Saturday, 27 October 2012

CheckMarx Queries in TeamMentor with some Landing Pages

Here is a pretty cool PoC (still in draft mode) of the integration of TeamMentor (TM) with Checkmarx content

You can see it at http://checkmarx.teammentor.net/Library/CheckMarx_Queries (which should open only the CheckMarx_Queries library in your browser)

Here are the main features/capabilities:
  • there is a TM Library that holds the Checkmarx queries' data (created from the data retrieved from this WebMethod)
  • there is a TM Folder per language type - also mapped to the TM Article's Technology field
  • there is a TM View per query type - also mapped to the TM Article's Phase field
  • the Type field indicates whether there is a TeamMentor Landing Page for a particular Query
  • the Category field contains the CWE Id (useful for spotting the cases where the same CWE is applied to multiple queries)
  • The Article html content is made of:
    • IFrame with the TM Landing Page content (if there is a TM Landing Page)
    • IFrame with the CWE content (if CWE ID > 0)
    • the Query rule's Metadata
    • the Query rule's source (in Checkmarx's C#-based query language)
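To make that mapping concrete, here is an added Python example (not TeamMentor's or Checkmarx's own code, which is C#) that turns a constructed set of query records into TM-style articles: a folder per language (Technology), a view per query type (Phase), a Type field flagging whether a landing page exists, the CWE id in Category, and the article HTML made of the two IFrames, the metadata and the query source. The record field names, the landing-page lookup and the /article/<id> URL path are assumptions; only the host is the one named above. Because query names and rule source end up inside the article HTML, the example HTML-escapes them and coerces the CWE id to an integer before building the IFrame src, so a rule comment containing markup cannot inject script into the article viewer.

```python
"""Build TeamMentor-style articles from Checkmarx query metadata (added example)."""
import html
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import quote

# Host named on the page; the /article/<id> path layout below is an assumption.
TM_BASE = "http://checkmarx.teammentor.net"

# Constructed sample of Checkmarx query records (field names and values are
# illustrative, not the real WebMethod output).
SAMPLE_QUERIES = [
    {"name": "SQL_Injection", "language": "CSharp", "query_type": "Cx",
     "severity": "High", "cwe": 89,
     "source": "result = Find_DB_In().InfluencedBy(Find_Interactive_Inputs());"},
    {"name": "Stored_SQL_Injection", "language": "CSharp", "query_type": "Cx",
     "severity": "High", "cwe": 89, "source": "result = Find_DB_Out();"},
    {"name": "Reflected_XSS", "language": "Java", "query_type": "Cx",
     "severity": "High", "cwe": 79,
     "source": "// <script>alert(1)</script> inside a rule comment\nresult = Find_Outputs();"},
    {"name": "Custom_Helper", "language": "Java", "query_type": "General",
     "severity": "Info", "cwe": 0, "source": "result = All;"},
]

# Constructed lookup: query name -> TM landing page id (assumption).
LANDING_PAGES = {"SQL_Injection": "SQL-Injection-Landing-Page",
                 "Reflected_XSS": "XSS-Landing-Page"}


@dataclass
class TMArticle:
    title: str
    technology: str   # TM folder: one per Checkmarx language
    phase: str        # TM view: one per query type
    type: str         # whether a TM landing page exists for the query
    category: str     # CWE id (kept as text, like a TM field)
    content: str      # article HTML


def cwe_url(cwe_id: int) -> str:
    # int() guarantees only a plain number ends up in the src attribute.
    return f"https://cwe.mitre.org/data/definitions/{int(cwe_id)}.html"


def landing_page_url(page_id: str) -> str:
    return f"{TM_BASE}/article/{quote(page_id, safe='')}"


def build_article(query: dict, landing_pages: dict) -> TMArticle:
    name = query["name"]
    cwe = int(query.get("cwe") or 0)
    page_id = landing_pages.get(name)
    parts = []
    if page_id:                               # IFrame with the TM landing page
        parts.append(f'<iframe src="{html.escape(landing_page_url(page_id))}"></iframe>')
    if cwe > 0:                               # IFrame with the CWE entry
        parts.append(f'<iframe src="{cwe_url(cwe)}"></iframe>')
    rows = "".join(                           # query metadata, every value escaped
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(query[k]))}</td></tr>"
        for k in ("name", "language", "query_type", "severity", "cwe"))
    parts.append(f"<table>{rows}</table>")
    parts.append(f"<pre>{html.escape(query['source'])}</pre>")  # rule source, escaped
    return TMArticle(title=name, technology=query["language"],
                     phase=query["query_type"],
                     type="Landing Page" if page_id else "No Landing Page",
                     category=str(cwe), content="\n".join(parts))


def build_library(queries, landing_pages):
    """Return {technology (folder): {phase (view): [TMArticle, ...]}}."""
    library = defaultdict(lambda: defaultdict(list))
    for q in queries:
        article = build_article(q, landing_pages)
        library[article.technology][article.phase].append(article)
    return library


def cwe_collisions(library):
    """CWE ids shared by more than one query (what the Category field lets you spot)."""
    by_cwe = defaultdict(list)
    for views in library.values():
        for articles in views.values():
            for a in articles:
                if a.category != "0":
                    by_cwe[a.category].append(a.title)
    return {cwe: names for cwe, names in by_cwe.items() if len(names) > 1}


if __name__ == "__main__":
    lib = build_library(SAMPLE_QUERIES, LANDING_PAGES)
    for folder, views in lib.items():
        for view, articles in views.items():
            print(folder, "/", view, [a.title for a in articles])
    print("shared CWEs:", cwe_collisions(lib))
```

Running it prints the folder/view tree for the sample and reports CWE 89 as shared by the two SQL injection queries; the Reflected_XSS article carries the `<script>` text from its rule comment only in escaped form.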

Screenshots (captions only):

  • Default view
  • Viewing a query with no Landing Page
  • Viewing a Query with a TeamMentor Landing Page
  • Viewing the Query's Metadata and Source
  • Article viewer: with the TeamMentor Landing Page content, followed by the CWE content
  • Article viewer (cont.): with the CWE data, followed by the Checkmarx Rule's data
  • Editing the CWE data using the TeamMentor 'Notepad' GUI


Finally, as I also mentioned in Util - CheckMarx Rule and Guidance Viewer (with C# SAST Rules and CWE data), it is pretty spectacular and powerful that Checkmarx rules are written in C# and are easily consumed and edited (the CxAuditor tool has a REPL-like environment for executing these queries, in which the Checkmarx engine's intermediate objects are exposed and scriptable).

Now if only the other SAST vendors had a similar scripting language/environment :)

It would also be really cool if we could:

  • fire up a scan directly from one of these query pages
  • allow easy forking of a Query (keeping the metadata and TM references) in order to customise the query (think git gist)
  • select a query pack based on some criteria and use it in a scan
  • create a similar view based on a security assessment result (i.e. where a TM Article is a Security Finding, which is mapped to a Query, which is mapped to a Landing Page, which is mapped to a CWE ID)