Frequently Asked Questions

Availability and Editions

What open-source static code analysis tools do Code Dx Enterprise and Stat! support?

See a list of our SAST tools in our support section.

Hardware & Software Requirements

What are the hardware and software requirements for installing Code Dx?

Server requirements:

  • Dual-core CPU
  • 4GB of RAM or better
  • 10 GB hard-disk or better, SSD recommended
  • Windows (7+ and Server 2012 R2+), or Mac OS X 10.8+, or Linux (Ubuntu, Fedora, Debian, RHEL, and CentOS). These are the platforms on which Code Dx has currently been tested.

Client Browser requirements:

  • Internet Explorer 11+
  • Chrome 12+
  • Firefox 8+
  • Safari 5+
Does Code Dx require a dedicated server?

No. Code Dx is a Java-based tool that can reside on an existing web server or a virtual machine. A dedicated server is not needed. Use whatever configuration works best for your environment.

What open-source static application security testing tools come bundled with Code Dx?

See a list of our SAST tools in our support section.

What versions of the Eclipse platform does Code Dx support?

Juno (v4.2), Kepler (v4.3), Luna (v4.4), Mars (v4.5), and Neon ( v 4.6).

About Code Dx

What commercial static code analysis tools does Code Dx Enterprise support?

Tools such as:

  • HP Fortify 360 Static Code Analyzer
  • IBM AppScan
  • Checkmarx
  • GrammaTech CodeSonar
  • Parasoft JTest
  • Parasoft DotTest
  • Parasoft C++Test
  • Armorize CodeSecure
  • VeraCode
  • Coverity
  • WhiteHat Sentinel
What specific programming languages does Code Dx support?
What are the inputs to Code Dx?

To run Code Dx’s bundled tools on your code base, upload zip files of source code (C, C++, C#, Java, JavaScript, JSP, PHP, Python, Rails, Ruby, Scala, VB.NET, and XML/XSL). Code Dx Enterprise accepts exported files from the supported tools typically in XML format. Enterprise also supports the direct import of result data from several third-party commercial tools. For unsupported or custom tools, Code Dx offers the option to convert findings into a documented Code Dx XML format for upload.

How are tool vulnerability severities presented in Code Dx?

Our engineering team has performed a complete analysis of multiple static source code analysis tools to determine how vulnerabilities are categorized and presented. Each tool has different ways of representing the severity of the vulnerabilities and weaknesses found. Some tools employ scales from 1 to 10 for example, where 1 means “severe.” Other tools use scales from 1 to 5, where 5 means “severe.” Still other tools employ the use of text-based categories from “nuisance” to “critical.” Code Dx compares all severity categories from these tools, and has established severities that are normalized and mapped to Critical, High, Medium, Low, and Info severity categories.

How do I drill down to see the line of code that has a particular vulnerability?

Code Dx has a drill-in capability by clicking on the specific vulnerability within the triage list. This brings the user to a detailed weakness analysis page where the user is presented with the specific line(s) of code affected by the vulnerability. It also displays any other weaknesses found for the specified line of code and offers detailed explanations of the weakness (through the CWEVis.org and various MITRE CWE-friendly websites), as well as mechanisms for real-time collaboration with fellow analysts, auditors, and developers in an effort to help the user update code to remediate the particular weakness.

Are there any ways of looking just at the new analysis results and filtering out old results?

Yes, filters can be applied to the list of findings to only display “new” findings since the last analysis. In addition, filters can also be applied to findings that were fixed using the “gone” filter, which are those findings that did not occur in the latest analysis.

How do I determine fidelity in my analysis when it comes to false positives?

As a user goes through the triage process, the user determines that a particular vulnerability is a false positive. This is not an automatic process. When applicable, there are bulk operations that can be performed to flag several findings as false positives. These bulk operations help to streamline the triage process. Any finding identified in future analysis runs that has already been identified as a false positive will automatically be marked as a false positive in new analysis runs.

What issue tracking tools does Code Dx integrate with?

Code Dx currently integrates with JIRA, the popular software development issue and bug tracking tool used by agile software development teams.

What continuous integration servers does Code Dx integrate with?

Code Dx currently integrates with the Jenkins extensible open-source continuous integration server.

What Dynamic Application Security Testing (DAST) tools does Code Dx support?

Currently Code Dx provides support for the following tools: HP Webinspect, IBM AppScan, Acunetix, Arachni, Burp Suite, Netsparker, OWASP ZAP, Veracode, and WhiteHat Sentinel Dynamic.

Where does my source code and vulnerability analysis results reside? Is my source code stored in the cloud?

The open-source tools that we bundled are contained within Code Dx. There is no cloud/SAS version of Code Dx, and bundled tools and the tools that we bundle also do not reside in the cloud. They are all local to your installation. The only tool that reaches out to the internet (if available) is Dependency-Check to pull in the latest CVEs from NIST’s National Vulnerability Database (NVD). All your source code and analysis results remain within your network, under your control.

What software compliance industry standards does Code Dx support?

Code Dx currently supports the following standards: Open Web Application Security Project (OWASP) Top 10, CWE/SANS Top 25, Software Fault Patterns (SFP), Seven Pernicious Kingdoms (7PK), CERT Coding Standard, Web Application Security Consortium (WASC), Comprehensive, Lightweight Application Security Process (CLASP), Defense Information Security Agency (DISA) Security Technical Information Guidelines (STIGs), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS (Enterprise only)).

How much does it cost to get a software assurance program started with Code Dx in my company?

You can kick-start your company’s software assurance program with Code Dx for as little as $2,500. Stat! provides support for a dozen open-source bundled SAST tools. A five-user annual license is only $2,500 per year with no limit on the number of projects or lines of code that Code Dx can evaluate!

Can Code Dx scan third-party software components?

Yes. Code Dx has two bundled scanners to check for the use of vulnerable third-party components. Just upload a zip of your source/binaries and Code Dx will analyze it. We bundle Dependency-Check, which checks for vulnerable third-party components in Java, .NET applications, and Python applications, and Retire.js, which checks for the use of vulnerable JavaScript components such as JQuery or Angular. This blog post talks a little more about this feature.

How do I obtain Code Dx Enterprise for evaluation?

That’s easy. Just go to our website and request an evaluation of Code Dx to let us know you are interested in evaluating Enterprise. We will contact you before sending you an Enterprise evaluation license key.

What version control system does Code Dx support?

Code Dx currently integrates with the Git version control system, a free and open-source distributed system designed to handle everything from small to very large projects. If you are using a tool like IBM Clearcase and Jenkins for a build server, Jenkins can pull the source code from Clearcase, run your build, and then send results to Code Dx.

Can the Code Dx server use our domain/LDAP for authentication or does it use its own?

Code Dx can use your own Active Directory or LDAP. Alternatively, you can create local Code Dx users as well.

Regarding the developer plugins, are there scanning capabilities for the source code the developers are working on?

The IDE plugins do allow developers to analyze their source code using our bundled open-source tools as they are developing, prior to them committing to source control. With a single click, the code is sent to the Code Dx server, the bundled tools are run, and the developer sees their results in their IDE. Those results are shared with the rest of the team, although if they want, a developer can create their own Code Dx project that acts like their own sandbox. See our blog post on our IDE integration. For commercial tools, those results will still appear within the IDE, but they have to be run independent of Code Dx.

Is it possible to add custom tool rules to Code Dx?

Enterprise allows you to give Code Dx the results from custom tools. You would need to convert the unsupported tool output file into our command Code Dx file format. Examples of this are available in your evaluation—see the “Code Dx XML Schemas and Examples” in the drop-down menu located to the right of the question mark help icon. For adding rules to a bundled tool like PMD, Code Dx Enterprise takes in the result of PMD, so if you run PMD on your own, Code Dx would be able to read in the results. Any custom rules would still appear in Code Dx, including on the rule configuration page.