
Viewing Checkmarx One Results in JetBrains

Once you have run a Checkmarx One scan on the source code of your JetBrains project, you can import the scan results into your JetBrains IDE. The results are integrated within the IDE in a way that makes it easy to identify the vulnerable code, triage the results and take the required remediation actions.

First you need to import the results from the latest scan of your JetBrains project. Then you can view the results in your JetBrains IDE.

Importing your Checkmarx One Scan Results

To import results from a scan:

  1. In your JetBrains project, click Checkmarx (at the bottom of the screen) to open the Checkmarx panel.


    The Checkmarx panel opens at the bottom of the screen.


    The plugin will try to automatically show results for the relevant scan by matching your project and VCS branch to an existing Checkmarx One scan.

  2. If the desired scan is not displayed, you can select the scan manually by entering the Scan ID of the desired scan in the Scan field.

    Use one of the following methods to submit the relevant Scan ID.

Viewing Checkmarx One Scan Results

There are two methods for viewing Checkmarx One scan results in JetBrains:

Viewing Checkmarx One Scan Results in the Checkmarx Panel

You can open the Checkmarx panel below your project and navigate the tree display to view details about a specific vulnerability.

Notice

In order to show the source code for a specified attack vector, you need to have the relevant project open in your JetBrains console.

To view the Checkmarx One results in the Checkmarx panel:

  1. After you import the scan results, and the results are shown in the Checkmarx panel, click on an arrow or double-click a node to expand that node in the tree.

  2. You can use the Checkmarx Toolbar (on the left) to adjust the display; see Checkmarx Toolbar below.

  3. Click on a vulnerability.

    The details panel is shown on the right, including a summary of the vulnerability info, a brief description and the Attack Vector (for SAST vulnerabilities).

  4. Click on a node in the Attack Vector.

    An editor opens containing the source code in the respective file and location for the selected node.

  5. Hover over an error or warning in the code to show a tooltip with info about the vulnerability.

Checkmarx Toolbar

On the sidebar, on the left side of the Checkmarx panel, a toolbar with the following actions is available:

  - Settings: Opens the Checkmarx One JetBrains plugin configuration settings.

  - Refresh: Clears the Project, Branch and Scan selection and refreshes the Project selection list.

  - Filter High: Show/hide high severity vulnerabilities.

  - Filter Medium: Show/hide medium severity vulnerabilities.

  - Filter Low: Show/hide low severity vulnerabilities.

  - Filter Info: Show/hide info severity vulnerabilities.

  - Filter by state: Filter results by state (multi-select; by default all states are selected).

  - Group By: Select the criteria for grouping the results (e.g., severity and query name).

  - Expand All: Fully expand the results tree.

  - Collapse All: Fully collapse the results tree.

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which consists of the following attributes: ‘state’, ‘severity’ and ‘comments’. After reviewing the results of a scan, you can triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can manage the results directly in the JetBrains console.

Warning

Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

To edit the result predicate:

  1. Navigate to the vulnerability that you would like to edit.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. For SAST and KICS, options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent. For SCA, options are: Not Ignored or Ignored.

    Notice

    If you mark a vulnerability as Not Exploitable or Ignored, it will not be shown in the results in the web app for this scan or for subsequent scans of this Project.

  4. To add a comment, enter your comment in the field Comment.

  5. In order to apply your changes, click Update.

    The new predicate is applied to the vulnerability instance in this scan as well as to recurring instances of the vulnerability in subsequent scans of the Project. The changes made to the predicate are shown in the Changes tab.

Viewing Checkmarx One Results Using the Code Analyzer

You can leverage the JetBrains code analyzer to display the results, see https://www.jetbrains.com/help/idea/code-inspection.html. You can analyze the whole project or set a custom scope. The results of the Checkmarx One scan are shown together with other problems identified by JetBrains in the Problems tab.

To use the Code Analyzer:

  1. After you retrieve the scan results, and the scan ID is shown in the Checkmarx panel, click Code > Analyze Code > Run Inspection by Name.


    The Enter inspection name window is shown.

  2. In the search field, type Checkmarx to locate Checkmarx One, and press Enter.


    The Run Checkmarx One window is shown.

  3. For Inspections Scope, leave the Whole project radio button selected (default) to inspect the entire project or select Custom scope and specify the places that you want to inspect, then click OK.

  4. Click on Problems (at the bottom of the screen) to open the Problems tool window.


    The Problems tool window is shown with any problems that were found, including the Checkmarx One vulnerabilities.
