- Author: Pedric Kng
- Updated: 18 Mar 2019
Azure DevOps (formally VSTS) or TFS (Team Foundation Server) is a common tool to use for planning development backlogs. This integration will describe the pushing of Checkmarx scan results (xml report) as work items to be managed.
This tutorial was only possible through the hard work of https://github.com/CxTyler
- Azure DevOps & TFS (2015,2017,2018)
- REST API access
- Permission to create additional item Fields
- CxSAST xml scan result report
- Generate CxSAST XML Results (Post-Scan Action or Manually Generated)
- Setup Custom Fields within Azure DevOps (formally VSTS) or TFS (Team Foundation Server) under Work Item Type named 'Bug'
| Field | Description |
|---|---|
| Similarity ID | Checkmarx specific field to identify a unique Vulnerability |
| Node ID | Checkmarx specific field to identify a unique node for each Result |
- Create Customer Script to parse the XML report for relevant issue tracking data
- Vulnerability Name
- Source Filename
- Destination Filename
- Assignee
- Severity
- Priority
- Deep link
- Read result entries and create new work items in Azure DevOps/TFS via custom script. Requires Microsoft's REST APIs for Azure DevOps [4] or TFS [5] for TFS and authentication token [8] to utilize API calls to create/update/delete Work Items.
- Use WitAdmin [1] to export out Work Item Type (WIT) definition named 'Bug'
witadmin exportwitd /collection:%COLLECTIONURL% /p:%PROJECTNAME% /f:%FILENAME% /n:Bug- Edit the WIT definition file to add in the customized fields [2];
<FIELDS>
...
<FIELD name="Similarity ID" refname="Checkmarx.SimilarityID" type="String" />
<FIELD name="Node ID" refname="Checkmarx.NodeID" type="String" />
...
</FIELDS>
<FORM>
...
<Control Label="Similarity ID" Type="FieldControl" FieldName="Checkmarx.SimilarityID" ReadOnly="True" />
<Control Label="Node ID" Type="FieldControl" FieldName="Checkmarx.NodeID" ReadOnly="True" />
...
</FORM>- Import the edited definition using WitAdmin [1] Tip: use additional parameter [/v] to validate the definition before importing.
witadmin importwitd /collection:CollectionURL [/p:Project] /f:FileName [/e:Encoding] [/v]- Refresh the portal page to view the changes
- Export the XML Report from CxSAST
- Edit the global variables in script 'CxTFS2017.py' [6]. Note the following;
- authenticate using Personal Access Token (PAT) [10] to authenticate to the TFS
- usage of library 'keyring' [9] to store the authentication token in the base64 encoded {username}:{personalaccesstoken}
| Variables | Description |
|---|---|
| MAX_CX_RESULTS | Max number of results to be imported |
| CXSAST_RESULTS_XML | Path of CxSAST XML Report |
| SERVICE_NAME | Keyring indexing label |
| API_VERSION | Azure DevOps/TFS API Version [3] |
| USER_NAME | Azure DevOps/TFS username, used for keyring indexing |
| TFS2017_URL | Azure DevOps/TFS Collection URL e.g., http://localhost:8081/tfs/DefaultCollection/ |
| PROJECT_NAME | Azure DevOps/TFS project name |
| SIMILARITY_ID_FIELD | Azure DevOps/TFS customized 'Similarity ID' field name e.g., Checkmarx.SimilarityID |
| NODE_ID_FIELD | Azure DevOps/TFS customized 'Node ID' field name e.g., Checkmarx.NodeID |
| IGNORE_FP | ignore result flagged 'false-positive'; not imported |
- Execute the python script, it will;
- import in 'New' & 'High' severity issues found in the report as work item
- flag existing work item as 'Resolved' if no longer found in report
Import, export, and manage work item types [1]
Add or modify a field to track work [2]
Azure DevOps/TFS REST API Versioning [3]
Azure DevOps Work item API documentation [4]
TFS Work Item API documentation [5]
TFS2017 Work item script source [6]
Azure DevOps Work Item script source [7]
Azure DevOps/TFS REST API Authentication [8]
Using PY Keyring [9]
Authenticating with personal access tokens [10]