
We would like to share with you a new and exciting CxSAST capability: Security Content Packs.

Out-of-the-box accuracy has always been a key evaluation criterion for CxSAST. In order to maintain our market leadership, we continue to invest significant resources in maintaining and improving the accuracy of CxSAST findings.

Hotfixes and content packs are cumulative and include previous hotfix/content package updates.

Compatibility and Versioning

Ruleset Content Packs are released for CxSAST product versions that are already generally available and widely used. Ruleset Content Pack data is compatible with a specific CxSAST product version; because of this, a Content Pack's version number is the CxSAST product version it is compatible with (three numbers), suffixed by an internal build number (fourth number). The compatibility dependency exists because of CxQL and other internal versions. The content of the Ruleset Content Packs is automatically included in the following GA release of CxSAST.

To see which Content Pack version is installed on your server(s), from within the CxSAST portal navigate to Management > Application Settings > Installation Information > Checkmarx Queries Pack.

Delivery Mechanism

Out-of-the-box improvements are delivered through a new mechanism called Ruleset Content Pack. All Ruleset Content Packs are cumulative, i.e. installing Ruleset Content Pack 8.9.0.x is equivalent to installing all 8.9.0 Ruleset Content Packs released before 8.9.0.x, in release order. The Ruleset Content Packs Installer checks the installed SAST version and the installed Ruleset Content Pack version, and allows installation only if the pack is compatible with both.

Installation

The Ruleset Content Pack is installed on the CxManager machines, unless otherwise indicated. In a distributed environment, the Ruleset Content Pack does not need to be installed on engine machines, just on the CxManager machine (which has access to the database). Once installed, the content pack can be uninstalled with the dedicated uninstaller in the package.

The installer can also be executed in CLI (silent) mode, similarly to Hotfix installation.

Content

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through DB upgrade scripts which affect relevant tables.

Detailed content descriptions can be found in the table below:

Content Pack Version: CP.8.9.0.60123
Compatible Version: 8.9.0
Release Date: 17 April 2020
Content:

This Content Pack (CP) includes improvements for reducing the amount of false positive results.

Installation order

This content pack does not include the Java content, so both content packs must be installed when both Java and C# improvements are required.
Content packs must always be installed in ascending order of version number.

The following improvements were made for C# queries:

  • Improve sinks on Code Injection with script and async APIs
  • Improve Connection String Injection sanitizers to remove static strings
  • Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders
  • Improve Resource Injection sanitizers to consider string sanitization methods, encodings and white list validation
  • Improve Stored XSS sanitizers
  • Improve XPath Injection and Stored XPath Injection sanitizers
  • Improve Stored Code Injection sanitizers with Compiler Options Output Assembly 
  • Improve DB Parameter Tampering sanitizers with authorization validations
  • Improve DOS By Sleep sanitizers when using properly configured SpinWait and ThreadSleep APIs
  • Improve Hardcoded Password in connection string inputs when using variables containing static strings
  • Improve Heap Inspection to avoid bad results on page views controls
  • Improve SQL Injection Evasion Attack sanitizers extending with more decoding APIs
  • Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves
  • Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe
  • Improve Missing HSTS Header to support further time span APIs when using bad configuration
  • Improve ASP MVC controller support
  • Improve ASP MVC/Razor XSRF token support
  • Improve general sanitization when using whitelist mappings and numeric APIs
  • Improve Entity Framework APIs support 
  • Improve Database support for async APIs
  • Improve Database LINQ supported APIs
  • Improve Salesforce Database supported APIs
  • Improve support for Safe hashing algorithms
  • Improve Deserialization of untrusted data 
  • Rewrite Unsafe Object Binding with improved sources and sinks


An expanded version of the Checkmarx Express preset, containing 38 C# queries, is also included.

This content pack includes all the improvements made for C# High Risk queries and some C# Medium threat queries.

The content pack uses a new numbering convention which will ease the readability of the version.

Because of the accuracy improvements, some queries can return different results after the content pack is installed.


The improvements were delivered by changing several queries.

In this Ruleset Content Pack, the following improvements were made for the C# language:

  • For High Risk queries, accuracy on the Checkmarx Express preset is improved by 39%
  • For Medium Threat queries, accuracy on the Checkmarx Express preset is improved by 2%
