Content Pack Version - CP.8.9.0.90212 (multilanguage, C#)

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts, which affect relevant tables.

Installation

This content pack introduces a new unified installer and includes all the content packs published for version 8.9. It also includes new updates to:

  • Java

  • C#

  • Cobol

  • Kotlin

Content

  • Support for Kotlin
    14 new queries were added to the Kotlin_Android group. These queries cover client-side validation, improper encryption and exposure of sensitive data in WebViews. Other existing queries were improved.

Kotlin.Kotlin_Android.Allowed_Backup
Kotlin.Kotlin_Android.Client_Side_Injection
Kotlin.Kotlin_Android.Client_Side_ReDoS
Kotlin.Kotlin_Android.Communication_Over_HTTP
Kotlin.Kotlin_Android.Copy_Paste_Buffer_Caching
Kotlin.Kotlin_Android.Failure_to_Implement_Least_Privilege
Kotlin.Kotlin_Android.Improper_Certificate_Validation
Kotlin.Kotlin_Android.Improper_Verification_Of_Intent_By_Broadcast_Receiver
Kotlin.Kotlin_Android.Insecure_WebView_Usage
Kotlin.Kotlin_Android.Non_Encrypted_Data_Storage
Kotlin.Kotlin_Android.Passing_Non_Encrypted_Data_Between_Activities
Kotlin.Kotlin_Android.Privacy_Violation
Kotlin.Kotlin_Android.ProGuard_Obfuscation_Not_In_Use
Kotlin.Kotlin_Android.Reuse_of_Cryptographic_Key
Kotlin.Kotlin_Android.Screen_Caching
Kotlin.Kotlin_Android.Sensitive_Information_Over_HTTP
Kotlin.Kotlin_Android.Unsafe_Permission_Check
Kotlin.Kotlin_Android.Use_Of_Implicit_Intent_For_Sensitive_Communication
Kotlin.Kotlin_Android.WebView_Cache_Information_Leak

  • Support for Cobol
    10 new queries were added to the High Risk, Medium Threat and Low Visibility groups. These queries cover SQL and command injection, XSS and excessive information exposure.

Cobol.Cobol_Heuristic.Possible_Module_Injection
Cobol.Cobol_High_Risk.Command_Injection
Cobol.Cobol_High_Risk.Module_Injection
Cobol.Cobol_High_Risk.Reflected_XSS_All_Clients
Cobol.Cobol_High_Risk.Resource_Injection
Cobol.Cobol_High_Risk.Sql_Injection
Cobol.Cobol_Low_Visibility.Information_Leak_Through_Comments
Cobol.Cobol_Low_Visibility.Use_Of_Hardcoded_Password
Cobol.Cobol_Medium_Threat.Ignored_Error_Conditions
Cobol.Cobol_Medium_Threat.Path_Traversal

  • Improvements that reduce false positive findings in Java.

  • Adds API Security support for Java.

    • It also includes a new preset (OWASP TOP 10 API).

    • Further improvements concerning API security were introduced. They are detailed in the API Security Content section below.

  • Improvements that reduce false positive findings in C#.

    • The improvements from Content Pack 6 are described in its own release notes: Release notes for Content Pack 6 (C#)

    • Some new improvements were also introduced concerning Medium Threat queries. They are detailed in the OOTB Accuracy Content section below.

This CP includes OOTB Accuracy content; the Checkmarx Express preset should be used to take full advantage of the improvements made by that project.
It also includes API Security content; the OWASP Top 10 API preset should be used to take full advantage of the Java API Security queries in this content pack.
As in any CxSAST product release, the Content Pack also resets the Checkmarx built-in presets to their default query sets.

Installation order
This is a cumulative content pack: it can be installed over any of the version 8.9 content packs and does not require other content packs.

OOTB Accuracy Content

This Content Pack (CP) includes improvements for reducing the amount of false positive results in C#.

  • For High Risk queries, accuracy on the Checkmarx Express preset is improved by 98%

  • For Medium Threat queries, accuracy on the Checkmarx Express preset is improved by 33%

The following improvements were also made for C# queries:

  • Improved support for MVC and JSON on Reflected_XSS sinks

  • Improved outputs for LDAP_Injection

  • Improved Resource_Injection sanitizers and extended support for AbsInt

  • Improved CGI_XSS sanitizers when using web applications

  • Rewritten Heap_Inspection support for properties and stack memory allocated elements

  • Improved support for sources of HttpOnlyCookies

  • Improved Improper_Restriction_of_XXE_Ref to support improved .NET sanitization

  • Improved MVC_View_Injection to take advantage of AbsInt

  • Improved support for MVC annotations on No_Request_Validation

  • Improved filesystem access support for Path_Traversal

  • Improved Privacy_Violation sink support

  • Improved support on Session_Fixation for session creation pages

  • Improved Stored_LDAP_Injection sink support

  • Extended support on Use_of_Cryptographically_Weak_PRNG for random number generation and assurance of cryptographic use

  • Improved detection of .NET Core on Check_HSTS_Configuration

  • Extended heuristic for finding passwords

  • Improved support for decryption code when checking raw text passwords

  • Improved Log_Forging sanitizers and sinks

  • Rewritten the Open_Redirect query

  • Improved Use_Of_Broken_Or_Risky_Cryptographic_Algorithm to support more crypto algorithms

  • Improved sanitizers on Use_Of_Hardcoded_Password

  • Added query Use_of_Insufficiently_Random_Values

  • Applied best coding practices on the queries

API Security Content

The following improvements regarding API Security project were also made for Java queries:

  • Java_High_Risk.Reflected_XSS_All_Clients/Java_High_Risk.Stored_XSS
    Isolated Spring API related outputs and sanitizers to reduce web response false positives.

  • Java_Low_Visibility.Unrestricted_File_Upload
    Improved support for MultipartFile Spring parameters without dimension limitations.

  • Java_Medium_Threat.Unsafe_Object_Binding
    Improved object binding for JpaRepository persistence methods.

  • Java_Best_Coding_Practice.Insufficient_Logging_of_Database_Actions
    Improved support for Spring ORM database query executions that are insufficiently logged.

  • Java_Best_Coding_Practice.Insufficient_Logging_of_Exceptions
    Expanded support for missing logging on exception handling for Spring framework.

The OWASP Benchmark scorecard value is maintained at 73.

Version Upgrade
It is mandatory to install at least the same content pack number when upgrading to a newer version (e.g. v8.9 CP9 → v9.0 CP9).
This ensures that the accuracy of the obtained results is maintained across the upgrade.

The following new Java queries were added for API Security:

Java_Low_Visibility.JWT_Use_Of_None_Algorithm
Java_Low_Visibility.JWT_Excessive_Expiration_Time
Java_Medium_Threat.JWT_No_Signature_Verification
Java_Medium_Threat.JWT_Sensitive_Information_Exposure
Java_Medium_Threat.JWT_Lack_Of_Expiration
Java_Low_Visibility.Information_Exposure_Through_Query_String
Java_Low_Visibility.Stored_Command_Argument_Injection
Java_Low_Visibility.Command_Argument_Injection
Java_Best_Coding_Practice.Suspicious_Endpoints

The following is a list of queries that had major changes in order to better find results regarding Spring in particular and API Security in general.

Java_High_Risk.Reflected_XSS_All_Clients/Java_High_Risk.Stored_XSS - The query treats Spring API-related outputs (specifically, parameters of servlet response outputs such as append, write, setContentType, etc.) as sanitizers, ruling out some possible false positives.

Java_Low_Visibility.Unrestricted_File_Upload - The query recognizes MultipartFile parameters annotated with the Spring RequestParam annotation that are not sanitized by spring.servlet.multipart.max as an indication of a file upload without restrictions.

Java_Medium_Threat.Unsafe_Object_Binding - The query recognizes the save methods (save, saveAll, saveFlush) of JpaRepository subclasses as object-binding points when they are influenced by unsanitized request parameters.

Java_Best_Coding_Practice.Insufficient_Logging_of_Database_Actions - The query will recognize Spring-specific database actions (save, update, alter, etc.) associated with Spring Hibernate methods like execute, doExecute, etc. that are insufficiently logged.

Java_Best_Coding_Practice.Insufficient_Logging_of_Exceptions - The query will recognize methods annotated with Spring annotation ExceptionHandler as sanitizers.

Moreover, almost all Java queries were brought in line with CxQL best coding practices.
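As an added illustration of two of the Spring patterns described above, the following example shows the code shapes the Unsafe_Object_Binding and Unrestricted_File_Upload queries are described as flagging, next to their hardened forms. This is example code written for these notes, not Checkmarx query source or code from any project; the Account entity, AccountRepository, the controllers, their endpoint paths and the 1 MiB limit are all invented for the illustration.

```java
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.server.ResponseStatusException;
import jakarta.persistence.Entity;   // javax.persistence on Spring Boot 2.x
import jakarta.persistence.Id;

// Hypothetical JPA entity. Note the privileged 'admin' field.
@Entity
class Account {
    @Id public Long id;
    public String email;
    public boolean admin;   // must never be settable by an API caller
}

// Hypothetical Spring Data repository. Its save/saveAll/saveAndFlush
// methods are the persistence points the Unsafe_Object_Binding query inspects.
interface AccountRepository extends JpaRepository<Account, Long> {}

// Shapes the queries are described as flagging (kept under /legacy so both
// controllers can coexist in one illustration).
@RestController
class FlaggedController {
    private final AccountRepository accounts;
    FlaggedController(AccountRepository accounts) { this.accounts = accounts; }

    // Unsafe_Object_Binding: the request body is bound straight onto the
    // entity and saved, so a caller controls every field, including 'admin'.
    @PostMapping("/legacy/accounts")
    public Account create(@RequestBody Account fromRequest) {
        return accounts.save(fromRequest);
    }

    // Unrestricted_File_Upload: a MultipartFile @RequestParam with no size
    // limit configured (no spring.servlet.multipart.max-file-size property)
    // and no size check in code.
    @PostMapping("/legacy/avatar")
    public String upload(@RequestParam("file") MultipartFile file) {
        return "stored " + file.getOriginalFilename();
    }
}

// Hardened forms.
@RestController
class HardenedController {
    // Upper bound chosen for this example; mirror it in application.properties
    // as spring.servlet.multipart.max-file-size=1MB so the container enforces it too.
    private static final long MAX_AVATAR_BYTES = 1_048_576L;
    private final AccountRepository accounts;
    HardenedController(AccountRepository accounts) { this.accounts = accounts; }

    // A request DTO exposes only the fields a caller may set; 'admin' is absent.
    record CreateAccountRequest(String email) {}

    @PostMapping("/accounts")
    public Account create(@RequestBody CreateAccountRequest req) {
        Account a = new Account();
        a.email = req.email();   // explicit, field-by-field copy
        a.admin = false;         // privilege is decided server-side, never bound
        return accounts.save(a);
    }

    // The handler checks the size itself in addition to the global property,
    // so the restriction is visible right at the upload sink.
    @PostMapping("/avatar")
    public String upload(@RequestParam("file") MultipartFile file) {
        if (file.isEmpty() || file.getSize() > MAX_AVATAR_BYTES) {
            throw new ResponseStatusException(HttpStatus.PAYLOAD_TOO_LARGE, "avatar exceeds limit");
        }
        return "stored " + file.getOriginalFilename();
    }
}
```

The DTO approach is the usual fix for API6 Mass Assignment: the binding target no longer shares fields with the persisted entity, so a JSON body containing "admin": true has nothing to land on. For the upload, the property-based limit and the in-code check are complementary; the property protects every multipart endpoint at once, while the explicit check documents the intended bound at the sink and survives a change of deployment configuration.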

The OWASP Top 10 API preset groups the following Java queries by API category (NEW marks queries added in this content pack):

  • API1 - Broken Object Level Authorization
    Java_Medium_Threat.DB_Parameter_Tampering
    Java_Medium_Threat.Heuristic_DB_Parameter_Tampering

  • API2 - Broken Authentication
    Java_Best_Coding_Practice.Hardcoded_Connection_String
    NEW Java_Low_Visibility.JWT_Use_Of_None_Algorithm
    NEW Java_Low_Visibility.JWT_Excessive_Expiration_Time
    Java_Low_Visibility.Hardcoded_AWS_Credentials
    Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
    Java_Low_Visibility.Reversible_One_Way_Hash
    NEW Java_Medium_Threat.JWT_No_Signature_Verification
    NEW Java_Medium_Threat.JWT_Sensitive_Information_Exposure
    NEW Java_Medium_Threat.JWT_Lack_Of_Expiration

  • API3 - Excessive Data Exposure
    NEW Java_Low_Visibility.Information_Exposure_Through_Query_String
    Java_Low_Visibility.Information_Exposure_Through_an_Error_Message

  • API4 - Lack of Resources and Rate Limiting
    Java_Low_Visibility.Unrestricted_File_Upload
    Java_Service.Unchecked_Input_for_Loop_Condition_via_Service

  • API5 - Broken Function Level Authorization
    Java_Low_Visibility.Improper_Resource_Access_Authorization

  • API6 - Mass Assignment
    Java_Medium_Threat.Unsafe_Object_Binding

  • API7 - Security Misconfiguration
    Java_Best_Coding_Practice.Access_Specifier_Manipulation
    Java_GWT.JSON_Hijacking
    Java_Low_Visibility.Insufficient_Session_Expiration
    Java_Low_Visibility.Sensitive_Cookie_in_HTTPS_Session_Without_Secure_Attribute
    Java_Medium_Threat.Unsafe_Permission_Check
    Java_Medium_Threat.Cleartext_Submission_of_Sensitive_Information
    Java_Medium_Threat.HttpOnlyCookies
    Java_Medium_Threat.HttpOnlyCookies_In_Config
    Java_Medium_Threat.XSRF

  • API8 - Injection
    Java_Best_Coding_Practice.Dynamic_SQL_Queries
    Java_High_Risk.Second_Order_SQL_Injection
    Java_Low_Threat.Stored_Command_Injection
    NEW Java_Low_Visibility.Stored_Command_Argument_Injection
    NEW Java_Low_Visibility.Command_Argument_Injection
    Java_Low_Visibility.Improper_Build_Of_Sql_Mapping
    Java_Medium_Threat.Stored_LDAP_Injection
    Java_High_Risk.SQL_Injection
    Java_High_Risk.Command_Injection
    Java_High_Risk.LDAP_Injection
    Java_High_Risk.Expression_Language_Injection_OGNL
    Java_High_Risk.Expression_Language_Injection_SPEL
    Java_High_Risk.SQL_Injection_Evasion_Attack
    Java_Low_Visibility.Blind_SQL_Injections

  • API9 - Improper Assets Management
    NEW Java_Best_Coding_Practice.Suspicious_Endpoints

  • API10 - Insufficient Logging and Monitoring
    Java_Best_Coding_Practice.Insufficient_Logging_of_Database_Actions
    Java_Best_Coding_Practice.Insufficient_Logging_of_Exceptions

Frequently asked questions

Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v8.9.0.

Which languages were targeted in this Content Pack?
This Content Pack provides improvements for Java, C#, Kotlin and Cobol.

Can this Content Pack be installed on top of other Content Packs?
Yes, this content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e. it is cumulative.

Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All content packs are cumulative, meaning that each can be installed over existing content packs.

Can this Content Pack be used with Content Pack 6 (for C#)?
Yes it can. It will override CP6 content.

Is there any order of installation between this Content Pack and Content Pack 6 (for C#)?
Yes, but there is no need to install other Content Packs, since this content pack includes all previous ones.

Can this Content Pack be installed in further versions, like CxSAST 9.0?
No. CxSAST 9.0 has its own Content Pack available.

Does this Content Pack depend on any HotFix?
Yes. HF16 for CxSAST v8.9.0 is a mandatory installation, even if no Content Packs are installed. The Content Pack installer enforces that HF16 or a later hotfix is installed.