Content Pack Version - CP.9.2.0.13031 (Java)

Each content pack (CP) for API Security contains a new or refactored set of queries targeting API-related vulnerabilities. It aims at reducing the number of false negative (FN) results in API projects while keeping the general accuracy of the queries.

This content pack uses the unified installer and includes all previous content packs published for version 9.2. It includes updates for Java, C# and JavaScript.

  • Improvements to reduce the number of false positive findings in C#, and OWASP Top 10 API support in Java.

    • The changes provided can be found in the next section.

  • This content pack includes OOTB Accuracy content. Checkmarx Express presets should be used to take full advantage of improvements performed by this project.

  • It includes API Security content. OWASP Top 10 API presets should be used to take full advantage of the content pack queries on Java for API Security.

  • As in any CxSAST product release, the content pack also resets the Checkmarx built-in presets to their default query set.

Installation order
This is a cumulative content pack: it can be installed over any of the previous version 9.2 content packs and does not require other content packs.

Dependencies
HotFix 7 is required for this content pack.

This content pack includes improvements in the OWASP TOP 10 API queries.

API Security Content

The following improvements have been made for Java queries (even though not all are related to the API Security Preset):

  • Java_High_Risk.Reflected_XSS_All_Clients
    Updated to remove FP results that appear on API code.

  • Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
    Updated to find results associated with weak types like RC2, RC4, ARCFOUR or Blowfish.

  • Java_Medium_Threat.Excessive_Data_Exposure
    Updated to take annotations like @JsonIgnore, @JsonIgnoreProperties, @JsonFilter and @JsonIgnoreType into account to ignore sensitive data, and to disregard hardcoded DTO classes.

  • Java_Medium_Threat.JWT_No_Signature_Verification
    Improved the query to consider return values that are influenced by inputs in resolveSigningKeyBytes methods.

  • Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
    Improved performance only.

  • Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
    Improved performance only.
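As an added illustration of the code patterns two of the updated queries look for (this is example code written for these notes, not Checkmarx query source or sample code from the release): Use_of_Broken_or_Risky_Cryptographic_Algorithm flags transformation strings such as "RC4", and Excessive_Data_Exposure now treats Jackson's @JsonIgnore and @JsonIgnoreProperties as excluding fields from the serialized response. The class name, field names and sample values below are constructed; the code assumes only the standard JCE provider and jackson-databind on the classpath.

```java
// Added example, not part of the content pack: the weak-cipher pattern the query flags,
// its hardened AES-GCM counterpart, and a DTO whose sensitive fields are excluded
// from serialization via the Jackson annotations the updated query now recognises.
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ContentPackPatterns {

    // Pattern flagged by Use_of_Broken_or_Risky_Cryptographic_Algorithm:
    // "RC2", "RC4", "ARCFOUR" and "Blowfish" are all reported as weak.
    static Cipher weakCipher() throws Exception {
        return Cipher.getInstance("RC4"); // flagged: obsolete stream cipher
    }

    // Hardened form: AES in GCM mode, fresh random 96-bit nonce per message,
    // nonce prepended to the ciphertext so the receiver can decrypt.
    static byte[] encryptAesGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Excessive_Data_Exposure: a DTO returned from a REST controller. Without the
    // annotations, passwordHash and ssn would be written into the API response.
    @JsonIgnoreProperties({"ssn"})      // class-level exclusion (recognised by the query)
    static class UserDto {
        public String username;
        @JsonIgnore                     // field-level exclusion (recognised by the query)
        public String passwordHash;
        public String ssn;
        UserDto(String username, String passwordHash, String ssn) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.ssn = ssn;
        }
    }

    static String serialize(UserDto dto) throws Exception {
        return new ObjectMapper().writeValueAsString(dto);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] ct = encryptAesGcm(kg.generateKey(), "hello".getBytes(StandardCharsets.UTF_8));
        // 12-byte nonce + 5 plaintext bytes + 16-byte GCM tag
        System.out.println("AES-GCM output length: " + ct.length);

        // Constructed sample record; only {"username":"alice"} reaches the output.
        System.out.println(serialize(new UserDto("alice", "hash-placeholder", "000-00-0000")));
    }
}
```

The two serialization annotations are the ones a reviewer would expect on any DTO that wraps an entity with credential or identity fields; the query's new behaviour means such annotated fields no longer produce an Excessive_Data_Exposure result.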


The following queries were added to the Java set of queries. For details on each query, refer to their specific description in the CxSAST Portal.

Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization
Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
Java_Low_Visibility.Spring_Missing_X_Frame_Options
Java_Low_Visibility.Spring_Missing_Content_Security_Policy
Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
Java_Low_Visibility.Spring_Missing_Expect_CT_Header
Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret  
Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
Java_Medium_Threat.Spring_Comparison_Timing_Attack
Java_Medium_Threat.Excessive_Data_Exposure
Java_Medium_Threat.Spring_XSRF
Java_Medium_Threat.Spring_Missing_HSTS_Header

The following is a list of queries with changes in order to improve results for API Security in general.

Java_High_Risk.Reflected_XSS_All_Clients - although not related to API Security, this query was updated to remove FP results that appear on API code.
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm - the query was updated to find results associated with weak types like RC2, RC4, ARCFOUR, or Blowfish.
Java_Medium_Threat.Excessive_Data_Exposure - the query was updated to take into account annotations like @JsonIgnore, @JsonIgnoreProperties, @JsonFilter and @JsonIgnoreType to ignore sensitive data, and to disregard hardcoded DTO classes.
Java_Medium_Threat.JWT_No_Signature_Verification - the query now checks return values that are influenced by inputs in resolveSigningKeyBytes methods.
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters - improved performance only.
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters - improved performance only.


API1 - Broken Object Level Authorization

NEW Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization

NEW Java_Low_Visibility.Unrestricted_Read_S3

API2 - Broken Authentication

NEW Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret  

NEW Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password

NEW Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters

NEW Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters

NEW Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters

NEW Java_Medium_Threat.Spring_Argon2_Insecure_Parameters

NEW Java_Medium_Threat.Spring_Comparison_Timing_Attack

NEW Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive

API3 - Excessive Data Exposure

NEW Java_Medium_Threat.Excessive_Data_Exposure

API4 - Lack of Resources and Rate Limiting

No Updates

API5 - Broken Function Level Authentication

NEW Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization

API6 - Mass Assignment

No Updates

API7 - Security Misconfiguration

NEW Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy

NEW Java_Medium_Threat.Spring_Missing_HSTS_Header

NEW Java_Low_Visibility.Spring_Missing_X_Content_Type_Options

NEW Java_Low_Visibility.Spring_Missing_XSS_Protection_Header

NEW Java_Low_Visibility.Spring_Missing_X_Frame_Options

NEW Java_Low_Visibility.Spring_Missing_Content_Security_Policy

NEW Java_Low_Visibility.Spring_Permissive_Content_Security_Policy

NEW Java_Low_Visibility.Spring_Missing_Expect_CT_Header

API8 - Injection

Java_High_Risk.Xpath_Injection

API9 - Improper Assets Management

No Updates

API10 - Insufficient Logging and Monitoring

No Updates


Version Upgrade
These content pack improvements are included with CxSAST version 9.3. You don’t have to install additional content packs after upgrading.


Which CxSAST version is this Content Pack for?
As stated in the release notes, this content pack is only compatible with CxSAST v9.2.0.

Which languages were targeted in this Content Pack?
This content pack provides improvements for Java.

Can this Content Pack be installed on top of other Content Packs?
Yes. This content pack is a multi-language content pack. It inherits all the characteristics of previous content packs, i.e. it is cumulative.

Does this Content Pack depend on other Content Packs?
No. There are no dependencies on other Content Packs. All content packs are cumulative, meaning that they can be installed over existing content packs.

Can this Content Pack be used with Content Pack 12 (JavaScript)?
Yes. It can. It will override Content Pack 12 content.

Is there any order of installation between this Content Pack and Content Pack 12 (JavaScript)?
Yes, but there is no need to install other content packs, since this content pack includes all the previous ones.

Can this Content Pack be installed in further versions, like CxSAST 9.3?
No. CxSAST 9.3 includes this content.

Does this Content Pack depend on any HotFix?
Yes. The content pack requires HF7 or higher.