Integrating the Checkmarx One Vulnerability Integration
Once all the integrations are activated, scheduled tasks invoke them automatically every day. The tasks are chained to run in sequence, with each integration triggered only after the previous one has completed. Each Checkmarx One application vulnerability integration is intended to provide complete data retrieval. Running them out of order requires ServiceNow and Application Vulnerability Response expertise and could result in incomplete data.
If the three integrations are not chained for execution, they must be run manually in the following order:
1. Checkmarx One Application List Integration
2. Checkmarx One Scan Summary Integration
3. Checkmarx One Application Vulnerable Item Integration
Note the following:
The SNOW plugin will not import any findings that are marked as Not Exploitable in Checkmarx One. If a finding is already present and later marked as Not Exploitable, it will be labelled Closed in SNOW during the next integration run.
If the configuration is Latest Scan Across All Branches, the plugin will compare the old ScanID from ServiceNow with the latest ScanID of the project. Any findings that are resolved will be marked Closed.
If the configuration is Latest Scan Each Branch, the plugin will compare the old ScanID for each individual branch (as stored in the ServiceNow table) with the latest ScanID for each corresponding branch in the project. Resolved findings for each branch will be marked Closed.
If the configuration is Latest Scan of Primary Branch, the plugin will compare the old ScanID of the primary branch (as stored in the ServiceNow table) with the latest ScanID of the project's primary branch. Any resolved findings will be marked Closed accordingly.
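The notes above describe which scan pairs are compared under each configuration. The following is an added JavaScript sketch of that selection, not the plugin's code: the mode labels, data shapes and function names are assumptions, the sample scans are constructed, and "resolved" is modelled as "present in the old scan, absent from the latest".

```javascript
// Added illustration: a model of the documented behaviour, not the plugin's code.
// All names and data shapes are assumptions; the sample data is constructed.
const scans = [
  { id: 's1', branch: 'main', created: 1, findings: ['A', 'B'] },
  { id: 's2', branch: 'dev',  created: 2, findings: ['C', 'D'] },
  { id: 's3', branch: 'main', created: 3, findings: ['A', 'F'] },
  { id: 's4', branch: 'dev',  created: 4, findings: ['C', 'E'] },
];
const byId = new Map(scans.map((s) => [s.id, s]));

// Newest scan among those matching the predicate.
const latest = (pred) =>
  scans.filter(pred).reduce((a, b) => (b.created > a.created ? b : a));

// Pick the (old, latest) scan pairs to compare for a configuration.
// `stored` maps branch name -> ScanID recorded in ServiceNow at the last run.
function scanPairs(mode, stored, primaryBranch) {
  if (mode === 'ALL_BRANCHES') {
    // Assumption: one old ScanID per project, the newest stored one on any branch.
    const old = Object.values(stored).map((id) => byId.get(id))
      .reduce((a, b) => (b.created > a.created ? b : a));
    return [[old, latest(() => true)]];
  }
  const branches = mode === 'PRIMARY_BRANCH' ? [primaryBranch] : Object.keys(stored);
  return branches.map((b) => [byId.get(stored[b]), latest((s) => s.branch === b)]);
}

// Findings to mark Closed: present in the old scan but absent from the latest,
// plus any previously imported finding now marked Not Exploitable.
function findingsToClose(mode, stored, primaryBranch, notExploitable = []) {
  const closed = new Set();
  for (const [old, cur] of scanPairs(mode, stored, primaryBranch)) {
    for (const f of old.findings) {
      if (!cur.findings.includes(f) || notExploitable.includes(f)) closed.add(f);
    }
  }
  return [...closed].sort();
}
```

With the stored ScanIDs `{ main: 's1', dev: 's2' }`, the same project yields a different set of Closed findings under each configuration, which is worth checking before changing the setting on a project with long-lived branches.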
Checkmarx One Application List Integration
1. Click Integrations.
2. Click Checkmarx One Application List Integration.
3. Click on the calendar icon to select a date and time. The integration will import the details of projects created in the CxOne portal after the specified Start Date and Time.
4. Click Execute Now if the run is not scheduled and is On Demand, or if the integration needs to be performed manually.
The Application Vulnerability Integrations screen is displayed.
When the plugin shows a State of Complete and a Substate of Successful, the plugin has connected to the Checkmarx One instance and pulled in the project list. The first time all the project lists are imported, the plugin will ascertain how many scans there are and pull in the latest scans.
Note
If a script has been customized and the latest version hasn't been applied, you must revert it to its store version. Follow these steps to revert the script:
1. In the Application Navigator, search for Script Includes under All.
2. Under System Definition, select Script Includes.
3. Search for the modified script (e.g., CheckmarxOneAppVulItemIntegration, CheckmarxOneScanSummaryIntegration, CheckmarxOneUtilBase).
4. Scroll down to the Version field.
5. Click on the link for the Store version.
6. Click Revert to this version.
This is a one-time manual step after the initial update. Future updates will automatically apply without requiring manual reversion.
Any project/scan that is deleted on the Checkmarx One side will not be deleted on the ServiceNow side.
Checkmarx One Scan Summary Integration
The steps for integrating the Checkmarx One Scan Summary Integration are similar to the steps above, with one exception: a date can be included.
1. Click Checkmarx One Scan Summary Integration, as per point 2 above.
2. Click on the calendar icon to select a date and time. The integration will import the scan summary of those scans created in the CxOne portal after the specified start date and time if the run is not scheduled and is On Demand, or if the integration must be performed manually.
3. Click Execute Now.
4. Navigate to the Settings icon to edit the time zone of Start Time.
5. Use the dropdown list to select the time zone.
Note
The time selected in the integration's Start Time is converted to Coordinated Universal Time (UTC) irrespective of the time zone selected, and the converted UTC time is used by Checkmarx One.
Checkmarx One Application Vulnerable Item Integration
The steps for integrating the Checkmarx One Application Vulnerable Item Integration are the same as those for integrating the Checkmarx One Scan Summary Integration. During the integration run, it imports Projects, Scans, and Results of scans created in Checkmarx One after a specified start time (configured on the integration page).
The SAST and SCA scans Delta API compares the old scanID present in ServiceNow with the project's most recent scanID to get the Fixed findings.