QuickStart
CxAnalytix performs read-only operations using the SAST REST APIs to obtain vulnerability data. It is therefore possible to execute CxAnalytix locally (e.g. on your workstation) or on a test system without the need to make any production changes. The requirements to execute a test crawl are:
- Download the latest release binaries
- Install the .Net Core runtime
- Update the configuration with:
  - The URL of your SAST system
  - A username and password that has access to the SAST portal
You can obtain the latest release binaries from the GitHub releases page, where the release builds are published. Unzip the zip package into a directory of your choice.
It is possible to download the installer for the .Net Core runtime, or use the Chocolatey package manager to perform the install:

```
choco install dotnetcore-runtime
```

Note: you may need to reboot after the install.
Microsoft provides detailed documentation explaining how to install the .Net Core runtime on various Linux platforms. If you are not planning on doing any development with the CxAnalytix code, installing the SDK is not required.
Configuration is required before execution. At a minimum, replace the default values for your:
- Checkmarx URL, including the protocol, e.g. `http://localhost`
- username
- password

Configure your environment settings in `dotnet.exe.config`.
See the configuration guide for in-depth configuration documentation.
The CLI will extract vulnerability data from all scans in your Checkmarx instance. While this is a read-only operation, it does consume some resources on the server as the scans are crawled. Performing the first crawl on a production system could cause performance degradation in some cases. It is better to avoid doing this in production without testing first. If you have no system other than a production system, use a single thread to perform scan crawls.
Execute the CLI to perform a crawl with the following command:

```
dotnet CxAnalytixCLI.dll
```
With a default configuration, the application log and the vulnerability data files (which are "just" log files) are located in the `.\logs` directory.
The last export date for each project is tracked in a state file on the file system. With a default configuration, the state file is located at `.\CxAnalytixExportState.json`.
If you run the CLI again it will only look for scans since the last check date for each project recorded in the state file. If the state file is deleted, running the CLI again will perform the entire crawl.
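To make the incremental behaviour above concrete, the following is an added illustration, not CxAnalytix's own code: it assumes a state file laid out as a JSON map of project id to last export timestamp and a simplified scan record shape (both assumptions), and shows why a second run only touches scans newer than the recorded date while a missing state file falls back to crawling everything.

```python
import json
import os
from datetime import datetime

# Constructed sample scans; the record shape is an assumption, not the
# real SAST API payload.
SAMPLE_SCANS = [
    {"project_id": 1, "scan_id": 101, "finished": "2024-01-10T09:00:00+00:00"},
    {"project_id": 1, "scan_id": 102, "finished": "2024-01-20T09:00:00+00:00"},
    {"project_id": 2, "scan_id": 201, "finished": "2024-01-05T09:00:00+00:00"},
    {"project_id": 3, "scan_id": 301, "finished": "2024-01-15T09:00:00+00:00"},
]


def parse_state(raw):
    """Turn {"<project_id>": "<iso timestamp>"} into {int: datetime}."""
    return {int(pid): datetime.fromisoformat(ts) for pid, ts in raw.items()}


def load_state(path):
    """Read the state file; a missing file means 'no history' -> full crawl."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return parse_state(json.load(fh))


def select_scans(scans, state):
    """Keep scans that finished after the project's last export date.

    Projects absent from the state (or an empty state) are crawled in full.
    """
    selected = []
    for scan in scans:
        finished = datetime.fromisoformat(scan["finished"])
        last = state.get(scan["project_id"])
        if last is None or finished > last:
            selected.append(scan)
    return selected


def update_state(state, exported):
    """Advance each project's last export date to its newest exported scan."""
    new_state = dict(state)
    for scan in exported:
        finished = datetime.fromisoformat(scan["finished"])
        current = new_state.get(scan["project_id"])
        if current is None or finished > current:
            new_state[scan["project_id"]] = finished
    return new_state


def save_state(path, state):
    """Persist the state in the assumed JSON layout."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({str(pid): ts.isoformat() for pid, ts in state.items()}, fh)
```

Because an empty or deleted state file turns the next run into a full crawl, treat that file as part of the deployment and back it up before experimenting against a busy SAST server.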