Checkmarx SAST-Slim

Introduction

Checkmarx SAST-Slim (SAST-Slim) is a version of Checkmarx SAST (SAST) without distributing the US-based third-party software. SAST-Slim is available from the equivalent SAST 9.5.0 and later, with annual releases. All features and functionality included in SAST are also present in the SAST-Slim version.

SAST-Slim is available for clean installations and for upgrades (from previous SAST versions).

Caution

The customer is responsible for handling the installation and configuration of all the software components required for the proper performance of SAST-Slim.

Caution

M&O is not supported in SAST-Slim.

New installations will not have it; upgrades might have it, but without any guarantee for its functionality.

The following sections describe the requirements and installation procedures for SAST-Slim.

Requirements

| Third-Party Product | Version | Comment |
|---|---|---|
| Active MQ | 5.17.2 | ActiveMQ |
| .NET Core | 6.0.5 | |
| .NET Core Windows Server Hosting | 6.0.5 | Host ASP.NET Core on Windows with IIS |
| Java JRE | 17.0.3 (x64) | Archive \| Adoptium |
| Visual C++ Redistributable (x64) | 2010 - 10.0.40219; 2015 - 14.27.29016 | |
| MS SQL | SQL Server Express or other versions | |
| IIS | v7.0 | |
| Windows Environment | Win2012, Win2016, Win2019, Win2022 | |

ActiveMQ Required Configuration

Whether it is a clean installation or an upgrade to SAST-Slim, Active MQ (AMQ) must be installed and properly configured by the customer.

Caution

  • SAST-Slim requires AMQ to be configured with a user and a password.

    Anonymous mode must not be used because it will prevent the SAST-Slim suite from functioning correctly.

  • Make sure a user with the name “cxuser” is defined.

  • The password must be set; it cannot be left blank.

  • The password must be without uppercase characters.

  • The AMQ service must be restarted for configuration changes to take effect.

Defining User and Password using the Authentication Plugin

This can be performed either during installation or afterward, by editing the activemq.xml file directly and adding a section inside the broker element, similar to the following:

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="cxuser" password="your_password" groups="users,admins" />
    </users>
  </simpleAuthenticationPlugin>
</plugins>

Notice

Refer to the official AMQ documentation for alternate ways of configuring users and passwords.

Notice

SAST-Slim requires that only one user is defined.

There is no need to define groups and/or permissions under AMQ.

Password Encryption

Refer to the official AMQ documentation about how to use encrypted passwords.

An online external encrypt/decrypt website, such as Jasypt, can also be used. Jasypt is an example of a tool that supports both one-way and two-way password encryption, as well as matching encrypted passwords.

Notice

In any case, the private key (password) that must be used for the encryption algorithm is: CxManager

Relevant AMQ Information

Use the following information when configuring AMQ:

  • Host Name: refers to the Server/Machine name/IP.

  • Port: refers to the port in the value of “openwire” attribute, under TransportConnector element of the ActiveMQ.xml file (as shown in the image below):

    [Image: Slim_TransportConnectors_Config.png]

  • Password: refers to the password defined. It can be found either in credentials.properties or credentials-enc.properties; or else in the ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.

  • User ID: is hardcoded as “cxuser”, and must exist in the AMQ configuration, either in credentials.properties or credentials-enc.properties or else in ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.
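
As an added example (not part of the Checkmarx documentation or product), the following Python code checks an activemq.xml against the rules listed under "ActiveMQ Required Configuration" and reads the openwire port described under "Relevant AMQ Information". The sample XML is constructed and the function names are hypothetical; a password given as a ${...} property placeholder is reported rather than resolved.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample broker file (not a real deployment); the password is deliberately invalid.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="cxuser" password="Your_password" groups="users,admins"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
    </transportConnectors>
  </broker>
</beans>"""

def _named(root, name):  # match on local name, ignoring the XML namespace
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_amq_config(xml_text):
    """Return (problems, openwire_port) for the SAST-Slim rules stated on this page."""
    root = ET.fromstring(xml_text)
    problems = []
    if not _named(root, "simpleAuthenticationPlugin"):
        problems.append("no simpleAuthenticationPlugin section found")
    users = _named(root, "authenticationUser")
    if len(users) != 1:
        problems.append(f"expected exactly one user, found {len(users)}")
    if not any(u.get("username") == "cxuser" for u in users):
        problems.append("user 'cxuser' is not defined")
    for u in users:
        name, pw = u.get("username"), u.get("password") or ""
        if not pw:
            problems.append(f"{name}: password is blank")
        elif pw.startswith("${"):
            problems.append(f"{name}: password is a placeholder, check the properties file")
        elif any(c.isupper() for c in pw):
            problems.append(f"{name}: password contains uppercase characters")
    port = None
    for tc in _named(root, "transportConnector"):
        m = re.match(r"[\w+]+://[^:/?]+:(\d+)", tc.get("uri", ""))
        if tc.get("name") == "openwire" and m:
            port = int(m.group(1))  # the value to supply as Port / MQHTTPPORT
    return problems, port

print(check_amq_config(SAMPLE_XML))
```
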

SAST-Slim - Clean Installation

Notice

It is important that at this stage all requirements, including AMQ, have been installed!

SAST-Slim can be installed either by the UI installer or the Silent installer. Both installation processes will check that all the requirements are correctly installed in the environment.

UI Installer

The clean installation via UI is similar to SAST (refer to CxSAST documentation for details). During the installation steps, the following screen will appear, in which the AMQ configuration fields must be filled in with the values described above.

[Image: Slim_AMQ_Config_empty_fields.png]

Caution

Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterward, you must test the connection again, before continuing!

Notice

SSL Connection is disabled for clean installations. The SSL configuration for Checkmarx SAST-Slim and its companion components must be performed after the installation is completed.

Silent Installer

The silent installer works as in SAST (refer to CxSAST documentation for details).

For SAST-Slim to work with AMQ, the following arguments must be passed during the installer execution.

  • MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above

  • MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above

  • ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above

  • ACTIVEMQ ='1'

SAST-Slim - Upgrade (from 9.3 to 9.4.5)

Notice

In the following procedure, <Checkmarx Home> refers to the path where the original version of SAST is installed. It usually defaults to C:\Program Files\Checkmarx.

Notice

It is important that at this stage all requirements are installed!

In addition:

  • Java 17+ must be added to the PATH environment variable

  • Regarding ActiveMQ:

    • if it is installed on a different machine, it can be installed before starting the upgrade;

    • if it is installed on the same machine, install it only as indicated in the steps below.

UI Installer

To upgrade with SAST-Slim (from a non-SAST-Slim version) using the UI Installer, perform the following:

  1. Run the SAST-Slim installer and follow the wizard steps.

    Note that the original ActiveMQ component will be removed automatically during the installation.

    [Image: Welcome_Slim.png]

  2. When the ActiveMQ configuration screen appears, install the new AMQ before continuing.

    Caution

    1. Do not install AMQ in <Checkmarx Home>.

    2. Make sure to configure it with the username “cxuser” and a password that is non-empty and without uppercase characters.

    [Image: Slim_AMQ_Config_empty_fields.png]

    Caution

    Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterwards, you must test the connection again, before continuing!

Silent Installer

To upgrade with SAST-Slim (from a non-SAST-Slim version) using the Silent Installer, perform the following:

  1. Run the SAST-Slim silent installer. After a while, it will exit and the following message will appear in the log files within the %temp% folder:

    Checkmarx ActiveMQ removed exit from the application. Rerun the silent installation with the External ActiveMQ configuration parameters.

  2. Install the new AMQ before continuing.

  3. Rerun the SAST-Slim silent installer with all the following AMQ parameters:

    • MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above

    • MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above

    • ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above

    • ACTIVEMQ ='1'

RabbitMQ Configuration (9.6.0 and up)

Note

CxSAST 9.6.0 Slim (with ActiveMQ) must be installed to change the connection to RabbitMQ.

To replace the ActiveMQ connection with RabbitMQ:

  1. Access the frontend of RabbitMQ (optional)

    1. If RabbitMQ is running on a separate machine, connect to that machine (for example, via RDP)

    2. Open a web browser and go to http://localhost:15672/ (or to the relevant URL where RabbitMQ is deployed)

    3. Log in with the following credentials (in case you are using the default credentials):

      username: guest

      password: guest

  2. Define the correct values for the necessary keys inside the Database

    1. Open SQL Server Management Studio (SSMS)

    2. Connect to your SQL Server Instance

    3. Open the following database table: [CxDB].[dbo].[CxComponentConfiguration]

    4. Define ActiveMessageQueueURL = tcp://example:5672 (replace “example” with the hostname or IP address of the machine that has the RabbitMQ deployment).

      Note

      We do not guarantee that the connection to RabbitMQ with AMQPS or SSL will function correctly.

    5. Define MessageQueueType = RabbitMQ

    6. The value of the key MessageQueuePassword is an encrypted password. Do not change this value.

    7. The value of the key MessageQueueUsername must be equal to cxuser. Currently, the message queue does not function with a different value, because cxuser is hardcoded.

  3. Define the correct values for the necessary system variables:

    1. Open the Edit the system environment variables window

    2. Click Environment Variables

    3. Define ActiveMessageQueueURL and CX_ES_MESSAGE_QUEUE_URL = tcp://example:5672 (replace “example” with the hostname or IP address of the machine that has the RabbitMQ deployment)

      Note

      We do not guarantee that the connection to RabbitMQ with AMQPS or SSL will function correctly.

    4. Define CX_ENGINE_MESSAGE_QUEUE_TYPE = RabbitMQ

    5. The values of the variables CX_ES_MESSAGE_QUEUE_PASSWORD and MessageQueuePassword are encrypted passwords. Do not change these values.

    6. The values of the variables CX_ES_MESSAGE_QUEUE_USERNAME and MessageQueueUsername must be equal to cxuser. Currently, the message queue does not function with a different value, because cxuser is hardcoded.

  4. Restart Internet Information Service (IIS)

    1. Open IIS manager

    2. Go to the homepage by clicking on the name of your machine (left side panel)

    3. On the right side panel, click stop and then click start

  5. Restart all the Checkmarx services

    1. Open the Services window

    2. Stop and then start these services: CxJobManager, CxSastResults, CxScansManager, CxServicesAvailability, and CxSystemManager

  6. Test if RabbitMQ is functioning correctly

    1. Open a web browser

    2. Open CxPortal and navigate to the Access Control administration page (if the page is already open, refresh it)

    3. Create a user

    4. Open SSMS

    5. Select all users from the [CxDB].[dbo].[Users] table

    6. Confirm that the user that you created was inserted in the table

Additional Notes

Post-Install Tool

In case the customer installed AMQ in an external environment, attention is required when using the Post-install tool to update endpoints.

As can be seen in the image below, the current state of AMQ URI is different from the current URIs of other components. This is correct, as it refers to the external environment. However, the Post-Install tool assumes the new base URI for all components (as shown in the text fields under the After Update column).

[Image: Slim_Updating_Endpoints.png]

In this situation, it is recommended that you copy the current AMQ URI to the text field under the After Update column.