
Using SCA Resolver in Checkmarx One

Checkmarx SCA Resolver

Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx One SCA scanner for risk analysis. This enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform. For Checkmarx One users, Resolver is used in Offline mode for dependency resolution and the results file is then sent for analysis via your Checkmarx One account.

In order to use the SCA Resolver with the Checkmarx One CLI, you need to download the Checkmarx SCA Resolver separately in a location that the Checkmarx One CLI can find. Find the latest download at Checkmarx SCA Resolver Download and Installation.

To use the SCA Resolver, you need to add the --sca-resolver flag to your command line with an argument with the path to your local installation of the Resolver executable. For example:

./cx scan create --project-name <Project Name> -s <path> --branch <branch name> --sca-resolver <path-to-resolver> --sca-resolver-params <additional-resolver-arguments>

Sample command:

user@laptop:/AST$ ./cx scan create --project-name demo --scan-types sast,sca -s . --sca-resolver /sca/scaResolver --sca-resolver-params "-q -e my_file" --async

Warning

When running a CLI scan that uses SCA Resolver, the source code must be in a local folder, not in a zip archive or a code repository.

The Delta Scan feature will run by default on the CxOne CLI (since version 2.3.44) scans using SCAResolver (since version 2.13.3). To disable this feature, use the --sca-resolver-params flag with the argument --disable-delta-scan. For more information on this feature, see Delta Scans.

To add additional arguments to Checkmarx SCA Resolver, use the flag --sca-resolver-params with any additional arguments that you need. If necessary to use spaces and/or quotes, wrap the arguments in double quotes and use single quotes inside the value. For a complete list of SCA Resolver configuration arguments, see Checkmarx SCA Resolver Configuration Arguments.

Notice

Only arguments that can be used in Offline mode can be applied to scans run via the Checkmarx One CLI Tool and plugins.
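The following pre-flight wrapper is an added example, not part of the Checkmarx One CLI or SCA Resolver. Before printing the cx scan create command line, it checks the constraints stated above: the source path must be a local folder (not a zip archive or a repository), the Resolver binary must be executable with Configuration.yml beside it, and extra Resolver arguments are wrapped in one double-quoted --sca-resolver-params value, optionally appending --disable-delta-scan. It assumes the CLI binary is ./cx (overridable through CX_BIN) and that the file is saved as cx_sca_preflight.sh; only SCA is requested via --scan-types.

```shell
#!/usr/bin/env sh
# Added example (not Checkmarx code): pre-flight checks for "cx scan create --sca-resolver".
# Assumed CLI location; the page's sample command uses ./cx.
CX_BIN="${CX_BIN:-./cx}"

# Returns 0 when SRC is an existing directory; 1 for zip archives, repo URLs or missing paths.
check_source_is_local_folder() {
  src="$1"
  case "$src" in
    *.zip|*.ZIP)
      echo "source must be a local folder, not a zip archive: $src" >&2; return 1 ;;
    http://*|https://*|git@*|ssh://*)
      echo "source must be a local folder, not a code repository: $src" >&2; return 1 ;;
  esac
  [ -d "$src" ] || { echo "source folder not found: $src" >&2; return 1; }
  return 0
}

# Returns 0 when RESOLVER is executable and Configuration.yml sits in the same folder.
check_resolver_install() {
  resolver="$1"
  [ -x "$resolver" ] || { echo "Resolver is not executable: $resolver" >&2; return 1; }
  cfg="$(dirname "$resolver")/Configuration.yml"
  [ -f "$cfg" ] || { echo "Configuration.yml missing next to the Resolver binary: $cfg" >&2; return 1; }
  return 0
}

# Prints the cx command line to run (does not execute it). Arguments:
#   $1 project name   $2 source folder   $3 branch   $4 path to Resolver executable
#   $5 extra Resolver arguments (optional, e.g. "-q -e my_file")
#   $6 "nodelta" to append --disable-delta-scan (optional)
build_scan_command() {
  project="$1"; src="$2"; branch="$3"; resolver="$4"; extra="${5:-}"; delta="${6:-}"
  check_source_is_local_folder "$src" || return 1
  check_resolver_install "$resolver" || return 1
  params="$extra"
  if [ "$delta" = "nodelta" ]; then
    # Delta Scan runs by default; it is disabled through the Resolver's own arguments.
    params="${params:+$params }--disable-delta-scan"
  fi
  cmd="$CX_BIN scan create --project-name $project --scan-types sca -s $src --branch $branch --sca-resolver $resolver"
  if [ -n "$params" ]; then
    # One double-quoted value; use single quotes inside it if an argument needs quoting.
    cmd="$cmd --sca-resolver-params \"$params\""
  fi
  printf '%s\n' "$cmd"
}

# Example invocation when the script is run directly (assumed file name cx_sca_preflight.sh).
if [ "${0##*/}" = "cx_sca_preflight.sh" ]; then
  build_scan_command demo . main /sca/scaResolver "-q -e my_file" nodelta || exit 1
fi
```

Pipe the printed command into sh, or copy it, once the checks pass; a failed check prints the reason on stderr and returns non-zero.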

For more information about using SCA Resolver in Checkmarx One CI/CD integrations, see Using SCA Resolver in Checkmarx One CI/CD Integrations.

Checkmarx SCA Resolver Download and Installation

Caution

Versions of SCA Resolver prior to 2.5.15 are no longer supported. Older versions will no longer be able to run Container scans. Download links for newer versions are available here.

We recommend always keeping up to date with the latest version of SCA Resolver, in order to benefit from the latest features as well as ongoing performance improvements and bug fixes.

Download Latest Version of Resolver

Use the relevant link to download the latest version of SCA Resolver.

Notice

The latest version of SCA Resolver is currently 2.13.3.

Use the relevant link to download the checksum for the latest version of Resolver.

Notice

Links to download older versions of Resolver are available at Checkmarx SCA Resolver Changelog.

Installation

Notice

The following procedure is relevant when you download Resolver as a zip archive. When you run the MacOS Installer you just need to follow the prompts to run the installer. The installer saves the Configuration.yml file to /Library/ScaResolver/{version}/Configuration.yml.

To download and Install Checkmarx SCA Resolver:

  1. Use the appropriate link (shown above) to download the correct version of Checkmarx SCA Resolver for your OS.

  2. Extract the compressed archive file.

    Notice

    The Configuration.yml file, which is included in the zip archive, is a mandatory part of the installation and must be placed in the same folder as the ScaResolver binary.

    The ServerUrl, AuthenticationServerUrl and ScaAppUrl in the .yml file are set by default for the US environment. If you are using the EU environment, then you must change these to the appropriate values for the EU as specified here.

  3. Install all required resolution utilities, see Installing Supported Package Managers for Resolver

Installation Notes:

  • On Ubuntu, run the following commands as root before running Resolver, or if you encounter any startup issues.

apt update
apt install ca-certificates libgssapi-krb5-2

  • On Alpine Linux, run the following commands as root before running Resolver, or if you encounter any startup issues.

apk add libstdc++
apk add glib
apk add krb5 pcre
apk add bash

Installing Supported Package Managers for Resolver

To successfully resolve dependencies with Checkmarx SCA Resolver, you need to install the relevant package managers and other prerequisites in the environment where you will be running Resolver. You also need to prepare the project for package resolution by making sure that it is in a buildable state and that the relevant manifest files are included in the project directory.

When you run a scan, Checkmarx SCA uses your installed package managers to build a list of dependencies.

The following sections explain how to prepare your environment to run scans using Resolver. Documentation is provided separately for each supported package manager.

Notice

The documentation also provides test commands that can be run as part of your troubleshooting process in order to ensure that dependency resolution can succeed.

Java Support in Checkmarx SCA

Maven Dependency Resolver

Manifest files: pom.xml

Package Manager used: Maven

Prerequisites:

  • JDK installed under the JAVA_HOME environment variable

  • Make sure that any additional SDK needed for resolving dependencies in your project (e.g., Android SDK) is available in your local environment

Installation

Debian install command:

apt-get install maven

To ensure Maven is installed, run: mvn --version inside the project directory

If Maven is correctly installed, you should receive a message indicating which version is installed on your machine.

Dependency Resolution

Checkmarx SCA Resolver uses Maven to extract the dependency graph.

This process downloads the dependencies to the local cache folder (usually .m2 ) and inspects the pom.xml files of the dependencies recursively to construct the graph.

It requires connectivity to a Maven repository to download those dependencies. By default, Maven uses the Central Maven repo but other repositories may be configured in a settings.xml file in the project root or in the global Maven folder in the local machine.

Notice

If you want to apply the settings in your settings.xml file to all pom.xml resolution, you can add the settings.xml file to a .cxsca.configurations folder in the root of the project. In this case, Checkmarx SCA will apply these settings to each module and sub-module in the project, overriding the local settings.xml settings.

Testing Dependency Resolution

You can test whether the dependency tree can be extracted successfully, by running the following command inside the folder where the manifest exists:

mvn dependency:tree

Troubleshooting

The following command can be used to troubleshoot problems with the dependency resolution.

mvn install -DskipTests

Dev Dependencies

Any dependency marked with <scope>test</scope> is considered a Dev dependency in Checkmarx SCA

Multi-Module Maven project

A multi-module project has a root pom.xml file and multiple modules, each in a sub-directory.

The root pom.xml has the following structure:

  <modules>
    <module>module1</module>
    <module>module2</module>
  </modules>

To successfully resolve dependencies, the project needs to be in a "buildable" state.

Notice

If your multi-module code fails the dependency tree generation, try building it first and then executing the dependency tree command. If it succeeds post-build, it is possible that one of your modules is missing an explicit dependency statement for a dependency that is fulfilled due to module build order.

If SCA Resolver is not being run “post build”, please run the following command before invoking the Resolver scan.

mvn install -DskipTests

Notice

When running Resolver via a third party plugin, make sure that Resolver is executed only for the parent module and not for each of the sub-modules.

For example, for the exec-maven-plugin, the exec:exec profile that runs the SCA command needs the --projects . argument, with the . indicating that only the parent module is compiled, e.g., mvn -f <PATH_TO_PARENT_PROJECT_POM.XML> -s <ABSOLUTE_PATH_TO_settings.xml> exec:exec --activate-profiles sca --errors --projects .

Gradle Dependency Resolver

Manifest files: build.gradle , build.gradle.kts

Package Manager used: gradle

Prerequisites:

  • JDK installed under the JAVA_HOME environment variable

  • Make sure that any additional SDK needed for resolving dependencies in your project (e.g., Android SDK) is available in your local environment

Installation

Debian install command:

apt-get install gradle

To ensure Gradle is installed, run: gradle --version inside the project directory

Dependency Resolution

The dependency resolution process downloads the dependencies to the local cache folder (usually .gradle )

It requires connectivity to a Java repository to download those dependencies. By default, Maven Central is used, but other repositories may be configured in a build.gradle file or in the global Gradle settings.

Dev Scopes

Each Gradle scope that contains the word "test" or "development" is defaulted to dev scope.

Test

Run this command inside the folder where the manifest exists, to test whether the dependency tree can be extracted successfully:

gradle dependencies -q --no-daemon -Dorg.gradle.jvmargs=-Xmx1g

Multi-Module Gradle project

A multi-module project has a settings.gradle file with list of included modules. Each module resides in a sub-directory.

Checkmarx SCA Resolver recognizes this file and resolves the modules of the project one by one using the main settings, calling the following command in the root folder for each module (given by modulename):

gradle modulename:dependencies -q --no-daemon -Dorg.gradle.jvmargs=-Xmx1g

Gradle Wrapper

Gradle is commonly shipped with a wrapper script, called gradlew in the root directory of the project.

Checkmarx SCA Resolver detects the wrapper and uses the script instead of the global “gradle” command.

For example:

./gradlew dependencies -q --no-daemon -Dorg.gradle.jvmargs=-Xmx1g

Invoking the gradlew script may download and install the Gradle version the project requires, which is usually declared in the gradle/wrapper/gradle-wrapper.properties file. The Gradle Wrapper requires a JRE to run and to install Gradle.

To learn more, visit https://docs.gradle.org/current/userguide/gradle_wrapper.html

Ivy Dependency Resolver

Manifest files: build.xml, ivy.xml

Package Manager used: Apache Ivy

Prerequisites: JDK installed under the JAVA_HOME environment variable

Installation

Debian:

  1. Download Apache Ant from https://downloads.apache.org/ant/binaries/ (version 1.10.x is tested and approved).

  2. Uncompress the downloaded file into a directory (ANT_HOME).

  3. Set the ANT_HOME environment variable to the directory where the uncompressed Apache Ant files were saved.

  4. Add ${ANT_HOME}/bin to the PATH environment variable.

  5. Download Apache Ivy from https://downloads.apache.org/ant/ivy/ (version 2.5.x is tested and approved).

  6. Uncompress the downloaded file into a directory.

  7. Copy apache-ivy-2.5.x/ivy-2.5.x.jar from the Apache directory to ${ANT_HOME}/lib.

  8. To ensure Apache Ant is installed, run ant -version

  9. To ensure Apache Ivy is installed, run ant inside your Ivy project folder

Dependency Resolution

Each ivy.xml file will tentatively be associated with a build.xml file. For each ivy.xml file, configurations will be fetched. Each corresponding build.xml file will be modified to contain a specific target which will download the dependencies to the local cache folder (usually .ivy2) and generate XML report files based on the configurations fetched from ivy.xml.

The XML report files will be used to construct the dependency tree.

This process requires connectivity to a repository to download those dependencies. By default, Apache Ivy uses the Central Maven repo (https://repo.maven.apache.org/maven2/ ) but other repositories may be configured in an ivysettings.xml file.

At the end of the process, build.xml files which were modified will be restored back to their original content.

Test

Check the configurations for a particular ivy.xml.

Add the following target to the corresponding build.xml (inside <project> tag), ensuring that {CONFS} contains a comma separated list of the configurations from ivy.xml.

    <target name="generateIvyReportsforDependencyScan" description="Generate Ivy report files">
        <ivy:resolve />
        <ivy:report graph="false" xsl="false" xml="true" conf="{CONFS}" todir="./ivyReports" />
    </target>

Run ant generateIvyReportsforDependencyScan in build.xml location and check that the ivyReports folder was created and contains one .xml file per specified configuration.

.NET Support in Checkmarx SCA

NuGet Dependency Resolver

Manifest files: *.csproj, packages.config, *.vbproj

Package Manager used: dotnet cli or nuget cli

For dotnet cli, the minimum required SDK version is 2.1.816.

It is required to have either dotnet cli or nuget cli installed. If, due to your project requirements, you have both package managers installed, dotnet cli will be tried first and only if it fails will nuget cli be used.

Installation

Install dotnet cli or nuget cli, according to your project requirements.

To test dotnet installation, run the following command:

dotnet --version

To test nuget installation, run the following command:

nuget

Dependency Resolution

NuGet restore command downloads the dependencies to the local machine. The nuget.config file is used to configure custom repositories to be used.

Checkmarx SCA Resolver uses NuGet to create a lock file and parses it to extract the full dependency graph.

Notice

If you want to apply the settings in your nuget.config file to all *.csproj resolution, you can add the nuget.config file to a .cxsca.configurations folder in the root of the project. In this case, Checkmarx SCA will apply these settings to each module and sub-module in the project, overriding the local nuget.config settings.

Test

Checkmarx SCA Resolver requires the project to be in a ‘buildable’ state for the packages to be resolved.

Depending on which package manager you are using, run the appropriate command inside the folder where the manifest exists. A file named package.lock.json is created with the dependency tree.

For dotnet cli, run:

dotnet restore --force-evaluate --use-lock-file

For nuget cli, run:

nuget restore -Force -UseLockFile

JavaScript Support in Checkmarx SCA

NPM Dependency Resolver

Manifest files: package.json(required), package-lock.json

Package Manager used: npm

Installation

Requirements:

  • NPM package manager version 6.x or version 8 from 8.18.0 and above

  • Git client (some npm packages are directly pulled from a Git repo)

  • Optional: Lerna - for Lerna projects (see below)

Debian install command:

apt-get install npm git
npm -g install npm@8.11.0
npm install -g lerna

Alpine install command:

apk add --update npm git
npm -g install npm@8.11.0
npm install -g lerna

To ensure NPM is installed, run: npm --version

Dependency Resolution

Checkmarx SCA Resolver uses NPM to parse the lock file (package-lock.json) and to extract the dependency graph. If the lock file does not exist, the Resolver creates it.

When creating a lock file, NPM connects to the NPM registry to collect metadata.

Checkmarx SCA Resolver attempts to create a lock file without installing dependencies, by using the --package-lock-only flag to the npm install command - this is the default behavior.

In some specific cases where package-lock creation is disabled by the project configuration, the Resolver runs a regular install which downloads the dependencies to a node_modules folder.

Custom NPM registries may be configured inside the package.json file, or in project / global configurations, usually .npmrc files.

Notice

If you want to apply the settings in your .npmrc file to all package.json resolution, you can add the .npmrc file to a .cxsca.configurations folder in the root of the project. In this case, Checkmarx SCA will apply these settings to each module and sub-module in the project, overriding the local .npmrc settings.

Test

To generate a lock file, run the following command inside the project directory (a package-lock.json file is created):

npm i --package-lock-only

If creating a lock file is disabled by the NPM configuration, run the following command instead:

npm install --ignore-scripts

If the lock file already exists, or was created in the step above, run the following command to extract the dependency graph:

npm ls --json

Dev Dependencies

Any dependency under devDependencies section is considered Dev.

To generate a list of dev dependencies, Checkmarx SCA Resolver runs the following command on the lock file.

For NPM version 6:

npm ls --json --dev

For NPM version 7 or higher:

npm ls --json --include dev

Monorepo Projects using Lerna

This project structure uses Lerna build tool to manage multiple NPM modules inside one project.

The root folder of the project has a lerna.json file defining the modules.

Simply resolving each module individually will be inaccurate since peer modules reference each other.

Checkmarx SCA Resolver recognizes the use of Lerna, and uses it to extract the complete dependency graph.

The command used is:

lerna bootstrap --hoist

This creates a lock file in the root folder with the complete project dependencies.

Yarn Dependency Resolver

Manifest files: package.json(required), yarn.lock(required)

Package Manager used: yarn

Installation

Requirements:

  • Yarn

  • Git client (some npm packages are directly pulled from a Git repo)

Debian install command:

apt-get install yarn git

To ensure Yarn is installed, run: yarn --version

Dependency Resolution

Checkmarx SCA Resolver parses the lock file (yarn.lock) to extract the dependency graph. If the lock file does not exist, the Resolver creates it.

When creating a lock file, Yarn connects to the NPM registry to collect metadata and downloads the dependencies to the local machine.

Custom NPM registries may be configured inside the package.json file, or in project / global configurations, usually .yarnrc files.

Test

To generate a lock file, run the following command inside the project directory. A yarn.lock file is created.

yarn install --ignore-scripts

Dev Dependencies

Any dependency under devDependencies in the package.json file is considered as a dev dependency.

Yarn Workspaces

This project structure uses the Yarn Workspaces feature to manage multiple modules inside one project.

The package.json file has a workspaces section that lists the local paths of the modules.

Checkmarx SCA Resolver recognizes the use of Yarn Workspaces, and installs the dependencies from the root folder location only, running yarn install --ignore-scripts

This creates a lock file in the root folder with the complete project dependencies.

Bower Dependency Resolver

Manifest files: bower.json

Package Manager used: bower

Installation

Requirements:

  • NPM

  • Bower

Debian install command:

apt-get install npm
npm install -g bower

Alpine install command:

apk add --update npm
npm install -g bower

To ensure Bower is installed, run: bower --version

Dependency Resolution

Checkmarx SCA Resolver uses the bower-dependency-tree module to generate a tree of dependencies.

This is an NPM module. In case it is not installed, Checkmarx SCA Resolver installs it using NPM.

Test

Ensure installation of the bower-dependency-tree module with the following command:

npm install -g bower-dependency-tree

Then, using the following command, run it to generate the dependency tree inside the project root folder:

bower-dependency-tree

Python Support in Checkmarx SCA

PIP Dependency Resolver

Manifest files: requirements.txt, requirements-*.txt, requirement.txt, requirement-*.txt, pyproject.toml, setup.cfg, and setup.py

Package Manager used: pip

Installation

Requirements:

  • Python

  • PIP

Debian install command:

apt-get install python python-pip

Alpine install command:

apk add --update py-pip py3-setuptools

To ensure pip is installed, run: pip -V

Notice

You also need to have virtualenv installed on your machine. You can install virtualenv by running:

pip install virtualenv pipdeptree graphviz

or

pip3 install virtualenv pipdeptree graphviz

You can verify the installation by running:

virtualenv --version

Dependency Resolution

Checkmarx SCA Resolver installs the dependencies listed in the manifest and uses the pipdeptree utility to construct the dependency graph.

The Resolver creates a temporary virtual environment to install the dependencies, using the command:

python -m virtualenv random-name

Then, all commands are run in the virtual environment and the pipdeptree utility is temporarily installed there. For example, this is an install command on Linux:

source random-name/bin/activate && python -m pip install -r requirements.txt

Test

Checkmarx SCA Resolver requires the dependencies to be installed to extract the full tree. Use the following command:

python -m pip install -r requirements.txt

The full flow for extracting dependencies on Linux is:

python -m virtualenv random-name
source random-name/bin/activate && python -m pip install -r requirements.txt
source random-name/bin/activate && python -m pip install pipdeptree
source random-name/bin/activate && python -m pipdeptree --graph-output dot -e pipdeptree,setuptools,wheel,graphviz

  • On Windows, the command for activating the virtual environment is:

random-name\Scripts\activate

Python 2 vs Python 3

When Python 3 is installed, Checkmarx SCA Resolver may execute the Python commands python3 and pip3.

Checkmarx SCA Resolver first attempts to run python3, and if it is not found, it attempts to run python.

You can use the --python-version flag or PythonVersion configuration argument to explicitly specify which Python version to use for the manifest file resolution.

Poetry Dependency Resolver

Manifest files: pyproject.toml (required), poetry.lock

Package Manager used: Poetry

Installation

Requirements:

  • Python

Linux, macOS, Windows (WSL) install command:

curl -sSL https://install.python-poetry.org | python3 -

On Debian, Python itself can be installed with:

apt-get install python python-pip

To ensure Poetry is installed, run:

poetry --version

Dependency Resolution

Checkmarx SCA Resolver installs the dependencies listed in the manifest in order to extract the dependency tree of the project.

Test

Use the following command to install dependencies:

poetry install

Use the following command to extract the dependency tree:

poetry show --tree

PHP support in Checkmarx SCA

Composer Dependency Resolver

Manifest files: composer.json(required),composer.lock

Package Manager used: composer

Installation

Requirements:

  • PHP CLI

  • composer

  • Optional: PHP packages required to install dependencies: php-curl

Debian install command:

apt-get install php-cli php-curl composer

Alpine install command:

apk add --update php-cli php-curl composer

To ensure composer is installed, run: composer --version

Dependency Resolution

Checkmarx SCA Resolver installs the dependencies using Composer. Composer downloads and installs the dependencies to the local machine.

Afterwards, Composer is used to detect the dependencies.

Test

Checkmarx SCA Resolver requires the dependencies to be installed to extract the full tree. Use the following command:

composer install
composer show --tree --format json

Dev Dependencies

Dependencies under require-dev are considered as dev by Checkmarx SCA.

Scala Support in Checkmarx SCA

SBT Dependency Resolver

Manifest files: build.sbt

Package Manager used: sbt

Installation

Requirements: sbt

To install, visit: https://www.scala-sbt.org/download.html

To make sure sbt is installed correctly, make sure you can invoke sbt inside the project folder by running the following command:

sbt --script-version

Dependency Resolution

The dependency resolution process involves downloading and building the scala project using the sbt "compile" command. Checkmarx SCA Resolver uses the IVY reports generated during the build process to gather the dependency graph.

They can be found under the target/scala-*/reports/*.xml, where scala-* can be any Scala version used, such as scala-2.13.

Those XML files are parsed to generate the tree of dependencies.

Test

Run the following command in the project root:

sbt "compile"

After a successful build, validate that XML files were generated in the target/scala-*/reports/ folder (matching target/scala-*/reports/*.xml), where scala-* can be any Scala version used, such as scala-2.13.

iOS Support in Checkmarx SCA

SwiftPm Dependency Resolver

Manifest files: Package.swift

Package Manager used: SwiftPm

Installation

Debian:

Use the following procedure to ensure that version 5.3.3 of SwiftPm is installed as well as other necessary tools.

  1. Install dependencies: apt install -y clang libicu-dev libtinfo5 libncurses5 libxml2

  2. Download SwiftPM: wget https://swift.org/builds/swift-5.3.3-release/ubuntu1804/swift-5.3.3-RELEASE/swift-5.3.3-RELEASE-ubuntu18.04.tar.gz

  3. Extract: tar -xvzf swift-5.3.3-RELEASE-ubuntu18.04.tar.gz && rm -f swift-5.3.3-RELEASE-ubuntu18.04.tar.gz

  4. Update path environment variable: export PATH=$PATH:{extractedPath}/usr/bin, with {extractedPath} representing the path where you ran the previous command.

  5. To ensure SwiftPm is installed correctly, open a console and run the following command:

    swift package --version

    If the swift package manager is correctly installed, you should receive a message indicating which version is installed on your machine.

Dependency Resolution

The dependency resolution process uses SwiftPm’s capabilities to calculate all the dependencies.

If a Package.swift file exists, then Checkmarx SCA Resolver uses it to calculate the dependencies. It also checks whether the folders declared in the manifest file, .target and .testTarget, are present in the project.

If there is only a Package.resolved file, then the package resolution is done from that file, without executing any commands.

Test

Run the following command in the project root:

swift package show-dependencies

After a successful build, check if the output contains the dependencies for the project.

Carthage Dependency Resolver

Manifest files: Cartfile(required), Cartfile.private, Cartfile.resolved

Notice

At least one .private or .resolved file must be included.

Package Manager used: none

Requirements: none

Note

Officially, Carthage has a hard dependency on MacOS and XCode. However, Checkmarx SCA uses custom handling and resolution of the manifest files to suppress this requirement. This approach provides a platform independent resolution without any installation prerequisites.

Installation: no installation needed

Dependency Resolution

The dependency resolution process involves downloading the manifest files from GitHub via API.

Checkmarx SCA Resolver uses Cartfile, Cartfile.private and Cartfile.resolved files to gather the info needed to generate the set of dependencies. When the dependencies repository includes the Cartfile.resolved files, these are used to avoid resolving the versions again.

Test: no testing needed

Notice

Since there are no specific requirements for the package manager, there is no need to perform any prerequisite test before using Carthage in Checkmarx SCA.

Limitations

Carthage resolution uses GitHub API to resolve the packages. GitHub limits unauthenticated users to 300 requests per hour. This may affect the resolution capabilities. To bypass this limitation, on Checkmarx SCA Resolver you can define the GithubToken environment variable with up to 4 tokens (separated by “-”) obtained from a GitHub account.

Repositories that are referenced as “git sources” aren’t considered for resolution unless they are hosted on GitHub.

CocoaPods Dependency Resolver

Manifest files: Podfile(required), Podfile.lock

Package Manager used: CocoaPods

Installation

Debian install command:

apt -q install ruby-full -y && apt-get install -y --no-install-recommends ruby ruby-dev make gcc libcurl4 libc6-dev git && gem install cocoapods

This command will install the latest available version of CocoaPods, Ruby and other necessary tools.

To ensure that CocoaPods is installed, run pod --version --allow-root

Dependency Resolution

If Podfile.lock does not exist, dependencies from Podfile will be installed and the Podfile.lock file will be generated. This file will then be parsed, creating the dependency tree.

Test

Run the following command where Podfile is located:

pod install --allow-root

After running successfully, check if Podfile.lock file was created.

Go Support in Checkmarx SCA

Go Modules Dependency Resolver

Manifest files: go.mod(required), go.sum

Package Manager used: GoModules

Installation

Debian:

Use the following procedure to install Go version 1.16.6 and other necessary tools.

  1. Download Go: wget https://golang.org/dl/go1.16.6.linux-amd64.tar.gz

  2. Extract: tar -xvzf go1.16.6.linux-amd64.tar.gz && rm -f go1.16.6.linux-amd64.tar.gz

  3. Update path environment variable: export PATH=$PATH:{extractedPath}/go/bin . {extractedPath} should be replaced by the path where you ran the previous command.

  4. To ensure Go is installed correctly, open a console and run the following command: go version.

    If Go is correctly installed, you should receive a message indicating which version is installed on your machine.

Dependency Resolution

If “go.sum” does not exist, dependencies from “go.mod” will be installed and “go.sum” file will be generated. Then a dependency graph will be generated that is used to build the dependency tree.

Test

  1. Run the following command where go.mod is located: go mod download

  2. After running successfully, check if go.sum file is created. Then run the following command: go mod graph

  3. After a successful build, check if the output contains the dependencies for the project.

Container Scan in Checkmarx SCA

Manifest files: Dockerfile*

Package Manager used: none

Installation

No Installation needed

Dependency Resolution

The dependency resolution process involves downloading the manifest files from Docker Hub via API.

Checkmarx SCA Resolver uses Dockerfile* files information to collect and generate the set of dependencies based on docker layers.

Test

Since there are no package manager specific requirements, there is no need to perform any prerequisite test before using container scans in Checkmarx SCA.

Limitations

Authentication

Docker Hub API has restrictions for anonymous requests. We offer the possibility to authenticate your requests through these environment variables:

  • DOCKERHUBUSERNAME

  • DOCKERHUBTOKEN

Notice

Authenticating with Docker Hub also enables Resolver to access your private repositories.

Build Arguments

Some projects may contain build arguments that are required for layer resolution.

Checkmarx SCA Resolver supports the use of a .env_cxsca-container-build-args file, which can be added to the repository code to provide custom build arguments to Dockerfile FROM instructions. We recommend using this file when a Dockerfile is present and the build process requires arguments, in order to enhance the docker layer resolution and improve results.

For more info about using custom build arguments, see Container Scans.

RubyGems Dependency Resolver

Manifest files: gemfile (required), gemfile.lock

Package Manager used: RubyGems

Installation

Debian install command:

apt -q install ruby-full -y && gem install bundler

This command will install the latest available version of Ruby, RubyGems and Bundler.

To ensure that RubyGems is installed, run gem --version

To ensure that Bundler is installed, run bundler --version

Dependency Resolution

If Gemfile.lock does not exist, the dependencies from the Gemfile are installed and the Gemfile.lock file is generated. This file is then parsed to create the dependency tree.

Test

Run the following command where the Gemfile is located:

bundler

After it runs successfully, check that a Gemfile.lock file was created.

Unity Package Manager Dependency Resolver

Manifest files: manifest.json (required), package.json (required)

Package Manager used: none

Requirements: none

Note

Unity’s SDK, although cross-platform, has a hard dependency on the .NET Framework, which would require Mono on the other supported platforms. Checkmarx uses custom handling and resolution of the manifest files to remove this requirement. This approach provides platform-agnostic resolution without any installation prerequisites.

Installation

No Installation needed

Dependency Resolution

The dependency resolution process involves two elements, determining the package version (which is found in the manifest.json) and determining which Unity version is in use (which is found in the package.json).

Test: none

Notice

Since there are no specific requirements for the package manager, there is no need to perform a prerequisite test before using Unity in Checkmarx SCA.

Limitations

Since Checkmarx SCA Resolver doesn’t use the Unity Package Manager, it is possible that some transitive dependencies may be left out if the packages are not included in the scan.

Perl Support in Checkmarx SCA

Cpan Dependency Resolver

Manifest files: cpanfile (required), cpanfile.snapshot (optional)

Package Manager used: cpan and carton

Installation

Debian install command:

apt -q install perl -y && cpan Carton

This command will install the latest available version of Perl, Cpan and Carton.

To ensure that Cpan is installed, run cpan --version

To ensure that Carton is installed, run carton --version

Dependency Resolution

If cpanfile.snapshot does not exist, dependencies from cpanfile will be installed and the cpanfile.snapshot file will be generated. This file will then be processed to create the dependencies tree.

Test:

Run the following command where cpanfile is located:

carton

After running successfully, check if cpanfile.snapshot file was created.

Limitations

Many Cpan packages must be compiled as part of the resolution process. The environment where the scan is performed must be able to compile these dependencies; otherwise, the resolution will fail.

Development and test dependencies are not resolved for Cpan. This is done to improve scan speed.

Pub Support in Checkmarx SCA

Pub Dependency Resolver

Manifest files: pubspec.lock (required)

Package Manager used: none

Requirements: none

Installation: no installation needed

Dependency Resolution

No package manager is run. Checkmarx SCA Resolver reads the pubspec.lock file directly to gather the information needed to generate the set of dependencies.

Test: no testing needed

Limitations
  • We only identify direct dependencies in Pub, not transitive dependencies.

  • We only identify Malicious Packages in Pub, not packages with vulnerabilities.
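The dependency resolution steps above for Go, RubyGems, Cpan, Unity and Pub share one pattern: Resolver parses a lockfile when it exists and otherwise runs the package manager to install the dependencies and create it. That install step needs network access to the registries and executes the package manager's install hooks inside the scan environment, so a pipeline should know in advance which ecosystems will trigger it. The following pre-flight script is an added example for this page, not Checkmarx code; it checks a source tree for the manifest/lockfile pairs named in those sections. Its ecosystem labels, output format and exit codes are its own conventions.

```shell
#!/bin/sh
# Added example (not part of Checkmarx's documentation or of ScaResolver): a
# pre-flight check to run before handing a source tree to Resolver. For each
# ecosystem described above it reports whether the manifest is present and
# whether the lockfile/snapshot that Resolver parses already exists. A missing
# lockfile means Resolver will run the package manager to install the
# dependencies and generate it. Ecosystem names and output format are ours.

# preflight <dir>
# Prints one line per detected ecosystem:
#   <ecosystem> manifest=<file> lockfile=<file|MISSING|n/a>
# Returns 0 when every detected lockfile is present, 1 when at least one is
# missing (Resolver would generate it), 2 when no supported manifest was found.
preflight() {
    dir=$1
    found=0
    missing=0
    # ecosystem:manifest:lockfile, from the resolver sections above. Unity's
    # manifest.json and Pub's pubspec.lock are parsed directly (no lockfile step).
    for entry in Go:go.mod:go.sum RubyGems:Gemfile:Gemfile.lock \
                 Cpan:cpanfile:cpanfile.snapshot Unity:manifest.json:- Pub:pubspec.lock:-; do
        eco=${entry%%:*}
        rest=${entry#*:}
        manifest=${rest%%:*}
        lock=${rest##*:}
        [ -f "$dir/$manifest" ] || continue
        found=1
        if [ "$lock" = "-" ]; then
            state=n/a
        elif [ -f "$dir/$lock" ]; then
            state=$lock
        else
            state=MISSING
            missing=1
        fi
        printf '%s manifest=%s lockfile=%s\n' "$eco" "$manifest" "$state"
    done
    # Container scans have no lockfile, but they need --scan-containers and Syft.
    for f in "$dir"/Dockerfile*; do
        [ -e "$f" ] || continue
        found=1
        printf 'Container manifest=%s lockfile=n/a (requires --scan-containers)\n' "${f##*/}"
    done
    [ "$found" -eq 1 ] || return 2
    [ "$missing" -eq 0 ]
}
```

Run it as `preflight /path/to/source` from the same machine and user that will run Resolver; a non-zero status is a signal to either commit the lockfiles or make sure the build agent has the package managers installed and registry access before the scan starts.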

Checkmarx SCA Resolver Configuration Arguments

Most Checkmarx SCA Resolver configuration parameters can be submitted either as command line arguments or by editing the configuration.yml file.

Notice

Certain parameters must be submitted via the config file. Therefore, it is mandatory to include the configuration.yml file (which is included in the Checkmarx SCA Resolver download) in the same folder as the ScaResolver binary.

Note

The info provided on this page relates to running Resolver as a standalone tool. If you are running Resolver via an external platform such as the Checkmarx One CLI tool or plugins, or the CxSAST/CxSCA CLI tool or plugins, then only Offline arguments can be used. In addition, the mandatory arguments differ for different platforms. See the relevant SAST/SCA Integrations documentation for details.

Configuration.yml file Specifications

Warning

As of version 2.0, Configuration.ini format is no longer supported. It is now mandatory to include the Configuration.yml file containing your config data.

The configuration file must be located in the same folder as the ScaResolver binary.

The configuration file has the format of KeyName: Value.

The file must follow the yaml file format specification.

Connecting to your SCA Environment

The config file includes parameters for configuring the connectivity to your SCA environment. By default these values are set for the US environment. If you are using the EU environment, you will need to adjust these values accordingly.
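As an added example (not Checkmarx code), the following script writes a Configuration.yml from environment variables, using the config file keys and US default URLs listed in the tables below. Generating the file this way keeps one template for every environment and keeps the password out of the file, as the Password tip below recommends. The SCA_* variable names, the BreakOnManifestFailure setting and the requirements-*.txt pattern are this script's assumptions; for the EU environment, set the three URL variables to your EU values.

```shell
#!/bin/sh
# Added example, not part of Checkmarx's documentation: generate Configuration.yml
# next to the ScaResolver binary from environment variables. Key names and US
# default values come from the argument tables on this page; the SCA_* variable
# names and the pip pattern are this script's own assumptions.
#
# The Password key is deliberately not written: pass the password at run time
# instead (for example -p "$SCA_PASSWORD" from a CI secret).

# write_config <path-to-Configuration.yml>
write_config() {
    out=$1
    : "${SCA_ACCOUNT:?set SCA_ACCOUNT to your SCA account name}"
    # US defaults; override all three URLs for another region.
    server=${SCA_SERVER_URL:-https://api-sca.checkmarx.net}
    auth=${SCA_AUTH_SERVER_URL:-https://platform.checkmarx.net}
    app=${SCA_APP_URL:-https://sca.checkmarx.net}
    cat > "$out" <<EOF
# Generated by write_config. Format: KeyName: Value, one per line.
Account: $SCA_ACCOUNT
ServerUrl: $server
AuthenticationServerUrl: $auth
ScaAppUrl: $app
LogsDirectory: ${SCA_LOGS_DIR:-logs}
LogLevel: ${SCA_LOG_LEVEL:-Information}
# Fail the scan (exit code 9) instead of silently skipping a manifest.
BreakOnManifestFailure: true
# Config-file-only setting; currently pip only. Pattern below is an assumption.
AdditionalManifestPatterns:
  pip:
    - requirements-*.txt
EOF
}

# config_get <path> <Key>: read back one scalar value, for sanity checks in CI.
config_get() {
    sed -n "s/^$2: *//p" "$1"
}
```

Run `write_config ./Configuration.yml` in the directory that holds the ScaResolver binary, since that is where Resolver looks for the file (or point Resolver at another location with -c | --config-path).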

Configuration Arguments - Tables and Samples

The following tables describe the supported arguments that can be used in Resolver. You can submit --help to get the list of supported parameters.

Each entry below gives the argument, then its name, config file key, the mode(s) it is used in and its default value, followed by its description. Footnotes are given at the end of the list.

-a | --account
Name: Account; Config file key: Account; Used in mode: Online, Upload; Default value: -
Your SCA account name.

--authentication-server-url
Name: Authentication Server URL [1]; Config file key: AuthenticationServerUrl; Used in mode: Online, Upload; Default value: https://platform.checkmarx.net
The URL of the SCA Access Control server.

--logs-path
Name: Logs Directory [2]; Config file key: LogsDirectory; Default value: logs
The directory to which log files are written.

-p | --password
Name: Password [3]; Config file key: Password; Used in mode: Online, Upload; Default value: -
The password for your SCA user account.
Tip: You can configure a custom environment variable to hold the password. This is preferable to storing the password in clear text in the config file.

--containers-result-path
Name: Path to read container results; Config file key: ContainersResultPath; Used in mode: Upload; Default value: -
The path to the file of saved container results that you are uploading.
Tip: Mandatory for container scans.

-r | --resolver-result-path
Name: Path to read ScaResolver results; Config file key: ResolverResultPath; Used in mode: Upload; Default value: -
The path to the file of saved resolver results that you are uploading.

--containers-result-path
Name: Path to save container results; Config file key: ContainersResultPath; Used in mode: Offline; Default value: -
The path to the directory/file where the container results will be saved (for future upload).
Tip: Mandatory for container scans (--scan-containers).

-r | --resolver-result-path
Name: Path to save ScaResolver results; Config file key: ResolverResultPath; Used in mode: Offline; Default value: -
The path to the directory/file where the resolver results will be saved (for future upload).

-n | --project-name
Name: Project Name; Config file key: ProjectName; Used in mode: All; Default value: -
To scan an existing SCA Project, enter its name. Alternatively, enter a new Project name to create a new Project in SCA.

--sso-provider
Name: Provider name [3]; Config file key: SsoProviderName; Used in mode: Online, Upload; Default value: -
The name of your SSO provider. Alternatively, you can give the name of your Master Access Control instance. For more info see SAML Authentication for Checkmarx SCA Resolver.

--sca-app-url
Name: SCA Application URL; Config file key: ScaAppUrl; Used in mode: Online, Upload; Default value: https://sca.checkmarx.net
The URL of the SCA web application.

-s | --scan-path
Name: Scan Path; Config file key: N/A; Used in mode: Online, Offline; Default value: -
Path to the folder to be scanned.
Note: This must be the path to a local folder that contains the source code, not to a zip archive or a code repository.

--server-url
Name: Server URL [1]; Config file key: ServerUrl; Used in mode: Online, Upload; Default value: https://api-sca.checkmarx.net
The URL of the SCA API server.

-u | --username
Name: Username [3]; Config file key: Username; Used in mode: Online, Upload; Default value: -
Your username for the SCA account.

[1] The default values for Server URL and Authentication Server URL are preconfigured in the config file, so it is unnecessary to submit these arguments in the CLI.

[2] The default value for Logs Directory is preconfigured in the config file. There is no argument for adjusting this value in the CLI.

[3] Authentication is done either with your Checkmarx SCA credentials or via your SSO provider. Therefore, you must submit either -u | --username and -p | --password or --sso-provider, but not both.

Samples using mandatory arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!"

Each entry below gives the argument, then its name, config file key, the mode(s) it is used in and its default value, followed by its description. Parameters listed as "N/A (config file only)" have no command line argument and can only be set in the config file.

N/A (config file only)
Name: Additional Manifest Patterns; Config file key: AdditionalManifestPatterns; Used in mode: Online, Offline; Default value: N/A
Allows you to specify additional file patterns to detect as manifests.
Tip: Currently supported only for pip.
Syntax:

AdditionalManifestPatterns:
  pip:
    - example-*.txt

--project-tags
Name: Add tags to project; Config file key: N/A; Used in mode: Online, Upload; Default value: None
Comma-separated tags to be assigned to the project. A tag can be a simple string or a key:value pair.

--scan-tags
Name: Add tags to scan; Config file key: N/A; Used in mode: Online, Upload; Default value: None
Comma-separated tags to be assigned to the scan. A tag can be a simple string or a key:value pair.

--break-on-manifest-failure
Name: Break on manifest failure; Config file key: BreakOnManifestFailure; Used in mode: Online, Offline; Default value: False
When this flag is used, the scan fails and exit code 9 is returned when resolution fails for one or more of the manifest files.

--bypass-exitcode
Name: Bypass exit code; Config file key: BypassExitCode; Used in mode: All; Default value: False
If set to "true", the exit code is overridden and set to 0, enabling the scan to pass through the CI/CD pipeline.

-c | --config-path
Name: Change configuration file; Config file key: N/A; Used in mode: All; Default value: Configuration.yml
Changes the config file used for the scan.

--netrc-path
Name: Custom NetRc path; Config file key: NetRcPath; Used in mode: Online, Offline; Default value: None
Specify the path to the .netrc file to be used.

--override-default-excludes
Name: Disable default exclusions; Config file key: OverrideDefaultExcludes; Used in mode: Online, Offline; Default value: False
When this is set, only the folders and files specified in the --excludes flag are excluded.

--disable-delta-scan
Name: Disable delta scan; Config file key: DisableDeltaScan; Used in mode: Offline; Default value: False
Override the default behavior of running Delta scans when using Resolver in Checkmarx One.
Note: For SCA standalone users, Resolver does not run Delta scans, so this flag is not relevant for standalone users.

--no-upload-manifest
Name: Disable manifest upload; Config file key: N/A; Used in mode: Online; Default value: False (i.e., manifest files are uploaded)
When this argument is set, the manifest files are not uploaded to Checkmarx SCA Cloud.
Tip: Preventing manifest uploads doesn't affect the scan's effectiveness, but it may limit Checkmarx SCA's ability to suggest precise mitigation actions.

--disable-parameter-sanitization
Name: Disable parameters sanitization; Config file key: DisableParameterSanitization; Used in mode: Online, Offline; Default value: False
Disable sanitization of the package managers' additional parameters (see the allowed-character list under the custom parameters below).

-e | --excludes
Name: Excludes; Config file key: ExcludePatterns; Used in mode: Online, Offline; Default value: the default excluded folders are node_modules, bower_components, .git, vendor and Carthage
Specify file and folder patterns to exclude from the zip file being scanned. See the examples below.
Tip: Using this argument adds to the list of exclusions; it does not override the default exclusions.

--extract-archives
Name: Extensions to be extracted; Config file key: N/A; Used in mode: Online, Offline; Default value: ".zip, .ear, .war, .gz"
Submit a comma-separated list of archive extensions to be extracted.
Tip: When you use the argument to add custom file types, that overrides the default types. If you want the default types to be extracted as well, you must include them in the comma-separated list.
Notice: .gz is only supported for archives that contain a .tar archive (.tar.gz).

--extract-depth
Name: Extraction depth level; Config file key: N/A; Used in mode: Online, Offline; Default value: 1
The depth level of file extraction.
Tip: Increasing the depth level improves the accuracy of the results but significantly increases the scan time.
Tip: This flag is relevant only for packages identified by unpacking archive files (e.g., .jars, .wars etc.), not for those identified via manifest files.

--gradle-dev-scopes
Name: Gradle Dev Scopes; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Gradle user-defined dev dependency scopes.

--gradle-ignore-modules
Name: Gradle Excluded Submodules; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Gradle sub-modules to ignore.

--gradle-exclude-scopes
Name: Gradle Exclude Scopes; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Gradle dependency scopes to exclude.

--gradle-include-modules
Name: Gradle Include Modules; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Include only the specified Gradle project submodules.

--gradle-include-scopes
Name: Gradle Include Scopes; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Gradle dependency scopes to include.

--gradle-plugin-scopes
Name: Gradle Plugin Scopes; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Gradle user-defined plugin scopes.

--help
Name: Help; Config file key: N/A; Used in mode: All; Default value: N/A
Shows a list of supported arguments for SCA Resolver in the console output.

--ignore-dev-dependencies
Name: Ignore Dev Dependencies; Config file key: IgnoreDevDependencies; Used in mode: Online, Offline; Default value: False
Ignores dev dependencies in the pre-scan stage.

--ignore-test-dependencies
Name: Ignore Test Dependencies; Config file key: IgnoreTestDependencies; Used in mode: Online, Offline; Default value: False
Ignores test dependencies in the pre-scan stage.

--images
Name: Images to scan; Config file key: N/A; Used in mode: Online, Offline; Default value: None
Specify the container images to be scanned as a comma-separated list.
Tip: When this flag is used, the --scan-containers flag is also required.

--ivy-report-target
Name: Ivy report target; Config file key: N/A; Used in mode: Online, Offline; Default value: False
Specify the name of the Ivy target used for writing reports when resolving dependencies in Ivy.
Tip: If this flag is used, the "Path to save Ivy reports" flag (--ivy-report-files-dir) must also be set.

--log-level
Name: Log Level; Config file key: LogLevel; Used in mode: All; Default value: Information
Sets the lowest threshold for log messages. Enter one of the following enum values: Verbose, Debug, Information, Warning, Error, Fatal.

N/A (config file only)
Name: Maximum attempts to check scan status; Config file key: ScanReportMaxRetries; Used in mode: All; Default value: 2147483647
The maximum number of requests sent to check the status of the scan.

--containers-cache-path
Name: Path to cache containers image; Config file key: ContainersImagesCacheDirectory; Used in mode: Online, Offline; Default value: Cache
Path to the directory where the container images cache will be written.
Tip: Only used when container scanning is enabled.

--nugetcli-path
Name: Path to nuget CLI executable; Config file key: NugetCliPath; Used in mode: Online, Offline; Default value: False
Specify the path to the NuGet CLI executable to use.

--manifests-path
Name: Path to project's manifest; Config file key: ManifestsPath; Used in mode: Upload; Default value: none (when this flag isn't used, no manifest file is uploaded)
When this argument is set, the manifest file in the specified path is uploaded to Checkmarx SCA Cloud.

--ivy-report-files-dir
Name: Path to save Ivy reports; Config file key: N/A; Used in mode: Online, Offline; Default value: False
Specify the todir for writing reports when resolving dependencies in Ivy.
Tip: If this flag is used, the "Ivy report target" flag (--ivy-report-target) must also be set.

--private-dependency-name
Name: Private dependency name; Config file key: PrivateDependencyName; Used in mode: Online, Offline; Default value: False
The name of the private package. This flag must be used in conjunction with --private-dependency-version and --private-dependency-type.
Tip: You can designate a scan as a "Private Package" and assign a package version to it. Once a private package has been scanned, SCA identifies the risks affecting that package when that package version is used in any of your projects. See the Checkmarx article on private packages for details.

--private-dependency-type
Name: Private dependency type; Config file key: PrivateDependencyType; Used in mode: Online, Offline; Default value: False
The package manager used for accessing the private package, e.g., Go, Nuget, Npm, maven.
Tip: The complete list of supported types is available via the Resolver help command.

--private-dependency-version
Name: Private dependency version; Config file key: PrivateDependencyVersion; Used in mode: Online, Offline; Default value: False
The version of the package.

-t | --project-teams
Name: Project Teams; Config file key: N/A; Used in mode: Online, Upload; Default value: the project is accessible to all users
Comma-separated list of teams to assign to a newly created project. If the project already exists, this is ignored. Give the full team hierarchy, prefixed by a forward slash, e.g. /CxServer/Team01/Team01a.

--proxies
Name: Proxy; Config file key: N/A; Used in mode: Online, Offline; Default value: None
The proxy to use for internet requests. You can enter comma-separated proxies for HTTP and HTTPS, and include authentication credentials for HTTPS. See Proxy Scans.

--python-version
Name: Python version; Config file key: PythonVersion; Used in mode: Online, Offline; Default value: V3
Specify the Python version to be used for package resolution. Enter one of the following enum values: V2 or V3.

-q | --quiet
Name: Quiet mode; Config file key: N/A; Used in mode: Online; Default value: False
When this flag is used, logs aren't written to the console output. They are still written to the log files.

--scan-containers
Name: Run containers scan; Config file key: N/A; Used in mode: Online, Offline; Default value: False
Scan the Dockerfiles in your project to identify the container images it uses. See Container Scans.
Tip: Requires Syft v0.83.1 to be installed on the machine where you are running Resolver.

--containers-result-path
Name: Save containers result output; Config file key: N/A; Used in mode: Online; Default value: None
Save the container results, which is helpful for troubleshooting. Specify the path to the directory where you want the output to be saved.
Tip: In Offline mode this is a mandatory parameter. It is also mandatory when scanning via Checkmarx One CLI, where the path must be set as <base_folder_path>/.cxsca-container-results.json:
  • <base_folder_path> must be identical to the value given for -s.
  • The precise file name .cxsca-container-results.json must be used.

--save-evidence-path
Name: Save resolved dependency output; Config file key: N/A; Used in mode: Online; Default value: None
Saves evidence of the resolved dependencies, which is helpful for troubleshooting. Specify the path to the directory where you want the output to be saved.

--severity-threshold
Name: Severity Threshold; Config file key: SeverityThreshold; Used in mode: Online, Upload; Default value: None
The vulnerability severity level from which to return an error exit code. Enter one of the following enum values: Low, Medium, High or None (do not test).

N/A (config file only)
Name: Time between scan report requests; Config file key: ScanReportWaitForFinishDelayInSeconds; Used in mode: Online, Upload; Default value: 5
Time in seconds before resending the request for the scan's risk report.

Version
Name: Version; Config file key: N/A; Used in mode: All; Default value: N/A
Prints the version to the console output.

N/A (config file only)
Name: Version of Graphviz; Config file key: GraphvizVersion; Used in mode: Online, Offline; Default value: N/A
Specify the version of Graphviz to be used for package resolution.

N/A (config file only)
Name: Version of pipdeptree; Config file key: PipDepTreeVersion; Used in mode: Online, Offline; Default value: None
Specify the version of pipdeptree to be used for package resolution.

Samples using some optional arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --log-level Debug --save-evidence-path ./evidences.json --extract-archives zip,ear --extract-depth 3 --gradle-exclude-scopes api,testCompile

Sample of folder exclusions:

Notice

The syntax shown below excludes only folders with the precise name that is specified. If you would like to exclude all folders that have the specified string anywhere in the file path, then you need to omit the backslashes, like this: *project2*.

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*\project2\*,*\project 3\*'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" -e "*\project2\*,*\project 3\*"

Sample of file exclusions:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' -e '*.ext1,*file name.ext2'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" -e "*.ext1,*file name.ext2"

Sample of tags:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --project-tags "Dev" --scan-tags "version:0.2"

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --project-tags "Dev" --scan-tags "version:0.2"

Sample of private packages:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --private-dependency-name 'my-private-package' --private-dependency-version '1.0.0' --private-dependency-type 'Npm'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --private-dependency-name "my-private-package" --private-dependency-version "1.0.0" --private-dependency-type "Npm"

Notice

The custom parameters enable you to add additional parameters to the scan command. They do not override the package manager flag commands that are built into the Checkmarx SCA Resolver.

Warning

Certain special characters aren't supported in the arguments sent to the package managers. The following characters are allowed:

  • Numbers and letters (lower and upper case)

  • Blank characters (space, tab, new line, etc.)

  • _  -  =  +  *  .  ,  :  @  '  "  /  \

It is possible to bypass the sanitization and let all characters through by adding the --disable-parameter-sanitization flag. The characters that sanitization rejects include shell metacharacters such as ; | & $ ( ) and backticks, so only disable it for argument values you fully control.

Each entry below gives the argument, then its name, config file key and the mode(s) it is used in, followed by its description. None of the custom parameters is mandatory.

--bower-parameters
Name: Bower Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the bower package manager command.

--cocoapods-parameters
Name: CocoaPods Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the CocoaPods package manager command.

--composer-parameters
Name: Composer Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the composer package manager command.

--gradle-parameters
Name: Gradle Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the Gradle package manager command.

--ivy-parameters
Name: Ivy Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the Ivy package manager command.

--lerna-parameters
Name: Lerna Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the lerna package manager command.

--maven-parameters
Name: Maven Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the maven package manager command.

--npm-parameters
Name: NPM Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the npm package manager command.

--nuget-parameters
Name: Nuget Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the nuget package manager command.

--pip-parameters
Name: Pip Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the pip package manager command.

--poetry-parameters
Name: Poetry Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be passed directly to the Poetry package manager command.

--sbt-parameters
Name: Sbt Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the sbt package manager command.

--yarn-parameters
Name: Yarn Custom Parameters; Config file key: none; Used in mode: Online, Offline
Parameters to be appended directly to the yarn package manager command.

Sample using custom arguments:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --gradle-parameters='-PUSERNAME=abc -PPASSWORD=cba'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --gradle-parameters="-PUSERNAME=abc -PPASSWORD=cba"
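The custom parameters above are passed straight to the package manager, and the Gradle sample puts a repository credential on the command line, where it is visible in process listings and pipeline logs. The following CI wrapper is an added example for this page, not Checkmarx code. It checks the parameter value against the allowed-character list from the warning above before Resolver sees it (instead of reaching for --disable-parameter-sanitization), derives the container result path from the scan path in the form Checkmarx One CLI requires, and maps Resolver's exit code back to a pipeline decision, treating exit code 9 as the documented manifest-resolution failure from --break-on-manifest-failure. The wrapper's own exit code 64 for rejected parameters and the way extra arguments are passed through are its own conventions; the credential value itself should come from a CI secret variable rather than a literal.

```shell
#!/bin/sh
# Added example (not part of Checkmarx's documentation or of ScaResolver): a CI
# wrapper around the Resolver invocation. It (1) validates custom package
# manager parameters against Resolver's allowed-character list, (2) derives
# the container result path required by Checkmarx One CLI from -s, and
# (3) maps the exit code to a pipeline decision. Exit code 64 for rejected
# parameters is this script's convention, not Resolver's.

# check_pm_params <string>
# Returns 0 when <string> contains only characters Resolver's sanitization
# accepts: letters, digits, whitespace and _ - = + * . , : @ ' " / \
# Anything else (for example ; $ ( ) ` | &) makes it return 1.
check_pm_params() {
    allowed='A-Za-z0-9 \t\n_=+*.,:@/'"'"'"\\-'
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d "$allowed")
    [ -z "$bad" ]
}

# containers_result_path <scan_path>
# Checkmarx One CLI requires exactly <scan_path>/.cxsca-container-results.json.
containers_result_path() {
    printf '%s/.cxsca-container-results.json' "${1%/}"
}

# run_resolver <resolver_binary> <scan_path> <project_name> <gradle_params> [extra args...]
# <gradle_params> may be empty. Extra args (account/credentials for Online
# mode, or -r for the Offline result file) are passed through unchanged.
run_resolver() {
    bin=$1; scan=$2; project=$3; pm=$4
    shift 4
    if [ -n "$pm" ] && ! check_pm_params "$pm"; then
        echo "run_resolver: gradle parameters contain characters Resolver rejects; not running" >&2
        return 64
    fi
    set -- -s "$scan" -n "$project" \
           --scan-containers --containers-result-path "$(containers_result_path "$scan")" \
           --break-on-manifest-failure "$@"
    if [ -n "$pm" ]; then
        set -- "$@" --gradle-parameters="$pm"
    fi
    rc=0
    "$bin" "$@" || rc=$?
    case $rc in
        0) echo "run_resolver: resolution succeeded" ;;
        9) echo "run_resolver: one or more manifests failed to resolve (exit code 9)" >&2 ;;
        *) echo "run_resolver: Resolver exited with code $rc" >&2 ;;
    esac
    return $rc
}
```

A pipeline step would call it as `run_resolver /sca/ScaResolver "$CI_PROJECT_DIR" MyApp "-PUSERNAME=$REPO_USER -PPASSWORD=$REPO_TOKEN" -a Checkmarx -u "$SCA_USER" -p "$SCA_PASSWORD"`; because the wrapper returns Resolver's own exit code, --severity-threshold and --bypass-exitcode keep their documented effect on the pipeline.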

Each entry below gives the argument, then its name, config file key, the allowed enum values, the mode(s) it is used in and its default value, followed by its description.

--report-content
Name: Report Content; Config file key: none; Enums: All, Packages, Vulnerabilities, Licenses; Used in mode: Online, Upload; Default value: All
Specify the type of content to be included in the report.

--report-extension
Name: Report Extension; Config file key: none; Enums: Json, Xml, Csv (saved as a zip with multiple Csv files), Pdf; Used in mode: Online, Upload; Default value: Json
Specify the file type of the report.
Note: You can specify multiple (comma-separated) extension types in order to generate a file of each type.
Note: CycloneDx reports must be in Json or Xml format.

--report-path
Name: Report Path; Config file key: none; Enums: -; Used in mode: Online, Upload; Default value: reports
Specify the path to the location where the report will be saved.

--report-type
Name: Report Type; Config file key: none; Enums: Risk, CycloneDx, None; Used in mode: Online, Upload; Default value: None
Use this flag to generate a report. There are two types of reports:
  • Risk Report - A comprehensive report of the risks identified by Checkmarx SCA.
  • CycloneDx - A Software Bill of Materials (SBOM) report in the CycloneDx format.

Risk Report sample:

Linux/MacOS

./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Pdf,Json,Csv --report-type Risk

Windows

./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Pdf,Json,Csv --report-type Risk

You can generate an SBOM Report in json or xml format when running a scan using Checkmarx SCA Resolver (version 1.5.52+).

SBOM Report sample:

Linux/MacOS

./ScaResolver -s /Users/DemoUser/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --report-extension Xml,Json --report-type CycloneDx

Windows

./ScaResolver.exe -s C:\Users\DemoUser\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --report-extension Xml,Json --report-type CycloneDx

To run a scan using the Exploitable Path feature, add the following arguments in addition to the regular mandatory arguments. See Exploitable Path.

Note

Attributes marked as mandatory below are mandatory only when running an Exploitable Path scan. When running an Exploitable Path scan in Upload mode, you can either include the attributes that specify the account and Project info or the path to the result file.

Each entry below gives the argument, then its name, config file key, whether it is mandatory, the mode(s) it is used in and its default value, followed by its description.

--sast-result-path
Name: Path to read SAST results; Config file key: SastResultPath; Mandatory: for Upload mode, either this attribute with the path to the result file or the account and Project info; Used in: Upload; Default value: false
Specify the path to the file of the saved SAST results that you are uploading.

--sast-result-path
Name: Path to save SAST results; Config file key: SastResultPath; Mandatory: YES (for Offline mode); Used in: Offline; Default value: false
Specify the path to the directory/file where the SAST results will be saved (for future upload).

--cxpassword
Name: SAST Authentication server password; Config file key: SastPassword; Mandatory: YES; Used in: All; Default value: -
Your password for the SAST Authentication server.

--cxuser
Name: SAST Authentication server username; Config file key: SastUserName; Mandatory: YES; Used in: All; Default value: -
Your username for the SAST Authentication server.

--cxprojectid
Name: SAST Project ID; Config file key: SastProjectId; Mandatory: either the Project ID or the Project name; Used in: All; Default value: -
The ProjectId of the Project that you created in SAST for running the SCA Exploitable Path feature.

--cxprojectname
Name: SAST Project name; Config file key: SastProjectName; Mandatory: either the Project ID or the Project name; Used in: All; Default value: -
The name of the Project that you created in SAST for running the SCA Exploitable Path feature.

--cxserver
Name: SAST Server endpoint; Config file key: SastServer; Mandatory: YES; Used in: All; Default value: -
Your CxServer endpoint, e.g., https://checkmarxServer/

N/A (config file only)
Name: Timeout for receiving response from SAST; Config file key: EngineResultsReceiveTimeOutMinutes; Mandatory: NO; Used in: All; Default value: 15 min.
Maximum time to wait to receive the results from the SAST engine.

N/A (config file only)
Name: Timeout for sending request to SAST; Config file key: EngineResultsReceiveTimeOutMinutes; Mandatory: NO; Used in: All; Default value: 2 min.
Maximum time to wait when sending the request to the SAST engine.

N/A (config file only)
Name: Time period to check for SAST results; Config file key: OldResultsThresholdMinutes; Mandatory: NO; Used in: All; Default value: 1 day
The time period for which SAST results are checked. If multiple results exist, the most recent is used.
Tip: Exploitable Path is based on results from the most recent full SAST scan of the project; results from incremental scans aren't considered.
Tip: There is no CLI argument for this parameter, so it must be set in the config file.

Sample using Exploitable Path:

Linux/MacOS

./ScaResolver -s /home/jack/src/MyApp -n MyApp -a Checkmarx -u jack -p 'demo123!' --cxuser bob --cxpassword 'demoabc!' --cxprojectname DemoCxProject --cxserver 'https://checkmarxServer'

Windows

./ScaResolver.exe -s C:\home\jack\src\MyApp -n MyApp -a Checkmarx -u jack -p "demo123!" --cxuser bob --cxpassword "demoabc!" --cxprojectname DemoCxProject --cxserver "https://checkmarxServer"