Name of Your Organization:
Checkmarx
Web Site:
https://checkmarx.com/
Compatible Capability:
Checkmarx Static application security testing (SAST)
Capability home page:
https://checkmarx.com/cxsast-source-code-scanning/
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
Checkmarx SAST provides a static application security testing engine, available both as an on-premise application or in the cloud as part of the Checkmarx One application security suite.
As part of the solution, customers can access a user interface and reporting to view and triage all the vulnerabilities found.
Mapping Questions
Map Currency Indication <CR_6.1>
Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):
For all the new and updated versions, Checkmarx use the latest version of CWEs list provided by the Mitre organization.
Map Currency Update Approach <CR_6.2>
Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):
Checkmarx SAST vulnerabilities and related CWE Id are reviewed on every release. Our SAST release cadence includes a new version every 2 calendar months.
MAP CURRENCY UPDATE TIME <CR_6.3>
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CWE content (required):
As part of every Checkmarx SAST release, we provide a full list of new and modified vulnerabilities with each mapped to a CWE. The full list is publicly available at: Checkmarx SAST Resources
Documentation Questions
CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>
Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):
All the CWEs, including which presets map to which CWEs, are described as an external article, available for all customers and public: Checkmarx SAST Resources
The documents can be downloaded as PDF or CSV.
In addition, in the user interface, for each vulnerability available in Checkmarx SAST, complete details and a full explanation is available, including CWE ID.
CWEs information is also available as part of the reporting and through APIs.
DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability’s repository (required):
As part of the Checkmarx SAST application, for each vulnerability the customer can find the complete details and a full explanation, including CWE ID, vulnerability description, risk, possible causes and recommendations on how to remediate the vulnerability:
By clicking on the link, the corresponding page is opened in the mitre.org webpage.
DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS
<CR_5.3>
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository (required):
When analyzing and triaging the SAST scan results, for each vulnerability it is possible to access to complete details, including the CWE identification:
By clicking on the icon (?), all the details regarding the vulnerability are available in a dedicated page:
In addition, users can search for specific CWE identifiers.
When leveraging from Mitre.org, Checkmarx extracts the information contained in the Mitre.org section and adds this to the corresponding Checkmarx webpage.
For example, note that for XSS, http://cwe.mitre.org/data/definitions/79.html is encapsulated within http://{application-url}/CxWebClient/cwe.aspx?cweId=79
DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL
<CR_5.4>
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):
There is no index provided in the current documentation.
Type-Specific Capability Questions
Tool Questions
FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):
Documentation is available at Checkmarx SAST Resources
Each element can be downloaded in PDF or CSV format.
The mapping between queries/vulnerabilities and CWEs are available and viewable according for:
- All covered queries.
- New and updated queries in each version.
- Queries associated with predefined query presets.
The documentation allows to map the CWE to specific vulnerabilities, and the vulnerability can be easily located in the user interface by following the steps described on CR_5.3.
FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):
The generated reports by the Checkmarx Static application security testing groups the results by vulnerability, and for each vulnerability the associated CWE ID is available:
By clicking on the link available in Vulnerability Name, the page having the complete details and a full explanation is displayed:
By clicking on the link, the corresponding page is opened in the mitre.org webpage.
Before generating the report, user can filter all or specific categories including specific CWEs (which are mapped in the documentation Checkmarx SAST Resources):
All the available categories are available in the public documentation: Predefined Presets
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):
Customers can access the list of covered CWE in the public article available at: Checkmarx SAST Resources. Each document can be downloaded in PDF or CSV format.
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the tool is effective at locating in software (recommended):
There is no CCR documentation available.
GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):
Customers can access the list of covered CWE in the public article available at: Checkmarx SAST Resources. Each document can be downloaded in PDF or CSV format.
Service Questions
SERVICE COVERAGE DETERMINATION USING CWE IDENTIFIERS <CR_A.3.1>
Give detailed examples and explanations of the different ways that a user can use CWE identifiers to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
Customers can access the list of covered CWE in the public article available at: Checkmarx SAST Resources. Each document can be downloaded in PDF or CSV format.
The documentation allows to map the CWE to specific vulnerabilities, and the vulnerability can be easily located in the user interface by following the steps:
When analyzing and triaging the SAST scan results, it is possible for each vulnerability to access to complete details, including the CWE:
By clicking in the icon ?, all the details regarding the vulnerability are available in a dedicated page:
By clicking on the link, the corresponding page is opened in the mitre.org webpage.
Reporting files also include CWE Id information for each result:
FINDING CWE IDENTIFIERS IN SERVICE REPORTS USING ELEMENTS <CR_A.3.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CWE identifiers for the individual security elements in the report (required):
When generating the report user can filter all or specific categories for specific CWEs (which are mapped in the documentation Checkmarx SAST Resources):
All the available categories are available in public documentation: Predefined Presets
The generated reports by the Checkmarx Static application security testing groups the results by vulnerability, and for each vulnerability the associated CWE Id is available:
By clicking in the link available in Vulnerability Name, the page having the complete details and a full explanation is displayed:
By clicking on the link, the corresponding page is opened in mitre.org webpage.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the service is effective at locating in software (required):
Customers can access the list of covered CWE in the public article available at: Checkmarx SAST Resources. Each document can be downloaded in PDF or CSV format.
USING CCR TO PROVIDE CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.4>
Give a detailed explanation of how a user can find the Coverage Claim Representation (CCR) XML document with all of the CWE identifiers that the owner claims the service is effective at locating in software (recommended):
There is no CCR documentation available.
Online Capability Questions
FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS <CR_A.4.1>
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):
The documentation allows to map the CWE to specific vulnerabilities, and the vulnerability can be easily located in the user interface.
By login in into the user interface, the customer can find for each vulnerability the complete details and a full explanation, including CWE ID, vulnerability description, risk, possible causes and recommendations on how to remediate the vulnerability:
By clicking on the link, the corresponding page is opened in mitre.org webpage.
Additionally, when leveraging from Mitre.org, Checkmarx extracts the information contained in the Mitre.org section and adds this to the corresponding Checkmarx webpage.
For example, note that for XSS, http://cwe.mitre.org/data/definitions/79.html is encapsulated within http://localhost/CxWebClient/cwe.aspx?cweId=79
FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_A.4.2>
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CWE identifiers for the individual security elements in the report (required):
When generating the report user can filter all or specific categories for specific CWEs (which are mapped in the documentation Checkmarx SAST Resources):
The generated reports by the Checkmarx Static application security testing groups the results by vulnerability, and for each vulnerability the associated CWE Id is available:
By clicking in the link available in Vulnerability Name, the page having the complete details and a full explanation is displayed:
By clicking on the link, the corresponding page is opened in mitre.org webpage.
GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.4.3>
Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the online capability’s repository covers (required):
For each project corresponding to a repository, the user has a list executed scans:
For each scan it is possible to triage and review the results:
By clicking in the icon ?, all the details regarding the vulnerability are available in a dedicated page:
By clicking on the link, the corresponding page is opened in mitre.org webpage.
ONLINE CAPABILITY ELEMENT TO CWE IDENTIFIER MAPPING <CR_A.4.5>
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CWE identifier(s), otherwise enter N/A (required):
N/A
Media Questions
ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):
Documentation is available in at Checkmarx SAST Resources
Each element can be downloaded in PDF or CSV format.
Document is searchable by their full name or CWE identifier number.
ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):
Documentation is available in at Checkmarx SAST Resources
Each element can be downloaded in PDF or CSV format.
The mapping between queries/vulnerabilities and CWEs are available and viewable according for:
- All covered queries.
- New and updated queries in each version.
- Queries associated with predefined query presets.
Graphical User Interface (GUI) Questions
FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI <CR_B.4.1>
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CWE identifier(s) (required):
The documentation allows to map the CWE to specific vulnerabilities, and the vulnerability can be easily located in the user interface.
By logging into the user interface, the customer can find for each vulnerability the complete details and a full explanation, including CWE ID, vulnerability description, risk, possible causes and recommendations on how to remediate the vulnerability:
By clicking on the link, the corresponding page is opened in the mitre.org webpage.
GUI ELEMENT TO CWE IDENTIFIER MAPPING <CR_B.4.2>
Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability’s elements, also describe the format of the mapping (required):
Customers can access the list of covered CWE in the public article available at: Checkmarx SAST Resources. Each document can be downloaded in PDF or CSV format.
Questions for Signature
STATEMENT OF COMPATIBILITY <CR_2.11>
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Shmuel Arvatz
Title: CFO
STATEMENT OF ACCURACY <CR_3.4>
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CWE identifiers our capability reports, and those CWE identifiers are as specific as possible within the available CWE repository."
Name: Shmuel Arvatz
Title: CFO
STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>
FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Shmuel Arvatz
Title: CFO
More information is available — Please edit the custom filter or select a different filter.
|
