Checkmarx Open Source Analysis (OSA) Connector Guide

How to set up and use the Checkmarx Open Source Analysis (OSA) connector in RiskSense.

Overview

Checkmarx Open Source Analysis (OSA) is a software composition analysis solution that detects and identifies the open source components within an application and provides detailed risk metrics regarding open source vulnerabilities, potential license conflicts, and outdated libraries.

The RiskSense platform provides an API-based connector that integrates with Checkmarx OSA, enabling customers to bring in their open source findings. It gives customers visibility into their overall risk from vulnerabilities in their source code and enables a simpler, more efficient way to manage those vulnerabilities.

Supported Versions

RiskSense supports the following versions of Checkmarx OSA:

  • Version 9.0.0 and above.

User Prerequisites/Checkmarx OSA Setup

Checkmarx OSA is deployed as an on-premises solution. For RiskSense to communicate with it and pull data, the following access is required:

  1. A user account with, at minimum, read access to scan results and the vulnerabilities associated with them. The user must also have API access.
  2. A RiskSense On-Site Application (ROSA) OVA setup. More information on ROSA is available at https://help.risksense.com/risksense-on-site-application-rosa-overview.

Checkmarx OSA Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Checkmarx into RiskSense.

| API Type                                  | Endpoint                                          |
|-------------------------------------------|---------------------------------------------------|
| Authentication                            | cxrestapi/auth/identity/connect/token             |
| List Projects                             | cxrestapi/projects                                |
| List latest scan for each project         | cxrestapi/osa/scans?projectId=<projectId>         |
| Fetch vulnerabilities from each scan      | cxrestapi/osa/vulnerabilities?scanId=<scanId>     |
| Fetch license risks from each scan        | cxrestapi/osa/licenses?scanId=<scanId>            |
| Fetch associated libraries for each scan  | cxrestapi/osa/libraries?scanId=<scanId>           |

Configuring Checkmarx OSA Connector in RiskSense

Navigate to the Automate > Integrations page.

Navigation - Automate - Integrations

Using the search bar in the upper-right corner of the Integrations page, type CxOSA to find the connector.

Checkmarx OSA Connector - Search for Connector

Locate the Checkmarx OSA card on the page and click Configuration.

Checkmarx OSA Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.
  • URL: The URL to access the Checkmarx OSA instance. Enter the domain name along with the port (if any).
    • For instance, if the login URL for your Checkmarx instance is https://<domain name: port>/CxWebClient/Login.aspx, then the URL for the connector should be just the domain name with port (if applicable): https://<domain name: port>/
  • Username: Username used to access the connected system.
  • Password: Password for the user.
  • SSL: Optional SSL certificate of the instance, in base64 format.

Checkmarx OSA Connector - Connector Configuration

Click Test Credentials to verify the credentials are correct and have access to make API calls to the Checkmarx OSA system.

Configure the desired schedule for the connector to retrieve results from the Checkmarx OSA instance and optionally turn on Enable auto URBA (Update Remediation by Assessment). The user may specify how far back scan data is pulled by choosing one of the following options: 30 days, 60 days, 90 days, 6 months, or 1 year.

Checkmarx OSA Connector - Complete Connector Configuration

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Checkmarx OSA Connector - Configured Checkmarx Connector

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform an on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Once files have been processed on the Uploads page, the user can view the ingested data by navigating to the Applications and Application Findings pages.

Mapping Checkmarx OSA fields in RiskSense

This table depicts the high-level mapping of Checkmarx OSA fields to RiskSense fields.

| RiskSense Fields       | Checkmarx Fields                                                                                                                                                  |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Scanner Severity       | Severity name in case of Security Risk. RiskLevel in case of License Risk.                                                                                        |
| Normalized Severity    | Score in case of Security Risk. RiskLevel in case of License Risk. All these values are converted to a 0-10 scale; please contact RiskSense support for more details. |
| Scanner Plugin         | SimilarityId                                                                                                                                                      |
| Application Name       | ProjectName                                                                                                                                                       |
| Plugin Source Status   | State                                                                                                                                                             |
| License Risk (section) | Covers all the license information, such as name, copyrightRiskScore, patentRiskScore, copyLeft, linking, royalityFree, url.                                      |

RiskSense Tags

The following fields from Checkmarx OSA are converted into RiskSense tags. These tags are used for searching, playbook automation, and for better visualization in Dashboards.

  • Outdated Libraries

Note: The tag name is prefixed with the field name to make searches easier.

Common Fields in RiskSense

The following RiskSense fields take these default values for Checkmarx OSA findings:

  • Scanner Name: CheckmarxOSA
  • Finding Type: OSS
  • Risk Type: Either Security or License, depending on the data type.
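The following Python script is an added illustration (not RiskSense or Checkmarx code) of the connector run described above: it walks the endpoints from the API table (projects, latest OSA scan per project, then vulnerabilities, licenses and libraries for that scan), applies the "oldest scan data pull" window, and maps each record to the RiskSense fields in the mapping table. The authentication call is replaced by a `get` callable that stands in for an authenticated HTTP GET; the canned responses and the JSON field names (id, name, finishTime, similarityId, severity.name, score, state, riskLevel, outdated), the RiskLevel-to-score conversion and the tag format are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample responses (not real Checkmarx output), keyed by the endpoint
# paths the guide lists. Field names inside the JSON are assumptions.
CANNED = {
    "cxrestapi/projects": [{"id": 7, "name": "billing-svc"}],
    "cxrestapi/osa/scans?projectId=7": [
        {"id": "s0", "finishTime": "2023-10-01T10:00:00Z"},
        {"id": "s1", "finishTime": "2024-01-20T10:00:00Z"}],
    "cxrestapi/osa/vulnerabilities?scanId=s1": [
        {"similarityId": "sim-1", "severity": {"name": "High"}, "score": 7.5, "state": "To Verify"}],
    "cxrestapi/osa/licenses?scanId=s1": [{"name": "GPL-3.0", "riskLevel": "High", "copyLeft": "Full"}],
    "cxrestapi/osa/libraries?scanId=s1": [{"name": "log4j", "outdated": True},
                                           {"name": "guava", "outdated": False}],
}
RISK_LEVEL_TO_SCORE = {"High": 8.0, "Medium": 5.0, "Low": 2.0}  # assumed 0-10 conversion

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pull_findings(get, now, max_age_days):
    """Projects -> latest OSA scan -> vulnerabilities/licenses/libraries, mapped to
    the RiskSense fields of the mapping table; `get(path)` returns decoded JSON."""
    findings = []
    for project in get("cxrestapi/projects"):
        scans = get(f"cxrestapi/osa/scans?projectId={project['id']}")
        if not scans:
            continue
        scan = max(scans, key=lambda s: parse_time(s["finishTime"]))  # latest scan only
        if now - parse_time(scan["finishTime"]) > timedelta(days=max_age_days):
            continue  # outside the configured "oldest scan data pull" window
        base = {"Application Name": project["name"], "Scanner Name": "CheckmarxOSA",
                "Finding Type": "OSS"}
        libs = get(f"cxrestapi/osa/libraries?scanId={scan['id']}")
        # Outdated libraries become tags prefixed with the field name (format assumed).
        base["Tags"] = [f"Outdated Libraries:{l['name']}" for l in libs if l["outdated"]]
        for v in get(f"cxrestapi/osa/vulnerabilities?scanId={scan['id']}"):
            findings.append({**base, "Risk Type": "Security",
                             "Scanner Severity": v["severity"]["name"],
                             "Normalized Severity": float(v["score"]),
                             "Scanner Plugin": v["similarityId"],
                             "Plugin Source Status": v["state"]})
        for lic in get(f"cxrestapi/osa/licenses?scanId={scan['id']}"):
            findings.append({**base, "Risk Type": "License", "Scanner Severity": lic["riskLevel"],
                             "Normalized Severity": RISK_LEVEL_TO_SCORE[lic["riskLevel"]],
                             "License Risk": lic})
    return findings

if __name__ == "__main__":
    for f in pull_findings(CANNED.__getitem__, parse_time("2024-01-31T00:00:00Z"), 90):
        print(f)
```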