Import CheckmarxOne Results attribute for state for each found issue.
under review
Jade Crocodile
In CheckmarxOne Results JSON, there is a state related to each issue or group of issues. We would like the ability to map these to similar values in Harness.io. These values are TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT and it would be great if they could map to any related values in Harness Exceptions values. Or at the very least not see ones we have marked as NOT_EXPLOITABLE. Command in CheckmarxOne https://checkmarx.com/resource/documents/en/34965-68640-results.html
Pritesh Chandaliya
Hello Nathan,
From what I understand, the request is that
- issues/vulnerabilities that already have the state (on the Checkmarx One side) NOT_EXPLOITABLE or PROPOSED_NOT_EXPLOITABLE should be exempted, or be able to be exempted
- STO users should not be able to exempt issues/vulnerabilities with the (Checkmarx One) state CONFIRMED or URGENT on our side
OR
- STO should show the Checkmarx One state in the exemption dialog in the UI so that it's helpful for developers to know which ones can be exempted and which should not be?
Please help confirm. Thanks!
Jade Crocodile
As a follow-up, this would only need to work if we were to make it return the following settings: NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE from Checkmarx. URGENT, TO_VERIFY, and URGENT would not have any effect on "Request Exemption" in Harness.io
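The mapping asked for in the original post and narrowed in the follow-up above, as an added example that is not code from Harness, Checkmarx or the poster. It assumes a results export shaped like `{"results": [{"similarityId", "type", "severity", "state"}]}` (constructed sample), treats only NOT_EXPLOITABLE and PROPOSED_NOT_EXPLOITABLE as exemption candidates, and fails closed on any state it does not recognise.

```python
import json

# Checkmarx One result states named in the request, mapped to an exemption disposition.
# Anything not listed (or a missing state) is "unknown" and is never exempted.
STATE_DISPOSITION = {
    "NOT_EXPLOITABLE": "exemptable",           # already triaged away in Checkmarx
    "PROPOSED_NOT_EXPLOITABLE": "exemptable",  # proposed; still needs a reviewer
    "TO_VERIFY": "triage",                     # no effect on Request Exemption
    "CONFIRMED": "blocked",                    # must not be exempted
    "URGENT": "blocked",
}

# Constructed sample in the assumed shape of a Checkmarx One results export.
SAMPLE_RESULTS_JSON = json.dumps({"results": [
    {"similarityId": "1001", "type": "sast", "severity": "HIGH",   "state": "NOT_EXPLOITABLE"},
    {"similarityId": "1001", "type": "sast", "severity": "HIGH",   "state": "NOT_EXPLOITABLE"},
    {"similarityId": "1002", "type": "sast", "severity": "MEDIUM", "state": "PROPOSED_NOT_EXPLOITABLE"},
    {"similarityId": "1003", "type": "sast", "severity": "HIGH",   "state": "CONFIRMED"},
    {"similarityId": "1004", "type": "sca",  "severity": "LOW",    "state": "TO_VERIFY"},
    {"similarityId": "1005", "type": "sast", "severity": "LOW"},   # state missing on purpose
]})

def disposition(result):
    """Fail closed: an unknown or missing state is never exemptable."""
    return STATE_DISPOSITION.get(result.get("state"), "unknown")

def build_exemption_requests(results_json):
    """Group exemptable results by similarityId into hypothetical exemption requests.
    'auto_approve' is an assumption: a firm NOT_EXPLOITABLE could be pre-approved,
    while a PROPOSED_NOT_EXPLOITABLE still waits for a reviewer in Harness."""
    doc = json.loads(results_json)
    requests = {}
    for r in doc.get("results", []):
        if disposition(r) != "exemptable":
            continue
        req = requests.setdefault(r["similarityId"], {
            "similarityId": r["similarityId"], "count": 0,
            "source_state": r["state"],
            "auto_approve": r["state"] == "NOT_EXPLOITABLE"})
        req["count"] += 1
    return list(requests.values())

def visible_results(results_json):
    """The minimal ask from the post: hide results already marked NOT_EXPLOITABLE."""
    doc = json.loads(results_json)
    return [r for r in doc.get("results", []) if r.get("state") != "NOT_EXPLOITABLE"]
```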
Jade Crocodile
The feature above doesn't have to do with EPSS as much as the ability to pull in and map the settings (TO_VERIFY, NOT_EXPLOITABLE, PROPOSED_NOT_EXPLOITABLE, CONFIRMED, URGENT) from the finding to the Harness "Request Exemption" field one's in the STO module.
Pritesh Chandaliya
pending feedback
Customer, please provide your feedback about the suggested response.
Pritesh Chandaliya
Hello Nathan,
We use our own logic to prioritize the issues. Having said that, we are working on incorporating the EPSS (Exploit Prediction Scoring System) score for all scanner-found issues and will be using it in addition to the CVSS score and other reference identifiers for prioritization.
With the above feature, we will still show all the issues but with lower severity. Hope this helps.
Let me know, thanks!