Overview

About Checkmarx One

Checkmarx One platform combines the full suite of application security testing (AST) solutions to help you secure your digital transformation across every phase of modern application development and bring your apps to market faster.

Why integrate Checkmarx One into the Vulcan platform?

The Checkmarx One Connector by Vulcan integrates with the Checkmarx One platform to pull and ingest Code Project assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Checkmarx One Connector Details

Supported products	Checkmarx One - SAST SCA IaC findings
Category	Application Security - SCA/SAST
Ingested asset type(s)	Code Projects
Integration type	UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)
Supported version and type	SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Checkmarx user with the appropriate permissions
Checkmarx API Key

Creating a Checkmarx One API User

Login to Checkmarx as Admin.
Navigate to Identity and Access Management.
Go to Users.
Click Add user.
Edit the user you just added.
Go to Role Mappings
In the CxOne Roles, assign the following roles to the user:
1. view-applications
2. view-project-params
3. view-project-params-if-in-group
4. view-projects
5. view-projects-if-in-group
6. view-queries
7. view-results
8. view-results-if-in-group
9. view-scans
10. view-scans-if-in-group
  
  Example:

Generating Checkmarx One API Key

Logout from the Checkmark admin user and log back in using the user you just created.
Navigate to Identity and Access Management > API Keys.
Click Create Key.
Save the key somewhere safe.

Configuring the Checkmarx One Connector

Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Checkmarx icon.
Set up the Connector as follows:
- Select the Environment (US/EU/Australia/New Zealand), and enter the account name and the Key you generated earlier.
  Example:
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Checkmarx One instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Checkmarx One icon shows Connected, the sync is complete.

Checkmarx One in the Vulcan Platform

Viewing Checkmarx One vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
See the complete list of available vulnerability filters.
Select Checkmarx One from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.

Viewing Checkmarx assets in the Vulcan Platform

To view assets by Connector/Source:

Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Checkmax One from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Check

To take remediation action on vulnerabilities and assets detected by Checkmarx One:

Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Checkmax One option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.

Automating remediation actions on vulnerabilities detected by Checkmarx One

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Checkmarx Connector.

Learn all about Automation Playbooks in the Vulcan Cyber Platform.

From Checkmarx One to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Checkmarx One through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Code Project - SAST field mapping

Checkmarx One field	Vulcan field	Value Example
id	Uniqueness criteria
Repository name	Asset Name
Code Projects	Asset type
source file	Asset codebase - Source (SAST)
data.nodes[0].line	Asset codebase - Location (SAST)
project application technologies	Asset details
application tags project tags application name	Asset Tags - Vendor’s tags
application_tags application_name tags	Asset Tags - Additional
updatedAt	Last report
id	Vulnerability instance uniqueness criteria
firstFoundAt	Vulnerability instance first seen
foundAt	Vulnerability instance Last seen
cvss_score	Vulnerability instance score
sast_file_location	Vulnerability instance location path
id	Unique Vulnerability uniqueness criteria
vulnerability name	Vulnerability title
severity (map)	Vulnerability score
description	Vulnerability description
Language	Vulnerability details
cvss_score	CVSS
cwe	CWE
Severity state source node source file sine node ID Branch	Vulnerability instance connection- additional information
Fix from checkmarx one	Fix - Title
Recommended version: {{ data.recommendedVersion }}	Fix - Description
read more link	Fix - References

Code Project - SCA field mapping

Checkmarx One field	Vulcan field	Value Example
id	Uniqueness criteria
Repository name	Asset Name
Code Projects	Asset type
Container package name	Asset libraries - Name (SCA)
Version	Asset libraries - Version (SCA)
project application technologies	Asset details
application tags project tags application name	Asset Tags - Vendor’s tags
application_tags application_name tags	Asset Tags - Additional
last scan	Last report
id	Vulnerability instance uniqueness criteria
first_seen	Vulnerability instance first seen
last_seen	Vulnerability instance Last seen
CVSS score/ risk level	Vulnerability instance score
package and version	Vulnerability instance location path
id	Unique Vulnerability uniqueness criteria
risk ID	Vulnerability title
information publication date category exploitable path ›	Vulnerability description
severity attack complexity user interaction privileges required scope	Vulnerability details
status	Vulnerability status
cvss score	CVSS
cve	CVE/S
cwe	CWE
status	Vulnerability instance connection- additional information
Checmarx One recommendation	Fix - Title
“remediate this vulnerability”	Fix - Description
additional knowledge references	Fix - References

Code Project - IaC Secuirty

Checkmarx One field	Vulcan field	Value Example
id	Uniqueness criteria
Repository name	Asset Name
Code Projects	Asset type
project application technologies Category platform	Asset details
application tags project tags application name	Asset Tags - Vendor’s tags
application tags project tags application name	Asset Tags - Additional
last scan	Last report
id	Vulnerability instance uniqueness criteria
firstFoundAt	Vulnerability instance first seen
foundAt	Vulnerability instance Last seen
severity	Vulnerability instance score
File	Vulnerability instance location path
id	Unique Vulnerability uniqueness criteria
Query Name	Vulnerability title
Description	Vulnerability description
Category issue type	Vulnerability details
status	Vulnerability status
cvss_score	CVSS
cwe	CWE
file actual value expected value	Vulnerability instance connection- additional information
Checmarx One recommendation	Fix - Title
data.expectedValue	Fix - Description

Vulnerability status mapping

Checkmarx Status	Vulcan Status
URGENT, TO_VERIFY	Vulnerable
-	Fixed
-	Ignored - false positive
CONFIRMED, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE	Ignored risk acknowledged

Vulnerability score mapping

Checkmarx score	Vulcan score
HIGH	10
MEDIUM	7
-	5
LOW	3
INFO	0

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).

The table below lists how the status update mechanism works in the Checkmarx connector for the vulnerabilities and assets in the Vulcan Platform.

Update type in Vulcan	Mechanism (When?)
The asset is archived	- Asset not found on the connector's last sync - Asset not seen for X days according to "Last Seen".
The vulnerability instance status changes to "Fixed"	- If the vulnerability no longer appears in the scan findings. - Vulnerability status on the connector's side indicates irrelevancy (e.g., "INACTIVE").

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

API version: -

API	Use in Vulcan
https://iam.checkmarx.net/auth/realms/vulcan-nfr/protocol/openid-connect/token	Auth
{{checkmarx_one_us_base_url}}/api/projects	Assets
{{checkmarx_one_us_base_url}}/api/projects/last-scan	Vulnerabilities
{{checkmarx_one_us_base_url}}/api/results?scan-id={{scan_id}}	Vulnerabilities
{{checkmarx_one_us_base_url}}/api/bfl/?scan-id={{scan_id}}	Vulnerabilities
{{checkmarx_one_us_base_url}}/api/applications	Solutions

Wiz Connector

Snyk Connector (new revision)

Qualys WAS Connector (new revision)

Checkmarx CxSAST Connector (Rev. November 2023)

GitLab Connector