Checkmarx
- Checkmarx Scan, Checkmarx Scan detailed: XML report from Checkmarx SAST (source code analysis)
- Checkmarx OSA: JSON report from Checkmarx Open Source Analysis (dependencies analysis)
To generate the OSA report using Checkmarx CLI:
./runCxConsole.sh OsaScan -v -CxServer <...> -CxToken <..> -projectName <...> -enableOsa -OsaLocationPath <lib_folder> -OsaJson <output_folder>
That will generate three files, two of which are needed for DefectDojo: CxOSAVulnerabilities.json and CxOSALibraries.json. Combine them into the single file DefectDojo expects with the jq utility (the order matters, vulnerabilities first, then libraries):
jq -s . CxOSAVulnerabilities.json CxOSALibraries.json
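The same merge step done without jq, as an added example that is not part of the DefectDojo documentation or code base: it reproduces what `jq -s .` produces (one JSON array holding the two documents in the order given) and rejects inputs that are not JSON arrays before writing the combined file. The sample records and their field names are constructed for the demo and do not reflect the real Checkmarx OSA schema.

```python
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for the two files the Checkmarx CLI writes.
# Field names are illustrative only, not the real OSA report schema.
SAMPLE_VULNERABILITIES = [
    {"id": "vuln-1", "cveName": "CVE-0000-00000", "severity": "High", "libraryId": "lib-1"},
]
SAMPLE_LIBRARIES = [
    {"id": "lib-1", "name": "example-lib", "version": "1.0.0"},
]


def slurp(paths):
    """Equivalent of `jq -s .`: parse each file and return the documents as one list, in order."""
    return [json.loads(Path(p).read_text(encoding="utf-8")) for p in paths]


def is_valid_osa_report(combined):
    """The merged file must be a two-element array: [vulnerabilities, libraries], each an array."""
    return isinstance(combined, list) and len(combined) == 2 and all(isinstance(d, list) for d in combined)


def build_osa_report(vuln_path, libs_path, out_path):
    """Merge CxOSAVulnerabilities.json and CxOSALibraries.json into the single upload file."""
    combined = slurp([vuln_path, libs_path])
    if not is_valid_osa_report(combined):
        raise ValueError("each input must be a JSON array; order is vulnerabilities, then libraries")
    Path(out_path).write_text(json.dumps(combined, indent=2), encoding="utf-8")
    return combined


def demo(vulns=SAMPLE_VULNERABILITIES, libs=SAMPLE_LIBRARIES):
    """Write the sample inputs to a scratch directory, merge them, and return the merged document."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln_path = Path(tmp) / "CxOSAVulnerabilities.json"
        libs_path = Path(tmp) / "CxOSALibraries.json"
        vuln_path.write_text(json.dumps(vulns), encoding="utf-8")
        libs_path.write_text(json.dumps(libs), encoding="utf-8")
        return build_osa_report(vuln_path, libs_path, Path(tmp) / "checkmarx_osa_combined.json")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```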
Data for SAST, SCA and KICS are supported.
Sample Scan Data
Sample Checkmarx scans can be found here.
Default Deduplication Hashcode Fields
By default, DefectDojo identifies duplicate Findings using these hashcode fields:
- cwe
- severity
- file path