Error while retrieving Checkmarx settings from Sonar database

cmiszczak · February 10, 2020, 7:32pm

Must-share information (formatted with Markdown):

Using SonarQube Enterprise LTS 7.9 (7.9.2) with H2 DB in Staging environment
Using sonar-scanner-4.2.0.1873-linux and CxConsolePlugin-8.90.2 with Jenkins 2.204.1
Having the Sonar-2019.4.1 plugin, com.checkmarx.sonar.cxplugin-2019.4.1.jar, in $sonar_home/extensions/plugins/

The SonarQube instance has been restarted, and the Checkmarx plugin 2019.4.1 is listed as installed within the SonarQube Administartion/Marketpace view.

SonarQube does not keep the Checkmarx configurations (URL, credentials and target project) after saving them at the SonarQube project’s view. There is no option available globally to set those configurations.
I have a Jenkins job which scan the Checkmarx project properly. It scan the project correctly for SnarQube as well but cannot transfer the Checkmarx scan metrics into the SonarQube project dashboard.

Excerpt of the Checkmarx scan:
[2020-02-10 11:45:22,289 INFO ] Scan completed
[2020-02-10 11:45:22,289 INFO ] SAST scan finished. Retrieving scan results
[2020-02-10 11:45:22,310 INFO ] ----------------------------Checkmarx Scan Results(CxSAST):-------------------------------
[2020-02-10 11:45:22,311 INFO ]
[2020-02-10 11:45:22,311 INFO ] ------------------------
[2020-02-10 11:45:22,311 INFO ] SAST vulnerabilities Summary:
[2020-02-10 11:45:22,311 INFO ] ------------------------
[2020-02-10 11:45:22,311 INFO ] SAST high severity results: 0
[2020-02-10 11:45:22,311 INFO ] SAST medium severity results: 31
[2020-02-10 11:45:22,311 INFO ] SAST low severity results: 101
[2020-02-10 11:45:22,311 INFO ]
[2020-02-10 11:45:22,311 INFO ] -----------------------------------------------------------------------------------------
[2020-02-10 11:45:22,311 INFO ] CxConsole session finished
[2020-02-10 11:45:22,311 INFO ] Job completed successfully - exit code 0

Excerpt of the Checkmarx scan info transfer to SonarQube:
INFO: Sensor Import Checkmarx scan results to SonarQube [checkmarx]
INFO: Retrieving Checkmarx scan results for current module [Checkmarx plugin version: 2019.4.1]
INFO: Getting Checkmarx configuration data from sonar Database.
INFO: Getting property: http://x.x.x.x:9000/api/properties?id=checkmarx.server.credentials.secured&resource=cx-flow
INFO: Getting property: http://x.x.x.x:9000/api/properties?id=checkmarx.server.credentials&resource=cx-flow
ERROR: NOTE: Checkmarx scan is canceled;
Error while retrieving Checkmarx settings from Sonar database.
Please make sure Checkmarx credentials are configured. Can be configured by admin at: Project Page > Administration > Checkmarx
[Checkmarx plugin version: 2019.4.1]
ERROR: ---------------------------------------------------------------------------------------

ERROR: Sast results retrieval failed due to exception: null

ERROR: [Checkmarx plugin version: 2019.4.1]
ERROR: ---------------------------------------------------------------------------------------

Excerpt of SoanrQube analysis:
INFO: Analysis total time: 24.725 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 26.473s
INFO: Final Memory: 33M/117M
INFO: ------------------------------------------------------------------------
Finished: SUCCESS

ganncamp · February 10, 2020, 7:47pm

Hi,

I doubt the Checkmarx folks monitor this community. You need to report this problem with their plugin directly to them.

HTH,
Ann

cmiszczak · February 10, 2020, 7:54pm

Hi,

I already did, and they told me to contact you guys, since it is SonarQube that is not retaining the Checkmarx configurations.

Christian.

ganncamp · February 10, 2020, 8:04pm

Hi Christian,

When you save other project-level configurations are they actually retained? Are there any errors in your server logs (or browser console) when you save configurations? Also, what happens when you switch to some other DB than H2?

Ann

outsidelogic · March 24, 2020, 4:45pm

Hi Ann, I’m having the same issue. When I configure the checkmarx connection, I get a “connection successful” message. This appears in the Sonar web.log:

2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAha][c.c.s.w.CxConfigRestEndPoint] Logging into the Checkmarx service.
2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAhb][c.c.s.w.CxConfigRestEndPoint] Retrieving Cx server projects.
2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAhc][c.c.s.w.CxConfigRestEndPoint] Logging out of Checkmarx.

When I select the checkmarx project and click Save, I get a “Saved successfully” message, but this appears in the web.log:

2020.03.24 12:40:38 INFO web[AXDVmTuddEad3NnHAAhe][c.c.s.w.CxConfigRestEndPoint] Getting property: http://ah-1015806-001.sdi.corp.my-domain.com:9090/api/properties?id=checkmarx.server.credentials&resource=com.bofa.ecom.olb.amm%3Arelease-config%3A2020.05.0
2020.03.24 12:40:38 ERROR web[AXDVmTuddEad3NnHAAhe][c.c.s.w.CxConfigRestEndPoint] Error updating connection config.
java.lang.NullPointerException: null
at com.checkmarx.sonar.settings.PropertyApiClient.getProperty(PropertyApiClient.java:56)
at com.checkmarx.sonar.sensor.utils.CxConfigHelper.getStoredCredentials(CxConfigHelper.java:96)
at com.checkmarx.sonar.sensor.utils.CxConfigHelper.updateCredentials(CxConfigHelper.java:252)
…

If I return to the checkmarx config page, all the config details are blank. This is SonarQube 6.7.7 (I’m locked into using that version), checkmarx plugin 2019.4.1, and we’re using a MySQL database, which has been working fine for standard scans of Java code.

Thanks is advance for the help!

ganncamp · March 24, 2020, 7:43pm

Hi @outsidelogic,

Welcome to the community!

Sorry, but I don’t know what to tell you. Based on the log you provided, it looks like the problem is squarely in the Checkmarx-provided integration
(java.lang.NullPointerException: null at com.checkmarx.sonar.settings.PropertyApiClient.getProperty(PropertyApiClient.java:56). You’ll have to take it up with them.

Ann

outsidelogic · March 25, 2020, 12:12am

Thanks, Ann. I thought that package structure looked like it pointed to checkmarx code, but I reckoned it might be worth it to raise the flag here anyway. I will follow up with them.

outsidelogic · March 26, 2020, 9:04pm

Hey Ann, I did want to point out that, even though we experience this error in connecting to checkmarx, and it seems like the issue is on the checkmarx side, the SonarQube UI says everything is fine. Seems like there should be some indication of an error. This connection was not actually saved successfully. sonar-checkmarx-saved-successfully-but-not

ganncamp · March 30, 2020, 5:48pm

Hi,

Since you’re on an unsupported version, I can’t take that very far. If you can reproduce it in 7.9.2 or 8.2 then we can have a look. However since this has only been reported in conjunction with the Checkmarx plugin, I would still suspect that it’s receiving the data but not properly storing it.

Ann

mouhamedhaqq · April 30, 2020, 10:03am

Hello @ganncamp @outsidelogic,

I’m facing the same issue on Sonarqube 7.9.3, checkmarx plugin 2019.4.1

I also get the “Saved successfully” message but that’s what I saw in the logs.

2020.04.30 09:34:10 ERROR web[AXHKbNvJxhSDDTq0AAA9][c.c.s.w.CxConfigRestEndPoint] Error updating connection config

It seems that Sonarqube is unable to saved successfully the logging info.

Haqq

ganncamp · May 1, 2020, 5:37pm

Hi,

I was all set to run a quick test with this to see if I could see anything obvious. But it appears I have to give Checkmarx my email address to get access to their plugin, and I have no appetite to do that. Sorry, but you’ll really have to get them to fix their own plugin.

Ann

ganncamp · May 1, 2020, 6:10pm

Hi again,

It seems I was wrong about needing to give my email to get to the plugin. So I’ve downloaded and installed the plugin and… Unable to find Checkmarx settings at the global level I found them at the project level instead.

Unfortunately, I’m not able to test saving the settings because I don’t have a Checkmarx server to connect to. I’m again going to have to refer you to the Checkmarx folks.

Ann

mouhamedhaqq · May 11, 2020, 8:43am

Hi,
After investigating on this issue, we found out that if you are using sonarqube through docker you have to precise the sonar.host.url. That’s the cause of the “no Route to host error”.

You can resolve it by change the network to host or run sonarqube with -Dsonar.host.url=… and then the checkmarx credentials will persist

Also for information the plugin is using the deprecated endpoint properties to get checkmarx credentials.

Regards,
Haqq

vpbobade · October 6, 2020, 3:57pm

Hey - it was an interesting discussion above - got to learn and understand few things.

I also have some queries while using checkmarx plugin with sonarqube. Elaborately, I am actually trying to deploy my checkmarx scans report to sonarqube using checkmarx plugin however when I am trying to test the connectivity of the plugin from Sonarqube , I am getting error as Login failed.

Versions being used in my environment.

Checkmarx plugin version – 2020.3.3
Sonarqube version – 7.9.2 (docker container)

Logs from my sonarqube container:

2020.10.06 15:46:21 ERROR web[AXSvJIQJy9XEZyaQAKi7][c.c.s.w.CxConfigRestEndPoint] Login failed.
javax.net.ssl.SSLException: Connection reset
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)

any help or clue or guidance will help to fix this and progress further. Thanks in advance

@ganncamp @mouhamedhaqq @outsidelogic @cmiszczak may be you guys can help me here.

vpbobade · October 7, 2020, 3:38am

@Michal_Duda any help would be appreciated on this Michal

ganncamp · October 7, 2020, 12:15pm

Hi @vpbobade,

Please stop tagging people who haven’t already volunteered to participate in this thread by chiming in.

If it wasn’t clear from my previous responses in this thread, let me try again.

SonarSource does not provide, maintain, or support this plugin. No one at SonarSource can help you with this plugin. If you’re trying to use this plugin then I’m going to assume you have a relationship with its provider, and should contact them: Checkmarx.

Ann

vpbobade · October 7, 2020, 1:03pm

Hey @ganncamp -

could you please redirect me (if you are aware of any) to correct Sonarqube community who can help me with my doubts.

vpbobade · December 29, 2020, 6:20am

This has been fixed by disabling the [SONARQUBE] application level proxy.

ganncamp · January 6, 2021, 2:39pm