Data Transformation for Integration
Once the data to be imported is identified, it is retrieved from the Checkmarx SAST and SCA APIs, processed through a set of data sources, and transformed before being loaded into the ServiceNow instance.
The integration uses ServiceNow Transform Maps to map data from temporary import set tables to the target tables in the Vulnerability Response module. You can view these maps by navigating to System Import Sets > Transform Maps.
The primary transform maps are:
Checkmarx App List Transform
Checkmarx Scan Summary Transform
Checkmarx AppVul Item Transform
CheckmarxSAST Vulnerability Closure TransformList1
Checkmarx SCA App List Transform
Checkmarx SCA Scan Summary Transform
Checkmarx SCA AppVul Item Transform
CheckmarxSCA Vulnerability Closure TransformList1
The following tables list the transform map fields by integration.
Table 1. Checkmarx App List transform map fields:

| Source Field (from CxSAST/CxSCA) | Target Field (from SNOW) | Description |
|---|---|---|
| id | Source Application ID | SAST: unique integer project ID. SCA: unique project UUID with a " SCA" suffix for distinction. |
| name | Application name | Project name |
| teamId, teamName (SAST); assignedTeams (SCA) | Source-assigned teams | Team ID and team name of the project for SAST; assigned teams for SCA |
| businessApplication (from CustomFields) | Business Application | Custom field with the Business Application keyword present in CxSAST for the given project (SAST only) |
| Custom_fields | Source additional info | Custom fields present in CxSAST for the given project (SAST only) |
| Created_at | Description | Project creation date for CxSCA, with a 'created at' prefix (SCA only) |
Table 2. Checkmarx Scan Summary transform map fields:

| Source Field (from CxOne CxSAST/CxSCA) | Target Field (from SNOW) | Description |
|---|---|---|
| app_name | Discovered Applications | Project name |
| scan_id | Source scan ID | Scan ID of the project |
| scan_id + last_scan_date | Scan summary name | Scan summary name built from the scan ID and last scan date |
| total_no_flaws | Detected Flaw Count | Total number of vulnerabilities (SAST only) |
| loc | Static scan size | Number of lines of code present (SAST only) |
| Last Scan Date | Last Scan Date | Last scan date |
| Scan rating | Last scan rating | Scan rating (SAST only) |
| prvScanID | Tags | Previous scan ID (SAST only) |
| Scan Custom Fields | Tags | Scan custom fields (SAST only) |
Table 3. Checkmarx AppVul Item transform map fields:

| Source Field (from CxSAST/CxSCA) | Target Field (from SNOW) | Description |
|---|---|---|
| app_name | Discovered Applications | Project name (for SCA, ' SCA' is appended to the ID) |
| scanId, last_scan_date | Scan Summary | Scan ID and last scan date |
| business_application | Business application | Custom field with the Business Application keyword present in CxSAST for the given project (SAST only) |
| vul_state (SAST); riskState (SCA) | Source finding status | State of the vulnerability, such as To Verify, Accepted, Confirmed, or Not Exploitable |
| Severity | Source severity | Severity of the vulnerability: High, Medium, Low, Info |
| SAST: snippet info (Line, Code, FileName); SCA: Description | Description | SAST: all path node info, including line number, code, and file name. SCA: description from the vulnerability report |
| categories (SAST); description (SCA) | Vulnerability summary | SAST: category description. SCA: vulnerability description |
| last_scan_date | Last found | Last scan in which the vulnerability was found |
| Remediation status (SAST); riskState/riskStatus (SCA) | Source remediation status | Status of the vulnerability: New, Recurrent, or Resolved |
| detectionDate | First found | Date of the first scan in which the vulnerability was found |
| Line | Line number | The line on which the flaw is found (SAST only) |
| Remark | Source notes | CxSAST comments (SAST only) |
| fileName (SAST); location (SCA) | Location | The location where the flaw is found |
| DeepLink (SAST); sourcefile (SCA) | Source link | URL to the vulnerability details in CxSAST, mapped to source_link |
| source_entry_id | Vulnerability | Source entry ID |
| category_name | Source additional info | Category name of the vulnerability (SAST only) |
| destinationNodeStr | Vulnerable method info | Destination path nodes and snippet info, including line number, code, column, node ID, and file name (SAST only) |
| Scan Custom Fields | Source Additional Info | Scan custom fields (SAST only) |
| pathHash | Source response | Hash of all path node info (file name, line, column) (SAST only) |
| similarityId (SAST); id (SCA) | Source request | Similarity ID for SAST, CVE ID for SCA |
| similarityId, pathHash (SAST); id, package_unique_id (SCA) | Source AVIT ID | SAST: similarityId + '_' + pathHash. SCA: CVE ID + package_unique_id |
| Scan_type | Scan type | SAST: Static. SCA: SCA |
| package_name, package_unique_id | Package | SCA: package name / package ID for CxSCA |
| Exploitable path | Source Notes | SCA: exploitable path details (file name, line number, exploitable path method) |
| references | Source references | SCA: reference URLs for the vulnerability |
Table 4. Application Vulnerability Entries Item transform map fields:

| Source Field (from CxSAST/CxSCA) | Target Field (from SNOW) | Description |
|---|---|---|
| queryId, cweId (SAST); id (SCA) | Source Entry ID | Primary identifier for vulnerability entries. SAST: "Checkmarx CWE-" + cweId. SCA: "Checkmarx-" + id |
| category_name | Category name | Vulnerability category name from Checkmarx. SAST: uses the query name. SCA: uses the CWE ID |
| scan_type | Scan type | Scanner type normalized for ServiceNow. SAST: maps to "static". SCA: maps to "sca" |
| severity_index (SAST); source_severity (SCA) | Source Severity | Numeric severity value converted from the Checkmarx severity string. CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4, other: 5 |
| cvssScore | CVSS Base Score | CVSS base score from the Checkmarx vulnerability details |
| cvssVector | CVSS Vector | CVSS vector string from the Checkmarx vulnerability details |
| first_found_date | First detection date | Date the vulnerability was first detected |
| Owasptop10 | OWASP | JSON object containing the OWASP Top 10 classification. Populated for SAST scans only |
| cwe_id (SAST); cweId (SCA) | CWE entry | CWE identifier and related details. SAST: list of CWE ID and query name. SCA: CWE ID only |
| category_group | Category Group | Vulnerability category group from Checkmarx |
| SANSTop25 | Short description | SANS Top 25 classification. Populated for SAST scans only |
Checkmarx Transform Map Script Timing and Purpose
The following transform scripts are run during the transformation process.
| When the script is run | Purpose |
|---|---|
| onComplete (when an import set has completed transformation) | Processes the data source and updates the count of AVITs created, updated, or unchanged, as well as those imported as part of this integration. This script is for internal use and should not be modified or deleted. |
Viewing Checkmarx Vulnerability Integration Import
You can view the data imported by the integration by navigating to the corresponding tables. For quick access, you can type the following commands directly into the Filter Navigator.

| To View | Table Name | Filter Navigator Command | Populated by Integration |
|---|---|---|---|
| Imported Projects | Discovered Applications / Application Releases | sn_vul_app_release_list.do | Checkmarx Application List Integration / Checkmarx SCA Application List Integration |
| Imported Scan Summaries | Application Vulnerability Scan Summaries | sn_vul_app_vul_scan_summary_list.do | Checkmarx Scan Summary Integration / Checkmarx SCA Scan Summary Integration |
| Imported Vulnerabilities | Application Vulnerable Items | sn_vul_app_vulnerable_item_list.do | Checkmarx Application Vulnerable Item Integration / Checkmarx SCA Application Vulnerable Item Integration |
| Grouped Vulnerability Entries | Application Vulnerability Entries | sn_vul_app_vul_entry_list.do | Checkmarx Application Vulnerable Item Integration / Checkmarx SCA Application Vulnerable Item Integration |
Verifying the Property to Produce Closed Vulnerabilities
The behavior for creating records for vulnerabilities that are already closed in Checkmarx is controlled by a ServiceNow system property.
1. Navigate to sys_properties.list in the Filter Navigator.
2. Search for the property with the name sn_vul.create_closed.
3. Review its value:
   - true: The integration will create new AVI records in ServiceNow even if the finding is already in a "Closed" state in Checkmarx.
   - false: The integration will not create new records for findings that are already closed. It will only update existing, open AVIs to a "Closed" state.
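As an added example (not Checkmarx's or ServiceNow's code), the following Node.js script reproduces the key derivations described in Tables 3 and 4 (Source AVIT ID, Source Entry ID, numeric Source Severity, normalized scan type) and applies the sn_vul.create_closed rule above to a constructed batch of findings against a small in-memory set of existing AVIs. The field names follow the tables; the closedInCheckmarx flag, the sample findings, the CVE placeholder and the in-memory store are assumptions for illustration, since the page does not say which Checkmarx states count as closed.

```javascript
// Added example, not Checkmarx or ServiceNow code. Models the key derivations
// from Tables 3 and 4 and the sn_vul.create_closed rule over constructed data.

// Table 4: Checkmarx severity string -> numeric Source Severity.
const SEVERITY_INDEX = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };
const SEVERITY_OTHER = 5;

function severityIndex(severity) {
  const idx = SEVERITY_INDEX[String(severity || '').toUpperCase()];
  return idx === undefined ? SEVERITY_OTHER : idx;
}

// Table 4: scanner type normalized for ServiceNow.
function scanType(scanner) {
  return scanner === 'SAST' ? 'static' : 'sca';
}

// Table 3: Source AVIT ID, the key that lets a re-import match an existing
// AVIT instead of creating a duplicate.
function sourceAvitId(f) {
  if (f.scanner === 'SAST') return f.similarityId + '_' + f.pathHash;
  return f.id + f.package_unique_id; // SCA: CVE ID + package_unique_id
}

// Table 4: Source Entry ID of the grouped vulnerability entry.
function sourceEntryId(f) {
  return f.scanner === 'SAST' ? 'Checkmarx CWE-' + f.cweId : 'Checkmarx-' + f.id;
}

// sn_vul.create_closed rule. closedInCheckmarx is an assumed input flag: the
// page does not say which Checkmarx states count as "Closed".
function decideAction(finding, existingAvi, createClosed) {
  if (existingAvi) {
    // An existing AVI is always updated; a closed finding moves it to Closed.
    return finding.closedInCheckmarx ? 'update-close' : 'update';
  }
  if (finding.closedInCheckmarx && !createClosed) return 'skip';
  return 'create';
}

// Runs one import of `findings` against `existing` (Map keyed by Source AVIT
// ID). Returns the created/updated/skipped counts and the resulting store;
// `existing` itself is not mutated.
function runImport(findings, existing, createClosed) {
  const store = new Map(existing);
  const counts = { created: 0, updated: 0, skipped: 0 };
  for (const f of findings) {
    const key = sourceAvitId(f);
    const action = decideAction(f, store.get(key), createClosed);
    if (action === 'skip') { counts.skipped++; continue; }
    const record = {
      source_avit_id: key,
      vulnerability: sourceEntryId(f), // Table 3: source_entry_id -> Vulnerability
      scan_type: scanType(f.scanner),
      source_severity: severityIndex(f.severity),
      state: f.closedInCheckmarx ? 'Closed' : 'Open',
    };
    if (action === 'create') counts.created++; else counts.updated++;
    store.set(key, record);
  }
  return { counts, store };
}

// Constructed sample data (not from any real scan). The CVE is a placeholder.
const EXISTING_AVIS = new Map([
  ['999_def', { source_avit_id: '999_def', state: 'Open' }],
]);

const FINDINGS = [
  { scanner: 'SAST', similarityId: 12345, pathHash: 'abc', cweId: 79, severity: 'High', closedInCheckmarx: false },
  { scanner: 'SAST', similarityId: 999, pathHash: 'def', cweId: 89, severity: 'Medium', closedInCheckmarx: true },
  { scanner: 'SCA', id: 'CVE-XXXX-XXXXX', package_unique_id: 'pkg-placeholder-1', severity: 'Unknown', closedInCheckmarx: true },
];

for (const flag of [false, true]) {
  const result = runImport(FINDINGS, EXISTING_AVIS, flag);
  console.log('sn_vul.create_closed=' + flag, JSON.stringify(result.counts));
}
```

With the property false, the already-closed SCA finding that has no matching AVIT is skipped, while the closed SAST finding that matches the open AVIT 999_def still updates it to Closed; with the property true, the SCA finding is created directly in the Closed state.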
