Content Pack Version - CP.9.3.0.18043 (JavaScript, CSharp)

The content of this Content Pack (CP.9.3.0.18043), will be available for CxSAST version 9.4 in CxSAST Engine Pack version 9.4.2.

Each Ruleset Content Pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through database upgrade scripts which affect the relevant tables.

As with any CxSAST product release, the Content Pack resets the Checkmarx built-in presets to the default query set.

This Content Pack uses a unified installer and it includes all the Content Packs published for version 9.3.0. It includes updates to CSharp and JavaScript.

Installation order

This is a cumulative Content Pack, it can be installed over any of the version 9.3.0 Content Packs and does not require other Content Packs.
This Content Pack requires 9.3.0 Hotfix 15 or higher previously installed on the CxSAST Environment (Manager and Engines).

It includes all the changes provided by Content Pack 16 and the following improvements:

CSharp

Medium/Use_of_Hard_coded_Cryptographic_Key - The query now looks for CreateEncryptor methods from AES, DES, RC2, Rijndael or TripleDES service providers; supports byte arrays and new sanitizers.
CSharp/CSharp_Low_Visibility/Heap_Inspection - The query now assumes cases like var pass = x.ToString() are possible Heap Inspection attacks. The query infers that the value is of type string and does not discard the case. Previously it discarded such cases.
Low/Heap_Inspection - Improved the way the query looks up for arrays of chars: char[]

JavaScript

Medium/Client_Privacy_Violation - The query was updated to improve Angular ctx outputs.
High/Client_DOM_XSS - Query (sub-queries) was updated to consider extra SAPUI inputs and outputs. Examples of new Inputs:, getModel as in this.getOwnerComponent().getModel(...); oControl as in enderer : function(oRm, oControl) { ... } and its references. Examples of new Outputs: setContent methods as in this.getView().byId(...).setContent(...).

Non-ASCII characters removal
- Besides the changes mentioned above, several queries in several languages (Apex, CPP, Groovy, Java, JavaScript and Scala) were improved to remove/replace all Non-ASCII characters that cause scans to fail in some installations (depending on collations and OS languages).
Presets Alignment
- OWASP TOP 10 (2010, 2013 and 2017) presets aligned for all languages
- Other presets (Error Handling, FISMA, HIPPA, JSSEC, PCI, SASN top 25, STIG and XSS and SQLi only) were aligned for all languages.

Version Upgrade
In general, it is mandatory to install at least the same Content Pack number for newer versions while upgrading. However, since v9.3.0 has no CP17, when upgrading from v9.2.0 CP17 it is necessary to upgrade to v9.3.0 CP18. This step ensures the accuracy of the results is maintained while upgrading.

Which CxSAST version is this Content Pack for?
As stated in the release notes, this Content Pack is only compatible with CxSAST v9.3.0.

Which languages were targeted in this Content Pack?
This Content Pack provides improvements for CSharp and JavaScript, mainly.

Can this Content Pack be installed on top of other Content Packs?
Yes, this Content Pack is a multi-language Content Pack. It inherits all the characteristics of previous Content Packs, in other words, it is cumulative.

Does this Content Pack depend on other Content Packs?
No, there are no dependencies on other Content Packs. All Content Packs are cumulative, meaning that when one Content Pack is installed it includes all the previous Content Packs.

Can this Content Pack be installed over other Content Packs?
Yes it can. It will override its content.

Is there any order of installation between this Content Pack and Content Pack 16?
Yes. But there is no need to install other Content Packs. This Content Pack includes all the previous.

Can this Content Pack be installed in further/previous versions, like CxSAST 9.0?
No.

Does this Content Pack depend on any HotFix?
Yes, It requires the Hotfix 15 previously installed on the environment (manager and engines).