Lab 1: Environment Setup
In this lab, we will focus on configuring our environment using an IDE and the Checkmarx plugin. While Checkmarx supports multiple IDEs, we will be leveraging Eclipse in this lab. Checkmarx has integrated plugins with the following IDEs:
- Eclipse (Currently only Eclipse 2022 is supported)
- Visual Studio
- VS Code
To learn more, check out Checkmarx Integrations with Popular IDEs.
For these labs, we are using a known vulnerable Java project based heavily on EasyBuggy to demonstrate vulnerability detection and remediation capabilities. Note that running this Java application can cause system crashes through memory leaks, deadlocks, JVM crashes, etc. In these labs, we are only using Checkmarx solutions that scan source code, so there is no reason or need to run this project, and it is not recommended to do so. If you do wish to run the project, do so at your own risk; it is HIGHLY recommended that you do so in a sandbox environment (e.g. within a VM).
The first step is to install Eclipse, if you don’t already have it installed.
If you already have Eclipse installed, you can skip this section. When the lab is finished, you can always uninstall or disable the Checkmarx plugin.
- Navigate to https://www.eclipse.org/ide/ to download the Eclipse installer for your operating system.
- Run the installer.
Install the Checkmarx Extension
Once Eclipse is installed, we need to install the Checkmarx IDE extension. The Checkmarx Eclipse Extension is published on the Eclipse Marketplace, and the installation can be started directly from there.
- Open Eclipse.
- Within the Eclipse console, click Help > Eclipse Marketplace…
- In the Find box, enter “Checkmarx” and click Go.
- Click Install for the Checkmarx AST Plugin.
- Click Finish.
- If a security warning is shown, click Select All and then Trust Selected.
- Eclipse will require a restart to complete the installation of the extension.
Configure the Checkmarx Extension
After installing the plugin, you need to configure access to the Checkmarx One server before you can start importing results in your Eclipse IDE.
- In the top menu, click Window > Preferences. (On macOS, click Eclipse > Preferences.)
- In the Preferences window, click Checkmarx AST (or search for Checkmarx AST in the search box). The Checkmarx One Eclipse plugin configuration settings are shown:

| Item | Value |
| --- | --- |
| Checkmarx AST: Api Key | <provided by proctor> |
| Additional Options | <leave blank> |

- Enter the provided API key.
- Click Test Connection to verify that the connection works.
- Click Apply and Close to save settings.
Import the Project into the IDE
The next step is to import the workshop project “TotallySecureApp” into Eclipse.
- In the top menu, click File > Import.
- Select Git > Projects from Git (with smart import).
- Select Clone URI.
- Paste the URI for “TotallySecureApp” https://github.com/cxworkshops/totallysecureapp.git into the URI field and click Next.
- Select the master branch and click Next.
- Choose a destination directory on your local system to store the source code and click Next.
- Click Finish to complete the import process.
Load scan results into the Checkmarx One extension
- In the top menu, click Window > Show View > Other.
- Select Checkmarx > Checkmarx AST Scan from the list to open the Checkmarx AST Scan view and click Open.
- The Checkmarx AST Scan panel will open at the bottom of the Eclipse window.
- Select the TotallySecureApp project and master branch; the latest scan will automatically populate and a results tree will appear. The results tree can be expanded to view results from different AST scanners (e.g., SAST, SCA).
- Group By fields can be added by clicking the three dots on the Checkmarx AST menu. Additional filtering changes can also be made via this menu.
- Individual scan results can be selected, viewed, and updated from the results tree.
- Checkmarx has IDE plugins for all major IDEs.
- The Checkmarx One Eclipse plugin is available within the Eclipse Marketplace. Only Eclipse 2022 is currently supported.
- The Checkmarx One Eclipse plugin can be connected to a Checkmarx One instance by configuring one field (the API Key).
- Checkmarx scan results can be reviewed entirely within the IDE.