VSCode Tutorial - Settings.json

Goals

This tutorial is designed to teach the following topics:

  • How to enable scanning any folder or file from the CxVSCode plugin

  • How to move to Quiet (silent) mode

  • How to exclude or include files or folders

  • How to change the report path

  • How to configure a proxy

Prerequisites

  • VSCode 1.44 or later

  • CxSAST 9.0 or higher with known user credentials

  • Source code available

  • Checkmarx VSCode extension installed and enabled

  • The following tutorials completed:

    • Login

    • Scan & Reports

  • settings.json available in the active workspace inside the .vscode folder.

Procedure – Enabling Scan any Folder or File

1. Click the Extensions icon to open the Extensions page. The CxVSCode plugin entry appears.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Enable the Enable Scan Buttons option.

5. Verify that the following has been added to the settings.json file.

"cx.enableScanButtons": true

6. In the CX PORTAL toolbar, click Scan Any File. You are asked to select a file for scanning.

7. Select a file to scan and ensure that the scan completes successfully.

8. Disable the Enable Scan Buttons option.

9. Verify that the settings.json file has been updated and that cx.enableScanButtons has been removed.

To verify that the Enable Scan Buttons option is disabled:

  • In the CX PORTAL toolbar, click Scan Any File. A warning appears indicating that this option is disabled.

Procedure – Change to Quiet Mode

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Enable the Quiet mode.

5. Verify that the following has been added to the settings.json file.

"cx.quiet": true

6. From CX SCAN RESULT, generate a report. No popups appear.

7. In the CX PORTAL toolbar, click Scan Any File. You are asked to select a file for scanning.

8. Click the Extensions icon to open the Extensions page.

9. Under CxVSCode, click the Settings icon. A dropdown menu appears.

10. From the dropdown menu, select Extension Settings.

11. Enable the Quiet mode option.

12. Verify that the following has been added to the settings.json file.

"cx.quiet": true

13. From CX SCAN RESULT generate a report. No popups appear.

14. Disable the Quiet mode option.

15. Verify that settings.json has been updated and the cx.quiet setting has been removed.

Procedure – Change Exclude/Include File or Folder Extensions

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Enable the Quiet mode option.

5. Change the File Extensions and Folder Exclusions settings as follows:

6. Verify that the changes are reflected in the settings.json file.

Notice

Strings starting with an exclamation mark (!) indicate that they must be excluded. Remove the exclamation mark to include the items.

Procedure – Change Report Path

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Edit the Report Path setting as follows:

5. Check that the edited report path is reflected in the settings.json file in the cx.reportPath setting as follows:

"cx.reportPath": "C:\\Users\\xxxxxx\\OneDrive - yyyyyy\\Documents\\CxFlow\\Report1.json"

6. Generate a new report and verify that it is available in the correct path.

Procedure – Change the SSL Certificate Path

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Edit the SSL certificate Path setting as follows:

5. Check that the SSL certificate path is reflected in the settings.json file in the cx.sslCertificatePath setting as follows (backslashes in a Windows path must be doubled in JSON):

"cx.sslCertificatePath": "d:\\certificates\\cacert_chain.crt"

6. Enter the path to the certificate chain file that contains all intermediate and root CA certificates used for HTTPS connections.

Procedure – Enable User Credentials Login

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Enable the User Credentials Login setting as follows:

5. Verify that the change is reflected in the settings.json file in the cx.enableUserCredentialsLogin setting as follows:

"cx.enableUserCredentialsLogin": true

6. Select this option to log in with user credentials.

Procedure – Enabling Workspace Only Scan

1. Click the Extensions icon to open the Extensions page.

2. Under Checkmarx SAST 9.x, click the Settings icon. A dropdown menu appears.

3. From the dropdown menu, select Extension Settings.

4. Select Enable Workspace Only Scan.

5. Verify in the settings.json file that the following line was added:

"cx.enableWorkspaceOnlyScan": true

6. In the CX PORTAL, click Scan Any File.

7. Select a file, folder, or workspace to scan and right-click it. You are only offered the option to scan at the workspace level, not an individual file or folder.
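The settings.json entries shown in the procedures above (Scan Buttons, Quiet mode, report path, SSL certificate path, user credentials login, workspace-only scan) are plain JSON, and a single hand-editing slip, such as an undoubled backslash or a quoted " true", silently stops a setting from applying. The following checker is an added example, not part of this tutorial or of the Checkmarx extension; the settings fragments it inspects are constructed here, and the xxxxxx placeholder in the report path stands in for a real user folder.

```python
import json

# Constructed settings.json fragments for this example; they are not taken
# from the tutorial's screenshots. GOOD shows the cx.* keys the tutorial
# covers written as valid JSON (Windows backslashes doubled, booleans bare).
GOOD = r'''{
  "cx.enableScanButtons": true,
  "cx.quiet": true,
  "cx.reportPath": "C:\\Users\\xxxxxx\\Documents\\CxFlow\\Report1.json",
  "cx.sslCertificatePath": "d:\\certificates\\cacert_chain.crt",
  "cx.enableUserCredentialsLogin": true,
  "cx.enableWorkspaceOnlyScan": true
}'''
# \c is not a JSON escape: the file fails to parse and no setting applies.
BAD_UNESCAPED = r'''{ "cx.sslCertificatePath": "d:\certificates\cacert_chain.crt" }'''
# A quoted " true" is a string, not the boolean the extension expects.
BAD_STRING_BOOL = r'''{ "cx.enableUserCredentialsLogin": " true" }'''
# \t and \r are valid escapes, so this parses, but the path now contains
# control characters and the report lands somewhere unexpected or nowhere.
BAD_CONTROL = r'''{ "cx.reportPath": "C:\temp\report.json" }'''

BOOL_KEYS = ("cx.enableScanButtons", "cx.quiet",
             "cx.enableUserCredentialsLogin", "cx.enableWorkspaceOnlyScan")
PATH_KEYS = ("cx.reportPath", "cx.sslCertificatePath")


def check_cx_settings(text):
    """Return a list of problems found in a settings.json text ([] if clean)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err.msg} (line {err.lineno}, col {err.colno})"]
    problems = []
    for key in BOOL_KEYS:
        if key in data and not isinstance(data[key], bool):
            problems.append(f"{key}: expected true/false, got {data[key]!r}")
    for key in PATH_KEYS:
        if key not in data:
            continue
        value = data[key]
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: expected a non-empty path string")
        elif any(ord(ch) < 0x20 for ch in value):
            problems.append(f"{key}: path contains a control character; "
                            "double the backslashes (C:\\\\dir\\\\file)")
    return problems
```

Run check_cx_settings on the text of your own .vscode/settings.json before generating a report; an empty list means the documented keys are at least well-formed.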

Configuring a Proxy

1. Navigate to File > Preferences > Settings > Application > Proxy. The proxy dialog appears.

2. Under Proxy, enter the URL of the proxy server, for example http://proxyhost:port.

3. Under Proxy Support, select Override. All HTTP requests from the VSCode extension are then routed via the proxy server.

Assigning Users

You can assign users to vulnerabilities as explained below.

1. Open the Result table from the Settings menu.

2. Select the vulnerability to which you want to assign the user.

3. Select Assign User and enter the user name for the new user. The user appears in the Assigned User column of the selected vulnerability.

Working with Comments

You can add and edit comments for one or more vulnerabilities. Adding a comment to multiple vulnerabilities at once is referred to as a bulk comment from this point on.

To add a comment to one or several vulnerabilities (bulk comment):

1. In the Result table, select at least one vulnerability and click the Edit icon. The Add Comment dialog appears.

2. Enter the comment and then click Submit. The comment is added under Comments for the selected vulnerabilities. Up to the last five comments are listed under Comments for each vulnerability.

To make adding comment mandatory:

1. Click Extension. The Extensions page appears.

2. Select Mandatory Comments. Comments are now mandatory on result change.

Notice

If this option is enabled inside CxSAST, but commenting is not defined as mandatory on the plugin side, an error message appears in the Extension Settings dialog with a reminder to make comments mandatory.

Once comments are set to be mandatory and the scan results change, the Add Comment dialog appears and you are asked to add a comment.

Once the comment is added, the result state change for the associated vulnerability is marked as checked in the Results State column and the comment appears in the Comment column.
