
Checkmarx SAST-Slim

Introduction

Checkmarx SAST-Slim (SAST-Slim) is a version of Checkmarx SAST (SAST) without distributing the US-based third-party software. SAST-Slim is available from the equivalent SAST 9.5.0 and later, with annual releases. All features and functionality included in SAST are also present in the SAST-Slim version.

SAST-Slim is available for clean installations and for upgrades (from previous SAST versions).

Caution

The customer is responsible for handling the installation and the configuration of all the software components required for the proper performance of SAST-Slim.

Caution

M&O is not supported in SAST-Slim.

New installations will not have it; upgrades might have it, but without any guarantee for its functionality.

The following sections describe the requirements and installation procedures for SAST-Slim.

Requirements

| Third Party Product | Version | Comment |
|---|---|---|
| Active MQ | 5.17.2 | ActiveMQ |
| .NET Core | 6.0.5 | |
| .NET Core Windows Server Hosting | 6.0.5 | Host ASP.NET Core on Windows with IIS |
| Java JRE | 17.0.3 (x64) | Archive \| Adoptium |
| Visual C++ Redistributable (x64) | 2010 - 10.0.40219; 2015 - 14.27.29016 | |
| MS SQL | SQL Server Express or other version | |
| IIS | v7.0 | |
| Windows Environment | Win2012, Win2016, Win2019, Win2022 | |

ActiveMQ Required Configuration

Whether it is a clean installation or an upgrade to SAST-Slim, Active MQ (AMQ) must be installed and properly configured by the customer.

Caution

  • SAST-Slim requires AMQ to be configured with a user and a password.

    Anonymous mode must not be used because it will prevent the SAST-Slim suite from functioning correctly.

  • Make sure a user with the name “cxuser” is defined.

  • The password must be set; it cannot be left blank.

  • The password must be without uppercase characters.

  • The AMQ service must be restarted for configuration changes to take effect.

Defining User and Password using the Authentication Plugin

This can be performed either during installation or afterwards, by directly changing the ActiveMQ.xml file with the addition of a section under entities beans → broker, similar to the following one:

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="cxuser" password="your_password" groups="users,admins" />
    </users>
  </simpleAuthenticationPlugin>
</plugins>

Notice

Refer to the official AMQ documentation for alternate ways of configuring users and passwords.

Notice

SAST-Slim requires that only one user is defined.

There is no need to define groups and/or permissions under AMQ.

Password Encryption

Refer to the official AMQ documentation on how to use encrypted passwords.

An online external encrypt/decrypt website, such as Jasypt, can also be used. Jasypt is an example of a tool that supports both one-way and two-way password encryption, as well as matching encrypted passwords.

Notice

In any case, the private key (password) that must be used for the encryption algorithm is: CxManager

Relevant AMQ Information

Use the following information when configuring AMQ:

  • Host Name: refers to the Server/Machine name/IP.

  • Port: refers to the port in the value of “openwire” attribute, under TransportConnector element of the ActiveMQ.xml file (as shown in the image below):

    Slim_TransportConnectors_Config.png

  • Password: refers to the password defined. It can be found either in credentials.properties or credentials-enc.properties; or else in the ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.

  • User ID: is hardcoded as “cxuser”, and must exist in the AMQ configuration, either in credentials.properties or credentials-enc.properties, or else in ActiveMQ.xml file under the simpleAuthenticationPlugin entity, described above in "Defining User and Password using the Authentication Plugin" under the ActiveMQ Required Configuration section.
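
The following PowerShell check is an added example, not part of the Checkmarx documentation or installer. It validates an ActiveMQ.xml against the rules listed above (a single user named cxuser, a non-blank password without uppercase characters, no anonymous access) and reads the openwire port that the installer asks for. The function name Test-CxAmqConfig and the sample XML, including its password and port, are constructed for illustration.

```powershell
# Added example. Test-CxAmqConfig and the sample XML below are constructed for
# illustration; they are not part of SAST-Slim or ActiveMQ.
function Test-CxAmqConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = @()
    # local-name() avoids having to register the Spring/ActiveMQ XML namespaces.
    $plugin = $Config.SelectSingleNode("//*[local-name()='simpleAuthenticationPlugin']")
    $users  = @($Config.SelectNodes("//*[local-name()='authenticationUser']"))
    if ($plugin -and $plugin.GetAttribute('anonymousAccessAllowed') -eq 'true') {
        $findings += 'anonymousAccessAllowed is true: anonymous mode must not be used'
    }
    if ($users.Count -ne 1) {
        $findings += "Expected exactly one authenticationUser, found $($users.Count)"
    }
    $cx = $users | Where-Object { $_.GetAttribute('username') -ceq 'cxuser' } | Select-Object -First 1
    if (-not $cx) {
        $findings += 'User "cxuser" is not defined in simpleAuthenticationPlugin'
    } else {
        $pw = $cx.GetAttribute('password')
        if ([string]::IsNullOrEmpty($pw)) {
            $findings += 'Password for cxuser is blank'
        } elseif ($pw -match '^\$\{.+\}$') {
            # Placeholder such as ${...}: the value lives in a credentials file.
            $findings += "Password is the placeholder $pw; check the credentials file instead"
        } elseif ($pw -cmatch '\p{Lu}') {
            # -cmatch is case-sensitive; plain -match ignores case.
            $findings += 'Password for cxuser contains uppercase characters'
        }
    }
    # Port = numeric port in the uri of the transportConnector named "openwire".
    $ow   = $Config.SelectSingleNode("//*[local-name()='transportConnector'][@name='openwire']")
    $port = if ($ow -and $ow.GetAttribute('uri') -match '^\w+://[^/?]*:(\d+)') { [int]$Matches[1] }
    [pscustomobject]@{ OpenwirePort = $port; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample; for a real file use: [xml](Get-Content -Raw <path to ActiveMQ.xml>)
$sample = [xml]@'
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core">
    <plugins><simpleAuthenticationPlugin><users>
      <authenticationUser username="cxuser" password="Example-pass1" groups="users,admins"/>
    </users></simpleAuthenticationPlugin></plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
    </transportConnectors>
  </broker>
</beans>
'@
Test-CxAmqConfig -Config $sample | Format-List
```

The constructed sample is reported as non-compliant because its password contains an uppercase letter. The uppercase rule applies to the plain-text password, so a placeholder that points to a credentials file is reported rather than evaluated.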

SAST-Slim - Clean Installation

Notice

It is important that at this stage all requirements, including AMQ, have been installed!

SAST-Slim can be installed either by the UI installer or the Silent installer. Both installation processes will check that all the requirements are correctly installed in the environment.

UI Installer

The clean installation via the UI is similar to SAST (refer to the CxSAST documentation for details). During the installation steps, the following screen will appear, requiring you to fill in the AMQ configuration fields described above.

Slim_AMQ_Config_empty_fields.png

Caution

Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterwards, you must test the connection again, before continuing!

Notice

SSL Connection is disabled for clean installations. The SSL configuration for Checkmarx SAST-Slim and its companion components must be performed after the installation is completed.

Silent Installer

The silent installer works the same way as in SAST (refer to the CxSAST documentation for details).

For SAST-Slim to work with AMQ, the following arguments must be passed during the installer execution.

  • MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above

  • MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above

  • ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above

  • ACTIVEMQ ='1'

SAST-Slim - Upgrade (from 9.3 to 9.4.5)

Notice

In the following procedure, <Checkmarx Home> refers to the path where the original version of SAST is installed. It usually defaults to C:\Program Files\Checkmarx.

Notice

It is important that at this stage all requirements are installed!

In addition:

  • Java 17+ must be added to the PATH environment variable

  • Regarding ActiveMQ:

    • if it is to be installed on a different machine, it can be installed before starting the upgrade;

    • if it is to be installed on the same machine, install it only as indicated in the steps below.

UI Installer

To upgrade with SAST-Slim (from a non-SAST-Slim version) using the UI Installer, perform the following:

  1. Run the SAST-Slim installer and follow the wizard steps.

    Note that the original ActiveMQ component will be removed automatically during the installation.

    Welcome_Slim.png

  2. When the ActiveMQ configuration screen appears, install the new AMQ before continuing.

    Caution

    1. Do not install AMQ in <Checkmarx Home>.

    2. Make sure to configure it with username “cxuser” and a password that is non-empty and without uppercase characters.

    Slim_AMQ_Config_empty_fields.png

    Caution

    Clicking Test Connection saves the connection configuration parameters, including the password. If you decide, for example, to change the password afterwards, you must test the connection again, before continuing!

Silent Installer

To upgrade with SAST-Slim (from a non-SAST-Slim version) using the Silent Installer, perform the following:

  1. Run the SAST-Slim silent installer. After a while it will exit, and the following message will appear in the log files in the %temp% folder:

    Checkmarx ActiveMQ removed, exit from application. Rerun the silent installation with the External ActiveMQ configuration parameters.

  2. Install the new AMQ before continuing.

  3. Rerun the SAST-Slim silent installer with all the following AMQ parameters:

    • MQPASSWORD = refer to Password in the "Relevant AMQ Information" section above

    • MQHTTPPORT = refer to Port in the "Relevant AMQ Information" section above

    • ACTIVEMQ_HOST_NAME = refer to Host Name in the "Relevant AMQ Information" section above

    • ACTIVEMQ ='1'

Additional Notes

Post-Install Tool

In case the customer installed AMQ in an external environment, attention is required when using the Post-install tool to update endpoints.

As can be seen in the image below, the current state of the AMQ URI is different from the current URIs of the other components. This is correct, as it refers to the external environment. However, the Post-Install tool applies the new base URI to all components (as shown in the text fields under the After Update column).

Slim_Updating_Endpoints.png

In this situation, it is recommended that you copy the current AMQ URI to the text field under the After Update column.