Frequently Asked Questions about Code Dx

What are the hardware and software requirements for installing Code Dx?
Hardware Requirements

Although we often get asked what the hardware requirements are, there is no one answer since it largely depends on how many Code Dx projects will be active at the same time, how frequently analyses will be conducted, and how many concurrent users are expected to use the system.

Having said that, there is a recommended minimum hardware configuration:

  • Dual-core CPU
  • 8GB of RAM
  • 10 GB of disk space; an SSD is strongly recommended
  • Windows (10 and Server 2012 R2+), macOS 10.14+, or Linux (Ubuntu 16+, RHEL/CentOS 7+)

Software Requirements

Code Dx is pre-packaged with most of its requirements. There are, however, certain prerequisites for installations that will use the .NET scanning support of Code Dx. For .NET analysis, the .NET runtime is required, and it is strongly recommended to install FxCop and CAT.NET.

Please see our fully documented guide on requirements.

How do I obtain Code Dx Enterprise for evaluation?

That’s easy. Just follow the link to request an evaluation of Code Dx Enterprise. We will contact you before sending you an Enterprise evaluation license key.

What tools (bundled, SAST, DAST, IAST, Infrastructure, software composition, and other tools) does Code Dx support?

See a complete list of all our supported tools.

What are the supported Continuous Integration (CI) servers and Integrated Development Environments (IDEs)?

A full listing of our CIs and IDEs can be found on our plugins page.

What issue trackers does Code Dx support?

See a complete list of our issue trackers.

What compliance standards are included in Code Dx?

See a complete list of all our compliance standards and tools.

What programming languages does Code Dx support?

See a complete list of our programming languages.

Does Code Dx require a dedicated server?

No. Code Dx is a Java-based tool that can reside on an existing web server or a virtual machine. A dedicated server is not needed. Use whatever configuration works best for your environment.

What are the inputs to Code Dx?

To run Code Dx’s bundled tools on your code base, upload zip files of source code (C, C++, C#, Java, JavaScript, JSP, PHP, Python, Rails, Ruby, Scala, VB.NET, and XML/XSL). Code Dx Enterprise accepts exported result files from the supported tools, typically in XML format. Enterprise also supports the direct import of result data from several third-party commercial tools. For unsupported or custom tools, Code Dx offers the option to convert findings into a documented Code Dx XML format for upload.

How are tool vulnerability severities presented in Code Dx?

Our engineering team has performed a complete analysis of multiple static source code analysis tools to determine how vulnerabilities are categorized and presented. Each tool represents the severity of the vulnerabilities and weaknesses it finds differently. For example, some tools use a scale from 1 to 10 where 1 means “severe,” while others use a scale from 1 to 5 where 5 means “severe.” Still others use text-based categories ranging from “nuisance” to “critical.” Code Dx compares the severity categories of all these tools and maps each of them to a normalized set of severities: Critical, High, Medium, Low, and Info.

How do I drill down to see the line of code that has a particular vulnerability?

Clicking a specific vulnerability in the triage list drills in to a detailed weakness analysis page that shows the specific line(s) of code affected by the vulnerability. That page also displays any other weaknesses found for the same line of code and offers detailed explanations of the weakness (through CWEVis.org and various MITRE CWE-related websites), as well as mechanisms for real-time collaboration with fellow analysts, auditors, and developers to help the user update the code and remediate the weakness.

Are there any ways of looking just at the new analysis results and filtering out old results?

Yes. The “new” filter limits the findings list to findings first reported in the latest analysis. The “gone” filter shows findings that were fixed, that is, findings from a previous analysis that did not occur in the latest one.

How do I determine fidelity in my analysis when it comes to false positives?

Marking a finding as a false positive is a decision the user makes during triage; it is not an automatic process. Where applicable, bulk operations let you flag several findings as false positives at once, which streamlines triage. Once a finding has been marked as a false positive, the same finding reported in a future analysis run is automatically marked as a false positive again.
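As an added illustration (not Code Dx’s own code), the following Python models how the “new” and “gone” filters and the automatic carry-over of false-positive status described above could be computed by comparing two analysis runs. It assumes a finding is matched across runs by a constructed fingerprint of tool, rule, file and line; Code Dx’s actual matching rules are not described on this page, and the tool names in the sample data are constructed.

```python
from dataclasses import dataclass

# Constructed model of a finding in a triage list. Matching findings across
# runs by (tool, rule, file, line) is an assumption made for this example,
# not Code Dx's documented matching logic.
@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    file: str
    line: int
    status: str = "open"  # "open" or "false_positive"

    def key(self):
        return (self.tool, self.rule, self.file, self.line)


def compare_runs(previous, latest):
    """Split the latest run into new, gone and carried-over findings.
    new: first seen in the latest run ("new" filter);
    gone: present before but absent now, i.e. fixed ("gone" filter);
    carried: seen in both runs, with an earlier false-positive status re-applied."""
    prev_by_key = {f.key(): f for f in previous}
    latest_keys = {f.key() for f in latest}
    new, carried = [], []
    for f in latest:
        old = prev_by_key.get(f.key())
        if old is None:
            new.append(f)
        elif old.status == "false_positive":
            # Earlier triage decision is re-applied without user action.
            carried.append(Finding(f.tool, f.rule, f.file, f.line, "false_positive"))
        else:
            carried.append(f)
    gone = [f for f in previous if f.key() not in latest_keys]
    return new, gone, carried


# Constructed sample runs: one finding fixed, one new, one previously
# triaged as a false positive.
PREVIOUS_RUN = [
    Finding("FindBugs", "SQL_INJECTION", "src/Dao.java", 42),
    Finding("PMD", "UnusedImport", "src/App.java", 3, "false_positive"),
    Finding("Brakeman", "XSS", "app/views/show.erb", 7),
]
LATEST_RUN = [
    Finding("PMD", "UnusedImport", "src/App.java", 3),
    Finding("Brakeman", "XSS", "app/views/show.erb", 7),
    Finding("FindBugs", "PATH_TRAVERSAL", "src/Files.java", 88),
]
```

Calling `compare_runs(PREVIOUS_RUN, LATEST_RUN)` yields the path-traversal finding as new, the SQL-injection finding as gone, and the PMD finding carried over already marked as a false positive.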

Where does my source code and vulnerability analysis results reside? Is my source code stored in the cloud?

The open-source tools that we bundle are contained within Code Dx. There is no cloud/SaaS version of Code Dx. The bundled tools are local to your installation. The only tool that reaches out to the Internet (if available) is Dependency-Check, for the purpose of getting the latest CVEs from NIST’s National Vulnerability Database (NVD). All your source code and analysis results remain within your network, under your control.

Can Code Dx scan third-party software components?

Yes, Code Dx checks for the use of vulnerable third-party components. Just upload a zip of your source and binaries and Code Dx will analyze them. Dependency-Check is bundled, and it looks for vulnerable third-party components in Java, .NET, and Python applications. Dependency-Check also scans with Retire.js, which checks for the use of vulnerable JavaScript components such as jQuery or Angular.

What version control system does Code Dx support?

Code Dx currently integrates with the Git version control system, a free and open-source distributed system designed to handle everything from small to very large projects. If you are using a tool like IBM ClearCase and Jenkins as a build server, Jenkins can pull the source code from ClearCase, run your build, and then send results to Code Dx.

Can the Code Dx server use third-party/external authentication?

Code Dx can use your own Active Directory or LDAP server as well as SAML. Alternatively, you can create local Code Dx users.

Regarding the developer plugins, are there scanning capabilities for the source code the developers are working on?

The IDE plugins do allow developers to analyze their source code using our bundled open-source tools as they are developing, before they commit it to source control. With a single click, the code is sent to the Code Dx server, the bundled tools are run, and the developer sees the results in their IDE. Those results are shared with the rest of the team, although a developer can, if they want, create their own Code Dx project to act as a personal sandbox. Results from commercial tools still appear in the IDE, but those tools have to be run independently of Code Dx.

Is it possible to add results from tools that Code Dx does not support?

Yes, you can convert the unsupported tool’s output file to the Code Dx file format. Download “Code Dx XML Schemas and Examples” from the drop-down menu located to the right of the question mark in the header.

Can you add custom rules to Code Dx?

Yes, you can add rules on the Rule Set page. See our User Guide for more information.