Skip to content

Architecture

johannes-tw edited this page Jun 24, 2020 · 26 revisions

Web Service (WebHook)

Overview

  • CxFlow listens to HTTP/S requests matching specific payloads that represent pull/merge requests and push requests.
  • Bitbucket (Server & Cloud)
  • GitHub
  • Azure DevOps / TFS
  • GitLab
  • CxFlow is configured to process events associated with branches considered important/protected across the enterprise based on the following:
  • List of static values
  • master
  • develop
  • release
  • List of regular expressions
  • External Groovy Script execution hooks
  • Upon receiving an event, CxFlow will:
  • A scan request for the repository will be initiated
  • Scans will be attempted as incremental with the following rules (optional):
  • A full scan was conducted within the last 7 days (configurable)
  • A scan was conducted within the last 5 scans (configurable)
  • Global file exclusion pattern(s) will be applied for every scan according to the CxFlow configuration
  • Optionally Result feedback can be configured
  • CxFlow generates the XML report
  • Results are filtered
  • Results are published according to the configured feedback channel(s)
  • File type, number of references, percentage of code base (reflected from post exclusions) are mapped
  • CxFlow iterates through a rule set that attempts to match the fingerprint of the source code
  • Rules are evaluated in the order they have been provided in the configuration file. Once a match is found, CxFlow stops checking further
  • There is a default/catchall rule for those not matching a finger print
  • Based on the fingerprint rule matching, an associated Checkmarx preset is assigned
  • This information is saved to the local CxFlow cache. Note: If multiple instances of CxFlow are load-balanced, the cache is only available to the local instance performing the processing. This design can be enhanced if required.
  • A scan request for the repository is initiated with the scan preset that has been assigned in the previous step(s)
  • Scans are attempted as incremental with the following rules:
  • A full scan has been conducted within the last 7 days
  • A scan has been conducted within the last 5 scans
  • Global file exclusion pattern(s) are applied for every scan according to the CxFlow configuration
  • In addition, result feedbacks can be configured as follows:
  • CxFlow generates the XML report.
  • Results are filtered
  • Results are published according to the configured feedback channel(s)

Load Balancing

CxFlow integrates easily with Load Balancing as it is stateless/RESTful and can run on any available port

Workflow

Refer to the following for additional information.

Network Architecture

The network architecture is divided into inbound and outbound traffic.

Inbougnd

CxFlow requires network connectivity from the SCM Repository to the specified port which it is listening on (8443 - HTTPS | 8080 - HTTP). CxFlow can filter access based on IP addresses.

NOTE: This functionality becomes available with the next release.

Outbound

CxFlows requires access to any of the desired feedback channels over HTTP/S:

  • Jira
  • Azure DevOps WorkItems
  • GitLab Issues
  • GitHub Issues
  • Pull / Merge Request Markdown Comments Access is required for any Checkmarx Instances

Software Components

  • Java Runtime 8 or 11
  • Gradle 5.4 (Build)
  • Spring Boot 2.1.9, Spring boot is regularly updated as part of ongoing 3rd party library maintenance

Execution

Please see the following for detailed execution instructions