As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

Checkmarx One Remote Provider (ThreadFix 3.X)

You will learn

How to create Checkmarx One as ThreadFix remote provider, how to obtain Scan data, as well as how data is parsed.

Prerequisites

Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have Server Manager role

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

Checkmarx One is an cloud based platform offering a full suite of AST solutions to protect every part of modern applications: 

  • Static Application Security Testing (SAST)

  • Software Composition Analysis (SCA) 

  • Supply Chain Security (SCS) 

  • API Security

  • Dynamic Application Security Testing (DAST) 

  • Container Security

  • Infrastructure as Code (IaC)

ThreadFix currently implements SAST and SCA findings only

Create Provider

The general Create New Provider process can be followed in order to setup Checkmarx One, note example user credentials below.

Note the successfully created remote provider.

API Usage

Authentication

Checkmarx One requires JWT (JSON Web Token) access tokens for authentication of all API calls. Access tokens are generated using the Authentication API.

This API generates a JWT (JSON Web Token) access token which is used for authentication with all Checkmarx One APIs.

There are two methods that can be used to generate an access token:

  • Refresh Token (API Key) - If you have a refresh token, you can submit that with this API in order to receive an access token. To learn how to generate a refresh token, see Generating a Refresh Token (API Key).

  • OAuth2 Client - If you have an OAuth2 Client for Checkmarx One, you can submit your Client ID and Secret with this API in order to receive an access token. To learn how to generate an OAuth2 Client, see Creating an Oauth2 Client.

Curl Sample - Refresh Token

curl --request POST 'https://eu.iam.checkmarx.net/auth/realms/{{TENANT_NAME}}/protocol/openid-connect/token' \ --data "grant_type=refresh_token" \ --data "client_id=ast-app" \ --data "refresh_token={{Your_API_KEY}}"

Curl Sample - OAuth2 Client

curl --request POST 'https://eu.iam.checkmarx.net/auth/realms/{{TENANT_NAME}}/protocol/openid-connect/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Accept: application/json' \ --data-urlencode 'client_id={{your-iam-oauth-client}}' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_secret={{secret_key}}'

 

Retrieve list of projects

We can get info for all Projects from Checkmarx One, or limit results by using pagination and or by filtering by various scan attributes such as Project ID, Project Name, tags etc. ThreadFix creates remote provider applications based on the results of this API. More details about the API is found here.

GET https://ast.checkmarx.net/api/projects

 

Retrieve list of scans (or latest scan)

Get a list of scans, with detailed information about each scan. Can get scans for a particular project we are interested in by passing the project Id.

To get the latest completed scan for a project we can call this API with the below parameters.

sort = [-created_at] (-created_at means sort by created date descending)

limit = 1 (limiting the results to 1, so we get the top result from a list of scans sorted by created date in descending order)

project-id = {project-id} (Checkmarx one Project Id that we want to get the scan for)

More details about the API is found here.

 

Create a report

This call is to initiate a scan report, need to pass the scan ID retrieved from above API.

The POST method is submitted with a JSON payload that specifies the type of report being generated and the format of the report output. The parameters submitted in the payload differ depending on the type of report being generated. More details

 

Download a report

This API will be called to get the details of the report initiated by using the Create a Report API. More details

 

Finding Details Example

Below is an example of a vulnerability’s Finding Details from Checkmarx One.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.