Configuring Open Source Analysis (CxOSA) in Maven (up to v8.6.0)

CxOSA runs as part of the regular CxSAST scan: enable it by setting the <osaEnabled> tag to true in the plugin's <configuration> section.

Note that you cannot run CxOSA without running the CxSAST scan.

To add Open Source Analysis (CxOSA) to your project, add the osa* tags shown below to the plugin's <configuration> section in pom.xml:

<build>
    <plugins>
        <plugin>
            <groupId>com.checkmarx.maven</groupId>
            <artifactId>checkmarx-maven-plugin</artifactId>
            <version>x.xx.x</version>
            <dependencies>
                <dependency>
                    <groupId>commons-io</groupId>
                    <artifactId>commons-io</artifactId>
                    <version>2.5</version>
                </dependency>
            </dependencies>
            <configuration>
                <!-- CxSAST server connection. The values below are samples;
                     do not commit real credentials to pom.xml -->
                <url>http://localhost</url>
                <username>user@org</username>
                <password>Org123456</password>
                <!-- CxSAST scan settings -->
                <highSeveritiesThreshold>1</highSeveritiesThreshold>
                <mediumSeveritiesThreshold>20</mediumSeveritiesThreshold>
                <lowSeveritiesThreshold>30</lowSeveritiesThreshold>
                <isIncrementalScan>false</isIncrementalScan>
                <preset>all</preset>
                <fileExclusions>file1, file2</fileExclusions>
                <folderExclusions></folderExclusions>
                <fullTeamPath>CxServer\SP</fullTeamPath>
                <generatePDFReport>true</generatePDFReport>
                <isSynchronous>true</isSynchronous>
                <outputDirectory>c:\users\tmp</outputDirectory>
                <projectName>Project 22 (Maven)</projectName>
                <scanTimeoutInMinutes>10</scanTimeoutInMinutes>
                <!-- CxOSA settings: the build fails when a severity count
                     exceeds its threshold; leave a threshold empty to ignore it -->
                <osaEnabled>true</osaEnabled>
                <osaHighSeveritiesThreshold>4</osaHighSeveritiesThreshold>
                <osaMediumSeveritiesThreshold>20</osaMediumSeveritiesThreshold>
                <osaLowSeveritiesThreshold>30</osaLowSeveritiesThreshold>
                <osaGeneratePDFReport>true</osaGeneratePDFReport>
                <osaGenerateHTMLReport>true</osaGenerateHTMLReport>
                <!-- Maven dependencies to skip, each as groupId.artifactId -->
                <osaExclusions></osaExclusions>
            </configuration>
        </plugin>
    </plugins>
</build>
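The snippet above embeds the CxSAST username and password in pom.xml, which is normally committed to source control. Maven interpolates ${...} properties inside a plugin's <configuration>, so the credentials can instead be defined in the user's settings.xml, which stays on the build machine. The settings.xml below is an added example and not part of the Checkmarx documentation; the property names cx.url, cx.username and cx.password are my own choice, and the values are the same sample values as above.

```xml
<!-- ~/.m2/settings.xml (added example; property names are assumptions) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>checkmarx</id>
      <properties>
        <!-- Sample values only: replace with the real server and account -->
        <cx.url>http://localhost</cx.url>
        <cx.username>user@org</cx.username>
        <cx.password>Org123456</cx.password>
      </properties>
    </profile>
  </profiles>
  <!-- Activate the profile so the properties are always defined -->
  <activeProfiles>
    <activeProfile>checkmarx</activeProfile>
  </activeProfiles>
</settings>
```

In pom.xml the three connection tags then become <url>${cx.url}</url>, <username>${cx.username}</username> and <password>${cx.password}</password>, and the pom no longer carries a secret. Keep settings.xml readable only by the build user (for example chmod 600 ~/.m2/settings.xml). On a CI agent, write the file from the job's secret store rather than passing the password as a -D argument on the command line, where it would be visible in the process list and in the build log.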

You can change the following parameter values:

osaEnabled
    Type: boolean
    Default: false
    If true, CxOSA will be enabled.

osaHighSeveritiesThreshold
    Type: integer
    Default: none (threshold ignored)
    Threshold for CxOSA High severity vulnerabilities. The build fails if the number of High severity vulnerabilities found is larger than the threshold. Leave empty to ignore the threshold.

osaMediumSeveritiesThreshold
    Type: integer
    Default: none (threshold ignored)
    Threshold for CxOSA Medium severity vulnerabilities. The build fails if the number of Medium severity vulnerabilities found is larger than the threshold. Leave empty to ignore the threshold.

osaLowSeveritiesThreshold
    Type: integer
    Default: none (threshold ignored)
    Threshold for CxOSA Low severity vulnerabilities. The build fails if the number of Low severity vulnerabilities found is larger than the threshold. Leave empty to ignore the threshold.

osaGeneratePDFReport
    Type: boolean
    Default: true
    If true, a CxOSA PDF report will be generated in the output directory.

osaGenerateHTMLReport
    Type: boolean
    Default: true
    If true, a CxOSA HTML report will be generated in the output directory.

osaExclusions
    Type: String
    Default: none
    List of Maven dependencies that CxOSA will not analyze. Each exclusion has the form groupId.artifactId; for example, the commons-io dependency declared above would be written as commons-io.commons-io.

Save the changes to your pom.xml file and run:

	mvn checkmarx:scan

This initiates the Checkmarx CxSAST scan with Open Source Analysis (CxOSA) included; the build fails if any configured SAST or OSA severity threshold is exceeded.