Forcing Scans for Environmental Changes
Overview
Typically, when a scan is triggered in a schedule or from an API call, the source code files are compared to the previous scan. If no code changes are detected the scan is skipped, and all results are copied from the previous scan.
However, even if there are no changes to the code, there might be changes to the environment or configuration that could affect the scan results.
For example, customers frequently make environmental changes because of version upgrades and new security policies. Because there are no code changes, the results of those environmental changes are not reflected in scans submitted afterward. This creates confusion and in some cases violates the security policies.
The new feature allows scans to be triggered even when the changes do not directly affect the code.
Projects are scanned after the following environmental changes (which could impact the results even without any code changes):
Queries added or removed from a preset that is associated with a project
Queries modified in a preset that is associated with a project
Exclusion setting changes for a project
Engine configuration setting changes for a project
Upgraded Checkmarx SAST Engine Pack version
For the above changes, a full scan is triggered in the following situations:
Scheduled scan
Invoked from API
Any other situation where a scan can be triggered
As a result, post-scan actions are always run even when there are non-code changes.
Note: Incremental scans continue to check for no code change scenarios.
Details
Every time a configuration changes, the date of that action is stored in a database. Once all the following criteria are met, an engine scan will be forced:
A scan is triggered (via schedule, an API call, or any other method)
The date of the last scan ("LastScanDate" in dbo.Projects) is earlier than at least one of the configuration change dates, or earlier than the last forced-scan request date (invoked from the API).
Change type | Triggered by | Affected column | Feature flag
---|---|---|---
EnginePack upgrade | dbo.EnginePacks → UpdatedTime changed | dbo.EnginePacks → UpdatedTime | ForceScanWhenNoCodeChanges_EnginePackUpgrade
Query is modified | dbo.QueryVersion → a query associated with the preset is updated in Audit | dbo.Presets → QueriesUpdatedTime | ForceScanWhenNoCodeChanges_QueriesChanged
Preset's query association has changed | dbo.Preset_Details → a query was added to or removed from the preset | dbo.Presets → QueriesUpdatedTime | ForceScanWhenNoCodeChanges_QueriesChanged
Project settings change | dbo.Projects → ConfigurationId changed | dbo.Projects → ConfigurationIdUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged
Project settings change | dbo.Projects → PresetId changed | dbo.Projects → PresetIdUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged
Project settings change | dbo.Projects → ExcludeFilesPatterns changed | dbo.Projects → ExcludeFilesPatternsUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged
Project settings change | dbo.Projects → ExcludeFoldersPatterns changed | dbo.Projects → ExcludeFoldersPatternsUpdatedTime | ForceScanWhenNoCodeChanges_ProjectSettingsChanged
Bypass of the "no code changes" scenario has been requested for a project | Invoked from API | dbo.Projects → ForceScanOnNoCodeChangesRequestedTime | (none)
New APIs
Version: 4.0
Request: [POST] /projects/{id}/forceScanOnNoCodeChanges
{id}: Id of the project
(no parameters and no content)
Description
Set specific project’s next scheduled scan to bypass “no code changes” scenario
The API will update the database field ForceScanOnNoCodeChangesRequestedTime in the table "projects" with the current timestamp.
Return values
200 OK
404 Not Found
Error message: Resource not found
Reasons
Project not found
403 Forbidden
Error message: Access Denied/Forbidden
Reasons
User does not have the relevant role enabled
User does not have permission to modify the project
Permissions
At least one of the roles below is required:
save-project
update-project
save-sast-scan
Additionally, the user initiating the API request must have permission to edit the relevant project (the project must be visible to them in the SAST Web Portal).
New feature flags
New feature flags were added to the CxComponentConfiguration table, by default in “Enabled” state ('true').
Engine scan will be forced for each of the following scenarios:
ForceScanWhenNoCodeChanges_EnginePackUpgrade = true, and the engine pack version was upgraded after the last scan date of the project.
ForceScanWhenNoCodeChanges_ProjectSettingsChanged = true, and one of the relevant project settings changed after the last scan date of the project.
ForceScanWhenNoCodeChanges_QueriesChanged = true, and one of the relevant project's queries changed after the last scan date of the project.
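The decision described under Details and the feature-flag conditions above, carried through as an added example (this is illustration code, not Checkmarx's own implementation): each change timestamp is compared against the project's LastScanDate, the three flags gate their respective scenarios, and the API bypass request is not flag-gated. The dbo.Projects column names are the ones on this page; the ProjectRow class, the forced_scan_reasons function and the sample timestamps in demo() are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Feature flags from CxComponentConfiguration; all three default to true per the page.
DEFAULT_FLAGS = {
    "ForceScanWhenNoCodeChanges_EnginePackUpgrade": True,
    "ForceScanWhenNoCodeChanges_ProjectSettingsChanged": True,
    "ForceScanWhenNoCodeChanges_QueriesChanged": True,
}
SETTINGS_COLUMNS = ("ConfigurationIdUpdatedTime", "PresetIdUpdatedTime",
                    "ExcludeFilesPatternsUpdatedTime", "ExcludeFoldersPatternsUpdatedTime")

@dataclass
class ProjectRow:
    """Subset of dbo.Projects columns named on the page (constructed sample row)."""
    LastScanDate: datetime
    ConfigurationIdUpdatedTime: Optional[datetime] = None
    PresetIdUpdatedTime: Optional[datetime] = None
    ExcludeFilesPatternsUpdatedTime: Optional[datetime] = None
    ExcludeFoldersPatternsUpdatedTime: Optional[datetime] = None
    ForceScanOnNoCodeChangesRequestedTime: Optional[datetime] = None

def _changed_after_scan(stamp: Optional[datetime], last_scan: datetime) -> bool:
    # A NULL timestamp means that change never happened for this project.
    return stamp is not None and last_scan < stamp

def forced_scan_reasons(project: ProjectRow, preset_queries_updated: Optional[datetime],
                        engine_pack_updated: Optional[datetime], flags=DEFAULT_FLAGS) -> list:
    """Reasons an engine scan is forced despite no code changes; [] means results are copied."""
    last, reasons = project.LastScanDate, []
    if flags["ForceScanWhenNoCodeChanges_EnginePackUpgrade"] and _changed_after_scan(engine_pack_updated, last):
        reasons.append("EnginePackUpgrade")                       # dbo.EnginePacks.UpdatedTime
    if flags["ForceScanWhenNoCodeChanges_QueriesChanged"] and _changed_after_scan(preset_queries_updated, last):
        reasons.append("QueriesChanged")                          # dbo.Presets.QueriesUpdatedTime
    if flags["ForceScanWhenNoCodeChanges_ProjectSettingsChanged"]:
        reasons += ["ProjectSettingsChanged:" + c for c in SETTINGS_COLUMNS
                    if _changed_after_scan(getattr(project, c), last)]
    if _changed_after_scan(project.ForceScanOnNoCodeChangesRequestedTime, last):
        reasons.append("ForceScanOnNoCodeChangesRequested")       # API bypass, no flag gates it
    return reasons

def demo() -> dict:
    """Constructed scenarios: last scan on 2024-03-01, various changes before/after it."""
    last = datetime(2024, 3, 1, 9, 0)
    older, newer = datetime(2024, 2, 20), datetime(2024, 3, 5)
    flags_no_pack = dict(DEFAULT_FLAGS, ForceScanWhenNoCodeChanges_EnginePackUpgrade=False)
    return {
        "nothing_new": forced_scan_reasons(ProjectRow(last), older, older),
        "preset_changed": forced_scan_reasons(ProjectRow(last, PresetIdUpdatedTime=newer), None, None),
        "pack_upgrade_flag_off": forced_scan_reasons(ProjectRow(last), None, newer, flags_no_pack),
        "api_bypass": forced_scan_reasons(ProjectRow(last, ForceScanOnNoCodeChangesRequestedTime=newer), None, None),
    }
```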
Logging
A line is printed to the JobsManager log file whenever a scan is forced because of a configuration change.
The API method prints a log entry for both the failure and the success scenario.
The API method prints audit trail logs for each POST request.