CxOSA Frequently Asked Questions

This section of the Checkmarx CxOSA Documentation answers frequently asked questions about CxOSA. Use the search tool to find a specific subject.

What are the CxOSA prerequisites?

For information about the required prerequisites for using CxOSA, refer to Preparing the Environment for CxOSA.

What are the prerequisites for initiating a CxOSA scan in the Web portal and resolving dependencies locally?

  • Ensure you are scanning a supported language and package manager.

  • Check Environment Permissions:

    The user that runs the CxSAST processes must be permitted to run the package manager executable file. To avoid complications, it is recommended to allow all users to execute the package managers. By default, the CxSAST services run as Network Service, which should be allowed to execute the package manager executable.

  • Check Environment Variables:

    To be on the safe side, check the environment variables that are set and add the executable file path to the System Path variable if it is not already there.

    To validate the execution permission, use psexec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).

    Example:

    o Run as the Network Service user: psexec -i -u "nt authority\network service" cmd.exe, then try to run the relevant package manager command as it appears in Supported Languages and Package Managers.

  • Enable Dependency Resolution:

    Under Projects & Scans>Project, select a project, then click the OSA tab. Check the ‘Resolve dependencies by initiating install command for package manager before performing OSA scan’ checkbox for dependency resolution to run via the Web Portal or REST API scan.
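
A read-only pre-check for the permission and System Path items above, as an added example that is not part of the Checkmarx documentation. The executable name mvn.cmd and the set of group SIDs treated as covering Network Service are assumptions; the script reads ACL entries only, so the psexec test remains the definitive check.

```powershell
# Added example, not Checkmarx code. 'mvn.cmd' is an assumed package manager
# executable; pass the one used by the scanned project.
param([string]$Executable = 'mvn.cmd')

# SIDs assumed to be present in the Network Service token: the account itself,
# Everyone, Authenticated Users and BUILTIN\Users.
$sids = 'S-1-5-20', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# Services see the machine-level Path, not the Path of the logged-on user.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$hits = foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
    $candidate = Join-Path ([Environment]::ExpandEnvironmentVariables($dir)) $Executable
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
}

if (-not $hits) {
    Write-Warning "$Executable was not found in any System Path directory."
    return
}

foreach ($file in $hits) {
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $file).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $mine  = $rules | Where-Object { $sids -contains $_.IdentityReference.Value }
    $deny  = $mine | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $execute) }
    $allow = $mine | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $execute) }

    # A matching Deny entry overrides any Allow entry.
    [pscustomobject]@{
        File           = $file
        ExecuteAllowed = [bool]$allow -and -not $deny
        GrantedVia     = ($allow.IdentityReference.Value | Sort-Object -Unique) -join ','
    }
}
```

An empty result with the warning points to the System Path item; a row with ExecuteAllowed set to False points to the permissions item.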

Where can I find information about connection settings?

For more information about connection settings, refer to CxOSA Connection Settings.

Which languages/extensions does CxOSA support?

For information about which languages/extensions CxOSA supports, refer to the CxOSA Release Notes.

How does CxOSA detect open source components?

  • Resolving dependencies from the package manager configuration file (e.g., pom.xml for Java).

  • File fingerprints (name, checksum, etc.).

Where can I find information about vulnerabilities?

Our OSA Cloud Service uses NVD (https://nvd.nist.gov). NVD is an authoritative source that provides information only after checking and verifying vulnerabilities. For additional sources, contact [email protected].

Do I need an additional license to use CxOSA?

You can use the same license as for CxSAST, but with CxOSA enabled. The Checkmarx License Importer (CxLicenseImporter.exe) is used to import the updated license into CxSAST. For more information about the CxOSA license details, refer to 4PCxOSA License Details.

Is there sample source code I can download to scan?

To download sample source code to scan, go to the Quick Start Guide and download a sample project by clicking Clone or Download. Unzip it to the folder where you want to place the code.

I received 0 or very few results. How can I diagnose this?

What are the most common error cases for CxOSA?

| Case | Error Log | UI Message |
|---|---|---|
| No OSA Directory configuration | Open Source Analysis directory isn't configured properly | To configure Open Source Analysis, specify Open Source location in Edit Project |
| Failed to connect OSA Cloud Service Server | Failed to send request to OSA Cloud Service Server | Unable to connect to the OSA Server, please contact your Checkmarx Administrator |
| OSA Cloud Service Server returns error | Error while executing OSA Cloud Service request | Internal OSA error. Please try again later |
| No OSA Files found | No sources for Open source Analysis where found | No files found for Open Source Analysis |
| Failure to access OSA directory | Failed to access to Open Source Analysis directories | Cannot access <path>. Please check Open Source location in Edit Project |

Who do I contact for CxOSA support?

CxOSA support is provided by Checkmarx. For support cases, unless it’s a connectivity issue, we use the same logs as for CxSAST. All log files should be zipped and sent to [email protected].