Friday 26 October 2012

Util - CheckMarx Rule and Guidance Viewer (with C# SAST Rules and CWE data)

The more I look at Checkmarx the more I like it. For example, here is a simple Rules and Guidance viewer that was created by just visualising the 2Mbs of data retrieved from the GetQueryCollection WebMethod.

The code is here (Gist) and the standalone exe is at Util - CheckMarx Rule and Guidance Viewer v1.0.exe.




Here is the Util - CheckMarx Rule and Guidance Viewer v1.0.exe in action (on Checkmarx's public server):


When you start the tool you will be asked for a user (now on SI's test server):


Then the password:


And if the login was successful, you will see the list of supported languages:


Which you can then expand into the desired Query.

The selected Query's source code will be shown on the top-right code viewer, and the Query CWE mapping is shown on the bottom-right browser.


Now look at that last screenshot, especially the query's code.

THAT code is the rule that Checkmarx's engine uses to find SQL Injections!!!!!!

  • It gets the Interactive Inputs (the ones it knows about)
  • Then the sanitisation and (I expect) the validation methods
  • Then it passes these values into a method that returns the findings

Isn't that beautiful!

C# managed rules for SAST!

THIS is how things should be done!!!

The 2nd screenshot shows a more advanced/complex rule, and since we are in C# land, we should be able to perform real comprehensive/complex analysis (with external data/mappings if required).
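To make that three-step shape concrete, here is an added example (a toy taint rule of the editor's own, not Checkmarx's CxQL and not code from the post or the viewer): it models a program as a constructed data-flow graph of inputs, sanitisers and sinks, and reports every sink an interactive input can influence without passing through a sanitiser. Node labels such as Request["id"] and ExecuteReader#1 are constructed names for the sample, not calls to any real API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Toy model of the rule shape in the post (added example, not Checkmarx's CxQL): nodes are
// inputs, sanitisers, sinks or plain statements; edges follow data flow. A finding is a
// sink reached from an input along a path that never crosses a sanitiser.

// Constructed sample program: two request parameters, only one passes through a sanitiser.
var rule = new TaintRule();
rule.Add("Request[\"id\"]", Kind.Input, "sql1");
rule.Add("sql1", Kind.Other, "ExecuteReader#1");            // "... WHERE Id = " + id
rule.Add("ExecuteReader#1", Kind.Sink);
rule.Add("Request[\"name\"]", Kind.Input, "Sanitize(name)");
rule.Add("Sanitize(name)", Kind.Sanitizer, "sql2");
rule.Add("sql2", Kind.Other, "ExecuteReader#2");
rule.Add("ExecuteReader#2", Kind.Sink);
foreach (var (input, sink) in rule.FindSqlInjection())
    Console.WriteLine($"SQL injection: {input} -> {sink}");   // reports only the "id" path

enum Kind { Input, Sanitizer, Sink, Other }
class TaintRule
{
    readonly Dictionary<string, Kind> kinds = new();          // node name -> kind
    readonly Dictionary<string, List<string>> flows = new();  // node name -> data-flow successors
    public void Add(string name, Kind kind, params string[] flowsTo)
    {
        kinds[name] = kind;
        flows[name] = flowsTo.ToList();
    }
    // Step 1: the interactive inputs. Step 2: the sanitisers, which stop the taint.
    // Step 3: walk the flow from every input and return each sink reached unsanitised.
    public List<(string Input, string Sink)> FindSqlInjection()
    {
        var findings = new List<(string, string)>();
        foreach (var input in kinds.Where(k => k.Value == Kind.Input).Select(k => k.Key))
        {
            var seen = new HashSet<string>();
            var work = new Stack<string>(new[] { input });
            while (work.Count > 0)
            {
                var node = work.Pop();
                if (!seen.Add(node) || kinds[node] == Kind.Sanitizer) continue;
                if (kinds[node] == Kind.Sink) findings.Add((input, node));
                foreach (var next in flows[node]) work.Push(next);
            }
        }
        return findings;
    }
}
```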

Now if only Checkmarx released these rules under an Open License, so that we could easily share our customisations and write rules for non-supported frameworks :)