Checkmarx Connector: API and XML

Checkmarx offers several products within Application Security including SAST, SCA, and IAST. Checkmarx aims to give you the flexibility, accuracy, and coverage to secure your most critical code commits, within your rule sets, at scale. These solutions enable organizations to introduce security into their Software Development Lifecycle (SDLC). The automated scanning technology enables developers and auditors to scan uncompiled/unbuilt code and systematically eliminate software risk.

To import your data from Checkmarx to the Application Security Module, you will need to use the Checkmarx API or XML Connectors under the Static Analysis section of the Cisco Vulnerability Management UI. There are two different Checkmarx Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, see the information here.

Cisco recommends the API Checkmarx Connector for ease of use via automation.

What Types of Checkmarx Data does Cisco Vulnerability Management Support?

  • SAST scan ingestion

  • SCA scan ingestion (available only via toolkit integrations)

Prerequisites

  • Checkmarx Environments that are on-premises require the Virtual Tunnel.

  • Checkmarx Environments that are Cloud hosted do not require any Agent or Tunnel.

  • You must have API Access if you are leveraging the API Connector.

  • The service account leveraged for the API Connector must have access to all of the reports you want to ingest.

  • You must be a Cisco Vulnerability Management Administrator.

Configuring your Connector in Cisco Vulnerability Management

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Checkmarx (API) or (XML) depending on your organization’s needs.

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Static Analysis section, click Checkmarx API or Checkmarx XML depending on your organization’s needs.

Checkmarx_API.png

4. On the Checkmarx API screen, enter the following information: 

Checkmarx_API1.png

Name: Enter a name for the connector, or leave it as “Checkmarx”.

Enter the Username and Password for the account you want to use. Cisco recommends using a service account.

Schedule: Select the frequency at which you’d like your Connector to run. (Cisco recommends mirroring the cadence of your Scans).

Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your Scans.

5. Click Save and Verify.

What Checkmarx Items does Cisco Vulnerability Management Import and what API Calls are involved?

Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. 

Fields in Checkmarx

Fields in Cisco Vulnerability Management 

Note

ProjectName

Application Identifier

Search for application_identifer in Cisco Vulnerability Management by using the custom query box and typing application:""

Path > PathNode > FileName

file

Search for file in Cisco Vulnerability Management by using the custom query box and typing file:""

Status

vulnerability Status

 We do not map false positives

Node_id

scanner_id

 

Severity

scanner_score

Informational - 0

Low - 3

Medium - 6

High - 9

QueryVersionCode

Unique Identifier

 

name

scanner_vulnerability in vulnerability

 

cwe_id + name 

Vulnerability Title

 

CWE

CWE

 

(initial) ScanStart

Found On
first_found_on
vulnerability_found
finding_found

Checkmarx doesn’t provide an explicit field, so first ScanStart sent to Cisco Vulnerability Management is used

(latest) ScanStart

last_seen_time
vulnerability_last_seen

 

Description

Description

 

Deep Link

Deep Link in description

 

columns name as tags:
Team
ProjectName
Group
Language

Tags

 

 

 

The Connector does not import the following:

  • Tags

  • False Positive Vulnerabilities

  • Triage States

The API endpoints that Cisco Vulnerability Management leverages (API Connector only) are:

  • …auth/identity/connect/token

  • …/sast/scans

  • …/sast/scans/{id}

What Checkmarx items are turned into Cisco Vulnerability Management Tags?

  • Team

  • Project Name

  • Group

  • Language

Optional Settings

The following settings can be enabled on the backend for Checkmarx Connectors. To have these settings enabled, or for more information, contact Cisco Support, or your Customer Success Engineer.

Exclude Informationals

When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.

Skip Tags

This setting enables you to not create any Tags in Cisco Vulnerability Management based on the scanner metadata.

Ignore Scanner Last Seen Time

Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

Tag Reset

This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

Custom Ordered Locators

Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.

Common Reasons for Checkmarx Connector Run Failures

  • Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
  • If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
  • If an API call fails (no data available, or other reasons).
  • If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.

Additional Assistance

Contact Cisco Support if you require any additional assistance with the Checkmarx Connectors.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.