9.3.0 Enterprise Updates

New Features and Changes

Starting with CxSAST v9.3.0, the Access Control and CxEngine parameters in use can be viewed and edited via Environment Properties under Windows Properties. This provides an interface for reconfiguring Access Control and CxEngine parameters after installation. For detailed information, see CxSAST Environment Variables (v9.3.0).

CxSAST (Engine)

Category | Feature / Change | Details

Application Security

Engine Configurations | Scans only the languages relevant to the selected preset. | If the preset is relevant to specific languages only, the scan does not parse other languages. The functionality is turned off by default and is controlled by the flag SCAN_PROJECT_ACCORDING_TO_QUERY_LANGUAGE.
Engine Deployment | Engine on Linux | Introducing CxEngine on Docker Linux. You can now deploy the CxSAST Engine as a Docker container on a Linux host. For additional information and instructions, refer to Installing and Configuring the CxEngine Server on Linux (v9.3.0).
Engine Server

Languages/Frameworks | Kotlin (Server Side)

This version adds and updates support for the latest versions of the Kotlin Server Side frameworks, Ktor and Vert.X.

Support for the following framework features has been added to Ktor:

  • Routing with FreeMarker Template
  • Split Mustache template engine from the Ktor Framework

Support for the following framework features has been added to Vert.X:

  • Queries
  • Type Inferences
  • Resolving Rule link Views with ViewCalls
  • Routing with Template

Additional generic support has been added:

  • Support additional Kotlin constructs required for Spring

Additional information can be found on the dedicated support page at Kotlin for Server Side.

Languages/Frameworks | Apex

This version adds and updates support for the latest versions of Apex that can be activated with the Engine Flag NEW_APEX.

Support for the following language features has been added:

  • Support property setter methods
  • Support DML Statements
  • Support Switch statements (No DOM representation)
  • Support MemberAccess Object.class
  • Support named parameters in ObjectCreate
  • Support multiple statements in getter
  • Support Unary Expressions (DOM Representation)
  • Support Apex in UAST
  • Support List literal declarations (No DOM representation)
  • Support Annotations in Interfaces and Enums
  • Support Associative Arrays
  • Support triggers
  • Support Default Constructor
  • Support Class "Implements" (No DOM representation)

Improved the following queries:

  • Reflected_XSS after UAST adoption
  • Stored_XSS after UAST adoption
  • SOQL_SOSL_Injection after UAST adoption
  • Second_Order_SOQL_SOSL_Injection after UAST adoption
  • CRUD_Delete after UAST adoption
  • FLS_Create after UAST adoption
  • FLS_Create_Partial after UAST adoption
  • FLS_Update after UAST adoption
  • FLS_Update_Partial after UAST adoption

Additional information can be found on the dedicated support page at Apex.

Languages/Frameworks | JavaScript

This version adds and updates ECMAScript support for JavaScript:

  • ECMAScript 2017 (ES8)
  • ECMAScript 2018 (ES9)
  • ECMAScript 2019 (ES10)

Additional information can be found on the dedicated support pages at EcmaScript 10 (2019) and EcmaScript 9 (2018).

Languages/Frameworks | Logs | New metrics have been added to the scan logs: scan coverage by lines.
Vulnerability Descriptions | New and updated vulnerability descriptions | New and updated vulnerability descriptions for this version, giving more detailed guidance for code remediation. The list is available for download from 9.3.0 Vulnerability Queries.
Vulnerability Queries for Presets | Vulnerability Queries according to Presets | Vulnerability Queries according to Presets for this version. The list is available for download from 9.3.0 Vulnerability Queries.
Vulnerability Queries (Full List) | Vulnerability Queries | Vulnerability Queries for this version. The list is available for download from 9.3.0 Vulnerability Queries.
Vulnerability Queries (New and Updated) | New and Updated Vulnerability Queries | New and Updated Vulnerability Queries for this version. The list is available for download from 9.3.0 Vulnerability Queries.

CxSAST (Application)

Category | Feature / Change | Details

CxEnterprise Web Portal Interface | The ability to block, unblock and unregister multiple engine servers has been added to the engine server table on the Engine Management page. | Enables quick blocking and unregistering of multiple engines.
 | The Engine URL on the Engine Management page is clickable. | Users can open the engine service screen with one click.
 | The Engine Management page now displays the engine version. | Displays the version of each engine.
 | New Telerik version | The Telerik version has been upgraded to 2020.1.114.45.
 | M&O: new Tomcat version | The Tomcat server version has been upgraded to 8.5.57.
CxSAST Projects & Scans | An origin URL option has been added when triggering a scan. | Allows users to navigate to the URL of the origin that triggered the scan (e.g. a Jenkins URL).
 | The vulnerability detection date has been added to the Portal. | The vulnerability detection date has been added to the results in the UI and in reports, and allows for different notifications, alerts and views.
CxSAST Results Viewer | Comments are mandatory when changing the result state, if this functionality has been activated. | This functionality is inactive (disabled) by default and can be activated (enabled) in two ways:
  • Requiring a comment when changing the result state to Not Exploitable.
  • Requiring a comment when changing the result state to any other state.
CxSAST Reports | The STIG category has been added to the reports. | Scan results are categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.
Application Settings | Introducing a permission to view results | Adds a permission that allows users to scan projects without being able to display certain results.
Security | A new encryption mechanism has been added. | The encryption key can now be deactivated and is no longer hard-coded.

CxAudit

Category | Feature / Change | Details

CxQL – Query Language | CxQL changes | Updated according to the changes in version 9.3.0.

Known Limitations

Category | Limitation | Details

CxEnterprise Installer | CxSAST and M&O | In unique cases, when Checkmarx (SAST) is installed with M&O (Management and Orchestration) selected, then uninstalled, and then re-installed without M&O selected, the user may have difficulty logging into the Checkmarx Portal for the first time. To resolve this issue, clear the portal’s web storage in the browser settings. The following article explains this procedure: https://www.ghacks.net/2015/02/05/how-to-clear-web-storage-in-your-browser-of-choice/
CxEnterprise Installer | CxSAST and M&O | If Checkmarx (SAST) is installed with M&O (Management and Orchestration) selected, the Management and Orchestration tab is not visible in the Web Portal. To resolve this issue, log out and then log in again.
