VSCode Tutorial - Settings.json
Goals
This tutorial is designed to teach the following topics:
How to enable scanning any folder or file from the CxVSCode plugin
How to move to Quiet (silent) mode
How to exclude or include files or folders
How to change the report path
How to configure a proxy
Note
When a proxy is configured, the VSCode plugin supports only an HTTPS SAST server.
Prerequisites
VSCode 1.44 or later
CxSAST 9.0 or higher with known user credentials
Source code available
Checkmarx VSCode extension installed and enabled.
The following tutorials completed:
Login
Scan & Reports
settings.json available in the active workspace inside the .vscode folder.
Procedure – Enabling Avoid Duplicate Project Scans In Queue
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Avoid Duplicate Project Scans In Queue option.
Verify that the following has been added to the settings.json file:
"cx.avoidDuplicateProjectScansInQueue": true
Note
While this option is enabled, a new scan of a project cannot be started while a scan of that project is already in progress or queued.
Disable the Avoid Duplicate Project Scans In Queue option.
Verify that the settings.json file has been updated and that cx.avoidDuplicateProjectScansInQueue has been removed.
Procedure – Enabling Scan any Folder or File
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Enable Scan Buttons option.
Verify that the following has been added to the settings.json file:
"cx.enableScanButtons": true
In the CX PORTAL toolbar, click Scan Any File. You are asked to select a file for scanning.
Select a file to scan and confirm that the scan completes successfully.
Disable the Enable Scan Buttons option.
Verify that the settings.json file has been updated and that cx.enableScanButtons has been removed.
To verify that the Enable Scan Buttons option is disabled:
In the CX PORTAL toolbar, click Scan Any File. A warning appears indicating that this option is disabled.
Procedure – Change to Quiet Mode
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the Quiet mode option.
Verify that the following has been added to the settings.json file:
"cx.quiet": true
From CX SCAN RESULT, generate a report. No popups appear.
In the CX PORTAL toolbar, click Scan Any File. You are asked to select a file to scan.
Disable the Quiet mode option.
Verify that settings.json has been updated and the cx.quiet setting has been removed.
Procedure – Change Exclude/Include File or Folder Extensions
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Change the File Extensions and Folder Exclusions settings as follows:
Verify that the changes are reflected in the settings.json file.
Notice
Entries that start with an exclamation mark (!) are excluded from the scan; remove the exclamation mark to include them again.
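The following is an added example, not code from the Checkmarx plugin or from this tutorial. It applies the include/exclude convention described above (a leading ! means exclude) to a constructed list of workspace paths, so you can predict which files a given File Extensions / Folder Exclusions list would leave in scope. The page does not say how the plugin matches entries, so the example assumes shell-style globs (Python's fnmatch) matched case-sensitively against forward-slash paths, that an empty include list means "everything", and that an exclusion always wins over an inclusion; the sample patterns and paths are constructed for illustration.

```python
import fnmatch
from typing import Iterable, List, Tuple


def split_patterns(patterns: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split the setting's entries into include and exclude lists.

    Per the tutorial, an entry starting with '!' means "exclude"; dropping
    the '!' turns it back into an include. Blank entries are ignored.
    """
    includes, excludes = [], []
    for entry in patterns:
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("!"):
            excludes.append(entry[1:].strip())
        else:
            includes.append(entry)
    return includes, excludes


def select_files(patterns: Iterable[str], paths: Iterable[str]) -> List[str]:
    """Return the paths that would stay in scope for the scan.

    Assumptions (not stated on the tutorial page): entries are shell-style
    globs matched case-sensitively against forward-slash paths, an empty
    include list means "include everything", and an exclude always wins
    over an include.
    """
    includes, excludes = split_patterns(patterns)

    def hit(path: str, pats: List[str]) -> bool:
        return any(fnmatch.fnmatchcase(path, p) for p in pats)

    selected = []
    for raw in paths:
        path = raw.replace("\\", "/")   # normalise Windows separators
        if includes and not hit(path, includes):
            continue                    # not in scope at all
        if hit(path, excludes):
            continue                    # explicitly excluded
        selected.append(path)
    return selected


# Constructed sample input for illustration; not taken from the page.
SAMPLE_PATTERNS = ["*.java", "*.js", "!*.min.js", "!*node_modules/*", "!*/test/*"]
SAMPLE_PATHS = [
    "src/main/App.java",
    "src\\test\\AppTest.java",
    "web/app.js",
    "web/vendor/jquery.min.js",
    "node_modules/lodash/index.js",
    "README.md",
]

if __name__ == "__main__":
    for path in select_files(SAMPLE_PATTERNS, SAMPLE_PATHS):
        print("scan:", path)
```

With the sample lists, only src/main/App.java and web/app.js remain in scope: the test sources, the minified bundle, the node_modules tree and the non-code README are all dropped. Keep exclusions narrow (a pattern such as !*test* would also remove a file called contest.js), because anything excluded here is never analysed.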
Procedure – Change Report Path
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Edit the Report Path setting as follows:
Check that the edited report path is reflected in the settings.json file in the cx.reportPath variable, for example:
"cx.reportPath": "C:\\Users\\xxxxxx\\OneDrive - yyyyyy\\Documents\\CxFlow\\Report1.json"
Generate a new report and verify that it is written to the configured path.
Procedure – Change the SSL Certificate Path
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Edit the SSL Certificate Path setting as follows:
Check that the SSL certificate path is reflected in the settings.json file in the cx.sslCertificatePath variable, for example:
"cx.sslCertificatePath": "d:\\certificates\\cacert_chain.crt"
The path must point to a certificate chain file that contains all the intermediate and root CA certificates needed for HTTPS connections.
Procedure - Enable User Credentials Login
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Enable the User Credentials Login setting as follows:
Verify that the setting is reflected in the settings.json file in the cx.enableUserCredentialsLogin variable as follows:
"cx.enableUserCredentialsLogin": true
Enable this option to log in with user credentials.
Procedure – Enabling Workspace Only Scan
Click Extensions to open the Extensions page.
Under Checkmarx SAST 9.x, click Settings. A dropdown menu appears.
From the dropdown menu, select Extension Settings.
Select Enable Workspace Only Scan.
Verify that the following line has been added to the settings.json file:
"cx.enableWorkspaceOnlyScan": true
In the CX PORTAL toolbar, click Scan Any File.
Right-click the file, folder or workspace you want to scan. With this option enabled, only the workspace level can be scanned, not an individual file or folder.
Configuring a Proxy
Navigate to File > Preferences > Settings > Application > Proxy. The proxy settings appear.
Under Proxy, enter the URL of the proxy server, for example http://proxyhost:port.
Under Proxy Support, select Override. All HTTP requests from the VSCode extension are then routed through the proxy server.
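The following is an added example, not part of this tutorial or of the Checkmarx plugin. It is a small sanity check to run over a workspace's .vscode/settings.json after following the procedures above: it verifies that the cx.* toggles are JSON booleans (a quoted value such as " true" is a string and is not the same setting), that cx.reportPath names a .json file, that cx.sslCertificatePath exists and contains at least two PEM certificate blocks (intermediate plus root), and that when a proxy URL is set Proxy Support is "override". The keys http.proxy and http.proxySupport are VS Code's own settings, which the proxy procedure sets through the UI; the PEM check is a framing check only (valid base64 that decodes to an ASN.1 SEQUENCE), not chain validation, and the certificate placeholders and settings values are constructed for the example.

```python
import base64
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import List, Tuple

# Keys this tutorial writes to settings.json that the plugin reads as booleans.
BOOLEAN_KEYS = (
    "cx.avoidDuplicateProjectScansInQueue",
    "cx.enableScanButtons",
    "cx.quiet",
    "cx.enableUserCredentialsLogin",
    "cx.enableWorkspaceOnlyScan",
)

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def count_pem_certs(bundle_text: str) -> int:
    """Count PEM certificate blocks whose body is valid base64 and decodes to
    DER framing (first byte 0x30, an ASN.1 SEQUENCE). Framing check only;
    it does not validate signatures or the chain order."""
    count = 0
    for block in PEM_CERT.finditer(bundle_text):
        body = "".join(block.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            count += 1
    return count


def check_settings(settings: dict) -> List[str]:
    """Return the problems found in the cx.* and proxy keys; [] means clean."""
    problems = []
    for key in BOOLEAN_KEYS:
        if key in settings and not isinstance(settings[key], bool):
            # e.g. " true" is a string, not the boolean the plugin expects
            problems.append(f"{key} must be a JSON boolean, got {settings[key]!r}")
    report = settings.get("cx.reportPath")
    if report is not None and not str(report).lower().endswith(".json"):
        problems.append("cx.reportPath should point at a .json file")
    chain = settings.get("cx.sslCertificatePath")
    if chain is not None:
        chain_file = Path(chain)
        if not chain_file.is_file():
            problems.append(f"cx.sslCertificatePath not found: {chain}")
        elif count_pem_certs(chain_file.read_text()) < 2:
            problems.append("certificate chain should hold the intermediate and root CA certificates")
    if settings.get("http.proxy") and settings.get("http.proxySupport") != "override":
        problems.append('http.proxy is set but http.proxySupport is not "override"')
    return problems


def check_settings_text(text: str) -> List[str]:
    """Same check, starting from the raw settings.json text."""
    return check_settings(json.loads(text))


# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x05"


def pem_block(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def demo() -> Tuple[List[str], List[str]]:
    """Check one well-formed and one faulty settings.json in a temp workspace."""
    with TemporaryDirectory() as tmp:
        chain = Path(tmp) / "cacert_chain.crt"
        chain.write_text(pem_block(FAKE_DER) * 2)   # "intermediate" + "root" placeholders
        good = {
            "cx.quiet": True,
            "cx.enableUserCredentialsLogin": True,
            "cx.reportPath": str(Path(tmp) / "Report1.json"),
            "cx.sslCertificatePath": str(chain),
            "http.proxy": "http://proxyhost:8080",
            "http.proxySupport": "override",
        }
        bad = dict(good)
        bad["cx.enableUserCredentialsLogin"] = " true"   # quoted: a string, not a boolean
        bad["cx.reportPath"] = str(Path(tmp) / "Report1.txt")
        bad["http.proxySupport"] = "on"
        return check_settings_text(json.dumps(good)), check_settings_text(json.dumps(bad))


if __name__ == "__main__":
    ok, faulty = demo()
    print("good settings problems:", ok)
    print("faulty settings problems:", faulty)
```

To use it on a real workspace, call check_settings_text(Path(".vscode/settings.json").read_text()); note that VS Code tolerates comments in settings.json while json.loads does not, so strip them first if your file has any.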
Assigning Users
You can assign users to vulnerabilities, as explained below.
Open the Result table from the Settings menu.
Select the vulnerability to which you want to assign the user.
Select Assign User and enter the new user's username. The user appears in the Assigned User column of the selected vulnerability.
Working with Comments
You can add and edit comments for one or multiple vulnerabilities. Adding a comment to multiple vulnerabilities is referred to as a bulk comment from this point on.
To add a comment to one or several vulnerabilities (bulk comment):
In the Result table, select at least one vulnerability and click Add Comment. The Add Comment dialog appears.
Enter the comment and click Submit. The comment is added under Comments for each selected vulnerability. Hover over the edit icon to see all existing comments.
To make adding comments mandatory:
Comments can be made mandatory when a result state is updated in three ways. Each is enabled by a flag in the CxComponentConfiguration table of the CxSAST database, and the plugin behaves the same way for each:
MandatoryCommentOnChangeResultState - When MandatoryCommentOnChangeResultState = true, a comment is required for every result state update.
MandatoryCommentOnChangeResultStateToNE - When MandatoryCommentOnChangeResultStateToNE = true, a comment is required when a result state is changed to Not Exploitable.
MandatoryCommentOnChangeResultStateToPNE - When MandatoryCommentOnChangeResultStateToPNE = true, a comment is required when a result state is changed to Proposed Not Exploitable.
When the corresponding flag is enabled on the CxSAST side, the first attempt to update a result state returns an error message.
Try again; the Add Comment dialog appears and you are asked to add a comment.
Once the comment is added, the new state is shown in the Results State column for the vulnerability and saved, and the comment can be viewed by hovering over the edit icon.