Reviewing Scan Results in SonarQube

Scan results in SonarQube that are related to Checkmarx are also displayed in CxSAST. For more information about viewing scan results in CxSAST, refer to the Checkmarx CxSAST documentation at Navigating SAST Scan Results.

Notice

The user running the SonarQube plugin must have 'Reviewer' role permissions.

Checkmarx scan results can be viewed on the SonarQube Project Space by clicking on the desired project from the Project List. The Project Space is displayed.

The top section of the Project Space (Quality Gate) shows the releasability status of the project and its current state of quality. If the project passes the Quality Gate, a green all-clear 'Passed' label appears. If not, a red 'Failed' label appears with details and drill-downs that are immediately available to quickly identify what went wrong.

Just below the Quality Gate information, the numbers of old and new issues in each area are shown. Checkmarx issues (vulnerabilities) are aggregated as part of the 'Bugs & Vulnerabilities' panel. Clicking on any figure in this panel takes you to a detailed view of the related issue in the Issues page.

Notice

All Checkmarx issues start with the “Checkmarx Vulnerability” prefix. Checkmarx severities are converted to SonarQube severities as follows:

  • SonarQube Critical = Checkmarx High

  • SonarQube Major = Checkmarx Medium

  • SonarQube Minor = Checkmarx Low

Clicking on a Checkmarx issue opens a new page relating to the specific issue chosen.

Code location nodes (version dependent) are highlighted and sorted accordingly. Nodes coming from different files are also indicated.

You can drill down into 'Vulnerabilities' and show the Checkmarx results by clicking the Measures tab and selecting Overview. A graphical diagram of the Remediation Effort, Lines of Code and Security Vulnerabilities is displayed.

This diagram displays the vulnerabilities' operational risks. The closer a bubble's color is to red, the more severe the worst vulnerabilities are. Bubble size indicates vulnerability volume, and each bubble's vertical position reflects the estimated time to address the vulnerabilities. Small green bubbles on the bottom edge are best. Mouse over a bubble to display additional information about the issue.

Click Remediation Effort to display the list of security issues that need remediation.

Users can define the time needed (in minutes) to fix a security issue. The resulting remediation effort is then calculated and displayed to the user in the Remediation Effort list.

By scrolling down, a graphical diagram of the Remediation Effort, Lines of Code and Vulnerabilities can also be viewed.

Clicking on one of the Checkmarx results, in this case “Checkmarx - High Vulnerabilities”, shows the list of files and the number of detected issues.

Clicking on one of the files opens the code viewer showing the content of the file and the list of found issues.

The code viewer is the heart of SonarQube; it displays the source code of a file together with its high-level statistics. The main purpose of the code viewer is to show the source code and the effort needed to fix its issues.

Clicking on the colored severity icon (version dependent) expands the issue.

Clicking on the rule icon opens the rule description.

Clicking the 'More' tab and then selecting 'Checkmarx Report' opens a graphical side-by-side summary report of the Checkmarx scan results.

The CxSAST Vulnerabilities Status report provides information about the distribution of security issues for the project and is divided into the following categories:

  • CxSAST Vulnerabilities Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level (high, medium and low).

  • Analyze Results (CxSAST) - provides a link to the vulnerability results in the CxSAST code viewer. Refer to the Checkmarx CxSAST documentation at Navigating Scan Results in CxSAST.

Notice

Status changes detected in CxSAST are not reflected in the SonarQube vulnerabilities status reports.

The CxSAST Full Report provides information about the distribution of security issues for the project and is divided into the following categories:

  • Report Criteria - provides the following information:

    • Start/End - start and end time of the CxSAST scan

    • Files - total number of files scanned

    • Code Lines - total number of lines of code scanned

  • Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.

  • Analyze Results - provides a link to the vulnerability results in the CxSAST code viewer. Refer to the Checkmarx CxSAST documentation at Navigating Scan Results in CxSAST.