Supported product: CxSAST
Supported version: 9.0.0 and higher
Required user roles: OData API, SAST Reviewer
You can set the user roles under Access Control --> Edit User --> Roles
Required user teams: Make sure the user has access to the relevant teams; the connector only sees projects that belong to teams the user is a member of.
You can set the user's teams under Access Control --> Edit User --> Teams
For SSL, make sure the IIS binding of the Checkmarx site is not restricted to a specific host name and that SNI (Server Name Indication) is not enabled on it; otherwise the TLS handshake from Vulcan can fail before the connector ever authenticates.
As with other SAST tools, Checkmarx findings do not carry a CVSS or any other numeric score. Checkmarx assigns each vulnerability a
Severity, and Vulcan maps that Severity to a numeric value that is used as the vulnerability's score:
High --> 10
Medium --> 6.5
Low --> 3
Info --> 0
For more information about risk, read this article.
3. Configuring Checkmarx Connector
In the Connectors page, click on Add a Connector.
Click on Checkmarx CxSAST connector.
Fill in the following fields:
Server URL - The base URL of your Checkmarx server (the address you use to reach the CxSAST web interface).
Username - A user with the roles and team membership listed above.
Password - The password of that user.
Client Secret - A default value on your account. Enter a new value only if you know it was changed by your organization (otherwise, keep the default value).
Choose Result State - Select which Result States you would like Vulcan to pull from Checkmarx. Only checked boxes will be pulled. By default, Vulcan will pull all results.
Note - you can change this setting later, and all current vulnerabilities in the de-selected states will be moved to "Fixed" (and new ones will not be pulled).
Important: If you are using Checkmarx v9.3.0 and above, Vulcan will not be able to pull Custom Result States, as they are not supported at this time. Please contact your customer success manager for more information.
Click on Create.
You can view the connector's progress under the Log tab.
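Before clicking Create it is worth checking the values you are about to enter, since a wrong Server URL, a user without the roles above or a deselected Result State only shows up later in the Log tab. The following is an added example and is not Vulcan's or Checkmarx's code. It builds the token request the CxSAST 9.x REST API expects from the same Username, Password and Client Secret fields, applies the Severity-to-score table from this article, and partitions a constructed set of results by Result State the way the connector's checkboxes do, flagging custom states that cannot be pulled. The token endpoint path, client_id, scope and default client secret are taken from Checkmarx's public REST API documentation as I recall it; the numeric ids of the built-in states, the OData field names and the sample results are assumptions constructed for the example. The only network call is at the bottom and runs solely when CX_SERVER_URL, CX_USERNAME and CX_PASSWORD are set.

```python
"""Pre-flight check for the Vulcan Checkmarx CxSAST connector inputs.

Added example, not Vulcan's or Checkmarx's code. Everything except
fetch_token() runs offline on constructed data.
"""
import json
import os
import urllib.parse
import urllib.request

# Severity -> Vulcan score, exactly as the article's table states.
SEVERITY_SCORE = {"High": 10.0, "Medium": 6.5, "Low": 3.0, "Info": 0.0}

# Built-in CxSAST result states by numeric id. Assumption: these are the
# standard ids shipped with CxSAST 9.x; any other id is treated as a custom
# state, which the connector cannot pull on v9.3.0 and above.
BUILTIN_STATES = {
    0: "To Verify",
    1: "Not Exploitable",
    2: "Confirmed",
    3: "Urgent",
    4: "Proposed Not Exploitable",
}

# Default client secret of Checkmarx's resource_owner_client as published in
# the Checkmarx REST API documentation. The article says to keep the default
# unless your organisation changed it.
DEFAULT_CLIENT_SECRET = "014DF517-39D1-4453-B7B3-9930C563627C"


def check_server_url(server_url):
    """Return a list of problems with the Server URL field (empty if fine)."""
    problems = []
    parts = urllib.parse.urlsplit(server_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("not an absolute http(s) URL")
    elif parts.scheme == "http":
        problems.append("plain http: credentials and tokens cross the network unencrypted")
    return problems


def build_token_request(server_url, username, password, client_secret=DEFAULT_CLIENT_SECRET):
    """Return (url, form_fields) for the CxSAST 9.x password grant.

    Endpoint path, client_id and scope follow the Checkmarx REST API docs
    as I know them; verify them against your own server version.
    """
    url = server_url.rstrip("/") + "/cxrestapi/auth/identity/connect/token"
    form = {
        "username": username,
        "password": password,
        "grant_type": "password",
        "scope": "access_control_api sast_api",
        "client_id": "resource_owner_client",
        "client_secret": client_secret,
    }
    return url, form


def fetch_token(server_url, username, password, client_secret=DEFAULT_CLIENT_SECRET):
    """Perform the password grant against a live server (network only)."""
    url, form = build_token_request(server_url, username, password, client_secret)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def select_results(results, selected_states):
    """Partition results the way the connector's Result State checkboxes do.

    `results` are dicts with 'Severity' and 'StateId' (assumed OData field
    names). Returns (pulled, fixed, unsupported): results in a selected
    built-in state are pulled and scored; results in a deselected built-in
    state are not pulled (and are moved to "Fixed" if a later edit of the
    connector deselects their state); results in an unknown (custom) state
    cannot be pulled at all.
    """
    pulled, fixed, unsupported = [], [], []
    for r in results:
        state = BUILTIN_STATES.get(r["StateId"])
        if state is None:
            unsupported.append(r)
            continue
        row = dict(r, State=state, Score=SEVERITY_SCORE[r["Severity"]])
        (pulled if state in selected_states else fixed).append(row)
    return pulled, fixed, unsupported


def top_risk(rows):
    """Highest score among the pulled results, as in the Top Risk column."""
    return max((r["Score"] for r in rows), default=0.0)


# Constructed sample results, not real scan output.
SAMPLE_RESULTS = [
    {"Id": 1, "Query": "SQL_Injection", "Severity": "High", "StateId": 2},
    {"Id": 2, "Query": "Reflected_XSS", "Severity": "Medium", "StateId": 0},
    {"Id": 3, "Query": "Log_Forging", "Severity": "Low", "StateId": 1},
    {"Id": 4, "Query": "Hardcoded_Password", "Severity": "High", "StateId": 7},
]

if __name__ == "__main__":
    pulled, fixed, unsupported = select_results(SAMPLE_RESULTS, {"To Verify", "Confirmed", "Urgent"})
    print("pulled:", [r["Id"] for r in pulled], "top risk:", top_risk(pulled))
    print("not pulled / Fixed:", [r["Id"] for r in fixed])
    print("custom state, unsupported:", [r["Id"] for r in unsupported])
    server = os.environ.get("CX_SERVER_URL")
    if server:
        for p in check_server_url(server):
            print("warning:", p)
        token = fetch_token(server, os.environ["CX_USERNAME"], os.environ["CX_PASSWORD"],
                            os.environ.get("CX_CLIENT_SECRET", DEFAULT_CLIENT_SECRET))
        print("token obtained, length", len(token))
```

If fetch_token fails with HTTP 400 the credentials or client secret are wrong; an HTTP 403 on later API calls usually means the user lacks the OData API or SAST Reviewer role, or is not a member of the project's team. Result 4 in the sample is in state id 7, which the example classifies as custom and therefore not pulled, matching the v9.3.0+ limitation stated above.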
4. Viewing data from Checkmarx in Vulcan
Vulcan provides the option to remediate vulnerabilities from two different angles: Code Projects and Vulnerabilities.
The data from Checkmarx is displayed under Code Projects. This tab gathers all data that came from SAST and SCA tools; to filter for Checkmarx data only, use the Search Bar.
The Project column will indicate the projects you have in Checkmarx.
The Last Report column will indicate the last scanned time in Checkmarx.
The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project (High, Medium and Low)
The Top Risk column will indicate the highest risk-value from all risks that exist in a project.
The Tags column will indicate all the tags related to the project. Vulcan creates these tags from the value of the Checkmarx Team.
Clicking on a project opens its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, the affected code lines, project details and correlated data from other sources.
If you want to view a specific vulnerability, click on it to get a representation of that vulnerability and its details.
You can also view all data from Checkmarx under Vulnerabilities. To filter for Checkmarx data only, use the Search Bar.
You can start the remediation process by clicking on a vulnerability and viewing all the details fetched from your Checkmarx account.
What are the API calls used by the connector?