Checkmarx One

Checkmarx One is an application security platform used for scanning, prioritizing, and addressing security vulnerabilities in your organization's applications, projects, or source code. You can bring code, project, and application data from Checkmarx One into Brinqa to manage your application security and construct a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Checkmarx One and how to obtain that information from Checkmarx. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Checkmarx One from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Checkmarx One with Brinqa:

• API URL: The Checkmarx One API URL. The default URL is https://ast.checkmarx.net/.

• Client ID and Client secret: The client ID and client secret associated with the Checkmarx One account, which must have permissions to log in to the API server and return data.

• Login URL: The Checkmarx One login URL. The default URL is https://iam.checkmarx.net/.

• Client Realm: The Checkmarx One Realm client configuration. The client realm represents a specific area within the Checkmarx One platform used for managing users, roles, and permissions.

Generate a Checkmarx One client secret

For the Checkmarx One connector to use the Checkmarx One API, you must provide a client secret. Checkmarx One does not allow retrieving the client secret for an existing user, therefore, you must generate a new client secret instead. To do so, follow these steps:

1. Log in to your Checkmarx One portal.

2. On the left-hand side of the page, click Identity and Access Management.

3. Click OAuth Clients, and then click Create Client.

4. Provide a client ID and click Create client.

   The page reloads and your new client ID displays.

5. Click Regenerate.

   A window appears with your new client secret. You cannot view it again. Copy the client secret and save it in a secure location.

6. Click Ok.

7. Scroll down to Role mapping, locate the ast-viewer role, and click Add.

   This permission allows for viewing the Checkmarx One projects, scans, and results.

8. Click Save Client.

note

If you do not have the permissions to create a client secret, contact your Checkmarx One administrator. For additional information, see Checkmarx One documentation.

Obtain your Checkmarx One client realm

There are two ways you can obtain your client realm. You can obtain your Checkmarx One client by following these steps:

1. Log in to your Checkmarx One portal.

2. On the left-hand side of the page, click Identity and Access Management.

3. Once you are on the Identity and Access Management page, locate the {client-realm} value in the URL of the page.

   The Client Realm is an alphanumeric value, and the URL should resemble the following: https://iam.checkmarx.net/auth/admin/{client-realm}/console/#/realms/{client-realm}, where {client-realm} represents the actual Client Realm value that you must use in authenticating Checkmarx One with Brinqa.

You can also obtain your Checkmarx One client realm by following these steps:

1. Log in to your Checkmarx One portal.

2. Click Account Settings, represented by a gear icon.

   The Client Realm displays under the License tab:

   

Additional settings

The Checkmarx One connector contains additional options for specific configuration:

• Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

• Parallel requests: The maximum number of parallel API requests. The default setting is 2.

Types of data to retrieve

The Checkmarx One connector can retrieve the following types of data from the Checkmarx One API:

Table 1: Data retrieved from Checkmarx One

Connector Object	Required	Maps to Data Model
Application	Yes	Application
Infrastructure Code As Finding	Yes	Static Code Finding
Open Source Code Finding	Yes	Open Source Code Finding
Open Source Code Finding Definition	Yes	Open Source Code Finding Definition
Package	Yes	Package
Project	Yes	Code Project
Scan	Yes	Assessment
Static Code Finding	Yes	Static Code Finding
Static Code Finding Definition	Yes	Static Code Finding Definition

info

For detailed steps on how to view the data retrieved from Checkmarx One in the Brinqa Platform, see How to view your data.

Attribute mappings

Click the tabs below to view the mappings between the source and the Brinqa data model attributes.

Application

Table 2: Application attribute mappings

Source Field Name	Maps to Attribute
category	categories
createdAt	firstSeen
criticality	criticality
description	description
id	uid
name	name
tags	tags
updatedAt	sourceLastModified

Infrastructure Code As Finding

Table 3: Infrastucture Code As Finding attribute mappings

Source Field Name	Maps to Attribute
ID	uid
actualValue	results
assessment	firstScanID
category	categories
comments	Local variable
description	description
expectedValue	Not mapped
fileName	path
firstFoundAt	firstFound
firstScanID	assessment
foundAt	lastFound
group	Not mapped
issueType	Not mapped
line	path
platform	Local variable
queryID	type, uid
queryName	name
queryURL	Not mapped
searchKey	Not mapped
searchValue	Not mapped
severity	severity, severityScore
similarityID	Local variable
state	Local variable
status	status, statusCategory
type	categories
value	results

Open Source Finding

Table 4: Open Source Finding attribute mappings

Source Field Name	Maps to Attribute
cveName	Not mapped
id	type, uid, cveIds, cveRecords
isIgnored	status
isViolatingPolicy	tags
packageId	targets
packageId	uid
status	status
statusCategory	statusCategory
type	Not mapped

Open Source Finding Definition

Table 5: Open Source Finding Definition attribute mappings

Source Field Name	Maps to Attribute
cwe	cweIds, weaknesses
cvss	Not mapped
cvssList	Use CVSS calculator
description	description
exploitableMethods	Local variable
fixResolutionText	Local variable
id	uid, cveIds, cveRecords
publishDate	publishedDate
recommendations	recommendation
references	references
referencesData	Not mapped
score	Local variable
severity	severity, severityScore
type	Not mapped

Package

Table 6: Package attribute mappings

Source Field Name	Maps to Attribute
confidenceLevel	Local variable
createdOn	firstSeen
highVulnerabilityCount	Local variable
id	uid
ignoredVulnerabilitiesCount	Local variable
isDevelopment	tags
isDirectDependency	tags
isNpmVerified	tags
isPluginDependency	tags
isTestDependency	tags
isViolating	tags
lastUpdate	sourceLastModified
licenseNames	licenses
lowVulnerabilityCount	Local variable
matchType	Not mapped
name	Not mapped
newestVersion	latestVersion
newestVersionReleaseDate	Local variable
numberOfVersionsSinceLastUpdate	Local variable
outdated	outdated
packageId	name
packageRepository	Local variable
projectId	projects
projectName	Local variable
releaseDate	Local variable
riskScore	Local variable
scanId	Local variable
severity	Local variable
tenantId	Local variable
version	currentVersion

Project

Table 7: Project attribute mappings

Source Field Name	Maps to Attribute
applications	applications
createdAt	firstSeen
criticality	criticality
description	description
groups	tags(group:id)
id	uid
mainBranch	Local variable
name	name
repoUrl	Local variable
tags	tags(key:value)
updatedAt	sourceLastModified

Scan

Table 8: Scan attribute mappings

Source Field Name	Maps to Attribute
branch	Local variable
createdAt	startTime
id	uid
initiator	Local variable
loc	linesOfCode
projectId	targets
projectName	Local variable
sourceOrigin	Local variable
sourceType	Local variable
status	status
tags	tags
updated At	endTime

Static Code Finding

Table 9: Static Code Finding attribute mappings

Source Field Name	Maps to Attribute
compliances	Local variable
confidenceLevel	Local variable
firstFoundAt	firstFound
firstScanId	assessment
foundAt	lastFound
group	tags(group:value)
languageName	languages
nodes	results
path	path
pathSystemId	uid
queryId	type
queryName	name
resultHash	uid
similarityId	Local variable
state	Local variable
status	status, statusCategory
uniqueId	Local variable

Static Code Finding Definition

Table 10: Static Code Finding Definition attribute mappings

Source Field Name	Maps to Attribute
cause	description, Local variable
cweID	cweIds, weaknesses
generalRecommendations	recommendation, Local variable
queryDescriptionId	name
queryId	uid
queryName	name
resultDescription	description, Local variable
risk	description, Local variable
samples.code	recommendation
samples.progLanguage	recommendation
samples.title	recommendation
severity	severity, severityScore

info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.

Operation options

The Checkmarx One connector supports the following operation options. See connector operation options for information about how to apply them.

Table 11: Checkmarx One connector operation options

Connector Object	Option	All Possible Values	Description	Example
Infrastructure Code Finding	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code findings from the specified Checkmarx One projects.	Key: project-ids Value: 1d60e327-8c98-42c5-932f-73a4b91f58e3. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Infrastructure Code Finding Definition	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve infrastructure code finding definitions from the specified Checkmarx One projects.	Key: project-ids Value: f9d4bc6a-2e15-4a7c-8b90-1e036cd8e773. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Open Source Finding	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve open source findings from the specified Checkmarx One projects.	Key: project-ids Value: 97c2ba45-0186-4d3d-92e3-e3518f760d32. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Open Source Finding Definition	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve open source finding definitions from the specified Checkmarx One projects.	Key: project-ids Value: 27e3d460-d410-3f98-85c2-2cb541871a9e. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Packages	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve packages from the specified Checkmarx One projects.	Key: project-ids Value: e8c6d4f2-a1b9-4e30-9d6c-75f7c803b520. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Static Code Finding	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve static code findings from the specified Checkmarx One projects.	Key: project-ids Value: 45a2bc89-7613-4e0d-92f5-c378d01256ef. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project ID.
Static Code Finding Definition	project-ids	Any Checkmarx One project ID number.	A comma-separated list of project ID numbers. You can use this option to retrieve static code finding definitions from the specified Checkmarx One projects.	Key: project-ids Value: 83d4fe29-9601-4c3b-81a7-f215b36279de, 45a2bc97-6810-3d4f-92e3-d760f51832ce. This key and value combination only retrieves data from Checkmarx One that pertains to the specified project IDs.

To locate your Checkmarx One project IDs, follow these steps:

1. Log in to your Checkmarx One portal.

2. Click the Projects tab to see a list of projects in your account.

3. Locate the ID column next to the corresponding project name. You'll find an icon in the ID column. Click this icon to obtain the project ID.

   The project ID is an alphanumeric value and is typically in the following format: 45a2bc89-7613-4e0d-92f5-c378d01256ef.

APIs

The Checkmarx One connector uses the Checkmarx One REST API. Specifically, it uses the following endpoints:

Table 12: Checkmarx One REST API Endpoints

Connector Object	API Endpoints
Application	GET https://ast.checkmarx.net/api/applications
Infrastructure Code Finding	GET https://ast.checkmarx.net/api/kics-results?scan-id=
Infrastructure Code Finding Definition	GET https://ast.checkmarx.net/api/kics-results?scan-id=
Project	GET https://ast.checkmarx.net/api/applications
Scans	GET https://ast.checkmarx.net/api/scans?from-date=

The Checkmarx One connector also uses the Checkmarx SCA REST API. Specifically, it uses the following endpoints:

Table 13: Checkmark SCA REST API Endpoints

Connector Object	API Endpoints
Open Source Finding	GET https://ast.checkmarx.net/risk-management/risk-reports/{scan-id}
Open Source Finding Definition	GET https://ast.checkmarx.net/risk-management/risk-reports/{scan-id}
Package	GET https://ast.checkmarx.net/api/sca/risk-management/reporting/packages
Static Code Finding	GET https://ast.checkmarx.net/api/sast-results/?scan-id=
Static Code Finding Definition	GET https://ast.checkmarx.net/api/sast-results/?scan-id=

Changelog

The Checkmarx One connector has undergone the following changes:

3.0.2

• Restructured the code to align with the latest Connector Framework.

3.0.1

• Enhanced the Static Code Finding object to return 'UNKNOWN' when file name is missing in the source.

3.0.0

• Initial Integration+ release.