Current Behavior
Analysis can use multiple sources: internal DB matching (internal), OSS Index, and Snyk when configured.
The internal analyzer serves users who rely on mirrored/public intelligence rather than a paid SCA product.
Among commercial paths exposed in this codebase today, Snyk is the primary vendor-specific SCA integration in vuln-analysis/snyk.
Proposed Behavior
Add an optional Checkmarx SCA analyzer, enabled only when configured (credentials, feature flag, org/project identifiers as required by Checkmarx APIs), analogous to Snyk.
Implement it as a new Maven module under vuln-analysis/ (e.g. vuln-analysis/checkmarx) that:
implements VulnAnalyzer (same extension point as Snyk/OSS Index),
contains a Checkmarx-specific API client and the response parsing/mapping to the existing CycloneDX VDR shape consumed by the vuln analysis workflow,
does not reuse Snyk DTOs or parsers for Checkmarx payloads.
When Checkmarx is disabled or misconfigured, behavior is unchanged: no Checkmarx traffic, no requirement for Checkmarx credentials.
Register the new module in vuln-analysis/pom.xml (alongside snyk, oss-index, etc.) and wire it through the same plugin / factory patterns used by existing analyzers.
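To make the "enabled only when configured" contract concrete, here is an added sketch (not code from this project) of how the module's configuration gate can be written so that a disabled or half-configured Checkmarx integration never builds an HTTP client and therefore never sends traffic or demands credentials. The VulnAnalyzer interface shape, the property names (checkmarx.enabled, checkmarx.api.token, checkmarx.org.id, checkmarx.project.id) and the class names are assumptions for illustration; the real Checkmarx API call is left as a placeholder.

```java
// Added example, not the project's code. The interface, property names and
// class names below are assumptions chosen to illustrate the gating contract.
import java.util.List;
import java.util.Map;
import java.util.Optional;

/** Assumed (hypothetical) shape of the project's analyzer extension point. */
interface VulnAnalyzer {
    String name();
    boolean isEnabled();
    List<String> analyze(List<String> purls);  // simplified: returns vulnerability ids
}

/** Validated Checkmarx settings; an instance exists only when every required value is present. */
record CheckmarxConfig(String apiToken, String orgId, String projectId) {
    // Hypothetical property names for this example.
    static final String ENABLED = "checkmarx.enabled";
    static final String TOKEN = "checkmarx.api.token";
    static final String ORG = "checkmarx.org.id";
    static final String PROJECT = "checkmarx.project.id";

    /**
     * Returns a config only when the feature flag is on AND all identifiers/credentials are set.
     * Flag on but a value missing counts as misconfiguration: we log and stay disabled instead of
     * throwing, so the remaining analyzers (internal, OSS Index, Snyk) are unaffected.
     */
    static Optional<CheckmarxConfig> fromProperties(Map<String, String> props) {
        if (!Boolean.parseBoolean(props.getOrDefault(ENABLED, "false"))) {
            return Optional.empty();                       // feature flag off: silently disabled
        }
        String token = props.get(TOKEN), org = props.get(ORG), project = props.get(PROJECT);
        if (isBlank(token) || isBlank(org) || isBlank(project)) {
            System.err.println("checkmarx: enabled but credentials/identifiers incomplete; analyzer stays disabled");
            return Optional.empty();
        }
        return Optional.of(new CheckmarxConfig(token, org, project));
    }

    private static boolean isBlank(String s) { return s == null || s.isBlank(); }

    @Override public String toString() {                   // keep the token out of logs and dumps
        return "CheckmarxConfig[orgId=" + orgId + ", projectId=" + projectId + ", apiToken=***]";
    }
}

/** Placeholder for the real Checkmarx HTTP client; only ever constructed when fully configured. */
final class CheckmarxClient {
    CheckmarxClient(CheckmarxConfig cfg) { /* real module would set up auth headers here */ }
    List<String> scan(List<String> purls) { return List.of(); } // real call to the Checkmarx API goes here
}

final class CheckmarxAnalyzer implements VulnAnalyzer {
    private final Optional<CheckmarxConfig> config;
    private final CheckmarxClient client;                  // null when disabled: no client, no traffic

    CheckmarxAnalyzer(Map<String, String> props) {
        this.config = CheckmarxConfig.fromProperties(props);
        this.client = config.map(CheckmarxClient::new).orElse(null);
    }

    @Override public String name() { return "checkmarx"; }
    @Override public boolean isEnabled() { return config.isPresent(); }

    @Override public List<String> analyze(List<String> purls) {
        if (!isEnabled()) return List.of();                // fail closed: never reach the network
        return client.scan(purls);
    }
}

class GatingDemo {
    public static void main(String[] args) {
        // Constructed property sets: disabled, misconfigured (flag on, token missing), fully configured.
        Map<String, String> off = Map.of();
        Map<String, String> partial = Map.of(CheckmarxConfig.ENABLED, "true", CheckmarxConfig.ORG, "org-1");
        Map<String, String> full = Map.of(CheckmarxConfig.ENABLED, "true", CheckmarxConfig.TOKEN, "t",
                CheckmarxConfig.ORG, "org-1", CheckmarxConfig.PROJECT, "proj-1");

        for (Map<String, String> props : List.of(off, partial, full)) {
            VulnAnalyzer a = new CheckmarxAnalyzer(props);
            // A factory would filter on isEnabled() and skip disabled analyzers entirely.
            System.out.println(a.name() + " enabled=" + a.isEnabled());
        }
    }
}
```

The important property is that the factory's `isEnabled()` filter and the analyzer's own `analyze()` guard agree: a disabled analyzer has no client object at all, so there is no code path that could reach Checkmarx without complete credentials.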
Checklist