
Consuming SCA results

It is possible to drill down the scan results page for a specific scan, which shows detailed info about the risks identified in that scan by the SCA scanner. You can also view scan results for specific vulnerable packages and risks. We will guide you through the SCA scan results and look at the Packages, Container, and Risks tabs in detail.

The Packages tab shows detailed information about the packages identified in your source code and their vulnerabilities.

The Container tab shows the container packages identified in your project and their vulnerabilities.

The Risks tab shows information about all of the risks associated with the open-source packages used by your project. It includes vulnerabilities such as CVEs, and supply chain risks such as malicious packages.

From a packages perspective

The Packages tab shows detailed information about the packages identified in your source code and the vulnerabilities found.

The Packages tab contains sub-tabs that show two types of pages:

  • The All Packages section shows a list of all packages that contain vulnerabilities identified by this scan.

  • The Package Details section shows detailed info about a specific package.

You can navigate between the various tabs that you have opened. In this video, we will guide you through the Packages tab.

For more details and instructions, please see the following articles.

SCA Results

From a container perspective

The Container section shows the container packages identified in your project and their vulnerabilities.

The Container tab contains two sub-tabs:

  • The Container Packages tab shows a list of all of the packages identified in the container images.

  • The Container Vulnerabilities tab shows a list of the vulnerabilities associated with the container packages.

In this video, we will guide you through the container tab.

For more details and instructions, please see the following articles.

SCA Results

From a risks perspective

The Risks tab shows information about the risks associated with the open-source packages used by your project, including vulnerabilities, like CVEs, and supply chain risks, such as malicious packages. The Risks tab contains sub-tabs that show two types of pages:

  • The All Risks section shows a list of Risks identified by this scan.

  • The Risk Details section shows detailed info about a specific Risk. You open this page by clicking on a row in the All Risks tab.

You can navigate between the various tabs that you have opened. In this video, we will guide you through the Risks tab.

For more details and instructions, please see the following articles.

SCA Results

SCA Resolver

Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx SCA cloud platform for risk analysis. It uses command line interface (CLI) commands to configure and scan your Projects.

Checkmarx SCA Resolver enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud and to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform.

In this video, we will provide you with more details and show you how the SCA Resolver process works.

For more details see our documentation, Checkmarx SCA Resolver.

SCA Exploitable Path

Prioritizing remediation of the many open source vulnerabilities identified by Checkmarx SCA can be a challenging task because it is not always apparent whether the vulnerable packages are actually being called by your project and whether the vulnerable methods are actually being used by your code. The key question is: Is there a path from your project code into the vulnerable package code, whereby the vulnerable packages could be exploited in your project? If not, then remediation is a much lower priority.

This is where the Exploitable Path feature comes in. Checkmarx SCA leverages SAST’s ability to scan the actual project code itself in parallel with scanning the manifest file, in order to validate whether the vulnerable open source packages are called from your proprietary code and whether the vulnerable methods are actually used by your code. This enables you to focus on the remediation of actively exploitable vulnerabilities.

Exploitable Path also identifies which lines in your project code actually reach the vulnerable method in the vulnerable package and shows you the full path to the vulnerability.
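The reachability question described above, as an added illustration (not Checkmarx's own implementation or code): given a constructed call graph of project and package methods and a constructed list of vulnerable methods, a breadth-first search finds whether any project entry point reaches each vulnerable method and returns the full call path, so reachable vulnerabilities can be prioritized first. All method names, package names and vulnerability ids below are constructed placeholders.

```python
from collections import deque

# Constructed call graph: caller -> callees. "app.*" is project code,
# "pkglib.*" is third-party package code. Not Checkmarx's algorithm; an
# illustration of the reachability check that Exploitable Path performs.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["pkglib.archive.extract"],
    "pkglib.archive.extract": ["pkglib.archive.sanitize_path"],
    "pkglib.archive.sanitize_path": [],
    "app.render_report": ["pkglib.template.render"],
    "pkglib.template.render": [],
    "pkglib.yaml.load_unsafe": [],  # vulnerable, present in the dependency tree, never called
}

# Constructed vulnerability records (placeholder ids, not real CVEs).
VULNS = [
    {"id": "VULN-A", "package": "pkglib.archive", "method": "pkglib.archive.sanitize_path"},
    {"id": "VULN-B", "package": "pkglib.yaml", "method": "pkglib.yaml.load_unsafe"},
]


def find_path(graph, start, target):
    """BFS from start; return the shortest call path to target, or None if unreachable."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in graph.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def prioritize(graph, entry_points, vulns):
    """Mark each vulnerability exploitable if any entry point reaches its method;
    return the list with reachable (higher-priority) vulnerabilities first."""
    results = []
    for v in vulns:
        path = None
        for entry in entry_points:
            path = find_path(graph, entry, v["method"])
            if path:
                break
        results.append({**v, "exploitable": path is not None, "path": path})
    return sorted(results, key=lambda r: not r["exploitable"])
```

Running `prioritize(CALL_GRAPH, ["app.main"], VULNS)` ranks VULN-A first with its four-step path and flags VULN-B as unreachable from project code.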

In this video, we will show you where you can find the Exploitable Path feature.

For more details see our documentation, Exploitable Path.