Content
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered via DB upgrade scripts, which affect relevant tables.
Detailed information on the content can be found in the table below:

Content Pack | Version | Release date | Download link
CP.8.9.0.94 | 8.9.0 | 28 January 2020 | https://www.checkmarx.com/downloads/

This Content Pack (CP) includes improvements for reducing the number of false positive results. The following improvements have been introduced for Java queries, in addition to the improvements already included with CP 53:
- Hard coded cryptographic keys improved
- Connection string password sanitizers improved
- Improved Log outputs
- Secure random values support
- Not encrypted communication channels detection
- Sanitizers support for XSS.
- Support for database outputs when using ORMs
- DOS_by_Sleep sanitizers
- Unit tests are no longer reported as exploitable results
- Improved Code Injection sanitizers
- Improved Command Injection sanitizers
- Refined Clear Text Submission of Sensitive Information sources
- Improved sources for Use of Hardcoded Cryptographic Keys
- Refined the sources for Hardcoded Passwords in Connection String
- Expanded sources for Use of Cryptographic weak PRNG
- Expanded Database query Inputs
- Added Potential Hardcoded Password in Connection String
- Added Potential Use of Hardcoded Cryptographic Key
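To make the list above concrete, the following is an added illustration written for this page; it is not code from the Content Pack or from Checkmarx. Each pair places a code pattern of the kind the named query reports next to the form the improvements are meant to treat as safe (weak PRNG versus SecureRandom, key literal versus keystore, password in the JDBC URL versus credentials passed separately, unbounded versus clamped sleep). The class and method names, the keystore/JDBC parameters and the `2_000L` ceiling are invented for the example; whether a particular line is reported in practice depends on the sources and sanitizers defined in the installed query version, which are not reproduced here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Base64;
import java.util.Random;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not Checkmarx code): each pair shows a pattern of the kind
 * the listed queries report, next to the form they are meant to treat as safe.
 * Class and method names are invented for this example.
 */
public class ContentPackPatterns {

    // Use_of_Cryptographically_Weak_PRNG: java.util.Random is predictable once
    // its 48-bit state is recovered, so it must not generate tokens or secrets.
    static String weakToken() {
        byte[] buf = new byte[16];
        new Random().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // "Secure random values support": SecureRandom is a CSPRNG and the intended
    // replacement; the same data flow through it should not be reported.
    static String secureToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Use_of_Hard_coded_Cryptographic_Key: a key literal in source ships in
    // every build artefact and every clone of the repository.
    static SecretKey hardcodedKey() {
        byte[] keyBytes = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Key material loaded at runtime from a keystore kept outside the source
    // tree; the keystore password is supplied by the caller (assumed path/alias).
    static SecretKey keyFromKeyStore(String path, char[] storePassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return (SecretKey) ks.getKey(alias, storePassword);
    }

    // Hardcoded_password_in_Connection_String: credentials embedded in the JDBC
    // URL literal, which also tends to end up in logs that print the URL.
    static Connection hardcodedConnection() throws SQLException {
        return DriverManager.getConnection(
            "jdbc:postgresql://db.example.internal/app?user=app&password=hunter2");
    }

    // Credentials handed over separately at runtime, so the URL literal holds
    // no secret; the caller obtains them from a secrets store (assumed).
    static Connection connectionWithCredentials(String user, char[] password) throws SQLException {
        return DriverManager.getConnection(
            "jdbc:postgresql://db.example.internal/app", user, new String(password));
    }

    // DoS_by_Sleep: a sleep duration taken straight from request input lets a
    // client pin a worker thread for as long as it likes.
    static void sleepFromRequest(String requestedMillis) throws InterruptedException {
        Thread.sleep(Long.parseLong(requestedMillis));
    }

    // Bounding logic of this kind is what a DoS_by_Sleep sanitizer is expected
    // to recognise: the value is parsed, then clamped to a fixed ceiling
    // (2 seconds here, an arbitrary choice for the example) before use.
    static void sleepBounded(String requestedMillis) throws InterruptedException {
        long requested = Long.parseLong(requestedMillis);
        long bounded = Math.max(0L, Math.min(requested, 2_000L));
        Thread.sleep(bounded);
    }
}
```

Note that the "safe" halves are safe only as far as the secret handling goes: `keyFromKeyStore` and `connectionWithCredentials` still depend on the caller keeping the keystore password and database credentials out of source control, which is exactly what a hard-coded-secret query cannot verify for you.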
The Checkmarx Express preset, containing 52 queries, is also included.

List of queries included in Checkmarx Express:
- Java_GWT.GWT_DOM_XSS
- Java_GWT.GWT_Reflected_XSS
- Java_High_Risk.Code_Injection
- Java_High_Risk.Command_Injection
- Java_High_Risk.Connection_String_Injection
- Java_High_Risk.LDAP_Injection
- Java_High_Risk.Reflected_XSS_All_Clients
- Java_High_Risk.Resource_Injection
- Java_High_Risk.Second_Order_SQL_Injection
- Java_High_Risk.SQL_Injection
- Java_High_Risk.Stored_XSS
- Java_High_Risk.XPath_Injection
- Java_Low_Visibility.Use_Of_Hardcoded_Password
- Java_Low_Visibility.Log_Forging
- Java_Low_Visibility.Open_Redirect
- Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
- Java_Medium_Threat.DB_Parameter_Tampering
- Java_Medium_Threat.DoS_by_Sleep
- Java_Medium_Threat.Use_of_Hard_coded_Cryptographic_Key
- Java_Medium_Threat.Hardcoded_password_in_Connection_String
- Java_Medium_Threat.Parameter_Tampering
- Java_Medium_Threat.Privacy_Violation
- Java_Medium_Threat.Spring_ModelView_Injection
- Java_Medium_Threat.SQL_Injection_Evasion_Attack
- Java_Medium_Threat.Trust_Boundary_Violation
- Java_Medium_Threat.XSRF
- Java_Struts.Struts_Incomplete_Validate_Method_Definition
- Java_Struts.Struts_Form_Does_Not_Extend_Validation_Class
- Java_Struts.Struts_Validation_Turned_Off
- Java_Medium_Threat.Absolute_Path_Traversal
- Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
- Java_Medium_Threat.Plaintext_Storage_of_a_Password
- Java_Medium_Threat.Stored_LDAP_Injection
- Java_Medium_Threat.Use_of_Cryptographically_Weak_PRNG
- Java_Medium_Threat.Use_of_a_One_Way_Hash_with_a_Predictable_Salt
- Java_Medium_Threat.Use_of_a_One_Way_Hash_without_a_Salt
- Java_Medium_Threat.Unchecked_Input_for_Loop_Condition
- Java_Medium_Threat.Session_Fixation
- Java_Medium_Threat.HttpOnlyCookies
- Java_Medium_Threat.Unvalidated_Forwards
- Java_Medium_Threat.Improper_Restriction_of_XXE_Ref
- Java_Medium_Threat.Heap_Inspection
- Java_Medium_Threat.Inadequate_Encryption_Strength
- Java_Medium_Threat.SSRF
- Java_Medium_Threat.Improper_Restriction_of_Stored_XXE_Ref
- Java_Low_Visibility.Password_In_Comment
- Java_High_Risk.Deserialization_of_Untrusted_Data
- Java_Medium_Threat.Unvalidated_SSL_Certificate_Hostname
- Java_High_Risk.Expression_Language_Injection_OGNL
- Java_High_Risk.Deserialization_of_Untrusted_Data_in_JMS
- Java_Medium_Threat.Missing_HSTS_Header
- Java_Medium_Threat.Unsafe_Object_Binding

Accuracy, as used in the figures below, is measured per query as Accuracy = TP / (TP + FP), where TP is the number of true positive and FP the number of false positive results reported (the quantity more commonly called precision).

Queries affected by the content pack:
Java.Java_Medium_Threat.Improper_Restriction_of_XXE_Ref Java.Java_Low_Visibility.Information_Leak_Through_Persistent_Cookies Java.Java_Best_Coding_Practice.Unused_Variable Java.Java_Android.Copy_Paste_Buffer_Caching Java.Java_Medium_Threat.DB_Parameter_Tampering Java.Java_Low_Visibility.Improper_Exception_Handling Java.Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information Java.Java_Medium_Threat.Trust_Boundary_Violation Java.Java_Medium_Threat.Use_of_Cryptographically_Weak_PRNG Java.Java_Low_Visibility.Potential_ReDoS_In_Replace Java.Java_Potential.Potential_Stored_XSS Java.Java_Best_Coding_Practice.Access_Specifier_Manipulation Java.Java_Low_Visibility.Citrus_Developer_Mode_Enabled Java.Java_Low_Visibility.Collapse_of_Data_into_Unsafe_Value Java.Java_Medium_Threat.SSRF Java.Java_Best_Coding_Practice.finalize_Method_Without_super_finalize Java.Java_Low_Visibility.Portability_Flaw_Locale_Dependent_Comparison Java.Java_Low_Visibility.Uncaught_Exception Java.Java_Best_Coding_Practice.Incorrect_Conversion_between_Numeric_Types Java.Java_Medium_Threat.Spring_ModelView_Injection Java.Java_Stored.Stored_HTTP_Response_Splitting Java.Java_Low_Visibility.Use_Of_Hardcoded_Password Java.Java_Low_Visibility.Information_Exposure_Through_Debug_Log Java.Java_Best_Coding_Practice.Comparison_of_Classes_By_Name Java.Java_Medium_Threat.Stored_LDAP_Injection Java.Java_Low_Visibility.Potential_ReDoS_In_Match Java.Java_Heuristic.Heuristic_SQL_Injection Java.Java_Best_Coding_Practice.Reliance_On_Untrusted_Inputs_In_Security_Decision
Java.Java_Android.Missing_Rooted_Device_Check Java.Java_Low_Visibility.Use_of_Hard_coded_Security_Constants Java.Java_Medium_Threat.Privacy_Violation Java.Java_Android.Client_Side_Injection Java.Java_Low_Visibility.Exposure_of_System_Data Java.Java_Low_Visibility.Serializable_Class_Containing_Sensitive_Data Java.Java_Low_Visibility.Divide_By_Zero Java.Java_Low_Visibility.Incorrect_Permission_Assignment_For_Critical_Resources Java.Java_Low_Visibility.Logic_Time_Bomb Java.Java_Best_Coding_Practice.clone_Method_Without_super_clone Java.Java_Potential.Potential_I_Reflected_XSS_All_Clients Java.Java_High_Risk.Command_Injection Java.Java_Low_Visibility.Potential_ReDoS_By_Injection Java.Java_Medium_Threat.ReDoS_In_Replace Java.Java_Low_Visibility.Relative_Path_Traversal Java.Java_Low_Visibility.Cookie_Overly_Broad_Path Java.Java_Potential.Potential_Resource_Injection Java.Java_High_Risk.Stored_XSS Java.Java_Medium_Threat.External_Control_of_System_or_Config_Setting Java.Java_Best_Coding_Practice.Portability_Flaw_In_File_Separator Java.Java_Best_Coding_Practice.Uncontrolled_Recursion Java.Java_Low_Visibility.Stored_Log_Forging Java.Java_Low_Visibility.Creation_of_Temp_File_With_Insecure_Permissions Java.Java_Best_Coding_Practice.Potentially_Serializable_Class_With_Sensitive_Data Java.Java_Android.Missing_Certificate_Pinning Java.Java_Medium_Threat.ReDoS_In_Match Java.Java_Best_Coding_Practice.Use_of_Wrong_Operator_in_String_Comparison Java.Java_Android.General_Android_Find_Request_Permissions Java.Java_Best_Coding_Practice.Non_serializable_Object_Stored_in_Session Java.Java_Android.Implicit_Intent_With_Read_Write_Permissions Java.Java_Medium_Threat.ReDoS_In_Pattern Java.Java_Low_Visibility.Leaving_Temporary_File Java.Java_Android.Weak_Encryption Java.Java_Low_Visibility.Suspected_XSS Java.Java_Potential.Potential_IO_Reflected_XSS_All_Clients Java.Java_Low_Visibility.Stored_Relative_Path_Traversal Java.Java_Potential.Potential_UTF7_XSS 
Java.Java_Low_Visibility.Improper_Transaction_Handling Java.Java_Stored.Stored_Code_Injection Java.Java_Potential.Potential_Parameter_Tampering Java.Java_High_Risk.Resource_Injection Java.Java_Medium_Threat.Frameable_Login_Page Java.Java_Medium_Threat.Input_Path_Not_Canonicalized Java.Java_Low_Visibility.Stored_Absolute_Path_Traversal Java.Java_Potential.Potential_O_Reflected_XSS_All_Clients Java.Java_Android.Poor_Authorization_and_Authentication Java.Java_Potential.Potential_Use_of_Hard_coded_Cryptographic_Key Java.Java_Medium_Threat.Process_Control Java.Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm Java.Java_High_Risk.Code_Injection Java.Java_Stored.Stored_XPath_Injection Java.Java_Android.Insecure_Data_Storage Java.Java_Low_Visibility.Use_of_Client_Side_Authentication Java.Java_Low_Visibility.UTF7_XSS Java.Java_Low_Visibility.DB_Control_of_System_or_Config_Setting Java.Java_Best_Coding_Practice.Input_Not_Normalized Java.Java_Low_Visibility.Integer_Underflow Java.Java_Medium_Threat.Dangerous_File_Inclusion Java.Java_Medium_Threat.Use_of_Insufficiently_Random_Values Java.Java_Heuristic.Heuristic_DB_Parameter_Tampering Java.Java_Best_Coding_Practice.Use_of_Obsolete_Functions Java.Java_Android.Keyboard_Cache_Information_Leak Java.Java_Medium_Threat.Absolute_Path_Traversal Java.Java_Low_Visibility.Race_Condition_Format_Flaw Java.Java_Medium_Threat.Use_of_a_One_Way_Hash_with_a_Predictable_Salt Java.Java_Medium_Threat.Multiple_Binds_to_the_Same_Port Java.Java_Low_Visibility.Uncontrolled_Memory_Allocation Java.Java_Low_Visibility.Plaintext_Storage_in_a_Cookie Java.Java_GWT.GWT_Reflected_XSS Java.Java_Low_Visibility.Unsynchronized_Access_To_Shared_Data Java.Java_GWT.GWT_DOM_XSS Java.Java_Medium_Threat.Download_of_Code_Without_Integrity_Check Java.Java_Heuristic.Heuristic_Stored_XSS Java.Java_Low_Visibility.Empty_Password_In_Connection_String Java.Java_Low_Visibility.Unrestricted_File_Upload Java.Java_Low_Visibility.Reversible_One_Way_Hash 
Java.Java_Medium_Threat.Unchecked_Input_for_Loop_Condition Java.Java_Potential.Potential_GWT_Reflected_XSS Java.Java_Medium_Threat.ReDoS_From_Regex_Injection Java.Java_Low_Visibility.Insufficiently_Protected_Credentials Java.Java_Low_Visibility.Use_Of_getenv Java.Java_Android.Insufficient_Sensitive_Transport_Layer Java.Java_Potential.Potential_Command_Injection Java.Java_Medium_Threat.Inadequate_Encryption_Strength Java.Java_Potential.Potential_Connection_String_Injection Java.Java_Heuristic.Heuristic_XSRF Java.Java_Low_Visibility.Private_Array_Returned_From_A_Public_Method Java.Java_Low_Visibility.Potential_ReDoS_In_Static_Field Java.Java_Low_Visibility.Improper_Resource_Shutdown_or_Release Java.Java_Low_Visibility.Authorization_Bypass_Through_User_Controlled_SQL_PrimaryKey Java.Java_Best_Coding_Practice.Unclosed_Objects Java.Java_High_Risk.Second_Order_SQL_Injection Java.Java_Low_Visibility.Channel_Accessible_by_NonEndpoint Java.Java_Potential.Potential_XPath_Injection Java.Java_Medium_Threat.Improper_Restriction_of_Stored_XXE_Ref Java.Java_Low_Visibility.Missing_Password_Field_Masking Java.Java_Medium_Threat.Uncontrolled_Format_String Java.Java_Best_Coding_Practice.Explicit_Call_to_Finalize Java.Java_High_Risk.Reflected_XSS_All_Clients Java.Java_Potential.Potential_SQL_Injection Java.Java_Medium_Threat.Use_of_Native_Language Java.Java_Medium_Threat.External_Control_of_Critical_State_Data Java.Java_Low_Visibility.Information_Leak_Through_Shell_Error_Message Java.Java_Medium_Threat.Session_Fixation Java.Java_Low_Visibility.ESAPI_Same_Password_Repeats_Twice Java.Java_Medium_Threat.Hardcoded_password_in_Connection_String Java.Java_Low_Visibility.Public_Data_Assigned_to_Private_Array Java.Java_Low_Visibility.Information_Exposure_Through_Server_Log Java.Java_Low_Visibility.Stored_Command_Injection Java.Java_Medium_Threat.Heap_Inspection Java.Java_Best_Coding_Practice.Use_of_System_Output_Stream Java.Java_High_Risk.Deserialization_of_Untrusted_Data_in_JMS 
Java.Java_Best_Coding_Practice.Hardcoded_Connection_String Java.Java_Android.Android_Improper_Resource_Shutdown_or_Release Java.Java_Medium_Threat.SQL_Injection_Evasion_Attack Java.Java_Low_Visibility.Information_Exposure_Through_an_Error_Message Java.Java_Medium_Threat.XSRF Java.Java_Potential.Potential_Code_Injection Java.Java_High_Risk.Connection_String_Injection Java.Java_Android.Use_of_WebView_AddJavascriptInterface Java.Java_Android.Passing_Non_Encrypted_Data_Between_Activities Java.Java_Android.Side_Channel_Data_Leakage Java.Java_Best_Coding_Practice.ESAPI_Banned_API Java.Java_High_Risk.Expression_Language_Injection_OGNL Java.Java_Low_Visibility.Information_Leak_Through_Comments Java.Java_Potential.Potential_XXE_Injection Java.Java_Stored.Stored_Open_Redirect Java.Java_High_Risk.Expression_Language_Injection_SPEL Java.Java_High_Risk.LDAP_Injection Java.Java_Low_Visibility.Blind_SQL_Injections Java.Java_Android.Insecure_WebView_Usage Java.Java_Low_Visibility.Integer_Overflow Java.Java_Heuristic.Heuristic_2nd_Order_SQL_Injection Java.Java_Low_Visibility.Open_Redirect Java.Java_Medium_Threat.CGI_Reflected_XSS_All_Clients Java.Java_Stored.Stored_Boundary_Violation Java.Java_Heuristic.Heuristic_Parameter_Tampering Java.Java_Medium_Threat.XQuery_Injection Java.Java_Android.Insufficient_Transport_Layer_Protect Java.Java_Low_Visibility.Improper_Resource_Access_Authorization Java.Java_Android.Use_Of_Implicit_Intent_For_Sensitive_Communication Java.Java_High_Risk.XPath_Injection Java.Java_Low_Visibility.Storing_Passwords_in_a_Recoverable_Format Java.Java_Struts.Struts2_Action_Field_Without_Validator Java.Java_Medium_Threat.Cross_Site_History_Manipulation Java.Java_Heuristic.Heuristic_CGI_Stored_XSS Java.Java_Medium_Threat.DoS_by_Sleep Java.Java_Medium_Threat.HttpOnlyCookies Java.Java_Medium_Threat.CGI_Stored_XSS Java.Java_Android.WebView_Cache_Information_Leak Java.Java_Best_Coding_Practice.Dynamic_SQL_Queries Java.Java_Medium_Threat.Plaintext_Storage_of_a_Password 
Java.Java_Medium_Threat.Unvalidated_Forwards Java.Java_Android.Insecure_Data_Storage_Usage Java.Java_Low_Visibility.Parse_Double_DoS Java.Java_GWT.JSON_Hijacking Java.Java_Android.Unsafe_Permission_Check Java.Java_Medium_Threat.HTTP_Response_Splitting Java.Java_Medium_Threat.Parameter_Tampering Java.Java_Medium_Threat.Direct_Use_of_Unsafe_JNI Java.Java_Low_Visibility.TOCTOU Java.Java_Low_Visibility.Escape_False Java.Java_Low_Visibility.Potential_ReDoS Java.Java_Android.Client_Side_ReDoS Java.Java_Low_Visibility.Log_Forging Java.Java_Potential.Potential_LDAP_Injection Java.Java_Potential.Potential_Hardcoded_password_in_Connection_String

In this Ruleset Content Pack the following improvements were made:
- For High Risk queries, accuracy on the Checkmarx Express preset improved by 58%
- For Medium Threat queries, accuracy on the Checkmarx Express preset improved by 97%
- Maintenance on the OWASP Benchmark grade; the score is now 72%
This content pack also fixes an issue with HF integration.