Checkmarx Plugin for IntelliJ Guide


Checkmarx Certified Engineer

Exercise: Working with the IntelliJ Plugin


Table of Contents
Checkmarx Certified Engineer
    Exercise: Working with IDE IntelliJ Plugin
Module 09 Exercise: Working with the IntelliJ Plugin
    About
    Steps
    Learning Outcomes

2 | Checkmarx Certified Engineer [Link]


Module 09 Exercise: Working with the IntelliJ Plugin
About
This exercise demonstrates what you can do with the Checkmarx IDE plugins.

Steps
1. Installing the IDE plugin
a. Installing the plugin varies by IDE. To learn more about installing the plugins, browse to
[Link] From there, you can navigate to
the instruction guides for installing each Checkmarx IDE plugin.
b. The plugins themselves can be downloaded here: [Link]
c. To do this exercise you need to install the IntelliJ IDE. You can follow the official IntelliJ installation
instructions at [Link]
2. Exploring the IntelliJ Plugin
a. Launch IntelliJ. Once IntelliJ has opened, choose the option Get from VCS, and then select Git. Use the
following Git Repository URL: [Link] Click the Test button to make sure you
can connect to the repo, then click Clone. IntelliJ will ask you if you want to create an IntelliJ IDEA Project, click
Yes.
b. When the Import Project Wizard from IntelliJ launches, keep all the defaults and click Next, Next, … until the
wizard is complete.
c. Now the project will be loaded in IntelliJ. Before we look at using the plugin, we need to first configure it. In
IntelliJ, click File → Settings. When the Settings window is displayed find the CxViewer Preferences on the
menu to the left.

d. In the CxViewer Preferences, specify your Checkmarx server URL; for instance [Link]
Then click Test Connection. You should receive a Server URL Validated response.
e. Now click the Advanced menu item beneath CxViewer Preferences. Here you can specify exclusions for your
IDE scans: file masks that describe the things you do not want to scan. In the case of AltoroJ (the project
we just loaded into IntelliJ), there is a lot of Swagger code that we want to exclude.
f. In the Include/Exclude File Patterns, scroll to the bottom, and add the following mask:

g. Click Apply, then OK. This closes the Settings window.
h. Now let’s launch a scan of the code base. In the Project Explorer, right-click the project name (AltoroJ 3.x.x).
Towards the bottom of the context menu you’ll see the Checkmarx logo beside the Cx Viewer option. Hover
over it, then select Scan.

i. If you have not yet logged in, a login window will appear. Use the credentials that were supplied to you for the
lab environment for the username and password. Click on the Login button.
j. The Create or Select a Project dialog will show. If we wanted to include this scan as part of an already existing
project, we would simply select a project from the Project Name drop-down. In our case, we want to create a
new project, so we will leave the Project Name as AltoroJ and Checkmarx will create this project for us.
k. Change the Preset to XSS and SQLi only and the Team to CxServer\SP\CxCE\Alpha. Uncheck Project is private
and Scan is private. Then click Full Scan.
l. You will see the scan launch and can track it in the status bar in IntelliJ. If you were to go to the Checkmarx
Portal, log in, and navigate to Projects & Scans → Queue, you will see the scan’s progress.
m. Note: while we wait for the scan to finish, a word about private scans. Private scans are meant for
developers to check their own work. They do not factor into project reporting or overall risk metrics, and they
are visible only to the Server Administrator and the user who launched them.
n. Once the scan has been completed, the IntelliJ UI will be updated with components that look like the result
viewer in the Checkmarx Portal.
o. From here, you can do all the same things that you can do in the Checkmarx Result viewer. You can change the
result state, change severity, assign to a user, apply comments, follow vulnerable flows, and so on. The benefit
of doing this in the IDE is that the Checkmarx plugin takes you to the code where a developer can make
changes. The Graph View also works in the IDE plugin.
p. Notice that because we selected the XSS and SQLi only preset, our results consist only of those
vulnerability types. If we had selected a broader preset, we would have seen many more results.
q. Scroll down to the fourth (of 14) Reflected_XSS_All_Clients result. The Source Object is “txtEmail”. This is a
short flow that is easy to confirm as a real XSS vulnerability.

r. Click on the Source Node and you will be taken in the IntelliJ IDE to [Link]. If we wanted to apply a
fix here, we could do so by making the following change (be sure to save after you make the change):

s. Now, to see whether our fix resolved the issue, we can run an incremental scan. To do so, right-click the
project name in the Project Explorer (AltoroJ 3.x.x). This time we can leave Scan is private checked and click
the Incremental Scan button.


t. When the scan completes, you’ll notice the number of Reflected_XSS_All_Clients results has dropped to 13
(because we just fixed one of the findings).
3. Compare the Two Scans
a. Log back into the portal using the same account. Navigate to Projects & Scans → Projects and click on the Scan
List for the AltoroJ project that we created from IntelliJ. You’ll notice two scans in the Scan List. One public
(the first scan we did from IntelliJ) and one private incremental (the second scan we did from IntelliJ).

b. Check the box beside each scan and then click Compare Scans. You’ll notice that one issue shows as resolved
and that the scan time of the incremental scan was a little bit faster than the original full scan.
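
As an added illustration for steps 2.q through 2.t (this is not AltoroJ's code and not the change shown in the exercise's screenshot), the hypothetical servlet below shows the shape of a Reflected_XSS_All_Clients flow from a txtEmail request parameter and the output-encoding fix that removes it. It assumes the OWASP Java Encoder library (org.owasp.encoder.Encode) is on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode; // OWASP Java Encoder, assumed to be on the classpath

// Hypothetical servlet written for this exercise; it is not AltoroJ's code.
public class ContactEchoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Source node: the untrusted "txtEmail" request parameter.
        String email = req.getParameter("txtEmail");
        resp.setContentType("text/html;charset=UTF-8");
        renderSafe(resp.getWriter(), email);
    }

    // BEFORE (kept only for comparison, never called): the parameter is
    // concatenated into the HTML body and into an attribute value untouched.
    // Source (getParameter) to sink (println) with no encoding in between is
    // the data flow the scanner reports as Reflected_XSS_All_Clients.
    static void renderUnsafe(PrintWriter out, String email) {
        out.println("<p>We will contact you at: " + email + "</p>");
        out.println("<input type=\"text\" name=\"txtEmail\" value=\"" + email + "\">");
    }

    // AFTER: the same two sinks, each encoded for its own output context
    // (HTML body text versus a quoted attribute value). Encoding at the sink
    // is the change the scanner can see on the flow, which is why the
    // Reflected_XSS_All_Clients count drops on the next scan.
    static void renderSafe(PrintWriter out, String email) {
        String value = email == null ? "" : email;
        out.println("<p>We will contact you at: " + Encode.forHtml(value) + "</p>");
        out.println("<input type=\"text\" name=\"txtEmail\" value=\""
                + Encode.forHtmlAttribute(value) + "\">");
    }
}
```

Using a well-known encoder library rather than a hand-written one also helps the scanner, which recognises standard sanitizers on a flow; a custom helper may still leave the result open.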

Learning Outcomes
• You should understand how to configure a Checkmarx IDE plugin.
• You should understand the difference between a public and private scan from the IDE.
• You should be able to launch scans from an IDE plugin.
• You should see the benefit of working with IDE plugins for Checkmarx.
