Support for displaying CxSCA scan results in CxSAST is available from CxSAST 9.0 HF19, 9.2 HF14 and 9.3 HF7. Make sure to always have the latest available hotfix installed.
To let users easily compare scan results generated by two different engines, it is now possible to display CxSCA results in the summary page of CxSAST. To display the CxSCA results in CxSAST, do the following:
1. Enable the option by editing the IsScaEnabled feature flag in the database.
2. Enable your user to log in to CxSAST and CxSCA by setting up the Primary Access Control.
3. Define the CxSCA URL and the tenant name in CxSAST.
4. To view scan results of CxSCA in CxSAST, log in to CxSAST and, from the menu, select Dashboard > Projects State.
Enabling the Display of CxSCA Results in the Database
You have to first enable this option in the database as follows:
1. Open SQL Server Management Studio.
2. In the Object Explorer, navigate to Databases > CxDB > Tables > dbo.CxComponentConfiguration.
3. Right-click dbo.CxComponentConfiguration and select Edit Top 200 Rows. The associated keys appear listed.
4. Navigate to IsScaEnabled and set it to true.
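The same change can be made with a script instead of editing rows by hand, which leaves a record of the previous value and refuses to commit unless exactly one row matches. This is an added example, not taken from the Checkmarx documentation; it assumes that dbo.CxComponentConfiguration stores each setting as a row with [Key] and [Value] columns.

```sql
-- Added example: scripted alternative to "Edit Top 200 Rows".
-- Assumption: settings are stored as rows with [Key] and [Value] columns.
USE CxDB;
SET XACT_ABORT ON;
BEGIN TRANSACTION;

-- Show the current value so the previous state appears in the session output.
SELECT [Key], [Value]
FROM dbo.CxComponentConfiguration
WHERE [Key] = 'IsScaEnabled';

UPDATE dbo.CxComponentConfiguration
SET [Value] = 'true'
WHERE [Key] = 'IsScaEnabled';

-- Exactly one row must match. Zero rows means the flag is not present in
-- this database; more than one means the table is not in the expected state.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('IsScaEnabled: expected exactly one row; no change was made.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    -- Confirm the stored value after the commit.
    SELECT [Key], [Value]
    FROM dbo.CxComponentConfiguration
    WHERE [Key] = 'IsScaEnabled';
END
```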
Enabling Access Control to Authenticate Users for CxSAST and CxSCA
Secondly, you have to enable Access Control to authenticate users for CxSAST and CxSCA at the same time by setting up the Primary Access Control.
To enable the Primary Access Control feature:
1. Go to the CxSCA Portal.
2. Click the User Management icon (highlighted by the red square in the left pane in the above screenshot). The Access Control page opens.
3. Select Settings.
4. Continue with the configuration as explained here.
Defining the CxSCA Properties in CxSAST
By default, CxSAST displays the CxOSA settings on the dashboard, if the license for CxOSA was accepted. Users can choose to display CxSCA results in this space instead. To do so, you have to define the CxSCA URL and the tenant name in CxSAST as follows:
1. In CxSAST, from the menu, go to Settings > Application Settings and select SCA Settings from the menu.
If OSA Settings is displayed instead, this feature has not been enabled in the database.
2. Edit the SCA text display according to the feature flag configuration.
3. Under Tenant Name, enter the tenant name.
4. Under API URL, select a CxSCA API URL from the dropdown list, or enter a custom URL if needed, for example for a proxy site.
5. Under Webapp URL, select a CxSCA URL from the dropdown list, or enter a custom URL if needed, for example for a proxy site.
6. Click <TEST CONNECTION> to verify that your settings are correct.
7. Click <CLOSE> and refresh the page.
All connection test results must be labeled
for the CxSCA results to be displayed on the Dashboard.
Viewing the CxSCA Results in CxSAST
If enabled and configured as explained in this section, a summary of results obtained by scanning source code in CxSCA is displayed side by side with a summary of CxSAST scan results in the CxSAST Dashboard as illustrated in this section.
By default, a summary or placeholder of CxOSA scan results is displayed.
To view summaries of CxSAST and CxSCA results side by side in the CxSAST Dashboard, the following is required:
- The user must have a license activated for both CxSAST and CxSCA.
- The respective projects in CxSAST and CxSCA must have the same name.
- Both projects must have been scanned by CxSAST and CxSCA.
- The relevant CxSAST user must have full access to CxSCA.
- Displaying CxSCA must be enabled in the database as explained above.
- Access Control must be configured to log in to both CxSAST and CxSCA.
Displaying the Summary for CxSAST and CxSCA
To display the summary of test results for CxSAST and CxSCA, do the following:
1. Log in to CxSAST and CxSCA using the Primary Access Control that you configured earlier.
2. Go to Dashboard > Projects State.
3. Click the project for which you want to view the scan summaries, for example CXPROJECT6. The scan summary appears for both the CxSAST and the CxSCA scans.
Full Report for the CxSCA Results
To view a full report for the CxSCA results, do the following:
1. Click <See Full Report>. The CxSCA application opens in a new tab with a full report on the selected project, for example CXPROJECT6.
2. For additional information and instructions on working with CxSCA, refer to the CxSCA Documentation.
If there is another SAST project scan with the same name
- Verify that the CxSAST project and the corresponding CxSCA project have the same name.
- Verify that no other CxSAST project in the network has been assigned the same name.
If no scans have been performed yet for the corresponding CxSCA project
- Perform a scan for the corresponding CxSCA project.
If the corresponding CxSCA project does not exist
- Make sure that there is a CxSCA scan with the same project name.
- Return to the SCA settings page.
- Make sure that your tenant name and the URLs are correct.
- Test the connection.
- Update if needed.
If the connection cannot be established or results cannot be retrieved for another reason, a general error is reported
- Return to the CxSCA settings page.
- Verify that your tenant name and the URLs are correct.
- Test the connection.
- Update if needed.