Running Exploitable Path Scans Using Resolver
You can run Exploitable Path scans using Checkmarx SCA Resolver (v1.4.14+).
Checkmarx SCA leverages SAST’s ability to scan the actual project code itself in parallel with scanning the manifest file, in order to validate whether the vulnerable open source packages are called from your proprietary code and whether the vulnerable methods are actually used by your code. This enables you to focus on the remediation of actively exploitable vulnerabilities.
Notice
For a full explanation of the Exploitable Path feature, see Exploitable Path.
Prerequisites
Checkmarx SCA Resolver v1.4.14+
Notice
For best results, we recommend installing the latest version of Checkmarx SCA Resolver, see Checkmarx SCA Resolver Download and Installation.
CxServer version 9.0+
Notice
If you are using CxServer version 9.2 HF9+, some additional configuration may be required, see Configuring SAST Queries.
Your Checkmarx SCA Resolver is running on a network where it can communicate with your CxServer instance.
Notice
Checkmarx SCA Resolver v1.4.28+ supports communication via HTTPS (in addition to support for HTTP). To enable HTTPS you need to open the “web.config” file on your SAST machine, set the value for the “httpOnlyCookies” key to “false”, and then do an IIS reset on the SAST machine.
You have completed the Query Configuration, as described in Query Configuration for Exploitable Path with Resolver.
Preparing the Project
Prerequisites
You need to know the following account info:
Checkmarx SAST - server endpoint, username and password.
Checkmarx SCA - tenant account, username and password.
To Prepare a Project:
Create the project in Checkmarx SAST.
Run a SAST scan on the project.
Notice
Resolver uses results from the most recent full scan of the project (incremental scans are not used). By default, Resolver only uses results from scans run in the past day. You can adjust the threshold for how far back to look for results using the config file.
Make a note of the Checkmarx SAST Project ID (or Project name), as you will need it for the Checkmarx SCA Resolver configuration.
If Exploitable Path is activated in your global settings (Configuring Account Settings), then it will run automatically on any new Projects that you create via Checkmarx SCA Resolver. If it is not activated globally, then you need to first create a Project via the web portal with Exploitable Path activated (Creating a General Project) and make a note of the Project name.
Ensure that your source code is available on your Checkmarx SCA Resolver server. You will need to provide the full path to the source code folder.
Running the Exploitable Path Project Using Checkmarx SCA Resolver
Run ScaResolver.exe (Windows) or ScaResolver (Linux) with the following mandatory arguments:
-s : path to the folder to scan
-n : the Project name. To scan an existing Project, enter its name; to create a new Project, enter the name to assign to it.
-a : your Checkmarx SCA account name
-u : your Checkmarx SCA username
-p : your Checkmarx SCA password
--cxuser : SAST username
--cxserver : SAST server endpoint
Notice
All communication between Resolver and CxServer is done over HTTPS, regardless of whether the URL is given with an http or https scheme. Ensure that the relevant HTTPS ports are open.
--cxpassword : SAST password
--cxprojectid : SAST Project ID
Notice
In place of the SAST Project ID, you can specify the Project by the Project Name using the following argument:
--cxprojectname : SAST Project name
The following example shows a run command in online mode using the mandatory arguments:
Notice
You can add additional arguments to specify the desired scan configuration, see SCA Resolver Configuration Arguments.
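As an added example that is not part of the Checkmarx documentation, the following POSIX shell wrapper runs the command above with the mandatory arguments taken from environment variables, so the SCA and SAST passwords are not typed into the command line or kept in shell history, and it checks that the SAST project is selected by exactly one of --cxprojectid / --cxprojectname. The variable names (SCAN_PATH, SCA_ACCOUNT, CX_SERVER, SCA_RESOLVER_BIN, and so on) are the wrapper's own assumptions, not Resolver options.

```sh
#!/bin/sh
# Added wrapper, not Checkmarx code: run the Exploitable Path scan with the
# mandatory ScaResolver arguments read from environment variables, so the SCA
# and SAST passwords are not typed on the command line or kept in history.
# Variable names are this wrapper's assumptions; the flags are those documented.

# Check that every mandatory value is set and that the SAST project is given
# by exactly one of CX_PROJECT_ID / CX_PROJECT_NAME. Returns 1 on any problem.
check_resolver_env() {
  rc=0
  for v in SCAN_PATH SCA_PROJECT SCA_ACCOUNT SCA_USER SCA_PASSWORD \
           CX_USER CX_PASSWORD CX_SERVER; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing required variable: $v" >&2; rc=1; fi
  done
  if [ -n "${CX_PROJECT_ID:-}" ] && [ -n "${CX_PROJECT_NAME:-}" ]; then
    echo "set only one of CX_PROJECT_ID or CX_PROJECT_NAME" >&2; rc=1
  elif [ -z "${CX_PROJECT_ID:-}" ] && [ -z "${CX_PROJECT_NAME:-}" ]; then
    echo "set CX_PROJECT_ID or CX_PROJECT_NAME" >&2; rc=1
  fi
  return $rc
}

# Print the flag that identifies the SAST project: --cxprojectid when an ID is set, else --cxprojectname.
resolver_project_flag() {
  if [ -n "${CX_PROJECT_ID:-}" ]; then echo --cxprojectid; else echo --cxprojectname; fi
}

# Validate the environment, then invoke ScaResolver (ScaResolver.exe on Windows).
# SCA_RESOLVER_BIN may point at the binary when it is not on PATH.
run_exploitable_path_scan() {
  check_resolver_env || return 1
  flag=$(resolver_project_flag)
  if [ "$flag" = --cxprojectid ]; then proj=$CX_PROJECT_ID; else proj=$CX_PROJECT_NAME; fi
  "${SCA_RESOLVER_BIN:-ScaResolver}" -s "$SCAN_PATH" -n "$SCA_PROJECT" \
    -a "$SCA_ACCOUNT" -u "$SCA_USER" -p "$SCA_PASSWORD" \
    --cxuser "$CX_USER" --cxpassword "$CX_PASSWORD" --cxserver "$CX_SERVER" \
    "$flag" "$proj"
}
```

The passwords still reach ScaResolver on its own command line, which is visible in the local process list; the wrapper only keeps them out of scripts and shell history.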