Content Pack Version - CP.8.9.0.53 (Java)

Content

Each Ruleset Content Pack includes improvements to queries and, optionally, to presets. Technically, these changes are delivered through DB upgrade scripts that modify the relevant tables.

Detailed content descriptions can be found in the table below:

Content Pack Version: CP.8.9.0.53
Compatible Version: 8.9.0
Release Date: 29 October 2019
Content: see below

Download link: https://www.checkmarx.com/downloads/

This Ruleset Content Pack (CP) includes improvements for reducing the amount of false positive results. The following Java queries were updated:

Queries affected by the content pack

Java.Java_Android.Android_Improper_Resource_Shutdown_or_Release
Java.Java_Android.Client_Side_Injection
Java.Java_Android.Client_Side_ReDoS
Java.Java_Android.Copy_Paste_Buffer_Caching
Java.Java_Android.General_Android_Find_Request_Permissions
Java.Java_Android.Implicit_Intent_With_Read_Write_Permissions
Java.Java_Android.Insecure_Data_Storage
Java.Java_Android.Insecure_Data_Storage_Usage
Java.Java_Android.Insecure_WebView_Usage
Java.Java_Android.Insufficient_Sensitive_Transport_Layer
Java.Java_Android.Insufficient_Transport_Layer_Protect
Java.Java_Android.Keyboard_Cache_Information_Leak
Java.Java_Android.Missing_Certificate_Pinning
Java.Java_Android.Missing_Rooted_Device_Check
Java.Java_Android.Passing_Non_Encrypted_Data_Between_Activities
Java.Java_Android.Poor_Authorization_and_Authentication
Java.Java_Android.Side_Channel_Data_Leakage
Java.Java_Android.Unsafe_Permission_Check
Java.Java_Android.Use_Of_Implicit_Intent_For_Sensitive_Communication
Java.Java_Android.Use_of_WebView_AddJavascriptInterface
Java.Java_Android.Weak_Encryption
Java.Java_Android.WebView_Cache_Information_Leak
Java.Java_Best_Coding_Practice.Access_Specifier_Manipulation
Java.Java_Best_Coding_Practice.clone_Method_Without_super_clone
Java.Java_Best_Coding_Practice.Comparison_of_Classes_By_Name
Java.Java_Best_Coding_Practice.Dynamic_SQL_Queries
Java.Java_Best_Coding_Practice.ESAPI_Banned_API
Java.Java_Best_Coding_Practice.Explicit_Call_to_Finalize
Java.Java_Best_Coding_Practice.finalize_Method_Without_super_finalize
Java.Java_Best_Coding_Practice.Hardcoded_Connection_String
Java.Java_Best_Coding_Practice.Incorrect_Conversion_between_Numeric_Types
Java.Java_Best_Coding_Practice.Input_Not_Normalized
Java.Java_Best_Coding_Practice.Non_serializable_Object_Stored_in_Session
Java.Java_Best_Coding_Practice.Portability_Flaw_In_File_Separator
Java.Java_Best_Coding_Practice.Potentially_Serializable_Class_With_Sensitive_Data
Java.Java_Best_Coding_Practice.Reliance_On_Untrusted_Inputs_In_Security_Decision
Java.Java_Best_Coding_Practice.Unclosed_Objects
Java.Java_Best_Coding_Practice.Uncontrolled_Recursion
Java.Java_Best_Coding_Practice.Unused_Variable
Java.Java_Best_Coding_Practice.Use_of_Obsolete_Functions
Java.Java_Best_Coding_Practice.Use_of_System_Output_Stream
Java.Java_Best_Coding_Practice.Use_of_Wrong_Operator_in_String_Comparison
Java.Java_GWT.GWT_DOM_XSS
Java.Java_GWT.GWT_Reflected_XSS
Java.Java_GWT.JSON_Hijacking
Java.Java_Heuristic.Heuristic_2nd_Order_SQL_Injection
Java.Java_Heuristic.Heuristic_CGI_Stored_XSS
Java.Java_Heuristic.Heuristic_DB_Parameter_Tampering
Java.Java_Heuristic.Heuristic_Parameter_Tampering
Java.Java_Heuristic.Heuristic_SQL_Injection
Java.Java_Heuristic.Heuristic_Stored_XSS
Java.Java_Heuristic.Heuristic_XSRF
Java.Java_High_Risk.Code_Injection
Java.Java_High_Risk.Command_Injection
Java.Java_High_Risk.Connection_String_Injection
Java.Java_High_Risk.Deserialization_of_Untrusted_Data_in_JMS
Java.Java_High_Risk.Expression_Language_Injection_OGNL
Java.Java_High_Risk.Expression_Language_Injection_SPEL
Java.Java_High_Risk.LDAP_Injection
Java.Java_High_Risk.Reflected_XSS_All_Clients
Java.Java_High_Risk.Resource_Injection
Java.Java_High_Risk.Second_Order_SQL_Injection
Java.Java_High_Risk.Stored_XSS
Java.Java_High_Risk.XPath_Injection
Java.Java_Low_Visibility.Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey
Java.Java_Low_Visibility.Blind_SQL_Injections
Java.Java_Low_Visibility.Channel_Accessible_by_NonEndpoint
Java.Java_Low_Visibility.Citrus_Developer_Mode_Enabled
Java.Java_Low_Visibility.Collapse_of_Data_into_Unsafe_Value
Java.Java_Low_Visibility.Cookie_Overly_Broad_Path
Java.Java_Low_Visibility.Creation_of_Temp_File_With_Insecure_Permissions
Java.Java_Low_Visibility.DB_Control_of_System_or_Config_Setting
Java.Java_Low_Visibility.Divide_By_Zero
Java.Java_Low_Visibility.Empty_Password_In_Connection_String
Java.Java_Low_Visibility.ESAPI_Same_Password_Repeats_Twice
Java.Java_Low_Visibility.Escape_False
Java.Java_Low_Visibility.Exposure_of_System_Data
Java.Java_Low_Visibility.Improper_Exception_Handling
Java.Java_Low_Visibility.Improper_Resource_Access_Authorization
Java.Java_Low_Visibility.Improper_Resource_Shutdown_or_Release
Java.Java_Low_Visibility.Improper_Transaction_Handling
Java.Java_Low_Visibility.Incorrect_Permission_Assignment_For_Critical_Resources
Java.Java_Low_Visibility.Information_Exposure_Through_an_Error_Message
Java.Java_Low_Visibility.Information_Exposure_Through_Debug_Log
Java.Java_Low_Visibility.Information_Exposure_Through_Server_Log
Java.Java_Low_Visibility.Information_Leak_Through_Comments
Java.Java_Low_Visibility.Information_Leak_Through_Persistent_Cookies
Java.Java_Low_Visibility.Information_Leak_Through_Shell_Error_Message
Java.Java_Low_Visibility.Insufficiently_Protected_Credentials
Java.Java_Low_Visibility.Integer_Overflow
Java.Java_Low_Visibility.Integer_Underflow
Java.Java_Low_Visibility.Leaving_Temporary_File
Java.Java_Low_Visibility.Log_Forging
Java.Java_Low_Visibility.Logic_Time_Bomb
Java.Java_Low_Visibility.Missing_Password_Field_Masking
Java.Java_Low_Visibility.Open_Redirect
Java.Java_Low_Visibility.Parse_Double_DoS
Java.Java_Low_Visibility.Plaintext_Storage_in_a_Cookie
Java.Java_Low_Visibility.Portability_Flaw_Locale_Dependent_Comparison
Java.Java_Low_Visibility.Potential_ReDoS
Java.Java_Low_Visibility.Potential_ReDoS_By_Injection
Java.Java_Low_Visibility.Potential_ReDoS_In_Match
Java.Java_Low_Visibility.Potential_ReDoS_In_Replace
Java.Java_Low_Visibility.Potential_ReDoS_In_Static_Field
Java.Java_Low_Visibility.Private_Array_Returned_From_A_Public_Method
Java.Java_Low_Visibility.Public_Data_Assigned_to_Private_Array
Java.Java_Low_Visibility.Race_Condition_Format_Flaw
Java.Java_Low_Visibility.Relative_Path_Traversal
Java.Java_Low_Visibility.Reversible_One_Way_Hash
Java.Java_Low_Visibility.Serializable_Class_Containing_Sensitive_Data
Java.Java_Low_Visibility.Stored_Absolute_Path_Traversal
Java.Java_Low_Visibility.Stored_Command_Injection
Java.Java_Low_Visibility.Stored_Log_Forging
Java.Java_Low_Visibility.Stored_Relative_Path_Traversal
Java.Java_Low_Visibility.Storing_Passwords_in_a_Recoverable_Format
Java.Java_Low_Visibility.Suspected_XSS
Java.Java_Low_Visibility.TOCTOU
Java.Java_Low_Visibility.Uncaught_Exception
Java.Java_Low_Visibility.Uncontrolled_Memory_Allocation
Java.Java_Low_Visibility.Unrestricted_File_Upload
Java.Java_Low_Visibility.Unsynchronized_Access_To_Shared_Data
Java.Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Java.Java_Low_Visibility.Use_of_Client_Side_Authentication
Java.Java_Low_Visibility.Use_Of_getenv
Java.Java_Low_Visibility.Use_of_Hard_coded_Security_Constants
Java.Java_Low_Visibility.Use_Of_Hardcoded_Password
Java.Java_Low_Visibility.UTF7_XSS
Java.Java_Medium_Threat.Absolute_Path_Traversal
Java.Java_Medium_Threat.CGI_Reflected_XSS_All_Clients
Java.Java_Medium_Threat.CGI_Stored_XSS
Java.Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
Java.Java_Medium_Threat.Cross_Site_History_Manipulation
Java.Java_Medium_Threat.Dangerous_File_Inclusion
Java.Java_Medium_Threat.DB_Parameter_Tampering
Java.Java_Medium_Threat.Direct_Use_of_Unsafe_JNI
Java.Java_Medium_Threat.DoS_by_Sleep
Java.Java_Medium_Threat.Download_of_Code_Without_Integrity_Check
Java.Java_Medium_Threat.External_Control_of_Critical_State_Data
Java.Java_Medium_Threat.External_Control_of_System_or_Config_Setting
Java.Java_Medium_Threat.Frameable_Login_Page
Java.Java_Medium_Threat.Hardcoded_password_in_Connection_String
Java.Java_Medium_Threat.Heap_Inspection
Java.Java_Medium_Threat.HTTP_Response_Splitting
Java.Java_Medium_Threat.HttpOnlyCookies
Java.Java_Medium_Threat.Improper_Restriction_of_Stored_XXE_Ref
Java.Java_Medium_Threat.Improper_Restriction_of_XXE_Ref
Java.Java_Medium_Threat.Inadequate_Encryption_Strength
Java.Java_Medium_Threat.Input_Path_Not_Canonicalized
Java.Java_Medium_Threat.Multiple_Binds_to_the_Same_Port
Java.Java_Medium_Threat.Parameter_Tampering
Java.Java_Medium_Threat.Plaintext_Storage_of_a_Password
Java.Java_Medium_Threat.Privacy_Violation
Java.Java_Medium_Threat.Process_Control
Java.Java_Medium_Threat.ReDoS_From_Regex_Injection
Java.Java_Medium_Threat.ReDoS_In_Match
Java.Java_Medium_Threat.ReDoS_In_Pattern
Java.Java_Medium_Threat.ReDoS_In_Replace
Java.Java_Medium_Threat.Session_Fixation
Java.Java_Medium_Threat.Spring_ModelView_Injection
Java.Java_Medium_Threat.SQL_Injection_Evasion_Attack
Java.Java_Medium_Threat.SSRF
Java.Java_Medium_Threat.Stored_LDAP_Injection
Java.Java_Medium_Threat.Trust_Boundary_Violation
Java.Java_Medium_Threat.Unchecked_Input_for_Loop_Condition
Java.Java_Medium_Threat.Uncontrolled_Format_String
Java.Java_Medium_Threat.Unvalidated_Forwards
Java.Java_Medium_Threat.Use_of_a_One_Way_Hash_with_a_Predictable_Salt
Java.Java_Medium_Threat.Use_of_Cryptographically_Weak_PRNG
Java.Java_Medium_Threat.Use_of_Insufficiently_Random_Values
Java.Java_Medium_Threat.Use_of_Native_Language
Java.Java_Medium_Threat.XQuery_Injection
Java.Java_Medium_Threat.XSRF
Java.Java_Potential.Potential_Code_Injection
Java.Java_Potential.Potential_Command_Injection
Java.Java_Potential.Potential_Connection_String_Injection
Java.Java_Potential.Potential_GWT_Reflected_XSS
Java.Java_Potential.Potential_I_Reflected_XSS_All_Clients
Java.Java_Potential.Potential_IO_Reflected_XSS_All_Clients
Java.Java_Potential.Potential_LDAP_Injection
Java.Java_Potential.Potential_O_Reflected_XSS_All_Clients
Java.Java_Potential.Potential_Parameter_Tampering
Java.Java_Potential.Potential_Resource_Injection
Java.Java_Potential.Potential_SQL_Injection
Java.Java_Potential.Potential_Stored_XSS
Java.Java_Potential.Potential_UTF7_XSS
Java.Java_Potential.Potential_XPath_Injection
Java.Java_Potential.Potential_XXE_Injection
Java.Java_Stored.Stored_Boundary_Violation
Java.Java_Stored.Stored_Code_Injection
Java.Java_Stored.Stored_HTTP_Response_Splitting
Java.Java_Stored.Stored_Open_Redirect
Java.Java_Stored.Stored_XPath_Injection
Java.Java_Struts.Struts2_Action_Field_Without_Validator

Details of the query changes:

  • AWT and Swing controls on cross-site scripting
  • Base64 encoders and decoders improved for sanitization
  • Improved Expression Language Injection execution
  • Refined Command Injection outputs
  • Code Injection dismissed when loading classes already in the application scope
  • Database connection string usage improved
  • Increased support for LDAP safe methods
  • Increased accuracy on JSP inputs
  • Refined database inputs
  • File inputs support
  • Dismissed JSON APIs on XSS
  • Password-related variables improved
  • Expanded support for SSL sockets on sensitive data information
  • Improved reliability of Heap Inspection results
  • Hard-coded cryptographic keys refined
  • Hard-coded database credentials improved
  • Property resources considered as sanitizers for inputs
  • Deprecated the Inadequate_Encryption_Strength query
  • CGI HTML outputs improved

It also includes a new preset, Checkmarx Express, containing the following Java queries whose accuracy has been improved:

Full list of the Checkmarx Express preset
  • Code_Injection
  • Command_Injection
  • Connection_String_Injection
  • LDAP_Injection
  • Reflected_XSS_All_Clients
  • Resource_Injection
  • Second_Order_SQL_Injection
  • SQL_Injection
  • Stored_XSS
  • XPath_Injection
  • Use_Of_Hardcoded_Password
  • Log_Forging
  • Open_Redirect
  • Use_of_Broken_or_Risky_Cryptographic_Algorithm
  • DB_Parameter_Tampering
  • DoS_by_Sleep
  • Use_of_Hard_coded_Cryptographic_Key
  • Hardcoded_password_in_Connection_String
  • Parameter_Tampering
  • Privacy_Violation
  • Spring_ModelView_Injection
  • SQL_Injection_Evasion_Attack
  • Trust_Boundary_Violation
  • XSRF
  • Struts_Incomplete_Validate_Method_Definition
  • Struts_Form_Does_Not_Extend_Validation_Class
  • Struts_Validation_Turned_Off
  • Absolute_Path_Traversal
  • Cleartext_Submission_of_Sensitive_Information
  • Plaintext_Storage_of_a_Password
  • Stored_LDAP_Injection
  • Use_of_Cryptographically_Weak_PRNG
  • Use_of_a_One_Way_Hash_with_a_Predictable_Salt
  • Use_of_a_One_Way_Hash_without_a_Salt
  • Unchecked_Input_for_Loop_Condition
  • Session_Fixation
  • HttpOnlyCookies
  • Unvalidated_Forwards
  • Improper_Restriction_of_XXE_Ref
  • Heap_Inspection
  • Inadequate_Encryption_Strength
  • SSRF
  • Improper_Restriction_of_Stored_XXE_Ref
  • Password_In_Comment
  • Deserialization_of_Untrusted_Data
  • Unvalidated_SSL_Certificate_Hostname
  • Expression_Language_Injection_OGNL
  • Deserialization_of_Untrusted_Data_in_JMS
  • Missing_HSTS_Header
  • Unsafe_Object_Binding
  • GWT_DOM_XSS
  • GWT_Reflected_XSS

This CP delivers the following improvements:

  • For High Risk queries, the accuracy of the Checkmarx Express preset is improved by 31%
  • For Medium Threat queries, the accuracy of the Checkmarx Express preset is improved by 62%
