Our security team wants to check our webMethods code for vulnerabilities and general standards followed/not followed for security using CheckMarx. At very high level I have understood that we need our code in some repository like GitLab to begin with. But the challenge is that we need to do it using CheckMarx which doesn’t enlist anything like webMethods flow language explicitly.
As, eventually, we save everything as XML in disc can we achieve the vulnerability test?
This is a really complex task, as the flow language uses a very special custom XML format consisting of two parts:
node.ndf and flow.xml
The Java services will be difficult to check as well, as they consist of different parts stored in different files, i.e. node.idf, node.ndf and java.frag, before they get combined into one *.java file.
When checking adapter services, this is not easy either, as there is an entry in the node.ndf XML file which is Base64-encoded and needs to be decoded before its XML structure can be checked.
So, just wondering: in that case, to achieve the same objective as mentioned in my original question, do we have any in-house tool from SAG, or any other tool, to scan for such vulnerabilities, as it would be mandatory for certain compliance in our organization?
I would suggest talking to your SAG account manager/presales to find out if there is something similar to what you’re requesting as a customized solution on the professional services side.
I see the link of supported languages I provided in the original question, but was just wondering whether, as everything is ultimately saved as XML and other kinds of files, we can try any tool.
As of now, it doesn’t seem to be a very encouraging option.
As I already tried to point out earlier in this thread, there are different XML formats used by webMethods to represent the nodes and their implementations, depending on the node type.
So it will be difficult to create a grammar for CheckMarx to check against.
You will have to differentiate between flow service, java service, adapter based service, document type, document schema, web service descriptor etc.
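The two replies above describe the practical obstacle: nodes live in different files (node.ndf plus flow.xml, or node.idf and java.frag, with adapter definitions Base64-encoded inside node.ndf), and a scanner sees none of that as source it understands. An added example of the pre-processing step that bridges the gap, written for this thread and not code from Software AG, Checkmarx or any poster: it walks a package directory, reads the node type from node.ndf, hands flow.xml through unchanged, joins node.idf and java.frag into one .java file a Java-capable scanner can parse, and decodes every Base64 value that turns out to be well-formed XML. The IData-style `<Values><value name="...">` shape of node.ndf, the key names `node_type`, `svc_type` and `node_nsName`, the adapter key `adapterDef` and all sample file contents are constructed assumptions for the demo and may differ from real packages.

```python
# Added example, not code from the thread, Software AG or Checkmarx. Assumed
# (constructed) layout: node.ndf is IData-style XML <Values><value name="..">;
# the keys node_type/svc_type/node_nsName, the adapter key 'adapterDef' and all
# sample file contents are made up for this demo.
import base64
import binascii
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def read_values(ndf_path):
    """Return the <value name="..."> entries of a node.ndf as a dict."""
    root = ET.parse(ndf_path).getroot()
    return {v.get("name"): (v.text or "").strip() for v in root.iter("value")}

def decode_xml_payloads(values):
    """{name: xml_text} for values that are Base64 and decode to well-formed
    XML, i.e. the encoded adapter definition the thread mentions."""
    found = {}
    for name, text in values.items():
        try:
            raw = base64.b64decode("".join(text.split()), validate=True)
            ET.fromstring(raw)  # keep only payloads that really are XML
        except (binascii.Error, ET.ParseError, ValueError):
            continue
        found[name] = raw.decode("utf-8", errors="replace")
    return found

def classify(values):
    """Coarse node kind from the (assumed) node_type / svc_type keys."""
    node_type, svc = values.get("node_type", ""), values.get("svc_type", "")
    if node_type == "service" and svc in ("java", "flow"):
        return svc
    if node_type == "service" and svc.lower().startswith("adapter"):
        return "adapter"
    return node_type or "unknown"

def _write(path, text):
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text, encoding="utf-8")

def assemble_java(node_dir, class_name):
    """Join node.idf (assumed: imports) and java.frag (assumed: method source)
    into one unit a Java scanner can parse."""
    header = Path(node_dir, "node.idf").read_text(encoding="utf-8").strip()
    body = Path(node_dir, "java.frag").read_text(encoding="utf-8").strip()
    return f"{header}\n\npublic final class {class_name} {{\n{body}\n}}\n"

def inventory(package_dir, out_dir):
    """Classify every node and write scanner-ready artefacts into out_dir."""
    records = []
    for dirpath, _dirs, files in os.walk(package_dir):
        if "node.ndf" not in files:
            continue
        values = read_values(os.path.join(dirpath, "node.ndf"))
        name = values.get("node_nsName", os.path.basename(dirpath))
        safe = re.sub(r"\W", "_", name)  # file-system safe namespace name
        rec = {"name": name, "kind": classify(values), "artifacts": []}
        if rec["kind"] == "flow" and "flow.xml" in files:
            rec["artifacts"].append(os.path.join(dirpath, "flow.xml"))
        elif rec["kind"] == "java" and {"node.idf", "java.frag"} <= set(files):
            out = os.path.join(out_dir, safe + ".java")
            _write(out, assemble_java(dirpath, safe))
            rec["artifacts"].append(out)
        for key, xml_text in decode_xml_payloads(values).items():
            out = os.path.join(out_dir, f"{safe}.{key}.xml")
            _write(out, xml_text)
            rec["artifacts"].append(out)
        records.append(rec)
    return sorted(records, key=lambda r: r["name"])

def build_sample_package(root):
    """Constructed three-node package: one flow, one Java and one adapter service."""
    def node(folder, extra, **vals):
        d = os.path.join(root, "ns", "demo", folder)
        body = "".join(f'  <value name="{k}">{v}</value>\n' for k, v in vals.items())
        _write(os.path.join(d, "node.ndf"), f'<Values version="2.0">\n{body}</Values>\n')
        for fname, text in extra.items():
            _write(os.path.join(d, fname), text)
    node("lookupUser", {"flow.xml": '<FLOW><INVOKE SERVICE="pub.string:concat"/></FLOW>\n'},
         node_type="service", svc_type="flow", node_nsName="demo:lookupUser")
    # java.frag holds a string-built query, the kind of thing a SAST tool can only
    # flag once the fragments have been joined into real Java source
    node("runQuery", {"node.idf": "import java.sql.*;\n",
                      "java.frag": '  static String q(String id) { return "SELECT * FROM t WHERE id=" + id; }\n'},
         node_type="service", svc_type="java", node_nsName="demo:runQuery")
    blob = base64.b64encode(b"<adapterService><sql>SELECT 1</sql></adapterService>").decode()
    node("jdbcSelect", {}, node_type="service", svc_type="AdapterService",
         node_nsName="demo:jdbcSelect", adapterDef=blob)

def run_demo():
    """Build the sample package, inventory it and return records with file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(os.path.join(tmp, "DemoPkg"))
        recs = inventory(os.path.join(tmp, "DemoPkg"), os.path.join(tmp, "scan-input"))
        for r in recs:  # read back before the temp dir disappears
            r["contents"] = [Path(p).read_text(encoding="utf-8") for p in r["artifacts"]]
        return recs
```

Run `run_demo()` to see the three records; against a real package, call `inventory(<package dir>, <output dir>)` and point the scanner at the output directory. The assembled .java files are the part a general-purpose SAST tool can actually analyse; flow.xml and the decoded adapter XML still need custom rules, which is the point the last reply makes about needing a grammar per node type.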