You will learn

How to create Checkmarx as ThreadFix remote provider, how to obtain Scan data, as well as how data is parsed.

Prerequisites

Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have Server Manager role

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

Checkmarx's CxSAST is a tool that discovers and documents application layer security vulnerabilities. The following guide is only applicable to version 8.7 or newer.

Checkmarx User Account

Checkmarx requires that a user have Server Manager role to pull scan data from their instance via API.

API Usage

Authentication

ThreadFix authenticates using Checkmarx Token authentication, additional details care be found here.

/cxrestapi/auth/identity/connect/token

Fetch Applications (Versions > 8.7)

Get All Teams with the following:
/cxrestapi/auth/teams
Get Projects with the following:
/cxrestapi/projects

ThreadFix creates remote provider applications based on the results of both Get All Teams and Get Projects. The Remote provider application's name is the combination of the name of the project (from Get Projects) with the corresponding name of the team, i.e. Project Name (Team Name). The remote provider application’s native id is the same as the Checkmarx Project Id.

Get Scans (Version > 8.7) Steps:

Get Scans with the following:
1. Parameters
  1. projectId = remoteProviderApplication.nativeId
  2. scanStatus = "Finished"
  3. last = 1 (Only if the Remote Provider is set to only pull the Most Recent Scan)
2. This endpoint was only introduced in Checkmarx 8.8. To account for this ThreadFix will check if this call returns a 2xx response code. If it does not, ThreadFix will make another call to fetch the scans using the ODATA Get Scans call noted below. If the result is valid it will continue on to Get Scan Stats
3. ODATA Get Scans
  1. Most Recent Only
  2. All Scans
Get Scan Stats with the following:
This call is executed per scan that is found in Get Scans.
Generate Report with the following:
1. Request Body:
  i. reportType: XML
  ii. scanId: Checkmarx Scan Id gathered from Get Scans
Check Report Status with the following:
1. This call executes every 5 seconds until one the following conditions occurs:
  1. Status for a finished report:
    1) Created
  2. Status for a failed report:
    1) Deleted
    2) Failed
  3. ThreadFix has been checking the status of the report for longer than 15 mins, at which point it stops checking and does not import any scans
Get Report with the following:
This report is then parsed and the scan's findings are created from this report.

Get Scan Logic

Using the data from Get Scans and Get Scan Stats:

ThreadFix compares the Engine Finished On date, if it exists otherwise ThreadFix will use the Finished On date, and compare it to the RemoteProviderApplication.lastImportTime.
Uses the statisticsCalculationDate to compare against the latest updated date for Checkmarx scans that have already been imported in the ThreadFix application.

Scan Import Logic

If the Engine Finished On/Finished On date is newer ThreadFix will import the scan
If the Engine Finished On/Finished On date is equal, ThreadFix checks the statisticsCalculationDate
- If the statisticsCalculationDate is newer the scan is imported
- If the statisticsCalculationDate is equal and force last scan is enabled the scan is imported
Otherwise, this scan is ignored
If Bidirectionality is turned on and the above logic has determined there are no new scans to import, ThreadFix will attempt to import a scan to sync the finding status
- This import occurs only if the statisticsCalculationDate is newer, ThreadFix does not check the EngineFinishedOn/FinishedOn dates in this check

Multiple Mapped Remote Provider Applications

In order to make import determinations faster, in the event that a ThreadFix application has multiple Checkmarx Remote Provider Applications mapped, ThreadFix executes the Get Scans and Get Scan Stats calls for each of the mapped remote provider applications. In addition it also applies the above Scan Import Logic to the results. If any of the remote provider applications have scans that need to be imported, ThreadFix will then import for each of the mapped remote provider applications.

Bidirectional Sync Findings Logic

(More info on this functionality here)

The severity and status sync both use the SOAP API with the following body:

ThreadFix replaces the following variables in the SOAP body above:

sessionId is replaced with the sessionId from the result of the SOAP login
- If this variable is null, this means ThreadFix is connecting to a Checkmarx version that is greater than 9, and will apply the appropriate Authorization Header
scanId is gathered from the finding's URL
pathId is gathered from the finding's URL
projectId is gathered from the finding's URL
resultLabelType will be one of two options:
- 2, if ThreadFix is updating the finding's severity
- 3, if ThreadFix is updating the finding's state
data is determined by whether ThreadFix is updating the severity or state
- Severity (Checkmarx = ThreadFix)
  § 0 = Information
  § 1 = Low
  § 2 = Medium
  § 3 = High
- State (Checkmarx = ThreadFix)
  § 1 = False Positive
  § 4 = Contested
  § 2 = Exploitable
  § 2 = Verified
  § 0 = No status

For any questions, please reach out to support@threadfix.it.

1 You will learn
- 1.1 Prerequisites
- 1.2 Introduction
- 1.3 Checkmarx User Account
  - 1.3.1 API Usage
    - 1.3.1.1 Authentication
    - 1.3.1.2 Fetch Applications (Versions > 8.7)
    - 1.3.1.3 Get Scans (Version > 8.7) Steps:
    - 1.3.1.4 Get Scan Logic
    - 1.3.1.5 Scan Import Logic
    - 1.3.1.6 Multiple Mapped Remote Provider Applications
    - 1.3.1.7 Bidirectional Sync Findings Logic
2 Table of Contents

Checkmarx Remote Provider