Content Pack Version - CP.9.3.0.12021 (JavaScript)
Each Ruleset Content Pack includes improvements to queries and, optionally, to presets. These changes are delivered as database upgrade scripts that modify the relevant tables.
As with any CxSAST product release, installing the Content Pack resets the Checkmarx built-in presets to their default query set.
This content pack introduces a new unified installer and includes all the content packs published for version 9.3.0, covering updates to Apex and JavaScript.
Details of the Apex content are available in the Content Pack 9.3.0.11017 (Apex) release notes.
Installation order
This is a cumulative content pack: it can be installed over any of the version 9.3.0 Content Packs and does not require any other content pack to be installed first.
This Content Pack requires 9.3.0 Hotfix 3 or higher to be installed beforehand on the CxSAST environment (Manager and Engines).
To take full advantage of improvements of this Content Pack, use the following presets:
Checkmarx Express - for OOTB Accuracy
OWASP Top 10 API - for queries on Java for API Security
This Content Pack (CP) includes the following improvements that reduce the number of false positive results in JavaScript:
For High Risk queries, the accuracy of the Checkmarx Express preset is improved by 350%
For Medium Threat queries, the accuracy of the Checkmarx Express preset is improved by 15%
It includes all the changes provided by Content Pack 9, plus the following improvements focused on JavaScript queries:
Improved sanitization for XSS and cryptography on browser and NodeJS
Improved sanitization for AngularJS Filters
Improved support for logging with Node-Bunyan, Winston and PynoHTTP libraries
Extended the list of trusted CDN domains used by the hardcoded domain detection
Improved support for CryptoJs and CryptoTS cryptographic libraries
Added support for HmacRIPEMD160 cryptographic algorithm
Improved support for Kony SQLite
Improved support for database accesses under XSRF permissions
Extended the list of personal information related keywords
Improved support for IndexedDB
Improved support for tainted elements of the window object
Added support for Path traversal using the Hapi Library
Improved support of NodeJS web page outputs
Improved Mongoose, MongoDB, Sequelize and SQLite database support for NodeJS
Improved support on NodeJS for Open Redirect
Improved support for XPath Injection sanitization
Improved support for Client Resource Injection
Updated the list of jQuery deprecated APIs
Improved support for Remote File Inclusion
Improved support for use of iframes without sandbox
Improved support for Unsafe use of Target Blank
Deprecated query Client Header Manipulation
Improved sanitization support for Regex Denial of Service
Deprecated query Client Reflected File Download
Improved programmatic sanitization methods support for Frameable Login Page
Improved support for Code Injection
Improved support for Command Injection
Deprecated query Insecure Direct Object References
Added support for Insecure Storage of Sensitive Data
Improved support for Log Forging
Improved Support for NoSQL Injection
Improved support for Path Traversal
Improved support for Privacy Violation
Deprecated query Security Misconfiguration
Improved support for SSL Verification Bypass
Improved support for Stored XSS
Improved support for Unprotected Cookie
Improved support for Use of Broken or Risky Cryptographic Algorithm
Improved support for Use of Hardcoded Password
Version Upgrade
When upgrading to a newer version, it is mandatory to install at least the same content pack number on the target version (e.g. v9.2.0 CP12 → v9.3.0 CP12).
This step ensures that result accuracy is maintained across the upgrade.