-
Notifications
You must be signed in to change notification settings - Fork 86
Bug Trackers and Feedback Channels
- Understanding the Data
- Understanding the result summary
- Understanding issue creation process
- Jira
- Custom Bug trackers
- Azure DevOps Work Items
- GitLab Issues
- GitLab Security Dashbaord
- GitHub Issues
- Rally Issues
- Sarif
- Service Now
- CxXML
- Json
- CSV
- NONE|WAIT
Checkmarx results are processed according to the following scheme.
The breakdown of the XML includes the following:
Query→ Result→ Path
Issues are filtered based on the criteria found in the main configuration of CxFlow along with any particular overrides (severity, category, cwe, status). From the XML structure, the Source identifier is the main tracking element. The Vulnerability+File path is the key, and as additional line references are found for the same key, it is appended to the same issue reference. See the development section for details on the ScanResults/Issue object structure.
The best fix location would be a more appropriate value to track, which is currently unavailable.
Once scan is finished and the results are retrieved then, cx-flow combines all issues in a single file that have the same category into a single issue, then the provided overrides for filters(severity,cwe,status,category,etc) are applied on those issues and a final list of Xissues is generated. Issues in the provided bug tracker are opened for the generated Xissues.
Example If 12 Medium level issues were found in a file src/authService.js as described below
Sr. No. | Line Number | Issue Category |
---|---|---|
1 | 56 58 | Client HTML5 Insecure Storage\Path 1: -1(Clubbed with 5) |
2 | 54 58 | Client HTML5 Insecure Storage\Path 2: |
3 | 165 167 | Client HTML5 Insecure Storage\Path 3: -1(Clubbed with 6) |
4 | 161 167 | Client HTML5 Insecure Storage\Path 4: |
5 | 56 58 | Client HTML5 Insecure Storage\Path 4: -2(Clubbed with 1) |
6 | 165 167 | Client HTML5 Insecure Storage\Path 4: -2(Clubbed with 3) |
7 | 58 58 | Client HTML5 Insecure Storage\Path 7: |
8 | 167 167 | Client HTML5 Insecure Storage\Path 8: |
9 | 58 58 | Client HTML5 Store Sensitive data In Web Storage\Path 1: -2(Clubbed with 10) |
10 | 58 58 | Client HTML5 Store Sensitive data In Web Storage\Path 2: -1(Clubbed with 9) |
11 | 167 167 | Client HTML5 Store Sensitive data In Web Storage\Path 3: -2(Clubbed with 12) |
12 | 167 167 | Client HTML5 Store Sensitive data In Web Storage\Path 4: -1(Clubbed with 11) |
Issues [1], and [5] are clubbed as the category of the issue and the filename is same. Similarly, issues [3] and [6], [9] and [10], and [11] and [12] are clubbed.
Since the issues are clubbed, the total count of 12 Medium issues is now converted to 8 Medium issues. In the above image the vulnerability count in Cx-SAST Summary and Violation Summary is different because Violation Summary displays all the clubbed and then filtered vulnerabilities count, while Cx-SAST Summary (and Cx-SCA Summary) displays all the vulnerabilities present in a project.
- Initially if a project is scanned with both the scanners enabled(CxSAST and CxSCA), then based on their results issues will be generated in the configured bug-tracker.
- Issues are created with a prefix(
CX
for CxSAST andCX:
for CxSCA) to differentiate the issues of scanners. - Now a subsequent scan is done on the same project with only one scanner enabled, then based on the results only those issues will be updated, closed or reopened which contains the prefix for the configured scanner. Issues which do not contain scanner specific prefix will not be touched(updated/closed/reopened).
- In case of JIRA as a bug tracker, issues created for results of any scanner also contain the prefix like other scanners but this prefix is configurable in JIRA, hence to differentiate results of scanners, a label of scanner with the scanner name is added. example
Scanner:SCA
,Scanner:SAST
. - If both the scanners are enabled to scan a project then issues in JIRA will be created based on the results of the scanner and the issues will be labelled with the scanner name.
- Now any subsequent scan is done on the same project with only one scanner enabled, only those issues will be updated,closed or reopened for which the label
Scanner:
matches with the scanner configured in cxflow during scan.
Jira has the most complex configuration use case as it supports a variety of custom fields, custom workflows and custom transitions.
jira:
url: https://xxxx.atlassian.net
username: xxxx
token: xxxx
project: SS
issue-type: Application Security Bug
label-prefix: < CUSTOM PREFIX NAME >
priorities:
High: High
Medium: Medium
Low: Low
Informational: Lowest
open-transition: In Review
close-transition: Done
open-status:
- To Do
- In Progress
- In Review
closed-status:
- Done
sast-issue-summary-format: "[VULNERABILITY] in [PROJECT] with severity [SEVERITY] @ [FILENAME]"
sast-issue-summary-branch-format: "[VULNERABILITY] in [PROJECT] with severity [SEVERITY] @ [FILENAME][[BRANCH]]"
suppress-code-snippets:
- Hardcoded_Password_in_Connection_String
- Password_In_Comment
- Use_Of_Hardcoded_Password
fields:
# - type: cx #[ cx | static | result ]
# name: Platform # cx custom field name | cx-scan | cwe, category, severity, application, *project*, repo-name, branch, repo-url, namespace, recommendations, loc, site, issueLink, filename, language
# jira-field-name: Application
# jira-field-type: label #[ security | text | label | single-select | multi-select ]
- type: cx
name: cx-scan
jira-field-name: Application
jira-field-type: label
- type: result
name: application
jira-field-name: Application
jira-field-type: label
- type: result
name: cve
jira-field-name: CVEs
jira-field-type: label
- type: result
name: cwe
jira-field-name: CWEs
jira-field-type: label
- type: result
name: category
jira-field-name: Category
- type: result
name: loc
jira-field-name: LOC
jira-field-type: label
jira-default-value: XXXXX
- type: sca-results
name: package-name
jira-field-name: Package Name
jira-field-type: label
- type: sca-results
name: current-version
jira-field-name: Current Version
jira-field-type: label
- type: sca-results
name: fixed-version
jira-field-name: Fixed Version
jira-field-type: label
- type: sca-results
name: newest-version
jira-field-name: Newest Version
jira-field-type: label
- type: sca-results
name: locations
jira-field-name: Locations
jira-field-type: label
- type: sca-results
name: risk-score
jira-field-name: Risk Score
jira-field-type: label
- type: sca-results
name: dev-dependency
jira-field-name: Development
jira-field-type: single-select
- type: sca-results
name: direct-dependency
jira-field-name: Direct
jira-field-type: single-select
- type: sca-results
name: outdated
jira-field-name: Outdated
jira-field-type: single-select
- type: sca-results
name: violates-policy
jira-field-name: Violates Policy
jira-field-type: single-select
If Jira is on-premise, configuration should be as follows
url: <Your url>
username: <Your username>
token: <Your Password in plain text>
label-prefix: < CUSTOM PREFIX NAME >
The label-prefix property is used to set a custom prefix for Jira issues. If this value is not provided then CxFlow will use the default issue prefix "CX".
priorities:
High: High
Medium: Medium
Low: Low
Informational: Lowest
The value on the left side reflects the Checkmarx severity. The value to the right reflects the priority assigned to the respective issue in Jira.
It is very important that issues driven by CxFlow have the ability to transition to and from the open or close transition states regardless of what state the issue is in. In the event that an issue cannot use the appropriate transition defined, it will fail.
open-transition: In Review
close-transition: Done*
open-status:
- To Do
- In Progress
- In Review
closed-status:
- Done
- open-transition → this is the transition to apply to an issue when re-opening an issue
- close-transition → this is the transition to apply to an issue when closing an issue
- open-status → this is a list of the available status an issue can be in that indicate the issue is still in open state according to Jira
- closed-status → this is a list of the available status an issue can be in that indicate the issue is still in closed state according to Jira
Note that CxFlow ignores case when comparing statuses.
-
type
- static: Used for static values (specifically requires a jira-default-value to be provided)
- cx: Used to map specific Checkmarx Custom Field values
- result: Used to map known values from Checkmarx results or repository/scan request details. Refer to the Result values below.
-
name: If cx reflects the type, it is the name of the custom field within Checkmarx.Also, cx-scan is the scan custom fields in type cx.
- If result is provided as type, the name must be one of the following:
application - Command line option --app
project - Command line option --cx-project
namespace - Command line option --namespace
repo-name - Command line option --repo-name
repo-url - Command line option --repo-url
branch - Command line option --branch
severity - Severity of issue in Checkmarx
category - Category of issue in Checkmarx
cwe - CWE of issue in Checkmarx
recommendation - Recommendation details based on Mitre/Custom Wiki
loc - csv of lines of code
issue-link - Direct link to issue within Checkmarx
filename - Filename provided by Checkmarx issue
language - Language provided by Checkmarx issue
similarity-id - Cx Similarity ID
- jira-field-name - Custom field name in Jira (readable name, not Custom field name). NOTE: Configuring the jira-field-name parameter to Labels would affect issue tracking and might result in duplicate bug creation or bugs not closing or opening.
-
jira-field-type - Type of custom field in Jira:
- label (if using static or cx values, the CSV format is used and broken into multiple labels)
- text (applies to many custom field types: url, text box, text, etc
- multi-select (the CSV format is used and broken into multiple select values)
- single-select
- security (used for issue security levels)
- component (used for build in Jira Component/s field)
- jira-default-value - Static value if no value can be determined for the respective field (Optional)
- skip-update: The value is only provided during the initial creation of the ticket and not updated during subsequent iterations
- offset: Used with system-date, the value of offset is added to the system date
Jira tickets can be assigned to a user when they are created. This can be achieved in the following way.
- As a webhook url parameter - The url parameter 'assignee' can be appended to the url in the webhook configuration and a user's email address to whom the tickets should be assigned in cloud and username in on-prim, is provided as the value of the parameter.
#Example for cloud
http://companyname.checkmarx.com?assignee=someUsersEmail@xyz.com
#Example for on-prim
http://companyname.checkmarx.com?assignee=someUsersName
- As CLI Parameter - The CLi parameter --assignee can be used to assign the Jira ticket when they are created. This parameter can be used for scan, project , batch modes
#Example for cloud
java -jar cx-flow-1.6.36.jar --spring.config.location="C:\Cx-Flow\Jar\application.yml" --scan --github --repo-name="someRepoName" --namespace="NameSpace" --repo-url="https://github.com/YourGitURl.git" --cx-project="YourProjectName" --branch="master" --assignee="EmailAddressToAssign"
#Example for on-prim
java -jar cx-flow-1.6.36.jar --spring.config.location="C:\Cx-Flow\Jar\application.yml" --scan --github --repo-name="someRepoName" --namespace="NameSpace" --repo-url="https://github.com/YourGitURl.git" --cx-project="YourProjectName" --branch="master" --assignee="UserName"
- As adding Custom Checkmarx field name 'jira-assignee' and setting value for this field as user's email address to whom the tickets should be assigned in cloud and username in on-prim
The sast-issue-summary-format and sast-issue-summary-branch-format properties can be used to configure the issue summary of the issues that CxFlow creates in Jira for vulnerabilities detected by CxSAST. The following substitutions are performed on the properties’ values to generate the issue summary:
[BASENAME] → The basename of the file in which the vulnerabilities were found
[BRANCH] → The value of the --branch
command line option
[FILENAME] → The full path of the file in which the vulnerabilities were found
[POSTFIX] → The issue summary’s suffix (as specified by the Jira issue-postfix property)
[PREFIX] → The issue summary’s prefix (as specified by the Jira issue-prefix property)
[PROJECT] → The Checkmarx project
[SEVERITY] → The severity of the vulnerability
[VULNERABILTY] → The vulnerability
The default Jira issue summary format (for CxSAST issues) is [PREFIX][VULNERABILITY] @ [FILENAME][POSTFIX]
([PREFIX][VULNERABILITY] @ [FILENAME] [[BRANCH]][POSTFIX]
if the --branch
command line option has been used).
When creating a Jira ticket, CxFlow will add a code snippet to the ticket. Sometimes, it is preferable to suppress the creation of code snippets as they may contain sensitive information (e.g., hard-coded passwords). The suppress-code-snippets property can be used to specify a list of vulnerabilities for which code snippets will not be created. For example:
suppress-code-snippets:
- Hardcoded_Password_in_Connection_String
- Password_In_Comment
- Use_Of_Hardcoded_Password
- Issues in JIRA are tagged with a label of
Scanner
with its value being eitherSCA
orSAST
based on the scanner result for which issue is created. - There will be filtering of issues based on the type of scan (SCA or SAST) and issues will be updated/created/closed based on the type of scanner used to initiate the scan for that project.
- If a scan is initiated for both SCA and SAST, issues of both the scanner types will be created or updated. Re-running scans for either SCA or SAST for the same project id will update issues for that scanner only. Issues of the other type scanner(created before re-run) will not be affected.
Refer to the development section for the implementation approach.
To use one of the Custom Bug Trackers, the cx-flow tag within the application yaml config must have the specified Spring Boot bean under bug-tracker-impl
:
cx-flow:
contact: admin@cx.com
bug-tracker: Json
bug-tracker-impl:
- CxXml
- Csv
- Json
- GitLab
- GitHub
Valid options for bug-tracker-impl
are currently the following ones:
- Azure
- CxXML - Only available for SAST 8.x|9.x
- Csv
- JIRA
- Json
- GitHub
- GitLab
- GitLabDashboard
- Rally
- ServiceNow
- Sarif
Azure DevOps work items only supports an issue body/description. Custom/template field values are not available at present. The available issue-type values are built/tested around issue and impediment (Scrum)
GitLab Issues leverages the same configuration as specified for WebHook listeners → API token (token) and valid urls are required
gitlab:
webhook-token: XXXX
token: xxx
url: https://gitlab.com
api-url: https://gitlab.com/api/v4/
false-positive-label: false-positive
block-merge: true
cx-flow:
bug-tracker: GitLabDashboard
bug-tracker-impl:
- GitLab
- GitLabDashboard
filter-severity:
- High
mitre-url: [https://cwe.mitre.org/data/definitions/%s.html](https://cwe.mitre.org/data/definitions/%s.html)
break-build: true
gitlab:
file-path: ./gl-sast-report.json
gitlab-dashboard-version="2.0" //We are supporting Gitlab Dashboard schema version 14.1.2 which is default version but if we user want to configure to old schema version we are also suporting 2.0.
GitHub Issues leverages the same configuration as specified for WebHook listeners → API token (token) and valid URLs are required.
github:
webhook-token: xxxx
token: xxxx
url: https://github.com
api-url: https://api.github.com/repos/
false-positive-label: false-positive
block-merge: true
Rally Issues require the configuration displayed below. In addition to the API security token the Rally API requires that you provide both a project ID and a work space ID. The Rally plugin uses tags to track defects.
rally:
token: xxxx
rally-project-id: xxxx
rally-workspace-id: xxxx
url: [https://rallydev.com](https://rallydev.com)
api-url: [https://rally1.rallydev.com/slm/webservice/v2.0](https://rally1.rallydev.com/slm/webservice/v2.0)
Locating Rally Project and Workspace IDs can be tricky, but the easiest way to locate the values is by looking up the URLs in your browser as there are not any screens that directly expose the values. To find the Project ID, simply log into Rally and you are taken to your default project. If you look at the URL you see the Projects OID, example:
Remember that projects are associated with workspaces and you can find the workspace setup at the projects screen. Simply go to Setup by clicking the wrench icon in the upper right-hand corner, example:
From the setup screen click on 'Workspaces & Projects', you will see a list of workspaces, example:
Click the workspace that you are are interesting in, in this case Checkmarx. You will be taken to the Workspace setup screen and now you find the associated OID by looking at the URL, for example:
If you are logged in to Rally, you can generate your API token here. To do so, click 'Create New API' on the API Keys screen as illustrated in the example below:
From that dialog box, just name your key and provide it with Full Access:
The API key is created and the token appears on the API Keys screen. Now you have all the required information to configure the Rally bug tracker.
Sarif as a bug tracker is used to generate a sarif report and uploading it to the associated GitHub repository. The default output format for GitHub Action is a SARIF output report stored in the working directory as ./cx.sarif. The file ./cx.sarif is created containing issue details based on the filtering policy of CxFlow.
Integration with Incident records is available by adding the following configuration block:
servicenow:
apiUrl: https://xxxx.service-now.com/api/now/table
username: xxxx
password: xxxx
The bug tracker must be specified as ServiceNow
cx-flow:
# Agreed upon shared API token
token: xxxx
bug-tracker: ServiceNow
bug-tracker-impl:
- ServiceNow
- Json
- GitLab
...
The XML bug-tracker (defined as CxXml) is useful, if you want to retrieve the latest scan results per project (batch mode) from Checkmarx per project, Team, or the entire instance. This is the original XML report provided by Checkmarx. When using CxXML with both CxSAST and CxSCA scanners enabled, two seprate reports will be generated, one for CxSAST report and one for CxSCA report.
CxSCA currently does not support --batch
mode, but retrieving latest scan for a particular project (project mode) is still possible.
When both the scanners are enabled it is a known issue that duplicate CxSAST reports are generated.
Note: The Checkmarx,Sca config blocks must specify preserve-xml
as true
for this feedback type.
checkmarx:
...
...
preserve-xml: true
sca:
....
....
preserve-xml:true
cx-xml:
file-name-format: "[NAMESPACE]-[REPO]-[BRANCH]-[TIME].xml"
data-folder: "C:\\tmp"
The file system path as well as the file naming format is required.
The JSON bug-tracker (defined as Json), is useful if you would like to retrieve all of the latest scan results per project (batch mode) from Checkmarx per project, Team, or entire instance. The CxFlow JSON configuration block requires you to specify the path where reports are created and file name format to when creating reports, example:
json:
file-name-format: "[NAMESPACE]-[REPO]-[BRANCH]-[TIME].xml"
data-folder: "C:\\tmp
The report contents will be a JSON representation of the ScanResults object, which includes issues based on the filtering specified in the main config block (cx-flow). You can determine how results Checkmarx found by looking at the "scanSummary" section, and you can determine how many results CxFlow reported after applying filters by looking at the "flow-summary" section. Each vulnerability found will appear in the "xissues" list.
The "XIssue" item looks like the following sample:
{
// <String> that contains the vulnerability name
"vulnerability": "Vulnerability Name",
// <String> that contains one of the following values:
// 'To Verify'
// 'Not Exploitable'
// 'Confirmed'
// 'Urgent'
// 'Proposed Not Exploitable'
"vulnerabilityStatus": "TO VERIFY",
// <String> that contains Cx calculated similarity ID
"similarityId":"1051653785",
// <String> that contains the CWE ID
"cwe":"829",
// <String> with detailed description of vulnerability
"description": "Example...",
// <String> that indicates the name of the programming language
"language": "Objc",
// <String> that contains one of the following values:
// 'High'
// 'Medium'
// 'Low'
// 'Info'
"severity": "High",
// <String> link back to issue in Checkmarx
"link": "",
// <String> The name of the value
"filename": "",
// <String>
"gitUrl": "",
// <int> How many vulnerabilities are false positive.
"falsePositiveCount": 0,
// The details list is an associative array where vulnerability is found by looking up
// up its line number.
"details": {
// Indicates instance of vulnerability found on line 33
"33": {
// <Boolean> true if marked as false positive
"falsePositive": false,
// <String> The code sample from line where vulnerability was found
"codeSnippet": "...",
// <String> user added comment
"comment": ""
},
// Indicates instance of vulnerability found line 11
"11": {
"falsePositive": false,
"codeSnippet": "...",
"comment": ""
}
},
// <Object> This allows you to track the source and sink locations for each
// instance of the vulnerability. NOTE: In some cases the vulnerability
// occurs more than once on a line and may appear like there are duplicate
// records. You may be able to use the "details" list if you're interested
// in source-to-sink information.
"additionalDetails":{
// <String> contains back to Checkmarx where fix is described.
"recommendedFix": "",
// <String> describes related vulnerability categories.
"categories": "OWASP Mobile Top 10 2016;M10-Extraneous Functionality",
// <Array> the list of results found
"results": [
// A vulnerability instance
{
// <Object> Defines where the vulnerability ends up
"sink": {
// <String> the sink file
"file": "",
// <String> line where the vulnerability occurred
"line":"33",
// <String> column where the vulnerability occurred
"column":"9",
// <String> name of the object involved with the vulnerability
"object":"passwordTextField"
},
// <String> indicates if the vulnerability is reoccurring
"state":"0",
// <Object> Defines where the vulnerability started
"source":{
// <String> the source file
"file":"",
// <String> line where the vulnerability occurred
"line":"33",
// <String> column where the vulnerability occurred
"column":"9",
// <String> name of the object involved with the vulnerability
"object":"passwordTextField"
}
}
]
},
// <Boolean> true if all instances are marked as false positive.
"allFalsePositive": false
}
csv: file-name-format: "[PROJECT]-[TIME].csv" data-folder: "D:\tmp" include-header: true fields: - header: Customer field (Application) name: application default-value: unknown - header: Primary URL name: static default-value: ${tmp.url} - header: severity name: severity - header: Vulnerability ID name: summary prefix: "[APP]:" - header: file name: filename - header: Vulnerability ID name: summary - header: Vulnerability Name name: category - header: Category ID name: cwe - header: Description name: summary prefix: "" postfix: "" - header: Severity name: severity - header: recommendation name: recommendation
The file system path and the file naming format are required.
NOTE: All of the file based outputs have a file-name-format attribute, which allows for dynamic naming substitution. File name follows a substitution pattern with the following elements:
[APP] → Application
[TEAM] → Checkmarx Team ( \ is replaced with _ in the filename)
[PROJECT] → Checkmarx Project [PROJECT] → Checkmarx Project
[NAMESPACE] → Checkmarx Project [PROJECT] → Org/Group/Namespace for the repo (if available)
[REPO] → Checkmarx Project [PROJECT] → Repository name (if available)
[BRANCH] → Checkmarx Project [PROJECT] → Branch name (if available)
[TIMESTAMP] → Current timestamp (yyyyMMdd.HHmmss format)
CxFlow works with SMTP and Sendgrid to notify users through e-mail.
cx-flow:
contact: admin@yourdomain.com
bug-tracker: Email
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
notification: true # Required if using SendGrid
sendgrid:
api-token: your-sendgrid-token-here
cx-flow.mail.notification
send two e-mail events: Scan Submitted and Scan Completed. The default is false
(no e-mails are sent, even if all parameters are configured).
If cx-flow.mail.notification
is set to true
, by default the scan submitted and the scan completed (summary) e-mails are sent by default. You can disable each one of these events using cx-flow.mail.enabled-notifications
sub-properties:
cx-flow:
contact: admin@yourdomain.com
bug-tracker: Email
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
notification: true # Required if using SendGrid
enabled-notifications: # if `notification` is true, you can customize the events. The defaults are below.
scan-submitted: false
scan-summary: true
scan-summary-with-empty-results: true
sendgrid:
api-token: your-sendgrid-token-here
When cx-flow.mail.enabled-notifications.scan-summary-with-empty-results
is set to false
, CxFlow checks for the total number of SAST high and medium results. If they are zero, the e-mail is not sent.
If using SMTP, the following fields are required:
cx-flow:
bug-tracker: Email
mail:
host: smtp.gmail.com
port: 587
username: xxx
password: xxx
notification: true
If using Sendgrid, only the notification field and the API Token are required.
cx-flow:
mail:
notification: true # Required if using SendGrid
sendgrid:
api-token: your-sendgrid-token-here
Sendgrid requires a trusted sender. This can be configured at cx-flow.contact
. Otherwise, donotreply@checkmarx.com
will be set as default.
cx-flow:
contact: emailthatsendgridtrusts@yourdomain.com
CxFlow comes with two different e-mail templates, one for each event below:
- Scan submitted to Checkmarx
- Successfully completed scan, showing results.
CxFlow uses Thymeleaf for templating. Templates can be found at /src/main/resources/templates
folder.
If you wish to use your own templates, you can override the following parameters:
cx-flow:
mail:
templates:
scan-submitted: C:\your\folder\my-scan-submitted-notification.html
scan-completed-successfully: C:\your\folder\custom-scan-report.html
The Scan completed successfully report receives the following objects:
repo_fullname
repo
link
-
issues
issue.link
issue.severity
issue.vulnerability
issue.filename
If you want to trigger scans asynchronously, use NONE
If you want to trigger scans, but wait for feedback | summary console output, use WAIT | wait