Versions Compared

Old Version 34

changes.mady.by.user Ismael Vilas Boas

Saved on

compared with

New Version 35

changes.mady.by.user Ismael Vilas Boas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

We would like to share with you a new and exciting CxSAST capability: Security Content Packs.

...


Content Pack Version
Compatible Version
Release Date
Content
CP.8.9.0.601238.9.017 April 2020

This Content Pack (CP) includes improvements for reducing the amount of false positive results.

Installation order

It is not a cumulative content pack for the Java content, so both content packs should be installed when requiring Java and C# improvements.
The content packs should always be installed in ascending version number.

The following improvements were made for C# queries:

  • Improve sinks on Code Injection with script and async APIs
  • Improve Connection String Injection sanitizers to remove static strings
  • Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders
  • Improve Resource Injection sanitizers to consider string sanitization methods, encodings and white list validation
  • Improve Stored XSS sanitizers
  • Improve XPath Injection and Stored XPath Injection sanitizers
  • Improve Stored Code Injection sanitizers with Compiler Options Output Assembly 
  • Improve DB Parameter Tampering sanitizers with authorization validations
  • Improve DOS By Sleep sanitizers when using properly configured SpinWait and ThreadSleep APIs
  • Improve Hardcoded Password in connection string inputs when using variables containing static strings
  • Improve Heap Inspection to avoid bad results on page views controls
  • Improve SQL Injection Evasion Attack sanitizers extending with more decoding APIs
  • Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves
  • Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe
  • Improve Missing HSTS Header to support further time span APIs when using bad configuration
  • Improve ASP MVC controller support
  • Improve ASP MVC/Razor XSRF token support
  • Improve general sanitization when using whitelist mappings and numeric APIs
  • Improve Entity Framework APIs support 
  • Improve Database support for async APIs
  • Improve Database LINQ supported APIs
  • Improve Salesforce Database supported APIs
  • Improve support for Safe hashing algorithms
  • Improve Deserialization of untrusted data 
  • Rewrite Unsafe Object Binding with improved sources and sinks


It is also included an expanded version of the Checkmarx Express containing 38 C# queries:

 List of queries included in the Checkmarx Express Preset






































This content pack includes all the improvements made for C# High Risk queries and some C# Medium threat queries.

The content pack uses a new numbering convention which will ease the readability of the version.

Looking into accuracy improvement, there are some queries that can have differences in the results after the installation of the content pack.

 Click here to see the list of queries improved by the content pack






































































The changes were done over several queries to provide the improvements.

 Click here to see the list of queries changed by the content pack




























































In this Ruleset Content Pack the following improvements were done for the C# language:

  • At High Risk queries the accuracy on Checkmarx Express Preset is improved by 39%
  • At Medium Threat queries the accuracy on Checkmarx Express preset is improved by 2%


...