Use of Checkmarx

Hi All,

Our security team wants to check our webMethods code for vulnerabilities and for general security standards followed/not followed, using CheckMarx. At a very high level I have understood that we need our code in some repository like GitLab to begin with. But the challenge is that we need to do it using CheckMarx, which doesn't list anything like the webMethods flow language explicitly.

As, eventually, we save everything as XML on disk, can we achieve the vulnerability test?

https://checkmarx.atlassian.net/wiki/spaces/KC/pages/1269825578/8.9.0+Supported+Code+Languages+and+Frameworks

If anybody has ever used it, can you please help us with the process and best practices around it?

Will add more after working sessions with concerned teams.

Regards,

Sanket

Hi Sanket,

This is a really complex task, as the flow language uses a very special custom XML format consisting of two parts:
node.ndf and flow.xml

The Java services will be difficult to check as well, as they consist of different parts stored in different files, i.e. node.idf, node.ndf and java.frag, before they get combined into one *.java file.

When checking adapter services this is not easy either, as there is an entry in the node.ndf XML file which is Base64 encoded and needs to be decoded before checking its XML structure.

Regards,
Holger

Thanks a lot Holger for your quick response!

So just wondering, in that case, to achieve the same objective as mentioned in my original question, do we have any in-house tool from SAG or any other tool to scan for such vulnerabilities, as it would be mandatory for certain compliance in our organization?

Regards,

Sanket

I would suggest talking to your SAG account manager/presales to find out if there is something similar to what you're requesting as a customized solution on the professional services side.

webMethods is not compatible with Checkmarx.


Thanks for your response!

I have seen the link of supported languages I provided in the original question, but was just wondering, as everything is ultimately saved as XML and other kinds of files, whether we can try any tool.

As of now it doesn't seem to be a very encouraging option.

Regards,

Sanket

Hi Sanket,

As I already tried to point out earlier in this thread, there are different XML formats used by webMethods to represent the nodes and their implementations, depending on the node type.
So it will be difficult to create a grammar for CheckMarx to check against.

You will have to differentiate between flow service, java service, adapter based service, document type, document schema, web service descriptor etc.

Regards,
Holger

Oh yeah Holger!

So raising a case with Software AG seems to be the only case here, isn't it?

Regards,
Sanket

Hi Sanket,

Might be worth a try.

Additionally you can open a feature request at Brainstorm.

Regards,
Holger