Query Editor
Queries provided by Checkmarx are written in the IAST Query Language, as explained under IAST Query Language. These queries analyze the execution flow recorded by the IAST agent and return a list of results. Queries written in the IAST Query Language can be customized in the Query Editor, either by overriding existing Checkmarx queries or by creating new ones. The Query Editor is divided into three areas of interest:
Queries - divided into two expandable segments, one for the queries provided by Checkmarx and one for Custom Queries.
Lists - open the Lists tab to view the query lists.
Query Language - the panel that displays the structure of the selected query and where custom query language is written.
The query lists contain combinations of methods that define how the IAST agent collects information. The queries contain the code that uses this information to detect vulnerabilities. The Query Editor dialog displays queries under the Queries tab in a tree format. Each query is represented by the vulnerability that it is associated with.
In both segments, the queries are grouped by severity. Expanding a severity displays all queries allocated to that severity. Selecting a query displays its structure in the Query Language panel to the right.
To open the Query Editor, click Settings and select Query Editor. The Query Editor dialog appears with the Queries tab open.
To view the vulnerability description, click View Description.
To enable or disable queries, click Enable Projects and check or clear the relevant queries. A disabled query is not run, so the vulnerability it detects is no longer reported for that project.
In the Query Editor, select the desired language. The default language is Java.
The Query Editor has a search bar for both the query tree and the code in the Query Language panel. Click in either area and press <Ctrl> + <F>; a search bar appears.
To search the query tree:
Click any entry in the query tree and press <Ctrl> + <F>. Enter a full or partial query name in the search field. The search covers all queries for the selected language.
To search the code in the Query Language panel:
Click in the Query Language panel and press <Ctrl> + <F>. Enter the full or partial text you are looking for in the search field. Use the arrows on the search bar to move between the highlighted matches.
Overriding a query means taking an existing Checkmarx query and customizing it according to your specific requirements. A customized query takes precedence over the Checkmarx query it overrides; if the customized query is deleted, the original Checkmarx query regains precedence. You can also create a new query from scratch and define the specific query structure you require.
To override an existing query:
Click the Queries tab, expand the Checkmarx Queries segment and the relevant severity, and select the desired query. The structure of the selected query is displayed in the Query Language panel.
Click <OVERRIDE>. An overriding copy of the query is displayed in the Query Language panel and added to the Custom Queries segment under the selected severity. The new copy contains a call to the original query. You can remove this line if you do not want to keep the original query logic; note that the original query's detection logic is then no longer applied, because the custom query takes precedence over it.
Add your query language structure in the Query Language panel.
Click <VALIDATE> to validate the structure of the custom query (optional).
Click <SAVE> to save the customized query.
IAST enables you to create a new query from scratch and define the specific query structure you require. You can also start from the structure of an existing Checkmarx query and customize it.
To create a new query:
Click the Queries tab and expand the Custom Queries segment.
Navigate to the relevant severity and click … for more options.
Click Add New Query. A new query is displayed in the Query Language panel and added to the Custom Queries segment under the selected severity.
In the Query Name field, assign a name to the new query.
Note
Query names must be unique and must start with a letter. Only letters, numbers, and underscores are allowed.
Add your new query language structure in the Query Language panel.
Click <VALIDATE> to validate the structure of the new query (optional).
Click <SAVE> to save the new query.
Once a custom query is no longer required, you can delete it from IAST. If the deleted query overrode a Checkmarx query, the original Checkmarx query takes effect again.
To delete a custom query:
Click the Queries tab, expand the Custom Queries segment and the relevant severity, select the query, and click … .
Click <DELETE>. The selected custom query is deleted from the system.