9.0.0 Hotfixes

Installation Notes

  • Hotfixes and content packs are cumulative and include previous hotfix/content package updates.
  • The relevant hotfix must be installed on the CxManager, CxEngines and the CxAudit stations, unless otherwise indicated. In a distributed environment, the hotfix must also be installed on the Portal station.
  • After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.

Resolved Issues and Changes


For CxSAST 9.0 HF11 and higher (HF11 improved the accuracy of Client_Potential_XSS and Client_Potential_Code_Injection with respect to jQuery methods), we recommend overriding the three JavaScript queries listed below in CxAudit with the versions shown. The reasoning behind the lists: jQuery methods that return booleans, numbers or positions (hasClass, is, height, offset, ...) cannot carry an attacker-controlled string, so they are treated as sanitizers; jQuery reads of DOM state (val, text, html, attr, prop) are treated as potential inputs.

JavaScript -> General -> JQuery_Sanitize

//Methods that are treated as sanitized in jQuery

CxList Methods = Find_JQuery_Methods();

result = Methods.FindByShortNames(new List<string>{
    "hasClass","is","height","width","innerHeight",
    "innerWidth","outerHeight","outerWidth","offset",
    "position","scrollTop","scrollLeft","inArray",
    "isArray","isEmptyObject","isNumeric","isPlainObject",
    "isWindow","isXMLDoc","type"});

JavaScript_Medium_Threat -> Client_Potential_Code_Injection

CxList inputs = Find_Potential_Inputs();
inputs.Add(Find_JQuery_Methods().FindByShortNames(
new List<string>{"val", "text", "html", "attr", "prop"}));
CxList eval = Find_Outputs_CodeInjection();
CxList sanitize = Sanitize();

CxList lambda = Find_LambdaExpr();
CxList returns = Find_ReturnStmt();

sanitize.Add(All.FindByFathers(returns).GetByAncs(lambda));

result.Add(eval.FindByType(typeof(Param)) * inputs - sanitize);
result.Add(eval.InfluencedByAndNotSanitized(inputs, sanitize, CxList.InfluenceAlgorithmCalculation.NewAlgorithm));
result.Add(Find_Source_Equals_Sink(inputs, eval));

JavaScript_Medium_Threat -> Client_Potential_XSS

CxList inputs = Find_Potential_Inputs();
inputs.Add(Find_JQuery_Methods().FindByShortNames(
  new List<string>{"val", "text", "attr", "prop"}));
CxList outputs = Find_Outputs_XSS();
outputs = outputs - outputs.FindByAssignmentSide(CxList.AssignmentSide.Right);

CxList sanitize = Sanitize();
sanitize.Add(Find_XSS_Sanitize());

CxList outMethods = outputs.FindByType(typeof (MethodInvokeExpr));
CxList outParams = All.GetParameters(outMethods);
outParams -= outParams.FindByShortName("Lambda"); // anonymous functions would double the results
outputs -= outMethods;

CxList outputsParams = All.NewCxList();
outputsParams.Add(outParams);
outputsParams.Add(outputs);

CxList toParms = outputsParams.InfluencedByAndNotSanitized(inputs, sanitize, CxList.InfluenceAlgorithmCalculation.NewAlgorithm);

foreach (CxList curPath in toParms.GetCxListByPath())
{
  CxList lastNode = curPath.GetStartAndEndNodes(CxList.GetStartEndNodesType.EndNodesOnly);
  if ((lastNode * outParams).Count > 0)
  {
    CxList paramMethod = outMethods.FindByParameters(lastNode);
    if (paramMethod.Count == 1)
    {
      result.Add(curPath.ConcatenatePath(paramMethod, false));
    }
  }
  else 
  {
    result.Add(curPath);
  }
}

result.Add(outParams * inputs - sanitize);
result.Add(Find_Source_Equals_Sink(inputs, outputs) - sanitize);

result = result.ReduceFlow(CxList.ReduceFlowType.ReduceBigFlow);
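To make concrete which code patterns the customized queries above are meant to catch, here is an added illustration in JavaScript; it is not part of the Checkmarx release notes or of the Checkmarx query set. It shows a jQuery-style read flowing into an HTML sink (what Client_Potential_XSS reports), the same flow with a sanitizer in between, a boolean read of the kind JQuery_Sanitize lists, and an input flowing into eval (what Client_Potential_Code_Injection reports) beside a hardened variant. To run in Node without a DOM, the element objects, the escapeHtml helper and the attacker payloads are constructed stand-ins and are assumptions, not real jQuery.

```javascript
// Added illustration of the source / sink / sanitizer classes used by the
// customized Client_Potential_XSS and Client_Potential_Code_Injection queries.
// Not Checkmarx code. The element stand-in below replaces the real DOM so the
// file runs in Node; think of .value as $(el).val() and .innerHTML as $(el).html().
function makeElement(value) {
  return { value: String(value), innerHTML: '' };
}

// Assumed sanitizer: minimal HTML escaping. In real code use a vetted encoder
// of the kind Find_XSS_Sanitize recognises.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Source -> sink with no sanitizer: the pattern Client_Potential_XSS flags.
// jQuery equivalent: $('#out').html('<b>' + $('#name').val() + '</b>')
function renderUnsafe(input, out) {
  out.innerHTML = '<b>' + input.value + '</b>';
  return out.innerHTML;
}

// Same flow with the sanitizer on the path: not reported.
function renderSafe(input, out) {
  out.innerHTML = '<b>' + escapeHtml(input.value) + '</b>';
  return out.innerHTML;
}

// A boolean jQuery-style read (cf. hasClass / is in JQuery_Sanitize) cannot
// carry a tainted string into the sink, so this is not a finding either.
function renderFlag(input, out) {
  const filled = input.value.length > 0; // stands in for $(el).hasClass('filled')
  out.innerHTML = filled ? '<i>set</i>' : '<i>empty</i>';
  return out.innerHTML;
}

// Source -> eval: the pattern Client_Potential_Code_Injection flags.
// jQuery equivalent: eval($('#expr').val())
function evaluateUnsafe(input) {
  return eval(input.value); // runs whatever the user typed
}

// Hardened variant: accept only a numeric literal, reject everything else.
function evaluateSafe(input) {
  const m = /^-?\d+(\.\d+)?$/.exec(input.value.trim());
  if (!m) throw new Error('rejected: not a numeric literal');
  return Number(m[0]);
}

// Constructed attacker inputs.
const XSS_PAYLOAD = '<img src=x onerror=alert(1)>';
const CODE_PAYLOAD = '"executed" + (1 + 1)';
```

renderUnsafe() leaves the `<img onerror=...>` markup intact, renderSafe() emits `&lt;img ...&gt;`, and evaluateUnsafe() returns "executed2" because the payload ran as code, while evaluateSafe() rejects it.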


HF21

  • Fixed cases where a lower-level query override existed but the higher-level query was used when the queries ran.
  • Improved Apex language recognition in multi-language mode.
  • Improved the query hierarchy mechanism with respect to teams.
  • Added support in ASP and PHP for files with the .inc extension.
  • Improved JavaScript regular-expression (ReDoS) parsing.
  • Engine improvements to prevent unfinished scans when matching regular-expression patterns.
  • Added a capability in CxAudit for easily extracting the source code related to a query. To enable it, refer to the CxAudit Guide.

HF20

  • Fixed cases of misalignment between Access Control and CxSAST caused by a multi-level hierarchy in the Teams tree.
  • Fixed cases where branched project details could not be retrieved using the API.
  • Post-scan actions now have a defined timeout.
  • Improved the performance of the Scan Manager stop/start actions.
  • Improved the Scanned Languages description on the Scan Summary page when a scan returns zero findings.
  • Fixed cases where the query headline did not appear in the Results Viewer.
  • Fixed cases where the Results Service failed to start due to a missing SQL configuration in the hosts file.
  • Fixed cases where the Results Service failed to start due to a problematic Checkmarx path configuration in the registry.

HF19

  • Customers that use CxSCA can enable an SCA widget that replaces the content of the existing OSA widget, so that CxSCA scan results can be displayed on the CxSAST summary page. For more information, see Displaying CxSCA Scan Results in CxSAST.
  • The User Manager role can now grant roles that it does not hold itself. For more information, see the Access Control Configuration Guide.
  • Improved the error message displayed when a SAML login is attempted without the proper permissions.

HF18

  • Line breaks are now included in scan comments.
  • Fixed cases where the Engine Service was unable to read the status.xml file.
  • Fixed a scan status misalignment in which the status still showed "scanning" after the scan had completed.
  • Performance improvements for Best Fix Location (BFL).
  • Fixed cases where a scan failed to start due to a problematic location in TFS.
  • Fixed cases where email notifications were not sent due to a non-existent email address.
  • Fixed cases where a scan with a pre-scan failed due to a change in the location of the source files.
  • The CxSAST Portal now displays Git branches in all languages.
  • Fixed cases where scans failed due to problematic usage of Git cloning.
  • Fixed cases where the CxSAST Portal was not displayed due to an issue loading the configurations.
  • M&O: Fixed multiple sync issues that caused the ETL to fail.
  • M&O: Fixed a misalignment between the number of projects displayed in the header and the actual number of violated projects on the page.
  • The Global Admin role can now be configured to exclude the CxAudit permission. For more information, see the Access Control Configuration Guide.
  • Improved performance when fetching a large number of users and teams from Active Directory.
  • The Access Control login page now supports logo and background customizations. For details on customizing the login page, see https://checkmarx.atlassian.net/wiki/spaces/KC/pages/2509278584/Customizing+the+Access+Control+Web+Interface+v2.1+and+up.

HF17

  • Fixed cases where an engine scan did not complete successfully but was shown as "Finished" in the Portal.
  • Improved the response time for opening a Projects page containing a large number of projects.
  • Fixed an issue that broke the link to the Git integration if the word 'git' was part of the URL.
  • Improved the response time for opening the Results View for a project with hundreds of results.
  • Improved performance when working with a large number of branches and tags in Git.
  • Fixed cases where an IIS reset caused Teams to lose synchronization between Access Control and CxSAST.
  • The Post Scan Actions field size has been increased to 1000 characters.

HF16

  • Log messages have been improved.
  • Several improvements have been made for Python.
  • Several improvements have been made for Java SQL Injection queries. To apply them, override the general query Find_Plain_Interactive_Inputs as follows:
  1. Open CxAudit.
  2. At the top right of CxAudit, select Edit Queries to open the Edit Queries dialog.
  3. Under Choose a Programming Language, select Java. The application loads all queries for Java.
  4. Click the Query tab to view the Query list.
  5. In the Query list, navigate to Java > Cx > Java_General > Find_Plain_Interactive_Inputs.
  6. Double-click Find_Plain_Interactive_Inputs to open the Queries Source window.
  7. Copy the current content of the query from the Queries Source window; you will paste it in a later step, so keep it in the clipboard.
  8. Right-click the Find_Plain_Interactive_Inputs query and select Override > All Projects Under Corp.
  9. Delete the line that appears by default and looks like this:
    result = base.Find_Plain_Interactive_Inputs() ;
  10. Paste the previously copied content of the query.
  11. Navigate to line 111, press <Enter> and then paste the following code. It adds the ActionForm field references that are reached through the generated getters to the set of interactive inputs (actionFormParam):
    // Generated getter/setter loop of the ActionForm classes
    CxList cx_virtual = methodDecl.FindByShortName("cx_virtual_getters_setters_loop").GetByAncs(actionFormClasses);
    // Getters inside that loop (response writes are already excluded)
    CxList getterSetters = notResponseWrite.FindByShortName("get*").GetByAncs(cx_virtual);
    // All references to fields declared in the ActionForm classes
    CxList fieldsRefs = All.FindAllReferences(Find_Field_Decl().GetByAncs(actionFormClasses));
    // Field references influenced by the getters become interactive inputs
    actionFormParam.Add(fieldsRefs.DataInfluencedBy(getterSetters)
        .ReduceFlow(CxList.ReduceFlowType.ReduceSmallFlow)
        .GetStartAndEndNodes(CxList.GetStartEndNodesType.EndNodesOnly));
  12. Press <CTRL>+<S> or use the Save All Queries option to save the new query.

  The image below illustrates the exact location of the new code. The red arrow marks line 111 and the added code is highlighted green.

  • Several improvements have been made for Swift parsing.
  • Fixed a performance issue in C++ scans.
  • Missing Japanese query descriptions have been added.

HF15

  • Fixed an issue that caused results to be hidden after upgrading CxSAST.
  • "_" can now be used as part of template names.
  • Line breaks are now included with scan comments.
  • Added events for deleting team members when the entire team is deleted.
  • The first character of a team name must be an alphanumeric character.
  • For authentication via LDAP, paging has been added for cases where a large number of LDAP users is returned.
  • Added support for a CxSAST cluster with a single Access Control.
  • Corrected the display of teams to reflect their correct hierarchy.
  • Fixed an issue that caused scans to fail after ScanDetails.xml was read before the file had been created.
  • Fixed errors that caused incremental scans to be logged with a wrong path, which caused the scan to get stuck.

HF14

  • Introduced a personal access token (PAT) for GitHub integration (as part of the deprecation of GitHub's basic authentication). Previously created webhooks with basic authentication continue to operate, but when a previously created webhook project is triggered without a PAT, Commit Comment is unavailable. To make Commit Comment available, switch to a PAT on all GitHub-related projects.
  • Triggering a new scan from the plugins no longer requires the 'Create Project' or 'Edit Project' permissions.

HF13

  • Improved the ASP queries with Find_Interactive_Inputs elements.
  • Fixed an issue that caused a scan to get stuck because the AMQ got stuck; this was caused by a query that returned a large number of results.

HF12

  • Fixed an issue that caused the creation of new projects to hang.
  • Fixed the token lifetime issue that caused scans initiated from plugins to fail.
  • Support for opening a Jira ticket has been added for cases where the Security Level field is mandatory.
  • Fixed an issue that caused postponed scans to fail.
  • Improved performance on hosts with many CPUs.
  • The hotfix version is now listed in the engine log.
  • Added an error message to the log for cases where a CxOSA scan was successful but returned no results.
  • Fixed a case where the length of a specific field in the CxOSA risk report exceeded a predefined limit.
  • For new projects, CxOSA now identifies scanned libraries using their relevant package managers by default.
  • Security fixes; refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.
  • Apache Tomcat has been upgraded to version 8.5.57.
  • Group DNs in LDAP Role Mapping are no longer case sensitive.
  • It is now possible to sort users in Teams tables.
  • The Team name size has been increased to up to 128 characters.

HF11

  • Fixed a JavaScript issue that caused a memory leak.
  • Improved Client_Potential_XSS and Client_Potential_Code_Injection accuracy regarding jQuery methods (see the recommended query customizations above).
  • Improved the import mechanism that caused a false negative in Client_DOM_XSS.
  • Fixed an issue in Kotlin that caused scan failures.
  • Fixed an issue with the TypeScript to JavaScript database migration.
  • Fixed a sorting issue that caused some projects not to be displayed in CxAudit.
  • Improved performance on hosts with many CPUs.
  • Fixed cases where a scan froze due to an exception in a query.

HF10

  • Access Control: enhanced SAML support, now allowing team and role mappings with proprietary SAML assertion attribute values.

HF9

  • Fixed various issues that affected working with the Security Gate license.
  • Improved date format alignment across the various components.
  • Fixed a synchronization issue between CxOSA and M&O.
  • Security fix; refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.
  • Fixed issues that caused users to be set to 'inactive' after the server restarted.
  • LDAP mapping is now case insensitive.

Known Limitations

If you are unable to log on to Access Control after installing HF9, clear the browser cache and browsing history. For further information, refer to Chrome: Clear cache & cookies or How to clear the Firefox cache, depending on the browser in use.

HF8

  • Added the ability to select a default role and a default team when using LDAP Advanced mapping. For further information, refer to Settings Tab - LDAP Server Settings (v2.0 and up).
  • Removed the maximum length limitation for LDAP group mappings.
  • Fixed cases in which users assigned to a large number of teams could not log in.
  • SAML: user email addresses are now case insensitive.
  • Improved OData API support for cases where the database password includes special characters.
  • Fixed the OData API call when QueryName is null.
  • Fixed cases where incremental scans were reverted to full scans but were still presented as incremental.
  • Security fix; refer to https://checkmarx.force.com/CheckmarxCustomerServiceCommunity/s/article/Checkmarx-Security-Updates for additional information.
  • Fixed issues that caused the source file folder of failed scans to remain although data retention was expected to delete it.
  • Fixed issues that caused the scan folders of running scans to be deleted.

HF7

  • The scan logs downloaded from the CxSAST portal now include the previously missing engine service logs.
  • Fixed an issue that caused specific folders not to be found during the scan cleanup process.
  • Fixed SSL offloading cases for load balancers.
  • Fixed an issue where the SAST tab editor stopped responding if an illegal string was entered.
  • Fixed issues that caused scans to fail due to a location change of the Git repository.
  • Fixed an issue in Swagger that prevented projects from being scanned.
  • Fixed an issue that caused OSA requests to fail with the error APIVersionUndefined, which froze page loading.
  • Fixed an issue that caused errors on some portal pages when using the Security Gate license.

HF6

  • Fixed various cases that caused scans to run indefinitely.

HF5

  • Introduced a new permission, "view-results". It separates the ability to view results from any other permission and is added to every predefined role.

HF4

  • A new mechanism has been introduced to abort scans when the system runs low on memory, to prevent the engine from jamming. The configuration keys are:
    WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY: enables the mechanism (default: false, disabled)
    WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT: maximum percentage of used memory before a scan is aborted (default: 96%)
    WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB: the MAX_USAGE_PERCENT condition is only checked once free system memory drops below this value (default: 1024 MB)
    WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER: number of consecutive low-memory checks required before the scan is aborted, so that a single memory peak does not abort a scan (default: 5)
  • Improvements for Go support.
  • Improvements for the query override system.
  • Improved Active-MQ heap configuration.
  • Improved Active-MQ log configuration, which prevents log clogging.
  • Various Git/BitBucket integration improvements.
  • Jira Cloud integration: fixed cases in which the system was unable to send the report due to a missing mandatory field.
  • CxOSA detects more libraries when scanning a project with a complex structure.
  • New AMQ and FSA versions.
  • Various security fixes for M&O and OSA.
  • QMA configuration files may be overwritten when installing a hotfix (HF). If you have changed them, back them up beforehand.
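The four watchdog keys interact in a way the one-line descriptions only hint at: the percentage check is gated by the free-memory floor, and the abort only fires after the low-memory condition has held for COUNTER consecutive checks. The following is an added simulation of that logic written from the release-note text; it is not the Checkmarx engine's implementation, and the sampling interval, the exact comparison operators and the memory series are assumptions.

```javascript
// Added simulation of the HF4 low-memory watchdog. Not Checkmarx code: it
// models the documented semantics of the four keys, nothing more.
const WATCHDOG_DEFAULTS = {
  WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY: false,
  WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT: 96,
  WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB: 1024,
  WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER: 5,
};

// A sample is { totalMb, availMb } for the whole host at one check.
function isLowMemory(sample, cfg) {
  // The MAX_USAGE_PERCENT condition is only evaluated once free memory is
  // below MIN_AVAIL_MB; with plenty of free memory the check is skipped.
  if (sample.availMb >= cfg.WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MIN_AVAIL_MB) return false;
  const usedPercent = (100 * (sample.totalMb - sample.availMb)) / sample.totalMb;
  return usedPercent > cfg.WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_MAX_USAGE_PERCENT;
}

// Walk a series of checks and return the index at which the scan would be
// aborted, or -1 if it survives. One good sample resets the streak, which
// is what makes a single memory peak harmless.
function abortIndex(samples, overrides = {}) {
  const cfg = { ...WATCHDOG_DEFAULTS, ...overrides };
  if (!cfg.WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY) return -1;
  let streak = 0;
  for (let i = 0; i < samples.length; i++) {
    streak = isLowMemory(samples[i], cfg) ? streak + 1 : 0;
    if (streak >= cfg.WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY_COUNTER) return i;
  }
  return -1;
}

// Constructed sample series (free memory in MB at each check).
function series(totalMb, avails) {
  return avails.map((availMb) => ({ totalMb, availMb }));
}
const ENABLED = { WATCHDOG_ABORT_SCAN_ON_LOW_MEMORY: true };
// 32 GB host, 900 MB free is 97.25% used: over the 96% limit.
const SUSTAINED = series(32768, [4000, 900, 900, 900, 900, 900]);
// Same host, but the pressure never lasts five checks in a row.
const SINGLE_SPIKE = series(32768, [4000, 900, 4000, 900, 900, 900, 900]);
// 8 GB host: 900 MB free is under the 1024 MB floor, but only 89% used,
// so the percentage check fails and the scan is left alone.
const SMALL_HOST = series(8192, [900, 900, 900, 900, 900, 900]);
```

With the defaults the mechanism is off, so abortIndex(SUSTAINED) is -1; enabling it aborts SUSTAINED at the fifth consecutive low sample (index 5), while SINGLE_SPIKE and SMALL_HOST survive for the two different reasons noted in the comments.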

HF3

  • Access Control version 2.0.1.116 has been added to allow CxSAST to operate in Master Access Control mode and to connect to Multi-Tenant Access Control.
  • Improved the Chinese translation in the CxSAST portal.
  • Various security issues have been fixed.
  • Fixed cases where the scan manager stopped responding and was unable to process additional scans due to a problematic file.
  • Fixed OData calls to ensure that scan results are obtained using Query Group or Query Team.
  • Corrected the file size calculations for cases where the file size parameter was changed to a larger value.
  • Added a warning during installation about new .NET Core prerequisites (ASP.NET Core 2.1.16 is required).

HF2

  • Improved C++ parsing for the Integer_Overflow query and the JSON file that defines global includes under Linux.
  • Added a missing flow in Python.
  • Improved versions of the Apex Reflected_XSS query and the Visualforce pre-processed files.
  • Fixed JavaScript scan aborts and concurrency issues in some Lightning queries.
  • Improved the App_Transport_Security_Bypass query in Objective-C.
  • Java now recognizes the final modifier.
  • Improved Handlebars support.
  • Various internal and log improvements.

HF1

  • Access Control supports Advanced Role Mapping with a semicolon placed between the roles when Active Directory groups are linked to one role.
  • Fixed a login issue caused by the SameSite cookie behaviour recently introduced in Chrome.

Known Limitations

If you use HTTP, Access Control and CxSAST cannot be hosted on different servers if SameSite Cookie is enabled: a cookie that has to be sent cross-site needs SameSite=None, and Chrome only accepts SameSite=None cookies that are also marked Secure, which requires HTTPS.
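The limitation follows from the cookie rules Chrome 80 and later (and other Chromium-based browsers) apply. The following added check, which is not Checkmarx code, encodes those rules for a Set-Cookie value and a later request so the two deployments can be compared: same host over HTTP, and separate hosts over HTTP versus HTTPS. The cookie name and header values are constructed, and the request descriptions are assumptions about what the login flow needs.

```javascript
// Added example, not Checkmarx code. Rules modelled (Chromium behaviour):
//  - a cookie without a SameSite attribute is treated as SameSite=Lax;
//  - SameSite=None is only accepted if the cookie is also Secure;
//  - a Secure cookie set by an http:// response is rejected;
//  - Lax cookies are sent cross-site only on top-level GET navigations,
//    Strict cookies never, None cookies always.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: nameValue.split('=')[0], secure: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase() || 'lax';
  }
  return cookie;
}

// scheme: scheme of the response that set the cookie ('http' or 'https').
// request: { crossSite, topLevelGet } describing a later request that needs
// the cookie, e.g. the browser posting a login response from Access Control
// back to the CxSAST portal on another host (assumed flow).
function cookieDelivered(header, scheme, request) {
  const c = parseSetCookie(header);
  if (c.secure && scheme !== 'https') {
    return { delivered: false, reason: 'Secure cookie set over http is rejected' };
  }
  if (c.sameSite === 'none' && !c.secure) {
    return { delivered: false, reason: 'SameSite=None requires Secure' };
  }
  if (!request.crossSite) return { delivered: true, reason: 'same-site request' };
  if (c.sameSite === 'none') return { delivered: true, reason: 'SameSite=None; Secure over https' };
  if (c.sameSite === 'lax' && request.topLevelGet) {
    return { delivered: true, reason: 'Lax cookies ride on top-level GET navigations' };
  }
  return { delivered: false, reason: 'SameSite=' + c.sameSite + ' is withheld on this cross-site request' };
}

// Constructed cookies for the two deployments in the release note.
const DEFAULT_COOKIE = 'CxSession=abc123; Path=/; HttpOnly';              // no SameSite: Lax
const CROSS_SITE_COOKIE = 'CxSession=abc123; Path=/; HttpOnly; SameSite=None; Secure';
const CROSS_SITE_POST = { crossSite: true, topLevelGet: false };
const SAME_SITE_POST = { crossSite: false, topLevelGet: false };
```

Same host over HTTP works with the default cookie because the request is same-site. Separate hosts over HTTP fail either way: the Lax default is withheld on the cross-site POST, and the SameSite=None; Secure variant is rejected at set time because it arrived over http. Only separate hosts over HTTPS with SameSite=None; Secure deliver the cookie.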
