Supported Languages and Package Managers

Performing scans from the CxServer, and based on your environment and language, additional package managers should also be installed.

Installing on CxServer (to be used for Zip-Upload scans, for example) can be done quickly by using Chocolatey Package Manager for windows:

//Installing Chocolatey...
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

//Installing JDK8 and package managers. Choose only the tools relevant to you.
cinst -y jdk8 maven nodejs-lts dotnetcore-sdk nuget.commandline gradle python3 git

If you need to install manually, or having trouble running the utilities, please go to Appendix A below.

Java - Maven

What should be scanned:
- Build configuration file: pom.xml
- Scan must contain at least 1 file with the following extension: .jar / .java / .war / .ear / .car / .class
What should be installed:
- Dependency manager utility: mvn
  - Installation instructions:
    Installing Maven on windows, see https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1035173922
    Installing Maven on other platforms - follow https://maven.apache.org/install.html
  - To test installation run from command line:
    mvn -v

Important issues:
- If multi module project - run "mvn install" with the main pom.xml file before scanning.
- Ignoring "provided" and "test" scoped dependencies in the pom file.
Testing dependency resolution:
Run the following in the project root. You should see a dependency tree. If errors are returned, fix them.
```
mvn dependency:tree
```

Fingerprint detection: *.jar files

Java - Gradle (only supported from v8.9)

What should be scanned:
- build configuration file: build.gradle
- Scan must contain at least 1 file with the following extension: .jar / .java / .war / .ear / .car / .class
What should be installed:
- Dependency manager utility: gradle
- Installation instructions: https://gradle.org/install/
- To test installation run from command line:
```
gradle -v
```
- Android SDK - only for android development. Make sure ANDROID_HOME environment variable is defined for the user context of CxOSA.
  (download from here https://developer.android.com/studio/index.html#downloads the command line tools only)

Testing dependency resolution:Run the following in the project root. You should see a dependency list. If errors are returned, fix them.
```
gradle dependencies
```

Fingerprint detection: *.jar files

.Net / C# - NuGet

What should be scanned:
- Build configuration file: *.csproj / NuGet.config
- Scan must contain at least 1 file with the following extension: .dll / .exe / .nupkg / .cs
What should be installed:
- Dependency manager utility: dotnet
- Installation instructions: download .NET Core SDK from ttps://dotnet.microsoft.com/download
- To test installation run from command line:
```
dotnet –info
```

Important issues: Must configure project for dependency resolution! When scanning with CLI, add the flag -executepackagedependency to the command line Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.

Testing dependency resolution:
Run the following in the project root. You should see a dependency list. If restore operation failed, fix the errors.
```
dotnet restore
```

Fingerprint detection: *.dll files, *.nupkg files

JavaScript - NPM

What should be scanned:
- Build configuration file: package.json
- Scan must contain at least 1 file with the following extension: .js / .ts
What should be installed:
- Dependency manager utility: npm
- Installation instructions: download latest NPM with nodejs from https://www.npmjs.com/get-npm
- To test installation run from command line:
```
npm –v
```

Important issues:Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.

Testing dependency resolution:
Run the following in the project root. Process should complete with no errors, and a node_modules folder should be created.
```
npm install
```

Fingerprint detection: *.js files, *.tar.gz files (npm packages)

Python - pip

What should be scanned:
- Build configuration file: requirements.txt
- Scan must contain at least 1 file with the following extension: .py
What should be installed:
- Dependency manager utility: pip (requires also python)
- Installation instructions: https://www.python.org/downloads/ - make sure to tick "pip" when using windows graphical installer
- To test installation run from command line:
```
pip –V
```
Important issues:Configure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is checked.
The relevant python version should be installed for the project (python2 / python3).
Getting some packages requires other installations. It is highly recommended to test dependency resolution prior to scanning
Testing dependency resolution:
Run the following in the project root. Make sure all packages are installed. On error, fix and install again.
```
pip install -r requirements.txt
```

Scala - SBT

What should be scanned:
- build configuration file: build.sbt
What should be installed:
- Dependency manager utility: SBT (requires also java)
- Install instructions: https://www.scala-sbt.org/release/docs/Setup.html
- To test installation run from command line:
```
sbt
```
Important issuesConfigure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is ticked
o It is highly recommended to test dependency resolution prior to scanning
o First scans duration might be longer than expected
o Zip scan- available from version 8.9 HF 11
o CLI- available from version 2020.1.12
o Bamboo- available from version 2020.1.12
o Other plugins- will be available soon
Testing dependency resolution: o run the following in the project root. Make sure it creates a ivy report file ends with "-compile.xml" inside the target folder (may contain additional inner folders)
```
sbt compile
```

PHP - Composer

What should be scanned:
- build configuration file: composer.json
What should be installed:
- Dependency manager utility: Composer (requires also php)
- Install instructions: https://getcomposer.org/download/
- To test installation run from command line:
```
composer -v
```
Important issuesConfigure project for dependency resolution
When scanning with CLI, add the flag -executepackagedependency to the command line
Before scanning using Zip upload, go to Projects & Scans → Projects → <select your project> → OSA. Make sure "Resolve dependencies..." option is ticked
o It is highly recommended to test dependency resolution prior to scanning
o Zip scan- available from version 8.9 HF 11
o CLI- available from version 2020.1.12
o Bamboo- available from version 2020.1.12
o Other plugins- will be available soon
Testing dependency resolution:
- run the following in the project root. Make sure it creates a ivy report file ends with "composer.lock"
```
composer install
```

Appendix A - Installing package managers on CxServer

Install manually only if unable to use Chocolatey script mentioned above.

To install, select the required package manager, and follow "What should be installed" section.

Validating the server can run the utilities

Cx services may run under different user account than administrator.

Find the user account used by CxService
1. Go to services window (or run "services.msc")
2. Identify the user account used by Cx services. For example, it is "Network Service" in the picture below
Download psexec utility (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). Extract to folder.
Open an administrator CMD and CD to the directory where you extracted the utilities above (run "CD <folder path"), and run the following command:
psexec -i -u "nt authority\network service" cmd.exe
**replace "network service" with the account name gathered in step 1.b
This will pop up a new CMD window under the correct user.
Run test / dependency resolution commands in this window for the language you want to check, as documented above in the "Testing dependency resolution" section
For example: "mvn -v" for maven.
- To test dependency resolution command, run "cd <project folder>" command, to the project folder path, and then run the command. For instance "mvn dependency:tree" for maven.
On permission issues - see below section on giving permissions

Restarting OSA Services

Recommended after any utility installation

Go to services window (or run "services.msc")
Right click CxScansManager and CxJobsManager and choose restart

Giving permissions to package manager utilities

If you are having "access denied" errors when testing package manager utilities, give the file / folder permissions

To give permissions to a fie / folder, right click it → Properties → Security → Edit→ Add → (type NETWORK SERVICE) → OK. Tick "Modify" permissions if needed, and press OK.

** replace NETWORK SERVICE with the target user account discovered in step 1.b

In this section: