checkmarx / ast-vscode-extension

The Checkmarx One Visual Studio Code plugin (extension) enables you to import results from a Checkmarx One scan directly into your VS Code console. You can view the vulnerabilities that were identified in your source code and navigate directly to the vulnerable code in the editor.

Home Page: https://marketplace.visualstudio.com/items?itemName=checkmarx.ast-results

License: Apache License 2.0

JavaScript 3.45% CSS 2.27% TypeScript 28.18% PHP 0.09% Hack 60.97% Java 5.04% Shell 0.01%
checkmarx checkmarx-ast security vscode-extension

ast-vscode-extension's People

Contributors

alvoben, andregcx, benalvo1, checkmarx-kobi-hagmi, dependabot[bot], diogopcx, elchananarb, github-actions[bot], hmmachadocx, igorlombacx, jay-nanduri, margaritalm, orshamircm, pedrompflopes, pravingadankush, sarahcx, tamarlevicm, tiagobcx

ast-vscode-extension's Issues

[BUG]

Not able to configure the VS Code extension for Checkmarx.

Getting errors while trying to bind to a project. PFA the screenshot for more details.

Environment

  • Vscode extension version v2.8.0

checkmarx-vscode_err

Kindly check the issue and please let us know for any further details.

[REQ] Start scan for another/new branch

Is your request related to a workflow problem?

  1. Configure the extension with your project and master branch.
  2. Checkout a new branch called new-branch.
  3. Start a new scan from the extension.
  4. You will get this:
    image

Propose a solution

I think we should add an option to create a new scan for the new branch.

[REQ] Allow use of the KICS executable instead of docker

Is your request related to a workflow problem?

I can't have docker installed. Company restrictions.

Propose a solution

I would like to have a configuration that would allow me to specify a binary location for the KICS executable. This would be used instead of defaulting to docker.

[REQ] Extension: allow podman in rootless mode for the KICS scanner.

Is your request related to a workflow problem?

No

Propose a solution

Extension configuration to allow podman in rootless mode for the KICS scanner.

Additional comments

Running in rootless mode is default for most installs of podman, has a better security profile, and does not require docker daemon.

ast-cli-javascript-wrapper issue (Prompt extension)

Describe the bug

I've been having issues with the dependency ast-cli-javascript-wrapper
After I cloned the repo, it could not be installed from the registry (by running npm install), and when I installed it from source, for some reason inside the ast-vscode-extension it still throws errors:
image

Expected behavior

I will be able to build ast-vscode-extension from source

Actual behavior

I can't install the dependency ast-cli-javascript-wrapper from the registry, and after I installed it from GitHub (still version 0.0.85), the code still couldn't run.

Steps to reproduce

  1. Clone the repo
  2. Run npm install
  3. After it does not work install from source
  4. See error

Environment

  • Vscode extension version - source code
  • Platform Mac OS

Additional comments

I encountered this issue while working on integrating Prompt Security's extension into ast-vscode-extension.

[BUG] KICS scanner VS Code integration with SELinux fails

Describe the bug

KICS scanner VS Code integration with SELinux results in the scan failing and an SELinux alert

Expected behavior

Scan should succeed

Actual behavior

KICS scanner VS Code integration with SELinux results in the scan failing and an SELinux alert which suggests a volume (different name each time) is mounted without the context flag (:z|:Z), and thus the scanner is unable to save the result.

Steps to reproduce

  1. Enable plugin on Fedora Linux 37 with SELinux enabled (which is default)
  2. Configure KICS scan to occur
  3. Save file
  4. See error in output terminal
  5. Review output of SELinux Troubleshooter

Environment

  • Vscode extension version: v2.0.13
  • Platform: Fedora Linux 37 with SELinux in enforcing mode

Additional comments

The output suggests a volume (the target object in the SELinux troubleshooting report has a different name each time) is mounted without the context flag (:z|:Z), and thus the scanner is unable to save the result.

Logs

VSCode Terminal Output:

[INFO - 4:14:37 pm] Checkmarx plugin is running
[INFO - 4:14:37 pm] Initializing severity filters
[INFO - 4:14:37 pm] Git Extension - Add branch.
[INFO - 4:14:37 pm] GIT API - Open repository
[INFO - 4:14:38 pm] GIT API - Open repository
[INFO - 4:14:38 pm] Data refreshed and synced with AST platform
[INFO - 4:14:39 pm] Initializing state filters
[INFO - 4:14:39 pm] Initializing group by selections
[INFO - 4:14:39 pm] Filters initialized
[INFO - 4:36:18 pm] Opened a supported file by KICS. Starting KICS scan
[ERROR - 4:36:22 pm] Error: Check container engine state. Failed: exit status 126

[INFO - 4:38:10 pm] File saved updating KICS results
[ERROR - 4:38:14 pm] Error: Check container engine state. Failed: exit status 126

[INFO - 4:39:10 pm] File saved updating KICS results
[ERROR - 4:39:13 pm] Error: Check container engine state. Failed: exit status 126

SELinux troubleshooting message:

SELinux is preventing kics from write access on the directory kics2005771008.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that kics should be allowed write access on the kics2005771008 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kics' --raw | audit2allow -M my-kics
# semodule -X 300 -i my-kics.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c66,c81
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                kics2005771008 [ dir ]
Source                        kics
Source Path                   kics
Port                          <Unknown>
Host                          XXXXX
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.16-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXXXXXX
Platform                      Linux XXXXX 6.0.12-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64
                              x86_64
Alert Count                   1
First Seen                    2022-12-21 18:23:57 AEDT
Last Seen                     2022-12-21 18:23:57 AEDT
Local ID                      XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Raw Audit Messages
type=AVC msg=audit(1671607437.973:2608): avc:  denied  { write } for  pid=623252 comm="kics" name="kics2005771008" dev="tmpfs" ino=50785 scontext=system_u:system_r:container_t:s0:c66,c81 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0


Hash: kics,container_t,user_tmp_t,dir,write
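The raw AVC message in the issue above has the signature of a bind mount that was never relabelled: the source domain is container_t, the target is the host's user_tmp_t, and the denied access is write on a dir. The shell example below is added here and is not code from the extension or from the reporter. It parses such an audit line, flags that pattern, and prints the mount argument that fixes it by relabelling the directory with :Z. This is the least-privilege fix: the audit2allow module that sealert suggests would instead let every container_t process write to every user_tmp_t directory on the host. The host path /tmp/kics2005771008 used in the demo is hypothetical; the scanner creates its own scratch directory.

```shell
#!/bin/sh
# Added example, not part of ast-vscode-extension.
# Parse an SELinux AVC denial and derive the correct volume relabel.

# Print the value of key=value field $2 from AVC line $1 (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# Print the SELinux type (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a denial. "relabel" means a container_t process was denied access
# to a host dir/file whose type is not container_file_t, i.e. the volume was
# bind-mounted without :z/:Z. Anything else is "other" and needs a real look.
classify_avc() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    case "$stype:$ttype:$tclass" in
        container_t:container_file_t:*) echo other ;;
        container_t:*:dir|container_t:*:file) echo relabel ;;
        *) echo other ;;
    esac
}

# Build the corrected bind-mount argument for host dir $1 at container path $2.
# :Z assigns a private MCS label only this container can use; :z would share
# the label across containers. A single-scan scratch dir should be private.
mount_spec() {
    printf '%s %s:%s:Z\n' -v "$1" "$2"
}

# Demo with the raw audit message quoted in the issue above.
AVC='type=AVC msg=audit(1671607437.973:2608): avc:  denied  { write } for  pid=623252 comm="kics" name="kics2005771008" dev="tmpfs" ino=50785 scontext=system_u:system_r:container_t:s0:c66,c81 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0'
echo "process: $(avc_field "$AVC" comm)  target: $(avc_field "$AVC" name)  verdict: $(classify_avc "$AVC")"
# Hypothetical host path; the scanner creates the real scratch directory itself.
echo "use: $(mount_spec "/tmp/$(avc_field "$AVC" name)" /path)"
```

Run it with the audit line from `ausearch -m AVC -c kics --raw`; a verdict of relabel means the fix belongs on the `-v` flag of the docker/podman invocation, not in a custom policy module.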

[BUG] Extension opens/pops up random files out of nowhere

Describe the bug

In my React projects, at random times, the extension is opening a "tsconfig.json" file out of nowhere in VsCode. Sometimes, it opens a "keybindings.json" instead. Some of these files are not even part of my solution Explorer.

image
checkbug1

Expected behavior

No random file should pop up in the IDE without my explicit action to open a file.

Actual behavior

When VsCode starts, or at other times when I'm typing code, wham!!! a random tsconfig.json file pops up in front of me, disrupting my work, and suddenly I'm typing code in this file instead of my solution files; all my logic is gone and it just makes me mad!

Steps to reproduce

  1. Enable extension Checkmarx
  2. Restart VsCode
  3. Work on any react project for some time

Environment

  • Vscode extension version 2.7.0
  • Platform Windows 10 x64

Logs

No Log appears when this bug happens, however this is the log I have:

[INFO - 10:44:41 AM] Checkmarx plugin is running
[INFO - 10:44:41 AM] Initializing severity filters
[INFO - 10:44:41 AM] Initializing group by selections
[INFO - 10:44:41 AM] Data refreshed and synced with Checkmarx One platform
[INFO - 10:44:42 AM] Initializing state filters

[INFO - 10:44:42 AM] Git Extension - Add branch.
[INFO - 10:44:47 AM] Filters initialized
[INFO - 10:44:49 AM] Group by initialized

POC VSCODE

Describe the bug

A clear and concise description of what the bug is.

Expected behavior

A clear and concise description of what you expected to happen.

Actual behavior

A clear and concise description of where the behavior differed from the expected behavior

Steps to reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Environment

  • Vscode extension version
  • Platform (e.g. Windows 10 x64)

Additional comments

Add any other context about the problem here.

Logs

Paste the output from your extension. Redact if needed.

[BUG] Extension fails to parse and show results

Describe the bug

Scan return an error: Error: Please verify if engine is running

Expected behavior

kics is executed without errors and issues are highlighted and results are shown in the output as expected.

Actual behavior

kics seems to be executed correctly (I think, from the message File saved updating KICS results) but only the error is shown in the output, not the actual results.

Steps to reproduce

  1. Install extension
  2. Open terraform file
  3. Save file

Environment

  • Vscode extension version: v2.0.12
  • Platform: MacOS (vscode version output below).
Version: 1.73.1
Commit: 6261075646f055b99068d3688932416f2346dd3b
Date: 2022-11-09T02:22:48.959Z
Electron: 19.0.17
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin arm64 21.6.0
Sandboxed: No

Logs

[INFO - 19:31:20] Checkmarx plugin is running
[INFO - 19:31:20] Initializing severity filters
[INFO - 19:31:20] Data refreshed and synced with AST platform
[INFO - 19:31:20] Git Extension - Add branch.
[INFO - 19:31:20] Initializing state filters
[INFO - 19:31:20] Initializing group by selections
[INFO - 19:31:20] Filters initialized
[INFO - 19:31:26] Opened a supported file by KICS. Starting KICS scan
[ERROR - 19:31:27] Error: Please verify if engine is running

[INFO - 19:31:31] File saved updating KICS results
[ERROR - 19:31:31] Error: Please verify if engine is running

[INFO - 19:33:22] Opened a supported file by KICS. Starting KICS scan
[ERROR - 19:33:22] Error: Please verify if engine is running

[INFO - 19:33:28] File saved updating KICS results
[ERROR - 19:33:28] Error: Please verify if engine is running

[BUG] Single select fields and scan button disabled

Describe the bug

The plugin disables the fields for selecting project, branch and scan several times:

image
image

Expected behavior

I expect to be able to select the project, branch and scan.
We have 70 developers and many are having problems and are unable to perform the view issues or scan from Visual Studio Code.

Actual behavior

I select a project and every time the branch and check fields are disabled.
I've already uninstalled and reinstalled the Checkmarx Plug-in and it didn't help.
In Visual Studio 2022 everything works with the same APIKey.

Steps to reproduce

  1. Go to 'Checkmarx' extension
    image
  2. See error
    image

Environment

image
image
image

  • Platform Windows 11 x64

Additional comments

Add any other context about the problem here.

Logs

[INFO - 9:52:23 AM] Checkmarx plugin is running
[INFO - 9:52:23 AM] Initializing severity filters
[INFO - 9:52:23 AM] Initializing group by selections
[INFO - 9:52:24 AM] Git Extension - Add branch.
[INFO - 9:52:24 AM] GIT API - Open repository
[INFO - 9:52:24 AM] Initializing state filters
[INFO - 9:52:26 AM] Filters initialized
[INFO - 9:52:26 AM] Data refreshed and synced with Checkmarx One platform
[INFO - 9:52:27 AM] Group by initialized

[REQ] Add support for laptop without docker installation

Is your request related to a workflow problem?

We are proposing to integrate the IDE scanning into our current process, but due to some company restrictions we cannot install docker on employee laptops

Propose a solution

Is there another way for us to execute the scanning without docker? for example, scanning IaC template using Go and display the result in IDE

Additional comments

I would greatly appreciate any reply you can give me. I understand it is a big ask

Also wondering if we go with paid Checkmarx One, will the docker installation still be mandatory?

[BUG] "error reading file"

Describe the bug

The extension does not seem able to read any of my files.

Expected behavior

When I open a supported file type (i.e. Dockerfile or a .tf file), or trigger the scan manually as documented here, the KICS scan should run and the results should be displayed as described here.

Actual behavior

There is no visible result in the editor. Selecting the Output view shows this

[INFO - 9:00:50 AM] Checkmarx plugin is running
[INFO - 9:00:50 AM] Initializing severity filters
[WARN - 9:00:50 AM] Git extension - Could not find vscode.git installed.
[INFO - 9:00:50 AM] Data refreshed and synced with AST platform
[INFO - 9:00:51 AM] Initializing state filters
[INFO - 9:00:51 AM] Initializing group by selections
[INFO - 9:00:51 AM] Filters initialized
[INFO - 9:05:19 AM] Opened a supported file by KICS. Starting KICS scan
[ERROR - 9:05:26 AM] Error: Creating directory
 Error reading file

[INFO - 9:08:26 AM] Opened a supported file by KICS. Starting KICS scan
[ERROR - 9:08:36 AM] Error:  Error reading file

[INFO - 9:09:21 AM] Opened a supported file by KICS. Starting KICS scan
[ERROR - 9:09:24 AM] Error:  Error reading file

[INFO - 9:12:09 AM] Opened a supported file by KICS. Starting KICS scan
[INFO - 9:12:13 AM] File saved updating KICS results
[ERROR - 9:12:14 AM] Error:  Error reading file

[ERROR - 9:12:14 AM] Error:  Error reading file

[INFO - 9:12:40 AM] File saved updating KICS results
[ERROR - 9:12:40 AM] Error:  Error reading file

[INFO - 9:15:22 AM] Opened a supported file by KICS. Starting KICS scan
[ERROR - 9:15:27 AM] Error:  Error reading file

[ERROR - 9:18:52 AM] Error:  Error reading file

[INFO - 9:19:37 AM] Opened a supported file by KICS. Starting KICS scan
[ERROR - 9:19:41 AM] Error:  Error reading file

Steps to reproduce

  1. Installed extension
  2. Opened a tf file
  3. Look at Output view
  4. Trigger manual scan from command palette
  5. Look at Output view
  6. repeat 2 & 3 with a Dockerfile

Environment

  • Name: Checkmarx
    Id: checkmarx.ast-results
    Description: Beat vulnerabilities with more-secure code
    Version: 2.0.13
    Publisher: Checkmarx
    VS Marketplace Link: https://marketplace.visualstudio.com/items?itemName=checkmarx.ast-results
  • Version: 1.76.1 (user setup)
    Commit: 5e805b79fcb6ba4c2d23712967df89a089da575b
    Date: 2023-03-08T16:32:00.131Z
    Electron: 19.1.11
    Chromium: 102.0.5005.196
    Node.js: 16.14.2
    V8: 10.2.154.26-electron.0
    OS: Windows_NT x64 10.0.19044
    Sandboxed: Yes
  • I am using the Remote WSL plugin to run in Ubuntu 20.04.5, with Docker Engine Community v20.10.23

[BUG]

Describe the bug

Documentation link in vscode extension does not link to correct URL

Expected behavior

To open valid page in checkmarx site

Actual behavior

Links to here: https://checkmarx.com/resource/documents/en/34965-68742-checkmarx-vs-code-extension--plugin-.html
which returns a 404

Steps to reproduce

  1. Open Checkmarx extension
  2. Go to 'Documentation & Feedback'
  3. Click on 'Documentation'
  4. See error in browser

Environment

  • Vscode extension version
  • Platform (e.g. Windows 10 x64)

Additional comments

None

[BUG]

Describe the bug

A clear and concise description of what the bug is.

Expected behavior

clicking on the Documentation within CX1 VSCode plugin to direct me to VSCode documentation page for Checkmarx One. https://checkmarx.com/resource/documents/en/34965-68742-checkmarx-one-vs-code-extension--plugin-.html

Actual behavior

I am being directed to a CxSAST VSCode documentation instead.
(https://checkmarx.com/resource/documents/en/34965-8128-visual-studio-code-extension-plugin.html)

Steps to reproduce

  1. Go to VSCode Cx1 plugin
  2. Click on DOCUMENTATION & FEEDBACK
  3. Click on Documentation
  4. It opens CxSAST VSCode plugin documentation

Environment

  • Vscode extension version
  • Platform Mac M2

Additional comments

Add any other context about the problem here.

Logs

Paste the output from your extension. Redact if needed.

Reporting a vulnerability

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

[REQ] Automatically select the current repo and branch if exist in Checkmarx One

Is your request related to a workflow problem?

When you first initialize the extension in a new VSCode workspace, you need to select a project and branch from Checkmarx One.

Now, I think the idea of the extension is not just to be a general viewer for Checkmarx One, but to show the relevant results from Checkmarx One for your current work.

Propose a solution

When the extension is initialized, fetch the list of projects from Checkmarx One and look for a project configured for the current local git repo (I mean, the remote of the local repo).

After that, if one is found, set the current branch automatically, or the default branch if the current one does not exist.
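The matching the request above proposes hinges on one detail it leaves implicit: the same repository is cloned through several URL styles (scp-style git@host:owner/repo.git, https with or without a token, ssh:// with a port, mixed case), so the remote has to be normalised before it can be compared with what Checkmarx One knows about a project. The shell example below is added here and is not the extension's code; it shows that normalisation, the project lookup, and the branch fallback the request describes. The project list and branch names are constructed sample data, and the tab-separated "name<TAB>url" format for projects is an assumption, not the Checkmarx One API shape.

```shell
#!/bin/sh
# Added example, not part of ast-vscode-extension.
# Normalise a git remote and use it to pick a project and branch.

# Normalise a git remote URL to "host/owner/repo": lowercase, no scheme, no
# user@ prefix, no :port, no trailing slash or .git suffix.
repo_key() {
    url=$1
    case "$url" in
        *://*)
            rest=${url#*://}                                            # drop scheme
            rest=${rest#*@}                                             # drop user@ (token in https URLs)
            rest=$(printf '%s\n' "$rest" | sed 's/^\([^/]*\):[0-9]*\//\1\//')  # drop :port
            ;;
        *@*:*)
            rest=$(printf '%s\n' "$url" | sed 's/^[^@]*@//; s/:/\//')   # scp-style git@host:owner/repo
            ;;
        *)
            rest=$url
            ;;
    esac
    rest=${rest%/}
    rest=${rest%.git}
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# $1 = repo key, $2 = newline-separated "name<TAB>url" project list (assumed
# format). Prints the first project whose URL normalises to the same key;
# prints nothing and returns 1 when none matches, so the caller can fall back
# to the manual project picker instead of guessing.
find_project() {
    key=$1
    printf '%s\n' "$2" | {
        while IFS="$(printf '\t')" read -r name url; do
            [ -n "$url" ] || continue
            if [ "$(repo_key "$url")" = "$key" ]; then
                printf '%s\n' "$name"
                exit 0
            fi
        done
        exit 1
    }
}

# $1 = current local branch, $2 = project default branch, $3 = newline-separated
# list of branches Checkmarx One has scans for. Uses the current branch only if
# it has been scanned, otherwise the default branch.
pick_branch() {
    if printf '%s\n' "$3" | grep -qxF -- "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Demo with constructed data (real code would read `git remote get-url origin`
# and `git rev-parse --abbrev-ref HEAD`).
PROJECTS=$(printf 'payments-api\thttps://github.com/acme/payments-api.git\nweb-frontend\tgit@github.com:Acme/Web-Frontend.git\n')
KEY=$(repo_key 'ssh://git@github.com:22/acme/web-frontend.git')
echo "key: $KEY  project: $(find_project "$KEY" "$PROJECTS" || echo '<none, ask user>')"
echo "branch: $(pick_branch feature/login main "$(printf 'main\ndevelop\n')")"
```

The fallback matters for security review as much as convenience: silently loading results for a different project than the one checked out would hide findings, so an unmatched remote should surface the picker rather than a best-effort guess.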

[REQ] Offer extension through the Open VSX registry

Is your request related to a workflow problem?

Currently, only base Visual Studio Code can install extensions from Checkmarx through the Microsoft extension registry. Forks (such as VSCodium) are prohibited from using the Microsoft marketplace (see microsoft/vscode#31168) and so make use of an open registry alternative.

Propose a solution

To support other VSC-based editors, the extension should be published to Open VSX (https://open-vsx.org/).

Additional comments

People are able to manually install the extensions by downloading the individual VSIX packages, but that's not as nice as having in-editor support. I imagine if you were to offer this extension via Open VSX it wouldn't come with the same level of support as VSCode's extension because who knows what forks are doing in their code.

[REQ] Disable verbose output upon loading VS Code

Is your request related to a workflow problem?

Whenever a new window of VS Code is opened, I'd expect the Terminal tab to be selected by default. However since installing Checkmarx the Output tab is displayed providing me information about the loading of the plugin, which I shouldn't care about as long as no errors are occurring. This means I always have to switch back to Terminal view.

[INFO - 14:52:15] Checkmarx plugin is running
[INFO - 14:52:15] Initializing severity filters
[INFO - 14:52:15] Initializing group by selections
[INFO - 14:52:15] Data refreshed and synced with Checkmarx One platform

Propose a solution

Provide an option to disable printing to Output unless critical (and potentially make this a default). No other extensions do this, so I'm unsure why Checkmarx has to :)

Additional comments

N/A
