Reviewing Scan Results in Azure DevOps (MS-VSTS) Plugin (8.7.0)

Results of scans launched from MS-VSTS are displayed in MS-VSTS as well as in CxSAST (please refer to the Checkmarx CxSAST Documentation – Navigating Scan Results in CxSAST).

Synchronous mode, as defined in Configuring a Checkmarx Task, enables viewing the scan results in MS-VSTS. If it is unchecked (asynchronous mode), the task does not wait for the scan to complete, and only a link to the scan results in the CxSAST web application is provided in the build results; the summaries and threshold status described below are only shown for synchronous scans.

To retrieve and view the latest build results in MS-VSTS:

Open MS-VSTS and, from the main screen, click Build and Releases and then select Builds. The Build Definition screen is displayed.

Click the Actions icon in the row of the build definition whose results you would like to view, then click View Build Results. The Build Results Dashboard is displayed.

A graphical summary of the Checkmarx scan results can be viewed by scrolling down the Build Results Dashboard.

A more detailed version of the scan results can be viewed in the Checkmarx (Report) tab on the Build Results Dashboard.

The CxSAST Summary provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Vulnerabilities Status - this graph represents the status and severity of security vulnerabilities discovered during a scan.
    •  Default Threshold - Indicates the default threshold setting
    •  High – Indicates the number of high severity vulnerabilities
    •  Medium – Indicates the number of medium severity vulnerabilities
    •  Low – Indicates the number of low severity vulnerabilities
  • Results – provides a link to the code viewer in CxSAST (see Navigating Scan Results).
  •  Threshold Status - provides a threshold status indicator (compliant or exceeded).

    If the build is marked as failed (red), this may be because the number of found vulnerability instances exceeded the configured threshold.

The CxOSA Summary provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Libraries - distribution of the vulnerable libraries:
    •  Vulnerable and outdated - includes libraries that have at least one security vulnerability and vulnerable libraries for which a newer version is available
    •  No Known Vulnerability Libraries - number of libraries without any known security vulnerabilities
  • Vulnerabilities & Libraries Status - provides a graph with the status of each vulnerability severity and the number of found vulnerability instances for each severity level.
    •  Default Threshold - Indicates the default threshold setting
    •  High – Indicates the number of high severity vulnerabilities
    •  Medium – Indicates the number of medium severity vulnerabilities
    •  Low – Indicates the number of low severity vulnerabilities

      CxOSA Summary takes into consideration vulnerability result states. (e.g. Not Exploitable vulnerabilities will not be aggregated in the global summary).

  • Results – provides a link to the CxOSA Viewer in CxSAST.
  •  Threshold Status - provides a threshold status indicator (compliant or exceeded).

    If the build is marked as failed (red), this may be because the number of found vulnerability instances exceeded the configured threshold.
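The two threshold status indicators above (and the note that the CxOSA Summary drops Not Exploitable results before aggregating) can be reproduced outside the dashboard, which is useful when deciding why a build went red. The following is an added example written for this page; it is not code from the Checkmarx plugin. The record layout, the state name "Not Exploitable", the "count exceeds threshold" rule and the sample findings are all assumptions constructed for the example.

```python
"""Added example (not part of the Checkmarx Azure DevOps plugin).

Derives a threshold verdict from per-severity counts and shows how
excluding a result state (Not Exploitable) before aggregation can change
that verdict. Field names, the exclusion rule and the sample records
below are assumptions constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low")

# Assumption: result states that the CxOSA summary leaves out of its totals.
EXCLUDED_STATES = frozenset({"Not Exploitable"})


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance as it might appear in an exported result set."""
    severity: str
    state: str = "To Verify"  # constructed default state


def aggregate(findings, exclude_states=EXCLUDED_STATES):
    """Count findings per severity, skipping any whose state is excluded."""
    counts = Counter(f.severity for f in findings if f.state not in exclude_states)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def threshold_status(counts, thresholds):
    """Return ("Compliant" | "Exceeded", [severities over threshold]).

    Assumption: a severity is over threshold when its count is strictly
    greater than the configured value; a threshold of None is unlimited.
    """
    violations = [
        sev for sev in SEVERITIES
        if thresholds.get(sev) is not None and counts[sev] > thresholds[sev]
    ]
    return ("Exceeded" if violations else "Compliant"), violations


def build_verdict(findings, thresholds, exclude_states=EXCLUDED_STATES):
    """Combine aggregation and threshold check into one dashboard-style summary."""
    counts = aggregate(findings, exclude_states)
    status, violations = threshold_status(counts, thresholds)
    return {"counts": counts, "status": status,
            "violations": violations, "failed": status == "Exceeded"}


# Constructed sample: one of the three High findings has been triaged Not Exploitable.
SAMPLE_OSA = [
    Finding("High"),
    Finding("High", "Not Exploitable"),
    Finding("Medium"),
    Finding("Low"),
    Finding("Low", "Confirmed"),
]

# Constructed thresholds: at most 1 High, at most 3 Medium, Low unlimited.
SAMPLE_THRESHOLDS = {"High": 1, "Medium": 3, "Low": None}


if __name__ == "__main__":
    # With the Not Exploitable finding excluded the build is compliant;
    # counting every raw instance pushes High over its threshold.
    print("summary view :", build_verdict(SAMPLE_OSA, SAMPLE_THRESHOLDS))
    print("raw instances:", build_verdict(SAMPLE_OSA, SAMPLE_THRESHOLDS, exclude_states=set()))
```

Running it shows the practical point behind the dashboard note: a red build that looks wrong next to the summary totals is often a case of counting instances that have since been marked Not Exploitable, so compare the state-filtered counts, not the raw instance count, against the configured threshold.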

The CxSAST Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria - provides the following information:
    • Start/End – start and end time for the CxSAST scan
    • Files – total number of files scanned
    • Code Lines – total number of lines of code scanned.

  • Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.
  • Analyze Results – provides a link to the vulnerability results in CxSAST code viewer (please refer to the Checkmarx CxSAST Documentation – Navigating Scan Results).

The CxOSA Full Report provides information about the distribution of security issues for the build/project and is divided into the following categories:

  • Report Criteria - provides the following information:
    • Start/End – start and end time for the CxOSA analysis
    • Libraries – total number of libraries analyzed.

  • Vulnerability Type - provides a list of the vulnerabilities found, the distribution of the vulnerabilities by severity (high, medium and low) and the number of vulnerability instances for each type.

    Not Exploitable vulnerabilities are not aggregated in the global summary. In line with this, the CxOSA Full Report displays Not Exploitable vulnerabilities with a strike-through.

  • Analysis Results – provides a link to the CxOSA Viewer in CxSAST.