Client Installation

CxSAST Reporting Authorization Setup

This page describes how to install the CxReportingService authorization setup. The script must be executed prior to the Client API installation.

Authorization and Authentication

The CxReportingService client REST API integrates authentication and authorization with Checkmarx SAST Access Control. To support this integration:

  • A new scope for the CxReportingService is created, named reporting_api

  • New permissions are created:

    • generate-project-report (for project template generation)

    • generate-team-report (for teams templates generation)

    • generate-application-report (for application template generation)

    • generate-executive-report (for executive template generation)

      • Available only in the authorization script from version 1.5.0

    • create-report-template (for new report templates creation)

      • Available only in the authorization script from version 2.0

    • update-report-template (for templates customization)

      • Available only in the authorization script from version 2.0

    • delete-report-template (for templates deletion)

      • Available only in the authorization script from version 2.0

    • edit-report (for configurations customization before generating a report)

      • Available only in the authorization script from version 2.0

    • The permissions are available under the Reports category.

    • No roles having the new permissions are created. Roles must be created and/or edited manually, in Access Control, to include the new permission.

  • As Swagger acts as a client of the CxReportingService, a new client, named reporting_service_swagger, was created to authenticate through Swagger.

  • In versions 1.0.0 to 1.4.0, the Swagger authentication used the implicit flow.

  • In version 1.5.0, the authentication method for the Swagger client was changed from implicit to PKCE.

Authorization Setup Script

For Versions from 1.0.0 to 1.4.0

A PowerShell script has been developed to set up the Access Control configuration, which includes the scope, the client and the permissions.

Execute the script in the CxSAST Manager host, after first stopping the SystemManager service. This will avoid conflicts in the filesystem access and apply the changes to the system when started.

The script can be found under the CxReportingClientFolder (CxReportingClient-XXXX.zip\CxReportingClient\cx-reporting-auth-setup.ps1)

Warning

The script must be executed in a PowerShell console in Administrator mode.

Script Parameters and Execution

The script has the following parameters:

o Verbose (Required) - Outputs details about the applied installation steps.

o Port (Default: 5555) - Configures the IIS port where the CxReportingService Client API will be deployed.

o PortalPort (Default: 3000) - Configures the IIS port where the CxReportingService Portal will be deployed.

o InstallationPath (Default: C:\Program Files\Checkmarx) - Configures the CxSAST base installation folder.

o BaseAddress (Default: http://localhost) - Configures the CxReportingService Client API host IP or name.

Examples

Default installation, using the default values:

.\cx-reporting-auth-setup.ps1 -Verbose

For an installation with custom values:

.\cx-reporting-auth-setup.ps1 -Verbose -Port 8080 -BaseAddress http://10.32.123.12 -InstallationPath "D:\Installations\Checkmarx"

For Versions from 1.5.0

In version 1.5.0, the authentication method for the Swagger client was changed from implicit to PKCE.

A PowerShell script has been developed to set up the Access Control configuration, which includes the scope and the permissions. The script also executes a SQL query to create the needed clients.

Execute the script in the CxSAST Manager host, after first stopping the CxSystemManager windows service. This will avoid conflicts in the filesystem access and apply the changes to the system when started.

The script can be found under the CxReportingClientFolder (CxReportingClient-XXXX.zip\CxReportingClient\cx-reporting-auth-setup.ps1)

Warning

The script must be executed in a PowerShell console in Administrator mode.

Script Parameters and Execution

The script has the following parameters:

o Verbose (Required) - Outputs details about the applied installation steps.

o Port (Default: 5555) - Configures the IIS port where the CxReportingService Client API will be deployed.

o InstallationPath (Default: C:\Program Files\Checkmarx) - Configures the CxSAST base installation folder.

o BaseAddress (Default: http://localhost) - Configures the CxReportingService Client API host IP or name.

o DatabaseHost (Default: empty string) - Configures the SQL Server host where the CxSAST database is deployed. Examples: localhost or 10.32.2.127,1433

o Username (Default: empty string) - Configures the SQL Server username for the CxSAST database.

o Password (Default: empty string) - Configures the SQL Server password for the CxSAST database.

Notice

If no Username and Password are set, the SQL Server will try to use Windows Authentication.

Example
Run the Script

Default installation, using the default values:

.\cx-reporting-auth-setup.ps1 -Verbose

For an installation with custom values:

.\cx-reporting-auth-setup.ps1 -Verbose -Port 8080 -PortalPort 3001 -BaseAddress http://10.32.123.12 -InstallationPath "D:\Installations\Checkmarx" -DatabaseHost "localhost\SQLExpress" -Username "**Rep**rts**" -Password "********"

Warning

When running the script, an error message might pop up stating that the script is not digitally signed.

In that case, execute one of the following command lines:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

or

powershell -ExecutionPolicy Bypass "& '.\cx-reporting-auth-setup.ps1' -Verbose"
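
The steps above (Administrator console, stopped service, execution policy bypass, SQL credentials) combined into one console session, as an added example that is not part of the Checkmarx package. It assumes the Windows service is named CxSystemManager as written on this page, that the script is in the current folder, and that SQL Server authentication is used; the DatabaseHost value is the one from the example above.

```powershell
# Added example (not part of the Checkmarx package). Run from the extracted
# CxReportingClient folder in an elevated PowerShell console.
$ErrorActionPreference = 'Stop'
$script  = '.\cx-reporting-auth-setup.ps1'
$service = 'CxSystemManager'   # assumption: service name as written on this page

# 1. Refuse to continue without Administrator rights (the script requires them).
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the PowerShell console as Administrator.'
}

# 2. Record what is about to run before relaxing the execution policy.
#    An unsigned script reports the status NotSigned.
$sig  = Get-AuthenticodeSignature -FilePath $script
$hash = Get-FileHash -Path $script -Algorithm SHA256
Write-Host "Signature status: $($sig.Status)"
Write-Host "SHA256:           $($hash.Hash)"
if ((Read-Host 'Is this the file from the package you downloaded? (y/n)') -ne 'y') {
    throw 'Aborted: script not verified.'
}

# 3. The bypass applies to this console session only; the machine and user
#    execution policies are left untouched.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# 4. Prompt for the SQL login instead of typing the password on the command
#    line, where it would be saved in console history and transcripts.
$cred = Get-Credential -Message 'SQL Server login for the CxSAST database'

# 5. Stop the service, run the setup, and always start the service again,
#    even if the setup script fails.
Stop-Service -Name $service
try {
    & $script -Verbose `
        -DatabaseHost 'localhost\SQLExpress' `
        -Username $cred.UserName `
        -Password $cred.GetNetworkCredential().Password
}
finally {
    Start-Service -Name $service
}
```

To use Windows Authentication instead, skip step 4 and omit the -Username and -Password arguments.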

Authentication via Swagger

Notice

Before authenticating to the CxReportingService via Swagger, do the following:

  1. Access the URL <ip>:<port>/swagger/ to display the familiar Swagger interface, listing all the available endpoints.

  2. Click the Authorize button.

  3. In the Available Authorizations window, select reporting_api under Scopes and click Authorize.

  4. You will be redirected to the CxPortal login page. Enter your credentials to be authenticated.
