Checkmarx SAST 9.5 for Windows - Source Code Scanning (Static Application Security Testing)

Posted by sysin on 2022-10-30
Updated: Sun Oct 30 2022 09:59:50 GMT+0800

Please visit the original link (Checkmarx SAST 9.5 for Windows - Source Code Scanning (Static Application Security Testing)) for the latest version. Original work; please keep the source when reposting.

Author homepage: sysin.org


The world runs on code. We keep code secure.

CHECKMARX provides the most comprehensive application security management platform for modern application development

Products

  • Source code scanning – Checkmarx SAST
  • Open source scanning – Checkmarx SCA
  • Secure coding training – Checkmarx CodeBashing
  • Interactive code scanning – Checkmarx IAST
  • Software security management platform
  • Open source: infrastructure-as-code project – Checkmarx KICS

Learn why our customers love us

Trusted by more than 1,800 customers, and that number keeps growing.

By weaving security seamlessly into the workflow, Checkmarx customers save critical development time. More than 40 Fortune 100 companies and half of the Fortune 50 already use Checkmarx, and we count many well-known brands among our customers.

Learn more

EXPLORE CHECKMARX ONE

CHECKMARX ONE CAPABILITIES: a platform built on a great deal of innovation

Whether used on their own or as part of the Checkmarx application security management platform, our solutions meet the needs of every stage of your software development lifecycle

Static Application Security Testing (SAST)

SAST identifies vulnerabilities during software development by scanning application source code, and helps you prioritize security issues and fix them quickly.

Note: Checkmarx Fusion, API Security and DAST are currently offered with limited functionality (LA).

If your organization develops its own software, we understand the security challenges you face

Developers

Integrate security testing seamlessly into your pipeline and automate it, without slowing you down

Learn more

APPSEC

Provides the solutions, support and guidance you need to make AppSec part of your team's DNA.

Learn how

Leadership

Release on schedule, without compromise. Maximize productivity, security and ROI

Let's talk

Go with the leader in application security testing

Velocity amid complexity

Deliver more secure code

Built by developers for developers, our platform gives you fast, accurate scans, integrates easily with the tools you use every day, and provides remediation guidance to help you deliver on time.

Seamless security coverage

APPSEC for modern applications

The Checkmarx One AST platform and our standalone solutions deliver the automation, results and accuracy you need to secure your code while speeding up deployment.

Flexible deployment options

Built on expert know-how

Backed by our industry-leading research, software development expertise and deep security know-how, our AppSec testing solutions help you transform digitally at speed, whether deployed on-premises or in the cloud.

Source code scanning – Checkmarx SAST

Secure your code at the source

With CxSAST you can run fast, accurate incremental or full scans whenever you need them. Rely on our industry-leading SAST solution for the flexibility, accuracy and coverage you need, with rule sets that fully protect your most critical code.

Sign up and request a demo

Embed security automation in your development process. Handle the most complex programming environments seamlessly

Tackle complexity

  • Flexibility at your fingertips

Easily scale security testing and run scans flexibly anytime and anywhere, with support for more than 25 languages and frameworks, making security part of your development lifecycle, all within the tools you already use.

Need some flexibility? Yes, please!

ACCURACY AT THE SPEED OF DEVOPS

  • Results you can truly trust

Get the accuracy you need to fix problems fast, with fewer false positives and false alarms. Our technology and experts help you find the most critical vulnerabilities in your CI/CD process.

Wait, fewer false positives?

Reduce risk sensibly

  • Remediation always within reach

Customizable query rules, actionable recommendations and a simple web interface make tracking your application risk easy. With our "Best Fix Location" feature you can pinpoint exactly where a defect is and how to fix it quickly.

I like this deep-analysis feature

We can meet any of your needs

Our products come with expert services to ensure you realize the maximum value of your security investment in the shortest time. Learn more about our global services.

Can I get the accompanying services?

Since launching CxSAST we have led the industry through technology, innovation and unmatched customer value

Fits your development lifecycle

Integrates easily with your code base and automates, without slowing you down. Watch the GitLab integration demo

System Requirements

Server Host Requirements (v9.5.0)

Server host requirements depend on whether the installation is Centralized or Distributed, and on how many lines of code will need to be scanned. These requirements are also applicable for CxAudit.

For Proof of Concept (POC), Microsoft SQL Express (pre-installed with CxSAST) can be used. For Production, we recommend using a commercial version of Microsoft SQL Server. Choose a version that supports your scalability and performance needs. For more details about features supported by the different editions of SQL Server, please use the following link.

In addition to the requirements in the table below, CPU clock speed and disk speed will in general affect scan time. For exact tested versions, see the CxSAST Release Notes.

Columns of the original table: Purpose, Lines of Code, Installed RAM**, Cores, CPU Speed, Disk, OS, Web Server, Other Software.

Centralized (POC)
  • Lines of code / installed RAM: 200K: 8 GB; 500K: 16 GB
  • Cores: 6-8
  • CPU speed: 2.8 GHz
  • Disk: 80 GB (recommended)
  • OS: see Supported Components and Operating Systems
  • Web server: IIS 7/7.5/8/8.5/10

Other Software
  • Windows Installer 3.1 or above (run msiexec to check)
  • .NET Framework 4.7.1
  • An environment (either Centralized or Distributed) where CxManager and CxEngine are on the same server requires .NET Core 6.x Runtime & Hosting installed on the server. For a Distributed environment where the CxManager is on one server and the CxEngines are on dedicated servers, the CxEngine servers require .NET Core 6.x (this mainly concerns Windows CxEngines and bare-metal Linux CxEngines, because Linux CxEngines using Docker are already set up).
  • Java 1.17 (Oracle or AdoptOpenJdk)
  • C++ Redist 2010 and 2015 SP3
  • MS SQL Driver
  • ActiveMQ 5.17.1
  (info) For specific details on required prerequisites per product component, see Required Prerequisites for Installing CxSAST in a Distributed Environment.

Centralized (Production)
  • Lines of code / installed RAM: 200K: 10 GB; 600K: 16 GB; 1.2M: 24 GB; 2M: 40 GB; 3M: 56 GB; 4M: 72 GB
  • Cores: minimum 8 for 1 concurrent scan; additional 2 cores for each additional concurrent scan, up to a maximum of 12 cores (recommended: 4, 6, or 8 cores). Max recommended concurrent scans: 3**
  • CPU speed: 2.8 GHz
  • Disk: 250 GB (recommended)
  • Web server: IIS 7/7.5/8/8.5/10
  ** Scans of 1M LOC or more are recommended to limit concurrency or run on their own distributed server.

Distributed - CxEngine (Production)
  For multiple CxEngine servers (for concurrent scans), each server should meet the requirements.
  • Lines of code / installed RAM: 200K: 6 GB; 600K: 12 GB; 1.2M: 20 GB; 2M: 32 GB; 3M: 48 GB; 4.5M: 72 GB
  • Cores: 4 (for 1 concurrent scan); additional 2 cores for each additional concurrent scan (recommended: 4, 6, or 8 cores). Recommended socket configuration: single socket
  • CPU speed: recommended 2.8 GHz
  • Disk: 100 GB (recommended)
  • Web server: NA

Distributed - CxManager with Management & Orchestration Layer (Production)
  • Installed RAM: 14 GB; Cores: 8; CPU speed: 2.5 GHz; Disk: 250 GB (recommended); Web server: IIS 7/7.5/8/8.5/10

Distributed - CxManager without Management & Orchestration Layer (Production), or Web Portal (a part of CxManager)
  • Installed RAM: 10 GB; Cores: 4; CPU speed: 2.5 GHz; Disk: 250 GB (recommended); Web server: IIS 7/7.5/8/8.5/10

Distributed - ActiveMQ (Production)
  • Installed RAM: 8 GB; Cores: 4; CPU speed: 2.5 GHz; Disk: 250 GB (recommended); Web server: Apache Tomcat 8.5.81

Distributed - Database (Production)
  • Installed RAM: 12 GB; Cores: 6-8; CPU speed: 2.5 GHz; Disk: 350-400 GB (recommended); Web server: NA
  • Other software: MS SQL Server (Express not recommended) 2012/2014/2016/2017/2019; MSSQL 2019 is supported on CxSAST 9.3 and up

** Note: GB RAM / LOC numbers for JavaScript are higher.

As of CxSAST 9.3 the engine can be installed on a Linux machine. For more details please refer to: Installing and Configuring the CxEngine Server on Linux

The Checkmarx Server requires dedicated memory allocation; features such as Memory Ballooning cannot be used.

Cloud Environments

For Cloud Environment installations (AWS, etc.), these requirements may not exactly match the ones for Centralized or Distributed installations because you are choosing from predefined hardware packages and not defining your own specifications.

Engine Socket configuration

To learn more about socket configuration, use our Engine Socket Configuration guide

DB Latency

Acceptable latency per component:

  • Network, <5ms (ideally <1ms): CxManager(s), SQL Server(s), ActiveMQ
  • Network, <30ms: CxEngines
  • Disk I/O, <20ms avg: CxManager, CxEngine, SQL Server, ActiveMQ

Supported Components and Operating Systems (9.5.0)

The following operating systems have been tested with CxSAST and CxOSA for v9.5.0:

Operating Systems CxSAST Engine CxSAST CxOSA Access Control Management & Orchestration
Windows (64-bit) 10 ✔️ ✔️
Windows (64-bit) 11 ✔️ ✔️
Windows Server 2008R2 ✔️ ✔️
Windows Server 2012 ✔️ ✔️
Windows Server 2012R2 ✔️ ✔️
Windows Server 2016 ✔️ ✔️
Windows Server 2019 ✔️ ✔️
Windows Server 2022 ✔️ ✔️
Linux CentOS 7 ✔️
Linux CentOS 8 ✔️
Linux Ubuntu 18.04 ✔️
Linux Ubuntu 20.04 ✔️
Linux RedHat 8.3 ✔️
Linux Fedora 33 ✔️
Linux Fedora 34 ✔️
Java Version CxSAST CxOSA Access Control Management & Orchestration
Java 17 ✔️ ✔️ ✔️

Note: If SAST 9.5 is uninstalled and SAST 9.4 is reinstalled, it is necessary to manually downgrade Java back to version 8, because 9.4 is not compatible with Java 17 (even though the 9.4 installation wizard indicates that it completed successfully).

Frameworks CxSAST CxOSA Access Control Management & Orchestration
Microsoft .NET Core 6.0.5 Runtime & Hosting ✔️
WebServer CxSAST CxOSA Access Control Management & Orchestration
IIS 7.5-10 ✔️

Supported Browsers

The following browsers have been tested with CxSAST / CxOSA v9.0.0 and Codebashing v3.2.0

Browsers CxSAST CxOSA Access Control Management & Orchestration Codebashing
Chrome Latest Latest
Edge Latest Latest
Safari Latest Latest
Firefox Latest Latest

‘Latest’ is defined by the browser vendors. Check with the respective browser vendor for the latest version available.

If you are using Chrome version 80 - please refer to the following page.

Accessing the Web Portal from the SAST Server in Chrome

In a default all-in-one setup, the web portal could be directly accessed from the SAST server via http://localhost:80/CxWebClient by clicking a shortcut icon.

If a user clicks this shortcut icon in an attempt to access the web portal, the authentication request is issued to Access Control, usually by using a fully qualified domain name (FQDN), for example:

http://user-laptop.dm.cx/

Localhost and the FQDN are treated as different domains, although the web portal and Access Control reside on the same host. Since Chrome (version 80 and higher) changed how it handles cookies, using HTTP no longer allows switching between product components and prevents the authentication process from completing successfully, which affects SAST applications, as outlined below.
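The cookie change behind this is Chrome 80 treating a cookie with no SameSite attribute as SameSite=Lax and rejecting SameSite=None unless the cookie is also Secure. The Python model below (an added example, not part of this page or of Checkmarx's code) applies those rules to the localhost-versus-FQDN setup described above; the cookie names, request paths and host names are constructed, and the 2-minute "Lax+POST" grace Chrome grants attribute-less cookies is deliberately left out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class Cookie:
    host: str                       # host that set it (host-only cookie, no Domain attribute)
    samesite: Optional[str] = None  # "Strict", "Lax", "None", or None if the attribute is absent
    secure: bool = False

def site_of(host: str) -> str:
    parts = host.split(".")         # rough eTLD+1, enough for "localhost" vs "user-laptop.dm.cx"
    return host if len(parts) < 2 else ".".join(parts[-2:])

def chrome80_sends(cookie: Cookie, request_url: str, initiator_url: str,
                   method: str = "GET", top_level: bool = True) -> Tuple[bool, str]:
    """Would Chrome 80+ attach `cookie` to a request for request_url issued from a page at
    initiator_url? The 2-minute "Lax+POST" grace for attribute-less cookies is omitted."""
    req, src = urlsplit(request_url), urlsplit(initiator_url)
    if cookie.samesite == "None" and not cookie.secure:
        return False, "SameSite=None without Secure is rejected"
    if cookie.secure and req.scheme != "https":
        return False, "Secure cookie is not sent over http"
    if cookie.host != req.hostname:
        return False, "cookie belongs to another host"
    if site_of(src.hostname or "") == site_of(req.hostname or ""):
        return True, "same-site request"
    samesite = cookie.samesite or "Lax"          # Chrome 80 default when the attribute is absent
    if samesite == "Strict":
        return False, "cross-site request, SameSite=Strict"
    if samesite == "Lax":
        if top_level and method.upper() == "GET":
            return True, "cross-site top-level GET, allowed by Lax"
        return False, "cross-site " + method.upper() + ", blocked by Lax"
    return True, "SameSite=None; Secure, sent over https"

def portal_scenarios() -> dict:
    """Portal opened via http://localhost while Access Control answers on the FQDN (paths constructed)."""
    ac, portal = "http://user-laptop.dm.cx", "http://localhost"
    ac_cookie, portal_cookie = Cookie("user-laptop.dm.cx"), Cookie("localhost")
    return {
        # top-level GET redirect from the portal to Access Control: Lax lets the AC cookie through
        "redirect_to_ac": chrome80_sends(ac_cookie, ac + "/connect/authorize", portal + "/CxWebClient")[0],
        # result posted back cross-site to localhost: the portal cookie is dropped, login never completes
        "post_back_to_localhost": chrome80_sends(portal_cookie, portal + "/CxWebClient/callback", ac, "POST")[0],
        # SameSite=None is no fix on plain http, because None requires Secure
        "samesite_none_on_http": chrome80_sends(Cookie("localhost", "None"), portal + "/CxWebClient/callback", ac, "POST")[0],
        # opening the portal by the same FQDN makes the POST same-site, so the cookie is sent
        "same_fqdn": chrome80_sends(ac_cookie, ac + "/CxWebClient/callback", ac, "POST")[0],
    }
```

The last scenario is why using one FQDN consistently (or HTTPS with SameSite=None; Secure) resolves the problem, while http://localhost cannot.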

Download

Baidu Netdisk link: https://pan.baidu.com/s/1qayqn9xJ1-gL1Yf93s6FFw?pwd= <exclusive>

More related products:

More: HTTP protocol and security

