Content Pack Version - CP.9.2.0.13031 (Java)
Each content pack (CP) for API Security contains a new or refactored set of queries targeting API-related vulnerabilities. It aims to reduce the number of false negative (FN) results in API projects while keeping the general accuracy of the queries.
This content pack uses the unified installer and includes all previous content packs published for version 9.2. It includes updates for Java, C# and JavaScript.
It brings improvements that reduce the number of false positive findings in C#, and adds OWASP Top 10 API support in Java.
The changes provided are listed in the following sections.
This content pack includes OOTB Accuracy content. Checkmarx Express presets should be used to take full advantage of improvements performed by this project.
It includes API Security content. OWASP Top 10 API presets should be used to take full advantage of the content pack queries on Java for API Security.
As in any CxSAST product release, the content pack also resets the Checkmarx built-in presets to their default query set.
Installation order
This is a cumulative content pack: it can be installed over any of the previous version 9.2 content packs and does not require other content packs.
Dependencies
HotFix 7 is required for this content pack.
This content pack includes improvements in the OWASP TOP 10 API queries.
API Security Content
The following improvements have been made for Java queries (even though not all are related to the API Security Preset):
Java_High_Risk.Reflected_XSS_All_Clients
Updated to remove FP results that appear in API code.
Java_Low_Visibility.Use_of_Broken_or_Risky_Cryptographic_Algorithm
Updated to find results associated with weak algorithms such as RC2, RC4, ARCFOUR or Blowfish.
Java_Medium_Threat.Excessive_Data_Exposure
Updated to take annotations such as @JsonIgnore, @JsonIgnoreProperties, @JsonFilter and @JsonIgnoreType into account when ignoring sensitive data, and to disregard hardcoded DTO classes.
Java_Medium_Threat.JWT_No_Signature_Verification
Improved the query to consider return values that are influenced by inputs in resolveSigningKeyBytes methods.
Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
Improved performance only.
Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
Improved performance only.
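As an added illustration of the Excessive_Data_Exposure behaviour described above (example code written for this page, not a Checkmarx query or any project's code): the first endpoint serializes a full entity, sensitive fields included, while the second returns a view whose sensitive members are excluded through the Jackson annotations the query now recognizes. The User, UserView and UserController classes and the in-memory store are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import java.util.HashMap;
import java.util.Map;

// Persistence model (constructed for the example) carrying fields a client must never receive.
class User {
    public long id;
    public String email;
    public String passwordHash; // sensitive
    public String mfaSecret;    // sensitive
}

// Response view: @JsonIgnoreProperties excludes the named properties from serialization,
// @JsonIgnore excludes a single property where it is declared.
@JsonIgnoreProperties({"passwordHash", "mfaSecret"})
class UserView {
    public long id;
    public String email;
    @JsonIgnore
    public String passwordHash;

    static UserView from(User u) {
        UserView v = new UserView();
        v.id = u.id;
        v.email = u.email;
        v.passwordHash = u.passwordHash; // copied, but never written to the response
        return v;
    }
}

@RestController
class UserController {
    // In-memory store standing in for a repository (constructed sample data).
    private final Map<Long, User> store = new HashMap<>();

    // Exposure: the whole entity, including passwordHash and mfaSecret, is written to the response body.
    @GetMapping("/users/{id}")
    public User getUser(@PathVariable long id) {
        return store.get(id);
    }

    // Mitigated: only the annotated view reaches the serializer, so the sensitive fields are dropped.
    @GetMapping("/v2/users/{id}")
    public UserView getUserView(@PathVariable long id) {
        return UserView.from(store.get(id));
    }
}
```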
API1 - Broken Object Level Authorization
NEW Java_Best_Coding_Practice.Spring_Missing_Object_Level_Authorization
NEW Java_Low_Visibility.Unrestricted_Read_S3
API2 - Broken Authentication
NEW Java_Medium_Threat.JWT_Use_Of_Hardcoded_Secret
NEW Java_Low_Visibility.Spring_Use_Of_Hardcoded_Password
NEW Java_Medium_Threat.Spring_SCrypt_Insecure_Parameters
NEW Java_Medium_Threat.Spring_PBKDF2_Insecure_Parameters
NEW Java_Medium_Threat.Spring_BCrypt_Insecure_Parameters
NEW Java_Medium_Threat.Spring_Argon2_Insecure_Parameters
NEW Java_Medium_Threat.Spring_Comparison_Timing_Attack
NEW Java_Low_Visibility.Spring_Use_of_Broken_or_Risky_Cryptographic_Primitive
API3 - Excessive Data Exposure
NEW Java_Medium_Threat.Excessive_Data_Exposure
API4 - Lack of Resources and Rate Limiting
No Updates
API5 - Broken Function Level Authentication
NEW Java_Best_Coding_Practice.Spring_Missing_Function_Level_Authorization
API6 - Mass Assignment
No Updates
API7 - Security Misconfiguration
NEW Java_Low_Visibility.Spring_Overly_Permissive_Cross_Origin_Resource_Sharing_Policy
NEW Java_Medium_Threat.Spring_Missing_HSTS_Header
NEW Java_Low_Visibility.Spring_Missing_X_Content_Type_Options
NEW Java_Low_Visibility.Spring_Missing_XSS_Protection_Header
NEW Java_Low_Visibility.Spring_Missing_X_Frame_Options
NEW Java_Low_Visibility.Spring_Missing_Content_Security_Policy
NEW Java_Low_Visibility.Spring_Permissive_Content_Security_Policy
NEW Java_Low_Visibility.Spring_Missing_Expect_CT_Header
API8 - Injection
Java_High_Risk.Xpath_Injection
API9 - Improper Assets Management
No Updates
API10 - Insufficient Logging and Monitoring
No Updates
Version Upgrade
These content pack improvements are included with CxSAST version 9.3. You don’t have to install additional content packs after upgrading.