Checkmarx offers several products within Application Security including SAST, SCA, IAST, etc. Checkmarx aims to give you the flexibility, accuracy, and coverage to secure your most critical code commits, within your rule sets, at scale. These solutions enable organizations to introduce security into their Software Development Lifecycle (SDLC). The automated scanning technology enables developers and auditors to scan uncompiled/unbuilt code and systematically eliminate software risk.
To import your data from Checkmarx to the Kenna.AppSec module, you will need to leverage the Checkmarx API or XML Connectors under the Static Analysis tools. There are two different Checkmarx Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, please see the help page here.
We recommend the API Checkmarx Connector for ease of use via automation.
What Types of Checkmarx Data does Cisco Vulnerability Management Support?
-
SAST scan ingestion
-
SCA scan ingestion
User Prerequisites/Connector Setup:
-
Checkmarx Environments that are on-premise will require the Kenna Virtual Tunnel.
-
Checkmarx Environments that are Cloud hosted do not need any Agent or Tunnel.
-
You must have API Access if you are leveraging the API Connector.
-
The service account leveraged for the API Connector must have access to all of the reports you wish to ingest.
Configuring your Connector in Cisco Vulnerability Management
To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Checkmarx (API) or (XML) depending on your organization’s needs.

Once you select the Checkmarx API Connector, the following screen will appear:

- Enter a name for the connector, or leave it as “Checkmarx”.
-
Enter the Username and Password for the account you are planning to leverage. We recommend using a service account.
-
Schedule the Connector. Select the frequency at which you’d like your Connector to run. (we recommend mirroring the cadence of your Checkmarx Scans).
-
Click "Save and Verify".
-
If you’d like to set a connector level asset inactivity limit, you can do that at this time. We recommend 2-3x the scan cadence of your Checkmarx Scans.
What Checkmarx Items does Cisco Vulnerability Management Import and what API Calls are involved?
Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:
Fields in Checkmarx |
Fields in Cisco Vulnerability Management |
Note |
ProjectName |
Application Identifier |
Search for application_identifer in Cisco Vulnerability Management by using the custom query box and typing application:"" |
Path > PathNode > FileName |
file |
Search for file in Cisco Vulnerability Management by using the custom query box and typing file:"" |
Status |
vulnerability Status |
We do not map false positives |
Node_id |
scanner_id |
|
Severity |
scanner_score |
Informational - 0 Low - 3 Medium - 6 High - 9 |
QueryVersionCode |
Unique Identifier |
|
name |
scanner_vulnerability in vulnerability |
|
cwe_id + name |
Vulnerability Title |
|
CWE |
CWE |
|
(initial) |
Found On |
Checkmarx doesn’t provide an explicit field, so first |
(latest) |
|
|
Description |
Description |
|
Deep Link |
Deep Link in description |
|
columns name as tags: |
Tags
|
|
The Connector does not pull in the following:
-
Tags
-
False Positive Vulnerabilities
-
Triage States
The API endpoints we leverage (API Connector only) are:
-
…auth/identity/connect/token
-
…/sast/scans
-
…/sast/scans/{id}
What Checkmarx items are turned into Cisco Vulnerability Management Tags?
-
Team
-
Project Name
-
Group
-
Language
Optional Settings
The following settings can be enabled on the backend for Checkmarx Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
-
Exclude Informationals
-
When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
-
-
Skip Tags
-
This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on scanner metadata.
-
-
Ignore Scanner Last Seen Time
-
If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
-
-
Tag Reset
-
This setting will assist in keeping your scanner metadata in sync with Cisco Vulnerability Management . Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.
-
If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.
-
-
Custom Ordered Locators
-
Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.
-
Common Reasons for Checkmarx Connector Run Failures
- Bad credentials
- No reports are found, Cisco Vulnerability Management will abort
- Failed API calls
- Inability to process unexpected data/format
- If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run.
Additional Assistance:
Please contact Support should you require any additional assistance with the Checkmarx Connector(s).
Comments
Please sign in to leave a comment.