Reviewing Scan Results in SonarQube

Scan results in SonarQube that are related to Checkmarx, are also displayed in the CxSAST. For more information about viewing scan results in CxSAST, refer to the Checkmarx CxSAST Documentation at Navigating SAST Scan Results.Navigating Scan Results

Checkmarx scan results can be viewed on the SonarQube Project Space by clicking on the desired project from the Project List. The Project Space is displayed.

The top section of the Project Space (Quality Gate) shows the releasability status of the project and its current state of quality. If the project passes quality, a green all-clear 'Passed' label appers. If not, a red 'Failed' label appears with details and drill-downs that are immediately available to quickly identify what went wrong.

Just below the Quality Gate information shows the numbers of old and new Issues in each area. Checkmarx issues (vulnerabilities) are aggregated as part of the 'Bugs & Vulnerabilities' panel. Clicking on any figure in this panel will take you to a detailed view of the related issue in the Issues page.

Clicking on a Checkmarx issue opens a new page relating to the specific issue chosen.

Code location nodes (version dependent) are highlighted and sorted accordingly. Nodes coming from different files are also indicated.

You can drill-down into 'Vulnerabilities' and show the Checkmarx results by clicking the Measures tab and selecting Overview . A graphical diagram of the Remediation Effort, Lines of Code and Security Vulnerabilities is displayed.

This displays the vulnerabilities' operational risks. The closer a bubble's color is to red, the more severe the worst vulnerabilities are. Bubble size indicates vulnerability volume, and each bubble's vertical position reflects the estimated time to address the vulnerabilities. Small green bubbles on the bottom edge are best. Mouse-over a bubble to display additional information about the issue.

Click Remediation Effort to display the list of security issues that need remediation.

Users can define the time needed (in minutes) to fix a security issue. The value is then calculated and displayed to the user, as seen above.

By scrolling down, a graphical diagram of the Remediation Effort, Lines of Code and Vulnerabilities can also be viewed.

Clicking on one of Checkmarx results, in this case “Checkmarx - High Vulnerabilities”, shows the list of files and the number of detected issues.

Clicking on one of the files opens the code viewer showing the content of the file and the list of found issues.

The code viewer is the heart of SonarQube; it displays the source code of a file and its high-level statistics. The main purpose of the code viewer is to show source code and its effort to fix it.

Clicking on the colored severity icon (version dependent) expands the issue, as seen below.

Clicking on opens the rule description.

Clicking the 'More' tab and then selecting 'Checkmarx Report' opens a graphical side-by-side summary report of the Checkmarx scan results.

The CxSAST Vulnerabilities Status report provides information about the distribution of security issues for the project and is divided into the following categories:

The CxSAST Full Report provides information about the distribution of security issues for the project and is divided into the following categories: