Checkmarx
Version: 8.42.0
Minimum Jenkins requirement: 1.579
ID: checkmarx
Checkmarx CxSAST is a unique source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code, such as security vulnerabilities, compliance issues, and business logic problems.
Without needing to build or compile a software project's source code, CxSAST builds a logical graph of the code's elements and flows. CxSAST then queries this internal code graph. CxSAST comes with an extensive list of hundreds of preconfigured queries for known security vulnerabilities for each programming language. Using the CxSAST Auditor tool, you can configure your own additional queries for security, QA, and business logic purposes.
CxSAST provides scan results either as static reports, or in an interactive interface that enables tracking runtime behavior per vulnerability through the code, and provides tools and guidelines for remediation. Results can be customized to eliminate false positives, and various types of workflow metadata can be added to each result instance. These metadata are maintained through subsequent scans, as long as the instance continues to be found.
The input to CxSAST's scanning and analysis is the source code, not binaries, so no building or compiling is required, and no libraries need to be available. The code doesn't even need to be able to compile and link properly. Consequently, CxSAST can run scans and generate security reports at any given point in a software project's development life cycle.
The CxSAST Jenkins plugin enables:
- Automatic code scan on CxSAST server, upon each build triggered by Jenkins
- Ability to run Open Source Analysis (CxOSA) from within Jenkins (v8.1.0 and up)
- Graphical Scan results summary and trends in Jenkins interface
- Links from Jenkins to CxSAST and CxOSA detailed scan results and to PDF report
After setting up the plugin, you can configure any Jenkins job with a build step action to activate a CxSAST scan. When a Job scan (build) is activated, Jenkins sends the job's source code to CxSAST, where it is scanned according to the parameters specified in the build step action. The scan results are stored in the CxSAST project specified in the action, and displayed in the Jenkins job.
CxOSA for Jenkins can be run in cases where open source components are used as part of the development effort. When a CxOSA (build) is activated, Jenkins sends the open source fingerprints to the CxOSA service (note that no customer details or used libraries are passed to the CxOSA service). Using these open source fingerprints, the CxOSA service maps the open source libraries, identifies the vulnerabilities, analyses license risk and compliance, builds the inventory and detects outdated libraries. Comprehensive and summarized reports are generated within the Jenkins interface.
Setup and Configuration
To set up and configure the Jenkins CxSAST plugin:
- From the Jenkins Dashboard, go to Manage Jenkins > Manage Plugins.
- In the Available tab, scroll down and select the Checkmarx Plugin.
- Click Install without restart or Download and install after restart. Jenkins installs the plugin.
- From the Dashboard, go to Manage Jenkins > Configure System.
- Scroll down to Checkmarx Plugin Default Credentials, and provide the Checkmarx Server URL (protocol - http:// or https://, and hostname or IP address) and default credentials. Prefer https:// so that the credentials and the source code Jenkins uploads are not sent in clear text. You will be able to override these defaults for individual jobs later.
- Click Test Connection. You may have to wait a while until the credentials are validated and Success status is indicated.
- Define the Job status for when a CxSAST scan returns an error: Failure returns a job error that fails the entire build; Unstable returns a job warning that lets the build proceed normally but marks it unstable on completion.
- Enable the Set vulnerability settings for all jobs option in order to set default global settings to all jobs that are not using local settings.
- Define the Build Status (Failure or Unstable) for when the result of scan vulnerabilities exceed threshold for high, medium and low severity types (default is Failure).
- Define the global Vulnerabilities Thresholds (low, medium, high).
- Define the global OSA Vulnerabilities Thresholds (low, medium, high).
- Select Job scan timeout threshold to enable the job scan timeout setting.
- Define the job scan timeout (in minutes).
- Click Save to save the changes.
You can now configure a scan action.
Configure a Scan Action
To configure a scan action:
- In Jenkins, go to the Job page, and click Configure.
- Under Build, click Add build step > Execute Checkmarx Scan. The Scan action configuration fields are displayed.
- Either select to Use default server credentials (see Setting Up the Jenkins Plugin), or clear the checkbox and provide overriding server and credentials.
- Checkmarx project name - begin typing to see a list of available projects from the CxSAST server. Select the relevant project. If the provided project name doesn't exist, CxSAST will create a new project. CxSAST will not use source code defined in the project for this scan; it will scan the code sent to it from Jenkins.
- Select a CxSAST Team and Preset.
- Exclude folders - type comma-separated folder names. Any folders with these names, including their sub-folders, will be excluded from the scan, in addition to certain folder names that are pre-configured to be excluded. To edit these pre-configured exclusions, click Advanced exclude/include settings.
- Incremental: select to enable incremental scans. Scans only new and modified files relative to the CxSAST project's previous scan.
- Source character encoding - define the source code character encoding (leave at the default except for Japanese-encoded sources).
- Comment - provide a remark for the scan action (for example, to mark the scan as originating from a Jenkins action).
- Skip scan if triggered by SCM Changes - defines whether or not to perform a CxSAST scan when the build is triggered by an SCM change.
- Avoid duplicate project scans in queue - Select to enable. Ensures that if a build is initiated in Jenkins and there is already a scan request for this project in the CxSAST Queue, then do not send another scan request. Note that Open Source Analysis will also not be activated in this case.
- Enable OSA - Enable option to initiate CxOSA for this scan/job. Disabled by default.
- Includes / Excludes - Defines which files to include and exclude from the CxOSA for this job/project.
- Job status when CxSAST scan returns an error - defines how to act when a CxSAST scan triggered in synchronous mode fails and returns an error message (i.e. no scan results). Failure returns a job error that fails the entire build; Unstable returns a job warning that lets the build proceed normally but marks it unstable on completion; Use Global Setting applies the default (Failure or Unstable) defined globally for the CxSAST Jenkins plugin (see Setting Up the Jenkins Plugin).
- Enable synchronous mode - enables the viewing of scan results in Jenkins and the setting of thresholds.
- Generate CxSAST PDF report - Enable the creation of a CxSAST scan result report in PDF. The report is available via a link in the scan results in Jenkins (only available if Enable synchronous mode is enabled).
- Enable vulnerability threshold - enables the vulnerability threshold setting option
- Build status when results exceed threshold - Define the build status (Unstable or Failure) when the number of severity vulnerabilities exceed the specified threshold (only available if the Enable vulnerability threshold option is enabled).
- Vulnerabilities threshold (high, medium, low) - Define the CxSAST vulnerability thresholds. If set, a threshold is crossed when the number of vulnerabilities of that severity exceeds it; a count equal to the threshold does not cross it (only available if the Enable vulnerability threshold option is enabled).
- OSA vulnerabilities threshold (high, medium, low) - Define thresholds for the CxOSA vulnerabilities. If set, a threshold is crossed when the number of vulnerabilities of that severity exceeds it (only available if the Enable vulnerability threshold option is enabled).
- Click Save.
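The threshold rule above ("crossed when the count exceeds the threshold") can also be re-applied in a later build step, for example to gate on a combination the plugin's own settings do not express. The following is an added example, not code from the plugin or from Checkmarx: a POSIX shell function meant for an "Execute shell" build step placed after the Execute Checkmarx Scan step, with synchronous mode enabled so the counts are available. It reads the per-severity result counts the scan step exports; CXSAST_RESULTS_MEDIUM and CXSAST_RESULTS_INFO are named on this page, while CXSAST_RESULTS_HIGH and CXSAST_RESULTS_LOW are assumed to exist alongside them. The function name cx_gate and its exit-code convention are this example's own.

```shell
#!/bin/sh
# cx_gate HIGH MEDIUM LOW  HIGH_MAX MEDIUM_MAX LOW_MAX  [MODE]
#
# Re-applies the plugin's threshold rule outside the plugin:
#   - a threshold is crossed only when the count is strictly greater than it
#   - an empty threshold means "not set" for that severity
#   - a missing or non-numeric count (e.g. the variable was never exported
#     because synchronous mode is off) is treated as 0
# Prints the verdict (SUCCESS, UNSTABLE or FAILURE) on stdout.
# Exit status: 0 = SUCCESS, 1 = FAILURE, 2 = UNSTABLE, 3 = bad threshold.
# MODE is the status to report on a crossing (FAILURE by default), mirroring
# the plugin's "Build status when results exceed threshold" option.
cx_gate() {
  high=$1 medium=$2 low=$3
  high_max=$4 medium_max=$5 low_max=$6
  mode=${7:-FAILURE}
  crossed=0
  for pair in "high:$high:$high_max" "medium:$medium:$medium_max" "low:$low:$low_max"; do
    sev=${pair%%:*}; rest=${pair#*:}
    count=${rest%%:*}; limit=${rest#*:}
    [ -z "$limit" ] && continue                      # threshold not set for this severity
    case "$limit" in *[!0-9]*)
      echo "cx_gate: threshold for $sev is not a number: $limit" >&2; return 3 ;;
    esac
    case "$count" in ''|*[!0-9]*) count=0 ;; esac    # missing/non-numeric count -> 0
    if [ "$count" -gt "$limit" ]; then
      echo "Checkmarx: $sev severity count $count exceeds threshold $limit" >&2
      crossed=1
    fi
  done
  if [ "$crossed" -eq 0 ]; then
    echo SUCCESS
    return 0
  fi
  echo "$mode"
  case "$mode" in
    UNSTABLE) return 2 ;;
    *)        return 1 ;;
  esac
}

# Usage inside a Jenkins "Execute shell" step that follows the scan step.
# Jenkins runs the step with -e, so the non-zero exit on a crossing fails
# the build; this gate blocks on any high finding and on more than ten
# medium findings, and ignores low ones:
#   cx_gate "$CXSAST_RESULTS_HIGH" "$CXSAST_RESULTS_MEDIUM" "$CXSAST_RESULTS_LOW" 0 10 "" FAILURE
```

Because an "Execute shell" step fails the build on any non-zero exit, the UNSTABLE verdict only changes the printed text and the exit code; turning it into an unstable (rather than failed) build needs the plugin's own threshold setting or a separate Jenkins mechanism, which this page does not describe.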
View Scan Results
Results of scans triggered from Jenkins are displayed in the Jenkins web interface as well as in CxSAST. The results are saved in Jenkins and, if defined, can also be sent by email as a Jenkins post-scan action.
A graphical side by side summary of the CxSAST results can be viewed in the Jenkins Job/Project dashboard.
The CxSAST Summary provides information about the distribution of security issues for the job/project and is divided into the following categories:
- Vulnerabilities Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level (high, medium and low). Includes the default threshold setting.
- Threshold Status - provides a threshold status indicator (compliant or exceeded).
- CxSAST Report - provides detailed reports (PDF, HTML) that can be generated via the available interactive links.
The CxOSA Summary provides information about the distribution of security issues for the job/project and is divided into the following categories:
- Vulnerable Libraries - distribution of the vulnerable libraries:
- Vulnerable and outdated - includes libraries that have at least one security vulnerability and vulnerable libraries for which a newer version is available
- No vulnerabilities - number of libraries without any known security vulnerabilities
- Vulnerabilities Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level (high, medium and low). Includes the default threshold setting
- Threshold Status - provides a threshold status indicator (compliant or exceeded).
- CxOSA Report - provides a detailed report, in HTML format, that can be generated via the available interactive link. For details about the information provided in this report, see Generating the Open Source Analysis Report to PDF. This report can also be generated in PDF format for download and print (see Viewing the Open Source Analysis Report).
Click Checkmarx Last Scan Results to display the report for the last scan. The Checkmarx Scan Results page provides information about the distribution of security issues for the job/project. A textual summary of the results can be viewed in the Console Output.
For configuring Checkmarx with Jenkins pipeline please refer to this guide on the Checkmarx knowledge center.
Version 8.42.0 (May, 2017)
New Features and Updates
- The CxSAST Jenkins plugin now supports Jenkins Pipeline. Jenkins Pipeline is a suite of plugins which supports implementing and integrating continuous delivery pipelines into Jenkins.
- The latest version of the CxSAST Jenkins plugin has completed its testing phase and now supports Jenkins server version 2.64 (freestyle and pipeline jobs).
- The CxSAST Jenkins plugin now supports additional reporting information and includes the following:
- Unified CxOSA and CxSAST report layout
- Report criteria: scan start and end, number of files/libraries scanned and number of lines of code scanned
- Direct links to PDF and HTML reports
- User accessible links to CxSAST Code Viewer and Analysis Results
- List of vulnerabilities by type
- The CxSAST Security Vulnerabilities Trend graph that was removed in the previous version has been returned to the Jenkins Job/Project dashboard.
Version 8.41.0 (February, 2017)
- We have greatly enhanced the support for running Open Source Analysis from within Jenkins. Once the Jenkins plugin is set up and configured, you can configure open source analysis for any Jenkins job that performs a CxSAST scan action. Configuration is performed from within Jenkins (Job > Configure > Build > Add build step > Execute Checkmarx Scan). CxOSA results can be viewed in the Console Output as well as in the following output files: CxOSA and CxSAST HTML (side-by-side summary), CxOSA HTML (detailed report), CxOSA PDF (detailed report). CxOSA results are saved in Jenkins and, if defined, can also be sent by email as a Jenkins post-scan action.
- To support correct timeouts for incremental scans, the unit of the Scan timeout parameter in the Jenkins System Configuration screen (Jenkins Dashboard > Manage Jenkins > Configure System) has been changed from hours to seconds.
- You can now view the CxOSA vulnerabilities summary and libraries scan results in the OSA log file.
Version 8.2.0 (September, 2016)
- CxSAST plugin now supports Jenkins V2.2.
- A new checkbox (Avoid duplicate project scans in queue) has been added to this new version of CxSAST Plugin for Jenkins (Job > Configure >Build > Add Build Step > Execute Checkmarx Scan > Scan Action Configuration). This new checkbox option, if activated, ensures that if a build is initiated in Jenkins and there is already a scan request for this project in the CxSAST Queue, then do not send another scan request. Note that Open Source Analysis will also not be activated in this case.
The limitation noted for previous versions no longer applies: the Maven plugin does not need to be installed for the Checkmarx Jenkins plugin to work.
Version 8.1.0 (July, 2016)
- CxSAST now supports the option to run Checkmarx’s Open Source Analysis (CxOSA) from Jenkins. Configuration is performed in Jenkins and the results can be viewed in Jenkins as well as the Project State Summary area in CxSAST.
- CxSAST plugin now supports Jenkins V2.2 (see limitations below)
- Special thanks goes out to Eric Lordahl for adding support for the following scan results parameters:
- CXSAST_RESULTS_MEDIUM
- CXSAST_RESULTS_INFO
- Scheduled periodic scan for combined full / incremental scan doesn't work: updated the scheduler and fixed the scanning issue.
The CxSAST plugin for Jenkins depends on the Maven plugin. In Jenkins V1.x the Maven plugin was installed by default on the same server as Jenkins. In Jenkins V2.x, this plugin is no longer installed by default.
Clients with a fresh installation of Jenkins V2.x need to install the Maven plugin separately for the CxSAST plugin to work.
Version 8.0.1 (March, 2016)
The build status and vulnerability threshold can now be configured in Jenkins for cases where the CxSAST scan returns an error. Configuration settings can be defined on a global level as well as per job/project.
- Jenkins should not return "Failure" when a scan completes successfully: reduced the sensitivity of the Jenkins plugin to temporary errors in the CxServer.
- Scan does not end / does not provide a response: fixed an issue that caused the Jenkins job to stall when there is no response from the CxServer. In such cases an error is now issued after a predefined timeout.