General: the code to scan consists of .java files (Java EE); dependencies are provided as separate JARs
Goal: How can I provide checkmarx with all the required Java dependencies to build the project to get as sound and complete a scan as possible? I'm not interested in detecting issues in the dependencies themselves and don't want these to be included in the checkmarx report.
Why: The scan without dependencies returns no findings, which is slightly unusual for the size and complexity of the code base. I have all the dependencies locally and can build the project in my IDE (IntelliJ IDEA). I see no way to tell Checkmarx about dependencies (the CLI and Maven plugin only have options to include or exclude files and directories from the scan) when I zip the folder and upload it via the web interface for a new scan. I haven't used the Checkmarx Maven plugin as it requires resources which are inaccessible from the Checkmarx scanner machine (including the dependencies).
The approach I'm currently exploring is to explode the dependencies into the project source folder so that imports can be resolved and Checkmarx can build the project. However, some dependency JARs include Java source files, others only the class files, and it does not look like Checkmarx CxSAST supports scanning class files (nor JARs, for that matter). If I can get the code to scan, I can filter out any issues found within the dependencies by marking them in the web interface and excluding them from the report.
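As an added illustration of the "explode the dependencies" step described in the question (example code, not from the original post or from Checkmarx): the script below walks a lib folder of JARs, copies only the .java entries into a source folder the scanner can read, and reports which JARs ship no sources at all (those would still need separate handling). It also refuses archive entries whose path escapes the destination folder, since a dependency JAR is untrusted input and a "../" entry would otherwise write outside the project tree. The JAR names, package names and file contents are constructed for the demo; the build_sample_lib helper only exists to make the example run offline.

```python
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_lib(lib_dir: Path) -> None:
    """Constructed sample dependency folder (not real dependencies):
    one JAR bundling .java sources next to its classes, one with class
    files only, and one with a path-traversal entry to exercise the guard."""
    lib_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib_dir / "acme-util-1.0.jar", "w") as z:
        z.writestr("com/acme/util/Strings.java",
                   "package com.acme.util;\npublic class Strings {}\n")
        z.writestr("com/acme/util/Paths.java",
                   "package com.acme.util;\npublic class Paths {}\n")
        z.writestr("com/acme/util/Strings.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(lib_dir / "acme-core-2.3.jar", "w") as z:
        z.writestr("com/acme/core/Engine.class", b"\xca\xfe\xba\xbe")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(lib_dir / "evil-0.1.jar", "w") as z:
        # hypothetical malicious entry: would land two levels above dest
        z.writestr("../../Escape.java", "public class Escape {}\n")


def explode_source_jars(lib_dir, dest_dir):
    """Extract only the .java entries of every *.jar in lib_dir into dest_dir.

    Returns (extracted, without_sources, rejected):
      extracted       - {jar name: number of .java files written}
      without_sources - JARs from which nothing was extracted (class-only)
      rejected        - "jar:entry" strings refused by the path guard
    """
    lib_dir = Path(lib_dir)
    dest_root = Path(dest_dir).resolve()
    extracted, without_sources, rejected = {}, [], []
    for jar in sorted(lib_dir.glob("*.jar")):
        count = 0
        with zipfile.ZipFile(jar) as z:
            for info in z.infolist():
                if info.is_dir() or not info.filename.endswith(".java"):
                    continue  # class files, manifests, resources: not scannable
                target = (dest_root / info.filename).resolve()
                # zip-slip guard: the resolved path must stay under dest_root
                if dest_root not in target.parents:
                    rejected.append(f"{jar.name}:{info.filename}")
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with z.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                count += 1
        if count:
            extracted[jar.name] = count
        else:
            without_sources.append(jar.name)
    return extracted, without_sources, rejected


def run_demo():
    """Build the constructed lib folder in a temp dir, explode it, and return
    the report plus the sorted list of .java files now present under dest."""
    tmp = Path(tempfile.mkdtemp(prefix="cx-deps-"))
    lib, dest = tmp / "lib", tmp / "src"
    build_sample_lib(lib)
    extracted, without_sources, rejected = explode_source_jars(lib, dest)
    written = sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*.java"))
    return extracted, without_sources, rejected, written


if __name__ == "__main__":
    extracted, without_sources, rejected, written = run_demo()
    print("extracted:", extracted)
    print("no sources (need another approach):", without_sources)
    print("rejected entries:", rejected)
    print("files now in source folder:", written)
```

The JARs listed under "no sources" are the ones the question is really about: with only class files there is nothing for a source-level scanner to read, so they would have to be replaced by the matching -sources JAR (if the vendor publishes one) or left unresolved. Keep the report from this step, because the file list it produces is exactly the set of paths to mark as dependency code and exclude from the findings later.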