Reviewing Scan Results in Bamboo

Scan results for scans triggered from Atlassian Bamboo are displayed both in Bamboo and in CxSAST. For additional information, refer to Navigating Scan Results in CxSAST.

To view the scan result summary

Synchronous mode, as defined in Configuring a CxSAST Scan Action, enables viewing the scan results in Atlassian Bamboo. If it is cleared (asynchronous mode), only a link to the scan results in the CxSAST web application is provided with the build results.

  • In the Build Dashboard window, open a project and select a build.

    The build results summary is displayed.

A graphical side by side summary of the scan results can be viewed in the Checkmarx Report section of the Build Results Summary dashboard.

CxSAST Summary

The CxSAST Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:

  • Status Bar – red indicates that issues were found (a threshold value was exceeded or one or more policies were violated).

  • Status Bar – green indicates a passed scan.

  • Vulnerabilities Status – this graph represents the status and severity of the security vulnerabilities discovered during a scan.
    • Recurrent – the status of a vulnerability is recurrent if it was already discovered in the previous scan
    • New – the status of a vulnerability is new if it was discovered for the first time, or if it was re-opened after being resolved in a previous scan
    • Default Threshold – indicates the default threshold setting
    • High – indicates the number of high severity vulnerabilities
    • Medium – indicates the number of medium severity vulnerabilities
    • Low – indicates the number of low severity vulnerabilities
  • PDF Report – provides a link to the CxSAST report in PDF format.
  • Results – provides a link to the code viewer in CxSAST (see Navigating Scan Results).

CxOSA Summary

The CxOSA Summary provides information about the distribution of security issues for the plan/project and is divided into the following categories:

  • Vulnerabilities & Libraries Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level.
    •  Default Threshold - Indicates the default threshold setting
    •  High – Indicates the number of high severity vulnerabilities
    •  Medium – Indicates the number of medium severity vulnerabilities
    • Low – indicates the number of low severity vulnerabilities

      The CxOSA Summary takes vulnerability result states into consideration (for example, Not Exploitable vulnerabilities are not aggregated in the global summary).

  • Results – provides a link to the CxOSA Viewer in CxSAST.
If the build is marked as failed (red), this may be because the number of vulnerability instances found exceeded the configured threshold.
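
The following script is an added example, not code from the Checkmarx plugin or Bamboo, that models the three rules the summaries above describe: a finding is Recurrent if it was present in the previous scan and New otherwise (including re-opened findings), Not Exploitable results are left out of the aggregated totals, and the totals per severity are compared against a threshold to decide whether the build passes. The Finding class, the (query, file, line) identity, the scan history layout and the sample findings are all constructed assumptions for illustration, not the plugin's data model or real scan output.

```python
from dataclasses import dataclass
from enum import Enum


class Severity(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


NOT_EXPLOITABLE = "Not Exploitable"


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance. The (query, file, line) triple is an assumed
    stable identity used here to match instances across scans."""
    query: str
    file: str
    line: int
    severity: Severity
    state: str = "To Verify"  # result state, e.g. To Verify, Confirmed, Not Exploitable

    @property
    def key(self):
        return (self.query, self.file, self.line)


def classify_status(findings, history):
    """Map each finding key to 'Recurrent' or 'New'.

    history is a list of key sets, oldest first; the last entry is the previous
    scan. A finding present in the previous scan is Recurrent. Anything else is
    New, which covers both first-time discoveries and findings that had
    disappeared (were resolved) and have now reappeared (re-opened)."""
    previous = history[-1] if history else set()
    return {f.key: ("Recurrent" if f.key in previous else "New") for f in findings}


def reopened(findings, history):
    """Keys that are New but were seen in some scan before the previous one."""
    previous = history[-1] if history else set()
    older = set().union(*history[:-1])
    return {f.key for f in findings if f.key not in previous and f.key in older}


def summarize(findings, statuses):
    """Count instances per severity and status, skipping Not Exploitable
    results so they never reach the aggregated totals."""
    counts = {sev: {"New": 0, "Recurrent": 0} for sev in Severity}
    for f in findings:
        if f.state == NOT_EXPLOITABLE:
            continue
        counts[f.severity][statuses[f.key]] += 1
    return counts


def evaluate_thresholds(summary, thresholds):
    """Compare the total per severity against the configured maximum.
    Returns (passed, list of human-readable violations)."""
    violations = []
    for sev, limit in thresholds.items():
        total = summary[sev]["New"] + summary[sev]["Recurrent"]
        if total > limit:
            violations.append(f"{sev.value}: {total} instances exceed threshold {limit}")
    return not violations, violations


# Constructed sample data (not real scan output).
SCAN_HISTORY = [
    {("Path_Traversal", "d.java", 7)},                                   # two scans ago
    {("SQL_Injection", "a.java", 10), ("XSS", "b.java", 20),
     ("Log_Forging", "c.java", 5)},                                      # previous scan
]
CURRENT_SCAN = [
    Finding("SQL_Injection", "a.java", 10, Severity.HIGH),                     # recurrent
    Finding("XSS", "b.java", 20, Severity.MEDIUM, state=NOT_EXPLOITABLE),      # excluded
    Finding("Path_Traversal", "d.java", 7, Severity.HIGH, state="Confirmed"),  # re-opened, so New
    Finding("Hardcoded_Password", "e.java", 3, Severity.MEDIUM),               # new
    Finding("Log_Forging", "c.java", 5, Severity.LOW),                         # recurrent
]
THRESHOLDS = {Severity.HIGH: 0, Severity.MEDIUM: 5, Severity.LOW: 10}  # assumed limits


def run_example():
    statuses = classify_status(CURRENT_SCAN, SCAN_HISTORY)
    summary = summarize(CURRENT_SCAN, statuses)
    passed, violations = evaluate_thresholds(summary, THRESHOLDS)
    return summary, passed, violations


if __name__ == "__main__":
    summary, passed, violations = run_example()
    for sev, c in summary.items():
        print(f"{sev.value:6} new={c['New']} recurrent={c['Recurrent']}")
    print("build status:", "PASSED" if passed else "FAILED", violations)
```

With the sample data the High total is 2 (one recurrent SQL injection plus the re-opened path traversal), which exceeds the High threshold of 0, so the build is reported as failed even though the Not Exploitable XSS result is not counted.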

CxSAST Full Report

The CxSAST Full Report provides information about the distribution of security issues for the job/project and is divided into the following categories:

  • Report Criteria - provides the following information:
    • Start/End – start and end time for the CxSAST scan.
    • Files – total number of files scanned.
    • Code Lines – total number of lines of code scanned.
  • Vulnerability Type – provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.
  • Analyze Results – provides a link to the source code viewer in CxSAST (see Navigating Scan Results).
  • PDF Report – provides a link to the CxSAST report in PDF format.

CxOSA Full Report

The CxOSA Full Report provides information about the distribution of security issues for the job/project and is divided into the following categories:

  • Report Criteria - provides the following information:
    • Start/End – start and end time for the CxOSA analysis
    • Libraries – total number of libraries analyzed
  • Vulnerability Type – provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.

    Not Exploitable vulnerabilities are not aggregated in the global summary. Consistent with this, the CxOSA Full Report displays Not Exploitable vulnerabilities with a strike-through.

  • Analysis Results – provides a link to the CxOSA Viewer in CxSAST.
If the build failed due to CxOSA and/or CxSAST policy violations, a unified report is displayed showing the following information:

  • Number of violated policies
  • Names of violated policies
  • Names of the respective rules violated
  • Type of scan used
  • Number of instances of a violated rule
  • First detection date
A textual summary of the scan results can be viewed in the Logs (Build Results Summary > Logs > View).
The source repository must be checked out in the same Job as the Checkmarx Task so that the CxSAST Bamboo plugin can recognize the checkout folder. Plan-level repositories that are checked out in another Job or Stage are not yet supported; in that case the log message "repository was not found" is displayed in the logs.
The ‘PDF report location:’ URL provides navigation to the current CxSAST scan results in PDF format:

<BAMBOO_HOME>\xml-data\build-dir\<JOB_KEY>\Checkmarx\Reports\CxSASTReport_<date-time>.pdf