Checkmarx SCA Plugin for JFrog
Warning
Versions 1.1.9 and below are no longer supported. To continue using this plugin, make sure to upgrade to version 1.1.10.
Overview
The Checkmarx SCA plugin for JFrog Artifactory runs a Checkmarx SCA scan on each of your JFrog artifacts and uses the scan results to enrich the properties shown in the JFrog Artifactory UI. This integrates scanning of artifacts into your DevOps workflow, providing easy visibility into possible risks that could make your applications vulnerable.
You can set a risk threshold so that artifacts with risks of a specified severity level will automatically be blocked from download.
When you install the plugin, Checkmarx scans all artifacts currently in your Artifactory. In addition, each time that an artifact is downloaded the plugin runs a Checkmarx SCA scan on that item. In order to avoid redundant scanning of the same artifact, a cache mechanism is used to reuse scan results for a fixed period of time (default: 6 hr).
Main Features
Free tool, no Checkmarx account required
View risks in artifact properties
Block download of vulnerable artifacts
Block download of artifacts that have licenses that aren't included in your "allowed" list
Requirements
This plugin is supported only for self-hosted instances of JFrog.
Tested and approved for JFrog Artifactory v7.
Your system must have access to the SCA Cloud. This may require adding our URLs to your firewall's allowlist; see Connectivity to Checkmarx SCA Cloud.
Notice
This is a free tool provided by Checkmarx for all JFrog users, and does not require the user to submit credentials for a Checkmarx SCA account.
Supported Package Managers
Bower, CocoaPods, Composer, Go, Gradle, Ivy, Maven, Npm, Nuget, Pypi, Sbt
Download Links
Download Version 1.1.10:
https://sca-downloads.s3.amazonaws.com/ScaJFrogPlugin/1.1.10/sca-jfrog-plugin.zip
SHA256 checksum: https://sca-downloads.s3.amazonaws.com/ScaJFrogPlugin/1.1.10/sca-jfrog-plugin.zip.sha256sum
Download Latest Version:
https://sca-downloads.s3.amazonaws.com/ScaJFrogPlugin/latest/sca-jfrog-plugin.zip
SHA256 checksum: https://sca-downloads.s3.amazonaws.com/ScaJFrogPlugin/latest/sca-jfrog-plugin.zip.sha256sum
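Because the plugin runs as Groovy code inside Artifactory, it is worth confirming that the archive you fetched matches the published SHA256 checksum before copying it into the plugins directory. The following is an added Python example, not part of the plugin or this documentation. It assumes the .sha256sum file uses the sha256sum text layout, `<hex digest>  <filename>`, which the page does not state; the archive and digests it checks are constructed in a temporary directory so the example runs offline, and `verify_download` can be pointed at the real files once downloaded.

```python
"""Verify a downloaded sca-jfrog-plugin.zip against its published .sha256sum file.

Added example, not part of the plugin or its documentation. Assumes the
.sha256sum file is in `sha256sum` text format: "<64 hex chars>  <filename>".
"""
from __future__ import annotations
import hashlib
import hmac
import os
import tempfile


def parse_sha256sum_line(text: str) -> tuple:
    """Return (hex_digest, filename) from the first sha256sum-style line."""
    line = text.strip().splitlines()[0]
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"unexpected checksum format: {line!r}")
    digest, filename = parts
    filename = filename.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return digest.lower(), filename


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(zip_path: str, sums_path: str) -> bool:
    """True only if the archive's SHA-256 equals the digest in the checksum file."""
    with open(sums_path, encoding="utf-8") as fh:
        expected, _name = parse_sha256sum_line(fh.read())
    actual = sha256_of_file(zip_path)
    return hmac.compare_digest(expected, actual)


def demo() -> tuple:
    """Constructed sample: a fake archive checked against a matching and a wrong digest."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = os.path.join(tmp, "sca-jfrog-plugin.zip")
        with open(zip_path, "wb") as fh:
            fh.write(b"constructed sample bytes, not the real plugin archive\n")
        good = os.path.join(tmp, "good.sha256sum")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(f"{sha256_of_file(zip_path)}  sca-jfrog-plugin.zip\n")
        bad = os.path.join(tmp, "bad.sha256sum")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("0" * 64 + "  sca-jfrog-plugin.zip\n")
        return verify_download(zip_path, good), verify_download(zip_path, bad)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For the real download, save the zip and the .sha256sum file side by side and call `verify_download("sca-jfrog-plugin.zip", "sca-jfrog-plugin.zip.sha256sum")`; only install the archive when it returns True.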
Installing and Configuring the Plugin
Download the plugin using one of the above links.
Extract the archive.
The extracted folder contains the following items:
cxsca-security-plugin.groovy
cxsca-security-plugin.properties
lib (containing sca-artifactory-plugin.jar)
By default, when an artifact is downloaded again within 6 hours, the scan results from the cache are reused instead of triggering a new scan. To adjust this time span, use the following procedure.
Open the cxsca-security-plugin.properties file.
In the line sca.data.expiration-time=21600, replace 21600 with the desired cache lifetime in seconds.
Notice
The minimum acceptable value for cache expiration is 1800 (30 min.).
You can set a risk threshold so that artifacts with risks of the specified severity level (or above) are blocked from download. To set a threshold, use the following procedure.
Open the cxsca-security-plugin.properties file.
In the line sca.security.risk.threshold=none, replace none with the desired threshold: low, medium or high.
Notice
Each artifact that has one or more risks of the specified severity level or above will be blocked from download. You can override the threshold for specific artifacts when needed, see below.
You can specify a list of allowed licenses so that artifacts that do not have an allowed license are blocked from download. To set the list of allowed licenses, use the following procedure.
Open the cxsca-security-plugin.properties file.
Add the property sca.licenses.allowed with a comma-separated list of allowed licenses. For example: sca.licenses.allowed=MIT,APACHE
Notice
You can override this license limitation for specific artifacts when needed, see below.
Put all of the contents of the extracted archive into ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins.
If your JFrog instance is not configured to reload plugins automatically (this is the default configuration), you will need to reload the plugins manually (e.g., POST http://<JFrogURL>/artifactory/api/plugins/reload).
Log in to your JFrog Artifactory instance and navigate to the System Logs to check that Checkmarx SCA has been installed successfully. The logs should show:
Overriding Thresholds
If you have set a threshold for blocking downloads, you can override this threshold for specific artifacts.
Warning
Once you have overridden the threshold, users will be able to download this artifact even though it contains risks of any severity level.
To override the threshold:
Open the properties tab for the desired artifact.
Add a property CxSCA.IgnoreRiskThreshold and set its value to true.
Overriding License Limitations
If you have set a limitation to block download of packages with licenses that aren't included in your "allowed" list, you can override this limitation for specific artifacts.
To override the limitation:
Open the properties tab for the desired artifact.
Add a property CxSCA.IgnoreLicenses and set its value to true.
Event Logs
By default, the plugin logs are written to the general system log file, and the log level is set to INFO.
You can configure the logs to be sent to a dedicated Checkmarx log file, and you can also change the log level.
To create a dedicated log file:
Open the ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xml file.
Append the following snippet to the file in order to create a dedicated log file.
<appender name="CXSCA" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${log.dir}/cxsca.log</File>
    <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
        <FileNamePattern>${log.dir.archived}/cxsca.%i.log.gz</FileNamePattern>
    </rollingPolicy>
    <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
        <MaxFileSize>25MB</MaxFileSize>
    </triggeringPolicy>
    <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
            <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
        </layout>
    </encoder>
</appender>
If you would also like to change the log level, add the following logger element to the file. Note that in logback an appender only receives output once a logger references it, so this element is also what routes the plugin's messages to the CXSCA appender; adjust the level attribute as needed.
<logger name="com.checkmarx.sca.cxsca-security-plugin" additivity="false" level="DEBUG">
    <appender-ref ref="CXSCA"/>
</logger>
Notice
The log level can be set as INFO (default), DEBUG or WARN.
Checkmarx Artifact Properties
Once the plugin is enabled and a package has been scanned by Checkmarx SCA, the following properties are added to the properties tab of the artifact.
| Property Name | Description |
|---|---|
| CxSCA.TotalRisks | The total number of vulnerabilities. |
| CxSCA.LowSeverityRisks | The total number of low severity vulnerabilities. |
| CxSCA.MediumSeverityRisks | The total number of medium severity vulnerabilities. |
| CxSCA.HighSeverityRisks | The total number of high severity vulnerabilities. |
| CxSCA.RiskScore | The overall risk score of the package, from 0 (low) to 10 (high). |
| CxSCA.RiskLevel | The overall risk level of the package. Possible values are: High, Medium, Low, None. |
| CxSCA.LastScanned | The date and time at which the most recent scan was run. |
| CxSCA.Licenses | The list of licenses associated with this artifact. |
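To see how the configuration settings described earlier (cache lifetime, risk threshold, allowed licenses), the per-artifact override properties CxSCA.IgnoreRiskThreshold and CxSCA.IgnoreLicenses, and the CxSCA.* properties in this table combine into a download decision, here is an added Python example that is not the plugin's own code. It re-implements the blocking rules as this page documents them over the JSON that Artifactory's GET /artifactory/api/storage/{repo}/{path}?properties endpoint returns (each property value is a list of strings); the properties file and the response below are constructed samples. Where the page is silent it assumes that CxSCA.Licenses may be either a comma-separated string or a multi-valued property, that license names match case-insensitively, and that any license outside the allowed list blocks the artifact.

```python
"""Audit an artifact's CxSCA.* properties against the plugin's configured policy.
Added example, not the plugin's code: it re-implements the documented blocking
rules over a GET /artifactory/api/storage/{repo}/{path}?properties response.
Assumed (not stated on the page): CxSCA.Licenses is comma-separated or
multi-valued, matching is case-insensitive, any disallowed license blocks."""
from __future__ import annotations
import json

SEVERITY_ORDER = ["low", "medium", "high"]
COUNT_PROPERTY = {"low": "CxSCA.LowSeverityRisks",
                  "medium": "CxSCA.MediumSeverityRisks",
                  "high": "CxSCA.HighSeverityRisks"}

# Constructed cxsca-security-plugin.properties after the three procedures above.
SAMPLE_PROPERTIES_FILE = """\
sca.data.expiration-time=21600
sca.security.risk.threshold=medium
sca.licenses.allowed=MIT,APACHE
"""

# Constructed storage-API response; Artifactory returns every property value as
# a list of strings. The counts and licenses are made up for this example.
SAMPLE_STORAGE_RESPONSE = json.dumps({"properties": {
    "CxSCA.TotalRisks": ["3"],
    "CxSCA.LowSeverityRisks": ["2"],
    "CxSCA.MediumSeverityRisks": ["1"],
    "CxSCA.HighSeverityRisks": ["0"],
    "CxSCA.RiskScore": ["5.4"],
    "CxSCA.RiskLevel": ["Medium"],
    "CxSCA.Licenses": ["MIT,GPL-3.0"],
}})


def load_policy(text: str) -> dict:
    """Parse the .properties text and enforce the documented constraints."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    threshold = props.get("sca.security.risk.threshold", "none").lower()
    if threshold not in ("none", *SEVERITY_ORDER):
        raise ValueError(f"invalid sca.security.risk.threshold: {threshold!r}")
    expiry = int(props.get("sca.data.expiration-time", "21600"))
    if expiry < 1800:  # documented minimum (30 min)
        raise ValueError("sca.data.expiration-time is below the 1800 second minimum")
    allowed = props.get("sca.licenses.allowed", "")
    return {"threshold": threshold, "cache_seconds": expiry,
            "allowed_licenses": {s.strip().upper() for s in allowed.split(",") if s.strip()}}


def _flag(props: dict, name: str) -> bool:
    """True if the per-artifact override property is set to 'true'."""
    return any(v.strip().lower() == "true" for v in props.get(name, []))


def evaluate(storage_json: str, policy: dict) -> list:
    """Return the reasons the artifact would be blocked; empty means downloadable."""
    props = json.loads(storage_json).get("properties", {})
    reasons = []
    # Risk threshold: any risk at the configured severity or above blocks the
    # download, unless CxSCA.IgnoreRiskThreshold=true is set on the artifact.
    if policy["threshold"] != "none" and not _flag(props, "CxSCA.IgnoreRiskThreshold"):
        for level in SEVERITY_ORDER[SEVERITY_ORDER.index(policy["threshold"]):]:
            count = int(props.get(COUNT_PROPERTY[level], ["0"])[0])
            if count > 0:
                reasons.append(f"{count} {level}-severity risk(s) at or above "
                               f"threshold '{policy['threshold']}'")
    # License allow-list: a license outside the list blocks the download,
    # unless CxSCA.IgnoreLicenses=true is set on the artifact.
    if policy["allowed_licenses"] and not _flag(props, "CxSCA.IgnoreLicenses"):
        licenses = {s.strip().upper() for v in props.get("CxSCA.Licenses", [])
                    for s in v.split(",") if s.strip()}
        disallowed = licenses - policy["allowed_licenses"]
        if disallowed:
            reasons.append("license(s) not in allowed list: " + ", ".join(sorted(disallowed)))
    return reasons


def demo() -> tuple:
    """Evaluate the sample artifact before and after both overrides are added."""
    policy = load_policy(SAMPLE_PROPERTIES_FILE)
    before = evaluate(SAMPLE_STORAGE_RESPONSE, policy)
    overridden = json.loads(SAMPLE_STORAGE_RESPONSE)
    overridden["properties"]["CxSCA.IgnoreRiskThreshold"] = ["true"]
    overridden["properties"]["CxSCA.IgnoreLicenses"] = ["true"]
    return before, evaluate(json.dumps(overridden), policy)


if __name__ == "__main__":
    for reason in demo()[0]:
        print("blocked:", reason)
```

Run against a live instance by feeding `evaluate` the body of a storage-API request for the artifact in question; the returned list is the set of policy reasons that an override on that artifact would silence, which is useful to record before adding CxSCA.IgnoreRiskThreshold or CxSCA.IgnoreLicenses.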