
Installation and Configuration of MID Server for Vulnerability Response Integration with SAST

  1. Create the MID Server user in your instance and grant it mid_server access. For the steps, see: Setup MID Server Role.

  2. Download the suitable MID Server file to a host machine that has access to SAST. For the steps, see: Download MID Server Files.

  3. Once downloaded, add the instance URL, MID Server username, and password in the config file, then add the name of your MID Server and start it. Check this link for further details: Install MID Server on Windows.

  4. Once MID Server is up and reflected in your instance, validate it. You can check this link for further details: Validate MID Server.
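
A pre-start check for the values step 3 puts in the MID Server config file, as an added example that is not part of the original page or of ServiceNow or Checkmarx tooling. The parameter names (`url`, `mid.instance.username`, `mid.instance.password`, `name`), the `YOUR_` placeholder marker and the `secure`/`encrypt` attribute are assumptions about the shipped config.xml template; both sample files are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The four values step 3 asks for. Parameter names are assumed to match the
# config.xml template shipped with the MID Server; adjust if yours differ.
REQUIRED = ("url", "mid.instance.username", "mid.instance.password", "name")

# Constructed sample: placeholders left in place, plain-HTTP URL, no name.
SAMPLE_BAD = """<parameters>
  <parameter name="url" value="http://instance.example/"/>
  <parameter name="mid.instance.username" value="YOUR_INSTANCE_USER_NAME_HERE"/>
  <parameter name="mid.instance.password" value="YOUR_INSTANCE_PASSWORD_HERE"/>
  <parameter name="name" value=""/>
</parameters>"""

# Constructed sample: all four values set, password flagged for encryption.
SAMPLE_GOOD = """<parameters>
  <parameter name="url" value="https://instance.example/"/>
  <parameter name="mid.instance.username" value="mid.sast.user"/>
  <parameter name="mid.instance.password" secure="true" value="constructed-secret"/>
  <parameter name="name" value="MID-SAST-01"/>
</parameters>"""


def lint_mid_config(xml_text):
    """Return a list of findings for a MID Server config.xml; empty means clean."""
    params = {p.get("name"): p for p in ET.fromstring(xml_text).iter("parameter")}
    findings = []
    for key in REQUIRED:
        node = params.get(key)
        value = (node.get("value") or "").strip() if node is not None else ""
        if not value:
            findings.append(f"{key}: missing or empty")
        elif "YOUR_" in value:
            findings.append(f"{key}: template placeholder not replaced")
    url = params.get("url")
    if url is not None and urlparse(url.get("value", "")).scheme != "https":
        findings.append("url: instance URL is not https")
    pw = params.get("mid.instance.password")
    # Assumption: the password parameter carries secure="true" (encrypt="true"
    # on older releases) so the MID Server encrypts it in place on start.
    if pw is not None and "true" not in (pw.get("secure"), pw.get("encrypt")):
        findings.append("mid.instance.password: not flagged for encryption")
    return findings


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_mid_config(text) or "clean")
```

To check a real file, pass its contents to `lint_mid_config` before starting the MID Server service.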

Configuration is done initially and is a one-time activity.

To Configure the Checkmarx Vulnerability Integration:

  1. Navigate to your instance of ServiceNow and log in.

  2. Search for Checkmarx Vulnerability Integration.

  3. Click Configuration.

  4. Provide the information required to complete the Checkmarx configuration.

    Note

    Mandatory fields are marked with a red asterisk.

    To configure SAST, mark the Import SAST checkbox and add the below details:

    • Checkmarx Server URL: SAST URL

    • Username: Checkmarx SAST Username

    • Password: Checkmarx SAST Password

    • Category Name: Configure as required. If no default value is added to this field, it is populated with the ‘Category Name’ received from SAST.

    • Mid_Server: Select your MID Server using the search list.

    • Include First Detection Date: This column will be included in the AVIT table when enabled.

    • Vulnerability Threshold Level: Option to select the threshold level from the following:

      • High: Displays only High vulnerabilities.

      • Medium: Displays High and Medium vulnerabilities.

      • Low: Displays High, Medium, and Low vulnerabilities.

      • Info: Displays Info, High, Medium, and Low vulnerabilities.

    • Sync Result State: AVIT with the entered Result States will be imported into the AVIT Table.

    • Import Audit Result: Mark the Import Audit Result checkbox to fetch the Audit Results.

    • Filter Project: Select the option from dropdown to filter projects by project ID or name.

    • Enter Project IDs: Enter a maximum of 10 CxSast project IDs to include in the integration run. Add exclude= followed by the Project IDs to exclude any project.

    • Enter Project Names: Enter a maximum of 10 substrings of project names to include in the integration run.

    • Exclude Teams: Enter a maximum of 10 team names to exclude their projects from being imported.

    • List of Project IDs: Only entered SAST projects and their details will be imported.

    To configure SCA, mark the Import SCA checkbox and add the below details:

    • Checkmarx SCA Access Control Server URL: SCA Access control server URL

    • CheckmarxSCA Server URL: SCA API URL

    • SCA Username: Checkmarx SCA Username

    • SCA Password: Checkmarx SCA Password

    • Tenant: SCA Tenant

    • Vulnerability Threshold Level: Option to select the threshold level from the following:

      • High: Displays only High vulnerabilities.

      • Medium: Displays High and Medium vulnerabilities.

      • Low: Displays High, Medium, and Low vulnerabilities.

      • Info: Displays Info, High, Medium, and Low vulnerabilities.

    • List of Project IDs: Only the entered SCA Projects and their details will be imported.

    • Enter SCA project IDs: Enter a maximum of 10 CxSCA project IDs to include in the integration run.

    • Import Exploitable Path: Mark the Import Exploitable Path checkbox to fetch the exploitable path information.

  5. Click Save and Test Credentials.

    The system tests the credentials and confirms if the validation is successful.

    If the authentication is successful, continue to perform the Checkmarx Vulnerability Integration.

Warning

If you are getting any of these errors, follow the steps to solve them:

  • HttpException: Session contains no certificates – Untrusted

    • The Checkmarx Server URL is not on the trusted list. Please add it to the trusted list.

    • Open MID Security Policy in the ServiceNow UI, and disable cert checking for the Intranet zone.

  • The payload size of 24138679 bytes exceeded the maximum of 20000000 bytes

    • Go to MID Server > Properties

    • Verify if the property mid.eccq.max_payload_size exists

    • If the property exists, increase the size of the payload in bytes. If it doesn't exist, create a new one and specify the payload size in bytes. The default is 20000000 bytes.