Skip to main content

Checkmarx SCA Plugin for JFrog

Warning

Version 1.1.9 and below of this plugin will stop working on Feb. 29. To continue using this plugin, make sure to upgrade to version 1.1.10 before that date.

Overview

The Checkmarx SCA plugin for JFrog Artifactory runs a Checkmarx SCA scan on each of your Jfrog artifacts, and uses the scan results to enrich the properties shown in the JFrog Artifactory UI. This integrates scanning of artifacts into your DevOps workflow, providing easy visibility into possible risks that could make your applications vulnerable.

You can set a risk threshold so that artifacts with risks of a specified severity level will automatically be blocked from download.

When you install the plugin, Checkmarx scans all artifacts currently in your Artifactory. In addition, each time that an artifact is downloaded the plugin runs a Checkmarx SCA scan on that item. In order to avoid redundant scanning of the same artifact, a cache mechanism is used to reuse scan results for a fixed period of time (default: 6 hr).

6434652192.png

Main Features

  • Free tool, no Checkmarx account required

  • View risks in artifact properties

  • Block download of vulnerable artifacts

  • Block download of artifacts that have licenses that aren't included in your "allowed" list

Requirements

  • This plugin is supported only for Self-Hosted instances of JFrog

  • Tested and approved for JFrog Artifactory v7

Notice

This is a free tool provided by Checkmarx for all JFrog users, and does not require the user to submit credentials for a Checkmarx SCA account.

Supported Package Managers

Bower, CocoaPods, Composer, Go, Gradle, Ivy, Maven, Npm, Nuget, Pypi, Sbt

Installing and Configuring the Plugin

  1. Download the plugin using one of the above links.

  2. Extract the archive.

    The extracted folder contains the following items:

    • cxsca-security-plugin.groovy

    • cxsca-security-plugin.properties

    • lib > sca-artifactory-plugin.jar

  3. By default, when an artifact is reused within 6 hours the scan data from the cache is reused instead of triggering a new scan. If you would like to adjust the time span, use the following procedure.

    1. Open the cxsca-security-plugin.properties file.

    2. In the line sca.data.expiration-time=21600, replace 21600with the desired time span for using the cache (in seconds).

      Notice

      The minimum acceptable value for cache expiration is 1800 (30 min.).

  4. You can set a risk threshold so that artifacts with risks of the specified severity level (or above) will be blocked from download. To set a threshold, use the following procedure.

    1. Open the cxsca-security-plugin.properties file.

    2. In the line sca.security.risk.threshold=none, replace nonewith the desired threshold, options are low, medium or high.

      Notice

      Each artifact that has one or more risks of the specified severity level or above will be blocked from download. You can override the threshold for specific artifacts when needed, see below.

  5. You can specify a list of allowed licenses so that artifacts that do not have an allowed license are blocked from download. To set the list of allowed licenses, use the following procedure.

    1. Open the cxsca-security-plugin.properties file.

    2. Add the property sca.licenses.allowed, and add a comma separated list of allowed licenses. For example:

      sca.licenses.allowed=MIT,APACHE

      Notice

      You can override the threshold for specific artifacts when needed, see below.

  6. Put all of the contents of the extracted archive into ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins.

  7. If your JFrog instance is not configured to reload plugins automatically (this is the default configuration), then you will need to manually reload the plugins (e.g., POST http://<JFrogURL>/artifactory/api/plugins/reload).

  8. Log in to your JFrog Artifactory instance and navigate to the System Logs to check that Checkmarx SCA has been installed successfully. The logs should show:

    6434619413.png

Overriding Thresholds

If you have set a threshold for blocking downloads, you can override this threshold for specific artifacts.

Warning

Once you have overridden the threshold, users will be able to download this artifact despite its containing risks of any severity level.

To override the threshold:

  1. Open the properties tab for the desired artifact.

  2. Add a property CxSCA.IgnoreRiskThreshold and set the value to true.

    6435110921.png

Overriding License Limitations

If you have set a limitation to block download of packages with licenses that aren't included in your "allowed" list, you can override this limitation for specific artifacts.

To override the limitation:

  1. Open the properties tab for the desired artifact.

  2. Add a property CxSCA.IgnoreLicenses and set the value to true.

Event Logs

By default the plugin logs are written to the general system logs file. By default the log level is set as INFO.

You can configure the logs to be sent to a dedicated Checkmarx log file. You can also change the log level.

To create a dedicated log file:

  1. Open the ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xml) file.

  2. Append the following snippet to the file in order to create a dedicated log file.

    <appender name="CXSCA" class="ch.qos.logback.core.rolling.RollingFileAppender">
      <File>${log.dir}/cxsca.log</File>
    
      <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
        <FileNamePattern>${log.dir.archived}/cxsca.%i.log.gz</FileNamePattern>
      </rollingPolicy>
    
      <triggeringPolicy class="org.jfrog.common.logging.logback.triggering.SizeAndIntervalTriggeringPolicy">
        <MaxFileSize>25MB</MaxFileSize>
      </triggeringPolicy>
    
      <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">   
          <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
        </layout>
      </encoder>
    </appender>
  3. If you would also like to change the log level, add the following code to the file:

    <logger name="com.checkmarx.sca.cxsca-security-plugin" additivity="false" level="DEBUG">
      <appender-ref ref="CXSCA"/>
    </logger>

Notice

The log level can be set as INFO (default), DEBUG or WARN.

Checkmarx Artifact Properties

Once the plugin is enabled and a package has been scanned by Checkmarx SCA, the following properties are added to the properties tab of the artifact.

Property Name

Description

CxSCA.TotalRisks

The total number of vulnerabilities.

CxSCA.LowSeverityRisks

The total number of low severity vulnerabilities.

CxSCA.MediumSeverityRisks

The total number of medium severity vulnerabilities.

CxSCA.HighSeverityRisks

The total number of high severity vulnerabilities.

CxSCA.RiskScore

The overall risk score of the package, from 0 (low) to 10 (high).

CxSCA.RiskLevel

The overall risk level of the package. Possible values are: High, Medium, Low, None

CxSCA.LastScanned

The date and time of the most recent scan was run.

CxSCA.Licenses

The list of licenses associated with this artifact.