Introducing the Checkmarx One Query Editor

November 25, 2024

Accuracy and Flexibility in SAST

One of the big challenges of Static Application Security Testing (SAST) has long been accuracy. All SAST solutions struggle with it, generating either false positives (unfounded alerts) or false negatives (missed vulnerabilities). Because this trade-off never goes away, choosing the best SAST solution comes down to measuring accuracy.

At Checkmarx, our SAST tools are built to improve accuracy. Our SAST solution uses queries to make the search for vulnerabilities customizable, and complements them with an adaptive scanning engine, real-time scanning, AI tools, and auto-remediation.

What Are Queries and Why Are They Important?

Queries are the secret sauce of SAST scans. What exactly is a query? A query is a vulnerability rule: a description of the code pattern (for example, untrusted input reaching a sensitive sink) that the engine should report. All SAST engines use queries to find vulnerabilities and achieve greater fidelity.

“Queries are building blocks for identifying potential vulnerabilities and critical for filtering through the noise to avoid sending false positives and false negatives to your developers. Understanding queries enables AppSec teams and developers to prioritize their efforts, and promptly address the most critical issues.”

All SAST engines use queries to find vulnerabilities. However, most SAST solutions don’t let you customize the rules or modify queries. In those cases, users are chained to the vulnerabilities that the solution chooses to look for. The lack of customization leads to more false positives or missed vulnerabilities.

Checkmarx SAST is the only solution that provides the flexibility to customize queries, resulting in fewer false positives without introducing false negatives, and therefore more accurate results.

“Checkmarx SAST includes pre-built queries (and presets) written in the Checkmarx Query Language (CxQL). These identify common security issues such as SQL injection, cross-site scripting, and insecure access controls, providing an easier way to start securing applications out of the box.”

See how queries work. 

Tailored Presets & Custom Queries

Checkmarx SAST empowers you to customize queries according to your specific needs. As we described in a previous post:

A common use case that neatly highlights the benefits of customizing queries is a cross-site scripting (XSS) finding that is a false positive because the code uses an in-house sanitizer method that the Checkmarx One default out-of-the-box query does not know about. We can simply add this method to the sanitizer list of the appropriate CxQL query and rescan the project to remove the false positive.
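As an added illustration of the sanitizer customization described above (not code from the original post or from the queries Checkmarx ships), here is the shape such a CxQL override takes. The class and method `Sanitizer.HtmlSafe` is a constructed placeholder for an organization's own encoder, and the base-query names (`Find_XSS_Sanitize`, `Find_Interactive_Inputs`, `Find_Outputs`) and CxList methods used here are assumed from the CxQL API; confirm them against the Query Editor's autocomplete in your own environment.

```csharp
// Added example: teaching an XSS query about an in-house sanitizer.
// Assumed CxQL names: Find_XSS_Sanitize(), Find_Interactive_Inputs(), Find_Outputs(),
// All.FindByMemberAccess(), CxList.Add(), CxList.InfluencingOnAndNotSanitized().
// "Sanitizer.HtmlSafe" is a constructed placeholder for the organization's own method.

// 1. Start from the out-of-the-box sanitizer list so existing coverage is kept.
CxList sanitizers = Find_XSS_Sanitize();

// 2. Add every call site of the in-house sanitizer (placeholder name).
CxList inHouseSanitizer = All.FindByMemberAccess("Sanitizer.HtmlSafe");
sanitizers.Add(inHouseSanitizer);

// 3. Re-run the standard taint check: user-controlled inputs that reach an
//    output sink without passing through any recognized sanitizer are reported.
CxList inputs = Find_Interactive_Inputs();
CxList outputs = Find_Outputs();
result = inputs.InfluencingOnAndNotSanitized(outputs, sanitizers);
```

Only add a method to this list after confirming it encodes for the context the sink writes into (HTML body, attribute, JavaScript, URL); an incomplete sanitizer turns a false positive into a false negative.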

Introducing the Improved Checkmarx Query Editor

Long-time Checkmarx users are probably familiar with CxAudit, our query editor for CxSAST. Our updated Checkmarx Query Editor brings features of CxAudit that were previously missing to Checkmarx One! Built with customer experience in mind, this powerful tool is designed to make query editing even easier.

What’s New

Our updated Query Editor focuses on enhancing usability and improving workflow efficiency. Here’s a closer look at what’s new: 

  • Friendly and intuitive user interface – We’ve revamped the look and feel of the Query Editor, making it easier to navigate, understand, and use. The design is modular, allowing users to customize their workspace to suit their needs. You can focus on specific elements or get a broader view of your project. This flexibility ensures that you can work in a way that’s most comfortable for you.
  • Language-specific query view (Edit mode) – Navigating through projects to find specific queries can be time-consuming. That’s why we’ve introduced a language-specific view. Now, you can select a programming language and instantly access all queries related to that language across all projects. This eliminates the need to search through each project individually, saving you valuable time.
  • Hide empty queries – To further streamline your workflow, we’ve added a new mode that hides empty queries, that is, queries that didn’t return any results in the current scan. This declutters your workspace and lets you concentrate on the queries that need your attention.
  • Scan history – Understanding the history of your scans is crucial for tracking progress. Our new scan history feature provides a comprehensive log of past scans. You can easily review past scans, compare results, and identify patterns that inform future decisions.

How to Access and Use It

The Query Editor is seamlessly integrated into Checkmarx One. Simply navigate to the queries section and start! You can open the Query Editor associated with a project or open it independent of any project. Get the full documentation here.

Get Started Today

The new Checkmarx One Query Editor simplifies the process of customizing security scans. With an intuitive interface and features like language-specific views and scan history, it helps you prioritize your focus. By reducing false positives and negatives, the Query Editor helps you complete your work and secure your applications more efficiently. Start using the Checkmarx Query Editor today and enhance your application security with ease and precision.

Still not on Checkmarx One? Contact us to discuss how to migrate from CxSAST or another vendor to Checkmarx One today.