Reviewing Scan Results in Bamboo
Results of scans triggered from Atlassian Bamboo are displayed both in Bamboo and in CxSAST. For additional information, refer to Navigating Scan Results in CxSAST.
Notice
Synchronous mode, as defined in Configuring a CxSAST Scan Action, enables viewing the scan results in Atlassian Bamboo. If it is cleared (asynchronous mode), only a link to the scan results in the CxSAST web application is provided with the build results.
In the Build Dashboard window, open a project and select a build. The build results summary is displayed.
A graphical side by side summary of the scan results can be viewed in the Checkmarx Report section of the Build Results Summary dashboard.
The CxSAST Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:
Status Bar – red indicates a failed scan: the number of issues found exceeded the configured threshold value, or one or more policies were violated.
Status Bar – green indicates a passed scan.
Vulnerabilities Status – this graph represents the status and severity of the security vulnerabilities discovered during a scan. Its labels are:
Recurrent – the vulnerability was already discovered in a previous scan.
New – the vulnerability was discovered for the first time, or was re-opened after being resolved in a previous scan.
Default Threshold – the default threshold setting.
High – the number of high severity vulnerabilities.
Medium – the number of medium severity vulnerabilities.
Low – the number of low severity vulnerabilities.
Results – provides a link to the code viewer in CxSAST. Refer to Navigating Scan Results for additional information.
PDF Report – provides a link to the CxSAST report in PDF format.
The CxOSA Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:
Vulnerabilities & Libraries Status – this graph shows the status of each vulnerability severity and the number of vulnerability instances found for each severity level. Its labels are:
Default Threshold – the default threshold setting.
High – the number of high severity vulnerabilities.
Medium – the number of medium severity vulnerabilities.
Low – the number of low severity vulnerabilities.
Notice
The CxOSA Summary takes vulnerability result states into consideration: for example, vulnerabilities marked Not Exploitable are not aggregated into the global summary.
Results – provides a link to the CxOSA Viewer in CxSAST.
Notice
If the build is marked as failed (red), this may be because the number of found vulnerability instances exceeded the configured threshold.
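The pass/fail logic described above (severity counts split into New and Recurrent, Not Exploitable results left out of the aggregate, and a red status when a count exceeds its threshold or a policy is violated) can be reproduced in a few lines. The following Python is an added illustration, not the Bamboo plugin's own code: the `Finding` fields, the "count strictly greater than threshold" reading of "exceeded", and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low")
STATUSES = ("New", "Recurrent")


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance as the summary would count it (hypothetical shape)."""
    severity: str   # "High", "Medium" or "Low"
    status: str     # "New" (first seen, or re-opened) or "Recurrent" (seen in a previous scan)
    state: str      # result state, e.g. "To Verify", "Confirmed" or "Not Exploitable"


def summarize(findings, exclude_not_exploitable):
    """Count instances per severity and status.

    With exclude_not_exploitable=True, findings in the "Not Exploitable" state
    are skipped, which is what the page states for the CxOSA summary.
    """
    counts = {sev: {st: 0 for st in STATUSES} for sev in SEVERITIES}
    for f in findings:
        if exclude_not_exploitable and f.state == "Not Exploitable":
            continue
        if f.severity not in counts or f.status not in STATUSES:
            raise ValueError(f"unexpected finding: {f}")
        counts[f.severity][f.status] += 1
    return counts


def evaluate(findings, thresholds, violated_policies=(), exclude_not_exploitable=True):
    """Return the summary plus a "green"/"red" status and the reasons for red.

    thresholds maps severity -> maximum allowed instance count (None = no limit).
    Assumption: a count "exceeds" its threshold when it is strictly greater.
    """
    counts = summarize(findings, exclude_not_exploitable)
    totals = {sev: sum(counts[sev].values()) for sev in SEVERITIES}
    exceeded = {
        sev: (totals[sev], thresholds[sev])
        for sev in SEVERITIES
        if thresholds.get(sev) is not None and totals[sev] > thresholds[sev]
    }
    failed = bool(exceeded) or bool(violated_policies)
    return {
        "status": "red" if failed else "green",
        "counts": counts,
        "totals": totals,
        "exceeded": exceeded,
        "violated_policies": list(violated_policies),
    }


# Constructed sample findings (not output from any real scan).
SAMPLE = [
    Finding("High", "New", "To Verify"),
    Finding("High", "Recurrent", "Not Exploitable"),
    Finding("Medium", "Recurrent", "Confirmed"),
    Finding("Medium", "New", "To Verify"),
    Finding("Low", "Recurrent", "Not Exploitable"),
    Finding("Low", "New", "To Verify"),
]
# Hypothetical thresholds: at most 1 High and 2 Medium instances, no limit on Low.
THRESHOLDS = {"High": 1, "Medium": 2, "Low": None}

if __name__ == "__main__":
    every_state = evaluate(SAMPLE, THRESHOLDS, exclude_not_exploitable=False)
    osa_style = evaluate(SAMPLE, THRESHOLDS, exclude_not_exploitable=True)
    policy_fail = evaluate(SAMPLE, THRESHOLDS, violated_policies=["Example policy"])
    print("all states counted :", every_state["status"], every_state["totals"], every_state["exceeded"])
    print("Not Exploitable out:", osa_style["status"], osa_style["totals"], osa_style["exceeded"])
    print("policy violated    :", policy_fail["status"], policy_fail["violated_policies"])
```

With the sample data the second High instance is Not Exploitable, so the same findings exceed the High threshold when every state is counted but pass when Not Exploitable results are excluded; a violated policy turns the status red regardless of the counts, which is why the dashboard can be red with every threshold satisfied.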
The CxSAST Full Report provides information about the distribution of security issues for the job/project and is divided into the following categories:
Report Criteria - provides the following information:
Start/End – start and end time for the CxSAST scan.
Files – total number of files scanned.
Code Lines – total number of lines of code scanned.
Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
Analyze Results – provides a link to the source code viewer in CxSAST (see Navigating Scan Results).
PDF Report – provides a link to the CxSAST report in PDF format.
The CxOSA Full Report provides information about the distribution of security issues for the job/project and is divided into the following categories:
Report Criteria - provides the following information:
Start/End – start and end time for the CxOSA analysis.
Libraries – total number of libraries analyzed.
Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by type (high, medium and low) and the number of vulnerability instances for each type.
Notice
Not Exploitable vulnerabilities are not aggregated into the global summary. Accordingly, the CxOSA Full Report displays Not Exploitable vulnerabilities with a strike-through.
Analysis Results – provides a link to the CxOSA Viewer in CxSAST.
If the build failed due to CxOSA and/or CxSAST policy violations, then a unified report will be displayed showing the following information:
Number of violated policies
Names of violated policies
Names of respective rules violated
Type of scan used
Number of instances of a violated rule
First detection date
A textual summary of the scan results can be viewed in the Logs (Build Results Summary > Logs > View).
Notice
The source repository must be checked out in the same Job as the Checkmarx Task for the CxSAST Bamboo plugin to recognize the checkout folder. Plan-level repositories that are checked out in another Job or Stage are not yet supported; in that case the message "repository was not found" appears in the logs.
The ‘PDF report location:’ URL provides navigation to the current CxSAST scan results in PDF format:
<BAMBOO_HOME>\xml-data\build-dir\<JOB_KEY>\Checkmarx\Reports\CxSASTReport_<date-time>.pdf