Overview
About Checkmarx One
Checkmarx One platform combines the full suite of application security testing (AST) solutions to help you secure your digital transformation across every phase of modern application development and bring your apps to market faster.
Why integrate Checkmarx One into the Vulcan platform?
The Checkmarx One Connector by Vulcan integrates with the Checkmarx One platform to pull and ingest Code Project assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Checkmarx One Connector Details
Supported products | |
Category | Application Security - SCA/SAST |
Ingested asset type(s) | Code Projects |
Integration type | UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Creating a Checkmarx One API User
Login to Checkmarx as Admin.
Navigate to Identity and Access Management.
Go to Users.
Click Add user.
Edit the user you just added.
Go to Role Mappings
In the CxOne Roles, assign the following roles to the user:
view-applications
view-project-params
view-project-params-if-in-group
view-projects
view-projects-if-in-group
view-queries
view-results
view-results-if-in-group
view-scans
view-scans-if-in-group
Example:
Generating Checkmarx One API Key
Logout from the Checkmark admin user and log back in using the user you just created.
Navigate to Identity and Access Management > API Keys.
Click Create Key.
Save the key somewhere safe.
Configuring the Checkmarx One Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Checkmarx icon.
Set up the Connector as follows:
Select the Environment (US/EU/Australia/New Zealand), and enter the account name and the Key you generated earlier.
Example:
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Checkmarx One instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Checkmarx One icon shows Connected, the sync is complete.
Checkmarx One in the Vulcan Platform
Viewing Checkmarx One vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Checkmarx One from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Checkmarx assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Checkmax One from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Check
To take remediation action on vulnerabilities and assets detected by Checkmarx One:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Checkmax One option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Checkmarx One
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Checkmarx Connector.
From Checkmarx One to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Checkmarx One through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Code Project - SAST field mapping
Checkmarx One field | Vulcan field | Value Example |
id | Uniqueness criteria |
|
Repository name | Asset Name |
|
Code Projects | Asset type |
|
source file | Asset codebase - Source (SAST) |
|
data.nodes[0].line | Asset codebase - Location (SAST) |
|
project | Asset details |  |
application tags | Asset Tags - Vendor’s tags |
|
application_tags tags | Asset Tags - Additional |
|
updatedAt | Last report |
|
id | Vulnerability instance uniqueness criteria |
|
firstFoundAt | Vulnerability instance first seen |
|
foundAt | Vulnerability instance Last seen |
 |
cvss_score | Vulnerability instance score |
|
sast_file_location | Vulnerability instance location path |
|
id | Unique Vulnerability uniqueness criteria |
|
vulnerability name | Vulnerability title |
 |
severity (map) | Vulnerability score |
|
description | Vulnerability description |
 |
Language | Vulnerability details |
|
cvss_score | CVSS |
|
cwe | CWE |
|
Severity | Vulnerability instance connection- additional information |
|
Fix from checkmarx one | Fix - Title |
|
Recommended version: {{ data.recommendedVersion }} | Fix - Description |
|
read more link | Fix - References |
 |
Code Project - SCA field mapping
Checkmarx One field | Vulcan field | Value Example |
id | Uniqueness criteria |
|
Repository name | Asset Name |
|
Code Projects | Asset type |
|
Container package name | Asset libraries - Name (SCA) |  |
Version | Asset libraries - Version (SCA) |
|
project | Asset details |
|
application tags | Asset Tags - Vendor’s tags |
|
application_tags tags | Asset Tags - Additional |
|
last scan | Last report |
|
id | Vulnerability instance uniqueness criteria |
|
first_seen | Vulnerability instance first seen |
|
last_seen | Vulnerability instance Last seen |
|
CVSS score/ risk level | Vulnerability instance score |  |
package and version | Vulnerability instance location path |  |
id | Unique Vulnerability uniqueness criteria |
|
risk ID | Vulnerability title |  |
information | Vulnerability description |    |
severity | Vulnerability details |  |
status | Vulnerability status |
|
cvss score | CVSS |
|
cve | CVE/S |
|
cwe | CWE |
|
status
| Vulnerability instance connection- additional information |
|
Checmarx One recommendation | Fix - Title |
|
“remediate this vulnerability” | Fix - Description | 
|
additional knowledge | Fix - References | 
|
Code Project - IaC Secuirty
Checkmarx One field | Vulcan field | Value Example |
id | Uniqueness criteria |
|
Repository name | Asset Name |
|
Code Projects | Asset type |
|
project | Asset details |  |
application tags | Asset Tags - Vendor’s tags |
|
application tags | Asset Tags - Additional |
|
last scan | Last report |
|
id | Vulnerability instance uniqueness criteria |
|
firstFoundAt | Vulnerability instance first seen |
|
foundAt | Vulnerability instance Last seen |
|
severity | Vulnerability instance score |  |
File | Vulnerability instance location path |
|
id | Unique Vulnerability uniqueness criteria |
|
Query Name | Vulnerability title |  |
Description | Vulnerability description |
|
Category | Vulnerability details | 
|
status | Vulnerability status |
|
cvss_score | CVSS |
|
cwe | CWE |
|
file | Vulnerability instance connection- additional information |
|
Checmarx One recommendation | Fix - Title |
|
data.expectedValue | Fix - Description |
|
Vulnerability status mapping
Checkmarx Status | Vulcan Status |
URGENT, TO_VERIFY | Vulnerable |
- | Fixed |
- | Ignored - false positive |
CONFIRMED, | Ignored risk acknowledged |
Vulnerability score mapping
Checkmarx score | Vulcan score |
HIGH | 10 |
MEDIUM | 7 |
- | 5 |
LOW | 3 |
INFO | 0 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).
The table below lists how the status update mechanism works in the Checkmarx connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the connector's last sync - Asset not seen for X days according to "Last Seen". |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the connector's side indicates irrelevancy (e.g., "INACTIVE").
|
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: -
API | Use in Vulcan |
Auth | |
{{checkmarx_one_us_base_url}}/api/projects | Assets |
{{checkmarx_one_us_base_url}}/api/projects/last-scan | Vulnerabilities |
{{checkmarx_one_us_base_url}}/api/results?scan-id={{scan_id}} | Vulnerabilities |
{{checkmarx_one_us_base_url}}/api/bfl/?scan-id={{scan_id}} | Vulnerabilities |
{{checkmarx_one_us_base_url}}/api/applications | Solutions |