Checkmarx SAST-Slim
Introduction
Checkmarx SAST-Slim (SAST-Slim) is a version of Checkmarx SAST (SAST) that is distributed without the US-based third-party software. SAST-Slim is available as the equivalent of SAST 9.5.0 and later, with annual releases. All features and functionality included in SAST are also present in the SAST-Slim version.
SAST-Slim is available for clean installations and for upgrades (from previous SAST versions).
Caution
The customer is responsible for handling the installation and configuration of all the software components required for the proper performance of SAST-Slim.
Caution
M&O is not supported in SAST-Slim.
New installations will not have it; upgrades might have it, but without any guarantee for its functionality.
The following sections describe the requirements and installation procedures for SAST-Slim.
Requirements
Third-Party Product | Version | Comment |
---|---|---|
Active MQ | 5.17.2 | |
.NET Core | 6.0.5 | |
.NET Core Windows Server Hosting | 6.0.5 | |
Java JRE | 17.0.3 (x64) | |
Visual C++ Redistributable (x64) | | |
MS SQL | SQL Server Express or other versions | |
IIS | v7.0 | |
Windows Environment | Win2012, Win2016, Win2019, Win2022 | |
ActiveMQ Required Configuration
Whether it is a clean installation or an upgrade to SAST-Slim, Active MQ (AMQ) must be installed and properly configured by the customer.
Caution
SAST-Slim requires AMQ to be configured with a user and a password.
Anonymous mode must not be used because it will prevent the SAST-Slim suite from functioning correctly.
Make sure a user with the name “cxuser” is defined.
The password must be set; it cannot be left blank.
The password must be without uppercase characters.
The AMQ service must be restarted for configuration changes to take effect.
Defining User and Password using the Authentication Plugin
This can be performed either during installation or afterward, by editing the activemq.xml file and adding a section inside the broker element similar to the following:

```xml
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="cxuser" password="your_password" groups="users,admins" />
    </users>
  </simpleAuthenticationPlugin>
</plugins>
```
Notice
Refer to the official AMQ documentation for alternate ways of configuring users and passwords.
Notice
SAST-Slim requires that only one user is defined.
There is no need to define groups and/or permissions under AMQ.
Password Encryption
Refer to the official AMQ documentation about how to use encrypted passwords.
An online external encrypt/decrypt website, such as Jasypt, can also be used. Jasypt is an example of a tool that supports both one-way and two-way password encryption, as well as matching encrypted passwords.
Notice
In any case, the private key (password) that must be used for the encryption algorithm is: CxManager
Relevant AMQ Information
Use the following information when configuring AMQ:
Host Name: refers to the Server/Machine name/IP.
Port: refers to the port in the uri value of the transportConnector element named "openwire" in the ActiveMQ.xml file (as shown in the image below).
Password: refers to the password defined. It can be found either in credentials.properties or credentials-enc.properties; or else in the ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.
User ID: is hardcoded as “cxuser”, and must exist in the AMQ configuration, either in credentials.properties or credentials-enc.properties or else in ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.
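The constraints listed under "ActiveMQ Required Configuration" (a single user named cxuser, a non-blank password with no uppercase characters, no anonymous access) and the openwire port lookup described above can be checked before running the installer. The following pre-flight check is an added example and is not part of the Checkmarx or ActiveMQ documentation; the two activemq.xml fragments are constructed samples, and the function and variable names (`check_auth_config`, `openwire_port`, `GOOD_ACTIVEMQ_XML`, `BAD_ACTIVEMQ_XML`) are this example's own. It strips XML namespaces so that the real activemq.xml (which declares Spring and ActiveMQ namespaces) and the namespace-free snippet from the page are both handled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample broker configuration (not a real deployment file) in the
# shape of an activemq.xml with the simpleAuthenticationPlugin section added.
GOOD_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="false">
        <users>
          <authenticationUser username="cxuser" password="lowercase-only-pass" groups="users,admins"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="amqp" uri="amqp://0.0.0.0:5672"/>
    </transportConnectors>
  </broker>
</beans>
"""

# Constructed counter-example that violates the SAST-Slim constraints
# (anonymous access enabled, password with uppercase characters).
BAD_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="true">
        <users>
          <authenticationUser username="cxuser" password="MixedCase1" groups="users"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>
  </broker>
</beans>
"""


def _local_name(tag):
    """Strip the XML namespace ({uri}name -> name) so lookups ignore xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All elements below (and including) root whose local tag name matches."""
    return [el for el in root.iter() if _local_name(el.tag) == name]


def openwire_port(xml_text):
    """Return the port from the uri of the transportConnector named 'openwire'."""
    root = ET.fromstring(xml_text)
    for connector in _find_all(root, "transportConnector"):
        if connector.get("name") == "openwire":
            return urlsplit(connector.get("uri", "")).port
    return None


def check_auth_config(xml_text):
    """Return a list of problems; an empty list means the config meets the constraints."""
    root = ET.fromstring(xml_text)
    problems = []
    plugins = _find_all(root, "simpleAuthenticationPlugin")
    if not plugins:
        return ["simpleAuthenticationPlugin is missing, so the broker would accept anonymous clients"]
    plugin = plugins[0]
    if plugin.get("anonymousAccessAllowed", "false").lower() == "true":
        problems.append("anonymousAccessAllowed is true; anonymous mode must not be used")
    users = _find_all(plugin, "authenticationUser")
    if len(users) != 1:
        problems.append(f"exactly one user must be defined, found {len(users)}")
    for user in users:
        username = user.get("username", "")
        password = user.get("password", "")
        if username != "cxuser":
            problems.append(f"username '{username}' must be 'cxuser'")
        if not password:
            problems.append("password must not be blank")
        elif any(ch.isupper() for ch in password):
            problems.append("password must not contain uppercase characters")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_ACTIVEMQ_XML), ("bad", BAD_ACTIVEMQ_XML)):
        print(label, "openwire port:", openwire_port(cfg), "problems:", check_auth_config(cfg))
```

Run it against the real file by replacing the embedded sample with `open(path).read()`. The `anonymousAccessAllowed` attribute is a standard option of the ActiveMQ simpleAuthenticationPlugin; leaving it unset is equivalent to false, which is what the check assumes.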
SAST-Slim - Clean Installation
Notice
It is important that at this stage all requirements, including AMQ, have been installed!
SAST-Slim can be installed either by the UI installer or the Silent installer. Both installation processes will check that all the requirements are correctly installed in the environment.
UI Installer
The clean installation via the UI is similar to SAST (refer to the CxSAST documentation for details). During the installation steps, the following screen appears, requiring the AMQ configuration fields described in "Relevant AMQ Information" above to be filled in.
Caution
Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterward, you must test the connection again, before continuing!
Notice
SSL Connection is disabled for clean installations. The SSL configuration for Checkmarx SAST-Slim and its companion components must be performed after the installation is completed.
Silent Installer
The silent installer works as SAST (refer to CxSAST documentation for details).
For SAST-Slim to work with AMQ, the following arguments must be passed during the installer execution.
MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above
MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above
ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above
ACTIVEMQ = '1'
SAST-Slim - Upgrade (from 9.3 to 9.4.5)
Notice
In the following procedure, <Checkmarx Home> refers to the path where the original version of SAST is installed. It usually defaults to C:\Program Files\Checkmarx.
Notice
It is important that at this stage all requirements are installed!
In addition:
- Java 17+ must be added to the PATH environment variable.
- Regarding ActiveMQ:
  - if it is installed on a different machine, it can be installed before starting the upgrade;
  - if it is installed on the same machine, install it only as indicated in the steps below.
UI Installer
To upgrade with SAST-Slim (from a non-SAST-Slim version) using the UI Installer, perform the following:
1. Run the SAST-Slim installer and follow the wizard steps. Note that the original ActiveMQ component will be removed automatically during the installation.
2. When the ActiveMQ configuration screen appears, install the new AMQ before continuing.
Caution
Do not install AMQ in <Checkmarx Home>.
Make sure to configure it with the username “cxuser” and a password that is non-empty and without uppercase characters.
Caution
Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterwards, you must test the connection again, before continuing!
Silent Installer
To upgrade with SAST-Slim (from a non-SAST-Slim version) using the Silent Installer, perform the following:
1. Run the SAST-Slim silent installer. After a while, it will exit and the following message will appear in the log files within the %temp% folder:
   Checkmarx ActiveMQ removed exit from the application. Rerun the silent installation with the External ActiveMQ configuration parameters.
2. Install the new AMQ before continuing.
3. Rerun the SAST-Slim silent installer with all the following AMQ parameters:
MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above
MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above
ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above
ACTIVEMQ = '1'
RabbitMQ Configuration (9.6.0 and up)
Note
CxSAST 9.6.0 Slim (with ActiveMQ) must be installed to change the connection to RabbitMQ.
Access the frontend of RabbitMQ (optional)
1. If RabbitMQ is running on a separate machine, connect to that machine (for example, via RDP).
2. Open a web browser and go to http://localhost:15672/ (or to the relevant URL where RabbitMQ is deployed).
3. Log in with the following credentials (in case you are using the default credentials):
   - username: guest
   - password: guest
Define the correct values for the necessary keys inside the database
1. Open SQL Server Management Studio (SSMS).
2. Connect to your SQL Server instance.
3. Open the following database table: [CxDB].[dbo].[CxComponentConfiguration]
4. Define ActiveMessageQueueURL = tcp://example:5672 (replace "example" with the hostname or IP address of the machine that has the RabbitMQ deployment).
   Note
   We do not guarantee that the connection to RabbitMQ with AMQPS or SSL will function correctly.
5. Define MessageQueueType = RabbitMQ
6. The value of the key MessageQueuePassword is an encrypted password. Do not change this value.
7. The value of the key MessageQueueUsername must be equal to cxuser. Currently, the message queue does not function with a different value, because cxuser is hardcoded.
Define the correct values for the necessary system variables:
1. Open the Edit the system environment variables window.
2. Click Environment Variables.
3. Define ActiveMessageQueueURL and CX_ES_MESSAGE_QUEUE_URL = tcp://example:5672 (replace "example" with the hostname or IP address of the machine that has the RabbitMQ deployment).
   Note
   We do not guarantee that the connection to RabbitMQ with AMQPS or SSL will function correctly.
4. Define CX_ENGINE_MESSAGE_QUEUE_TYPE = RabbitMQ
5. The values of the variables CX_ES_MESSAGE_QUEUE_PASSWORD and MessageQueuePassword are encrypted passwords. Do not change these values.
6. The values of the variables CX_ES_MESSAGE_QUEUE_USERNAME and MessageQueueUsername must be equal to cxuser. Currently, the message queue does not function with a different value, because cxuser is hardcoded.
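The database keys and the system variables above have to agree with each other and with the constraints the page states (tcp scheme rather than AMQPS/SSL, the placeholder host replaced, the type set to RabbitMQ, the username cxuser, the encrypted password left untouched). The following consistency check is an added example, not a Checkmarx tool; it assumes the values have already been read into dictionaries (how they are read from SSMS or the environment is outside the example), the host `mq01.corp.example` and the password placeholder are constructed, and the function names (`check_queue_url`, `check_rabbitmq_switch`) are this example's own.

```python
from urllib.parse import urlsplit

# Constructed snapshot of the CxComponentConfiguration keys before the change.
# The MessageQueuePassword value is a placeholder, not a real encrypted value.
DB_BEFORE = {
    "ActiveMessageQueueURL": "tcp://localhost:61616",
    "MessageQueueType": "ActiveMQ",
    "MessageQueuePassword": "<encrypted-value-placeholder>",
    "MessageQueueUsername": "cxuser",
}

# Constructed values after the switch; "mq01.corp.example" stands in for the RabbitMQ host.
DB_AFTER_OK = {
    "ActiveMessageQueueURL": "tcp://mq01.corp.example:5672",
    "MessageQueueType": "RabbitMQ",
    "MessageQueuePassword": "<encrypted-value-placeholder>",
    "MessageQueueUsername": "cxuser",
}
ENV_AFTER_OK = {
    "ActiveMessageQueueURL": "tcp://mq01.corp.example:5672",
    "CX_ES_MESSAGE_QUEUE_URL": "tcp://mq01.corp.example:5672",
    "CX_ENGINE_MESSAGE_QUEUE_TYPE": "RabbitMQ",
    "CX_ES_MESSAGE_QUEUE_USERNAME": "cxuser",
    "MessageQueueUsername": "cxuser",
}

# Constructed mistakes: AMQPS scheme, placeholder host kept, type not switched, password edited.
DB_AFTER_BAD = {
    "ActiveMessageQueueURL": "amqps://example:5671",
    "MessageQueueType": "ActiveMQ",
    "MessageQueuePassword": "newpassword",
    "MessageQueueUsername": "cxuser",
}


def check_queue_url(url, label):
    """Problems with one queue URL: scheme, placeholder host, missing port."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "tcp":
        problems.append(f"{label}: scheme '{parts.scheme}' is not tcp; AMQPS/SSL is not guaranteed to work")
    if not parts.hostname or parts.hostname == "example":
        problems.append(f"{label}: replace 'example' with the RabbitMQ host name or IP address")
    if parts.port is None:
        problems.append(f"{label}: port is missing (the procedure uses 5672)")
    return problems


def check_rabbitmq_switch(db_before, db_after, env_after):
    """Return every deviation from the procedure; an empty list means the values are consistent."""
    problems = []
    problems += check_queue_url(db_after.get("ActiveMessageQueueURL", ""), "DB ActiveMessageQueueURL")
    for var in ("ActiveMessageQueueURL", "CX_ES_MESSAGE_QUEUE_URL"):
        problems += check_queue_url(env_after.get(var, ""), f"env {var}")
    if db_after.get("MessageQueueType") != "RabbitMQ":
        problems.append("DB MessageQueueType must be RabbitMQ")
    if env_after.get("CX_ENGINE_MESSAGE_QUEUE_TYPE") != "RabbitMQ":
        problems.append("env CX_ENGINE_MESSAGE_QUEUE_TYPE must be RabbitMQ")
    for store, where, key in ((db_after, "DB", "MessageQueueUsername"),
                              (env_after, "env", "MessageQueueUsername"),
                              (env_after, "env", "CX_ES_MESSAGE_QUEUE_USERNAME")):
        if store.get(key) != "cxuser":
            problems.append(f"{where} {key} must be cxuser (the value is hardcoded)")
    # The encrypted password is not to be touched: it must equal the pre-change value.
    if db_after.get("MessageQueuePassword") != db_before.get("MessageQueuePassword"):
        problems.append("DB MessageQueuePassword was changed; keep the existing encrypted value")
    # The database key and both environment variables must point at the same broker.
    urls = {db_after.get("ActiveMessageQueueURL"),
            env_after.get("ActiveMessageQueueURL"),
            env_after.get("CX_ES_MESSAGE_QUEUE_URL")}
    if len(urls) != 1:
        problems.append("the queue URL in the database and the two environment variables must agree")
    return problems


if __name__ == "__main__":
    print("ok  :", check_rabbitmq_switch(DB_BEFORE, DB_AFTER_OK, ENV_AFTER_OK))
    print("bad :", check_rabbitmq_switch(DB_BEFORE, DB_AFTER_BAD, ENV_AFTER_OK))
```

Run the check after editing the table and the variables but before restarting IIS and the Checkmarx services, so that a typo in one of the three URL locations is caught before the services are bounced.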
Restart Internet Information Services (IIS)
1. Open IIS Manager.
2. Go to the homepage by clicking on the name of your machine (left side panel).
3. On the right side panel, click Stop and then click Start.
Restart all the Checkmarx services
1. Open the Services window.
2. Stop and then start these services: CxJobManager, CxSastResults, CxScansManager, CxServicesAvailability, and CxSystemManager.
Test if RabbitMQ is functioning correctly
1. Open a web browser.
2. Open CxPortal and navigate to the Access Control administration page (if the page is already open, refresh it).
3. Create a user.
4. Open SSMS.
5. Select all users from the [CxDB].[dbo].[Users] table.
6. Confirm that the user that you created was inserted in the table.
Additional Notes
Post-Install Tool
In case the customer installed AMQ in an external environment, attention is required when using the Post-install tool to update endpoints.
As can be seen in the image below, the current state of AMQ URI is different from the current URIs of other components. This is correct, as it refers to the external environment. However, the Post-Install tool assumes the new base URI for all components (as shown in the text fields under the After Update column).
In this situation, it is recommended that you copy the current AMQ URI to the text field under the After Update column.