
I have a Bamboo plan with the Checkmarx plugin. The CxSAST scan is working fine, scanning the code and giving the scan report, but the CxOSA scan is not taking place, I guess. The CxOSA scan says 0 libraries were analyzed, though I am using a lot of open source JS libraries like lodash, jQuery, etc. I went through the docs as well, but with little luck. I am pretty new to Checkmarx; any help is appreciated. Here is the CxOSA related config that I am using in my Bamboo PlanSpec.java file:

```java
.put("cxOsaArchiveIncludePatterns", "*.zip, *.war, *.ear, *.tgz")
.put("osaEnabled", "true")
```
Kashyap Sharma
  • Do you have the `CxOsa` logs? In the Bamboo console output or somewhere? – baruchiro Jan 13 '20 at 14:19
  • Hi @baruchiro, yes: ```10-Jan-2020 01:12:16 CxOSA enabled: true 10-Jan-2020 01:12:16 CxOSA filter patterns: null 10-Jan-2020 01:12:16 CxOSA archive include patterns: *.zip, *.war, *.ear, *.tgz 10-Jan-2020 01:12:16 CxOSA thresholds enabled: false 10-Jan-2020 01:12:30 Creating OSA scan 10-Jan-2020 01:12:36 Scanning for CxOSA compatible files 10-Jan-2020 01:12:37 Found 0 Compatible Files for OSA Scan 10-Jan-2020 01:12:37 OSA file list saved to file: [/tmp/CxOSAFileList.json] 10-Jan-2020 01:12:37 Sending OSA scan request 10-Jan-2020 01:12:37 OSA scan created successfully``` – Kashyap Sharma Jan 14 '20 at 05:11
  • So in the Bamboo logs of the plan run, there is a line which says: ```Found 0 Compatible Files for OSA Scan```. My doubt is: does my project have no such open source vulnerabilities? If yes, then the Checkmarx config is correct. – Kashyap Sharma Jan 16 '20 at 09:45

2 Answers


I have some experience with CxOSA. When I got 0 results, it happened because I wasn't scanning the correct files (the binaries instead of the code) or because I didn't enable dependency resolution in the OSA scan. I think that is the issue for you; you should add a parameter like ("executepackagedependency", "true"). I'm using the plugin and not PlanSpec.java, so I'm not sure of the exact parameter name.

  • Hi @jostakino, thanks for the answer. I have a few questions though. 1) What do you mean when you say "wasn't scanning the correct files (the binaries instead of the code)"? I guess CxSAST scans the code itself and not the binaries. 2) Can you please share, if possible, the plugin configuration part where you have the execute package dependency set to true? Because I could find no such option in the plugin. 3) Are you also using Bamboo with Checkmarx? – Kashyap Sharma Jan 22 '20 at 10:51

So it seems I have the answer. There are several key-value pairs that we need to set as part of the Checkmarx configuration. Initially, I had deleted some keys whose values were an empty string. One of those keys was cxOsaFilterPatterns. When I added this key back with an empty string value, Checkmarx started scanning the CxOSA part.

For reference, you can use this piece of code as configuration.

```java
// Same .put(...) chain form as in the question's PlanSpec.java; the
// filterPatterns string below was missing its closing quote in the post.
.put("serverCredentialsSection", "globalConfigurationServer")
.put("projectName", "Your project name")
.put("teamPathName", "Your team name")
.put("teamPathId", "Your team id")
.put("serverUrl", "Checkmarx server URL")
.put("username", "Checkmarx username")
.put("password", "Checkmarx password")
.put("presetName", "Checkmarx Default")
.put("cxSastSection", "customConfigurationCxSAST")
.put("folderExclusions", "node_modules")
.put("filterPatterns", "!**/_cvs/**/*, !**/.svn/**/*,   !**/.hg/**/*,   !**/.git/**/*,  !**/.bzr/**/*, !**/bin/**/*,!**/obj/**/*,  !**/backup/**/*, !**/.idea/**/*, !**/*.DS_Store")
.put("isIncremental", "true")
.put("generatePDFReport", "true")
.put("intervalBegins", "01:00")
.put("intervalEnds", "04:00")
.put("osaEnabled", "true")
// Must be present even when empty; without this key the OSA scan found 0 files.
.put("cxOsaFilterPatterns", "")
.put("cxOsaArchiveIncludePatterns", "*.zip, *.war, *.ear, *.tgz")
.put("scanControlSection", "globalConfigurationControl")
.put("isSynchronous", "true")
.put("presetId", "36")
```
Kashyap Sharma
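The failure described in this answer is a silent one: a scan that reports 0 libraries gives no signal that the configuration is the problem. As an added example (not code from the post or from the Checkmarx plugin), here is a small guard that inspects the configuration map before it is handed to the task and fails the spec build when an OSA key is absent; it assumes the map is the same one passed to the plugin task's configuration, and treats an empty value and a missing key as different things, which is exactly the distinction the asker ran into.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not part of the original post or the Checkmarx plugin.
// The plugin treated a missing cxOsaFilterPatterns key as "nothing to scan",
// so an empty value and an absent key are deliberately NOT the same here.
public class CheckmarxConfigGuard {

    // Keys the plugin needs when osaEnabled is "true"; empty values are fine.
    static final List<String> OSA_KEYS = List.of(
        "osaEnabled", "cxOsaFilterPatterns", "cxOsaArchiveIncludePatterns");

    // Returns the OSA keys that are absent from the task configuration.
    static List<String> missingOsaKeys(Map<String, String> config) {
        List<String> missing = new ArrayList<>();
        if (!"true".equalsIgnoreCase(config.get("osaEnabled"))) {
            return missing; // OSA disabled: nothing to check
        }
        for (String key : OSA_KEYS) {
            if (!config.containsKey(key)) { // containsKey, not a null/empty test
                missing.add(key);
            }
        }
        return missing;
    }

    // Throws with the list of missing keys, so the spec fails at build time
    // instead of producing a scan that silently reports 0 analysed libraries.
    static Map<String, String> requireOsaKeys(Map<String, String> config) {
        List<String> missing = missingOsaKeys(config);
        if (!missing.isEmpty()) {
            throw new IllegalStateException(
                "CxOSA configuration is missing keys: " + missing);
        }
        return config;
    }

    public static void main(String[] args) {
        // Constructed sample with the same keys as the answer above.
        Map<String, String> config = new LinkedHashMap<>();
        config.put("osaEnabled", "true");
        config.put("cxOsaFilterPatterns", "");   // present but empty: valid
        config.put("cxOsaArchiveIncludePatterns", "*.zip, *.war, *.ear, *.tgz");
        System.out.println("missing: " + missingOsaKeys(config));

        config.remove("cxOsaFilterPatterns");    // reproduce the asker's mistake
        System.out.println("missing: " + missingOsaKeys(config));
        requireOsaKeys(config);                  // fails the build here
    }
}
```

Call `requireOsaKeys` on the map built by the `.put(...)` chain before passing it to the task, and a dropped key surfaces as a spec error rather than as an empty scan report.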