Understanding Fusion Insights
An average cloud-native application can have hundreds or even thousands of different components. Any of those can have a number of vulnerabilities that present an expanding attack surface. Instead of merely aggregating scan results, Checkmarx One provides advanced correlation of results from static code scans. This allows development teams to focus on solving the most critical items by prioritizing vulnerabilities according to their real risk and potential.
The Fusion Insights section in application details provides a visual and textual representation of both micro-services and cloud resources together with the relationships between them. The feature currently supports microservices written in the Java or C# programming languages and cloud resources based on Terraform over AWS and CloudFormation frameworks.
The visual representation, referred to as the Topology view (default), shows an intuitive and interactive graph where each node represents a microservice or a consumed cloud resource.
The textual representation, referred to as the Table view, is the inventory of all microservices and cloud resources.
To switch between the views, hover over the View field in Fusion Insights and select the required option.
 |
Prerequisites
Prerequisites for Fusion include the following:
The customer has purchased the license for Checkmarx One Professional Package
One or more projects are associated with an application
Full scan of SAST and/or IaC Security has completed successfully in Checkmarx One.
Supported Languages and Frameworks
In SAST: Java, C#
In IaC Security: Terraform/AWS, CloudFormation
Topology view
The graph in the Topology view shows microservices and cloud resources scanned respectively by SAST and IaC Security and the relationships between them.
The microservices which are based on the projects scanned by SAST are labeled by the JAVA (1) or C# icon. The nodes of cloud resources scanned by IaC Security are labeled with the icon of the cloud resource type, such as S3 bucket. (2).
Connecting lines denote the actions performed on respective entities and the arrows show the action’s direction:
solid line (3) means that the operation on the target entity is Write
dotted line (4) means that the operation on the target entity is Read
Red lines (5) are high-priority connections that pose high contextual risk and potentially present the most critical SAST threats whose remediation must be the first priority. The red shield icon in the middle of a red line displays the number of SAST related vulnerabilities whose combination with the respective cloud resource vulnerability creates a high contextual risk. Clicking on a shield opens the respective vulnerabilities in the SAST Results viewer.
The eye icon above a node (6) labels publicly accessible resources.
For your convenience, there is a legend at the bottom of the screen explaining the meaning of connecting lines and the Public Access icon.
Clicking on a microservice opens a popup with the summary of the associated scan results split by priority.
 |
Clicking on the icon in upper right corner of the popup (highlighted in the screenshot above) opens a side panel with detailed information on the scan results obtained by various scanners and all cloud resource connections. The attributes provided by an IaC Security scan (such as write) are also shown in this panel. In addition, clicking on each Results bar inside the popup (i.e., SAST or SCA) opens the Checkmarx One Results Viewer in a new browser tab.
The timestamp of the latest correlation appears in the upper right corner (9). Correlation is performed automatically upon each scan completion, but you can invoke it manually when necessary by clicking the Correlate icon (10).
Clicking and holding a node allows you to move it across the graph at your convenience without disrupting the connections.
You can zoom in and out of the Fusion Insights graph by doing one of the following:
Use the + and - button to the right of the graph (8)
Use your mouse wheel.
To fit the graph to layout size, click Reset (7).
Table view
The Table view presents the BOM (Bill of Materials) of all microservices and cloud resources in separate tabs. The total number of entities in the grid appears in parentheses next to the Bill of Materials heading. In the screenshots below, the total number is 11 (3 microservices and 8 cloud resources).
Microservices tab
The grid in the Microservices tab shows all microservices grouped by the programming language (Java or C#).
 |
The following information is presented for each microservice:
Microservice Repository - The name of the repository where the microservice resides
Connected Cloud Resource Type - The type of a cloud resource connected to the microservice
Connected Cloud Resource Name - The name of a cloud resource connected to the microservice
Microservice Operation - The action that the microservice performs on the cloud resource: Read or Write
To quickly find a specific microservice, use the Search field.
Notice
The search works only in the currently expanded group.
To filter the grid content by a specific language or cloud resource type, click Add Filter and make the required selection. Multiple filters are also allowed.
To change the number of rows on each page, click on the Rows drop-down list and make the required selection.
Cloud Resources
The grid in the Cloud Resources tab shows all cloud resources grouped by the resource type.
 |
The following information is presented for each microservice:
File - The name of the cloud resource IaC file. To see a full path to a file, hover over its name
Resource Name - The name of the cloud resource.
Category - The cloud resource category, such as Compute, Storage, Queues, etc.
Access - Shows whether the cloud resource is configured as publicly or privately accessible.
Encryption - Shows whether the cloud resource is encrypted or unencrypted.
Shared - Shows whether the cloud resource is used by one (No) or multiple (Yes) microservices.
Consumers - The microservices which consume the cloud resource.
To quickly find a specific cloud resource, use the Search field.
Notice
The search works only in the currently expanded group.
To filter the grid content by resource type, access permission or category click Add Filter and make the required selection. Multiple filters are also allowed.
To change the number of rows on each page, click on the Rows drop-down list and make the required selection.
Exporting a BOM
You can export a BOM to a JSON or CSV file and then manipulate it in an external tool.
To export the currently opened BOM, click the Export icon (highlighted in the screenshot below).
 |
In the popup that appears do the following:
Determine the scope of the exported data by clicking inside the Select Report Sections field and selecting the required option: All Data, Microservices or Cloud Resources. The selected option appears as a tag.
Select the JSON or CSV format.
If one or multiple filters are currently applied, select the Export filtered data option to export only the data shown in the grid. To ignore the filters and export the entire data, deselect Export filtered data.
Click Export.