I’m working on the integration of TeamMentor with Checkmarx and needed some control over the data the WebServices return.
The previous version of this integration made direct changes to the Checkmarx content database, but this time around that will not work: for example, Checkmarx maps its guidance to CWE_ID, and we want to map the guidance to Checkmarx’s Query_ID (TeamMentor has technology/application-specific guidance, so we can show an SQL Injection article for Java and a different article for .NET; both have the same CWE_ID but different Query_IDs).
Initially I was going to use PostSharp to add the TM-specific code ‘on top’ of the Checkmarx dlls, but since in effect this would mean modifying the Checkmarx dlls (to insert the PostSharp aspects), I went for a hook on the Http Pipeline instead :)
In order to allow me to develop this script, I added (a slightly modified version of) the O2 WebREPL to a local copy of Checkmarx, so that I can execute C# directly on the server:
Since we are in the same process, we have access to all of Checkmarx’s dlls, for example the main WebServices one:
The example above shows a failed login attempt, and the one below shows a successful one:
Since we have lambda methods in this REPL environment, here is a function to get a valid SessionId:
Which can then be used to fetch a particular CWE_ID description:
The returned style doesn’t work very well with the REPL css, but we can see that the Checkmarx CWE info is there:
This is the same content that is currently retrieved from the execution of:
which looks like this.
So the objective is to have our content (i.e. TeamMentor Guidance) show there.
Scripts used in this post
1) Wrap HTML Post requests
2) Getting data from InputStream (when XML form submission)
3) Dynamic Hook in Global.asax.cs
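The three scripts listed above come together in the pattern below: an IHttpModule that intercepts POSTs to the WebServices, reads the XML body from the InputStream (and rewinds it so the service still gets it), and wraps the response so the CWE description can be replaced. This is an added example, not the post’s own scripts or Checkmarx code; the method name "GetCWEDescription" and the `<CweDescription>` element are placeholders, and the module is assumed to be registered in web.config (system.webServer/modules).

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;

// Example module (not from the post or Checkmarx): hooks the ASP.NET pipeline
// in-process, the same idea as the dynamic hook in Global.asax.cs.
public class GuidanceRewriteModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (ctx.Request.HttpMethod != "POST") return;

            // Peek at the XML form submission, then rewind so the WebService still reads it.
            var input = ctx.Request.InputStream;
            string body = new StreamReader(input, Encoding.UTF8, true, 4096, leaveOpen: true).ReadToEnd();
            input.Position = 0;

            // Placeholder call name: only wrap the response of the CWE-description request.
            if (body.Contains("GetCWEDescription"))
                ctx.Response.Filter = new ReplaceFilter(ctx.Response.Filter,
                    "<CweDescription>", "<CweDescription>[TeamMentor guidance placeholder]");
        };
    }
    public void Dispose() { }
}

// Buffers the whole response, does a string replace, and writes the result on Close().
class ReplaceFilter : Stream
{
    readonly Stream _inner; readonly MemoryStream _buf = new MemoryStream();
    readonly string _from, _to;
    public ReplaceFilter(Stream inner, string from, string to) { _inner = inner; _from = from; _to = to; }
    public override void Write(byte[] b, int off, int n) { _buf.Write(b, off, n); }
    public override void Close()
    {
        string text = Encoding.UTF8.GetString(_buf.ToArray()).Replace(_from, _to);
        byte[] bytes = Encoding.UTF8.GetBytes(text);
        _inner.Write(bytes, 0, bytes.Length); _inner.Close(); base.Close();
    }
    public override bool CanRead => false; public override bool CanSeek => false; public override bool CanWrite => true;
    public override long Length => _buf.Length; public override long Position { get; set; }
    public override void Flush() { }
    public override int Read(byte[] b, int o, int n) => throw new NotSupportedException();
    public override long Seek(long o, SeekOrigin s) => throw new NotSupportedException();
    public override void SetLength(long v) => throw new NotSupportedException();
}
```

Because the filter buffers the complete response before writing, the replacement is safe even when the target string is split across several Write calls.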