Content Pack Version - CP.8.9.0.94 (Java)

Content

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.

Detailed information on the content can be found in the table below:

Content Pack Version: CP.8.9.0.94
Compatible Version: 8.9.0
Release Date: 28 January 2020
Content: described below

Download link: https://www.checkmarx.com/downloads/

This Content Pack (CP) includes improvements for reducing the amount of false positive results.

The following improvements have been introduced for Java queries, in addition to the improvements already included with CP 53:

  • Improved detection of hard-coded cryptographic keys
  • Improved sanitizers for passwords in connection strings
  • Improved log outputs
  • Support for secure random values
  • Detection of unencrypted communication channels
  • Sanitizer support for XSS
  • Support for database outputs when using ORMs
  • DoS_by_Sleep sanitizers
  • Unit tests are no longer reported as exploitable results
  • Improved Code Injection sanitizers
  • Improved Command Injection sanitizers
  • Refined sources for Cleartext Submission of Sensitive Information
  • Improved sources for Use of Hardcoded Cryptographic Keys
  • Refined sources for Hardcoded Password in Connection String
  • Expanded sources for Use of Cryptographically Weak PRNG
  • Expanded database query inputs
  • Added Potential Hardcoded Password in Connection String
  • Added Potential Use of Hardcoded Cryptographic Key

The Checkmarx Express preset, containing 52 queries, is also included:

List of queries included in Checkmarx Express

Java_GWT.GWT_DOM_XSS
Java_GWT.GWT_Reflected_XSS
Java_High_Risk.Code_Injection
Java_High_Risk.Command_Injection
Java_High_Risk.Connection_String_Injection
Java_High_Risk.LDAP_Injection
Java_High_Risk.Reflected_XSS_All_Clients
Java_High_Risk.Resource_Injection
Java_High_Risk.Second_Order_SQL_Injection
Java_High_Risk.SQL_Injection
Java_High_Risk.Stored_XSS
Java_High_Risk.XPath_Injection
Java_Low_Visibility.Use_Of_Hardcoded_Password
Java_Low_Visibility.Log_Forging
Java_Low_Visibility.Open_Redirect
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Java_Medium_Threat.DB_Parameter_Tampering
Java_Medium_Threat.DoS_by_Sleep
Java_Medium_Threat.Use_of_Hard_coded_Cryptographic_Key
Java_Medium_Threat.Hardcoded_password_in_Connection_String
Java_Medium_Threat.Parameter_Tampering
Java_Medium_Threat.Privacy_Violation
Java_Medium_Threat.Spring_ModelView_Injection
Java_Medium_Threat.SQL_Injection_Evasion_Attack
Java_Medium_Threat.Trust_Boundary_Violation
Java_Medium_Threat.XSRF
Java_Struts.Struts_Incomplete_Validate_Method_Definition
Java_Struts.Struts_Form_Does_Not_Extend_Validation_Class
Java_Struts.Struts_Validation_Turned_Off
Java_Medium_Threat.Absolute_Path_Traversal
Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
Java_Medium_Threat.Plaintext_Storage_of_a_Password
Java_Medium_Threat.Stored_LDAP_Injection
Java_Medium_Threat.Use_of_Cryptographically_Weak_PRNG
Java_Medium_Threat.Use_of_a_One_Way_Hash_with_a_Predictable_Salt
Java_Medium_Threat.Use_of_a_One_Way_Hash_without_a_Salt
Java_Medium_Threat.Unchecked_Input_for_Loop_Condition
Java_Medium_Threat.Session_Fixation
Java_Medium_Threat.HttpOnlyCookies
Java_Medium_Threat.Unvalidated_Forwards
Java_Medium_Threat.Improper_Restriction_of_XXE_Ref
Java_Medium_Threat.Heap_Inspection
Java_Medium_Threat.Inadequate_Encryption_Strength
Java_Medium_Threat.SSRF
Java_Medium_Threat.Improper_Restriction_of_Stored_XXE_Ref
Java_Low_Visibility.Password_In_Comment
Java_High_Risk.Deserialization_of_Untrusted_Data
Java_Medium_Threat.Unvalidated_SSL_Certificate_Hostname
Java_High_Risk.Expression_Language_Injection_OGNL
Java_High_Risk.Deserialization_of_Untrusted_Data_in_JMS
Java_Medium_Threat.Missing_HSTS_Header
Java_Medium_Threat.Unsafe_Object_Binding

Accuracy figures in this document are measured as:

Accuracy = TP / (TP + FP)

where TP is the number of true positive results and FP the number of false positive results.

Queries affected by the content pack

Java.Java_Medium_Threat.Improper_Restriction_of_XXE_Ref
Java.Java_Low_Visibility.Information_Leak_Through_Persistent_Cookies
Java.Java_Best_Coding_Practice.Unused_Variable
Java.Java_Android.Copy_Paste_Buffer_Caching
Java.Java_Medium_Threat.DB_Parameter_Tampering
Java.Java_Low_Visibility.Improper_Exception_Handling
Java.Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
Java.Java_Medium_Threat.Trust_Boundary_Violation
Java.Java_Medium_Threat.Use_of_Cryptographically_Weak_PRNG
Java.Java_Low_Visibility.Potential_ReDoS_In_Replace
Java.Java_Potential.Potential_Stored_XSS
Java.Java_Best_Coding_Practice.Access_Specifier_Manipulation
Java.Java_Low_Visibility.Citrus_Developer_Mode_Enabled
Java.Java_Low_Visibility.Collapse_of_Data_into_Unsafe_Value
Java.Java_Medium_Threat.SSRF
Java.Java_Best_Coding_Practice.finalize_Method_Without_super_finalize
Java.Java_Low_Visibility.Portability_Flaw_Locale_Dependent_Comparison
Java.Java_Low_Visibility.Uncaught_Exception
Java.Java_Best_Coding_Practice.Incorrect_Conversion_between_Numeric_Types
Java.Java_Medium_Threat.Spring_ModelView_Injection
Java.Java_Stored.Stored_HTTP_Response_Splitting
Java.Java_Low_Visibility.Use_Of_Hardcoded_Password
Java.Java_Low_Visibility.Information_Exposure_Through_Debug_Log
Java.Java_Best_Coding_Practice.Comparison_of_Classes_By_Name
Java.Java_Medium_Threat.Stored_LDAP_Injection
Java.Java_Low_Visibility.Potential_ReDoS_In_Match
Java.Java_Heuristic.Heuristic_SQL_Injection
Java.Java_Best_Coding_Practice.Reliance_On_Untrusted_Inputs_In_Security_Decision
Java.Java_Android.Missing_Rooted_Device_Check
Java.Java_Low_Visibility.Use_of_Hard_coded_Security_Constants
Java.Java_Medium_Threat.Privacy_Violation
Java.Java_Android.Client_Side_Injection
Java.Java_Low_Visibility.Exposure_of_System_Data
Java.Java_Low_Visibility.Serializable_Class_Containing_Sensitive_Data
Java.Java_Low_Visibility.Divide_By_Zero
Java.Java_Low_Visibility.Incorrect_Permission_Assignment_For_Critical_Resources
Java.Java_Low_Visibility.Logic_Time_Bomb
Java.Java_Best_Coding_Practice.clone_Method_Without_super_clone
Java.Java_Potential.Potential_I_Reflected_XSS_All_Clients
Java.Java_High_Risk.Command_Injection
Java.Java_Low_Visibility.Potential_ReDoS_By_Injection
Java.Java_Medium_Threat.ReDoS_In_Replace
Java.Java_Low_Visibility.Relative_Path_Traversal
Java.Java_Low_Visibility.Cookie_Overly_Broad_Path
Java.Java_Potential.Potential_Resource_Injection
Java.Java_High_Risk.Stored_XSS
Java.Java_Medium_Threat.External_Control_of_System_or_Config_Setting
Java.Java_Best_Coding_Practice.Portability_Flaw_In_File_Separator
Java.Java_Best_Coding_Practice.Uncontrolled_Recursion
Java.Java_Low_Visibility.Stored_Log_Forging
Java.Java_Low_Visibility.Creation_of_Temp_File_With_Insecure_Permissions
Java.Java_Best_Coding_Practice.Potentially_Serializable_Class_With_Sensitive_Data
Java.Java_Android.Missing_Certificate_Pinning
Java.Java_Medium_Threat.ReDoS_In_Match
Java.Java_Best_Coding_Practice.Use_of_Wrong_Operator_in_String_Comparison
Java.Java_Android.General_Android_Find_Request_Permissions
Java.Java_Best_Coding_Practice.Non_serializable_Object_Stored_in_Session
Java.Java_Android.Implicit_Intent_With_Read_Write_Permissions
Java.Java_Medium_Threat.ReDoS_In_Pattern
Java.Java_Low_Visibility.Leaving_Temporary_File
Java.Java_Android.Weak_Encryption
Java.Java_Low_Visibility.Suspected_XSS
Java.Java_Potential.Potential_IO_Reflected_XSS_All_Clients
Java.Java_Low_Visibility.Stored_Relative_Path_Traversal
Java.Java_Potential.Potential_UTF7_XSS
Java.Java_Low_Visibility.Improper_Transaction_Handling
Java.Java_Stored.Stored_Code_Injection
Java.Java_Potential.Potential_Parameter_Tampering
Java.Java_High_Risk.Resource_Injection
Java.Java_Medium_Threat.Frameable_Login_Page
Java.Java_Medium_Threat.Input_Path_Not_Canonicalized
Java.Java_Low_Visibility.Stored_Absolute_Path_Traversal
Java.Java_Potential.Potential_O_Reflected_XSS_All_Clients
Java.Java_Android.Poor_Authorization_and_Authentication
Java.Java_Potential.Potential_Use_of_Hard_coded_Cryptographic_Key
Java.Java_Medium_Threat.Process_Control
Java.Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Java.Java_High_Risk.Code_Injection
Java.Java_Stored.Stored_XPath_Injection
Java.Java_Android.Insecure_Data_Storage
Java.Java_Low_Visibility.Use_of_Client_Side_Authentication
Java.Java_Low_Visibility.UTF7_XSS
Java.Java_Low_Visibility.DB_Control_of_System_or_Config_Setting
Java.Java_Best_Coding_Practice.Input_Not_Normalized
Java.Java_Low_Visibility.Integer_Underflow
Java.Java_Medium_Threat.Dangerous_File_Inclusion
Java.Java_Medium_Threat.Use_of_Insufficiently_Random_Values
Java.Java_Heuristic.Heuristic_DB_Parameter_Tampering
Java.Java_Best_Coding_Practice.Use_of_Obsolete_Functions
Java.Java_Android.Keyboard_Cache_Information_Leak
Java.Java_Medium_Threat.Absolute_Path_Traversal
Java.Java_Low_Visibility.Race_Condition_Format_Flaw
Java.Java_Medium_Threat.Use_of_a_One_Way_Hash_with_a_Predictable_Salt
Java.Java_Medium_Threat.Multiple_Binds_to_the_Same_Port
Java.Java_Low_Visibility.Uncontrolled_Memory_Allocation
Java.Java_Low_Visibility.Plaintext_Storage_in_a_Cookie
Java.Java_GWT.GWT_Reflected_XSS
Java.Java_Low_Visibility.Unsynchronized_Access_To_Shared_Data
Java.Java_GWT.GWT_DOM_XSS
Java.Java_Medium_Threat.Download_of_Code_Without_Integrity_Check
Java.Java_Heuristic.Heuristic_Stored_XSS
Java.Java_Low_Visibility.Empty_Password_In_Connection_String
Java.Java_Low_Visibility.Unrestricted_File_Upload
Java.Java_Low_Visibility.Reversible_One_Way_Hash
Java.Java_Medium_Threat.Unchecked_Input_for_Loop_Condition
Java.Java_Potential.Potential_GWT_Reflected_XSS
Java.Java_Medium_Threat.ReDoS_From_Regex_Injection
Java.Java_Low_Visibility.Insufficiently_Protected_Credentials
Java.Java_Low_Visibility.Use_Of_getenv
Java.Java_Android.Insufficient_Sensitive_Transport_Layer
Java.Java_Potential.Potential_Command_Injection
Java.Java_Medium_Threat.Inadequate_Encryption_Strength
Java.Java_Potential.Potential_Connection_String_Injection
Java.Java_Heuristic.Heuristic_XSRF
Java.Java_Low_Visibility.Private_Array_Returned_From_A_Public_Method
Java.Java_Low_Visibility.Potential_ReDoS_In_Static_Field
Java.Java_Low_Visibility.Improper_Resource_Shutdown_or_Release
Java.Java_Low_Visibility.Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey
Java.Java_Best_Coding_Practice.Unclosed_Objects
Java.Java_High_Risk.Second_Order_SQL_Injection
Java.Java_Low_Visibility.Channel_Accessible_by_NonEndpoint
Java.Java_Potential.Potential_XPath_Injection
Java.Java_Medium_Threat.Improper_Restriction_of_Stored_XXE_Ref
Java.Java_Low_Visibility.Missing_Password_Field_Masking
Java.Java_Medium_Threat.Uncontrolled_Format_String
Java.Java_Best_Coding_Practice.Explicit_Call_to_Finalize
Java.Java_High_Risk.Reflected_XSS_All_Clients
Java.Java_Potential.Potential_SQL_Injection
Java.Java_Medium_Threat.Use_of_Native_Language
Java.Java_Medium_Threat.External_Control_of_Critical_State_Data
Java.Java_Low_Visibility.Information_Leak_Through_Shell_Error_Message
Java.Java_Medium_Threat.Session_Fixation
Java.Java_Low_Visibility.ESAPI_Same_Password_Repeats_Twice
Java.Java_Medium_Threat.Hardcoded_password_in_Connection_String
Java.Java_Low_Visibility.Public_Data_Assigned_to_Private_Array
Java.Java_Low_Visibility.Information_Exposure_Through_Server_Log
Java.Java_Low_Visibility.Stored_Command_Injection
Java.Java_Medium_Threat.Heap_Inspection
Java.Java_Best_Coding_Practice.Use_of_System_Output_Stream
Java.Java_High_Risk.Deserialization_of_Untrusted_Data_in_JMS
Java.Java_Best_Coding_Practice.Hardcoded_Connection_String
Java.Java_Android.Android_Improper_Resource_Shutdown_or_Release
Java.Java_Medium_Threat.SQL_Injection_Evasion_Attack
Java.Java_Low_Visibility.Information_Exposure_Through_an_Error_Message
Java.Java_Medium_Threat.XSRF
Java.Java_Potential.Potential_Code_Injection
Java.Java_High_Risk.Connection_String_Injection
Java.Java_Android.Use_of_WebView_AddJavascriptInterface
Java.Java_Android.Passing_Non_Encrypted_Data_Between_Activities
Java.Java_Android.Side_Channel_Data_Leakage
Java.Java_Best_Coding_Practice.ESAPI_Banned_API
Java.Java_High_Risk.Expression_Language_Injection_OGNL
Java.Java_Low_Visibility.Information_Leak_Through_Comments
Java.Java_Potential.Potential_XXE_Injection
Java.Java_Stored.Stored_Open_Redirect
Java.Java_High_Risk.Expression_Language_Injection_SPEL
Java.Java_High_Risk.LDAP_Injection
Java.Java_Low_Visibility.Blind_SQL_Injections
Java.Java_Android.Insecure_WebView_Usage
Java.Java_Low_Visibility.Integer_Overflow
Java.Java_Heuristic.Heuristic_2nd_Order_SQL_Injection
Java.Java_Low_Visibility.Open_Redirect
Java.Java_Medium_Threat.CGI_Reflected_XSS_All_Clients
Java.Java_Stored.Stored_Boundary_Violation
Java.Java_Heuristic.Heuristic_Parameter_Tampering
Java.Java_Medium_Threat.XQuery_Injection
Java.Java_Android.Insufficient_Transport_Layer_Protect
Java.Java_Low_Visibility.Improper_Resource_Access_Authorization
Java.Java_Android.Use_Of_Implicit_Intent_For_Sensitive_Communication
Java.Java_High_Risk.XPath_Injection
Java.Java_Low_Visibility.Storing_Passwords_in_a_Recoverable_Format
Java.Java_Struts.Struts2_Action_Field_Without_Validator
Java.Java_Medium_Threat.Cross_Site_History_Manipulation
Java.Java_Heuristic.Heuristic_CGI_Stored_XSS
Java.Java_Medium_Threat.DoS_by_Sleep
Java.Java_Medium_Threat.HttpOnlyCookies
Java.Java_Medium_Threat.CGI_Stored_XSS
Java.Java_Android.WebView_Cache_Information_Leak
Java.Java_Best_Coding_Practice.Dynamic_SQL_Queries
Java.Java_Medium_Threat.Plaintext_Storage_of_a_Password
Java.Java_Medium_Threat.Unvalidated_Forwards
Java.Java_Android.Insecure_Data_Storage_Usage
Java.Java_Low_Visibility.Parse_Double_DoS
Java.Java_GWT.JSON_Hijacking
Java.Java_Android.Unsafe_Permission_Check
Java.Java_Medium_Threat.HTTP_Response_Splitting
Java.Java_Medium_Threat.Parameter_Tampering
Java.Java_Medium_Threat.Direct_Use_of_Unsafe_JNI
Java.Java_Low_Visibility.TOCTOU
Java.Java_Low_Visibility.Escape_False
Java.Java_Low_Visibility.Potential_ReDoS
Java.Java_Android.Client_Side_ReDoS
Java.Java_Low_Visibility.Log_Forging
Java.Java_Potential.Potential_LDAP_Injection
Java.Java_Potential.Potential_Hardcoded_password_in_Connection_String

This Ruleset Content Pack delivers the following improvements:

  • For High Risk queries, accuracy on the Checkmarx Express preset is improved by 58%
  • For Medium Threat queries, accuracy on the Checkmarx Express preset is improved by 97%
  • OWASP Benchmark grade maintained; the score is now 72%

This content pack also fixes an issue with HF integration.