Reviewing Scan Results in SonarQube
Scan results in SonarQube that are related to Checkmarx are also displayed in CxSAST. For more information about viewing scan results in CxSAST, refer to the Checkmarx CxSAST Documentation at Navigating SAST Scan Results.
Notice
The user running the SonarQube plugin must have 'Reviewer' role permissions.
Checkmarx scan results can be viewed in the SonarQube Project Space by clicking the desired project in the Project List. The Project Space is displayed.
The top section of the Project Space (Quality Gate) shows the releasability status of the project and its current state of quality. If the project passes the Quality Gate, a green all-clear 'Passed' label appears. If not, a red 'Failed' label appears, with details and drill-downs immediately available so you can quickly identify what went wrong.
Just below the Quality Gate, the numbers of old and new Issues in each area are shown. Checkmarx issues (vulnerabilities) are aggregated in the 'Bugs & Vulnerabilities' panel. Clicking any figure in this panel opens a detailed view of the related issues on the Issues page.
Notice
All Checkmarx issues start with the “Checkmarx Vulnerability” prefix. Vulnerability conversion is as follows:
SonarQube Critical = Checkmarx High
SonarQube Major = Checkmarx Medium
SonarQube Minor = Checkmarx Low
Clicking on a Checkmarx issue opens a new page relating to the specific issue chosen.
Code location nodes (version dependent) are highlighted and sorted accordingly. Nodes coming from different files are also indicated.
You can drill down into 'Vulnerabilities' and show the Checkmarx results by clicking the Measures tab and selecting Overview. A graphical diagram of the Remediation Effort, Lines of Code and Security Vulnerabilities is displayed.
This displays the vulnerabilities' operational risks. The closer a bubble's color is to red, the more severe the worst vulnerabilities are. Bubble size indicates vulnerability volume, and each bubble's vertical position reflects the estimated time to address the vulnerabilities. Small green bubbles on the bottom edge are best. Mouse-over a bubble to display additional information about the issue.
Click Remediation Effort to display the list of security issues that need remediation.
Users can define the time needed (in minutes) to fix a security issue. The total remediation effort is then calculated and displayed to the user, as seen above.
By scrolling down, a graphical diagram of the Remediation Effort, Lines of Code and Vulnerabilities can also be viewed.
Clicking on one of the Checkmarx results, in this case “Checkmarx - High Vulnerabilities”, shows the list of files and the number of detected issues in each.
Clicking on one of the files opens the code viewer, showing the content of the file and the list of issues found in it.
The code viewer is the heart of SonarQube; it displays the source code of a file together with its high-level statistics. The main purpose of the code viewer is to show the source code and the effort required to fix the issues found in it.
Clicking on the colored severity icon (version dependent) expands the issue, as seen below.
Clicking on opens the rule description.
Clicking the 'More' tab and then selecting 'Checkmarx Report' opens a graphical side-by-side summary report of the Checkmarx scan results.
The CxSAST Vulnerabilities Status report provides information about the distribution of security issues for the project and is divided into the following categories:
CxSAST Vulnerabilities Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level (high, medium and low).
Analyze Results (CxSAST) – provides a link to the vulnerability results in the CxSAST code viewer. Refer to the Checkmarx CxSAST Documentation at Navigating Scan Results in CxSAST.
Notice
Status changes detected in CxSAST are not reflected in the SonarQube vulnerabilities status reports.
The CxSAST Full Report provides information about the distribution of security issues for the project and is divided into the following categories:
Report Criteria - provides the following information:
Start/End – start and end time for the CxSAST scan
Files – total number of files scanned
Code Lines – total number of lines of code scanned
Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.
Analyze Results – provides a link to the vulnerability results in the CxSAST code viewer. Refer to the Checkmarx CxSAST Documentation at Navigating Scan Results in CxSAST.