numbers), suffixed by the internal build number (fourth number). The compatibility dependency exists because of CxQL and other internal versions. The content of the various content packs is included in the next GA release of CxSAST.

  • In order to see which Content Pack version is installed on your server(s), navigate to Management > Application Settings > Installation Information > Checkmarx Queries Pack from within the CxSAST portal.

  • In the scan logs, the installed version appears among the configuration flags as CHECKMARX_QUERIES_PACK=<version>.

Delivery Mechanism

All Content packs are cumulative for a language, i.e., installing Content Pack 9.3.0.x for Java is similar to installing all 9.3.0 content packs for Java released prior to 9.3.0.x, in the order of their release. The Content Packs Installer checks the installed CxSAST version and the content pack version, and allows installation only if the two are compatible.
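The versioning rule above (three product numbers plus a build number), the CHECKMARX_QUERIES_PACK=<version> flag in the scan logs, and the installer's compatibility check can be turned into a small audit script for a fleet of CxManager servers. The following is an added example written for this page, not Checkmarx's own tooling: it assumes the scan-log line layout shown in the constructed sample (only the flag name comes from the documentation) and that a pack is "current" when its build number is at least the one you expect.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed excerpt of a CxSAST scan log. Only the flag name
# CHECKMARX_QUERIES_PACK=<version> is taken from the documentation; the
# timestamp/level prefix is an assumption for the sake of the example.
SAMPLE_SCAN_LOG = """\
2024-01-01 10:00:00 [INFO] Engine configuration flags:
2024-01-01 10:00:00 [INFO]   CHECKMARX_QUERIES_PACK=9.3.0.1234
2024-01-01 10:00:01 [INFO] Scan started
"""

# Content pack version: <major>.<minor>.<patch>.<build>
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")
FLAG_RE = re.compile(r"CHECKMARX_QUERIES_PACK=(\S+)")


class PackVersion(NamedTuple):
    product: Tuple[int, int, int]  # CxSAST version the pack is compatible with
    build: int                     # internal build number of the pack


def parse_pack_version(text: str) -> PackVersion:
    """Split '9.3.0.1234' into the compatible product version and the build."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a content pack version: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return PackVersion((major, minor, patch), build)


def installed_pack_from_log(log_text: str) -> Optional[str]:
    """Return the version from the first CHECKMARX_QUERIES_PACK flag, or None."""
    for line in log_text.splitlines():
        m = FLAG_RE.search(line)
        if m:
            return m.group(1)
    return None


def is_compatible(pack: PackVersion, cxsast_version: str) -> bool:
    """A pack is compatible only with the exact three-number CxSAST version."""
    parts = tuple(int(p) for p in cxsast_version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"CxSAST version must have three numbers: {cxsast_version!r}")
    return pack.product == parts


def is_current(installed: PackVersion, expected: PackVersion) -> bool:
    """Packs are cumulative within a product line: a higher build supersedes a lower one."""
    if installed.product != expected.product:
        raise ValueError("packs belong to different CxSAST product lines")
    return installed.build >= expected.build


def audit_servers(logs: Dict[str, str], cxsast_version: str,
                  expected_pack: str) -> Dict[str, str]:
    """Classify each server's scan log as missing/incompatible/outdated/current."""
    expected = parse_pack_version(expected_pack)
    result: Dict[str, str] = {}
    for server, log_text in logs.items():
        raw = installed_pack_from_log(log_text)
        if raw is None:
            result[server] = "missing"          # no pack flag logged at all
            continue
        pack = parse_pack_version(raw)
        if not is_compatible(pack, cxsast_version):
            result[server] = "incompatible"     # pack built for another CxSAST version
        elif not is_current(pack, expected):
            result[server] = "outdated"         # older cumulative pack still installed
        else:
            result[server] = "current"
    return result


if __name__ == "__main__":
    # Constructed fleet: three CxManager logs with different pack states.
    fleet = {
        "cxmanager-1": SAMPLE_SCAN_LOG,
        "cxmanager-2": SAMPLE_SCAN_LOG.replace("9.3.0.1234", "9.3.0.1000"),
        "cxmanager-3": "2024-01-01 10:00:00 [INFO] Scan started\n",
    }
    for name, status in audit_servers(fleet, "9.3.0", "9.3.0.1234").items():
        print(f"{name}: {status}")
```

Run this against the logs of every CxManager after a content pack rollout; a server reported as "outdated" or "incompatible" is one where scans are still running with an older query set, so its findings will differ from the rest of the fleet.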

Installation

The content pack is installed on the CxManager stations, unless otherwise indicated. In a distributed environment, the content pack does not need to be installed on engine stations, just on the CxManager station, which has access to the database. Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.

The installer can also be executed in CLI (silent) mode, similarly to hotfix installations.

Content

Each content pack includes improvements to queries and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.

Detailed content descriptions can be found on the pages listed below: