Using SonarQube Enterprise LTS 7.9 (7.9.2) with H2 DB in Staging environment
Using sonar-scanner-4.2.0.1873-linux and CxConsolePlugin-8.90.2 with Jenkins 2.204.1
Having the Sonar-2019.4.1 plugin, com.checkmarx.sonar.cxplugin-2019.4.1.jar, in $sonar_home/extensions/plugins/
The SonarQube instance has been restarted, and the Checkmarx plugin 2019.4.1 is listed as installed within the SonarQube Administartion/Marketpace view.
SonarQube does not keep the Checkmarx configurations (URL, credentials and target project) after saving them at the SonarQube project’s view. There is no option available globally to set those configurations.
I have a Jenkins job which scan the Checkmarx project properly. It scan the project correctly for SnarQube as well but cannot transfer the Checkmarx scan metrics into the SonarQube project dashboard.
Excerpt of the Checkmarx scan:
[2020-02-10 11:45:22,289 INFO ] Scan completed
[2020-02-10 11:45:22,289 INFO ] SAST scan finished. Retrieving scan results
[2020-02-10 11:45:22,310 INFO ] ----------------------------Checkmarx Scan Results(CxSAST):-------------------------------
[2020-02-10 11:45:22,311 INFO ]
[2020-02-10 11:45:22,311 INFO ] ------------------------
[2020-02-10 11:45:22,311 INFO ] SAST vulnerabilities Summary:
[2020-02-10 11:45:22,311 INFO ] ------------------------
[2020-02-10 11:45:22,311 INFO ] SAST high severity results: 0
[2020-02-10 11:45:22,311 INFO ] SAST medium severity results: 31
[2020-02-10 11:45:22,311 INFO ] SAST low severity results: 101
[2020-02-10 11:45:22,311 INFO ]
[2020-02-10 11:45:22,311 INFO ] -----------------------------------------------------------------------------------------
[2020-02-10 11:45:22,311 INFO ] CxConsole session finished
[2020-02-10 11:45:22,311 INFO ] Job completed successfully - exit code 0
Excerpt of the Checkmarx scan info transfer to SonarQube:
INFO: Sensor Import Checkmarx scan results to SonarQube [checkmarx]
INFO: Retrieving Checkmarx scan results for current module [Checkmarx plugin version: 2019.4.1]
INFO: Getting Checkmarx configuration data from sonar Database.
INFO: Getting property: http://x.x.x.x:9000/api/properties?id=checkmarx.server.credentials.secured&resource=cx-flow
INFO: Getting property: http://x.x.x.x:9000/api/properties?id=checkmarx.server.credentials&resource=cx-flow
ERROR: NOTE: Checkmarx scan is canceled;
Error while retrieving Checkmarx settings from Sonar database.
Please make sure Checkmarx credentials are configured. Can be configured by admin at: Project Page > Administration > Checkmarx
[Checkmarx plugin version: 2019.4.1]
ERROR: ---------------------------------------------------------------------------------------
ERROR: Sast results retrieval failed due to exception: null
When you save other project-level configurations are they actually retained? Are there any errors in your server logs (or browser console) when you save configurations? Also, what happens when you switch to some other DB than H2?
Hi Ann, I’m having the same issue. When I configure the checkmarx connection, I get a “connection successful” message. This appears in the Sonar web.log:
2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAha][c.c.s.w.CxConfigRestEndPoint] Logging into the Checkmarx service.
2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAhb][c.c.s.w.CxConfigRestEndPoint] Retrieving Cx server projects.
2020.03.24 12:30:52 INFO web[AXDVmTuddEad3NnHAAhc][c.c.s.w.CxConfigRestEndPoint] Logging out of Checkmarx.
When I select the checkmarx project and click Save, I get a “Saved successfully” message, but this appears in the web.log:
2020.03.24 12:40:38 INFO web[AXDVmTuddEad3NnHAAhe][c.c.s.w.CxConfigRestEndPoint] Getting property: http://ah-1015806-001.sdi.corp.my-domain.com:9090/api/properties?id=checkmarx.server.credentials&resource=com.bofa.ecom.olb.amm%3Arelease-config%3A2020.05.0
2020.03.24 12:40:38 ERROR web[AXDVmTuddEad3NnHAAhe][c.c.s.w.CxConfigRestEndPoint] Error updating connection config.
java.lang.NullPointerException: null
at com.checkmarx.sonar.settings.PropertyApiClient.getProperty(PropertyApiClient.java:56)
at com.checkmarx.sonar.sensor.utils.CxConfigHelper.getStoredCredentials(CxConfigHelper.java:96)
at com.checkmarx.sonar.sensor.utils.CxConfigHelper.updateCredentials(CxConfigHelper.java:252)
…
If I return to the checkmarx config page, all the config details are blank. This is SonarQube 6.7.7 (I’m locked into using that version), checkmarx plugin 2019.4.1, and we’re using a MySQL database, which has been working fine for standard scans of Java code.
Sorry, but I don’t know what to tell you. Based on the log you provided, it looks like the problem is squarely in the Checkmarx-provided integration
(java.lang.NullPointerException: null at com.checkmarx.sonar.settings.PropertyApiClient.getProperty(PropertyApiClient.java:56). You’ll have to take it up with them.
Thanks, Ann. I thought that package structure looked like it pointed to checkmarx code, but I reckoned it might be worth it to raise the flag here anyway. I will follow up with them.
Hey Ann, I did want to point out that, even though we experience this error in connecting to checkmarx, and it seems like the issue is on the checkmarx side, the SonarQube UI says everything is fine. Seems like there should be some indication of an error. This connection was not actually saved successfully.
Since you’re on an unsupported version, I can’t take that very far. If you can reproduce it in 7.9.2 or 8.2 then we can have a look. However since this has only been reported in conjunction with the Checkmarx plugin, I would still suspect that it’s receiving the data but not properly storing it.
I was all set to run a quick test with this to see if I could see anything obvious. But it appears I have to give Checkmarx my email address to get access to their plugin, and I have no appetite to do that. Sorry, but you’ll really have to get them to fix their own plugin.
It seems I was wrong about needing to give my email to get to the plugin. So I’ve downloaded and installed the plugin and… Unable to find Checkmarx settings at the global level I found them at the project level instead.
Unfortunately, I’m not able to test saving the settings because I don’t have a Checkmarx server to connect to. I’m again going to have to refer you to the Checkmarx folks.
Hi,
After investigating on this issue, we found out that if you are using sonarqube through docker you have to precise the sonar.host.url. That’s the cause of the “no Route to host error”.
You can resolve it by change the network to host or run sonarqube with -Dsonar.host.url=… and then the checkmarx credentials will persist
Also for information the plugin is using the deprecated endpoint properties to get checkmarx credentials.
Hey - it was an interesting discussion above - got to learn and understand few things.
I also have some queries while using checkmarx plugin with sonarqube. Elaborately, I am actually trying to deploy my checkmarx scans report to sonarqube using checkmarx plugin however when I am trying to test the connectivity of the plugin from Sonarqube , I am getting error as Login failed.
Versions being used in my environment.
Checkmarx plugin version – 2020.3.3
Sonarqube version – 7.9.2 (docker container)
Logs from my sonarqube container:
2020.10.06 15:46:21 ERROR web[AXSvJIQJy9XEZyaQAKi7][c.c.s.w.CxConfigRestEndPoint] Login failed.
javax.net.ssl.SSLException: Connection reset
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
any help or clue or guidance will help to fix this and progress further. Thanks in advance
Please stop tagging people who haven’t already volunteered to participate in this thread by chiming in.
If it wasn’t clear from my previous responses in this thread, let me try again.
SonarSource does not provide, maintain, or support this plugin. No one at SonarSource can help you with this plugin. If you’re trying to use this plugin then I’m going to assume you have a relationship with its provider, and should contact them: Checkmarx.
