In this article you will find:

  1. Pre-requisite
  2. Risk
  3. How to configure Checkmarx CxSAST in Vulcan platform
  4. How to view data from Checkmarx CxSAST in Vulcan platform
  5. FAQ

1. Pre-requisite

Supported product: CxSAST

Supported version: 9.0.0 and higher

Required user roles: Odata API, SAST Reviewer

You can set the user roles under Access Control --> Edit User --> Roles

Required user teams: Make sure the user has access to the relevant teams.

You can set the user's teams under Access Control --> Edit User --> Teams

2. Risk

As with other SAST tools, the vulnerabilities are not associated with a CVSS or any other numeric score. Checkmarx gives each vulnerability a Severity, and Vulcan maps those values to numeric values that represent their score:

  • High --> 10
  • Medium --> 6.5
  • Low --> 3
  • Info --> 0

For more information about risk, read this article.
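As an added illustration of the mapping above (example code, not part of the original article or of Vulcan's own connector), the following Python applies the severity-to-score table to a constructed set of findings and aggregates them per project into a count per severity and a top risk, the two values the Code Projects view reports; the finding field names are assumptions, not the Checkmarx API schema.

```python
from collections import Counter
from typing import Dict, List, Optional

# Severity -> score mapping as documented in the article above.
SEVERITY_SCORE: Dict[str, float] = {
    "High": 10.0,
    "Medium": 6.5,
    "Low": 3.0,
    "Info": 0.0,
}

# Constructed sample findings: one dict per finding with the project it
# belongs to and its Checkmarx Severity. Field names are assumptions made
# for this example, not the real API response shape.
SAMPLE_RESULTS: List[dict] = [
    {"project": "payments-api", "severity": "High"},
    {"project": "payments-api", "severity": "Medium"},
    {"project": "payments-api", "severity": "Low"},
    {"project": "web-portal", "severity": "Low"},
    {"project": "web-portal", "severity": "Info"},
    {"project": "legacy-tool", "severity": "Critical"},  # constructed: not in the table
]


def severity_to_score(severity: str) -> Optional[float]:
    """Map a Checkmarx Severity to its Vulcan score; None if the value is unmapped."""
    return SEVERITY_SCORE.get(severity)


def summarize_projects(results: List[dict]) -> Dict[str, dict]:
    """Aggregate findings per project: count per severity and the highest score.

    Severities outside the documented table are collected under 'unmapped'
    rather than silently scored, so a practitioner can spot them.
    """
    summary: Dict[str, dict] = {}
    for finding in results:
        project = summary.setdefault(
            finding["project"], {"counts": Counter(), "top_risk": 0.0, "unmapped": []}
        )
        score = severity_to_score(finding["severity"])
        if score is None:
            project["unmapped"].append(finding["severity"])
            continue
        project["counts"][finding["severity"]] += 1
        project["top_risk"] = max(project["top_risk"], score)
    return summary
```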

3. Configuring Checkmarx Connector

In the Connectors page, click on Add a Connector.

Click on Checkmarx CxSAST connector.

Fill in the following fields:

Server URL - URL of your Checkmarx account.

Username - A user with the required permissions to access the Checkmarx account.

Password - The password for that username.

Client Secret - A default value on your account. Enter a new value only if you know it was changed by your organization (otherwise, keep the default value).

Click on Create.

You can view the connector's progress under the Log tab.

4. Viewing data from Checkmarx in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets
  • Vulnerabilities

Assets

The data from Checkmarx is displayed under Code Projects. This tab gathers all data that came from SAST and SCA tools. To filter only Checkmarx data, simply use the Search Bar.

The Project column will indicate the projects you have in Checkmarx.

The Last Report column will indicate the last scanned time in Checkmarx.

The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project (High, Medium and Low).

The Top Risk column will indicate the highest risk-value from all risks that exist in a project.

The Tags column will indicate all the tags related to the project. Vulcan creates tags out of the value of the Team.

Clicking on a project will open its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, affected code lines, project details and correlated data from other sources.

If you want to view a specific vulnerability, click on it and you will get a representation of that vulnerability and its details.

Vulnerabilities

You can view all data from Checkmarx in Vulnerabilities. To filter only Checkmarx data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and viewing all the details fetched from your Checkmarx account.

5. FAQ

What are the API calls used by the connector?

cxrestapi/Queries/<QUERY_ID>/CxDescription
cxrestapi/projects
cxrestapi/auth/teams
cxrestapi/reports/sastScan
cxrestapi/reports/sastScan/<REPORT_ID>
cxrestapi/sast/scans?last=1&scanStatus=7&projectId=<PROJECT_ID>
cxrestapi/reports/sastScan/<REPORT_ID>/status
Cxwebinterface/odata/v1/Scans(<SCAN_ID>)/Results?$expand=Query($select=Id,Name)