Skip to main content

Checkmarx SCA Resolver

Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx SCA cloud platform for risk analysis. The Resolver uses command line interface (CLI) commands to configure and scan your Projects.

Note

Checkmarx SCA Resolver enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx SCA cloud platform.

Overview of the Checkmarx SCA Resolver Process Flow

This section gives you a quick overview of how the Checkmarx SCA Resolver works.

Stage 1: Run Resolver On-Prem

Run Checkmarx SCA Resolver on your local computer, specifying the path to the source code folder and your Checkmarx SCA credentials.

Image_736.png

Stage 2: Resolver Collects Data

Checkmarx SCA Resolver collects fingerprints and dependency trees, using pre-installed package managers.

Image_737.png

Stage 3: Resolver Sends Data to the Cloud

Checkmarx SCA Resolver sends the collected data to the Checkmarx SCA Cloud and initiates a scan.

Image_738.png

Stage 4: Checkmarx SCA Returns the Scan Results

The scan results, provided by the Checkmarx SCA Cloud, are displayed in the CLI, in the form of a brief Risk Report Summary. You can also view a detailed Risk Report in the Checkmarx SCA web portal.

Image_739.png

What data is sent to the Checkmarx SCA Cloud?

After the File Analysis and Dependency Resolution are completed on-prem, the output of the analysis, the “evidence files”, are sent to the cloud for the final process of Evidence Analysis.

Notice

In Online mode this occurs immediately, and in Offline mode this occurs when the Upload command is run.

  • The project name

  • List of all file names and relative paths (except the ones that were excluded from the scan)

  • Various checksums of the files (SHA-1, SHA-1 on content without spaces, etc.)

  • Manifest files (except for scans run via Resolver with the --no-upload-manifest flag)

Notice

The complete list of files that are sent to the cloud can be seen in Files Used for Manifest Resolution.

  • Names of dependencies extracted from manifest files

  • Scan errors and warnings such as “Failed resolving dependencies”. Each warning message may contain a file path as an argument.

  • SAST Exploitable Path Query result (for Exploitable Path scans)

Technical Details

SCA Resolver is developed using .NET 6

It is packed as a single executable and does not require the .NET framework to be pre-installed in order to work.