Checkmarx offers several products within Application Security including SAST, SCA, and IAST. Checkmarx aims to give you the flexibility, accuracy, and coverage to secure your most critical code commits, within your rule sets, at scale. These solutions enable organizations to introduce security into their Software Development Lifecycle (SDLC). The automated scanning technology enables developers and auditors to scan uncompiled/unbuilt code and systematically eliminate software risk.
To import your data from Checkmarx to the Application Security Module, you will need to use the Checkmarx API or XML Connectors under the Static Analysis section of the Cisco Vulnerability Management UI. There are two different Checkmarx Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, see the information here.
Cisco recommends the API Checkmarx Connector for ease of use via automation.
What Types of Checkmarx Data does Cisco Vulnerability Management Support?
-
SAST scan ingestion
-
SCA scan ingestion (available only via toolkit integrations)
Prerequisites
-
Checkmarx Environments that are on-premises require the Virtual Tunnel.
-
Checkmarx Environments that are Cloud hosted do not require any Agent or Tunnel.
-
You must have API Access if you are leveraging the API Connector.
-
The service account leveraged for the API Connector must have access to all of the reports you want to ingest.
- You must be a Cisco Vulnerability Management Administrator.
Configuring your Connector in Cisco Vulnerability Management
To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Checkmarx (API) or (XML) depending on your organization’s needs.
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Static Analysis section, click Checkmarx API or Checkmarx XML depending on your organization’s needs.
4. On the Checkmarx API screen, enter the following information:
- Name: Enter a name for the connector, or leave it as “Checkmarx”.
- Enter the Username and Password for the account you want to use. Cisco recommends using a service account.
- Schedule: Select the frequency at which you’d like your Connector to run. (Cisco recommends mirroring the cadence of your Scans).
- Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your Scans.
5. Click Save and Verify.
What Checkmarx Items does Cisco Vulnerability Management Import and what API Calls are involved?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector.
Fields in Checkmarx |
Fields in Cisco Vulnerability Management |
Note |
ProjectName |
Application Identifier |
Search for application_identifer in Cisco Vulnerability Management by using the custom query box and typing application:"" |
Path > PathNode > FileName |
file |
Search for file in Cisco Vulnerability Management by using the custom query box and typing file:"" |
Status |
vulnerability Status |
We do not map false positives |
Node_id |
scanner_id |
|
Severity |
scanner_score |
Informational - 0 Low - 3 Medium - 6 High - 9 |
QueryVersionCode |
Unique Identifier |
|
name |
scanner_vulnerability in vulnerability |
|
cwe_id + name |
Vulnerability Title |
|
CWE |
CWE |
|
(initial) |
Found On |
Checkmarx doesn’t provide an explicit field, so first |
(latest) |
|
|
Description |
Description |
|
Deep Link |
Deep Link in description |
|
columns name as tags: |
Tags
|
|
The Connector does not import the following:
-
Tags
-
False Positive Vulnerabilities
-
Triage States
The API endpoints that Cisco Vulnerability Management leverages (API Connector only) are:
-
…auth/identity/connect/token
-
…/sast/scans
-
…/sast/scans/{id}
What Checkmarx items are turned into Cisco Vulnerability Management Tags?
-
Team
-
Project Name
-
Group
-
Language
Optional Settings
The following settings can be enabled on the backend for Checkmarx Connectors. To have these settings enabled, or for more information, contact Cisco Support, or your Customer Success Engineer.
Exclude Informationals
When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.
Skip Tags
This setting enables you to not create any Tags in Cisco Vulnerability Management based on the scanner metadata.
Ignore Scanner Last Seen Time
Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
Tag Reset
This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.
Custom Ordered Locators
Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.
Common Reasons for Checkmarx Connector Run Failures
- Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
- If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
- If an API call fails (no data available, or other reasons).
- If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
- If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.
Additional Assistance
Contact Cisco Support if you require any additional assistance with the Checkmarx Connectors.
Comments
Please sign in to leave a comment.