Content Pack Version - CP.8.9.0.90212 (multilanguage, C#)
Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts, which affect relevant tables.
Installation
This content pack introduces a new unified installer and includes all the content packs published for version 8.9. It also includes new updates to:
Java
C#
Cobol
Kotlin
Content
Support for Kotlin
14 new queries were added to the Kotlin_Android group. These queries cover client-side validation, improper encryption, and exposure of sensitive data in WebViews. Other existing queries were improved.
Support for Cobol
10 new queries were added to the High Risk, Medium Threat and Low Visibility groups. These queries cover SQL and command injection, XSS, and excessive information exposure issues.
Improvements to reduce the number of false positive findings in Java.
The changes are listed on the CP4 release notes page: Release notes for Content Pack 4 (Java)
Adds support for API Security in Java.
It also includes a new preset (OWASP TOP 10 API).
Further improvements concerning API security were also introduced. They are detailed in the next section.
Improvements to reduce the number of false positive findings in C#.
The improvements for Content Pack 6 are listed in its release notes: Release notes for Content Pack 6 (C#)
Some new improvements were also introduced concerning Medium Threat queries. They are detailed in the next section.
This CP includes OOTB Accuracy content; the Checkmarx Express preset should be used in order to take full advantage of the improvements made by this project.
It also includes API Security content. The OWASP Top 10 API preset should be used in order to take full advantage of the content pack's Java queries for API Security.
As in any CxSAST product release, the Content Pack also resets the Checkmarx built-in presets to their default query sets.
Installation order
This is a cumulative content pack: it can be installed over any of the version 8.9 content packs and does not require other content packs.
OOTB Accuracy Content
This Content Pack (CP) includes improvements to reduce the number of false positive results in C#.
For High Risk queries, the accuracy of the Checkmarx Express preset is improved by 98%.
For Medium Threat queries, the accuracy of the Checkmarx Express preset is improved by 33%.
The following improvements were also made for C# queries:
Improved support for MVC and JSON on Reflected_XSS sinks
Improved outputs for LDAP_Injection
Improved Resource_Injection sanitizers and extended support for AbsInt
Improved CGI_XSS sanitizers when using web applications
Rewrote Heap_Inspection support for properties and elements allocated in stack memory
Improved support for sources of HttpOnlyCookies
Improved Improper_Restriction_of_XXE_Ref to support improved .NET sanitization
Improved MVC_View_Injection to take advantage of AbsInt
Improved support for MVC annotations on No_Request_Validation
Improved filesystem access support for Path_Traversal
Improved Privacy_Violation sink support
Improved support on Session_Fixation for session creation pages
Improved Stored_LDAP_Injection sink support
Extended support in Use_of_Cryptographically_Weak_PRNG for random number generation and for verifying cryptographic use
Improved detection of .NET Core in Check_HSTS_Configuration
Extended heuristic for finding passwords
Improved support for decryption code when checking raw text passwords
Improved Log_Forging sanitizers and sinks
Rewrote the Open_Redirect query
Improved Use_Of_Broken_Or_Risky_Cryptographic_Algorithm to support more crypto algorithms
Improved sanitizers on Use_Of_Hardcoded_Password
Added query Use_of_Insufficiently_Random_Values
Applied best coding practices to the queries
API Security Content
The following improvements regarding the API Security project were also made to Java queries:
Java_High_Risk.Reflected_XSS_All_Clients / Java_High_Risk.Stored_XSS
Isolated Spring API related outputs and sanitizers to reduce web response false positives.
Java_Low_Visibility.Unrestricted_File_Upload
Improved support for MultipartFile Spring parameters without dimension limitations.
Java_Medium_Threat.Unsafe_Object_Binding
Improved object binding for JpaRepository persistence methods.
Java_Best_Coding_Practice.Insufficient_Logging_of_Database_Actions
Improved support for Spring ORM database query executions that are insufficiently logged.
Java_Best_Coding_Practice.Insufficient_Logging_of_Exceptions
Expanded support for missing logging on exception handling in the Spring framework.
The OWASP Benchmark score card value is maintained at 73.
Version Upgrade
When upgrading, it is mandatory to install at least the same content pack number for the newer version (e.g. v8.9 CP9 → v9.0 CP9).
This ensures that the accuracy of the obtained results is maintained across the upgrade.
API1 - Broken Object Level Authorization
Java_Medium_Threat.DB_Parameter_Tampering
Java_Medium_Threat.Heuristic_DB_Parameter_Tampering
API2 - Broken Authentication
Java_Best_Coding_Practice.Hardcoded_Connection_String
NEW Java_Low_Visibility.JWT_Use_Of_None_Algorithm
NEW Java_Low_Visibility.JWT_Excessive_Expiration_Time
Java_Low_Visibility.Hardcoded_AWS_Credentials
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Java_Low_Visibility.Reversible_One_Way_Hash
NEW Java_Medium_Threat.JWT_No_Signature_Verification
NEW Java_Medium_Threat.JWT_Sensitive_Information_Exposure
NEW Java_Medium_Threat.JWT_Lack_Of_Expiration
API3 - Excessive Data Exposure
NEW Java_Low_Visibility.Information_Exposure_Through_Query_String
Java_Low_Visibility.Information_Exposure_Through_an_Error_Message
API4 - Lack of Resources and Rate Limiting
Java_Low_Visibility.Unrestricted_File_Upload
Java_Service.Unchecked_Input_for_Loop_Condition_via_Service
API5 - Broken Function Level Authentication
Java_Low_Visibility.Improper_Resource_Access_Authorization
API6 - Mass Assignment
Java_Medium_Threat.Unsafe_Object_Binding
API7 - Security Misconfiguration
Java_Best_Coding_Practice.Access_Specifier_Manipulation
Java_GWT.JSON_Hijacking
Java_Low_Visibility.Insufficient_Session_Expiration
Java_Low_Visibility.Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute
Java_Medium_Threat.Unsafe_Permission_Check
Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
Java_Medium_Threat.HttpOnlyCookies
Java_Medium_Threat.HttpOnlyCookies_In_Config
Java_Medium_Threat.XSRF
API8 - Injection
Java_Best_Coding_Practice.Dynamic_SQL_Queries
Java_High_Risk.Second_Order_SQL_Injection
Java_Low_Threat.Stored_Command_Injection
NEW Java_Low_Visibility.Stored_Command_Argument_Injection
NEW Java_Low_Visibility.Command_Argument_Injection
Java_Low_Visibility.Improper_Build_Of_Sql_Mapping
Java_Medium_Threat.Stored_LDAP_Injection
Java_High_Risk.SQL_Injection
Java_High_Risk.Command_Injection
Java_High_Risk.LDAP_Injection
Java_High_Risk.Expression_Language_Injection_OGNL
Java_High_Risk.Expression_Language_Injection_SPEL
Java_High_Risk.SQL_Injection_Evasion_Attack
Java_Low_Visibility.Blind_SQL_Injections
API9 - Improper Assets Management
NEW Java_Best_Coding_Practice.Suspicious_Endpoints
API10 - Insufficient Logging and Monitoring
Java_Best_Coding_Practice.Insufficient_Logging_of_Database_Actions
Java_Best_Coding_Practice.Insufficient_Logging_of_Exceptions