CxOSA Frequently Asked Questions
This section of the Checkmarx CxOSA Documentation answers frequently asked questions about CxOSA. Use the search tool to find a specific subject.
What are the CxOSA prerequisites?
For information about the required prerequisites for using CxOSA, refer to Preparing the Environment for CxOSA.
What are the prerequisites for initiating a CxOSA scan in the Web portal and resolving dependencies locally?
Ensure you are scanning a supported language and package manager.
Check Environment Permissions:
The user account that runs the CxSAST processes must be permitted to run the package manager executable file. To avoid complications, it is recommended to allow all users to execute the package managers. By default, the CxSAST services run as Network Service, which should be allowed to execute the package manager executable.
Check Environment Variables:
To be on the safe side, check the environment variables that are set and add the executable file path to the System Path variable if it is not already there.
To validate the execute permission, you can use PsExec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
Example:
Run as the Network Service user: psexec -i -u "nt authority\network service" cmd.exe, then try to run the relevant package manager command as it appears in Supported Languages and Package Managers.
Enable Dependency Resolution:
Under Projects & Scans > Project, select a project, then click the OSA tab. Select the ‘Resolve dependencies by initiating install command for package manager before performing OSA scan’ checkbox so that dependency resolution runs for scans started from the Web Portal or the REST API.
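The two environment checks above, as an added PowerShell example (not part of the Checkmarx documentation): it resolves each package manager from the machine-scope PATH only and lists the identities whose ACL entries grant execute on the resolved file. The tool names are assumptions; replace them with the ones listed in Supported Languages and Package Managers.

```powershell
# Added example, not Checkmarx code. Run on the CxSAST server.
# ASSUMPTION: tool names are placeholders; take the real ones from
# "Supported Languages and Package Managers" for your CxOSA version.
$tools = @('npm', 'mvn', 'nuget')

# Read the machine-scope variables only. Entries that exist solely in your own
# user-scope PATH are not visible to the account that runs the CxSAST services.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$pathExt     = [Environment]::GetEnvironmentVariable('PATHEXT', 'Machine')
if (-not $pathExt) { $pathExt = '.COM;.EXE;.BAT;.CMD' }

# Split into directories, drop empty entries and stray quotes, expand %VAR% references.
$dirs = $machinePath -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ }
$exts = $pathExt -split ';' | Where-Object { $_ }
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

foreach ($tool in $tools) {
    # First match wins: PATH order first, then PATHEXT order within each directory.
    $hit = $null
    foreach ($dir in $dirs) {
        foreach ($ext in $exts) {
            $candidate = [System.IO.Path]::Combine($dir, $tool + $ext)
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $hit = $candidate; break }
        }
        if ($hit) { break }
    }

    # List the identities whose Allow entries include execute. This is the raw ACL,
    # not an effective-access calculation (group membership and Deny entries still apply).
    $allowed = @()
    if ($hit) {
        $allowed = (Get-Acl -LiteralPath $hit).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $execute) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }

    [pscustomobject]@{
        Tool              = $tool
        ResolvedPath      = if ($hit) { $hit } else { 'NOT FOUND in machine PATH' }
        ExecuteAllowedFor = $allowed -join '; '
    }
}
```

A tool reported as NOT FOUND here can still work in your own shell if it is only on your user PATH. Confirm the final result by running the package manager command in the Network Service shell opened with the psexec command above.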
Where can I find information about connection settings?
For more information about connection settings, refer to CxOSA Connection Settings.
Which languages/extensions does CxOSA support?
For information about which languages/extensions CxOSA supports, refer to the CxOSA Release Notes.
How does CxOSA detect open source components?
Resolving dependencies from the package manager configuration file (e.g., pom.xml for Java).
File fingerprints (e.g., name and checksum).
Where can I find information about vulnerabilities?
Our OSA Cloud Service uses NVD (https://nvd.nist.gov). NVD is an authoritative source that provides information only after checking and verifying vulnerabilities. For additional sources, contact Support@checkmarx.com.
Do I need an additional license to use CxOSA?
You can use the same license as for CxSAST, but with CxOSA enabled. The Checkmarx License Importer (CxLicenseImporter.exe) is used to import the updated license into CxSAST. For more information about the CxOSA license details, refer to Updating the CxOSA License.
Is there sample source code I can download to scan?
To download sample source code to scan, go to the Quick Start Guide and download a sample project by clicking Clone or Download. Unzip it to the folder where you want to place the code.
I received 0 or very few results. How can I diagnose this?
Make sure you scanned a supported language and package manager.
If scanning from the Web Interface, make sure that all the prerequisites are fulfilled.
Check the plugin / ScansManager logs for any errors.
Contact Support@checkmarx.com.
What are the most common error cases for CxOSA?
Case | Error Log | UI Message |
---|---|---|
No OSA Directory configuration | Open Source Analysis directory isn't configured properly | To configure Open Source Analysis, specify Open Source location in Edit Project |
Failed to connect OSA Cloud Service Server | Failed to send request to OSA Cloud Service Server | Unable to connect to the OSA Server, please contact your Checkmarx Administrator |
OSA Cloud Service Server returns error | Error while executing OSA Cloud Service request | Internal OSA error. Please try again later |
No OSA Files found | No sources for Open source Analysis where found | No files found for Open Source Analysis |
Failure to access OSA directory | Failed to access to Open Source Analysis directories | Cannot access <path>. Please check Open Source location in Edit Project |
Who do I contact for CxOSA support?
CxOSA support is provided by Checkmarx. For support cases, unless it’s a connectivity issue, we use the same logs as for CxSAST. All log files should be zipped and sent to Support@checkmarx.com.