Frequently Asked Questions about Code Dx
What are the hardware and software requirements for installing Code Dx?
We are often asked about hardware requirements, but there is no single answer: it depends largely on how many Code Dx projects will be active at the same time, how frequently analyses will be run, and how many concurrent users are expected to use the system.
Having said that, there is a recommended minimum hardware configuration:
- Dual-core CPU
- 8GB of RAM
- 10 GB hard-disk, SSD is strongly recommended
- Windows (10 and Server 2012 R2+), macOS 10.14+, or Linux (Ubuntu 16+, RHEL/CentOS 7+)
Code Dx is pre-packaged with most of its requirements. There are, however, certain prerequisites for installations that will use the .NET scanning support of Code Dx. For .NET analysis, the .NET runtime is required, and it is strongly recommended to install FxCop and CAT.NET.
Please see our fully documented guide on requirements.
How do I obtain Code Dx Enterprise for evaluation?
That’s easy. Just follow the link to request an evaluation of Code Dx Enterprise. We will contact you before sending you an Enterprise evaluation license key.
What tools (bundled, SAST, DAST, IAST, Infrastructure, software composition, and other tools) does Code Dx support?
What are the supported Continuous Integration (CI) servers and Integrated Development Environments (IDEs)?
A full listing of our CIs and IDEs can be found on our plugins page.
What issue trackers does Code Dx support?
See a complete list of our issue trackers.
What compliance standards are included in Code Dx?
See a complete list of all our compliance standards and tools.
What programming languages does Code Dx support?
See a complete list of our programming languages.
Does Code Dx require a dedicated server?
No. Code Dx is a Java-based tool that can reside on an existing web server or a virtual machine. A dedicated server is not needed. Use whatever configuration works best for your environment.
What are the inputs to Code Dx?
How are tool vulnerability severities presented in Code Dx?
Our engineering team has performed a complete analysis of multiple static source code analysis tools to determine how vulnerabilities are categorized and presented. Each tool represents the severity of the vulnerabilities and weaknesses it finds differently. Some tools use a scale from 1 to 10 where 1 means “severe”; other tools use a scale from 1 to 5 where 5 means “severe”; still others use text-based categories ranging from “nuisance” to “critical.” Code Dx compares all of the severity categories from these tools and has established normalized severities that map each tool's scale onto the Critical, High, Medium, Low, and Info categories.
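As an added illustration of the kind of normalization described above (this is example code, not Code Dx's own mapping tables), the block below takes the three scale types the answer mentions, a 1–10 scale where 1 is severe, a 1–5 scale where 5 is severe, and a text scale from “nuisance” to “critical”, and maps each onto the common Critical/High/Medium/Low/Info ladder. The tool names `tool_a`, `tool_b`, `tool_c` and their scale definitions are assumptions constructed for the example.

```python
"""Normalize the severity scales of several analysis tools onto the common
Critical / High / Medium / Low / Info ladder.

Added example, not Code Dx's own mapping tables: the scale definitions and
tool names below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ["Info", "Low", "Medium", "High", "Critical"]  # least to most severe


@dataclass(frozen=True)
class NumericScale:
    """A tool's numeric severity range and which end means 'severe'."""
    low: int
    high: int
    high_is_severe: bool


def normalize_numeric(value: int, scale: NumericScale) -> str:
    """Map a value on the tool's scale onto one of LEVELS.

    The value is placed on a 0..1 line where 1 is most severe (flipping the
    direction for scales where the low number means severe), then bucketed
    into five equal-width bands.
    """
    if not scale.low <= value <= scale.high:
        raise ValueError(f"{value} is outside {scale.low}..{scale.high}")
    position = (value - scale.low) / (scale.high - scale.low)
    if not scale.high_is_severe:
        position = 1.0 - position
    index = min(int(position * len(LEVELS)), len(LEVELS) - 1)
    return LEVELS[index]


# Constructed per-tool definitions (assumption); a real tool's scale must be
# taken from its own documentation.
NUMERIC_SCALES = {
    "tool_a": NumericScale(low=1, high=10, high_is_severe=False),  # 1 = severe
    "tool_b": NumericScale(low=1, high=5, high_is_severe=True),    # 5 = severe
}
TEXT_SCALES = {
    "tool_c": {"nuisance": "Info", "minor": "Low", "moderate": "Medium",
               "major": "High", "critical": "Critical"},
}


def normalize(tool: str, raw) -> str:
    """Normalize a raw severity value reported by `tool`; unknown tools or
    unknown text labels are rejected rather than silently mapped."""
    if tool in NUMERIC_SCALES:
        return normalize_numeric(int(raw), NUMERIC_SCALES[tool])
    if tool in TEXT_SCALES:
        try:
            return TEXT_SCALES[tool][str(raw).strip().lower()]
        except KeyError:
            raise ValueError(f"{tool!r} reported unknown severity {raw!r}") from None
    raise ValueError(f"no severity mapping defined for tool {tool!r}")


def sort_by_severity(findings):
    """Order (tool, raw_severity, title) tuples most severe first, so a
    triage list that mixes tools is sorted on one scale."""
    return sorted(findings,
                  key=lambda f: LEVELS.index(normalize(f[0], f[1])),
                  reverse=True)


if __name__ == "__main__":
    sample = [("tool_a", 1, "SQL injection"), ("tool_b", 3, "Weak hash"),
              ("tool_c", "Nuisance", "Unused import"), ("tool_a", 10, "Style")]
    for tool, raw, title in sort_by_severity(sample):
        print(f"{normalize(tool, raw):8} {tool:7} {raw!s:9} {title}")
```

The bucketing is equal-width, which is a choice rather than a requirement; a tool whose scale is not linear (for example, where only the top two values are meant to be actionable) needs its own table, which is why `normalize` rejects anything it has no explicit mapping for instead of guessing.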
How do I drill down to see the line of code that has a particular vulnerability?
Code Dx has a drill-in capability by clicking on the specific vulnerability within the triage list. This brings the user to a detailed weakness analysis page where the user is presented with the specific line(s) of code affected by the vulnerability. It also displays any other weaknesses found for the specified line of code and offers detailed explanations of the weakness (through the CWEVis.org and various MITRE CWE-friendly websites), as well as mechanisms for real-time collaboration with fellow analysts, auditors, and developers in an effort to help the user update code to remediate the particular weakness.
Are there any ways of looking just at the new analysis results and filtering out old results?
Yes, filters can be applied to the list of findings to only display “new” findings since the last analysis. In addition, filters can also be applied to findings that were fixed using the “gone” filter, which are those findings that did not occur in the latest analysis.
How do I determine fidelity in my analysis when it comes to false positives?
As a user goes through the triage process, it is the user who determines that a particular vulnerability is a false positive; this is not an automatic process. When applicable, bulk operations can be used to flag several findings as false positives at once, which helps to streamline triage. Any finding in a future analysis run that has already been identified as a false positive will automatically be marked as a false positive in that new run.
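The “new” and “gone” filters from the previous question and the carry-forward of false-positive verdicts described here both depend on matching findings across two analysis runs. The block below is an added example of that matching, not Code Dx's code: the page does not describe how Code Dx identifies the same finding in two runs, so the fingerprint used here (tool, rule, file path and the flagged source text, deliberately ignoring the line number) is an assumption, and the sample findings and tool names are constructed.

```python
"""Work out which findings are new, which are gone, and which carry forward
between two analysis runs, and carry forward false-positive triage.

Added example, not Code Dx's code: how Code Dx matches findings across runs is
not described on the page, so the fingerprint used here (tool, rule, file and
the flagged source text) is an assumption; the findings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str      # CWE id or the tool's rule name
    path: str
    line: int
    snippet: str   # source text of the flagged line

    def fingerprint(self):
        # Line numbers move whenever code above a finding is edited, so the
        # key deliberately leaves out `line` and uses the flagged text instead.
        return (self.tool, self.rule, self.path, self.snippet.strip())


def diff_runs(previous, current):
    """Split `current` into (new, gone, existing) relative to `previous`."""
    prev = {f.fingerprint(): f for f in previous}
    cur = {f.fingerprint(): f for f in current}
    new = [cur[k] for k in cur.keys() - prev.keys()]
    gone = [prev[k] for k in prev.keys() - cur.keys()]   # fixed or vanished
    existing = [cur[k] for k in cur.keys() & prev.keys()]
    return new, gone, existing


def apply_triage(findings, triage):
    """Return {finding: status}. A finding whose fingerprint was previously
    marked false-positive inherits that verdict; everything else is
    'unreviewed' and needs a human decision."""
    return {f: triage.get(f.fingerprint(), "unreviewed") for f in findings}


def bulk_mark(findings, triage, predicate, status="false-positive"):
    """Bulk operation: record `status` for every finding matching `predicate`.
    Returns the number of findings marked."""
    matched = [f for f in findings if predicate(f)]
    for f in matched:
        triage[f.fingerprint()] = status
    return len(matched)


# Constructed sample runs.
PREVIOUS = [
    Finding("tool_a", "CWE-89", "src/Dao.java", 42,
            'stmt.execute("SELECT * FROM t WHERE id=" + id);'),
    Finding("tool_a", "CWE-78", "src/Shell.java", 10,
            "Runtime.getRuntime().exec(cmd);"),
    Finding("tool_b", "CWE-476", "src/Util.java", 7, "return obj.toString();"),
]
CURRENT = [
    # Same SQL finding; the file grew above it, so the line moved 42 -> 50.
    Finding("tool_a", "CWE-89", "src/Dao.java", 50,
            'stmt.execute("SELECT * FROM t WHERE id=" + id);'),
    # The CWE-78 finding was fixed and no longer appears.
    Finding("tool_b", "CWE-476", "src/Util.java", 7, "return obj.toString();"),
    # A brand-new finding.
    Finding("tool_a", "CWE-79", "src/View.java", 3,
            'out.println(request.getParameter("q"));'),
]
# The analyst marked the CWE-476 finding false-positive in the previous run.
TRIAGE = {PREVIOUS[2].fingerprint(): "false-positive"}

if __name__ == "__main__":
    new, gone, existing = diff_runs(PREVIOUS, CURRENT)
    print("new:", [f.rule for f in new])
    print("gone:", [f.rule for f in gone])
    for finding, status in apply_triage(CURRENT, TRIAGE).items():
        print(f"{finding.path}:{finding.line} {finding.rule} -> {status}")
```

The point of the moved line in the sample is the usual failure mode of a naive diff: if the fingerprint included the line number, the unchanged SQL finding would show up as both “gone” and “new” after any edit above it, and its triage history would be lost. Keying on the flagged text avoids that, at the cost of treating a finding whose line was reworded as new, which is the conservative outcome for a false-positive verdict.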
Where does my source code and vulnerability analysis results reside? Is my source code stored in the cloud?
Can Code Dx scan third-party software components?
What version control system does Code Dx support?
Code Dx currently integrates with the Git version control system, a free and open-source distributed system designed to handle everything from small to very large projects. If you are using a tool like IBM ClearCase with Jenkins as a build server, Jenkins can pull the source code from ClearCase, run your build, and then send the results to Code Dx.
Can the Code Dx server use third-party/external authentication?
Code Dx can use your own Active Directory or LDAP server as well as SAML. Alternatively, you can create local Code Dx users.
Regarding the developer plugins, are there scanning capabilities for the source code the developers are working on?
The IDE plugins do allow developers to analyze their source code with our bundled open-source tools as they are developing, before committing to source control. With a single click, the code is sent to the Code Dx server, the bundled tools are run, and the developer sees the results in their IDE. Those results are shared with the rest of the team, although a developer who prefers to can create their own Code Dx project that acts as a personal sandbox. Results from commercial tools will still appear within the IDE, but those tools have to be run independently of Code Dx.