Checkmarx SAST
Checkmarx SAST (Static Application Security Testing) is an application security tool that analyzes your source code for potential vulnerabilities. You can bring application, code project, security finding, and more data from Checkmarx SAST into Brinqa to address security issues, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Checkmarx SAST and how to obtain that information from Checkmarx. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Checkmarx SAST from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Checkmarx SAST with Brinqa:
-
Server URL: Your organization's Checkmarx SAST account.
-
Username and Password: The username and password associated with the Checkmarx SAST account, which must have permissions to log in to the API server and return data.
noteThe Checkmarx SAST user must have at least the Reviewer role assigned to them in order to retrieve data from the Checkmarx SAST API, as it is the minimum role required for API access. For additional information on roles and permissions, see Checkmarx SAST documentation.
Additional settings
The Checkmarx SAST connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 2.
-
Include project remote setting: Select this option to include Checkmarx SAST project settings that are managed remotely.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Checkmarx SAST connector can retrieve the following types of data from the Checkmarx SAST REST API:
Table 1: Data retrieved from Checkmarx SAST
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | No | Application |
| Assessment | Yes | Assessment |
| Code Project | Yes | Code Project |
| Open Source Finding | No | Open Source Finding |
| Open Source Finding Definition | No | Open Source Finding Definition |
| Package | No | Package |
| Static Code Finding | Yes | Static Code Finding |
| Static Code Finding Definition | Yes | Static Code Finding Definition |
| Team | No | Not mapped |
For detailed steps on how to view the data retrieved from Checkmarx SAST in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CATEGORIES | categories |
| NAME | name |
| UID | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Assessment
Table 3: Assessment attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| END_TIME | lastStopped |
| NAME | name |
| PROJECT_ID | targets |
| PROJECT_NAME | Local variable |
| SCAN_SCOPE | Local variable |
| SCAN_TYPE | categories |
| START_TIME | lastStarted |
| STATUS | status |
| SYS_ID | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Code Project
Table 4: Code Project attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| BRANCH | Local variable |
| CX_VERSION | Local variable |
| FAILED_LOC | Local variable |
| FILES_COUNT | Local variable |
| IS_DEPRECATED | Local variable |
| IS_PUBLIC | Local variable |
| LAST_SCANNED | lastSeen |
| LOC | Local variable |
| NAME | name |
| OWNER | owner |
| PATHS | Local variable |
| SYS_ID | uid |
| TEAM_ID | Local variable |
| URL | url |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Open Source Finding
Table 5: Open Source Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| LAST_FOUND | lastFound |
| LIBRARY_ID | targets |
| PROJECT_ID | Targets/ Local variable |
| SCAN_ID | assessment |
| SCORE | Local variable |
| SOURCE_FILE_NAME | fileName |
| STATE | Local variable |
| STATUS | status, statusCategory |
| SYS_ID | uid |
| TITLE | name, type, cveIds, cveRecords, uid |
| VULNERABILITY_ID | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Open Source Finding Definition
Table 6: Open Source Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| DATE_PUBLISHED | publishedDate |
| DESCRIPTION | description |
| LAST_FOUND | lastFound |
| NAME | name |
| RECOMMENDATION | Recommendation |
| REFERENCES | references |
| SEVERITY | severity, sourceSeverity, severityScore |
| SYS_ID | uid |
| TITLE | name, type, cveIds, cveRecords, uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Package
Table 7: Package attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| LICENSES | licenses |
| LATEST_VERSION | latestVersion |
| MATCH_TYPE | Local variable |
| NAME | name |
| OUT_DATED | outDated |
| PROJECT | projects |
| RELEASE_DATE | firstSeen |
| SYS_ID | uid |
| VERSION | currentVersion |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Static Code Finding
Table 8: Static Code Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSIGNED_TO | Local variable |
| CATEGORIES | categories |
| CODE_SNIPPET | codeSnippet |
| COMMENTS | Local variable |
| CWE_ID | cweIds, type, uid, weaknesses |
| DEEP_LINK | Local variable |
| DESTINATION_COLUMN | Local variable |
| DESTINATION_FILE | Local variable |
| DESTINATION_LINE | Local variable |
| DESTINATION_METHOD | Local variable |
| FALSE_POSITIVE | Local variable |
| FILE_NAME | fileName |
| LAST_FOUND | lastFound |
| LANGUAGE | Languages |
| PATH_NODES | Local variable |
| PROJECT_ID | targets |
| PROJECT_NAME | Local variable |
| QUERY_CATEGORIES | Local variable |
| QUERY_GROUP | Local variable |
| QUERY_NAME | name |
| RISK | Local variable |
| SCAN_ID | assessment |
| SCAN_TYPE | Local variable |
| SIMILARITY_ID | Local variable |
| SOURCE_COLUMN | Local variable |
| SOURCE_FILE | Local variable |
| SOURCE_LINE | Local variable |
| SOURCE_METHOD | Local variable |
| STATE | Local variable |
| STATUS | status, statusCategory |
| SYS_ID | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Static Code Finding Definition
Table 9: Static Code Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ASSIGNED_TO | Local variable |
| CATEGORIES | categories |
| COMMENTS | Local variable |
| CWE_ID | cweIds, type, uid, weaknesses |
| DEEP_LINK | Local variable |
| DESCRIPTION | description |
| DESTINATION_COLUMN | Local variable |
| DESTINATION_FILE | Local variable |
| DESTINATION_LINE | Local variable |
| DESTINATION_METHOD | Local variable |
| FALSE_POSITIVE | Local variable |
| LANGUAGE | languages |
| PATH_NODES | Local variable |
| PROJECT_NAME | Local variable |
| QUERY_CATEGORIES | Local variable |
| QUERY_GROUP | Local variable |
| QUERY_NAME | name |
| RECOMMENDATIONS | recommendation |
| RISK | Local variable |
| SCAN_TYPE | Local variable |
| SEVERITY | severity, sourceSeverity, severityScore |
| SIMILARITY_ID | Local variable |
| SOURCE_COLUMN | Local variable |
| SOURCE_FILE | Local variable |
| SOURCE_LINE | Local variable |
| SOURCE_METHOD | Local variable |
| STATE | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Checkmarx SAST connector supports the following operation options. See connector operation options for information about how to apply them.
Table 10: Checkmarx SAST connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Application | TransactionId | Any Checkmarx SAST transaction ID. | A comma-separated list of transaction IDs. Retrieve applications associated with the specified transaction IDs. | Key: TransactionId Value: CxSAST-20230715-123456. This key and value combination only retrieves applications associated with the specified transaction ID. |
| Open Source Finding Definition | TransactionId | Any Checkmarx SAST transaction ID. | A comma-separated list of transaction IDs. Retrieve open source findings associated with the specified transaction IDs. | Key: TransactionId Value: CxSAST-20230715-123456. This key and value combination only retrieves applications associated with the specified transaction ID. |
| Static Code Finding, Static Code Finding Definition | severities | Information, Low, Medium, High | A comma-separated list of severities. Retrieve static code findings with the specified severity, as determined by Checkmarx SAST. | Key: severities Value: Medium,High. This key and value combination only retrieves medium and high issues. |
| TransactionId | Any Checkmarx SAST transaction ID | A comma-separated list of transaction IDs. Retrieve static code findings associated with the specified transaction IDs. | Key: TransactionId Value: CxSAST-20230715-123456. This key and value combination only retrieves static code findings associated with the specified transaction ID. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Checkmarx SAST connector uses the Checkmarx SAST REST API. Specifically, it uses the following endpoints:
Table 11: Checkmarx SAST REST API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Application | GET /cxrestapi/projects |
| Assessment | GET /cxrestapi/projects GET /cxrestapi/osa/scans GET /cxrestapi/sast/scans |
| Code Project | GET /cxrestapi/projects GET /cxrestapi/project/{project.id}/sourceCode/remoteSettings/{sourceType} GET /cxrestapi/sast/scans |
| Open Source Finding | GET /cxrestapi/projects GET /cxrestapi/osa/scans GET /cxrestapi/osa/vulnerabilities |
| Open Source Finding Definition | GET /cxrestapi/projects GET /cxrestapi/sast/scans GET /cxrestapi/reports/sastScan GET /cxrestapi/reports/sastScan/%s/status GET /cxrestapi/reports/sastScan/%s GET /cxrestapi/osa/vulnerabilities |
| Package | GET /cxrestapi/osa/libraries GET /cxrestapi/osa/licenses GET /cxrestapi/projects GET /cxrestapi/osa/scans |
| Static Code Finding | GET /cxrestapi/projects GET /cxrestapi/sast/scans GET /cxrestapi/reports/sastScan GET /cxrestapi/reports/sastScan/{reportId}/status GET /cxrestapi/reports/sastScan/{reportId} |
| Static Code Finding Definition | GET /cxrestapi/projects GET /cxrestapi/sast/scans GET /cxrestapi/reports/sastScan GET /cxrestapi/reports/sastScan/{reportId}/status GET /cxrestapi/reports/sastScan/{reportId} |
| Team | GET /cxrestapi/auth/teams |
Changelog
The Checkmarx SAST connector has undergone the following changes:
3.0.7
- Made the Open Source Finding, Open Source Finding Definition, and Package object types optional.
3.0.6
- Fixed an issue where all SAST Issues were incorrectly being set to "False Positive".
3.0.5
- No change.
3.0.4
- Changed the IS_DEPRECATED attribute type on the Code Project object from integer to boolean.
3.0.3
- Initial Integration+ release.