Checkmarx One
Checkmarx One is an application security platform used for scanning, prioritizing, and addressing security vulnerabilities in your organization's applications, projects, or source code. You can bring code, project, and application data from Checkmarx One into Brinqa to manage your application security and construct a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Checkmarx One and how to obtain that information from Checkmarx. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Checkmarx One from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Checkmarx One with Brinqa:
-
API URL: The Checkmarx One API URL. The default URL is
https://ast.checkmarx.net/
. -
Client ID and Client secret: The client ID and client secret associated with the Checkmarx One account, which must have permissions to log in to the API server and return data.
-
Login URL: The Checkmarx One login URL. The default URL is
https://iam.checkmarx.net/
. -
Client Realm: The Checkmarx One Realm client configuration. The client realm represents a specific area within the Checkmarx One platform used for managing users, roles, and permissions.
Generate a Checkmarx One client secret
For the Checkmarx One connector to use the Checkmarx One API, you must provide a client secret. Checkmarx One does not allow retrieving the client secret for an existing user, therefore, you must generate a new client secret instead. To do so, follow these steps:
-
Log in to your Checkmarx One portal.
-
On the left-hand side of the page, click Settings, and then click Identity and Access Management.
-
Click OAuth Clients, and then click Create Client.
-
Provide a Client ID and click Create client.
The page reloads and your new client ID displays.
-
Click Regenerate.
A window appears with your new client secret. You cannot view it again. Copy the client secret and save it in a secure location.
-
Click Ok.
-
Scroll down to Role mapping, locate the
ast-viewer
role, and click Add.This permission allows for viewing the Checkmarx One projects, scans, and results.
-
Click Save Client.
If you do not have the permissions to create a client secret, contact your Checkmarx One administrator. For additional information, see Checkmarx One documentation.
Obtain your Checkmarx One client realm
There are two ways you can obtain your client realm. You can obtain your Checkmarx One client by following these steps:
-
Log in to your Checkmarx One portal.
-
On the left-hand side of the page, click Identity and Access Management.
-
Once you are on the Identity and Access Management page, locate the
{client-realm}
value in the URL of the page.The Client Realm is an alphanumeric value, and the URL should resemble the following:
https://iam.checkmarx.net/auth/admin/{client-realm}/console/#/realms/{client-realm}
, where{client-realm}
represents the actual Client Realm value that you must use in authenticating Checkmarx One with Brinqa.
You can also obtain your Checkmarx One client realm by following these steps:
-
Log in to your Checkmarx One portal.
-
Click Account Settings, represented by a gear icon.
The Client Realm displays under the License tab:
Additional settings
The Checkmarx One connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 2.
Types of data to retrieve
The Checkmarx One connector can retrieve the following types of data from the Checkmarx One API:
Table 1: Data retrieved from Checkmarx One
Connector Object | Required | Maps to Data Model |
---|---|---|
Application | Yes | Application |
Infrastructure Code As Finding | Yes | Static Code Finding |
Open Source Code Finding | Yes | Open Source Code Finding |
Open Source Code Finding Definition | Yes | Open Source Code Finding Definition |
Package | Yes | Package |
Project | Yes | Code Project |
Scan | Yes | Assessment |
Static Code Finding | Yes | Static Code Finding |
Static Code Finding Definition | Yes | Static Code Finding Definition |
For detailed steps on how to view the data retrieved from Checkmarx One in the Brinqa Platform, see How to view your data.
Attribute mappings
Click the tabs below to view the mappings between the source and the Brinqa data model attributes.
- Application
- Infrastructure Code As Finding
- Open Source Finding
- Open Source Finding Definition
- Package
- Project
- Scan
- Static Code Finding
- Static Code Finding Definition
Table 2: Application attribute mappings
Source Field Name | Maps to Attribute |
---|---|
category | categories |
createdAt | firstSeen |
criticality | criticality |
description | description |
id | uid |
name | name |
tags | tags |
updatedAt | sourceLastModified |
Table 3: Infrastucture Code As Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
ID | uid |
actualValue | results |
assessment | firstScanID |
category | categories |
comments | Local variable |
description | description |
expectedValue | Not mapped |
fileName | path |
firstFoundAt | firstFound |
firstScanID | assessment |
foundAt | lastFound |
group | Not mapped |
issueType | Not mapped |
line | path |
platform | Local variable |
queryID | type, uid |
queryName | name |
queryURL | Not mapped |
searchKey | Not mapped |
searchValue | Not mapped |
severity | severity, severityScore |
similarityID | Local variable |
state | Local variable |
status | status, statusCategory |
type | categories |
value | results |
Table 4: Open Source Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cveName | Not mapped |
id | type, uid, cveIds, cveRecords |
isIgnored | status |
isViolatingPolicy | tags |
packageId | targets |
packageId | uid |
status | status |
statusCategory | statusCategory |
type | Not mapped |
Table 5: Open Source Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cwe | cweIds, weaknesses |
cvss | Not mapped |
cvssList | Use CVSS calculator |
description | description |
exploitableMethods | Local variable |
fixResolutionText | Local variable |
id | uid, cveIds, cveRecords |
publishDate | publishedDate |
recommendations | recommendation |
references | references |
referencesData | Not mapped |
score | Local variable |
severity | severity, severityScore |
type | Not mapped |
Table 6: Package attribute mappings
Source Field Name | Maps to Attribute |
---|---|
confidenceLevel | Local variable |
createdOn | firstSeen |
highVulnerabilityCount | Local variable |
id | uid |
ignoredVulnerabilitiesCount | Local variable |
isDevelopment | tags |
isDirectDependency | tags |
isNpmVerified | tags |
isPluginDependency | tags |
isTestDependency | tags |
isViolating | tags |
lastUpdate | sourceLastModified |
licenseNames | licenses |
lowVulnerabilityCount | Local variable |
matchType | Not mapped |
name | Not mapped |
newestVersion | latestVersion |
newestVersionReleaseDate | Local variable |
numberOfVersionsSinceLastUpdate | Local variable |
outdated | outdated |
packageId | name |
packageRepository | Local variable |
projectId | projects |
projectName | Local variable |
releaseDate | Local variable |
riskScore | Local variable |
scanId | Local variable |
severity | Local variable |
tenantId | Local variable |
version | currentVersion |
Table 7: Project attribute mappings
Source Field Name | Maps to Attribute |
---|---|
applications | applications |
createdAt | firstSeen |
criticality | criticality |
description | description |
groups | tags(group:id) |
id | uid |
mainBranch | Local variable |
name | name |
repoUrl | Local variable |
tags | tags(key:value) |
updatedAt | sourceLastModified |
Table 8: Scan attribute mappings
Source Field Name | Maps to Attribute |
---|---|
branch | Local variable |
createdAt | startTime |
id | uid |
initiator | Local variable |
loc | linesOfCode |
projectId | targets |
projectName | Local variable |
sourceOrigin | Local variable |
sourceType | Local variable |
status | status |
tags | tags |
updated At | endTime |
Table 9: Static Code Finding attribute mappings
Source Field Name | Maps to Attribute |
---|---|
compliances | Local variable |
confidenceLevel | Local variable |
firstFoundAt | firstFound |
firstScanId | assessment |
foundAt | lastFound |
group | tags(group:value) |
languageName | languages |
nodes | results |
path | path |
pathSystemId | uid |
queryId | type |
queryName | name |
resultHash | uid |
similarityId | Local variable |
state | Local variable |
status | status, statusCategory |
uniqueId | Local variable |
Table 10: Static Code Finding Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
cause | description, Local variable |
cweID | cweIds, weaknesses |
generalRecommendations | recommendation, Local variable |
queryDescriptionId | name |
queryId | uid |
queryName | name |
resultDescription | description, Local variable |
risk | description, Local variable |
samples.code | recommendation |
samples.progLanguage | recommendation |
samples.title | recommendation |
severity | severity, severityScore |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Operation options
The Checkmarx One connector supports the following operation options. See connector operation options for information about how to apply them.
Table 11: Checkmarx One connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Infrastructure Code Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code findings from the specified Checkmarx One projects. | Key: project-ids Value: 1d60e327-8c98-42c5-932f-73a4b91f58e3 . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Infrastructure Code Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: f9d4bc6a-2e15-4a7c-8b90-1e036cd8e773 . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Open Source Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve open source findings from the specified Checkmarx One projects. | Key: project-ids Value: 97c2ba45-0186-4d3d-92e3-e3518f760d32 . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Open Source Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve open source finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: 27e3d460-d410-3f98-85c2-2cb541871a9e . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Packages | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve packages from the specified Checkmarx One projects. | Key: project-ids Value: e8c6d4f2-a1b9-4e30-9d6c-75f7c803b520 . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Static Code Finding | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve static code findings from the specified Checkmarx One projects. | Key: project-ids Value: 45a2bc89-7613-4e0d-92f5-c378d01256ef . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID. |
Static Code Finding Definition | project-ids | Any Checkmarx One project ID number. | A comma-separated list of project ID numbers. You can use this option to retrieve static code finding definitions from the specified Checkmarx One projects. | Key: project-ids Value: 83d4fe29-9601-4c3b-81a7-f215b36279de , 45a2bc97-6810-3d4f-92e3-d760f51832ce . This key and value combination only retrieves data from Checkmarx One that pertains to the specified project IDs. |
To locate your Checkmarx One project IDs, follow these steps:
-
Log in to your Checkmarx One portal.
-
Click the Projects tab to see a list of projects in your account.
-
Locate the ID column next to the corresponding project name. You'll find an icon in the ID column. Click this icon to obtain the project ID.
The project ID is an alphanumeric value and is typically in the following format:
45a2bc89-7613-4e0d-92f5-c378d01256ef
.
APIs
The Checkmarx One connector uses the Checkmarx One REST API. Specifically, it uses the following endpoints:
Table 12: Checkmarx One REST API Endpoints
Connector Object | API Endpoints |
---|---|
Application | GET /api/applications |
Infrastructure Code Finding | GET /api/kics-results?scan-id= |
Infrastructure Code Finding Definition | GET /api/kics-results?scan-id= |
Project | GET /api/applications GET /api/projects |
Scans | GET /api/scans?from-date= |
The Checkmarx One connector also uses the Checkmarx SCA REST API. Specifically, it uses the following endpoints:
Table 13: Checkmark SCA REST API Endpoints
Connector Object | API Endpoints |
---|---|
Open Source Finding | GET /api/risk-management/risk-reports/{scan-id} |
Open Source Finding Definition | GET /api/risk-management/risk-reports/{scan-id} |
Package | GET /api/sca/risk-management/reporting/packages |
Static Code Finding | GET /api/sast-results/?scan-id= |
Static Code Finding Definition | GET /api/sast-results/?scan-id= |
Changelog
The Checkmarx One connector has undergone the following changes:
3.0.8
- No change.
3.0.7
- No change.
3.0.6
- No change.
3.0.5
- Changed the CRITICALITY attribute type on the Application object from string to integer.
3.0.4
- No change.
3.0.3
- No change.
3.0.2
- Restructured the code to align with the latest Connector Framework.
3.0.1
- Enhanced the Static Code Finding object to return 'UNKNOWN' when file name is missing in the source.
3.0.0
- Initial Integration+ release.