GitLab Checkmarx SonarQube Integration
Purpose
In the previous article we saw how to integrate GitLab and Checkmarx. In this article we add SonarQube as well. When we commit code to GitLab, we want GitLab to trigger these actions automatically:
- GitLab sends the code to Checkmarx to scan.
- GitLab triggers a SonarQube scan.
- SonarQube imports the Checkmarx scan results, so the Checkmarx findings appear as SonarQube issues and can be enforced by a SonarQube Quality Gate.
Procedure
You can refer to the official documentation: https://checkmarx.atlassian.net/wiki/spaces/SD/pages/169246832/SonarQube+Plugin+v8.5.0+and+up
- Download the plugin from here; it only supports the SonarQube LTS version (currently 8.x).
- Configure a Quality Gate and Quality Profile in SonarQube that include the Checkmarx rules.
- Use GitLab CI to trigger the Checkmarx scan and record the Checkmarx project name; the plugin resolves the project by this name (the checkmarx.server.project_name setting).
- Configure the Checkmarx connection data (server URL, credentials, project name) in SonarQube, which you can reference here. Keep the SonarQube and Checkmarx credentials out of the repository: the plugin reads the Checkmarx settings from the SonarQube database, and the SonarQube token should be supplied to the job as a masked, protected GitLab CI/CD variable rather than committed in sonar-project.properties.
- Trigger the GitLab CI pipeline again; you should see the following log in your SonarQube job:
INFO: Sensor Import Checkmarx scan results to SonarQube [checkmarx]
INFO: Retrieving Checkmarx scan results for current module [Checkmarx plugin version: 2021.2.1]
INFO: Getting Checkmarx configuration data from sonar Database.
INFO: Resolving Cx setting: checkmarx.server.project_name
INFO: Forced authentication is enabled: Sonar credentials must be provided
INFO: Sonar server token is provided
INFO: Checkmarx credentials migration not needed
INFO: Sonar server token is provided
INFO: Resolving Cx setting: checkmarx.server.project_name
INFO: Forced authentication is enabled: Sonar credentials must be provided
INFO: Checkmarx server version [9.2.0.41015]. Hotfix [24].
INFO: Logging into the Checkmarx service.
INFO: Connecting to https://your.checkmarx.server/
INFO: Initializing Cx client [2020.2.4.NO.SCA]
INFO: Checkmarx server version [9.2.0.41015]. Hotfix [24].
INFO: Logging into the Checkmarx service.
INFO: full team path: \CxServer\\Team1
INFO: preset name: All
INFO: ---------------------------------Get Last CxSAST Results:--------------------------------
INFO: Waiting for server to generate xml report. 4990 seconds left to timeout
INFO: Checkmarx High vulnerabilities: 3
INFO: Checkmarx New-High vulnerabilities: 0
INFO: Checkmarx Medium vulnerabilities: 23
INFO: Checkmarx New-Medium vulnerabilities: 1
INFO: Checkmarx Low vulnerabilities: 142
INFO: Checkmarx New-Low vulnerabilities: 7
INFO: Checkmarx scan link: https://your.checkmarx.server//CxWebClient/ViewerMain.aspx?scanId=1000157&ProjectID=67
- You can see the Checkmarx issues in SonarQube now.
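The summary lines at the end of that log (High, New-High, Medium, ...) are the quickest signal in the pipeline itself that a commit introduced new Checkmarx findings. The script below is an added example, not part of the original post or of the Checkmarx SonarQube plugin: it parses those summary lines out of the SonarQube job log and fails the job when a threshold is exceeded. The log format is taken from the output above; the thresholds (no High or New-High findings, at most one New-Medium) are an assumption standing in for your own policy, and the sample log embedded in the script is a constructed copy of the post's output.

```python
"""Gate a GitLab CI job on the Checkmarx counts the SonarQube plugin logs.

Added example; not part of the original post or the Checkmarx plugin.
Assumes the "INFO: Checkmarx <severity> vulnerabilities: N" log format
shown in the post. The thresholds are an assumed policy, not plugin config.
"""
import re
import sys

# Summary lines as printed by the Checkmarx sensor in the SonarQube job log.
COUNT_RE = re.compile(
    r"INFO: Checkmarx (?P<severity>(?:New-)?(?:High|Medium|Low)) vulnerabilities: (?P<count>\d+)"
)
LINK_RE = re.compile(r"INFO: Checkmarx scan link: (?P<url>\S+)")

# Assumed policy: no High or New-High findings at all, tolerate one new Medium.
DEFAULT_THRESHOLDS = {"High": 0, "New-High": 0, "New-Medium": 1}

# Constructed sample: a copy of the summary lines from the post's job log.
SAMPLE_LOG = """\
INFO: Waiting for server to generate xml report. 4990 seconds left to timeout
INFO: Checkmarx High vulnerabilities: 3
INFO: Checkmarx New-High vulnerabilities: 0
INFO: Checkmarx Medium vulnerabilities: 23
INFO: Checkmarx New-Medium vulnerabilities: 1
INFO: Checkmarx Low vulnerabilities: 142
INFO: Checkmarx New-Low vulnerabilities: 7
INFO: Checkmarx scan link: https://your.checkmarx.server//CxWebClient/ViewerMain.aspx?scanId=1000157&ProjectID=67
"""


def parse_checkmarx_summary(log_text):
    """Return ({severity: count}, scan_link) extracted from the job log."""
    counts = {}
    link = None
    for line in log_text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            counts[m.group("severity")] = int(m.group("count"))
            continue
        m = LINK_RE.search(line)
        if m:
            link = m.group("url")
    return counts, link


def evaluate_gate(counts, thresholds=DEFAULT_THRESHOLDS):
    """Return violations as (severity, count, limit); an empty list means pass.

    A severity the plugin did not report is treated as a violation (count
    None) so a truncated log or a sensor that never ran cannot pass the gate.
    """
    violations = []
    for severity, limit in thresholds.items():
        if severity not in counts:
            violations.append((severity, None, limit))
        elif counts[severity] > limit:
            violations.append((severity, counts[severity], limit))
    return violations


def main(argv):
    """Read the log from argv[1] (or the sample) and return the job exit code."""
    log_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOG
    counts, link = parse_checkmarx_summary(log_text)
    if not counts:
        print("no Checkmarx summary found in log; did the sensor run?")
        return 2
    violations = evaluate_gate(counts)
    for severity, count, limit in violations:
        print(f"FAIL: Checkmarx {severity}: {count} (limit {limit})")
    if link:
        print(f"scan: {link}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the GitLab job, capture the scanner output and run the gate after it, for example `set -o pipefail; sonar-scanner ... | tee sonar.log; python cx_gate.py sonar.log` (without `pipefail`, `tee` would hide a scanner failure). Treat this as a supplementary check: the authoritative control is the SonarQube Quality Gate configured in step 2, which evaluates the imported Checkmarx rules, while this script only ensures the pipeline itself goes red as soon as the sensor reports counts over the agreed limits.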
Problem
I find that some issues are not created in SonarQube; this seems to be because the corresponding rule is not defined in Checkmarx's SonarQube plugin. I'm still checking it.
Posts in this Series
- Run SonarQube on Linux Docker with Mono to scan .NET 4.8 Code
- GitLab SonarQube Integration with .NET
- Use Grafana to Manage SonarQube KPI
- Use Grafana to Manage GitLab CI/CD Pipelines
- Use GitLab to do .NET 4.8 CI/CD
- GitLab Checkmarx CI/CD Integration
- GitLab Checkmarx SonarQube Integration