Title here
Summary here
Checkmarx One Scan
Import JSON Checkmarx One scanner reports
Checkmarx One JSON Parser Documentation
Overview
The Checkmarx One parser for DefectDojo supports importing findings from Checkmarx One in JSON format. The parser handles three types of security findings including SAST (Static Application Security Testing), KICS (Kubernetes/Infrastructure as Code Security), and SCA (Software Composition Analysis) scan results, with specialized parsing logic for each type.
Supported File Types
The Checkmarx One parser accepts JSON file format. To generate this file:
- Log in to the Checkmarx One platform
- Navigate to the Results view
- Use the Export option to download findings in JSON format
The parser can handle several variations of the Checkmarx One JSON output format:
- Results in a top-level
resultsarray (primary format) - Results in
vulnerabilitiesarray - Results structured in separate sections (
scanResults,iacScanResults, orscaScanResults)
Standard Format JSON (Main Format)
Total Fields in JSON
- Total data fields in Checkmarx JSON output: 24 core fields per finding (with nested fields)
- Total data fields parsed into DefectDojo finding: 17 fields
- Total data fields NOT parsed: 7 fields (some fields provide context but aren’t directly mapped)
Standard Format Field Mapping Details
| Data Field # | Checkmarx Data Field | DefectDojo Finding Field | Notes |
|---|---|---|---|
| 1 | type | unsaved_tags | Added as a tag identifying the finding type (sast, kics, sca, etc.) |
| 2 | id | unique_id_from_tool | Primary unique identifier for the finding |
| 3 | similarityId | unique_id_from_tool | Used as fallback if id not present |
| 4 | status | - | Used for state determination but not directly mapped |
| 5 | state | active, verified, false_p | Maps Checkmarx states to DefectDojo fields through determine_state function |
| 6 | severity | severity | Converted to title case (e.g., “HIGH” β “High”) |
| 7 | firstFoundAt | date | Used as finding date if USE_FIRST_SEEN setting is True |
| 8 | foundAt | date | Used as finding date if USE_FIRST_SEEN setting is False |
| 9 | description | description, title | Used for both description and title when available |
| 10 | descriptionHTML | - | Not mapped - HTML version of description is ignored |
| 11 | data.queryId | - | Used in KICS findings but not directly mapped |
| 12 | data.queryName | title (partial) | Used as part of the title construction when needed |
| 13 | data.group/category | description (partial) | Added to description for KICS findings with “Category” prefix |
| 14 | data.line | line | Line number in file where vulnerability exists |
| 15 | data.fileName/filename | file_path | Path to the vulnerable file |
| 16 | data.expectedValue | mitigation (partial) | Added to mitigation for KICS findings |
| 17 | data.value | mitigation (partial) | Added to mitigation for KICS findings |
| 18 | data.nodes[].fileName | description (partial) | Used in node snippets for SAST findings |
| 19 | data.nodes[].method | description (partial) | Used in node snippets for SAST findings |
| 20 | data.nodes[].line | description (partial) | Used in node snippets for SAST findings |
| 21 | data.nodes[].code | description (partial) | Used in node snippets for SAST findings |
| 22 | vulnerabilityDetails.cweId | cwe | CWE ID number |
| 23 | vulnerabilityDetails.cvss | - | Not mapped directly |
| 24 | cveId | unsaved_vulnerability_ids | For SCA findings, mapped to vulnerability IDs list |
Field Mapping Details
The parser contains three main methods for parsing different formats of Checkmarx One output:
parse_results: Main entry point for parsing the standard format with a top-levelresultsarrayparse_vulnerabilities: For parsing the format with avulnerabilitiesarrayparse_vulnerabilities_from_scan_list: For parsing formats with separate sections by vulnerability type
Each vulnerability type has specialized parsing logic:
SAST (Static Application Security Testing) -
get_results_sast:- Focuses on code-level vulnerabilities
- Uses file path from the first node
- Tags findings with “sast”
KICS (Kubernetes/IaC Security) -
get_results_kics:- Infrastructure as Code findings
- Extracts filename from data field
- Tags findings with “kics”
SCA (Software Composition Analysis) -
get_results_sca:- Vulnerability in dependencies/packages
- Handles CVE IDs when present
- Tags findings with “sca” or “sca-container”
Special Processing Notes
Status Conversion
- The
determine_statefunction handles state conversion for all finding types - Maps Checkmarx One states to DefectDojo fields:
- “TO_VERIFY”, “PROPOSED_NOT_EXPLOITABLE”, “CONFIRMED”, “URGENT” β active=True
- “NOT_EXPLOITABLE”, “CONFIRMED”, “URGENT” β verified=True
- “NOT_EXPLOITABLE” β false_p=True
- All findings explicitly set duplicate=False and out_of_scope=False
Severity Conversion
- Severity values from Checkmarx One (“HIGH”, “MEDIUM”, “LOW”, etc.) are converted to title case
- The parser takes the severity directly from the Checkmarx One finding and formats it to match DefectDojo’s expected format
- No numerical conversion is performed, as Checkmarx One already provides categorical severity levels
Description Construction
- For SAST findings with nodes:
- Function
get_node_snippetformats code snippets - Includes file name, method name, line number, and code
- Adds node snippets to description with separator
- Function
- For KICS findings:
- Adds category information with “Category” prefix
- Includes issue type information
- Can include link to Checkmarx One for viewing the finding
Date Processing
- Uses a custom
_parse_datemethod to handle multiple date formats - Supports both string dates (parsed with dateutil.parser) and Timestamp objects with “seconds” field
Title Format
- SAST: Uses description text, or queryPath/queryName with underscores replaced by spaces
- KICS: Uses description or severity + queryName with underscores replaced
- SCA: Uses description or severity + queryName with underscores replaced
- When description is missing, title is constructed from severity and query name
Mitigation Construction
- For KICS findings:
- Combines actual and expected values
- Format: “Actual Value: {value}\nExpected Value: {expectedValue}\n”
- For SAST findings:
- Uses general recommendations from CWE information when available
Deduplication
- Uses unique_id_from_tool based on finding “id” or “similarityId” as fallback
- Consistent across all finding types (SAST, KICS, SCA)
- No custom hash calculation is performed
Tags Handling
- Every finding gets tagged with its type
- Tags include: “sast”, “kics”, “sca”, “sca-container”
Common Settings for All Findings
- All findings have static_finding=True
- SCA findings can have unsaved_vulnerability_ids populated with CVE IDs
- SAST findings include CWE information when available
- All findings have explicit settings for active, verified, false_p, duplicate, and out_of_scope
Sample Scan Data
Sample Checkmarx One scans can be found here.