Valid since:
XL Release 8.2.0

With the XL Release Checkmarx plugin you can trigger scans in Checkmarx for your application, verify scan results, and check compliance directly from the XL Release user interface.

Features

  • Create a Checkmarx: CxOSA - Check Compliance task
  • Create a Checkmarx: CxSAST - Check Compliance task
  • Create a Checkmarx: CxSAST Scan - Git task
  • Create a Checkmarx: CxSAST Scan - Svn task
  • Configure a CxOSA Scan Summary tile
  • Configure a CxSAST Scan Summary tile

Requirements

The XL Release Checkmarx plugin requires the following:

  • Checkmarx CxSAST version 8.8.0 or later

Set up a Checkmarx server

There are two locations where you can define a Checkmarx: Server configuration:

  • On a global level in Settings > Shared configuration
  • On a folder level in Design > Folders, under the Configuration tab of the desired folder

To set up a connection to a Checkmarx server:

  1. In XL Release, go to one of the two specified locations.
  2. Click the Add button next to Checkmarx: Server.
  3. In the Title field, specify a name for your Checkmarx server.
  4. In the URL field, specify the URL of the Checkmarx server.
  5. In the Username and Password fields, specify the user name and password of a Checkmarx account. Use a dedicated service account with only the permissions needed to trigger scans and read scan results, since these credentials are stored in the XL Release configuration.
  6. If you are using a proxy connection, specify the host, port, username, and password in the Proxy section.
  7. To test the server connection, click Test.
  8. Click Save.

Add Checkmarx Server

Create a Checkmarx: CxSAST - Check Compliance task

The Checkmarx: CxSAST - Check Compliance task type compares the results of a CxSAST scan on the Checkmarx server against the severity thresholds configured in the task. If the number of issues at any severity level is higher than the threshold configured for that level, the task fails.

To add a Checkmarx: CxSAST - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST - Check Compliance.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify a Scan ID, the task retrieves data for the latest finished scan. Note that a scan that is still running is not the latest finished scan, so when the release itself triggers the scan, pass the Scan ID produced by the scan task rather than relying on the default.
  6. In the High, Medium, and Low fields, add a maximum value for each severity threshold level.

Add CxSAST Compliance task

Create a Checkmarx: CxOSA - Check Compliance task

The Checkmarx: CxOSA - Check Compliance task type compares the security risk and license risk of the open source libraries in your project against the thresholds configured in the task. If the number of libraries at any risk level is higher than the threshold configured for that level, the task fails.

To add a Checkmarx: CxOSA - Check Compliance task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxOSA - Check Compliance.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the results. If you do not specify a Scan ID, the task retrieves data for the latest finished scan.
  6. In the High, Medium, and Low fields for the Security Risk Threshold, add a maximum value for each security risk level.
  7. In the High, Medium, and Unknown fields for the License Risk Threshold, add a maximum value for each license risk level. If the server cannot identify the license of a library, it reports the license risk as Unknown, so set the Unknown threshold deliberately: leaving it high lets libraries with unidentified licenses pass the gate.
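The two Check Compliance tasks above share one rule: pick the scan to evaluate (the given Scan ID, or else the latest finished scan), count findings or libraries per level, and fail when any count is strictly above its threshold. The following script, added here as an illustration and not taken from the plugin, implements that gate for both the CxSAST severity thresholds and the CxOSA security and license risk thresholds, including the Unknown license case. The scan records, field names (`severityCounts`, `libraries`, `securityRisk`, `licenseRisk`) and status values are constructed sample data, not the Checkmarx API.

```python
# Added example: compliance gate with the semantics of the CxSAST and CxOSA
# "Check Compliance" tasks. Not the plugin's code; all data below is constructed.
from typing import Dict, List, Optional, Tuple

Violation = Tuple[str, str, int, int]   # (category, level, actual, maximum)


def latest_finished_scan(scans: List[dict], scan_id: Optional[int] = None) -> dict:
    """Select the scan to evaluate.

    With an explicit scan_id, return that scan. Without one, mimic the task's
    default and take the most recent scan whose status is "Finished"; a scan
    that is still running or has failed is never selected.
    """
    if scan_id is not None:
        for scan in scans:
            if scan["id"] == scan_id:
                return scan
        raise LookupError(f"scan {scan_id} not found")
    finished = [s for s in scans if s["status"] == "Finished"]
    if not finished:
        raise LookupError("no finished scan available")
    return max(finished, key=lambda s: s["finishedAt"])


def exceeded(counts: Dict[str, int], maxima: Dict[str, Optional[int]],
             category: str) -> List[Violation]:
    """One violation per level whose count is strictly above its maximum.
    A maximum of None means that level is not enforced."""
    violations: List[Violation] = []
    for level, maximum in maxima.items():
        if maximum is None:
            continue
        actual = counts.get(level, 0)
        if actual > maximum:
            violations.append((category, level, actual, maximum))
    return violations


def cxsast_check(scan: dict, high: int, medium: int, low: int) -> List[Violation]:
    """CxSAST gate: issue counts per severity against the High/Medium/Low thresholds."""
    return exceeded(scan["severityCounts"],
                    {"High": high, "Medium": medium, "Low": low}, "security")


def cxosa_check(scan: dict, security_max: Dict[str, Optional[int]],
                license_max: Dict[str, Optional[int]]) -> List[Violation]:
    """CxOSA gate: count libraries per security and license risk level.
    A library whose license could not be identified counts as "Unknown"."""
    sec_counts: Dict[str, int] = {}
    lic_counts: Dict[str, int] = {}
    for lib in scan["libraries"]:
        sec_counts[lib["securityRisk"]] = sec_counts.get(lib["securityRisk"], 0) + 1
        lic = lib.get("licenseRisk") or "Unknown"
        lic_counts[lic] = lic_counts.get(lic, 0) + 1
    return exceeded(sec_counts, security_max, "security") + \
        exceeded(lic_counts, license_max, "license")


def gate(violations: List[Violation]) -> bool:
    """The task passes only when no threshold is exceeded."""
    for category, level, actual, maximum in violations:
        print(f"FAIL {category} {level}: {actual} > {maximum}")
    return not violations


# Constructed sample data (not real Checkmarx output).
SAST_SCANS = [
    {"id": 1001, "status": "Finished", "finishedAt": "2019-03-01T10:00:00Z",
     "severityCounts": {"High": 0, "Medium": 2, "Low": 9}},
    {"id": 1002, "status": "Finished", "finishedAt": "2019-03-02T10:00:00Z",
     "severityCounts": {"High": 1, "Medium": 4, "Low": 7}},
    {"id": 1003, "status": "Running", "finishedAt": None, "severityCounts": {}},
]
OSA_SCAN = {
    "id": 2001, "status": "Finished",
    "libraries": [
        {"name": "lib-a", "securityRisk": "High", "licenseRisk": "Low"},
        {"name": "lib-b", "securityRisk": "Medium", "licenseRisk": None},
        {"name": "lib-c", "securityRisk": "Low", "licenseRisk": "High"},
        {"name": "lib-d", "securityRisk": "Low", "licenseRisk": "Medium"},
    ],
}

if __name__ == "__main__":
    scan = latest_finished_scan(SAST_SCANS)   # 1002; the running 1003 is skipped
    print("CxSAST gate passed:", gate(cxsast_check(scan, high=0, medium=5, low=10)))
    print("CxOSA gate passed:", gate(cxosa_check(
        OSA_SCAN, {"High": 0, "Medium": 2, "Low": None},
        {"High": 0, "Medium": 1, "Unknown": 0})))
```

With the sample data, omitting the Scan ID selects scan 1002, which fails on one High issue, while naming scan 1001 passes the same thresholds; this is the reason to pass the Scan ID explicitly when the release also triggered the scan. The CxOSA check flags lib-b because its license is Unknown and the Unknown threshold is 0.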

Add CxOSA Compliance task

Create a Checkmarx: CxSAST Scan - Git task

The Checkmarx: CxSAST Scan - Git task type triggers a scan on the Checkmarx server for your project from a specified Git repository.

To add a Checkmarx: CxSAST Scan - Git task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST Scan - Git.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Preset field, specify the preset value to use for the scan from the Checkmarx server.
  6. In the Configuration field, specify the configuration value to use for the scan from the Checkmarx server.
  7. In the URL field, enter the URL of your Git repository.
  8. In the Branch field, enter the Git branch for your project.
  9. In the Username and Password fields, specify the user name and password to connect to Git.
  10. In the Token field, enter the personal access token to connect to Git. Note: If you specified username and password credentials, the token is not required. Where the Git host supports it, a read-only token scoped to the repository is preferable to a password, since the Checkmarx server only needs to clone the source.
  11. In the Timeout field, set the number of minutes for the scan timeout threshold. If the scan task execution time is higher than the threshold, the task fails.

The output property of this task is the Scan ID from the Checkmarx server. Store it in a release variable and use it in the Scan ID field of a Check Compliance task, so that compliance is checked against this scan and not against whichever scan finished last.

Add CxSAST Scan task

Create a Checkmarx: CxSAST Scan - SVN task

The Checkmarx: CxSAST Scan - SVN task type triggers a scan on the Checkmarx server for your project from a specified SVN repository.

To add a Checkmarx: CxSAST Scan - SVN task:

  1. In the release flow view of a release or a template, add a task of the type Checkmarx > CxSAST Scan - SVN.
  2. Open the added task and in the Server field, select the Checkmarx server connection.
  3. In the Project Name field, enter the name of your project from the Checkmarx server.
  4. In the Team field, enter the name of the team from the Checkmarx server.
  5. In the Preset field, specify the preset value to use for the scan from the Checkmarx server.
  6. In the Configuration field, specify the configuration value to use for the scan from the Checkmarx server.
  7. In the URL field, enter the URL of your SVN repository.
  8. In the Port field, enter the port to connect to SVN.
  9. In the Branch field, enter the SVN branch for your project.
  10. In the Username and Password fields, specify the login user name and password to connect to SVN.
  11. In the Timeout field, set the number of minutes for the scan timeout threshold. If the scan task execution time is higher than the threshold, the task fails.

The output property of this task is the Scan ID from the Checkmarx server. Store it in a release variable and use it in the Scan ID field of a Check Compliance task, so that compliance is checked against this scan and not against whichever scan finished last.
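Both scan tasks have the same lifecycle: start the scan, wait until the server reports it finished, fail the task if the configured timeout (in minutes) elapses first, and hand the Scan ID on as output. The script below, added here as an illustration and not taken from the plugin, shows that wait loop with an injectable clock so the timeout path can be exercised without waiting. `ScriptedCxClient`, its status strings and the scan ID 4242 are a constructed stand-in, not the Checkmarx API.

```python
# Added example: wait for a triggered scan with a timeout, mirroring the
# failure semantics of the CxSAST Scan tasks. Not the plugin's code; the client
# below is a scripted stand-in for a Checkmarx server.
import time
from typing import Callable, List


class ScanTimeout(Exception):
    """Raised when the scan is still not finished after the timeout."""


class ScanFailed(Exception):
    """Raised when the server reports a terminal failure for the scan."""


class ScriptedCxClient:
    """Stand-in client: every status() call returns the next scripted status
    and then keeps returning the last one, so the wait loop runs offline."""

    def __init__(self, statuses: List[str], scan_id: int = 4242):
        self._statuses = list(statuses)
        self.scan_id = scan_id          # constructed ID, not from a real server

    def start_scan(self, project: str, branch: str) -> int:
        return self.scan_id

    def status(self, scan_id: int) -> str:
        if len(self._statuses) > 1:
            return self._statuses.pop(0)
        return self._statuses[0]


class FakeClock:
    """Deterministic clock: sleeping advances time instead of blocking."""

    def __init__(self) -> None:
        self.now_seconds = 0.0

    def now(self) -> float:
        return self.now_seconds

    def sleep(self, seconds: float) -> None:
        self.now_seconds += seconds


def run_scan(client, project: str, branch: str, timeout_minutes: int,
             poll_seconds: int = 30,
             clock: Callable[[], float] = time.monotonic,
             sleep: Callable[[float], None] = time.sleep) -> int:
    """Start a scan and poll until it is Finished.

    Returns the Scan ID, which the caller should pass explicitly to the
    compliance check. Raises ScanTimeout once timeout_minutes have elapsed
    and ScanFailed when the server reports Failed or Canceled.
    """
    scan_id = client.start_scan(project, branch)
    deadline = clock() + timeout_minutes * 60
    while True:
        status = client.status(scan_id)
        if status == "Finished":
            return scan_id
        if status in ("Failed", "Canceled"):
            raise ScanFailed(f"scan {scan_id} ended with status {status}")
        if clock() >= deadline:
            raise ScanTimeout(f"scan {scan_id} still {status} after {timeout_minutes} min")
        sleep(poll_seconds)


if __name__ == "__main__":
    clk = FakeClock()
    ok = ScriptedCxClient(["Queued", "Working", "Working", "Finished"])
    print("scan id:", run_scan(ok, "demo-app", "master", timeout_minutes=5,
                               poll_seconds=60, clock=clk.now, sleep=clk.sleep))
    stuck = ScriptedCxClient(["Queued", "Working"])
    try:
        run_scan(stuck, "demo-app", "master", timeout_minutes=2,
                 poll_seconds=60, clock=clk.now, sleep=clk.sleep)
    except ScanTimeout as exc:
        print("timed out:", exc)
```

The timeout is checked against the clock, not against the number of polls, so a slow server or a long poll interval cannot silently stretch the threshold; and a Failed or Canceled scan fails the task immediately instead of running out the clock.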

Create a CxSAST Scan Summary tile

The CxSAST Scan Summary tile type creates a dashboard tile that displays the metrics of your selected project configured for a CxSAST scan from the Checkmarx server.

To configure a CxSAST Scan Summary tile:

  1. Go to the release dashboard view of a release or to a custom dashboard from the Dashboards menu.
  2. Click Configure > Add tile > CxSAST Scan Summary.
  3. Click the gear icon to configure the added tile.
  4. In the Server field, select an existing Checkmarx server configuration.
  5. In the Project Name field, enter the name of your project from the Checkmarx server.
  6. In the Team field, enter the name of the project team to retrieve the metrics from the Checkmarx server.
  7. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the metrics. If you do not specify a Scan ID, the tile retrieves data for the latest finished scan.
  8. Click Save.

The tile displays the metrics of your project configured for a CxSAST scan from the Checkmarx server or an error message if an error occurs.

Create a CxOSA Scan Summary tile

The CxOSA Scan Summary tile type creates a dashboard tile that displays the metrics of your selected project configured for a CxOSA scan from the Checkmarx server.

To configure a CxOSA Scan Summary tile:

  1. Go to the release dashboard view of a release or to a custom dashboard from the Dashboards menu.
  2. Click Configure > Add tile > CxOSA Scan Summary.
  3. Click the gear icon to configure the added tile.
  4. In the Server field, select an existing Checkmarx server configuration.
  5. In the Project Name field, enter the name of your project from the Checkmarx server.
  6. In the Team field, enter the name of the project team to retrieve the metrics from the Checkmarx server.
  7. In the Scan ID field, enter the ID of the project scan for which you want to retrieve the metrics. If you do not specify a Scan ID, the tile retrieves data for the latest finished scan.
  8. In the Risk Type field, select the type of risk for which you want to display metrics.
  9. Click Save.

The tile displays the metrics of your project configured for a CxOSA scan from the Checkmarx server or an error message if an error occurs.

CxOSA Summary tile

Release notes

XL Release Checkmarx plugin 8.5.0

  • Added compatibility with XL Release 8.5.0
  • Fixed Internet Explorer 11 XL Release Loading Issue