Using SCA Resolver in Checkmarx One
Checkmarx SCA Resolver
Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx One SCA scanner for risk analysis. This enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform. For Checkmarx One users, Resolver is used in Offline mode for dependency resolution and the results file is then sent for analysis via your Checkmarx One account.
In order to use the SCA Resolver with the Checkmarx One CLI, you need to download the Checkmarx SCA Resolver separately in a location that the Checkmarx One CLI can access. Download links are available below.
To use the SCA Resolver, add the --sca-resolver flag to your command line, with the path to your local installation of the Resolver executable as its argument. For example:
./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --sca-resolver <path-to-resolver> --sca-resolver-params <additional-resolver-arguments>
Sample command:
user@laptop:/AST$ ./cx scan create --project-name demo --scan-types sast,sca -s . --sca-resolver /sca/scaResolver --sca-resolver-params "-q -e my_file" --async
Warning
When running a CLI scan that uses SCA Resolver, the source code must be in a local folder, not in a zip archive or a code repository.
The Delta Scan feature runs by default on Checkmarx One CLI scans (CLI version 2.3.44 and later) that use SCA Resolver (Resolver version 2.13.3 and later). To disable this feature, pass --disable-delta-scan as an argument of the --sca-resolver-params flag. For more information on this feature, see Delta Scans.
To pass additional arguments to Checkmarx SCA Resolver, use the --sca-resolver-params flag with any arguments that you need. If the arguments contain spaces or quotes, wrap the whole value in double quotes and use single quotes inside it. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.
Notice
Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.
For more information about using SCA Resolver in Checkmarx One CI/CD integrations, see Using SCA Resolver in Checkmarx One CI/CD Integrations.
Checkmarx SCA Resolver Download and Installation
Caution
Versions of SCA Resolver prior to 2.5.15 are no longer supported. Older versions are no longer able to run Container scans. Download links for newer versions are provided below.
We recommend always keeping up to date with the latest version of SCA Resolver, in order to benefit from the latest features as well as ongoing performance improvements and bug fixes.
Download Latest Version of Resolver
Use the relevant link to download the latest version of SCA Resolver.
Notice
The latest version of SCA Resolver is currently 2.13.3.
Use the relevant link to download the checksum for the latest version of Resolver.
Notice
Links to download older versions of Resolver are available at Checkmarx SCA Resolver Changelog.
Installation
Notice
The following procedure applies when you download Resolver as a zip archive. If you use the macOS installer instead, just follow the installer prompts. The installer saves the Configuration.yml file to /Library/ScaResolver/{version}/Configuration.yml.
To download and install Checkmarx SCA Resolver:
Use the appropriate link (shown above) to download the correct version of Checkmarx SCA Resolver for your OS.
Extract the compressed archive file.
Install all required resolution utilities; see Installing Supported Package Managers for Resolver.
Installation Notes:
On Ubuntu, run the following commands as root before running Resolver for the first time, or if you encounter any startup issues.
apt update
apt install ca-certificates libgssapi-krb5-2
On Alpine Linux, run the following commands as root before running Resolver for the first time, or if you encounter any startup issues.
apk add libstdc++
apk add glib
apk add krb5 pcre
apk add bash
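As an added example that is not Checkmarx's own code, the following POSIX shell wrapper ties together the CLI usage described earlier and the download checks in this section: it verifies the downloaded archive against its published checksum, refuses a Resolver older than the supported 2.5.15, insists that the source is a local folder, and composes the cx command with the double-quoted --sca-resolver-params value. It assumes the published checksum is a SHA-256 hex digest and that the caller already knows the Resolver version; the path /sca/scaResolver and the project name are the page's sample values.

```shell
#!/bin/sh
# Added example, not Checkmarx code. Wraps the documented cx/SCA Resolver
# workflow with the checks a practitioner would want before scanning.

MIN_RESOLVER_VERSION="2.5.15"   # oldest version the docs still support

# version_ge A B: succeed when dotted version A >= B (numeric components).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Verify the downloaded archive against the published checksum before
# extracting it. Assumption: the checksum is a SHA-256 hex digest.
verify_archive() {
    actual="$(sha256sum "$1" | cut -d ' ' -f 1)"
    [ "$actual" = "$2" ]
}

# Compose the cx command. The resolver arguments are wrapped in double quotes,
# so any quoting inside them must use single quotes (as the docs require).
build_scan_cmd() {
    printf './cx scan create --project-name %s --scan-types sast,sca -s %s --sca-resolver %s --sca-resolver-params "%s" --async\n' \
        "$1" "$2" "$3" "$4"
}

# prepare_scan VERSION PROJECT SRC_DIR RESOLVER_PATH RESOLVER_PARAMS
# Prints the command to run, or fails when a documented precondition is unmet.
prepare_scan() {
    if ! version_ge "$1" "$MIN_RESOLVER_VERSION"; then
        echo "SCA Resolver $1 is unsupported (minimum $MIN_RESOLVER_VERSION)" >&2
        return 1
    fi
    if [ ! -d "$3" ]; then   # source must be a local folder, not a zip or repo
        echo "source '$3' is not a local folder" >&2
        return 1
    fi
    build_scan_cmd "$2" "$3" "$4" "$5"
}

# Usage: print the command for a supported Resolver, with delta scan disabled.
prepare_scan 2.13.3 demo . /sca/scaResolver "-q --disable-delta-scan"
```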