Checkmarx Connector: API and XML

Checkmarx offers several products within Application Security including SAST, SCA, IAST, etc. Checkmarx aims to give you the flexibility, accuracy, and coverage to secure your most critical code commits, within your rule sets, at scale. These solutions enable organizations to introduce security into their Software Development Lifecycle (SDLC). The automated scanning technology enables developers and auditors to scan uncompiled/unbuilt code and systematically eliminate software risk.

To import your data from Checkmarx to the Kenna.AppSec module, you will need to leverage the Checkmarx API or XML Connectors under the Static Analysis tools. There are two different Checkmarx Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, please see the help page here.

We recommend the API Checkmarx Connector for ease of use via automation.

What Types of Checkmarx Data does Cisco Vulnerability Management Support?

  • SAST scan ingestion

  • SCA scan ingestion (available only via toolkit integrations)

User Prerequisites/Connector Setup:

  • Checkmarx Environments that are on-premise will require the Kenna Virtual Tunnel.

  • Checkmarx Environments that are Cloud hosted do not need any Agent or Tunnel.

  • You must have API Access if you are leveraging the API Connector.

  • The service account leveraged for the API Connector must have access to all of the reports you wish to ingest.

Configuring your Connector in Cisco Vulnerability Management

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Checkmarx (API) or (XML) depending on your organization’s needs.

Checkmarx_API.png

Once you select the Checkmarx API Connector, the following screen will appear:

Checkmarx_API1.png

  • Enter a name for the connector, or leave it as “Checkmarx”.
  • Enter the Username and Password for the account you are planning to leverage. We recommend using a service account.

  • Schedule the Connector. Select the frequency at which you’d like your Connector to run. (we recommend mirroring the cadence of your Checkmarx Scans).

  • Click "Save and Verify".

  • If you’d like to set a connector level asset inactivity limit, you can do that at this time. We recommend 2-3x the scan cadence of your Checkmarx Scans.

What Checkmarx Items does Cisco Vulnerability Management Import and what API Calls are involved?

Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:

Fields in Checkmarx

Fields in Cisco Vulnerability Management 

Note

ProjectName

Application Identifier

Search for application_identifer in Cisco Vulnerability Management by using the custom query box and typing application:""

Path > PathNode > FileName

file

Search for file in Cisco Vulnerability Management by using the custom query box and typing file:""

Status

vulnerability Status

 We do not map false positives

Node_id

scanner_id

 

Severity

scanner_score

Informational - 0

Low - 3

Medium - 6

High - 9

QueryVersionCode

Unique Identifier

 

name

scanner_vulnerability in vulnerability

 

cwe_id + name 

Vulnerability Title

 

CWE

CWE

 

(initial) ScanStart

Found On
first_found_on
vulnerability_found
finding_found

Checkmarx doesn’t provide an explicit field, so first ScanStart sent to Cisco Vulnerability Management is used

(latest) ScanStart

last_seen_time
vulnerability_last_seen

 

Description

Description

 

Deep Link

Deep Link in description

 

columns name as tags:
Team
ProjectName
Group
Language

Tags

 

 

 

The Connector does not pull in the following:

  • Tags

  • False Positive Vulnerabilities

  • Triage States

The API endpoints we leverage (API Connector only) are:

  • …auth/identity/connect/token

  • …/sast/scans

  • …/sast/scans/{id}

What Checkmarx items are turned into Cisco Vulnerability Management Tags?

  • Team

  • Project Name

  • Group

  • Language

Optional Settings

The following settings can be enabled on the backend for Checkmarx Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Skip Tags

    • This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on scanner metadata.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

  • Tag Reset

    • This setting will assist in keeping your scanner metadata in sync with Cisco Vulnerability Management . Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

    • If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.

  • Custom Ordered Locators

    • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.

Common Reasons for Checkmarx Connector Run Failures

  • Bad credentials
  • No reports are found, Cisco Vulnerability Management will abort
  • Failed API calls
  • Inability to process unexpected data/format
  • If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run.

Additional Assistance:

Please contact Support should you require any additional assistance with the Checkmarx Connector(s).

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.