Making Comments Mandatory on Result Severity State Change
Checkmarx SAST offers the option to require adding comments when changing the state of a scan result in one of the following two modes:
Changing the state of a scan result to Not Exploitable or Proposed Not Exploitable
Changing the state of a scan result to any state.
This functionality is controlled by flags in the CxDB SQL database and is disabled by default. To enable it, update the respective configuration table as explained below:
On the database host, open Microsoft SQL Server Management Studio.
Log in to the database. The database interface with the Object Explorer appears.
Start a new query by clicking New Query. A new query interface appears.
Copy the relevant query below and paste it into the empty query interface.
To require adding a comment when changing the result state to Not Exploitable (each statement is on its own line; if the whole query is pasted on one line, the "--" comment swallows the WHERE clause and the UPDATE changes every row in the table):
USE [CxDB]
GO
UPDATE [dbo].[CxComponentConfiguration]
SET [Value] = 'true' -- use 'true' to enable requiring a comment on this result state change, or 'false' to disable this feature
WHERE [Key] = 'MandatoryCommentOnChangeResultStateToNE'
GO
To require adding a comment for any result state change:
USE [CxDB]
GO
UPDATE [dbo].[CxComponentConfiguration]
SET [Value] = 'true' -- use 'true' to enable requiring a comment on any result state change, or 'false' to disable this feature
WHERE [Key] = 'MandatoryCommentOnChangeResultState'
GO
Once you have pasted the relevant query into the query interface, click Execute to update the database.
Open Microsoft SQL Server Management Studio.
Log in to the database.
Copy the query below and paste it into the empty query interface.
USE [CxDB]
GO
UPDATE [dbo].[CxComponentConfiguration]
SET [Value] = 'true' -- use 'true' to enable requiring a comment when changing the result state to Proposed Not Exploitable, or 'false' to disable this feature
WHERE [Key] = 'MandatoryCommentOnChangeResultStateToPNE'
GO
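The three UPDATE statements above each change a single configuration row, and an accidental one-line paste (where the "--" comment hides the WHERE clause) is the usual way they go wrong. The T-SQL script below is an added example, not part of the Checkmarx documentation: it wraps the flag change in a transaction and only commits when exactly one row was affected, so a misspelled key (0 rows) or a lost WHERE clause (every row) is rolled back instead of being written. The table and key names are the ones given on this page; the @Key and @Value variables are this script's own.

```sql
-- Added example (not Checkmarx's own script): set one mandatory-comment flag
-- in CxDB and verify that exactly one configuration row changed before committing.
USE [CxDB];
GO
SET XACT_ABORT ON;

-- Pick the flag to change: MandatoryCommentOnChangeResultState,
-- MandatoryCommentOnChangeResultStateToNE or MandatoryCommentOnChangeResultStateToPNE.
DECLARE @Key   NVARCHAR(256) = N'MandatoryCommentOnChangeResultState';
DECLARE @Value NVARCHAR(10)  = N'true';   -- 'true' to enable, 'false' to disable

-- Show the current value of all three flags before changing anything.
SELECT [Key], [Value]
FROM [dbo].[CxComponentConfiguration]
WHERE [Key] LIKE 'MandatoryCommentOnChangeResultState%';

BEGIN TRANSACTION;

UPDATE [dbo].[CxComponentConfiguration]
SET [Value] = @Value
WHERE [Key] = @Key;
-- Keep WHERE on its own line: in the one-line form of this query a "--" comment
-- placed before it comments out the filter and the UPDATE touches every row.

-- Each flag is a single row; any other count means the key is misspelled
-- (0 rows) or the filter was lost (many rows), so undo the change.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    THROW 50000, N'Expected exactly one configuration row to change; rolled back.', 1;
END
ELSE
BEGIN
    COMMIT TRANSACTION;
END

-- Re-read the flags to confirm the change took effect.
SELECT [Key], [Value]
FROM [dbo].[CxComponentConfiguration]
WHERE [Key] LIKE 'MandatoryCommentOnChangeResultState%';
GO
```

Run it from a new query window in Microsoft SQL Server Management Studio, changing @Key and @Value to the flag and state you want; the two SELECTs give you a before/after view of all three flags in the Results tab without a separate verification query.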
You can then change the state of a scan result from either CxPortal or Swagger, as described below.
Create a project with a scan.
Once the scan completes, navigate to the All Scans page.
Open the Result Viewer for the above scan.
Change the state of a scan result to Proposed Not Exploitable.
Caution
If the MandatoryCommentOnChangeResultStateToPNE flag is enabled and the comment field is empty, a mandatory comment popup message appears and the state is not changed.
If the MandatoryCommentOnChangeResultStateToPNE flag is enabled and the comment field is not empty, the scan result state is set to Proposed Not Exploitable.
If the MandatoryCommentOnChangeResultStateToPNE flag is disabled, the scan result state is set to Proposed Not Exploitable regardless of whether the comment field is empty.
Open Swagger and navigate to V1.
Under the SAST section, execute the below method with valid input parameters.
Caution
If the MandatoryCommentOnChangeResultStateToPNE flag is enabled and the comment field is empty, the request is rejected with an error response and the state is not changed.
If the MandatoryCommentOnChangeResultStateToPNE flag is enabled and the comment field is not empty, the scan result's state is set to Proposed Not Exploitable.
If the MandatoryCommentOnChangeResultStateToPNE flag is disabled, the scan result's state is set to Proposed Not Exploitable regardless of whether the comment field is empty.
To verify the configuration, start a new query again and copy the following query into the query interface:
SELECT [Id], [Key], [Value], [Description]
FROM [CxDB].[dbo].[CxComponentConfiguration]
WHERE [Key] LIKE 'MandatoryCommentOnChangeResultState%'
Click Execute to display the result in the Results tab, as illustrated below.
The screenshot above shows a configuration where the mandatory comment has been turned on for all Result State changes.
Alternatively, in the Object Explorer, expand the Databases folder and then CxDB.
Under Tables, navigate to dbo.CxComponentConfiguration.
Right-click dbo.CxComponentConfiguration and select Select Top 1000 Rows from the menu.
Locate the MandatoryCommentOnChangeResultState and MandatoryCommentOnChangeResultStateToNE rows and check that each key's value is set to true or false as desired:
MandatoryCommentOnChangeResultState: When set to true, a comment is required for any result state change.
MandatoryCommentOnChangeResultStateToNE: When set to true, a comment is required when changing the result state to Not Exploitable. All other result state changes do not require a comment.
Save your changes.
To exit the database, navigate to the File menu and select Exit.