Setting Up the Maven Plugin
The Checkmarx plugin for Maven is simple to configure and run as follows:
1. Make sure that you have Apache Maven installed on the host used to develop your code. If not installed, go to the Apache Maven download site to download and install it.
2. Download and configure the Checkmarx Maven plugin as required.
3. Create a new Maven project and compile it.
For additional information, refer to Frequently Asked Questions.
Prerequisites
Required Application | Version
---|---
Apache Maven | 3.2.0 and higher
CxSAST | 8.9 and higher
CxOSA | 8.7.0 and higher
Maven Plugin | 9.00.2 and higher
Configuring the Checkmarx Maven Plugin
Add the configuration inside the <plugin> section of your pom.xml as illustrated in the code sample below. The sample is a typical pom.xml snippet that applies to both CxSAST and CxOSA scans; it lists the available parameters with sample values.
To include CxSAST and CxOSA in your project, add or modify the parameters in the pom.xml file as illustrated in the code sample and explained in the table below:
Notice
You are unable to start using CxOSA unless the end user license agreement (EULA) has been viewed and accepted.
You can run CxOSA with the CxSAST scan by including the <osaEnabled> tag in the pom.xml file.
You cannot run CxOSA without running the CxSAST scan.
<url>, <username> and <password> are mandatory parameters.
```xml
<build>
  <plugins>
    <plugin>
      <groupId>com.checkmarx.maven</groupId>
      <artifactId>checkmarx-maven-plugin</artifactId>
      <version>x.xx.x</version>
      <configuration>
        <url>http://localhost</url>
        <username>user@org</username>
        <password>Org123456</password>
        <fullTeamPath>CxServer\SP</fullTeamPath>
        <preset>all</preset>
        <isIncrementalScan>false</isIncrementalScan>
        <highSeveritiesThreshold>1</highSeveritiesThreshold>
        <mediumSeveritiesThreshold>20</mediumSeveritiesThreshold>
        <lowSeveritiesThreshold>30</lowSeveritiesThreshold>
        <fileExclusions>file1, file2</fileExclusions>
        <folderExclusions></folderExclusions>
        <generatePDFReport>true</generatePDFReport>
        <isSynchronous>true</isSynchronous>
        <outputDirectory>c:\users\tmp</outputDirectory>
        <projectName>Project 22 (Maven)</projectName>
        <scanTimeoutInMinutes>10</scanTimeoutInMinutes>
        <disableCertificateVerification>false</disableCertificateVerification>
        <osaEnabled>false</osaEnabled>
        <osaHighSeveritiesThreshold>1</osaHighSeveritiesThreshold>
        <osaMediumSeveritiesThreshold>0</osaMediumSeveritiesThreshold>
        <osaLowSeveritiesThreshold>0</osaLowSeveritiesThreshold>
        <osaExclusions>file1, file2</osaExclusions>
        <osaIgnoreScopes>1</osaIgnoreScopes>
        <osaGenerateJsonReport>0</osaGenerateJsonReport>
        <enablePolicyViolations>true</enablePolicyViolations>
      </configuration>
    </plugin>
  </plugins>
</build>
```
You can change the parameter values listed in the table below.
Parameter | Type | Scan Type | Default Value | Description
---|---|---|---|---
<url> | URL | | http://localhost/ | The hostname of the Checkmarx application. The Maven plugin also supports https://.
<username> | string | | | The username of the user running the scan.
<password> | string | | | The password of the user running the scan.
<fullTeamPath> | string | | CxServer | The full path describing the team that the scan belongs to.
<outputDirectory> | file | | ${project.build.directory}\checkmarx | Defines an output directory for scan reports.
<projectName> | string | | ${project.name} | The name of the project being scanned. If not provided, it is taken from the Maven pom.xml project name.
<isSynchronous> | Boolean | CxSAST, CxOSA | true | If true, the build waits for the scan to end and displays the results. If false, the build triggers the scan without waiting for it to end, and the results are not displayed.
<disableCertificateVerification> | Boolean | CxSAST, CxOSA | false | Disables the SSL/TLS certificate validation.
<highSeveritiesThreshold> | integer | CxSAST | | Configures a threshold for high severity vulnerabilities. The build fails if the number of high severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<mediumSeveritiesThreshold> | integer | CxSAST | | Configures a threshold for medium severity vulnerabilities. The build fails if the number of medium severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<lowSeveritiesThreshold> | integer | CxSAST | | Configures a threshold for low severity vulnerabilities. The build fails if the number of low severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<isIncrementalScan> | Boolean | CxSAST | true | If true, an incremental scan is performed, which means that only modified files are scanned.
<preset> | string | CxSAST | Checkmarx default | Scans the project with one of the predefined scan presets or one of your custom presets.
<fileExclusions> | string | CxSAST | | List of files and/or file patterns that the scan ignores.
<folderExclusions> | string | CxSAST | | List of folders and/or folder patterns that the scan ignores.
<generatePDFReport> | Boolean | CxSAST | true | If true, a PDF report is generated in the output directory.
<scanTimeoutInMinutes> | integer | CxSAST | 0 | Defines a timeout (in minutes) for the scan. If the specified time has passed, the build fails. Set to 0, or leave the value unset, to run the scan without a time limit.
<osaEnabled> | Boolean | CxOSA | false | If true, CxOSA is enabled.
<osaHighSeveritiesThreshold> | integer | CxOSA | | Configures a threshold for CxOSA high severity vulnerabilities. The build fails if the number of high severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<osaMediumSeveritiesThreshold> | integer | CxOSA | | Configures a threshold for CxOSA medium severity vulnerabilities. The build fails if the number of medium severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<osaLowSeveritiesThreshold> | integer | CxOSA | | Configures a threshold for CxOSA low severity vulnerabilities. The build fails if the number of low severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.
<osaIgnoreScopes> | string | CxOSA | | List of Maven scopes to be ignored in a CxOSA scan. Provided scopes are ignored by default unless configured otherwise.
<osaExclusions> | string | CxOSA | | List of Maven dependencies that are not included in CxOSA. An exclusion should be of the form groupId.artifactId. Notice: osaExclusions has been deprecated and is no longer supported. If applied, the following log message is returned: ${param} is not supported in this Maven version.
<osaGenerateJsonReport> | Boolean | CxOSA | true | If true, a CxOSA PDF report is generated in the output directory.
<enablePolicyViolations> | Boolean | CxSAST, CxOSA | false | The build breaks if either the CxOSA or CxSAST policy is violated. Notice: a policy is assigned to a project from within CxSAST.
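As an added example (not part of the Checkmarx documentation or the plugin itself), a small Python linter that reads the checkmarx-maven-plugin <configuration> from a pom.xml and checks it against the rules stated above: the three mandatory parameters, the integer-typed thresholds and timeout, the deprecated <osaExclusions>, and <disableCertificateVerification> left at true. The plaintext-password check and the constructed SAMPLE_POM are this example's own additions, not rules from the page.

```python
import xml.etree.ElementTree as ET

MANDATORY = ("url", "username", "password")  # stated as mandatory on this page
INTEGER_PARAMS = ("highSeveritiesThreshold", "mediumSeveritiesThreshold", "lowSeveritiesThreshold",
                  "osaHighSeveritiesThreshold", "osaMediumSeveritiesThreshold",
                  "osaLowSeveritiesThreshold", "scanTimeoutInMinutes")  # typed integer on this page

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM namespace, if the pom.xml declares one

def checkmarx_config(pom_xml):
    """Return {parameter: value} from the checkmarx-maven-plugin <configuration>, or None."""
    root = ET.fromstring(pom_xml)
    for plugin in (e for e in root.iter() if _local(e.tag) == "plugin"):
        children = {_local(c.tag): c for c in plugin}
        artifact = children.get("artifactId")
        if artifact is None or (artifact.text or "").strip() != "checkmarx-maven-plugin":
            continue
        conf = children.get("configuration")
        return {} if conf is None else {_local(c.tag): (c.text or "").strip() for c in conf}
    return None

def lint(config):
    """Return the list of findings for one plugin configuration dictionary."""
    findings = []
    for p in MANDATORY:
        if not config.get(p):
            findings.append(f"<{p}> is mandatory but missing or empty")
    for p in INTEGER_PARAMS:
        if config.get(p) and not config[p].isdigit():
            findings.append(f"<{p}> must be an integer, got {config[p]!r}")
    if config.get("disableCertificateVerification", "false").lower() == "true":
        findings.append("<disableCertificateVerification> is true: the server certificate is not checked")
    if "osaExclusions" in config:
        findings.append("<osaExclusions> is deprecated; the plugin logs that it is not supported")
    # Added check (not a rule from the page): a literal password is committed with pom.xml, a ${property} is not.
    pw = config.get("password", "")
    if pw and not (pw.startswith("${") and pw.endswith("}")):
        findings.append("<password> is a literal; use a ${property} set outside the repository")
    return findings

# Constructed sample pom.xml, modelled on this page's snippet, with several weak settings.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins><plugin>
  <artifactId>checkmarx-maven-plugin</artifactId><configuration>
    <url>http://localhost</url><username>user@org</username><password>Org123456</password>
    <mediumSeveritiesThreshold>twenty</mediumSeveritiesThreshold>
    <disableCertificateVerification>true</disableCertificateVerification>
    <osaExclusions>file1, file2</osaExclusions>
  </configuration></plugin></plugins></build></project>"""
```

Running `lint(checkmarx_config(SAMPLE_POM))` reports the non-integer threshold, the disabled certificate check, the deprecated parameter and the literal password; a configuration that references `${cx.password}` and leaves the defaults alone yields no findings.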