Checkmarx SCA Plugin for Nexus
Overview
The Checkmarx SCA plugin for Nexus Repository Manager runs a Checkmarx SCA scan on each of the artifacts in your repository, and uses the scan results to enrich the attributes shown in the Nexus UI. This integrates scanning of artifacts into your DevOps workflow, providing easy visibility into possible risks that could make your applications vulnerable.
You can set a risk threshold so that artifacts with risks of a specified severity level will automatically be blocked from download.
When you install the plugin, Checkmarx scans all artifacts currently in your repository. In addition, each time that an artifact is downloaded, the plugin runs a Checkmarx SCA scan on that artifact. In order to avoid redundant scanning of the same artifact, a cache mechanism is used to reuse scan results for a fixed period of time (default: 6 hr). You can also create a custom task to run scheduled SCA scans.
Main Features
Free tool, no Checkmarx account required
View risks in artifact properties
Block download of vulnerable artifacts
Block download of artifacts that have licenses that aren't included in your "allowed" list
Requirements
Nexus Pro or Nexus OSS version 3.28.0 and above
Notice
This is a free tool provided by Checkmarx for all Nexus users, and does not require the user to submit credentials for a Checkmarx SCA account.
Supported Package Managers
Nuget
Npm
Maven
Download Links
Download latest version:
https://sca-downloads.s3.amazonaws.com/nexus-plugin/latest/sca-nexus-plugin.zip
sha256 checksum - https://sca-downloads.s3.amazonaws.com/nexus-plugin/latest/sca-nexus-plugin.zip.sha256sum
Download version 1.1.2:
https://sca-downloads.s3.amazonaws.com/nexus-plugin/1.1.2/sca-nexus-plugin.zip
sha256 checksum - https://sca-downloads.s3.amazonaws.com/nexus-plugin/1.1.2/sca-nexus-plugin.zip.sha256sum
Installing and Configuring the Plugin
Download the plugin using one of the above links.
Extract the archive.
The extracted folder contains the file
sca-nexus-plugin.kar.Place the
sca-nexus-plugin.karfile in the$NEXUS_HOME/deploy/folder.Restart the Nexus Repository Manager.
You can verify that the plugin was installed and activated by going to o to Server administration > System > Bundles, and looking for the SCA Nexus Plugin.
Configuring the Plugin - Setting Threshold and License Limitations (Optional)
The plugin comes fully operational and no configuration is required. You can optionally customize the settings according to your needs. Key configuration options are the ability to set a threshold for blocking artifact downloads and setting license limitations for blocking downloads.
Go to Server administration > System > Capabilities and click on Checkmarx SCA Configuration.
Click on the Settings tab.
The Checkmarx settings form opens showing the default configuration.
Under Checkmarx SCA API Url, by default the Base URL of the US environment is shown. You can replace this with the URL for the EU environment (https://eu.api-sca.checkmarx.net) if you prefer.
Under Checkmarx SCA Expiration time, by default the value is set at 21600 seconds. This means that when an artifact is reused within 6 hours, the scan data from the cache is reused instead of triggering a new scan. If you would like to adjust the time span, enter the desired time span (in seconds).
Under Checkmarx SCA Risk Threshold, by default the value is set as None, meaning that SCA risks will not block download of artifacts. You can set a risk threshold so that artifacts with risks of the specified severity level or above will be blocked from download. Options are: None (default), Low, Medium or High.
Notice
You can override the threshold for specific artifacts when needed. See Overriding Thresholds
Under Checkmarx SCA Licenses Allowed, by default the value is empty, meaning that SCA licenses won't cause download of artifacts to be blocked. You can add a comma separated list of allowed licenses. Once this has been set, artifacts that have licenses that aren't on the allowed list will be blocked from download. For example, if you add
MIT,APACHE, then any artifact that has other licenses will be blocked for download.Notice
You can override the license limitation for specific artifacts when needed. See Overriding License Limitations
Checkmarx Artifact Attributes
Once the plugin is enabled and a package has been scanned by Checkmarx SCA, a series of Checkmarx SCA attributes are are shown in the Attributes tab for that artifact.
 |
The following table describes the Checkmarx SCA attributes.
Attribute Name | Description |
|---|---|
CxSCA.TotalRisks | The total number of vulnerabilities. |
CxSCA.RiskLevel | The overall risk level of the package. Possible values are: High, Medium, Low, None |
CxSCA.RiskScore | The overall risk score of the package, from 0 (low) to 10 (high). |
CxSCA.LastScanned | The date and time of the most recent scan was run. |
CxSCA.LowSeverityRisks | The total number of low severity vulnerabilities. |
CxSCA.MediumSeverityRisks | The total number of medium severity vulnerabilities. |
CxSCA.HighSeverityRisks | The total number of high severity vulnerabilities. |
CxSCA.Licenses | The list of licenses associated with this artifact. |
Overriding Thresholds
If you have set a threshold for blocking downloads, you can override this threshold for specific artifacts.
Warning
Once you have overridden the threshold, users will be able to download this artifact despite its containing risks of any severity level.
Notice
Overriding the threshold is done by editing attributes for the relevant packages. This capability is included in Nexus PRO. If you are using Nexus OSS, then you can get this functionality by installing the following open source plugin from GitHub: sahabpardaz/nexus-tag-plugin.
To override the threshold:
Open the attributes for the desired artifact.
Add an attribute
CxSCA.IgnoreRiskThresholdand set the value totrue.
Overriding License Limitations
If you have set a limitation to block download of packages with licenses that aren't included in your "allowed" list, you can override this limitation for specific artifacts.
Notice
Overriding the license limitation is done by editing attributes for the relevant packages. This capability is included in Nexus PRO. If you are using Nexus OSS, then you can get this functionality by installing the following open source plugin from GitHub: sahabpardaz/nexus-tag-plugin.
To override the threshold:
Open the attributes for the desired artifact.
Add an attribute
CxSCA.IgnoreLicensesand set the value totrue.
Creating Nexus Tasks to Schedule Scans
When the plugin is installed, it automatically creates a task to run a one-time scan of all artifacts in your repository. The default behavior is that after the initial scan, each time that an artifact is downloaded, a scan is run on that artifact.
You can create custom tasks to schedule additional SCA scans.
To create a new task:
Go to Server administration > System > Tasks and click on the Create task button.
Click on Checkmarx SCA - Repository Scan.
A form opens for creating a new Checkmarx SCA task.
In the Task name field, enter a Name for the task (e.g., Checkmarx SCA Scan).
You can optionally configure notifications.
Under Checkmarx SCA - Repository Scan, select the repos that you would like to scan.
Under Task frequency, specify the frequency that you would like to run this task.
Notice
You can set the frequency to Manual, in which case scans will only run when you trigger them manually.
Click Create task.
Event Logs
By default the plugin logs are written to the following general system logs files:
Nexus logs -
$NEXUS_DATA/log/Tasks logs -
$NEXUS_DATA/log/tasks/
The logs can be viewed in the Nexus UI by going to Server administration > Support > Logs.
By default the log level is set as INFO. You can change the log level and/or create a dedicated Checkmarx log file for the logs.
To change the log level:
Go to Server administration > Support > Logging and click on the Create Logger button.
In the Logger Name field, enter 'com.checkmarx.sca'.
In the Logger Level field, select from the dropdown list the desired logging level.
Click Save.
To create a dedicated log file:
The following procedure can be used to create a dedicated Checkmarx logs file named cxsca.log in the folder $NEXUS_HOME/logs/.
Notice
If you would like to change the log location and/or name, you can do so by adjusting the values for this line in the snippet below:
property name="HOME_LOG" value="logs/cxsca.log"
Open the
$NEXUS_HOME/etc/logback/file.Append the following snippet to the bottom of the file, inside the configuration section.
<!-- CX SCA Logging Block Begin --> <property name="HOME_LOG" value="logs/cxsca.log"/> <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender"> <layout class="ch.qos.logback.classic.PatternLayout"> <Pattern> %d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n </Pattern> </layout> </appender> <appender name="FILE-ROLLING" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${HOME_LOG}</file> <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> <fileNamePattern>logs/archived/cxsca.%d{yyyy-MM-dd}.%i.log</fileNamePattern> <!-- each archived file, size max 10MB --> <maxFileSize>10MB</maxFileSize> <!-- total size of all archive files, if total size > 20GB, it will delete old archived file --> <totalSizeCap>20GB</totalSizeCap> <!-- 60 days to keep --> <maxHistory>60</maxHistory> </rollingPolicy> <encoder> <pattern>%d %p %c{1.} [%t] %m%n</pattern> </encoder> </appender> <!-- https://logback.qos.ch/manual/appenders.html#AsyncAppender --> <!-- AsyncAppender will drop events of level TRACE, DEBUG and INFO if its queue is 80% full --> <appender name="ASYNC" class="ch.qos.logback.classic.AsyncAppender"> <appender-ref ref="FILE-ROLLING" /> <!-- defaulr 256 --> <queueSize>512</queueSize> </appender> <logger name="com.checkmarx.sca" level="info" additivity="false"> <appender-ref ref="ASYNC"/> <appender-ref ref="CONSOLE"/> </logger> <root level="error"> <appender-ref ref="CONSOLE"/> </root> <!-- CX SCA Logging Block End -->If you would also like to change the log level, set
level=to the desired level. Options are: INFO (default), OFF, ERROR, WARN, DEBUG or TRACE.