SAST Correlation
Correlation enables synchronization of IAST scan results with the results of the latest SAST scan. This synchronization of results is enabled once the SAST server credentials have been provided and a connection between IAST and SAST has been established. Once the IAST scan is complete, the results are analyzed and correlated. The correlated results can then be accessed from the vulnerability details in the IAST web application.
Warning
SAST Correlation is not supported if SAST is configured for SSO. For additional information, contact Checkmarx Support.
If the latest SAST scan fails, a warning appears and no correlation results are shown.
Since IAST 3.4.0, every IAST user with the “CXIAST_SAST_CORRELATION_MANAGER” permission may have their own SAST server URL and set of credentials, for use by members of their own team only.
This means that the SAST server URL and the credentials can only be used by users from the same team. For example, if a user with the “CXIAST_SAST_CORRELATION_MANAGER” permission saves their SAST information and maps their IAST projects to SAST projects, all of their team members can see the correlated results.
Note
Projects not assigned to any team are considered part of the default “CxServer” team.
To display SAST Correlations, click Settings and then select SAST Correlation. The SAST Correlation screen has two tabs: Current Status and Access Management.
The Current Status tab lists the status of each correlation connection for both correlated and non-correlated projects. It includes the parameters listed below.
Parameter | Description | |
---|---|---|
SAST Connection Status | Status of the connection between the IAST and SAST. Possible statuses are Connected or Disconnected. | |
Server Address | http://<SAST Engine Server name or IP address>:<Port> - The address of the server on which the SAST web application resides. | |
User Name | The user name used to log in to the SAST web application. | |
CxIAST Project Name | The name of the IAST projects. | |
Correlated CxSAST Project | The name of the correlated SAST projects. | |
No correlated SAST project defined. | ||
Correlated SAST project defined and active. | ||
Correlated SAST project had been defined, but became unavailable for one of the following reasons: | ||
The SAST correlation failed for one of the reasons specified above. | ||
Enables updating the SAST connection settings. For additional information, refer to Defining SAST Connection Settings below. |
The Access Management tab lists additional information related to access for the IAST and SAST users.
Note
The Access Management tab is shown only to users with Admin privileges.
Parameter | Description |
---|---|
CxIAST User Name | User name to access the IAST account that is correlated with a SAST account. Viewers may display the correlation according to listed IAST user names in a descending or ascending order. |
CxIAST Teams | The IAST team to which the correlated IAST user belongs and whose members are able to view the project correlation (scan) results. |
CxSAST User Name | The user name to access the correlated SAST account. Viewers may display the correlation according to listed SAST user names in a descending or ascending order. |
CxSAST Server Address | https://<SAST Engine Server name or IP address>:<Port> - The address of the server on which the SAST web application resides. Viewers may display the correlation according to the SAST servers in a descending or ascending order. |
Actions | DELETE: Option to delete the correlation between the two listed accounts. |
In order to enable the synchronization of results, SAST server credentials need to be provided and connection settings between IAST and SAST applications need to be defined.
To define SAST connection settings:
1. In the SAST Correlation screen, do one of the following:
   - Click <Add Server Info to Connect> to define the SAST connection settings.
   - If you are already connected to a SAST server and you just want to update these connection settings, click <EDIT>.

   In both cases, the Edit Connection dialog is displayed.
2. Define the SAST connection settings as listed and explained in the table below.
3. Click <TEST> and wait until the SAST server credentials are validated and the connection has been successfully established (Connected).
4. Click <UPDATE> to save the settings.

Field | Description |
---|---|
Server URL* | The Checkmarx server address, for example http://<SAST Engine Server name or IP address>:<Port> |
User Name* | The login username. |
Password* | The login password. |
Connection Status | Reflects the connection status of the SAST server (Connected or Disconnected). |
Validates the SAST server credentials. | |
Updates the settings. |
*Required field
IAST projects currently being monitored are listed in the Correlations list. You can correlate an IAST project by selecting a SAST project from a list.
To define a SAST correlation:
In the SAST Correlation dialog, click + Correlated CxSAST Project for the desired IAST project and then select the relevant SAST project from the drop-down list.
To remove the SAST correlation:
Click x inside the relevant correlation icon.