
utils

The utils command groups the Checkmarx One CLI utility functions.

Usage

./cx utils [command] 

Flags

Name          Default   Description
--help, -h              help for the utils command

completion

The completion command generates shell auto-completion scripts for the CLI.

Auto completion is supported for four shells: bash, zsh, fish, and powershell.

Notice

Enabling auto completion this way is valid only for the current session.

If the session is closed, you need to configure it again.

Usage

./cx utils completion --shell [bash|zsh|fish|powershell]

Flags

Name          Default   Description
--shell, -s             The type of shell [bash/zsh/fish/powershell]
--help, -h              help for the completion command

Examples

Bash Auto Completion

Linux

To configure auto completions for each session, execute the following:

# Load bash completion for cx into the current shell session only:
$ source <(./cx utils completion -s bash)
# Install the completion script so it is loaded in every new Linux session
# (writing to /etc/bash_completion.d normally requires root):
$ ./cx utils completion -s bash > /etc/bash_completion.d/cx

macOS

To configure auto completions for each session, execute the following:

# Load bash completion for cx into the current shell session only:
$ source <(./cx utils completion -s bash)
# Install the completion script so it is loaded in every new macOS session:
$ ./cx utils completion -s bash > /usr/local/etc/bash_completion.d/cx

zsh Auto Completion

To configure auto completions for each session, execute the following:

# Enable auto completion for the environment:
$ echo "autoload -U compinit; compinit" >> ~/.zshrc
# To load auto completion for each session, execute once:
$ ./cx utils completion -s zsh > "${fpath[1]}/_cx"
# start a new shell for this setup to take effect

fish Auto Completion

To configure auto completions for each session, execute the following:

# Configure auto completion:
$ ./cx utils completion -s fish | source
# To load auto completion for each session, execute once:
$ ./cx utils completion -s fish > ~/.config/fish/completions/cx.fish

PowerShell Auto Completion

# Load completion for cx into the current PowerShell session only:
PS> .\cx.exe utils completion -s powershell | Out-String | Invoke-Expression
# To load auto completion for each session, write the script to a file once:
PS> .\cx.exe utils completion -s powershell > cx.ps1
# and dot-source cx.ps1 from your PowerShell profile ($PROFILE)

env

The env command presents the configured environment variables.

Usage

./cx utils env [flags] 

Flags

Name          Default   Description
--help, -h              help for the env command

Examples

Using the env command

user@host:~/ast-cli$ ./cx utils env

Detected Environment Variables:

            cx_proxy_auth_type:
                  cx_client_id:
              cx_client_secret:
                     cx_apikey:
                     cx_branch:
                    cx_timeout:
                   cx_base_uri:
                     cx_tenant:
                    http_proxy:
                  sca_resolver:
              cx_base_auth_uri:

contributor-count

The contributor-count command counts the unique contributors of repositories hosted on different SCM platforms over the past 90 days.

Usage

./cx utils contributor-count [command] 

Flags

Name          Default   Description
--help, -h              help for the contributor-count command

Global Flags

The contributor-count family of commands does not support all global flags. The following flags are supported.

Flag                          Default     Description
--proxy <string>                          Proxy server to send communication through
--proxy-auth-type <string>                Proxy authentication type (basic or ntlm)
--proxy-ntlm-domain <string>              Windows domain when using NTLM proxy
--timeout <string>            5 Seconds   Timeout for network activity
--debug                                   Debug mode with detailed logs

github

The github command presents the unique contributors for the provided GitHub repositories or organizations. Contributors are found by visiting every repository and comparing the author property of each commit. Bots are counted as contributors unless their commits carry “type” “Bot” (dependabot is correctly excluded). Contributors who commit under different names in their git configuration are counted as different contributors.

Usage

./cx utils contributor-count github [flags] 

Flags

Name                Default                   Description
--format <string>   table                     Selects the output format: json, list, table
--help, -h                                    Help for the github command
--orgs <strings>                              Comma separated list of organizations to scan for contributors
--repos <strings>                             Comma separated list of repositories to scan for contributors
--token <string>                              GitHub OAuth token. Requires the “Repo” scope and organization SSO authorization, if enforced by the organization.
--url <string>      https://api.github.com/   API base URL

Examples

Using the github Command to Count an Organization
PS C:\Users\ast-cli> cx utils contributor-count github --orgs checkmarx --token <token>

Name                               UniqueContributors 
----                               ------------------ 
...
Checkmarx/ast-cli                  1                  
Checkmarx/kics                     2   
...      
Total unique contributors          N

Using the github Command to Count Specific Repositories
PS C:\Users\ast-cli> cx utils contributor-count github --repos ast-cli,kics --orgs checkmarx --token <token>

Name                               UniqueContributors 
----                               ------------------ 
Checkmarx/ast-cli                  1                  
Checkmarx/kics                     2         
Total unique contributors          3
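The counting rules described at the top of the github section (90-day window, bots excluded by account type, contributors keyed by the git author name so different names count separately) are easy to get subtly wrong. The following Go program is an added example, not code from ast-cli: it applies those rules to a constructed slice of commit records whose field names mirror a GitHub commit-list item, with a hypothetical repo field added so one slice can span several repositories, and a fixed reference date so the window is deterministic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Commit holds the subset of a GitHub commit-list item that the counting
// rules need: the git author name and date, and the linked account's type
// (nil when GitHub could not map the commit e-mail to an account).
// The "repo" field is a constructed addition for this example.
type Commit struct {
	Repo   string `json:"repo"`
	Commit struct {
		Author struct {
			Name string    `json:"name"`
			Date time.Time `json:"date"`
		} `json:"author"`
	} `json:"commit"`
	Author *struct {
		Login string `json:"login"`
		Type  string `json:"type"`
	} `json:"author"`
}

// SampleCommits is constructed input, not real API output.
const SampleCommits = `[
 {"repo":"checkmarx/ast-cli","commit":{"author":{"name":"Alice","date":"2022-03-10T10:00:00Z"}},"author":{"login":"alice","type":"User"}},
 {"repo":"checkmarx/ast-cli","commit":{"author":{"name":"Alice","date":"2022-03-12T10:00:00Z"}},"author":{"login":"alice","type":"User"}},
 {"repo":"checkmarx/ast-cli","commit":{"author":{"name":"dependabot[bot]","date":"2022-03-14T10:00:00Z"}},"author":{"login":"dependabot[bot]","type":"Bot"}},
 {"repo":"checkmarx/ast-cli","commit":{"author":{"name":"Bob","date":"2021-09-01T10:00:00Z"}},"author":{"login":"bob","type":"User"}},
 {"repo":"checkmarx/kics","commit":{"author":{"name":"Alice","date":"2022-03-01T10:00:00Z"}},"author":{"login":"alice","type":"User"}},
 {"repo":"checkmarx/kics","commit":{"author":{"name":"alice","date":"2022-03-02T10:00:00Z"}},"author":null},
 {"repo":"checkmarx/kics","commit":{"author":{"name":"Carol","date":"2022-03-05T10:00:00Z"}},"author":{"login":"carol","type":"User"}}
]`

// Now is a fixed reference date (constructed) so the 90-day window is stable.
var Now = time.Date(2022, 3, 18, 10, 30, 46, 0, time.UTC)

// CountContributors returns the number of distinct contributors per repository
// and across all repositories. Commits older than the window are ignored,
// commits whose linked account type is "Bot" are ignored, and the key is the
// git author name, so "Alice" and "alice" are two different contributors.
func CountContributors(raw string, now time.Time, window time.Duration) (map[string]int, int, error) {
	var commits []Commit
	if err := json.Unmarshal([]byte(raw), &commits); err != nil {
		return nil, 0, err
	}
	cutoff := now.Add(-window)
	perRepo := map[string]map[string]bool{}
	all := map[string]bool{}
	for _, c := range commits {
		if c.Commit.Author.Date.Before(cutoff) {
			continue // outside the 90-day window
		}
		if c.Author != nil && c.Author.Type == "Bot" {
			continue // bot account, e.g. dependabot
		}
		name := c.Commit.Author.Name
		if perRepo[c.Repo] == nil {
			perRepo[c.Repo] = map[string]bool{}
		}
		perRepo[c.Repo][name] = true
		all[name] = true
	}
	counts := make(map[string]int, len(perRepo))
	for repo, names := range perRepo {
		counts[repo] = len(names)
	}
	return counts, len(all), nil
}

func main() {
	counts, total, err := CountContributors(SampleCommits, Now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	repos := make([]string, 0, len(counts))
	for repo := range counts {
		repos = append(repos, repo)
	}
	sort.Strings(repos)
	for _, repo := range repos {
		fmt.Printf("%-30s %d\n", repo, counts[repo])
	}
	fmt.Printf("%-30s %d\n", "Total unique contributors", total)
}
```

With the constructed input, Bob falls outside the window and dependabot is dropped by its account type, while "Alice" and "alice" in kics are counted as two people, which is exactly the name-based behaviour the section warns about.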

azure

The azure command presents the unique contributors for the provided Azure DevOps repositories, projects, and organizations.

Usage

./cx utils contributor-count azure [flags]

Flags

Name                    Default                  Description
--help, -h                                       help for the azure command
--orgs <strings>                                 Comma separated list of organizations to scan for contributors
--projects <strings>                             Comma separated list of projects to scan for contributors
--repos <strings>                                Comma separated list of repositories to scan for contributors
--token <string>                                 Azure DevOps personal access token. Requires the “Connected server” and “Code” scopes
--url-azure <string>    https://dev.azure.com/   API base URL
--format <string>       table                    Selects the output format: json, list, table

Examples

Using the azure Command to Count an Organization contributors
./cx utils contributor-count azure --orgs <orgs> --token <token>
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2
Checkmarx/private/ast-java-wrapper        1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --token <token> --debug
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2
Checkmarx/private/ast-java-wrapper        1                    
...                                       ...
Total unique contributors                 7     

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx
Checkmarx/private/ast-java-wrapper        UserCheckmarx                
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the azure Command to Count Projects contributors
./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token>
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
...                                       ...
Total unique contributors                 5     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --token <token> --debug
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
...                                       ...
Total unique contributors                 5     


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx          
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the azure Command to Count Repositories contributors
./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token>
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                  
Total unique contributors                 2     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count azure --orgs <orgs> --projects <projects> --repos <repos> --token <token> --debug
user@host:~/ast-cli$ ./cx utils contributor-count azure --orgs Checkmarx --projects public --repos ast-cli --token 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/public/ast-cli                  2                                                    
Total unique contributors                 2     


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/public/ast-cli                  User Checkmarx          


2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

gitlab

The gitlab command presents the unique contributors for the provided GitLab groups or projects.

Usage

.\cx.exe utils contributor-count gitlab [flags]

Flags

Name                    Default              Description
--format <string>       table                Selects the output format: json, list, table
--help, -h                                   help for the gitlab command
--token <string>                             GitLab OAuth token with at least the ‘read_api’ and ‘read_repository’ permissions.
--groups <strings>                           Comma separated list of group names to scan for contributors. For a subgroup, the full path of the subgroup is required; the full path includes the names of the parent groups and can be copied from the GitLab URL when the group is open in the browser.
--projects <strings>                         Comma separated list of project names to scan for contributors. Project names must be the full path/namespace.
--url-gitlab <string>   https://gitlab.com   API base URL

Examples

Using the gitlab Command to Count a Group
C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --groups Checkmarx-ts/cxlite

Name                               UniqueContributors 
----                               ------------------ 
...
Checkmarx/CxLite/CxDemo            1                  
...      
Total unique contributors          1

Using the gitlab Command to Count Specific Projects
C:\Users\ast-cli> .\cx.exe utils contributor-count gitlab --token <token> --projects Checkmarx/CxLite/CxDemo

Name                               UniqueContributors 
----                               ------------------ 
Checkmarx/CxLite/CxDemo            1                           
Total unique contributors          1

bitbucket

The bitbucket command presents the unique contributors for the provided Bitbucket repositories, projects and organizations.

Usage

./cx utils contributor-count bitbucket [flags]

Flags

Name                        Default                          Description
--help, -h                                                   help for the bitbucket command
--workspaces <strings>                                       Comma separated list of workspaces to scan for contributors
--repos <strings>                                            Comma separated list of repositories to scan for contributors
--username <string>                                          Username for Bitbucket authentication
--password <string>                                          App password for Bitbucket authentication. Requires read permission on “Workspace membership” and “Repositories”
--url-bitbucket <string>    https://api.bitbucket.org/2.0/   API base URL
--format <string>           table                            Selects the output format: json, list, table

Examples

Using the bitbucket Command to Count Workspace Contributors
./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password>
user@host:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2
Checkmarx/ast-java-wrapper                1                    
...                                       ...
Total unique contributors                 7     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket --workspaces <workspaces> --username <username> --password <password> --debug
user@host:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2
Checkmarx/ast-java-wrapper                1                    
...                                       ...
Total unique contributors                 7       

Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/ast-cli                         User Checkmarx
Checkmarx/ast-java-wrapper                UserCheckmarx                
...

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

Using the bitbucket Command to Count Repositories Contributors
./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password>
user@host:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2                  
Total unique contributors                 2     

2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

./cx utils contributor-count bitbucket --workspaces <workspaces> --repos <repos> --username <username> --password <password> --debug
user@host:~/ast-cli$ ./cx utils contributor-count bitbucket --workspaces Checkmarx --repos ast-cli --username cx --password 12345678910

Name                                      UniqueContributors 
----                                      ------------------ 
Checkmarx/ast-cli                         2                  
Total unique contributors                 2        


Name                                      UniqueContributorsUsername 
----                                      -------------------------- 
Checkmarx/ast-cli                         User Checkmarx          


2022/03/18 10:30:46 Note: dependabot is not counted but other bots might be considered users.

learn-more

The learn-more command retrieves additional descriptions of SAST vulnerabilities from the CLI.

The command must be run with the query-id flag; the query id can be taken from a scan’s results and passed to this command.

Usage

./cx utils learn-more --query-id <query-id> --format [json|table|list]

Flags

Name                    Default   Description
--query-id (required)             The SAST query-id for a vulnerability
--format                list      Output format for the descriptions. Accepted values are json, list and table. If the flag is not provided, the output is generated in list format.
--help, -h                        Help for the learn-more command

Examples

learn-more command

Default (without format flag)
./cx utils learn-more --query-id 5854466950125120303
QueryID                : 5854466950125120303
QueryName              : Open_Redirect
QueryDescriptionID     : Stored_Open_Redirect
ResultDescription      : The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.


Risk                   : An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.


Cause                  : The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.


GeneralRecommendations :
1.  Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.
2.  If it is necessary to allow arbitrary URLs:
    *   For URLs inside the application site, first filter and encode the user-provided parameter, and then either:
        *   Create a white-list of allowed URLs inside the application
        *   Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain
    *   For URLs outside the application (if necessary), either:
        *   White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash \[/\] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash \[/\] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.
        *   For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.



Samples                : [{Java protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null) {
        response.sendRedirect(redirectUrl);
    } else {
          response.sendRedirect("/");
    }
} Java Servlet Vulnerable to Open Redirection} {Java protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getParameter("redirectUrl");
    if (redirectUrl != null && redirectUrl.startsWith("https://www.trusteddomain.com/")) {
        response.sendRedirect(redirectUrl);
    } else {
          response.sendRedirect("/");
    }
} Whitelisting an Allowed External Domain, Preventing Open Redirection}]
Json format
./cx utils learn-more --query-id 5854466950125120303 --format json
[
  {
    "queryId": "5854466950125120303",
    "queryName": "Open_Redirect",
    "queryDescriptionId": "Stored_Open_Redirect",
    "resultDescription": "The potentially tainted value provided by @SourceElement in @SourceFile at line @SourceLine is used as a destination URL by @DestinationElement in @DestinationFile at line @DestinationLine, potentially allowing attackers to perform an open redirection.\n\n",
    "risk": "An attacker could use social engineering to get a victim to click a link to the application, so that the user will be immediately redirected to another site of the attacker's choice. An attacker can then craft a destination website to fool the victim; for example - they may craft a phishing website with an identical looking UI as the previous website's login page, and with a similar looking URL, convincing the user to submit their access credentials in the attacker's website. Another example would be a phishing website with an identical UI as that of a popular payment service, convincing the user to submit their payment information.\n\n",
    "cause": "The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring that URL leads to a trusted destination, and without warning users that they are being redirected outside of the current site. An attacker could use social engineering to get a victim to click a link to the application with a parameter defining another site to which the application will redirect the user’s browser. Since the user may not be aware of the redirection, they may be under the misconception that the website they are currently browsing can be trusted.\n\n",
    "generalRecommendations": "\r\n1.  Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.\r\n2.  If it is necessary to allow arbitrary URLs:\r\n    *   For URLs inside the application site, first filter and encode the user-provided parameter, and then either:\r\n        *   Create a white-list of allowed URLs inside the application\r\n        *   Use variables as a relative URL as an absolute one, by prefixing it with the application site domain - this will ensure all redirection will occur inside the domain\r\n    *   For URLs outside the application (if necessary), either:\r\n        *   White-list redirection to allowed external domains by first filtering URLs with trusted prefixes. Prefixes must be tested up to the third slash \\[/\\] - `scheme://my.trusted.domain.com/,` to prevent evasion. For example, if the third slash \\[/\\] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would be valid under this filter, but the domain actually being browsed is evildomain.com, not domain.com.\r\n        *   For fully dynamic open redirection, use an intermediate disclaimer page to provide users with a clear warning that they are leaving the site.\r\n\n\n",
    "samples": [
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    String redirectUrl = request.getParameter(\"redirectUrl\");\n    if (redirectUrl != null) {\n        response.sendRedirect(redirectUrl);\n    } else {\n          response.sendRedirect(\"/\");\n    }\n}",
        "title": "Java Servlet Vulnerable to Open Redirection"
      },
      {
        "progLanguage": "Java",
        "code": "protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    String redirectUrl = request.getParameter(\"redirectUrl\");\n    if (redirectUrl != null \u0026\u0026 redirectUrl.startsWith(\"https://www.trusteddomain.com/\")) {\n        response.sendRedirect(redirectUrl);\n    } else {\n          response.sendRedirect(\"/\");\n    }\n}",
        "title": "Whitelisting an Allowed External Domain, Preventing Open Redirection"
      }
    ]
  }
]
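The GeneralRecommendations returned above describe three defences (a key-to-URL mapping, forcing the value onto the site's own origin, and an external allow-list checked up to the third slash) and the evasion that the third-slash rule prevents. The Go program below is an added example written for this page; it is not Checkmarx code and not the Java samples translated. It implements each recommendation as a small function, validates the allow-list at configuration time so a prefix without the third slash is rejected before it can be bypassed, and uses constructed site names and redirect keys.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Recommendation 1: the request parameter selects a key, never a URL.
// Keys and targets are constructed for this example.
var redirectTargets = map[string]string{
	"home":    "/",
	"account": "/account/settings",
	"docs":    "https://docs.example.com/",
}

// MapRedirect returns the target for a known key and the site root otherwise.
func MapRedirect(key string) string {
	if target, ok := redirectTargets[key]; ok {
		return target
	}
	return "/"
}

// LocalRedirect implements "use the variable as a relative URL, prefixed with
// the application site domain". The input must be an absolute path on this
// site; a value carrying a scheme, an authority ("//other.example/") or a
// backslash variant is refused rather than silently rewritten.
func LocalRedirect(siteOrigin, path string) (string, bool) {
	if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") || strings.HasPrefix(path, "/\\") {
		return "", false
	}
	u, err := url.Parse(path)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	return strings.TrimSuffix(siteOrigin, "/") + u.String(), true
}

// ValidateTrustedPrefixes enforces the third-slash rule at configuration time:
// every allow-listed prefix must be scheme://host/ including the slash that
// terminates the host. Without it, "scheme://my.trusted.domain.com" would also
// match "scheme://my.trusted.domain.com.evildomain.com".
func ValidateTrustedPrefixes(prefixes []string) error {
	for _, p := range prefixes {
		u, err := url.Parse(p)
		if err != nil || u.Scheme == "" || u.Host == "" || !strings.HasSuffix(p, "/") {
			return errors.New("trusted prefix must be of the form scheme://host/ (third slash included): " + p)
		}
	}
	return nil
}

// AllowedExternal reports whether raw may be used as an external redirect
// target: the allow-list must be well formed, and raw must start with one of
// its prefixes, compared up to and including the third slash.
func AllowedExternal(raw string, prefixes []string) bool {
	if ValidateTrustedPrefixes(prefixes) != nil {
		return false // fail closed on a misconfigured allow-list
	}
	for _, p := range prefixes {
		if strings.HasPrefix(raw, p) {
			return true
		}
	}
	return false
}

func main() {
	trusted := []string{"https://my.trusted.domain.com/"}
	for _, candidate := range []string{
		"https://my.trusted.domain.com/login",
		"https://my.trusted.domain.com.evildomain.com/",
	} {
		fmt.Printf("%-50s allowed=%v\n", candidate, AllowedExternal(candidate, trusted))
	}
	fmt.Println(ValidateTrustedPrefixes([]string{"https://my.trusted.domain.com"}))
	if target, ok := LocalRedirect("https://app.example.com", "/account"); ok {
		fmt.Println("local redirect:", target)
	}
	fmt.Println("mapped redirect:", MapRedirect("docs"))
}
```

The check is a plain string prefix, as the recommendation says; a URL that differs only in case fails the check and is refused, which is the safe direction for an allow-list.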

remediation

The remediation command enables you to automatically remediate vulnerabilities for results that came from a specific Checkmarx scanner.

Usage

./cx utils remediation [command]

Flags

Name      Default   Description
--help    N/A       help for the remediation command

Commands

Name   Description
kics   used to remediate kics results
sca    used to remediate sca results

kics

The kics command enables you to automatically remediate kics vulnerabilities.

Caution

This feature is currently supported only for Terraform projects.

Usage

./cx utils remediation kics [flags]

Flags

Name                                 Mandatory   Default                          Description
--engine <string>                    no          docker                           Name in the $PATH of the container engine used to run kics, for example: podman
--kics-files <string>                yes         N/A                              Absolute path to the folder that contains the file(s) to be remediated.
--results-file <string>              yes         N/A                              Path to the kics scan results file. This is used to identify and remediate the kics vulnerabilities.
--similarity-ids <string>,<string>   no          Remediates all vulnerabilities   Comma separated list of the similarity ids that should be remediated, for example: --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047,9574288c118e8c87eea31b6f0b011295a39ec5e70d83fb70e839b8db4a99eba8

Examples

Remediating all vulnerabilities
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES>
user@host:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/"
{"available_remediation_count":3,"applied_remediation_count":3}

Remediating a specific vulnerability
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --similarity-ids <SIMILARITY-ID-LIST>
user@host:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --similarity-ids b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047
{"available_remediation_count":3,"applied_remediation_count":1}

Remediating using a specific engine
./cx utils remediation kics --results-file <PATH-TO-RESULTS> --kics-files <ABSOLUTE-PATH-TO-FILES> --engine <ENGINE-NAME>
user@host:/AST$ ./cx utils remediation kics --results-file "./results.json" --kics-files "/home/terraform_examples/" --engine podman
{"available_remediation_count":3,"applied_remediation_count":3}

sca

The sca command enables you to automatically remediate sca vulnerabilities.

Usage

./cx utils remediation sca [flags]

Warning

Currently only npm dependency files (package.json) are supported for this functionality.

Flags

Name                         Default   Description
--package-files <string>     N/A       Path to the input package files in which the package version is remediated
--package <string>           N/A       Name of the package to be replaced
--package-version <string>   N/A       Version of the package to be replaced

Examples

Remediating a specific package successfully
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
user@host:/AST$ ./cx utils remediation sca --package-files /home/package.json,/home/src/package.json --package copyfiles --package-version 1.2.1

Remediating a nonexistent package
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
user@host:/AST$ ./cx utils remediation sca --package-files /home/package.json --package copyfile --package-version 1.2.1
Package copyfile not found
Remediating using an unsupported file
./cx utils remediation sca --package-files <PACKAGE-FILE-PATHS> --package <PACKAGE-NAME> --package-version <PACKAGE-VERSION>
user@host:/AST$ ./cx utils remediation sca --package-files /home/pom.xml --package log4j --package-version 1.2.1
Unsupported package manager file
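The three sca remediation examples above show the outcomes a version-pinning tool has to distinguish: the package is present and gets its version replaced, the package is absent, or the file is not an npm package.json at all. The Go program below is an added example illustrating that logic in memory; it is not the ast-cli implementation. It assumes a package.json with dependencies and devDependencies sections (a constructed sample is embedded), rewrites only the named package, leaves every other dependency untouched, and reports the two failure cases with messages matching the example output.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
)

// ErrUnsupportedFile is returned for anything that is not a package.json,
// mirroring the "Unsupported package manager file" output above.
var ErrUnsupportedFile = errors.New("Unsupported package manager file")

// SamplePackageJSON is constructed input for the example.
const SamplePackageJSON = `{
  "name": "demo-app",
  "version": "0.1.0",
  "dependencies": {
    "copyfiles": "^1.0.0",
    "express": "4.17.1"
  },
  "devDependencies": {
    "jest": "27.0.0"
  }
}`

// RemediatePackage sets pkg to version in every dependency section of a
// package.json document and returns the rewritten document. Other keys and
// other dependencies are carried through as raw JSON and left untouched.
func RemediatePackage(filename string, content []byte, pkg, version string) ([]byte, error) {
	if filepath.Base(filename) != "package.json" {
		return nil, ErrUnsupportedFile
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(content, &doc); err != nil {
		return nil, fmt.Errorf("parse %s: %w", filename, err)
	}
	found := false
	for _, section := range []string{"dependencies", "devDependencies"} {
		raw, ok := doc[section]
		if !ok {
			continue
		}
		var deps map[string]string
		if err := json.Unmarshal(raw, &deps); err != nil {
			return nil, fmt.Errorf("parse %s.%s: %w", filename, section, err)
		}
		if _, ok := deps[pkg]; !ok {
			continue
		}
		deps[pkg] = version
		updated, err := json.Marshal(deps)
		if err != nil {
			return nil, err
		}
		doc[section] = updated
		found = true
	}
	if !found {
		// Same wording as the "nonexistent package" example above.
		return nil, fmt.Errorf("Package %s not found", pkg)
	}
	return json.MarshalIndent(doc, "", "  ")
}

// DependencyVersion looks a package up in both dependency sections so the
// result of a remediation can be verified without re-parsing by hand.
func DependencyVersion(content []byte, pkg string) (string, bool) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(content, &doc); err != nil {
		return "", false
	}
	for _, section := range []string{"dependencies", "devDependencies"} {
		var deps map[string]string
		if err := json.Unmarshal(doc[section], &deps); err != nil {
			continue
		}
		if v, ok := deps[pkg]; ok {
			return v, true
		}
	}
	return "", false
}

func main() {
	out, err := RemediatePackage("/home/package.json", []byte(SamplePackageJSON), "copyfiles", "1.2.1")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(out))
	_, err = RemediatePackage("/home/package.json", []byte(SamplePackageJSON), "copyfile", "1.2.1")
	fmt.Println(err)
	_, err = RemediatePackage("/home/pom.xml", []byte("<project/>"), "log4j", "1.2.1")
	fmt.Println(err)
}
```

Deciding on the file by its base name is what keeps the pom.xml case an explicit error rather than a JSON parse failure, and carrying unrelated sections as raw JSON is what keeps the rewrite from touching anything but the requested package.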