Release Notes for Engine Pack 9.4.1

Engine Pack 9.4.1 contains the following engine deliverables and enhancements:

Installation Notes

In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see https://checkmarx.atlassian.net/wiki/spaces/SAST/pages/5950931131.

New Flow Improvements

  1. Automatically Enabling the New Flow for Specified Languages
    Projects containing any of the following languages are now scanned using the New Flow by default: Apex, Python, Ruby, Cobol, and CPP. The new 'FORCE_LAZY_FLOW_ON_FOR_LANGUAGES' configuration variable holds this list of languages. Note that the setting applies to the whole project: if a project contains a language that is on the list, such as Python, together with a language that is not, such as JavaScript, the entire project is scanned using the New Flow, so in this example the JavaScript code is scanned using the New Flow as well.

  2. Support Go Slices
    The New Flow now keeps track of the index when scanning Go language projects, even when the flow is through Go slices.

  3. Support for Swift Dictionaries
    Many of the Swift dictionary methods are now supported. For instance, if a flow enters a dictionary through key 'a', it will not exit through key 'b'. Similarly, if a flow enters through key 'a' and key 'a' is then removed, the flow is discontinued.

Incremental Scan Improvements

  1. Improvements to the closure files
    To save scan time, the incremental scan only scans the changed files of the project and the files that are close to the changed files. The files close to the changed files are called the closure files.
    The following changes to the closure files have significantly improved the quality of the incremental scans:

    • The base classes of the closure files are added to the list of classes.

    • For languages that use source and header files, such as C, C++, and ObjC, closure files are expanded to include both file types.

    • Orphan method invocation is supported for the closure files.

    • Class declaration and constructor calls are supported for the closure files.

  2. Incremental Scans Resolving Stage improvements
    An issue in the resolving stage of the incremental scan process reduced the accuracy of the scan results. The issue was fixed, dramatically improving the accuracy of the incremental scan results.

Similarity ID – New Option for Space Sensitivity

The Similarity ID, which is used in processing the scan results, is sensitive to white-space differences. This includes any difference in spaces or tabs in the lines of code of the first and last nodes of a result, or in the signature of the method enclosing them. Between scans of the same project, any change in indentation or any added space therefore causes the Similarity ID to change.

To make the scan results insensitive to changes in spaces and tabs, a new value was added to the existing Similarity ID configuration key.

The following options are available, depending on how the SIMILARITY_ID_VERSION (Integer) key is set:

  • Original Similarity ID behavior. (Integer = 0)

  • Similarity ID behavior ignores the leading spaces. (Integer = 1)

  • Similarity ID behavior ignores all white space. (Integer = 2)

The new Similarity ID behavior can be turned on in the following ways:

  • For a specific project, by using the engine configuration set. For further instructions, see Add Engine Configuration Set.

  • For all projects and all scans, both new ones and existing ones, by modifying the database.
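The effect of the three SIMILARITY_ID_VERSION values can be seen with a small model of the fingerprint. This is an added, simplified illustration, not Checkmarx's actual Similarity ID algorithm: it assumes the ID is a hash of the query name plus the first-node line, last-node line, and enclosing method signature, normalised according to the selected version.

```python
import hashlib
import re

# Illustrative model only (added example): NOT Checkmarx's real Similarity ID algorithm.
# It fingerprints the inputs the release notes name (first node line, last node line,
# enclosing method signature) after normalising white space per SIMILARITY_ID_VERSION.

ORIGINAL, IGNORE_LEADING, IGNORE_ALL = 0, 1, 2


def normalize(line: str, version: int) -> str:
    """Apply the white-space rule selected by SIMILARITY_ID_VERSION."""
    if version == ORIGINAL:
        return line                         # every space and tab is significant
    if version == IGNORE_LEADING:
        return line.lstrip(" \t")           # indentation changes are ignored
    if version == IGNORE_ALL:
        return re.sub(r"[ \t]+", "", line)  # spaces/tabs anywhere are ignored
    raise ValueError(f"unsupported SIMILARITY_ID_VERSION: {version}")


def similarity_id(query: str, first_node: str, last_node: str,
                  method_sig: str, version: int) -> str:
    """Hypothetical fingerprint: hash of the query name plus normalised node text."""
    parts = [query] + [normalize(p, version) for p in (first_node, last_node, method_sig)]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()[:16]


# Constructed sample finding (Flask-style code) as seen in an earlier scan.
BASELINE = {"first_node": '\tname = request.args.get("name")',
            "last_node": '\treturn render_template_string(name)',
            "method_sig": 'def hello(req):'}
# Same finding after the file was re-indented from tabs to four spaces.
REINDENTED = {k: v.replace("\t", "    ") for k, v in BASELINE.items()}
# Same finding after someone also added spaces inside the method signature.
RESPACED_SIG = dict(REINDENTED, method_sig='def hello( req ):')


def id_stable(version: int, later_scan: dict) -> bool:
    """True if the finding keeps its Similarity ID between BASELINE and later_scan."""
    return (similarity_id("Sample_Query", version=version, **BASELINE)
            == similarity_id("Sample_Query", version=version, **later_scan))


if __name__ == "__main__":
    for v in (ORIGINAL, IGNORE_LEADING, IGNORE_ALL):
        print(f"version {v}: reindent stable={id_stable(v, REINDENTED)}, "
              f"respaced signature stable={id_stable(v, RESPACED_SIG)}")
```

Only version 2 keeps the ID stable when spaces change inside the signature; version 1 survives a re-indentation but not that edit, so results already triaged may reappear as new if the weaker setting is used.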

Languages and Frameworks Updates

This release includes several improvements in support of the following languages and frameworks:

Python and the Django and Flask Frameworks

The Python language is now supported up to version 3.9.

Major Improvements

The language support was completely refactored, improving speed and accuracy.

Among the improvements are the following:

  • New Import Mechanism
    Enables the resolution of symbols from imported files and the flows between the symbols.

  • Enhanced Symbol Table
    Enables distinguishing a Method Invoke from an Object Create and distinguishing an Assignment from a Variable Declaration.

  • Tuple Support
    Provides the new TupleCreateExpression object in DOM (Document Object Model), which yields a more accurate representation of tuples.

  • Dictionary Unpacking Flow
    Enables the correct representation of the flow from the dictionary values to the method declaration parameters.

Queries

The following security queries were added:

  • SSL_Verification_Bypass

  • Communication_Over_HTTP

  • Local_File_Inclusion

  • ReDoS_Injection

  • Command_Argument_Injection

  • Store_Command_Argument_Injection

  • Stored_Command_Injection

  • Use_of_Broken_or_Risky_Cryptographic_Algorithm

The following security queries were improved:

  • Command_Injection

  • Cookie_Poisoning

  • Insecure_Randomness

  • Uncontrolled_Format_String

Frameworks

Support has been extended for the following frameworks:

  • Django, up to version 3.2.2

  • Flask, up to version 1.1.2

  • Jinja and DTL (Django Template Language), up to v1.1.1

To enrich the Python security queries, the following are supported:

  • Flask-SQLAlchemy

  • Flask-Talisman

  • Flask-WTF

  • SeaSurf

  • Django built-in authentication (AuthN) and authorization (AuthZ) features

Java Frameworks: JSP, Spring and Struts

In 9.4.1, the rewrite of the support for JSP, Spring, Struts 1, and Struts 2 was completed.

JSP

JSP (Jakarta Server Pages, formerly JavaServer Pages) is now supported up to version 2.3.

In JSP, the major improvements are the following:

  • Implicit objects and the respective flows of their getters and setters

  • Support for the forward and include methods of RequestDispatcher and for the representation of the data flows within the framework

  • Complete support for the following tag libraries: JSTL Core, JSTL Functions, JSTL SQL, and DSP ATG

  • Support for JSTL (JavaServer Pages Standard Tag Library) EL (Expression Language)

  • Queries rewritten to accommodate simplified DOM (Document Object Model) syntax and framework security features

Spring

Spring is now supported up to version 5.0.0.

In Spring, improvements to dependency injection (DI) and inversion of control (IoC) include the following:

  • Support of Beans declaration either through an XML configuration or from the Java program

  • Support of Spring DI containers in the code by focusing on ClassPathXmlApplication

  • Support of the following Annotations: @Bean, @ComponentScan, @Component, @Configuration, @Autowired, @Qualifier, @Primary, @Value, @SpringBootApplication

Additional Spring improvements include the following:

  • Support for Spring MVC (Model–View–Controller), representing the flows from the Controller to the View when the return from the Model is a string or a redirect to a specific View

  • Support for the Spring Expression Language (SpEL), based on the JSP EL

  • Support for the spring:eval and form:input tags

Java security queries, including the Spring-specific ones, were rewritten to take Spring REST API annotations and Spring Security into account.

Struts

Struts 1 is now supported up to version 1.3.10, and Struts 2 up to version 2.5.26.

In Struts, the major improvements include the following:

  • Support for MVC (Model–View–Controller), representing the flows between the Controller and the Views (and vice versa)

  • Support of the following struts-tags.tld tags: Data, Control, Form, Non-Form

  • Support of the following tags-logic.tld tag: Logic

  • Struts-related queries were rewritten to incorporate the redesign strategy and use the CxXPath (Checkmarx XPath) query provider for more accurate results

TypeScript

In 9.4.1, TypeScript support (up to version 4.0) was improved by fixing specific bugs and increasing its accuracy.