Viewing Checkmarx One Results in Visual Studio
Once you have run a Checkmarx One scan on the source code of your Visual Studio project, you can import the scan results into your Visual Studio IDE. The results are integrated within the IDE in a manner that makes it easy to identify the vulnerable code triage the results and take the required remediation actions.
First you need to import the results from the latest scan of your Visual Studio project. Then you can view the results in your Visual Studio IDE.
GIF - How to view scan results
Importing your Checkmarx One Scan Results
To import results from a scan:
In the main navigation, click View > Other Windows > Checkmarx.
The Checkmarx panel opens.
The plugin will try to automatically show results for the relevant scan by matching your project and branch to an existing Checkmarx One scan.
If the desired scan is not displayed, you can select the scan manually by entering the Scan ID of the desired scan in the Scan field.
Use one of the following methods to submit the relevant Scan ID.
In the Checkmarx panel, click on the Project dropdown.
A dropdown list of your Checkmarx One Projects is shown.
Select the Checkmarx One Project that corresponds to the Visual Studio project that you are working on.
The Branch field automatically refreshes, and retrieves available branches for this Project.
Click on the Branch dropdown.
A dropdown list of the branches for the selected Project is shown.
Select the desired branch.
The Scan field automatically refreshes, and retrieves available scans of this branch of the Project.
Click on the Scan dropdown.
All of the scans for this branch are shown, with the most recent on top.
Select the desired scan.
The scan results are imported into Visual studio and the selected scan ID is shown below the search box in the Checkmarx panel.
Log in to the Checkmarx One web application.
Navigate to the the desired Project page.
On the Scan History tab, copy the Scan ID of the desired scan.
In the Visual Studio console > Checkmarx panel, in the Scan search box, paste the Scan ID and press Enter.
The scan results are imported into Visual Studio and the selected scan ID is shown below the search box in the Checkmarx panel.
Viewing Checkmarx One Scan Results
You can open the Checkmarx panel below your project and navigate the tree display to view details about a specific vulnerability.
Notice
In order to show the source code for a node in an attack vector, you need to have the relevant project open in your Visual Studio console.
To view the Checkmarx One results in the Checkmarx panel:
After you import the scan results, in the Checkmarx panel click on an arrow or double-click a node to expand that node in the tree.
You can use the Checkmarx Toolbar in the header bar to adjust the display, see below.
Click on a vulnerability.
The details panel is shown on the right, including a summary of the vulnerability info, a brief description and the Attack Vector (for SAST vulnerabilities).
Click on a node in the Attack Vector.
An editor opens containing the source code in the respective file and location for the selected node.
Checkmarx Toolbar
On the sidebar, on the left side of the Checkmarx panel, a toolbar with the following actions is available:
Icon | Item | Description | |
|---|---|---|---|
| Filter High | Show/hide high severity vulnerabilities | |
| Filter Medium | Show/hide medium severity vulnerabilities | |
| Filter Low | Show/hide low severity vulnerabilities | |
| Filter Info | Show/hide info severity vulnerabilities | |
| Filter by state | Filter results by state (multi-select, by default all are selected except for Not Exploitable and Proposed Not Exploitable) | |
| Group By | Select one or more criteria for grouping the results. Options are: File, Severity, State and Query Name. | |
| Refresh | Clear Project, Branch and Scan selection and refresh the Project selection list | |
| Settings | Opens the Checkmarx One Visual Studio plugin configuration settings |
Managing (Triaging) Results
Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘state’, ‘severity’ and ‘comments’. After reviewing the results of a scan, you have the ability to triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.
You can manage the results directly in the Visual Studio console.
Warning
Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.
To edit the result predicate:
Navigate to the vulnerability that you would like to edit.
To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. For SAST and KICS, options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent. For SCA, options are: Not Ignored or Ignored.
Notice
If you mark a vulnerability as Not Exploitable or Ignored it will not be shown in the results in the web app for this scan or for subsequent scans of this Project.
To add a comment, enter your comment in the field Comment.
In order to apply your changes, click Update.
The new predicate is applied to the vulnerability instance in this scan as well as to recurring instances of the vulnerability in subsequent scans of the Project. The changes made to the predicate are shown in the Changes tab.
Codebashing Links
Codebashing is an interactive AppSec training platform built by developers for developers. Codebashing sharpens the skills that developers need to avoid security issues, fix vulnerabilities, and write secure code in the first place. See Codebashing documentation here.
When you select a SAST vulnerability for which a Codebashing lesson exists, a link to the relevant lesson is shown. Click on the link to open the lesson in a new browser.
Note
If you don’t yet have a license for Codebashing, a dialog opens showing a link to start a free trial.
 |