
Checkmarx SCA Plugin for Nexus

Warning

Versions 1.1.5 and below of this plugin are no longer supported. To continue using the plugin, upgrade to version 1.1.6.

Overview

The Checkmarx SCA plugin for Nexus Repository Manager runs a Checkmarx SCA scan on each of the artifacts in your repository, and uses the scan results to enrich the attributes shown in the Nexus UI. This integrates scanning of artifacts into your DevOps workflow, providing easy visibility into possible risks that could make your applications vulnerable.

You can set a risk threshold so that artifacts with risks of a specified severity level will automatically be blocked from download.

When you install the plugin, Checkmarx scans all artifacts currently in your repository. In addition, each time that an artifact is downloaded, the plugin runs a Checkmarx SCA scan on that artifact. In order to avoid redundant scanning of the same artifact, a cache mechanism is used to reuse scan results for a fixed period of time (default: 6 hr). You can also create a custom task to run scheduled SCA scans.

Main Features

  • Free tool, no Checkmarx account required

  • View risks in artifact properties

  • Block download of vulnerable artifacts

  • Block download of artifacts that have licenses that aren't included in your "allowed" list

Requirements

  • Nexus Pro or Nexus OSS version 3.28.0 and above

  • Nexus uses the OrientDB database (the default)

Notice

This is a free tool provided by Checkmarx for all Nexus users, and does not require the user to submit credentials for a Checkmarx SCA account.

Supported Package Managers

  • Nuget

  • Npm

  • Maven

Installing and Configuring the Plugin

  1. Download the plugin using one of the above links.

  2. Extract the archive.

    The extracted folder contains the file sca-nexus-plugin.kar.

  3. Place the sca-nexus-plugin.kar file in the $NEXUS_HOME/deploy/ folder.

  4. Restart the Nexus Repository Manager.

  5. You can verify that the plugin was installed and activated by going to Server administration > System > Bundles and looking for the SCA Nexus Plugin.


Configuring the Plugin - Setting Threshold and License Limitations (Optional)

The plugin comes fully operational and no configuration is required. You can optionally customize the settings according to your needs. Key configuration options are the ability to set a threshold for blocking artifact downloads and setting license limitations for blocking downloads.

  1. Go to Server administration > System > Capabilities and click on Checkmarx SCA Configuration.

  2. Click on the Settings tab.

    The Checkmarx settings form opens showing the default configuration.

  3. Under Checkmarx SCA API Url, the Base URL of the US environment is shown by default. You can replace it with the URL of the EU environment (https://eu.api-sca.checkmarx.net) if you prefer. The Nexus host needs outbound HTTPS access to whichever endpoint you choose, since the plugin obtains its scan results from there.

  4. Under Checkmarx SCA Expiration time, the default value is 21600 seconds (6 hours). When an artifact is requested again within that window, the cached scan data is reused instead of triggering a new scan. To adjust the window, enter the desired value in seconds. Keep in mind that a longer window means a frequently downloaded artifact is not rescanned until the cache expires, so a newly published risk for it is picked up later.

  5. Under Checkmarx SCA Risk Threshold, by default the value is set as None, meaning that SCA risks will not block download of artifacts. You can set a risk threshold so that artifacts with risks of the specified severity level or above will be blocked from download. Options are: None (default), Low, Medium or High.

    Notice

    You can override the threshold for specific artifacts when needed. See Overriding Thresholds

  6. Under Checkmarx SCA Licenses Allowed, the value is empty by default, meaning that SCA licenses do not cause downloads to be blocked. You can enter a comma-separated list of allowed licenses. Once this is set, artifacts that have licenses not on the allowed list are blocked from download. For example, if you enter MIT,APACHE, any artifact with a license other than those two will be blocked for download.

    Notice

    You can override the license limitation for specific artifacts when needed. See Overriding License Limitations
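The following is an added example, not code from the Checkmarx plugin: a small model of the download-blocking decision that the Risk Threshold, Licenses Allowed and Expiration time settings describe, including the two per-artifact override attributes (CxSCA.IgnoreRiskThreshold and CxSCA.IgnoreLicenses). The page does not spell out the plugin's exact comparison rules, so the severity ordering None < Low < Medium < High, case-insensitive license matching, and a comma-separated CxSCA.Licenses value are assumptions, and the sample artifact attributes are constructed for illustration.

```python
"""
Added example (not the plugin's own code): model of the download-blocking rules.

Assumptions not stated on the page: severity ordering None < Low < Medium < High,
license names compared case-insensitively, CxSCA.Licenses holding a
comma-separated list. SAMPLE_ARTIFACTS is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

# Assumed ordering of the documented threshold options.
SEVERITY_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class PluginConfig:
    """Defaults match the settings form: no blocking, 6-hour cache."""
    expiration_seconds: int = 21600
    risk_threshold: str = "None"      # None, Low, Medium or High
    licenses_allowed: str = ""        # comma-separated, e.g. "MIT,APACHE"


def split_licenses(value: str) -> Set[str]:
    """Normalise a comma-separated license string into an upper-cased set."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}


def is_true(attrs: Dict[str, str], name: str) -> bool:
    """Override attributes are set to the string 'true' in the Nexus UI."""
    return attrs.get(name, "").strip().lower() == "true"


def needs_rescan(last_scanned: datetime, now: datetime, expiration_seconds: int) -> bool:
    """Cache rule: a download triggers a new scan once the cached result has expired."""
    return now - last_scanned >= timedelta(seconds=expiration_seconds)


def download_decision(attrs: Dict[str, str], cfg: PluginConfig) -> Tuple[bool, str]:
    """Return (blocked, reason) for one artifact from its CxSCA.* attributes."""
    # Risk threshold: block at or above the configured level, unless overridden.
    threshold = SEVERITY_ORDER[cfg.risk_threshold]
    if threshold > 0 and not is_true(attrs, "CxSCA.IgnoreRiskThreshold"):
        level_name = attrs.get("CxSCA.RiskLevel", "None")
        if SEVERITY_ORDER.get(level_name, 0) >= threshold:
            return True, f"risk level {level_name} is at or above threshold {cfg.risk_threshold}"

    # License allow-list: an empty list disables license blocking entirely.
    allowed = split_licenses(cfg.licenses_allowed)
    if allowed and not is_true(attrs, "CxSCA.IgnoreLicenses"):
        disallowed = sorted(split_licenses(attrs.get("CxSCA.Licenses", "")) - allowed)
        if disallowed:
            return True, "license(s) not on allowed list: " + ", ".join(disallowed)

    return False, "allowed"


# Constructed sample attributes, shaped like the ones the plugin writes per artifact.
SAMPLE_ARTIFACTS = {
    "example-app-1.0.0.tgz": {"CxSCA.RiskLevel": "High", "CxSCA.Licenses": "MIT"},
    "example-util-2.3.1.tgz": {"CxSCA.RiskLevel": "Low", "CxSCA.Licenses": "MIT,APACHE"},
    "example-gpl-0.9.0.tgz": {"CxSCA.RiskLevel": "None", "CxSCA.Licenses": "GPL-3.0"},
    "example-waived-1.0.0.tgz": {"CxSCA.RiskLevel": "High", "CxSCA.Licenses": "MIT",
                                 "CxSCA.IgnoreRiskThreshold": "true"},
}


def evaluate_all(cfg: PluginConfig) -> Dict[str, Tuple[bool, str]]:
    """Apply one configuration to every sample artifact."""
    return {name: download_decision(attrs, cfg) for name, attrs in SAMPLE_ARTIFACTS.items()}


def cache_demo(expiration_seconds: int = 21600) -> Dict[str, bool]:
    """Cache boundary: downloads at 1h and 5h reuse the result, at 6h and 7h rescan."""
    scanned = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    return {f"{h}h": needs_rescan(scanned, scanned + timedelta(hours=h), expiration_seconds)
            for h in (1, 5, 6, 7)}


if __name__ == "__main__":
    cfg = PluginConfig(risk_threshold="Medium", licenses_allowed="MIT,APACHE")
    for name, (blocked, reason) in evaluate_all(cfg).items():
        print(f"{'BLOCK' if blocked else 'ALLOW':5} {name}: {reason}")
    print("rescan needed:", cache_demo(cfg.expiration_seconds))
```

With a Medium threshold and MIT,APACHE allowed, the High-risk artifact and the GPL-licensed one are blocked, the Low-risk MIT/Apache one is allowed, and the waived artifact passes despite its High risk because only its threshold check is skipped; the license check still applies to it.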

Checkmarx Artifact Attributes

Once the plugin is enabled and a package has been scanned by Checkmarx SCA, a series of Checkmarx SCA attributes is shown in the Attributes tab for that artifact.


The following table describes the Checkmarx SCA attributes.

Attribute Name             Description

CxSCA.TotalRisks           The total number of vulnerabilities found in the artifact.

CxSCA.RiskLevel            The overall risk level of the package. Possible values are: High, Medium, Low, None.

CxSCA.RiskScore            The overall risk score of the package, from 0 (low) to 10 (high).

CxSCA.LastScanned          The date and time at which the most recent scan was run.

CxSCA.LowSeverityRisks     The total number of low severity vulnerabilities.

CxSCA.MediumSeverityRisks  The total number of medium severity vulnerabilities.

CxSCA.HighSeverityRisks    The total number of high severity vulnerabilities.

CxSCA.Licenses             The list of licenses associated with this artifact.

Overriding Thresholds

If you have set a threshold for blocking downloads, you can override this threshold for specific artifacts.

Warning

Once you have overridden the threshold, users will be able to download this artifact despite its containing risks of any severity level.

Notice

Overriding the threshold is done by editing attributes for the relevant packages. This capability is included in Nexus PRO. If you are using Nexus OSS, then you can get this functionality by installing the following open source plugin from GitHub: sahabpardaz/nexus-tag-plugin.

To override the threshold:

  1. Open the attributes for the desired artifact.

  2. Add an attribute CxSCA.IgnoreRiskThreshold and set the value to true.

Overriding License Limitations

If you have set a limitation to block download of packages with licenses that aren't included in your "allowed" list, you can override this limitation for specific artifacts.

Notice

Overriding the license limitation is done by editing attributes for the relevant packages. This capability is included in Nexus PRO. If you are using Nexus OSS, then you can get this functionality by installing the following open source plugin from GitHub: sahabpardaz/nexus-tag-plugin.

To override the license limitation:

  1. Open the attributes for the desired artifact.

  2. Add an attribute CxSCA.IgnoreLicenses and set the value to true.

Creating Nexus Tasks to Schedule Scans

When the plugin is installed, it automatically creates a task to run a one-time scan of all artifacts in your repository. The default behavior is that after the initial scan, each time that an artifact is downloaded, a scan is run on that artifact.

You can create custom tasks to schedule additional SCA scans.

To create a new task:

  1. Go to Server administration > System > Tasks and click on the Create task button.

  2. Click on Checkmarx SCA - Repository Scan.

    A form opens for creating a new Checkmarx SCA task.

  3. In the Task name field, enter a Name for the task (e.g., Checkmarx SCA Scan).

  4. You can optionally configure notifications.

  5. Under Checkmarx SCA - Repository Scan, select the repos that you would like to scan.

  6. Under Task frequency, specify the frequency that you would like to run this task.

    Notice

    You can set the frequency to Manual, in which case scans will only run when you trigger them manually.

  7. Click Create task.
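The task created above can also be started from outside the UI, which matters when its frequency is set to Manual and you want a pipeline or cron job to kick off the scan. The following is an added example, not code from the plugin or from Sonatype, that uses the Nexus Repository 3 tasks REST API (GET /service/rest/v1/tasks to list tasks, POST /service/rest/v1/tasks/{id}/run to start one) to run the task by the name you gave it and wait for it to leave the RUNNING state. The task name "Checkmarx SCA Scan", the NEXUS_URL/NEXUS_USER/NEXUS_PASS environment variables, the currentState strings and the SAMPLE_TASK_LISTING payload are assumptions or constructed data for illustration.

```python
"""
Added example (not the plugin's or Nexus's own code): trigger the Checkmarx SCA
task on demand through the Nexus tasks REST API and wait for it to finish.

Assumptions: the task exists under TASK_NAME (created in the UI); credentials
come from environment variables; Nexus reports currentState values such as
RUNNING and WAITING; SAMPLE_TASK_LISTING is a constructed response used only
for the offline self-check.
"""
import base64
import json
import os
import sys
import time
import urllib.request
from typing import Dict, List, Optional

TASK_NAME = "Checkmarx SCA Scan"   # the name entered when the task was created


def find_task_ids(listing: Dict, name: str) -> List[str]:
    """Ids of tasks with exactly this name; Nexus does not force task names to be unique."""
    return [task["id"] for task in listing.get("items", []) if task.get("name") == name]


def task_state(listing: Dict, task_id: str) -> Optional[str]:
    """currentState of one task from a listing, or None if it is not present."""
    for task in listing.get("items", []):
        if task.get("id") == task_id:
            return task.get("currentState")
    return None


class NexusTasks:
    """Minimal client: Basic auth over HTTPS, ideally as a user holding only task privileges."""

    def __init__(self, base_url: str, user: str, password: str) -> None:
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def _call(self, method: str, path: str):
        req = urllib.request.Request(self.base + path, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
        return json.loads(body) if body else None   # POST .../run answers 204 with no body

    def list_tasks(self) -> Dict:
        """Collect every page of the task listing into one dict."""
        items, token = [], None
        while True:
            path = "/service/rest/v1/tasks" + (f"?continuationToken={token}" if token else "")
            page = self._call("GET", path)
            items.extend(page.get("items", []))
            token = page.get("continuationToken")
            if not token:
                return {"items": items, "continuationToken": None}

    def run(self, task_id: str) -> None:
        self._call("POST", f"/service/rest/v1/tasks/{task_id}/run")


def run_and_wait(client: NexusTasks, name: str, poll: float = 10, timeout: float = 3600) -> str:
    """Start the named task and block until it is no longer RUNNING; return its final state."""
    ids = find_task_ids(client.list_tasks(), name)
    if len(ids) != 1:
        raise RuntimeError(f"expected exactly one task named {name!r}, found {len(ids)}")
    client.run(ids[0])
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        time.sleep(poll)
        state = task_state(client.list_tasks(), ids[0])
        if state != "RUNNING":
            return state or "UNKNOWN"
    raise TimeoutError(f"task {name!r} still running after {timeout}s")


# Constructed listing in the shape GET /service/rest/v1/tasks returns.
SAMPLE_TASK_LISTING = {
    "items": [
        {"id": "a1b2c3", "name": "Checkmarx SCA Scan", "currentState": "WAITING", "lastRunResult": "OK"},
        {"id": "d4e5f6", "name": "Cleanup service", "currentState": "RUNNING", "lastRunResult": None},
    ],
    "continuationToken": None,
}


if __name__ == "__main__":
    client = NexusTasks(os.environ["NEXUS_URL"], os.environ["NEXUS_USER"], os.environ["NEXUS_PASS"])
    final = run_and_wait(client, TASK_NAME)
    print(f"{TASK_NAME}: {final}")
    sys.exit(0 if final == "WAITING" else 1)
```

Run it as NEXUS_URL=https://nexus.example.internal NEXUS_USER=scan-runner NEXUS_PASS=... python3 run_sca_task.py. The script refuses to guess when more than one task carries the name, since Nexus allows duplicate task names, and it stores no credentials in the file itself.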

Event Logs

By default the plugin logs are written to the following system log files:

  • Nexus logs - $NEXUS_DATA/log/

  • Task logs - $NEXUS_DATA/log/tasks/

The logs can be viewed in the Nexus UI by going to Server administration > Support > Logs.

By default the log level is set as INFO. You can change the log level and/or create a dedicated Checkmarx log file for the logs.

To change the log level:

  1. Go to Server administration > Support > Logging and click on the Create Logger button.

  2. In the Logger Name field, enter 'com.checkmarx.sca'.

  3. In the Logger Level field, select from the dropdown list the desired logging level.

  4. Click Save.

To create a dedicated log file:

The following procedure can be used to create a dedicated Checkmarx logs file named cxsca.log in the folder $NEXUS_HOME/logs/.

Notice

If you would like to change the log location and/or file name, adjust the value in this line of the snippet below (the location of the rotated archives is set separately in fileNamePattern):

<property name="HOME_LOG" value="logs/cxsca.log"/>

  1. Open the logback configuration file in $NEXUS_HOME/etc/logback/.

  2. Append the following snippet to the bottom of the file, inside the configuration section. Note that the <root level="error"> element at the end of the snippet also resets the level of the Nexus root logger to ERROR, which affects Nexus's own logging; if you only want the dedicated Checkmarx file, leave the <root> block out.

    <!-- CX SCA Logging Block Begin -->
    <property name="HOME_LOG" value="logs/cxsca.log"/>
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
        <layout class="ch.qos.logback.classic.PatternLayout">
            <Pattern>
                %d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n
            </Pattern>
        </layout>
    </appender>
    <appender name="FILE-ROLLING" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>${HOME_LOG}</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
            <fileNamePattern>logs/archived/cxsca.%d{yyyy-MM-dd}.%i.log</fileNamePattern>
            <!-- each archived file is at most 10MB -->
            <maxFileSize>10MB</maxFileSize>
            <!-- total size of all archived files; above 20GB the oldest archives are deleted -->
            <totalSizeCap>20GB</totalSizeCap>
            <!-- keep 60 days of archives -->
            <maxHistory>60</maxHistory>
        </rollingPolicy>
        <encoder>
            <pattern>%d %p %c{1.} [%t] %m%n</pattern>
        </encoder>
    </appender>
    <!-- https://logback.qos.ch/manual/appenders.html#AsyncAppender  -->
    <!-- AsyncAppender drops events of level TRACE, DEBUG and INFO once its queue is 80% full -->
    <appender name="ASYNC" class="ch.qos.logback.classic.AsyncAppender">
        <appender-ref ref="FILE-ROLLING" />
        <!-- default is 256 -->
        <queueSize>512</queueSize>
    </appender>
    <logger name="com.checkmarx.sca" level="info" additivity="false">
        <appender-ref ref="ASYNC"/>
        <appender-ref ref="CONSOLE"/>
    </logger>
    <root level="error">
        <appender-ref ref="CONSOLE"/>
    </root>
    <!-- CX SCA Logging Block End -->
    
  3. If you would also like to change the log level, set level="info" on the com.checkmarx.sca logger to the desired level. Options are: INFO (default), OFF, ERROR, WARN, DEBUG or TRACE.