Saturday, 27 October 2012

CheckMarx Queries in TeamMentor with some Landing Pages

Here is a pretty cool PoC (still in draft mode) of the integration of TeamMentor (TM) with Checkmarx content

You can see it at (which should only open the CheckMarx_Queries library in your browser)

Here the main features/capabilities:
  • there is a TM Library that holds the CheckMarx's Query's data (created from the data retrieved from this WebMethod)
  • there is a TM Folder per language type  - also mapped to the TM Article's Technology field
  • there is a TM View per query type - also mapped to the TM Article's Phase field
  • the Type field indicates if there is a TeamMentor Landing Page for a particular Query
  • the Category field contains the CWE Id (good to see the cases when the same CWE is applied to multiple queries)
  • The Article html content is made of:
    • IFrame with TM Landing Page content (if there is a TM Landing Page) 
    • IFrame with CWE content (if CWE ID > 0) 
    • Query rule's Metadata
    • Query rule's source (in Checkmarx meta C# language)

Default view:

Viewing a query with no Landing Page

Viewing a Query with a TeamMentor Landing Page

Viewing the Query's Metadata and Source

Article viewer : with the TeamMentor Landing page content, followed by the CWE content

Article viewer (cont) : With the CWE data followed by the Checkmarx Rules's data

Editing the CWE data using the TeamMentor 'Notepad' GUI

Finally, as I also mentioned in the Util - CheckMarx Rule and Guidance Viewer (with C# SAST Rules and CWE data) it is pretty spectacular and powerful that CheckMarx rules are written in C# and are easily consumable and edited (the CxAuditor tool has a REPL-like environment to execute these queries, under an environment where the Checkmarx's engine intermediate objects are exposed and scriptable).

Now if only the other SAST vendors had a similar scripting language/environment :)

Also really cool would be if we could:

  • fire-up a scan directly from one of these query's pages
  • allow the easy fork of a Query (keep the metadata and TM references) in order to customise the query (think git gist)
  • select a query pack based on a criteria and use it on a scan
  • create a similar view based on a security assessment result (i.e. where an TM Article is an Security Finding, that is mapped to a Query, that is mapped to a Landing Page, that is mapped to a CWE ID)