Supported Languages and Package Managers
When scans are performed from the CxServer, the package managers for your environment and languages must also be installed on it.
Installing them on the CxServer (used for Zip-Upload scans, for example) can be done quickly with the Chocolatey package manager for Windows, from an administrator CMD:
REM Installing Chocolatey...
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
REM Installing JDK8 and package managers. Choose only the tools relevant to you.
cinst -y jdk8 maven nodejs-lts dotnetcore-sdk nuget.commandline gradle python3 git
If you need to install manually, or have trouble running the utilities, see Appendix A below.
Java - Maven
What should be scanned:
Build configuration file: pom.xml
Scan must contain at least 1 file with the following extension: .jar / .java / .war / .ear / .car / .class
What should be installed:
Dependency manager utility: mvn
Installation instructions:
Installing Maven on Windows: see https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1035173922
Installing Maven on other platforms: follow https://maven.apache.org/install.html
To test installation run from command line:
mvn -v
Important issues:
For a multi-module project, run "mvn install" with the main pom.xml file before scanning.
"provided" and "test" scoped dependencies in the pom file are ignored.
Testing dependency resolution:
Run the following in the project root. You should see a dependency tree. If errors are returned, fix them.
mvn dependency:tree
Fingerprint detection: *.jar files
Java - Gradle (only supported from v8.9)
What should be scanned:
Build configuration file: build.gradle
Scan must contain at least 1 file with the following extension: .jar / .java / .war / .ear / .car / .class
What should be installed:
Dependency manager utility: gradle
Installation instructions: https://gradle.org/install/
To test installation run from command line:
gradle -v
Android SDK - only for Android development. Make sure the ANDROID_HOME environment variable is defined for the user context of CxOSA.
(download the command line tools only, from https://developer.android.com/studio/index.html#downloads)
Testing dependency resolution:
Run the following in the project root. You should see a dependency list. If errors are returned, fix them.
gradle dependencies
Fingerprint detection: *.jar files
.Net / C# - NuGet
What should be scanned:
Build configuration file: *.csproj / NuGet.config
Scan must contain at least 1 file with the following extension: .dll / .exe / .nupkg / .cs
What should be installed:
Dependency manager utility: dotnet
Installation instructions: download the .NET Core SDK from https://dotnet.microsoft.com/download
To test installation run from command line:
dotnet --info
Important issues: Must configure project for dependency resolution!
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.
Testing dependency resolution:
Run the following in the project root. You should see a dependency list. If restore operation failed, fix the errors.
dotnet restore
Fingerprint detection: *.dll files, *.nupkg files
JavaScript - NPM
What should be scanned:
Build configuration file: package.json
Scan must contain at least 1 file with the following extension: .js / .ts
What should be installed:
Dependency manager utility: npm
Installation instructions: download latest NPM with nodejs from https://www.npmjs.com/get-npm
To test installation run from command line:
npm -v
Important issues:
Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.
Testing dependency resolution:
Run the following in the project root. Process should complete with no errors, and a node_modules folder should be created.
npm install
Fingerprint detection: *.js files, *.tar.gz files (npm packages)
Python - pip
What should be scanned:
Build configuration file: requirements.txt
Scan must contain at least 1 file with the following extension: .py
What should be installed:
Dependency manager utility: pip (requires also python)
Installation instructions: https://www.python.org/downloads/ - make sure to tick "pip" when using windows graphical installer
To test installation run from command line:
pip -V
Important issues:
Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.
The Python version relevant to the project (python2 / python3) should be installed.
Some packages require other software to be installed first. It is highly recommended to test dependency resolution prior to scanning.
Testing dependency resolution:
Run the following in the project root. Make sure all packages are installed. On error, fix and install again.
pip install -r requirements.txt
Scala - SBT
What should be scanned:
Build configuration file: build.sbt
What should be installed:
Dependency manager utility: SBT (requires also java)
Install instructions: https://www.scala-sbt.org/release/docs/Setup.html
To test installation run from command line:
sbt
Important issues:
Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is ticked
It is highly recommended to test dependency resolution prior to scanning
First scans may take longer than expected
Zip scan - available from version 8.9 HF 11
CLI - available from version 2020.1.12
Bamboo - available from version 2020.1.12
Other plugins - will be available soon
Testing dependency resolution:
Run the following in the project root. Make sure it creates an Ivy report file whose name ends with "-compile.xml" inside the target folder (possibly in a nested sub-folder).
sbt compile
PHP - Composer
What should be scanned:
Build configuration file: composer.json
What should be installed:
Dependency manager utility: Composer (requires also php)
Install instructions: https://getcomposer.org/download/
To test installation run from command line:
composer -v
Important issues:
Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is ticked
It is highly recommended to test dependency resolution prior to scanning
Zip scan - available from version 8.9 HF 11
CLI - available from version 2020.1.12
Bamboo - available from version 2020.1.12
Other plugins - will be available soon
Testing dependency resolution:
Run the following in the project root. Make sure it creates a "composer.lock" file.
composer install
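The "Testing dependency resolution" commands from the Maven, Gradle, NuGet, NPM, pip, SBT and Composer sections above can be run in one pass before a scan. The following PowerShell script is an added example and is not part of the Checkmarx documentation or product: it looks for each build configuration file in the project root, checks that the matching utility is on PATH for the account it runs under (run it from the PsExec window described in Appendix A to test the Cx service account), runs the resolution command, and checks for the artefact the section says should appear (node_modules, the "-compile.xml" Ivy report, composer.lock). The tool names, commands and artefacts are the ones listed above; the function name, the log file names and the `$ProjectRoot` parameter are choices made for this example.

```powershell
# Added example, not Checkmarx's own script. Runs the per-package-manager
# dependency resolution check for every build file present in the project root.

$resolutionChecks = @(
    @{ Name = 'Maven';    Marker = 'pom.xml';          Tool = 'mvn';      Args = @('dependency:tree')
       Verify = { param($root) $true } }
    @{ Name = 'Gradle';   Marker = 'build.gradle';     Tool = 'gradle';   Args = @('dependencies')
       Verify = { param($root) $true } }
    @{ Name = 'NuGet';    Marker = '*.csproj';         Tool = 'dotnet';   Args = @('restore')
       Verify = { param($root) $true } }
    @{ Name = 'NPM';      Marker = 'package.json';     Tool = 'npm';      Args = @('install')
       # npm install must leave a node_modules folder behind
       Verify = { param($root) Test-Path (Join-Path $root 'node_modules') } }
    @{ Name = 'pip';      Marker = 'requirements.txt'; Tool = 'pip';      Args = @('install', '-r', 'requirements.txt')
       Verify = { param($root) $true } }
    @{ Name = 'SBT';      Marker = 'build.sbt';        Tool = 'sbt';      Args = @('compile')
       # sbt compile must produce an Ivy report "*-compile.xml" somewhere under target\
       Verify = { param($root) [bool](Get-ChildItem -Path (Join-Path $root 'target') -Recurse `
                     -Filter '*-compile.xml' -ErrorAction SilentlyContinue) } }
    @{ Name = 'Composer'; Marker = 'composer.json';    Tool = 'composer'; Args = @('install')
       # composer install must produce composer.lock in the project root
       Verify = { param($root) Test-Path (Join-Path $root 'composer.lock') } }
)

function Test-CxDependencyResolution {
    param([string]$ProjectRoot = (Get-Location).Path)

    $report = foreach ($check in $resolutionChecks) {
        # Only check the package managers whose build configuration file is actually here
        $marker = Get-ChildItem -Path $ProjectRoot -Filter $check.Marker -File -ErrorAction SilentlyContinue
        if (-not $marker) { continue }

        # The utility must be on PATH for the account running this script
        $tool = Get-Command -Name $check.Tool -ErrorAction SilentlyContinue
        if (-not $tool) {
            [pscustomobject]@{ Manager = $check.Name; Status = 'TOOL MISSING'
                               Detail = "'$($check.Tool)' is not on PATH for $env:USERNAME" }
            continue
        }

        # Run the resolution command in the project root and keep its full output for troubleshooting
        $log = Join-Path $ProjectRoot ('cxosa-check-{0}.log' -f $check.Name.ToLower())
        $toolArgs = $check.Args
        Push-Location $ProjectRoot
        try {
            & $tool.Source @toolArgs 2>&1 | Out-File -FilePath $log -Encoding utf8
            $exitCode = $LASTEXITCODE
        } finally { Pop-Location }

        if ($exitCode -ne 0) {
            [pscustomobject]@{ Manager = $check.Name; Status = 'FAILED'
                               Detail = "exit code $exitCode, see $log" }
        } elseif (-not (& $check.Verify $ProjectRoot)) {
            [pscustomobject]@{ Manager = $check.Name; Status = 'NO OUTPUT'
                               Detail = 'command succeeded but the expected artefact is missing' }
        } else {
            [pscustomobject]@{ Manager = $check.Name; Status = 'OK'; Detail = "log: $log" }
        }
    }

    if (-not $report) { Write-Warning "No supported build configuration file found in $ProjectRoot" }
    return $report
}

# Usage: run from the project root (or pass -ProjectRoot) and fix anything not reported as OK
Test-CxDependencyResolution | Format-Table -AutoSize
```

A project that fails here will also fail dependency resolution during the scan, so the status column tells you which section above to revisit: TOOL MISSING points at "What should be installed" (or at the PATH of the service account), FAILED at the command's own log, and NO OUTPUT at a build that ran but did not produce the artefact the section describes.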
Appendix A - Installing package managers on CxServer
Install manually only if you are unable to use the Chocolatey script mentioned above.
To install, select the required package manager and follow its "What should be installed" section above.
Validating the server can run the utilities
Cx services may run under a user account other than Administrator.
Find the user account used by the Cx services
Go to the Services window (or run "services.msc")
Identify the user account used by the Cx services. For example, it is "Network Service" in the picture below
Download the PsExec utility (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) and extract it to a folder.
Open an administrator CMD, CD to the directory where you extracted the utility above (run "CD <folder path>"), and run the following command:
psexec -i -u "nt authority\network service" cmd.exe
** Replace "network service" with the account name gathered in step 1.b
This will pop up a new CMD window under the correct user.
In this window, run the test / dependency resolution commands for the language you want to check, as documented in the "Testing dependency resolution" sections above.
For example: "mvn -v" for Maven.
To test the dependency resolution command, run "cd <project folder>" to change to the project folder, and then run the command. For instance, "mvn dependency:tree" for Maven.
On permission issues, see the "Giving permissions to package manager utilities" section below.
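The same procedure in PowerShell, as an added example that is not part of the Checkmarx documentation: it lists the Cx services with the account each one logs on as (the StartName column is what the Services window shows as "Log On As"), takes the account used by CxScansManager, and opens a CMD window under that account with PsExec exactly as the psexec command above does. The `$PsExecDir` path is an assumption made for this example, as is the assumption that the service names start with "Cx" (CxScansManager and CxJobsManager are named in the "Restarting OSA Services" section below).

```powershell
# Added example, not Checkmarx's own script: find the Cx service account and open a
# shell under it so the package manager utilities can be tested as that account.
param([string]$PsExecDir = 'C:\Tools\PSTools')   # assumed: where PsExec.exe was extracted

# Step 1: list the Cx services; StartName is the account each service logs on as
$cxServices = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Cx%'" |
    Select-Object Name, State, StartName
if (-not $cxServices) { throw 'No services named Cx* found; is this the CxServer?' }
$cxServices | Format-Table -AutoSize

# Step 2: take the account of the scan service (the one that runs dependency resolution)
$account = ($cxServices | Where-Object Name -eq 'CxScansManager').StartName
if (-not $account) { throw 'CxScansManager not found; pick the account from the table above' }
Write-Host "Opening a CMD window as '$account'. Run the test commands there, e.g. mvn -v"

# Step 3: same as 'psexec -i -u "<account>" cmd.exe' from the procedure above.
# Built-in accounts such as NT AUTHORITY\NetworkService need no password; for a normal
# user account PsExec prompts for one. -accepteula suppresses the first-run license dialog.
& (Join-Path $PsExecDir 'psexec.exe') -accepteula -i -u $account cmd.exe
```

If the table shows different accounts for CxScansManager and CxJobsManager, repeat the check for each of them, because a utility that works for one account can still be missing from the PATH or denied on disk for the other.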
Restarting OSA Services
Recommended after any utility installation.
Go to the Services window (or run "services.msc")
Right-click CxScansManager and CxJobsManager and choose Restart
Giving permissions to package manager utilities
If you get "access denied" errors when testing the package manager utilities, grant the service account permissions on the file / folder.
To give permissions to a file / folder, right-click it → Properties → Security → Edit → Add → (type NETWORK SERVICE) → OK. Tick "Modify" permissions if needed, and press OK.
** Replace NETWORK SERVICE with the target user account discovered in step 1.b
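The same grant from the command line, as an added example that is not part of the Checkmarx documentation: it applies the permission with icacls (Read+Execute by default, Modify only when requested, inherited to sub-folders and files like the GUI checkbox) and then reads the ACL back to confirm the account now has an entry. The function name, its parameters and the two example paths are choices made for this example; the chocolatey folder follows the %ALLUSERSPROFILE%\chocolatey path used by the install script at the top of the page, and the .m2 path under the NetworkService profile is an assumed location for a Maven cache the service account would need to write to.

```powershell
# Added example, not Checkmarx's own script: grant the Cx service account access to a
# utility's folder (or file) and verify the resulting ACE, without using the GUI.
function Grant-CxToolAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',  # replace with the account from step 1.b
        [switch]$Modify                                      # grant Modify (M) instead of Read+Execute (RX)
    )
    if (-not (Test-Path -Path $Path)) { throw "Path not found: $Path" }

    # Least privilege: RX is enough to run a utility; M is only for folders it must write to (caches, repos)
    $right = if ($Modify) { 'M' } else { 'RX' }
    # (OI)(CI) make the entry inherit to files and sub-folders; icacls rejects them on a single file
    $inherit = if (Test-Path -Path $Path -PathType Container) { '(OI)(CI)' } else { '' }
    icacls $Path /grant "${Account}:${inherit}${right}" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit code $LASTEXITCODE)" }

    # Verify: the account must now appear in the ACL; compare on the short name so that
    # "NETWORK SERVICE" and "NT AUTHORITY\NETWORK SERVICE" both match
    $shortName = $Account.Split('\')[-1]
    $entry = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value.Split('\')[-1] -eq $shortName }
    if (-not $entry) { throw "No ACL entry for $Account found on $Path after the grant" }
    return $entry | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}

# Usage: read/execute on the tools folder, modify only where the utility writes (assumed Maven cache path)
Grant-CxToolAccess -Path 'C:\ProgramData\chocolatey'
Grant-CxToolAccess -Path 'C:\Windows\ServiceProfiles\NetworkService\.m2' -Modify
```

Re-run the utility test in the PsExec window after the grant; if it still reports "access denied", the denied path is usually a cache or temp folder the utility writes to rather than its install folder, and that is the path to pass with -Modify.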