
CxSAST Reporting Authorization Setup

This article describes how to install the CxReportingService authorization setup. The script must be executed before the Client API installation.

Authorization and Authentication

The CxReportingService client REST API integrates authentication and authorization with Checkmarx SAST Access Control. To support this:

  • A new scope for the CxReportingService is created, named reporting_api

  • New permissions are created:

    • generate-project-report (for project template generation)

    • generate-team-report (for team template generation)

    • generate-application-report (for application template generation)

    • generate-executive-report (for executive template generation)

      • Available only in the authorization script from version 1.5.0

    • create-report-template (for new report template creation)

      • Available only in the authorization script from version 2.0

    • update-report-template (for template customization)

      • Available only in the authorization script from version 2.0

    • delete-report-template (for template deletion)

      • Available only in the authorization script from version 2.0

    • edit-report (for configuration customization before generating a report)

      • Available only in the authorization script from version 2.0

    • create-template-schedule (for new report schedules creation)

      • Available only in the authorization script from version 3.0

    • edit-template-schedule (for schedule editing)

      • Available only in the authorization script from version 3.0

    • change-status-schedule (to change the state of schedule)

      • Available only in the authorization script from version 3.0

    • delete-template-schedule (to delete scheduled events)

      • Available only in the authorization script from version 3.0

    • Permissions are available under the Reports category.

    • No roles with the new permissions are created. Roles must be created and/or edited manually in Access Control to include the new permissions.

  • As Swagger acts as a client of the CxReportingService, a new client was created to authenticate through Swagger, named reporting_service_swagger.

  • From versions 1.0.0 to 1.4.0, an implicit flow was implemented in the Swagger authentication.

  • In version 1.5.0, the authentication method for the Swagger client was changed from implicit to PKCE.

Authorization Setup Script

For Versions from 1.0.0 to 1.4.0

A PowerShell script to set up the Access Control configuration, which includes the scope, the client, and the permissions, has been developed.

Execute the script on the CxSAST Manager host after first stopping the SystemManager service. This avoids conflicts in filesystem access, and the changes are applied to the system when the service is started again.

The script can be found under the CxReportingClientFolder (CxReportingClient-XXXX.zip\CxReportingClient\cx-reporting-auth-setup.ps1)

Warning

The script must be executed in a PowerShell console in Administrator mode.

Script Parameters and Execution

The script has the following parameters:

  • Verbose Required - To get details about the applied installation steps.

  • Port Default: 5555 - Configure the IIS port where the CxReportingService Client API will be deployed.

  • PortalPort Default: 3000 - Configure the IIS port where the CxReportingService Portal will be deployed.

  • InstallationPath Default: C:\Program Files\Checkmarx - Configure the CxSAST base installation folder.

  • BaseAddress Default: http://localhost - Configure the CxReportingService Client API Host IP or Name.

Examples

Default installation, using the default values:

.\cx-reporting-auth-setup.ps1 -Verbose

For an installation with custom values:

.\cx-reporting-auth-setup.ps1 -Verbose -Port 5555 -BaseAddress http://10.32.123.12 -InstallationPath "D:\Installations\Checkmarx"

System Requirements Starting with Version 1.5.0

Notice

Execute this script on all machines where SAST is installed.

If you have a High Availability environment, you must run it on all machines where SAST is installed.

SqlCmd: This script executes a set of queries in the SAST database and uses the SqlCmd Utility to execute them. To execute this script, you must have SQL Server Management tools or SqlCmd Utility installed on your machine.

Warning

If you get the error "sqlcmd : The term 'sqlcmd' is not recognized as the name or cmdlet, function, script file, or operable program.", you need to install SqlCmd.

For instructions on how to install SqlCmd, see sqlcmd Utility.

Notice

If you run a SQL command to clean the [accesscontrol].[Clients] table, you must run the Authorization Script again to insert CxReporting clients.

For Version 1.5.0

In version 1.5.0, the authentication method for the Swagger client was changed from implicit to PKCE.

A PowerShell script has been developed to set the Access Control configuration, which includes the scope and permissions, and an SQL query is executed to create the needed clients.

Execute the script on the CxSAST Manager host after first stopping the CxSystemManager Windows service. This avoids conflicts in filesystem access, and the changes are applied to the system when the service is started again.

The script can be found under the CxReportingClientFolder (CxReportingClient-XXXX.zip\CxReportingClient\cx-reporting-auth-setup.ps1)

Warning

The script must be executed in a PowerShell console in Administrator mode.

Script Parameters and Execution

The script has the following parameters:

  • Verbose Required - Get details about the applied installation steps.

  • Port Default: 5555 - Configure the IIS/Docker port where the CxReportingService Client API will be deployed.

  • InstallationPath Default: C:\Program Files\Checkmarx - Configure the CxSAST base installation folder.

  • BaseAddress Default: http://localhost - Configure the CxReportingService Client API Host IP or Name.

  • DatabaseHost Default: empty string - Configure the SQL Server host where the CxSAST database is deployed. Examples: localhost or 10.32.2.127,1433

  • Username Default: empty string - Configure the SQL Server username for the CxSAST database.

  • Password Default: empty string - Configure the SQL Server password for the CxSAST database.

Notice

If no Username and Password are set, the SQL Server will try to use Windows Authentication.

Example

Run the Script

Default installation, using the default values:

.\cx-reporting-auth-setup.ps1 -Verbose

For an installation with custom values:

.\cx-reporting-auth-setup.ps1 -Verbose -Port 5555 -PortalPort 3000 -BaseAddress http://10.32.123.12 -InstallationPath "D:\Installations\Checkmarx" -DatabaseHost "localhost\SQLExpress" -Username "**Rep**rts**" -Password "********"

Warning

An error message might appear regarding the script not being digitally signed when running the script.

Execute one of the following command lines:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

or

powershell -ExecutionPolicy Bypass "& '.\cx-reporting-auth-setup.ps1' -Verbose"

For Versions from 2.0.0

In version 2.0.0, the authentication method for the Swagger client was changed from implicit to PKCE.

A PowerShell script has been developed to set up the Access Control configuration, which includes the scope and the permissions, and an SQL query is executed to create the needed clients.

Execute the script on the CxSAST Manager host after first stopping the CxSystemManager Windows service. This avoids conflicts in filesystem access, and the changes are applied to the system when the service is started again.

The script can be found under the CxReportingClientFolder (CxReportingClient-XXXX.zip\CxReportingClient\cx-reporting-auth-setup.ps1)

Caution

The script must be executed in a PowerShell console in Administrator mode.

Script Parameters and Execution

The script has the following parameters:

  • Verbose Required - Get details about the applied installation steps.

  • Port Default: 5555 - Configure the IIS/Docker port where the CxReportingService Client API will be deployed.

  • PortalPort Default: 3000 - Configure the IIS/Docker port where the CxReportingWizard will be deployed.

  • InstallationPath Default: C:\Program Files\Checkmarx - Configure the CxSAST base installation folder.

  • BaseAddress Default: http://localhost - Configure the CxReportingService Client API Host IP or Name.

  • DatabaseHost Default: empty string - Configure the SQL Server host where the CxSAST database is deployed. Examples: localhost or 10.32.2.127,1433.

  • Username Default: empty string - Configure the SQL Server username for the CxSAST database.

  • Password Default: empty string - Configure the SQL Server password for the CxSAST database.

Notice

If no Username and Password are set, the SQL Server will try to use Windows Authentication.

Example

Run the Script

Default installation, using the default values:

.\cx-reporting-auth-setup.ps1 -Verbose

For an installation with custom values:

.\cx-reporting-auth-setup.ps1 -Verbose -Port 5555 -PortalPort 3000 -BaseAddress http://10.32.123.12 -InstallationPath "D:\Installations\Checkmarx" -DatabaseHost "localhost\SQLExpress" -Username "CxReports" -Password "123456"

Caution

An error message might appear regarding the script not being digitally signed when running the script. Execute one of the following command lines:

  • Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  • powershell -ExecutionPolicy Bypass "& '.\cx-reporting-auth-setup.ps1' -Verbose"
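
The prerequisites this page lists for version 2.0.0 and later (Administrator console, sqlcmd installed, service stopped, execution policy relaxed for the unsigned script) can be gathered into one wrapper. The following is an added example, not part of the Checkmarx package; the service name CxSystemManager, the script location in the current folder, and the parameter values are assumptions based on the page's samples.

```powershell
# Added example: pre-flight checks around cx-reporting-auth-setup.ps1 (2.0.0+ parameters).
$ScriptPath  = '.\cx-reporting-auth-setup.ps1'  # assumption: extracted into the current folder
$ServiceName = 'CxSystemManager'                # assumption: service name as written on the page

# 1. The page requires an Administrator console.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from a PowerShell console started as Administrator.'
}

# 2. sqlcmd must be on PATH, otherwise the setup script's queries cannot run.
if (-not (Get-Command sqlcmd -ErrorAction SilentlyContinue)) {
    throw 'sqlcmd not found. Install the SqlCmd Utility or SQL Server Management tools first.'
}

# 3. Record what is about to run under a Bypass policy: signature status and SHA-256.
$sig  = Get-AuthenticodeSignature -FilePath $ScriptPath -ErrorAction Stop
$hash = Get-FileHash -Path $ScriptPath -Algorithm SHA256 -ErrorAction Stop
Write-Host "Signature status: $($sig.Status)"
Write-Host "SHA-256:          $($hash.Hash)"
# Compare this hash against a known-good copy of the script before continuing.

# 4. Prompt for the SQL login instead of typing -Password on the command line.
$cred = Get-Credential -Message 'SQL Server login for the CxSAST database'

# 5. Stop the service, run the setup, and always start the service again.
Stop-Service -Name $ServiceName -ErrorAction Stop
try {
    # Process scope: the bypass ends when this PowerShell session closes.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
    $setupArgs = @{
        Verbose          = $true
        Port             = 5555
        PortalPort       = 3000
        BaseAddress      = 'http://localhost'
        InstallationPath = 'C:\Program Files\Checkmarx'
        DatabaseHost     = 'localhost\SQLExpress'   # sample value from the page
        Username         = $cred.UserName
        Password         = $cred.GetNetworkCredential().Password
    }
    & $ScriptPath @setupArgs
}
finally {
    Start-Service -Name $ServiceName
}
```

Because the password is read with Get-Credential, it does not end up in the console's command history; the setup script still receives it as a plain string.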