- Created by Daniel Colon, last modified on Nov 17, 2021
📙 You will learn
How to create Checkmarx as ThreadFix remote provider, how to obtain Scan data, as well as how data is parsed.
Prerequisites
Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have Server Manager role
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.
For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Introduction
Checkmarx's CxSAST is a tool that discovers and documents application layer security vulnerabilities. The following guide is only applicable to version 8.7 or newer.
Checkmarx User Account
Checkmarx requires that a user have Server Manager role to pull scan data from their instance via API.
API Usage
Authentication
ThreadFix authenticates using Checkmarx Token authentication; additional details can be found here.
/cxrestapi/auth/identity/connect/token
Fetch Applications (Versions > 8.7)
Get All Teams with the following:
/cxrestapi/auth/teams
Get Projects with the following:
/cxrestapi/projects
ThreadFix creates remote provider applications based on the results of both Get All Teams and Get Projects. The Remote provider application's name is the combination of the name of the project (from Get Projects) with the corresponding name of the team, i.e. Project Name (Team Name). The remote provider application’s native id is the same as the Checkmarx Project Id.
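The following is an added example (not ThreadFix's or Checkmarx's own code) of how the two responses above can be combined into remote provider applications named "Project Name (Team Name)" with the Checkmarx project id as the native id. The JSON field names (team "id" and "name", project "id", "name" and "teamId") are assumptions modelled on CxSAST 8.x responses, and the sample payloads are constructed for the example; the page does not say what happens to a project whose team is not returned, so that case is skipped here as a labelled assumption.

```python
"""Added example: derive ThreadFix remote provider applications from the
Checkmarx 'Get All Teams' and 'Get Projects' responses.  Not ThreadFix's code;
the field names and sample payloads are assumptions/constructed data."""
from dataclasses import dataclass

# Constructed sample of GET /cxrestapi/auth/teams (field names assumed)
SAMPLE_TEAMS = [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "Company",
     "fullName": "\\CxServer\\SP\\Company"},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "WebApps",
     "fullName": "\\CxServer\\SP\\Company\\WebApps"},
]

# Constructed sample of GET /cxrestapi/projects (field names assumed)
SAMPLE_PROJECTS = [
    {"id": 101, "name": "Billing", "teamId": "00000000-0000-0000-0000-000000000002"},
    {"id": 102, "name": "Intranet", "teamId": "00000000-0000-0000-0000-000000000001"},
    # team id that does not appear in the teams response
    {"id": 103, "name": "Orphan", "teamId": "00000000-0000-0000-0000-0000000000ff"},
]


@dataclass(frozen=True)
class RemoteProviderApplication:
    name: str       # "Project Name (Team Name)"
    native_id: str  # Checkmarx Project Id, kept as a string


def build_applications(teams, projects):
    """Join projects to teams on teamId and name each application
    'Project Name (Team Name)'; nativeId is the Checkmarx project id."""
    team_names = {team["id"]: team["name"] for team in teams}
    apps = []
    for project in projects:
        team_name = team_names.get(project["teamId"])
        if team_name is None:
            # Assumption: a project whose team the API user cannot see is
            # skipped rather than given an invented team name.
            continue
        apps.append(RemoteProviderApplication(
            name=f"{project['name']} ({team_name})",
            native_id=str(project["id"]),
        ))
    return apps


if __name__ == "__main__":
    for app in build_applications(SAMPLE_TEAMS, SAMPLE_PROJECTS):
        print(app.native_id, app.name)
```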
Get Scans (Version > 8.7) Steps:
Get Scans with the following:
/cxrestapi/sast/scans
Parameters
projectId = remoteProviderApplication.nativeId
scanStatus = "Finished"
last = 1 (Only if the Remote Provider is set to only pull the Most Recent Scan)
This endpoint was only introduced in Checkmarx 8.8. To account for this, ThreadFix checks whether this call returns a 2xx response code. If it does not, ThreadFix makes another call to fetch the scans using the ODATA Get Scans call noted below. If the result is valid, it continues on to Get Scan Stats.
ODATA Get Scans
Most Recent Only
/Cxwebinterface/odata/v1/Projects(<remoteProviderApplication.nativeId>)/Scans?$select=Id,ProjectName,EngineFinishedOn,ScanRequestedOn&$orderby=EngineFinishedOn%20desc&$top=1&$filter=EngineFinishedOn%20gt%20<remoteProviderApplication.lastImportTime>
All Scans
/Cxwebinterface/odata/v1/Projects(<remoteProviderApplication.nativeId>)/Scans?$select=Id,ProjectName,EngineFinishedOn,ScanRequestedOn&$orderby=EngineFinishedOn%20asc&$filter=EngineFinishedOn%20gt%20<remoteProviderApplication.lastImportTime>
Get Scan Stats with the following:
/cxrestapi/sast/scans/<Checkmarx Scan Id>/resultStatistics
This call is executed per scan that is found in Get Scans.
Generate Report with the following:
/cxrestapi/report/sastScan
Request Body:
i. reportType: XML
ii. scanId: Checkmarx Scan Id gathered from Get Scans
Check Report Status with the following:
/cxrestapi/reports/sastScan/<Checkmarx Report Id>/status
This call executes every 5 seconds until one of the following conditions occurs:
Status for a finished report:
1) Created
Status for a failed report:
1) Deleted
2) Failed
ThreadFix has been checking the status of the report for longer than 15 mins, at which point it stops checking and does not import any scans
Get Report with the following:
/cxrestapi/reports/sastScan/<Checkmarx Report Id>
This report is then parsed and the scan's findings are created from this report.
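The report polling loop described above (Check Report Status every 5 seconds until the report is Created, Deleted or Failed, or 15 minutes have passed), as an added example that is not ThreadFix's code. The status-check call is injected as a plain callable so the loop can be exercised without a Checkmarx server; the terminal status strings and the two time limits come from the page, while the non-terminal status "InProcess" used in the simulation is a constructed value.

```python
"""Added example: the Check Report Status polling loop as a pure function.
Not ThreadFix's code; only the status names and limits come from the page."""
import itertools
import time

POLL_INTERVAL_SECONDS = 5        # page: status checked every 5 seconds
MAX_WAIT_SECONDS = 15 * 60       # page: give up after 15 minutes

FINISHED_STATUSES = {"Created"}
FAILED_STATUSES = {"Deleted", "Failed"}


def wait_for_report(check_status, clock=time.monotonic, sleep=time.sleep):
    """Poll check_status() every 5 s until a terminal status or the 15 min cap.

    check_status: zero-argument callable returning the report status string
        (in practice a wrapper around GET /cxrestapi/reports/sastScan/<id>/status).
    Returns ("ready", status), ("failed", status) or ("timeout", last_status);
    only "ready" should lead to Get Report and a scan import.
    """
    started = clock()
    status = None
    while True:
        status = check_status()
        if status in FINISHED_STATUSES:
            return ("ready", status)
        if status in FAILED_STATUSES:
            return ("failed", status)
        if clock() - started >= MAX_WAIT_SECONDS:
            # Stop checking and import nothing, as the page describes.
            return ("timeout", status)
        sleep(POLL_INTERVAL_SECONDS)


class FakeClock:
    """Constructed test double: time advances only when sleep() is called."""

    def __init__(self):
        self.now_seconds = 0.0

    def now(self):
        return self.now_seconds

    def sleep(self, seconds):
        self.now_seconds += seconds


def simulate(statuses):
    """Run the loop against a scripted status sequence; the last status repeats
    forever, so a sequence ending in a non-terminal status hits the timeout."""
    clock = FakeClock()
    scripted = itertools.chain(statuses[:-1], itertools.repeat(statuses[-1]))
    return wait_for_report(lambda: next(scripted), clock.now, clock.sleep)


if __name__ == "__main__":
    print(simulate(["InProcess", "InProcess", "Created"]))
    print(simulate(["InProcess"]))   # runs out the 15 minute budget instantly
```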
Get Scan Logic
Using the data from Get Scans and Get Scan Stats:
ThreadFix takes the Engine Finished On date (or, if it is absent, the Finished On date) and compares it to RemoteProviderApplication.lastImportTime.
It uses the statisticsCalculationDate to compare against the latest updated date of the Checkmarx scans that have already been imported into the ThreadFix application.
Scan Import Logic
If the Engine Finished On/Finished On date is newer, ThreadFix will import the scan
If the Engine Finished On/Finished On date is equal, ThreadFix checks the statisticsCalculationDate
If the statisticsCalculationDate is newer, the scan is imported
If the statisticsCalculationDate is equal and force last scan is enabled, the scan is imported
Otherwise, this scan is ignored
If Bidirectionality is turned on and the above logic has determined there are no new scans to import, ThreadFix will attempt to import a scan to sync the finding status
This import occurs only if the statisticsCalculationDate is newer; ThreadFix does not check the EngineFinishedOn/FinishedOn dates in this case
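The Scan Import Logic above, written out as a decision function with a set of constructed cases, as an added example (not ThreadFix's code). The record and field names (CxScan, CxScanStats, ImportState, and how a first import with no lastImportTime is treated) are assumptions; the rules themselves are the ones listed on the page.

```python
"""Added example: the Scan Import Logic as a decision function.
Not ThreadFix's code; record shapes and the first-import case are assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass
class CxScan:
    scan_id: int
    engine_finished_on: Optional[datetime]  # preferred date
    finished_on: Optional[datetime]         # fallback when EngineFinishedOn is absent


@dataclass
class CxScanStats:
    statistics_calculation_date: datetime   # from Get Scan Stats


@dataclass
class ImportState:
    last_import_time: Optional[datetime]    # RemoteProviderApplication.lastImportTime
    last_stats_date: Optional[datetime]     # statisticsCalculationDate of the last imported scan
    force_last_scan: bool = False
    bidirectional: bool = False


def scan_finished(scan):
    """Engine Finished On if present, otherwise Finished On."""
    return scan.engine_finished_on or scan.finished_on


def import_decision(scan, stats, state):
    """Return "import", "sync" (bidirectional status sync only) or "ignore"."""
    finished = scan_finished(scan)
    if finished is None:
        return "ignore"                     # assumption: no usable date, skip
    if state.last_import_time is None or finished > state.last_import_time:
        return "import"                     # newer finish date (or first import)
    stats_date = stats.statistics_calculation_date
    if finished == state.last_import_time:
        if state.last_stats_date is None or stats_date > state.last_stats_date:
            return "import"                 # equal finish date, newer stats
        if stats_date == state.last_stats_date and state.force_last_scan:
            return "import"                 # equal stats, force last scan enabled
    # No new scan: with Bidirectionality on, sync finding status when only
    # the statisticsCalculationDate is newer (finish dates are not checked).
    if (state.bidirectional and state.last_stats_date is not None
            and stats_date > state.last_stats_date):
        return "sync"
    return "ignore"


def _utc(day, hour=0):
    """Constructed timestamps for the worked cases."""
    return datetime(2021, 11, day, hour, tzinfo=timezone.utc)


def worked_cases():
    """Constructed scenarios covering each rule on the page."""
    base = ImportState(last_import_time=_utc(10), last_stats_date=_utc(10, 1))
    newer = CxScan(1, _utc(11), None)
    same = CxScan(2, None, _utc(10))        # no EngineFinishedOn: falls back to FinishedOn
    older = CxScan(3, _utc(9), None)
    return {
        "newer finish date": import_decision(newer, CxScanStats(_utc(10, 1)), base),
        "same finish, newer stats": import_decision(same, CxScanStats(_utc(10, 2)), base),
        "same finish, same stats, forced": import_decision(
            same, CxScanStats(_utc(10, 1)), replace(base, force_last_scan=True)),
        "same finish, same stats": import_decision(same, CxScanStats(_utc(10, 1)), base),
        "older scan, newer stats, bidirectional": import_decision(
            older, CxScanStats(_utc(10, 2)), replace(base, bidirectional=True)),
        "older scan, newer stats": import_decision(older, CxScanStats(_utc(10, 2)), base),
    }


if __name__ == "__main__":
    for case, decision in worked_cases().items():
        print(f"{case:45} -> {decision}")
```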
Multiple Mapped Remote Provider Applications
In order to make import determinations faster, in the event that a ThreadFix application has multiple Checkmarx Remote Provider Applications mapped, ThreadFix executes the Get Scans and Get Scan Stats calls for each of the mapped remote provider applications. In addition it also applies the above Scan Import Logic to the results. If any of the remote provider applications have scans that need to be imported, ThreadFix will then import for each of the mapped remote provider applications.
Bi-directional Sync Findings Logic
The severity and status sync both use the SOAP API with the following body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:chec="http://Checkmarx.com">
   <soapenv:Header/>
   <soapenv:Body>
      <chec:UpdateResultState>
         <!--Optional:-->
         <chec:sessionID>sessionId</chec:sessionID>
         <chec:scanId>scanId</chec:scanId>
         <chec:PathId>pathId</chec:PathId>
         <chec:projectId>projectId</chec:projectId>
         <chec:ResultLabelType>resultLabelType</chec:ResultLabelType>
         <chec:data>data</chec:data>
      </chec:UpdateResultState>
   </soapenv:Body>
</soapenv:Envelope>
ThreadFix replaces the following variables in the SOAP body above:
sessionId is replaced with the sessionId from the result of the SOAP login
If this variable is null, this means ThreadFix is connecting to a Checkmarx version that is greater than 9, and will apply the appropriate Authorization Header
scanId is gathered from the finding's URL
pathId is gathered from the finding's URL
projectId is gathered from the finding's URL
resultLabelType will be one of two options:
2, if ThreadFix is updating the finding's severity
3, if ThreadFix is updating the finding's state
data is determined by whether ThreadFix is updating the severity or state
Severity (Checkmarx = ThreadFix)
§ 0 = Information
§ 1 = Low
§ 2 = Medium
§ 3 = High
State (Checkmarx = ThreadFix)
§ 1 = False Positive
§ 4 = Contested
§ 2 = Exploitable
§ 2 = Verified
§ 0 = No status
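An added example (not ThreadFix's code) that builds the UpdateResultState SOAP body shown above from the page's variable substitutions and the severity/state tables. It assumes the scanId, pathId and projectId have already been extracted from the finding's URL (constructed values are passed in directly), treats a null sessionId as "omit the optional sessionID element" (the page only says ThreadFix then uses an Authorization header), and builds the document with xml.etree so that every substituted value is escaped rather than spliced into a string template.

```python
"""Added example: construct the UpdateResultState SOAP envelope with the
page's severity/state codes.  Not ThreadFix's code; omitting sessionID when it
is null is an assumption."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CHEC_NS = "http://Checkmarx.com"

RESULT_LABEL_SEVERITY = 2   # page: resultLabelType when updating severity
RESULT_LABEL_STATE = 3      # page: resultLabelType when updating state

# ThreadFix severity -> Checkmarx severity code (table on the page)
SEVERITY_TO_CX = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
# ThreadFix status -> Checkmarx result state code (table on the page)
STATE_TO_CX = {"False Positive": 1, "Contested": 4, "Exploitable": 2,
               "Verified": 2, "No status": 0}


def update_result_state_body(session_id, scan_id, path_id, project_id,
                             *, severity=None, state=None):
    """Return the SOAP envelope as UTF-8 bytes.  Exactly one of severity/state
    is given; it selects ResultLabelType and the mapped value of <chec:data>."""
    if (severity is None) == (state is None):
        raise ValueError("pass exactly one of severity= or state=")
    if severity is not None:
        label, data = RESULT_LABEL_SEVERITY, SEVERITY_TO_CX[severity]
    else:
        label, data = RESULT_LABEL_STATE, STATE_TO_CX[state]

    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("chec", CHEC_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    operation = ET.SubElement(body, f"{{{CHEC_NS}}}UpdateResultState")

    fields = {
        # Assumption: sessionID is None for CxSAST 9+, where the request is
        # authorised via an Authorization header, so the element is omitted.
        "sessionID": session_id,
        "scanId": scan_id,          # from the finding's URL
        "PathId": path_id,          # from the finding's URL
        "projectId": project_id,    # from the finding's URL
        "ResultLabelType": label,
        "data": data,
    }
    for tag, value in fields.items():
        if value is None:
            continue
        # ET escapes the text, so a value containing '<' or '&' cannot alter
        # the envelope's structure.
        ET.SubElement(operation, f"{{{CHEC_NS}}}{tag}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8")


def parse_fields(body):
    """Read the chec:* child values back out of an envelope (for checking)."""
    root = ET.fromstring(body)
    operation = root.find(f".//{{{CHEC_NS}}}UpdateResultState")
    return {child.tag.split("}")[1]: child.text for child in operation}


if __name__ == "__main__":
    # Constructed ids; in practice they come from the finding's URL.
    print(update_result_state_body("session-123", 500, 7, 101, severity="High").decode())
```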