Skip to content

Architecture

Jump to bottom
johannes-tw edited this page Jun 24, 2020 · 26 revisions

Web Service (WebHook)

Overview

  • CxFlow listens to HTTP/S requests matching specific payloads that represent pull/merge requests and push requests.
  • Bitbucket (Server & Cloud)
  • GitHub
  • Azure DevOps / TFS
  • GitLab
  • CxFlow is configured to process events associated with branches considered important/protected across the enterprise based on the following:
  • List of static values
  • master
  • develop
  • release
  • List of regular expressions
  • External Groovy Script execution hooks
  • Upon receiving an event, CxFlow will:
  • A scan request for the repository will be initiated
  • Scans will be attempted as incremental with the following rules (optional):
  • A full scan was conducted within the last 7 days (configurable)
  • A scan was conducted within the last 5 scans (configurable)
  • Global file exclusion pattern(s) will be applied for every scan according to the CxFlow configuration
  • Optionally Result feedback can be configured
  • CxFlow generates the XML report
  • Results are filtered
  • Results are published according to the configured feedback channel(s)
  • File type, number of references, percentage of code base (reflected from post exclusions) are mapped
  • CxFlow iterates through a rule set that attempts to match the fingerprint of the source code
  • Rules are evaluated in the order they have been provided in the configuration file. Once a match is found, CxFlow stops checking further
  • There is a default/catchall rule for those not matching a finger print
  • Based on the fingerprint rule matching, an associated Checkmarx preset is assigned
  • This information is saved to the local CxFlow cache. Note: If multiple instances of CxFlow are load-balanced, the cache is only available to the local instance performing the processing. This design can be enhanced if required.
  • A scan request for the repository is initiated with the scan preset that has been assigned in the previous step(s)
  • Scans are attempted as incremental with the following rules:
  • A full scan has been conducted within the last 7 days
  • A scan has been conducted within the last 5 scans
  • Global file exclusion pattern(s) are applied for every scan according to the CxFlow configuration
  • In addition, result feedbacks can be configured as follows:
  • CxFlow generates the XML report.
  • Results are filtered
  • Results are published according to the configured feedback channel(s)

Load Balancing

CxFlow integrates easily with Load Balancing as it is stateless/RESTful and can run on any available port

Workflow

Refer to the following for additional information.

Clone this wiki locally