CxSAST Application Maintenance Guide

Introduction

Checkmarx CxSAST collects sources, logs and sensitive information and stores them in files and in the database. This document describes the backup and recovery, maintenance and cleanup procedures for CxSAST.

CxSAST is comprised of the following main components:

System Manager

- Manages the system services: cleanup, monitoring, etc.

Jobs Manager

- Runs all long management tasks: creates reports, prepares sources, etc.

Scans Manager

- Manages all scans

Engine Server

- Performs the scans

Web Services

- Connects the web clients with the 3rd party systems

Web Portal

- Web interface with CxSAST

Audit

- Client for creating and customizing queries

Database

- Stores scan results and system settings

Backup

CxSAST is composed of files and the database; both should be backed up.

Step 1. Stop the CxServices

  • Stop the CxJobsManager, CxScansManager, CxSystemManager and CxScanEngine services by opening Services, selecting the CxService and clicking <Stop> for each one (this depends on your Checkmarx distributed installation).

Step 2. Stop the Web Server

  • Stop the IIS Web server by opening the IIS Manager, selecting the <server name> and clicking <Stop> in the Actions menu.

Step 3. Back up the Checkmarx Folder

1. Create a new Checkmarx backup folder (recommended to include backup date).

Example: C:\Program Files\Checkmarx -> C:\Program Files\Checkmarx15052016

2. Copy the following items from the Checkmarx folder:

  • Configuration, Executable and Licenses folders and the following configuration files:

  • Checkmarx Audit\CxAudit.exe.config

  • Checkmarx Audit\Config.xml

  • Checkmarx Audit\ExtensionsConfig.xml

  • Checkmarx Audit\Log4Net.config

  • Checkmarx Engine Server\CxEngineAgent.exe.config

  • Checkmarx Engine Server\CxSourceAnalyzerEngine.WinService.exe.config

  • Checkmarx Engine Server\ExtensionsConfig.xml

  • Checkmarx Engine Server\CxEngineLog4Net.config

  • Checkmarx Engine Server\Logs4Net.config

  • Checkmarx Jobs Manager\bin\CxJobsManagerWinService.exe.config

  • Checkmarx Jobs Manager\bin\CxJobsManagerLog4Net.Build.config

  • Checkmarx Jobs Manager\bin\CxJobsManagerLog4Net.config

  • Checkmarx Scans Manager\bin\CxScansManagerWinService.exe.config

  • Checkmarx Scans Manager\bin\CxScansManagerLog4Net.config

  • Checkmarx System Manager\bin\CxSystemManagerService.exe.config

  • Checkmarx System Manager\bin\CxSystemManagerLog4Net.config

  • Checkmarx Web Services\CxWebInterface\Web.config

  • Checkmarx Web Services\CxWebInterface\Log4Net.config

  • Checkmarx WebPortal\Web\Web.config

  • Checkmarx WebPortal\Web\Log4Net.config

  • Configuration\ExtensionsConfig.xml

Step 4. Back up the Database

  • Back up the database using the standard database tools.

Step 5. Back up the Scanned Source Folder

  • Copy the CxSrc folder and rename it as the backup (recommended to include backup date).

    Example: C:\CxSrc -> C:\CxSrc15052016

Step 6. Restart the CxServices

  • Restart the CxJobsManager, CxScansManager, CxSystemManager and CxScanEngine services by opening Services, selecting the CxService and clicking <Restart> for each one (this depends on your Checkmarx distributed installation).

Step 7. Restart the Web Server

  • Restart the IIS Web server by opening the IIS Manager, selecting the <server name> and clicking <Start> in the Actions menu.
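
Backup Steps 1 to 7 above can also be scripted. The following PowerShell is an added example, not a Checkmarx-supplied script. It assumes a single-server installation with the default paths from this guide, an elevated session, the SqlServer PowerShell module, a local default SQL Server instance, and a hypothetical folder D:\CxDbBackup for the database backups and the hash manifest.

```powershell
# Added example: backup Steps 1-7 as one script. Not a Checkmarx-supplied tool.
# Assumptions: single-server install, default paths from this guide, elevated
# session, SqlServer module installed, local default SQL Server instance.
$ErrorActionPreference = 'Stop'
$stamp     = Get-Date -Format 'ddMMyyyy'        # date style used in the guide's examples
$cxRoot    = 'C:\Program Files\Checkmarx'
$cxBackup  = "$cxRoot$stamp"
$srcBackup = "C:\CxSrc$stamp"
$bakDir    = 'D:\CxDbBackup'                    # hypothetical; must exist, writable by SQL Server
$services  = 'CxJobsManager','CxScansManager','CxSystemManager','CxScanEngine'

function Copy-Tree {                            # robocopy wrapper; /SEC copies NTFS ACLs too
    param([string]$From, [string]$To, [string[]]$Files = '*.*')
    robocopy $From $To $Files /E /SEC /R:1 /W:1 /NFL /NDL /NJH /NJS /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE): $From" }
}

# Steps 1-2: stop whichever Cx services exist on this host, then IIS
$present = @(Get-Service -Name $services -ErrorAction SilentlyContinue)
$present | Stop-Service -Force
iisreset /stop | Out-Null
try {
    # Step 3: the three folders, then configuration files by name pattern. The pattern
    # is a superset of the guide's file list (every *.config plus the two XML names).
    foreach ($dir in 'Configuration','Executable','Licenses') {
        Copy-Tree "$cxRoot\$dir" "$cxBackup\$dir"
    }
    Copy-Tree $cxRoot $cxBackup '*.config','Config.xml','ExtensionsConfig.xml'

    # Step 4: both databases named in the Database section of this guide
    foreach ($db in 'CxDB','CxActivity') {
        Backup-SqlDatabase -ServerInstance 'localhost' -Database $db `
            -BackupFile (Join-Path $bakDir "$db-$stamp.bak")
    }

    # Step 5: scanned sources
    Copy-Tree 'C:\CxSrc' $srcBackup

    # Added check (not in the guide): SHA-256 manifest so a restore can be verified
    Get-ChildItem $cxBackup, $srcBackup -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $bakDir "manifest-$stamp.csv") -NoTypeInformation
}
finally {
    # Steps 6-7: bring the services and IIS back even if a copy failed
    $present | Start-Service
    iisreset /start | Out-Null
}
```

On a distributed installation, run it on each server; services that are not installed on that host are skipped.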

Recovery

The recovery steps below assume a new installation of CxSAST on your server, using the same installation path and the same CxSAST version that was installed when the backup was performed.

Step 1. Stop the CxServices

  • Stop the CxJobsManager, CxScansManager, CxSystemManager and CxScanEngine services by opening Services, selecting the CxService and clicking <Stop> for each one (this depends on your Checkmarx distributed installation).

Step 2. Stop the Web Server

  • Stop the IIS Web server by opening the IIS Manager, selecting the <server name> and clicking <Stop> in the Actions menu.

Step 3. Restore Checkmarx's Backed up Folders and Configuration Files

  • Restore the Checkmarx folders and configuration files that were previously backed up by copying the files from the backup folder to your newly created folder overwriting the original files:

    Example: C:\Program Files\Checkmarx15052016 -> C:\Program Files\Checkmarx

Step 4. Restore the Scanned Source Folder

  • Copy the CxSrc folder from the backup overwriting the new empty folder:

    Example: C:\CxSrc15052016 -> C:\CxSrc

Step 5. Restore the Database

  • Restore the database that has been previously backed up by overwriting the databases created by the new installation.

Step 6. Restart the CxServices

  • Restart the CxJobsManager, CxScansManager, CxSystemManager and CxScanEngine services by opening Services, selecting the CxService and clicking <Restart> for each one (this depends on your Checkmarx distributed installation).

Step 7. Restart the Web Server

  • Restart the IIS Web server by opening the IIS Manager, selecting the <server name> and clicking <Start> in the Actions menu.

Step 8. Check the Recovered Version

  • Perform a basic test on the new version to check that everything is up and running:

    • Login

    • View older scan results

    • Run a new small scan

    • View the new scan results

Maintenance and Cleanup

Maintenance and cleanup of Checkmarx CxSAST refers to the following types of data:

Sources

- Source files that are scanned are stored in several locations during the scan

Logs

- Old logs that can simply be deleted, moved or compressed as needed

Reports

- All reports are saved on the disk. If deleted, a new report can be created on request

CxManager

Includes the System Manager, Jobs Manager, Scans Manager and Web Services.

Sources

CxSrc

Default location: C:\CxSrc

This is the main sources location - after the scan is complete CxSAST leaves one copy of the sources to be used by the project viewer and for creating code samples in reports.

The recommended method to clean the CxSrc folder is to use CxSAST’s built-in data retention feature. This allows retention of scanned files in the CxSrc folder (and the DB).

It is also possible to delete old sources from the Checkmarx folder, if required. Deleting the sources will not affect the statistical information saved in the database. Opening the project viewer that does not have sources anymore will only result in an empty code area.

It is also possible to use the Microsoft compressed folder option to save disk space (see Appendix A: Compressing a Folder in Windows). Compressing a folder for a project will save about 90% of the space and only affect performance when accessing the project's viewer.

ExtSrc

Default location: C:\ExtSrc

This is used as a temporary folder to extract the content of Zip files. Any files that remain in this location can be deleted with no implications.

Logs

Default location: C:\Program Files\Checkmarx\Logs

All logs are saved on the disk. Old logs can simply be deleted or compressed as needed.

Reports

Default location: C:\CxReports

All reports are saved on the disk. If deleted, a new report can be created on request.

As all created logs are written to this folder but sent to the requesting client, the reports that are saved in this folder can be deleted with no implications.

CxEngine

Sources

CxSrc

Default location: C:\CxSrc

This folder needs to be cleaned separately from the CxManager only if the CxEngine is installed on a separate server. In that case, any files that remain in this location after scans are completed can be deleted with no implications.

Logs

Default location: C:\Program Files\Checkmarx\Checkmarx Engine Server\Logs

C:\Program Files\Checkmarx\Checkmarx Engine Server\Logs\Trace

All logs are saved on the disk. Old logs can simply be deleted, moved or compressed as needed.

Scans

Default location: C:\Program Files\Checkmarx\Checkmarx Engine Server\Scans

C:\Program Files\Checkmarx\Checkmarx Engine Server\Logs\ScanLogs

All scans are saved on the disk. While the engine is not running, old scans can simply be deleted, moved or compressed as needed.

CxWebPortal

Logs

Default location: C:\Program Files\Checkmarx\Logs\WebClient

C:\Program Files\Checkmarx\Logs\WebClient\Trace

All logs are saved on the disk. Old logs can simply be deleted, moved or compressed as needed.

CxAudit

Sources

CxAuditSrc

Default location:

Cx8.4.2 and below: C:\CxAuditSrc

Cx8.5 and up: %AppData%\..\local\Checkmarx\CxAudit\CxAuditSrc

All sources are saved on the disk. Old sources can simply be deleted, moved or compressed as needed.

Logs

Default location: C:\Program Files\Checkmarx\Checkmarx Audit\Logs

All logs are saved on the disk. Old logs can simply be deleted, moved or compressed as needed.
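
The log cleanup described in the Logs sections above (CxManager, CxEngine, CxWebPortal and CxAudit) can be automated. The following PowerShell is an added example, not a Checkmarx tool. It assumes the default log locations from this guide, a 30-day threshold and a hypothetical archive folder D:\CxLogArchive.

```powershell
# Added example: zip, then delete, old files in the log folders this guide lists.
# Not a Checkmarx tool. Run with -WhatIf first to see what would be touched.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$KeepDays = 30,                        # assumption: retention threshold
    [string]$ArchiveDir = 'D:\CxLogArchive'     # hypothetical archive location
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem
$logDirs = @(
    'C:\Program Files\Checkmarx\Logs',                          # CxManager and WebClient logs
    'C:\Program Files\Checkmarx\Checkmarx Engine Server\Logs',  # engine logs and Trace
    'C:\Program Files\Checkmarx\Checkmarx Audit\Logs'
)
$cutoff = (Get-Date).AddDays(-$KeepDays)

foreach ($dir in $logDirs | Where-Object { Test-Path $_ }) {
    # ScanLogs is skipped: the guide allows cleaning scans only while the engine is stopped
    $old = @(Get-ChildItem $dir -Recurse -File | Where-Object {
        $_.LastWriteTime -lt $cutoff -and $_.FullName -notlike '*\ScanLogs\*' })
    if ($old.Count -eq 0) { continue }
    if (-not $PSCmdlet.ShouldProcess($dir, "archive and delete $($old.Count) files")) { continue }

    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $name = '{0}_{1:yyyyMMdd-HHmmss}.zip' -f (Split-Path (Split-Path $dir -Parent) -Leaf), (Get-Date)
    $zipPath = Join-Path $ArchiveDir $name
    $zip = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
    try {
        foreach ($f in $old) {
            # Entry names keep the path relative to the log folder, so equal file
            # names in different subfolders (for example Trace) do not collide
            $entry = $f.FullName.Substring($dir.Length + 1) -replace '\\', '/'
            [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($zip, $f.FullName, $entry)
        }
    }
    finally { $zip.Dispose() }

    # Delete only after the archive holds one entry per source file
    $check = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
    try { $count = $check.Entries.Count } finally { $check.Dispose() }
    if ($count -ne $old.Count) { throw "Archive incomplete for $dir; nothing deleted" }
    $old | Remove-Item -Force
}
```

Logs can hold the sensitive information mentioned in the Introduction, so the archive folder needs the same access restrictions as the original log folders.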

Database

Checkmarx CxSAST uses two main databases (CxDB and CxActivity). In order to keep the log size small, both databases can be set to Recovery Model = Simple.

Appendix A: Compressing a Folder in Windows

The NTFS file system used by Windows has a built-in compression feature known as NTFS compression. With a few clicks, you can compress files, making them take up less space on your hard drive. Best of all, you can still access the files normally.

Using NTFS compression involves a trade-off between CPU time and disk activity. Compression will work better in certain types of situations and with certain types of files.

Trade-Offs

NTFS compression makes files smaller on your hard drive. You can access these files normally – no need for cumbersome zipping and unzipping. Like with all file compression systems, your computer must use additional CPU time for decompression when it opens the file.

However, this doesn’t necessarily mean it will take any longer to open the file. Modern CPUs are very fast, but disk input/output speeds haven’t improved nearly as much. Consider a 5 MB uncompressed document – when you load it, the computer must transfer 5 MB from the disk to your RAM. If that same file were compressed and took up 4 MB on the disk, the computer would transfer only 4 MB from the disk. The CPU would have to spend some time decompressing the file, but this will happen very quickly – it may even be faster to load the compressed file and decompress it because disk input/output is so slow.

On a computer with a slow hard disk and a fast CPU – such as a laptop with a high-end CPU but a slow, energy efficient physical hard disk, you may see faster file loading times for compressed files.

This is especially true as NTFS compression isn’t very aggressive in its compression. A test by Tom’s Hardware found that it compressed much less than a tool like 7-Zip, which reaches higher compression ratios by using more CPU time.

When to Use and When Not to Use NTFS Compression

NTFS compression is ideal for:

  • Files you rarely access. (If you never access the files, the potential slow-down when accessing them is unnoticeable).

  • Files in uncompressed format. (Office documents, text files, and PDFs may see a significant reduction in file size, while MP3s and videos are already stored in a compressed format and won’t shrink much, if at all).

  • Saving space on small solid state drives. (Warning: Using compression will result in more writes to your solid state drive, potentially decreasing its life span. However, you may gain some more usable space.)

  • Computers with fast CPUs and slow hard disks.

NTFS compression should not be used for:

  • Windows system files and other program files. Using NTFS compression here can reduce your computer’s performance and potentially cause other errors.

  • Servers where the CPU is getting heavy use. On a modern desktop or laptop, the CPU sits in an idle state most of the time, which allows it to decompress the files quickly. If you use NTFS compression on a server with a high CPU load, the server’s CPU load will increase and it will take longer to access files.

  • Files in compressed format. (You won’t see much of an improvement by compressing your music or video collections).

  • Computers with slow CPUs, such as laptops with low-voltage power-saving chips. However, if the laptop has a very slow hard disk, it’s unclear whether compression would help or hurt performance.

How to Use NTFS Compression

Now that you understand which files you should compress, and why you shouldn’t compress your entire hard drive or your Windows system folders, you can start compressing some files. Windows allows you to compress an individual file, a folder, or even an entire drive (although you should not compress your system drive).

1. To get started, right-click the file, folder, or drive you want to compress and select Properties.

2. Under Attributes, click <Advanced>.

3. Check Compress contents to save disk space and click <OK> twice.

4. If you enabled compression for a folder, Windows asks you whether you also want to encrypt subfolders and files.

5. In this example, we saved some space by compressing a folder of text files from 356 KB to 255 KB, about a 40% reduction. Text files are uncompressed, so we saw a big improvement here.

6. Compare the Size on disk field to see how much space you saved.

7. Compressed files and folders are identified by their blue names in Windows Explorer.

8. To extract these files in the future, go back to their advanced attributes and clear Compress.