
Setting Up the Maven Plugin

The Checkmarx plugin for Maven is simple to configure and run as follows:

  1. Make sure that you have Apache Maven installed on the host used to develop your code. If not installed, go to the Apache Maven download site to download and install it.

  2. Download and configure the Checkmarx Maven plugin as required.

  3. Create a new Maven project and compile it.

For additional information, refer to the Frequently Asked Questions.

Prerequisites

Required Application    Version
Apache Maven            3.2.0 and higher
CxSAST                  8.9 and higher
CxOSA                   8.7.0 and higher
Maven Plugin            9.00.2 and higher

Configuring the Checkmarx Maven Plugin

Add the configuration shown below inside the <plugin> section of your pom.xml. The code sample is a typical pom.xml snippet that applies to both CxSAST and CxOSA scans and contains the available parameters with sample values.

To include CxSAST and CxOSA in your project, add or modify the parameters in the pom.xml file as illustrated in the code sample and explained in the table below:

Notice

  • You are unable to start using CxOSA unless the end user license agreement (EULA) has been viewed and accepted.

  • You can run CxOSA with the CxSAST scan by including the <osaEnabled> tag in the pom.xml file.

  • You cannot run CxOSA without running the CxSAST scan.

  • <url>, <username> and <password> are mandatory parameters.

<build>
    <plugins>
        <plugin>
            <groupId>com.checkmarx.maven</groupId>
            <artifactId>checkmarx-maven-plugin</artifactId>
            <version>x.xx.x</version>
            <configuration>
                <url>http://localhost</url>
                <username>user@org</username>
                <password>Org123456</password>
                <fullTeamPath>CxServer\SP</fullTeamPath>
                <preset>all</preset>
                <isIncrementalScan>false</isIncrementalScan>
                <highSeveritiesThreshold>1</highSeveritiesThreshold>
                <mediumSeveritiesThreshold>20</mediumSeveritiesThreshold>
                <lowSeveritiesThreshold>30</lowSeveritiesThreshold>
                <fileExclusions>file1, file2</fileExclusions>
                <folderExclusions></folderExclusions>
                <generatePDFReport>true</generatePDFReport>
                <isSynchronous>true</isSynchronous>
                <outputDirectory>c:\users\tmp</outputDirectory>
                <projectName>Project 22 (Maven)</projectName>
                <scanTimeoutInMinutes>10</scanTimeoutInMinutes>
                <disableCertificateVerification>false</disableCertificateVerification>
                <osaEnabled>false</osaEnabled>
                <osaHighSeveritiesThreshold>1</osaHighSeveritiesThreshold>
                <osaMediumSeveritiesThreshold>0</osaMediumSeveritiesThreshold>
                <osaLowSeveritiesThreshold>0</osaLowSeveritiesThreshold>
                <osaExclusions>file1, file2</osaExclusions>
                <osaIgnoreScopes>1</osaIgnoreScopes>
                <osaGenerateJsonReport>0</osaGenerateJsonReport>
                <enablePolicyViolations>true</enablePolicyViolations>
            </configuration>
        </plugin>
    </plugins>
</build>
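The sample above places the scan user's password in clear text in pom.xml, a file that is normally committed to source control. The following is an added example, not taken from the Checkmarx documentation, that keeps the same plugin configuration but reads the connection details from Maven properties and the password from a CX_PASSWORD environment variable through Maven's standard ${env.VAR} interpolation. The property names cx.url, cx.username, cx.password and cx.plugin.version are assumptions chosen for this example; the plugin version is the 9.00.2 minimum listed in the prerequisites.

```xml
<project>
  <!-- ... remaining pom.xml content (groupId, artifactId, dependencies, ...) ... -->
  <properties>
    <!-- Hypothetical property names; override per environment with -Dcx.url=... -->
    <cx.url>https://checkmarx.example.org</cx.url>
    <cx.username>ci-scan-user</cx.username>
    <!-- Standard Maven env.* interpolation: the secret is supplied by the CI job
         and never stored in the repository -->
    <cx.password>${env.CX_PASSWORD}</cx.password>
    <cx.plugin.version>9.00.2</cx.plugin.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>com.checkmarx.maven</groupId>
        <artifactId>checkmarx-maven-plugin</artifactId>
        <version>${cx.plugin.version}</version>
        <configuration>
          <url>${cx.url}</url>
          <username>${cx.username}</username>
          <password>${cx.password}</password>
          <fullTeamPath>CxServer\SP</fullTeamPath>
          <preset>all</preset>
          <isIncrementalScan>false</isIncrementalScan>
          <!-- Quality gate: any high finding fails the build, a few medium/low are tolerated -->
          <highSeveritiesThreshold>0</highSeveritiesThreshold>
          <mediumSeveritiesThreshold>5</mediumSeveritiesThreshold>
          <lowSeveritiesThreshold>20</lowSeveritiesThreshold>
          <!-- Keep TLS verification on: the credentials above travel over this connection -->
          <disableCertificateVerification>false</disableCertificateVerification>
          <!-- CxOSA runs alongside the CxSAST scan with its own high-severity gate -->
          <osaEnabled>true</osaEnabled>
          <osaHighSeveritiesThreshold>0</osaHighSeveritiesThreshold>
          <enablePolicyViolations>true</enablePolicyViolations>
          <!-- The build must wait for results for the thresholds to be evaluated -->
          <isSynchronous>true</isSynchronous>
          <generatePDFReport>true</generatePDFReport>
          <scanTimeoutInMinutes>30</scanTimeoutInMinutes>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Export CX_PASSWORD in the CI job from the CI system's secret store before running Maven; if the variable is unset, Maven leaves the literal ${env.CX_PASSWORD} in place and the login fails rather than silently using an empty password.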

You can change the following parameter values. Each entry gives the parameter, its type, the scan type it applies to and its default value (where the documentation states them), followed by a description.

<url>
    Type: URL
    Default Value: http://localhost/
    Description: The hostname of the Checkmarx application. The Maven plugin also supports https://.

<username>
    Type: string
    Description: The username of the user running the scan.

<password>
    Type: string
    Description: The password of the user running the scan.

<fullTeamPath>
    Type: string
    Default Value: CxServer
    Description: The full path of the team that the scan belongs to.

<outputDirectory>
    Type: file
    Default Value: ${project.build.directory}\checkmarx
    Description: Defines an output directory for the scan reports.

<projectName>
    Type: string
    Default Value: ${project.name}
    Description: The name of the project being scanned. If not provided, it is taken from the project name in the Maven pom.xml.

<isSynchronous>
    Type: Boolean
    Scan Type: CxSAST, CxOSA
    Default Value: true
    Description: If true, the build waits for the scan to end and displays the results. If false, the build triggers the scan without waiting for it to end, and the results are not displayed.

<disableCertificateVerification>
    Type: Boolean
    Scan Type: CxSAST, CxOSA
    Default Value: false
    Description: Disables SSL/TLS certificate validation. Keep it at false outside isolated test setups: with validation disabled, the scan credentials are sent to a server whose identity has not been verified.

<highSeveritiesThreshold>
    Type: integer
    Scan Type: CxSAST
    Description: Configures a threshold for high severity vulnerabilities. The build fails if the number of high severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<mediumSeveritiesThreshold>
    Type: integer
    Scan Type: CxSAST
    Description: Configures a threshold for medium severity vulnerabilities. The build fails if the number of medium severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<lowSeveritiesThreshold>
    Type: integer
    Scan Type: CxSAST
    Description: Configures a threshold for low severity vulnerabilities. The build fails if the number of low severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<isIncrementalScan>
    Type: Boolean
    Scan Type: CxSAST
    Default Value: true
    Description: If true, an incremental scan is performed, which means that only modified files are scanned.

<preset>
    Type: string
    Scan Type: CxSAST
    Default Value: Checkmarx default
    Description: Scans the project with one of the predefined scan presets or one of your custom presets.

<fileExclusions>
    Type: string
    Scan Type: CxSAST
    Description: List of files and/or file patterns that the scan ignores.

<folderExclusions>
    Type: string
    Scan Type: CxSAST
    Description: List of folders and/or folder patterns that the scan ignores.

<generatePDFReport>
    Type: Boolean
    Scan Type: CxSAST
    Default Value: true
    Description: If true, a PDF report is generated in the output directory.

<scanTimeoutInMinutes>
    Type: integer
    Scan Type: CxSAST
    Default Value: 0
    Description: Defines a timeout (in minutes) for the scan. If the specified time has passed, the build fails. Set to 0 to run the scan without a time limit; the scan also runs without a time limit if this value is not provided.

<osaEnabled>
    Type: Boolean
    Scan Type: CxOSA
    Default Value: false
    Description: If true, CxOSA is enabled.

<osaHighSeveritiesThreshold>
    Type: integer
    Scan Type: CxOSA
    Description: Configures a threshold for CxOSA high severity vulnerabilities. The build fails if the number of high severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<osaMediumSeveritiesThreshold>
    Type: integer
    Scan Type: CxOSA
    Description: Configures a threshold for CxOSA medium severity vulnerabilities. The build fails if the number of medium severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<osaLowSeveritiesThreshold>
    Type: integer
    Scan Type: CxOSA
    Description: Configures a threshold for CxOSA low severity vulnerabilities. The build fails if the number of low severity vulnerabilities exceeds the threshold. Leave empty to ignore the threshold.

<osaIgnoreScopes>
    Type: string
    Scan Type: CxOSA
    Description: List of Maven scopes to be ignored in a CxOSA scan. Provided scopes are ignored by default unless configured otherwise.

<osaExclusions>
    Type: string
    Scan Type: CxOSA
    Description: List of Maven dependencies that are not included in CxOSA. An exclusion should be of the form groupId.artifactId.

    Notice: osaExclusions has been deprecated and is no longer supported. If applied, the following log message is returned:

    ${param} is not supported in this Maven version.

<osaGenerateJsonReport>
    Type: Boolean
    Scan Type: CxOSA
    Default Value: true
    Description: If true, a CxOSA PDF report is generated in the output directory.

<enablePolicyViolations>
    Type: Boolean
    Scan Type: CxSAST, CxOSA
    Default Value: false
    Description: The build breaks if either the CxOSA or the CxSAST policy is violated.

    Notice: A policy is assigned to a project from within CxSAST.