
Query Editor

Overview

Checkmarx Audit complements Checkmarx SAST by enabling you to customize SAST’s analysis queries, or to write your own additional queries, for:

  • Security

  • Application logic

Audit can be used to adapt SAST’s built-in security queries to non-standard code. This helps eliminate false positives (for example, flows that pass through a project-specific sanitizer) while ensuring that all real vulnerabilities are identified (for example, by adding a project-specific sink). Audit can also be used to extend SAST with queries that support specific QA or application-logic needs.

For more information, see Audit Overview.

Note

In the Query Browser, the queries included in the Common category cannot be edited.

Accessing Query Editor

The first two methods described below open the Query Editor associated with a project. The last method opens the Query Editor independent of any project.

To access the Query Editor, perform one of the following:

From Applications and Projects

  1. From the Applications and Projects list, navigate to the project that you want to examine.

  2. Click on the Action icon on the right end of the project row.

    Edit_Query_App_Projects_B_Red.png
  3. From the drop-down menu, click Edit Queries.

    Edit_Query_Action_Buttons_and_Menu.png
  4. The Query Editor opens. Wait for the scanning to finish.

    Edit_Query_Scanning_Bord.png
  5. If you prefer a dark screen, you can toggle Night Mode.

    6302236913.png

From the Project Panel

  1. From the Applications and Projects list, navigate to the project that you want to work on.

  2. Click anywhere in the project row. The right panel appears.

    Edit_Query_Right_Panel_Red_Boxes.png
  3. In the SAST section of the panel, hover over the Actions icon, located to the left of the Overview and Results buttons.

  4. Click on Audit Scan in the drop-down menu.

  5. The Query Editor opens. After the Query Editor completes scanning the project, it is ready to use.

From the Left Navigation Bar

  1. In the left navigation bar, click on the Scan Management icon.

    QueryEditorScanMan.gif
  2. From the sub-menu that appears, click on Query Editor.

  3. The Query Editor opens. It is not associated with any project.

Viewing the Project Code

To view the project code, perform the following:

  1. In the Project area, you can drill down to see the packages contained in the project and the code snippets in the packages.

    6302826650.png
  2. To see the code, click on the filename in the hierarchy. A tab opens displaying the code.

    6302236939.png

Viewing the Query Code

To view the query code, perform the following:

  1. In the lower section of the screen, on the Queries tab, you can open the list of languages relevant to the project by expanding Query Browser.

    6302302482.png
  2. Drill down to see the individual queries relevant to the project.

    6302695621.png
  3. To see the query source code, click on the query name in the hierarchy. A tab opens displaying the query source code.

    6303023278.png
  4. If there are many lines of code, use the query code scroller on the right to quickly navigate to a particular section in the code.

    6302499052.png

Running a Query

When you first open the Audit page, the Results tab is blank. It remains blank until you run a query that returns results for the project code.

6301090490.png

To run a query, perform the following:

  1. On the Queries tab, select the query in the hierarchy that you want to run on the project, and click Run Query.

    6301876456.png
  2. Wait for the query to finish running.

    6303285261.png
  3. After the query finishes, the Results tab is displayed in one of the following modes:

    • If no results are found, a zero (0) is displayed after the name of the query and the No results found message is displayed in the first line of the Results sub-tab.

      6300271473.png
    • If results are found, the number of results is displayed after the name of the query, and the line numbers where the vulnerabilities occur are displayed in the Vulnerabilities tab. In the Project pane, the vulnerable lines of code are highlighted.

      2_Results.png

Creating an Override Query

Notice

Checkmarx queries are not editable. They are listed under the Cx folder and marked in the tab with the Checkmarx logo as shown below:

Cx_Queries.png

Instead, you can create override queries based on any of the Checkmarx queries, except for the Common queries. When you create an override query, its source code is copied from the selected Checkmarx query, and you can then modify it. An override query is applied at either the project level or the tenant level, depending on the scope you choose when creating it.

To create an override query, perform the following:

  1. Click on the query in the Queries tab.

  2. Right-click on the query source code and from the pop-up menu select the scope of the override, which can be either Tenant or Project.

    Audit_Override_Tenant.png
  3. A new query is added to the tab panel with a pre-filled source that calls the base query, as shown below. Because the queries share the same name, the Checkmarx logo is replaced with either a tenant icon or a project icon.

    Tenant Override:

    Tenant_override.png

    Project Override:

    Project_override.png
  4. Edit the query code in the tab.

    For example, a user increases maxValue to 150000, as shown:

    6304268289.png

    The asterisk in front of the query name in the tab title, indicates that the query has been changed, but not saved.

  5. Save the override queries by clicking the save icon (6274154540.png). The Save modified queries panel opens. Select the modified queries and click Save, or click Save all modified.

    Save_modified_queries.png

    The left panel is updated with the new queries.

    Left_Panel_Updated_with_Overrides.png
  6. To check the effect of the changes on the current project, click Run Query.

    From now on, the override is used whenever the project is scanned.

  7. After modifying one or more queries, click Rescan to rescan the project with the modified queries and check the results of the changes.

    6304268305.png
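As an added example, which is not code from the Checkmarx documentation, the following shows what a finished project-scoped override of the out-of-the-box SQL_Injection query could look like once the pre-filled line that calls the base query has been extended. It demonstrates the two adjustments the Overview mentions: removing false positives caused by a project-specific sanitizer, and adding a project-specific sink the base query does not know about. The CxQL members used (base.<QueryName>(), All, FindByMemberAccess, DataInfluencedBy, Find_Interactive_Inputs, Find_SQL_Sanitize, InfluencedByAndNotSanitized, Add and the - operator) are standard CxQL; the class and method names SqlGuard.EscapeIdentifier and DbHelper.RunRawSql are hypothetical placeholders for the application's own code, and SQL_Injection is assumed to exist for the project's language.

```csharp
// Added example, not from the Checkmarx documentation: a project-scoped override
// of the out-of-the-box SQL_Injection query, written in CxQL.
// SqlGuard.EscapeIdentifier and DbHelper.RunRawSql are hypothetical names that
// stand in for a project's own classes and methods.

// 1. Start from the base query's results, so everything Checkmarx already detects is kept.
//    This is the line the Query Editor pre-fills when the override is created.
result = base.SQL_Injection();

// 2. Remove false positives: results whose data passed through the project's own
//    sanitizer. FindByMemberAccess locates calls written as Class.Method; DataInfluencedBy
//    keeps the results that are data-influenced by those calls, and they are subtracted.
CxList customSanitizer = All.FindByMemberAccess("SqlGuard.EscapeIdentifier");
result = result - result.DataInfluencedBy(customSanitizer);

// 3. Add what the base query misses: a non-standard sink that executes raw SQL.
//    InfluencedByAndNotSanitized returns the sinks reached by an input through a data
//    flow on which none of the given sanitizers appear, so the custom sanitizer is
//    added to the standard SQL sanitizer list before the flow is computed.
CxList inputs = Find_Interactive_Inputs();
CxList customSink = All.FindByMemberAccess("DbHelper.RunRawSql");
CxList sqlSanitizers = Find_SQL_Sanitize();
sqlSanitizers.Add(customSanitizer);
result.Add(customSink.InfluencedByAndNotSanitized(inputs, sqlSanitizers));
```

Click Run Query to see the combined effect on the open project, then Rescan to apply it to the project's results. Note the difference between the two adjustments: step 2 filters at the level of result nodes, so a sink that receives both sanitized and unsanitized data is dropped entirely, whereas step 3 excludes only the sanitized paths. Where a sink can be reached by both kinds of path, prefer recomputing the flow with InfluencedByAndNotSanitized as step 3 does.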

Creating a New Query

New queries can be created using the Query Editor.

To create a new query, perform the following:

  1. Select the Queries tab.

    Query_Editor_Blank_with_Create_New_Button_Highlighted_.png
  2. Click the New Query button (Create_New_Query_Button.png). The Properties panel opens at the right of the screen.

    Query_Editor_Properties_Panel.png
  3. Enter the following information in the Properties panel.

    • Name of new query

    • Severity

    • Language

    • CWE ID (Optional)

    • Level

    • Group Name

    • Presets (Select one from the drop-down list of customized presets.)

    • Executable

    • Description ID (Optional)

  4. Close the panel to save the information. The information can be edited later by opening the Properties panel with the Properties Query_Editor_Properties_Button.png button.

  5. Enter the new query code in the tab, labeled with the name of the new query.

  6. Test the new query and make changes, if necessary.

  7. Click Query_Editor_Save_Button_Blue.png to save the new query. The new query will be listed in the Query list under the language and group name, which you specified in the Properties panel.
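The following is an added example of an application-logic query of the kind this procedure creates; it is not from the Checkmarx documentation. After the Properties panel has been filled in (for instance Language CSharp and a custom Group Name), this CxQL is pasted into the new query's tab. It flags every call to a privileged operation whose enclosing method never performs an authorization check. The CxQL members used (All, FindByMemberAccess, GetAncOfType, MethodDecl, GetByAncs and the - operator) are standard CxQL; AccountService.Transfer and AuthorizationService.RequireRole are hypothetical names standing in for a project's own classes and methods.

```csharp
// Added example, not from the Checkmarx documentation: a new application-logic query
// written in CxQL. It reports calls to the privileged operation AccountService.Transfer
// whose enclosing method contains no call to AuthorizationService.RequireRole.
// Both names are hypothetical placeholders for a project's own code.

// Every call to the privileged operation anywhere in the project.
CxList transfers = All.FindByMemberAccess("AccountService.Transfer");

// Every authorization check, and the method declarations that contain one.
CxList authChecks = All.FindByMemberAccess("AuthorizationService.RequireRole");
CxList guardedMethods = authChecks.GetAncOfType(typeof(MethodDecl));

// Transfers whose ancestors include one of those guarded method declarations.
CxList guardedTransfers = transfers.GetByAncs(guardedMethods);

// What remains is a privileged call with no authorization check in its own method.
result = transfers - guardedTransfers;
```

This is a structural check, not a path-sensitive one: a RequireRole call placed after the transfer, or in an unrelated branch of the same method, still counts as guarding it, and a check performed in a caller is not credited. Run Query on a project with a known unguarded call to confirm the query fires before saving it, then set its Severity in the Properties panel so that the finding is ranked appropriately in scan results.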

Changing the Severity of a Scan

By following these steps, you can change the severity of a new or overridden query and view the updated severity flags in the query results after running a scan.

  1. Locate the query: In the Query Editor, find the query you want to modify in the query list. Only new and overridden queries can be modified; Checkmarx queries are not editable.

  2. Open the query: Click the query so that its source opens in a tab. This allows you to view and modify the query details.

  3. Click on Properties to access the properties of the query.

  4. Click on the Severity dropdown and select the severity that accurately represents the query.

    Scan_Severity.png
  5. Save the modified query: After changing the Severity value, save the modified query to apply the changes.

  6. Exit the Query Editor: Once the query is saved, close the editor window.

  7. Run a regular SAST scan: Perform a regular SAST scan using the updated query configurations.

  8. Check the query results: After the scan is completed, review the results to see the impact of the modified query. Findings produced by the query are flagged with the severity level that you assigned.