Checkmarx SAST Certified Engineer CxCEPASsLearn Amp

The document discusses a Checkmarx certification exam containing multiple choice questions on Checkmarx concepts and features. It covers topics like incremental scanning, query customization, presets, slicing projects, and integrating Checkmarx with other tools.

Uploaded by dekaya4025

Checkmarx SAST Certified Engineer (CxCE)

(Attempt 2 of 3)


You scored

83% in 0:41:01
Congratulations, you got over the pass score of 80%.

Question 1

Query customization via CxAudit can reduce result review / triage efforts

True 
False

Question 2 Incorrect!

As it pertains to incremental scanning, a full scan should be run under all of the following
conditions except

When Checkmarx has been upgraded

If query customizations have been made

When presets are changed 


when a namespace or package is refactored

On a regular schedule

Question 3

Security policy alone should govern KPIs and how they are measured.

True

False 

Question 4

Engine Servers don't require a license.

True 
False

Question 5

Teams in Checkmarx are often organized to align with development team structure.

True 
False

Question 6

What do CxQL queries run against?

A - DOM

B - DFG

C - AST

A and B 
A and C

Question 7 Incorrect!

Which of the following statements are correct?

Checkmarx can open tickets in Jira automatically 


Checkmarx can open tickets in TFS automatically 
CxSAST can open tickets in Jira manually, through the Results panel, clicking on the Open
Issue button 
Checkmarx can close tickets manually in TFS

All of the above

Question 8

When creating a preset, the synchronize button will select similar queries across all Checkmarx
supported languages by CWE.

True 
False

Question 9 Incorrect!

What type of command can be triggered by pre or post scan action?

Only batch commands coded directly into the project configuration

Only batch files present in the executables folder on the server

Any script present in the executables folder on the server

Any executable available on the server or network 


None of the above

Question 10

Checkmarx best practices recommend no more than _____ concurrent scans on a single engine,
even though the default configuration may be different.

2 
3

Question 11

The benefits of code slicing include

speeding up scans

allowing teams to focus on specific areas of an application

providing relief from server limitations -- especially if the project is large

isolating scanning problems within a project

All of the above 

Question 12 Incorrect!

The following is a limitation of custom fields in Checkmarx

Up to 10 custom fields can be specified.

Only 4 custom fields can be specified.

Custom fields become mandatory fields for every project once created.

Custom fields cannot accept numeric values.

None of the above. 

Question 13

Source-pulling uses a pre-scan action to move code to a network share for scanning.

True 
False

Question 14

The Cx CLI can launch OSA scans.

True 
False

Question 15 Incorrect!

A company has a very small development team, which manages a multi-million LOC application
and has never done static analysis before. They also have no established application security
policy. Which preset should be used to scan the application?

All

High and Medium Only

Checkmarx Default 
They should create their own

None of the above

Question 16 Incorrect!

Threat modeling helps provide all of the following except

application context

potential attack vectors 


an understanding of known risks/issues

the ability to find all false negatives

reduced false positives

Question 17

What directory is repository (e.g. Git) source code pulled to?

CxSrc 
ExtSrc

UnzippedSrc

Reports

None of the above

Question 18

Organizational AppSec policy can influence which of the following?

A - Preset selection

B - Remediation priority

All of the above 

Question 19

Which of these component(s) of CxSAST communicate directly with the database?

A - SystemManager

B - JobsManager and ScansManager

C - Engine

A and B 
All of the above

Question 20 Incorrect!

Where are engine scan configurations stored?

Engine

Database

Configuration 
ExtSrc

CxSrc

Question 21

Enabling Long Path support on CxManager is the only thing needed to be configured to access files
having long path names.

True

False 

Question 22

Pre / post scan actions are limited to sending an email to the project owner.

True

False 

Question 23

The Engine log provides details about the composition of a scan including LOC, Scan Accuracy, and
query results.

True

False 

Question 24

If a project has some parsing issues, you can resolve them by creating a CxQL query using CxAudit.

True

False 

Question 25

CxSAST OData allows queries on Projects

True 
False

Question 26

Checkmarx supports SSL to the Manager and between the Manager and the Engines.

True 
False

Question 27

Application security policy, compliance requirements, and mandates from leadership do not need
to be considered during the application onboarding process.

True

False 

Question 28

CxSAST supports all the following Source Control (SCM) systems, except

Git

SVN

CVS 
TFS

None of the above

Question 29

Duplicate Project feature copies the following set of properties: Preset, Team and the Last scan
from the source project with all results and remarks.

True

False 

Question 30

If a scan is stuck in "Waiting to process" status, what component may not be running?

Engine

SystemManager

JobsManager 
ScansManager

Portal

Question 31

One of the simplest ways to code slice is to break apart projects by language.

True 
False

Question 32 Incorrect!

To prepare Checkmarx for built-in integration with Jira, the Checkmarx administrator must

A - Modify the Checkmarx web.config file

B - Configure default values for all mandatory issue fields 


C - Mark a result as confirmed 
All of the above

Question 33

Which component of CxSAST is responsible for scanning source code?

Engine 
SystemManager

JobsManager

ScansManager

Portal

Question 34

The Checkmarx portal is capable of integrating with which external Checkmarx services?

Professional services

Checkmarx Dynamic Testing (CDT)

CxRASP

Codebashing 
None of the above

Question 35

Which of the following is not guaranteed as an outcome of application onboarding?

Less false positives

Higher fidelity results

No false negatives 
Actionable data

Happier developers

Question 36 Incorrect!

The SimilarityID is used to track the status of results across many scans. Which of the following
is not associated with a similarityID?

Result state

Result severity

Assigned User

Result comment 
None of the above

Question 37

The 'Executable' folder path is where pre- and post-scan batch files are located on the CxManager
Server.

True 
False

Question 38 Incorrect!

The best way to keep a baseline scan of a project from being deleted by data retention is:

Avoid running data retention until the baseline scan is no longer needed

Set the number of scans to retain for the project to some really high number, like a billion.

Branch the project in Checkmarx and then run data retention

Lock the scan

Run data retention for a date range that does not include the date of the baseline scan 

Question 39

CI Plugins can break builds based on Checkmarx scan results with asynchronous scans.

True

False 

Question 40

Which is built first by the Engine?

AST 
DFG

DOM

Question 41

You must be a SAST Admin to use the REST API

True

False 

Question 42

Checkmarx has full-featured IDE plugins for Eclipse, JetBrains IDEs (e.g., IntelliJ), and Visual
Studio. They may be downloaded at https://www.checkmarx.com/plugins/.

True 
False

Question 43

Jenkins pipeline jobs cannot integrate with the Checkmarx Jenkins plugin; it can only integrate
with the Checkmarx CLI.

True

False 

Question 44

Which component of CxSAST is responsible for performing Data Retention?

Engine

SystemManager

JobsManager 
ScansManager

Portal

Question 45

Once a query has been overridden, a new scan must be conducted to see the result of the
changes made.

True 
False

Question 46

With the Portal or any IDE Plugin, how can you see more information about a Result?

By selecting the question mark next to the vulnerability query 


By double-clicking on the result in the result pane

By using IntelliJ's built-in Google capabilities

Staring at the screen really hard

By pressing CTRL + End +D

Question 47

CxAudit can be used to change the severity of a CxSAST query

True 
False

Question 48

Scan logs may be found here.


A - CxManager server

B - Engine server

C - Database

A and B 
None of the above

Question 49

The query viewer can

help developers understand how Checkmarx finds results

provide information about a vulnerability

allow users to view General queries

provide the ability to modify the query description

All of the above 

Question 50

By design, users can only be mapped to a single team.

True

False 

Question 51

Results from Private Scans are included in Project trends in reports

True

False 

Question 52 Incorrect!

Which component of CxSAST is responsible for generating reports?

Engine

SystemManager

JobsManager

ScansManager 
Portal

Question 53

Which of the following is *not* a CxFlow Workflow?

CI/CD

Repository Driven (Webhook)

Production 
Batch

Question 54 Incorrect!

All of the following are examples of scanning before the build except:

A scan action that occurs after pulling from the source control repository, but before the build
in the build management tool 
A nightly scheduled scan that pulls code directly from the source control repository

A post or pre-receive hook that scans code before a merge occurs in the source control
repository

A developer incrementally scanning code from an IDE such as IntelliJ before committing to the
source control repository

A scan triggered from the command prompt using the command line interface after calling
mvn install

Question 55 Incorrect!

Which component of CxSAST is responsible for unzipping source code?

Engine

SystemManager

JobsManager

ScansManager

Portal 

Question 56

Configuring SMTP settings enables a SMTP server bundled with Checkmarx.

True

False 

Question 57

Which SCM specific integration has a built-in webhook capability?

Github 
Perforce

TFS

SourceSafe

SVN

Question 58

If custom fields have been defined, they become required fields when creating a project.

True

False 

Question 59 Incorrect!

Which of the following steps of the application onboarding process best validates the ability of
Checkmarx to successfully parse and scan the code?

Scan log review

Query customization

Threat modeling

Result review

None of the above 

Question 60

Which of the following details does a CxManager consider before assigning a scan to an Engine?

LOC

Engine LOC configuration

Engine state

All of the above 

Question 61

Which component of CxSAST is responsible for monitoring engine availability?

Engine

SystemManager 
JobsManager

ScansManager

Portal

Question 62

Application onboarding is a process comprised of threat modeling, scan log review, scan tuning,
result review, and query customization.

True 
False

Question 63

Tickets should be opened for Checkmarx Support via e-mail.

True

False 

Question 64

CxSAST OData API can be used by any Checkmarx user?

True

False 

Question 65

Which of the following are commonly used in queries to identify vulnerabilities?

Sources

Sinks

Sanitizers

Data flows

All of the above 

Question 66

CxAudit can be installed on Windows desktops or servers.

True 
False

Question 67

ExtSrc stores source code permanently (until a scan is deleted)?

True

False 

Question 68

Scan performed by CxFlow for a new project returned the following results:

File A: One XSS vulnerability

File B: Two XSS vulnerabilities and two SQL Injection vulnerabilities

File C: One Code Injection vulnerability and two SQL Injection vulnerabilities.

How many JIRA tickets (issues) will be created?

3 
5

Question 69

What is the GB to LoC ratio used in sizing a CxEngine

1.6 GB/ 100,000 LoC 


1 GB/100,000 LoC

32 GB/ 1 million LoC

5 GB/ 200,000 LoC

None of the Above

Question 70

Concurrent Scans license limit is the same as the number of CxEngines

True

False 

Question 71

CxSAST Reports can be generated via the CLI

True 
False

Question 72

When creating a custom integration with a Data Analytics tool, which of the APIs are
recommended to use?

ODATA 
SOAP

GraphQL

REST 

Question 73

Files that have been removed before an incremental scan may still show as results.

True 
False

Question 74 Incorrect!

The App Sec team wants to append metadata to a Checkmarx project to include app owner, tech
stack, major version, SCM used, line of business, and inventory ID. They should

adopt a project naming convention to include all the metadata

submit a feature request to Checkmarx Support, as metadata cannot be ascribed to
Checkmarx projects

create a team structure that incorporates app owner, tech stack, SCM used, and
line of business 
create custom fields for each of the metadata to be tracked for each project

create separate Checkmarx instances for each line of business and SCM used

Question 75

Data retention can be scheduled to run at regular intervals via the Checkmarx Portal.

True

False 

Question 76

Checkmarx all-in-one (or centralized) deployments are easily scaled.

True

False 

Question 77

Incremental scans always run significantly faster than full scans.

True

False 

Question 78 Incorrect!

Which SCM has to have an executable path configured?

Perforce

Mercurial

TFS

SourceSafe 
SVN

Question 79

The Hierarchy View provides a high-level view of the company/team structure.

True 
False

Question 80

All steps of the project configuration must be completed before a project can be scanned.

True

False 

Question 81

Checkmarx presets are a good way to assess application code according to compliance
requirements.

True 
False

Question 82

An SVN client must be installed prior to using source pulling from a Git source code repository.

True

False 

Question 83

If a new executable query is created via CxAudit, it will automatically be added to the All preset.

True

False 

Question 84 Incorrect!

What is the base requirement for a scan to be accepted as incremental?

A. 7% of the code has changed

B. There is no change threshold governing incremental scanning

C. 7% of the files have changed 


D. 3% of the files have changes

C and D

Question 85

CxFlow supports incremental scans

True 
False

Question 86

Reducing the number of presets is a good idea because

it simplifies the preset selection process

it improves control over how development teams use Checkmarx

it can better align Checkmarx with security policy

it makes managing presets easier

All of the above 

Question 87

The number of concurrent scans licensed always matches the number of registered engines.

True

False 

Question 88

Query customizations can be applied at the Corp, Team, and Project level.

True 
False

Question 89

Difficulty detecting input validation (vs. sanitization) is a limitation of Checkmarx.

True 
False

Question 90

CxEngines are licensed

True

False 

Question 91

Sources refer to areas where potentially tainted input or data may be introduced into the
application. Sinks are where that potentially tainted data may manifest itself in the form of an
exploit of the application. Source and sinks represent the beginning and end of data flows within
the application.

True 
False

Question 92 Incorrect!

What information is required to configure a Checkmarx IDE Plugin?

Server URL

Server URL, Credentials

Server URL, Credentials, Project Type, Scan Speed

Version of the IDE in use

None of the above 

Question 93

How can a PowerShell script be executed as a pre / post scan action?

It can't

By selecting the ps1 file as the command when configuring the action

By creating a separate Executables directory that only contains the PowerShell file

By configuring a batch file to execute the PowerShell script. 


By installing a PowerShell plugin for Checkmarx

Question 94

The Cx CLI only runs on Windows systems.

True

False 

Question 95 Incorrect!

Checkmarx hotfixes do not need to be installed on which of the following:

CxManager 
CxEngine 
CxAudit 
None of the above

Question 96

Different installers are used to install the different Checkmarx components.

True

False 

Question 97

I got an error message when trying to log in; which log should I look at first?

WebServices log

Access Control log 


Installation log

Engine log

None of the above

Question 98

Query customizations make sense:

When there are many results and systemic false positives

When a false negative was found by a penetration test


When a framework is in use and not supported by Checkmarx

When custom sanitization routines are in use

All of the above 

Question 99

The similarityID calculation includes all of the following except

The method signature encapsulating the sink node

The Checkmarx query ID

The file name

The relative path of the file 


The number of spaces before the first element of the source node

Question 100

It is a good idea to customize a query if

A - There are large volumes of false positive results for a query

B - Common coding patterns or libraries are used

C - The code base is legacy and not actively being developed

Both A and B 
All of the above

Question 101

Increasing the number of concurrent scans automatically gives a user more scanning capacity.

True

False 

Question 102

After result review/triage has been done for a project, each true finding found should be marked
as Confirmed, and any false positives should be marked as Not Exploitable with a comment
describing why it is not exploitable.

True 
False

Question 103 Incorrect!

Which scans are prioritized in CxSAST?

A - Smaller scans

B - Larger scans

C - Scans from System Manager

A and C

B and C 

Question 104

In the IDE plugins, how can you view the best fix location?

By selecting lines in the results pane

By viewing the results in the Graph View 


By reading the tooltip for a result

You can't

By installing a special best fix location plugin for Checkmarx

Question 105 Incorrect!

Which component of CxSAST is responsible for beautifying minified JS?

Engine

SystemManager

JobsManager

ScansManager 
Portal

Question 106

The Jenkins scripted pipeline DSL is based on the syntax of what programming language?

C#

Python

Perl

Groovy 
None of the above

Question 107 Incorrect!

Which is not a supported SCM?

Git

Perforce 
TFS

SourceSafe

SVN

Question 108

For HTTP, not HTTPS, it is important to ensure that organizational firewalls allow all of the
following except:

HTTP (TCP port 80) from clients such as IDE plugins to the CxManager host

HTTP (TCP port 80) should also be opened between the CxManager and all CxEngines in a
distributed architecture

SQL Server traffic by default on TCP port 1433 from the CxManager to SQL Server

HTTP (TCP port 80) from clients such as CI/CD plugins or the Command Line Interface to the
CxManager host

HTTP (TCP port 8080) should also be opened between the CxManager and all CxEngines in a
distributed architecture 

Question 109

Incremental scanning represents a tradeoff between scan quality and scan speed.

True 
False

Question 110

You must be a SAST Admin to use the CxSAST OData API

True

False 

Question 111

CxQL is a DSL based on what language?

JavaScript

Perl

Python

VB

C# 

Question 112 Incorrect!

What directory is zipped source code unzipped to?

None of the above

Reports

UnzippedSrc 
ExtSrc

CxSrc

Question 113

New queries can only be added at the project level.

True

False 

Question 114 Incorrect!

Which of the following statements are correct?

A - CxSAST can close tickets in JIRA manually

B - Closed tickets in JIRA will change the status of a CxSAST result to not exploitable.

C - CxSAST cannot close tickets. However, this can be done through CxFlow.

D - Closing tickets should be done in JIRA manually, after confirming the vulnerabilities are
fixed correctly

Answers C and D 

Question 115

As a user with the Admin role, which of the following do I have permission to retrieve from the
Checkmarx Portal?

A - Scan logs

B - System logs

C - IIS Logs

D-A&B 
All of the above

Question 116

Only the SAST Auditor can see the query source in the Query Viewer.

True

False 

Question 117

Checkmarx cannot integrate at all with which of the following CI systems?

Jenkins

Maven

CircleCI

None of the above 

Question 118

A best practice is to audit query customizations periodically.

True 
False

Question 119

This dashboard/table can be helpful when troubleshooting issues with Checkmarx, because it
shows host details, state, and version and hotfix information.

Result Viewer

Scans List

Tree Branch View

Project State

Installation Information 

Question 120

Once a project is assigned to a team, it cannot be reassigned to a different team.

True

False 

Question 121

The JIRA ticket created by Checkmarx will provide a link to the vulnerability associated with the
ticket.

True 
False

Question 122

Scan frequency and project size are typically combined to determine how many Checkmarx
engines and concurrent scans may be needed.

True 
False

Question 123

For project X, the number of scans to keep was specified at 5. When the 6th scan is run,
Checkmarx will automatically delete the oldest scan.

True

False 

Question 124

When planning to run the first scan of a project, security policy, a threat model of the application,
and available resources to work with scan results should be considered.

True 
False

Question 125

It is good practice to create language-specific presets.

True

False 

Question 126

CxSAST can integrate with any other defect tracking system, as long as CxFlow has the corresponding
support implemented

True 
False

Question 127

CxSrc stores source code permanently (until a scan is deleted)?

True 
False

Question 128

OData provides data access to which of the following main data objects?

Scans 
Organization Data

Scanners

Users

License information

Question 129

An incremental scan is always compared to the last full scan.

True 
False

Question 130

Developers or Dev Team leads do not need to participate in the application onboarding process;
their sole responsibility is to fix results found by Checkmarx.

True

False 

Question 131

Checkmarx runs on Oracle and Microsoft SQL Server DBMS.

True

False 

Question 132

When an incremental scan is submitted, what gets scanned?

A - All of the application code

B - 7% of the application code

C - Changed files

D - A configurable closure of unchanged files

C and D only 

Question 133

An engine with 4 cores is meant to run how many scans simultaneously?

1 
2

Question 134

CxSAST reports can be exported to the following formats

PDF

RTF

CSV

XML

All of the above 

Question 135

A scan successfully completed but is showing no results, where should you look to see if there
were problems with the scan?

JobsManager log

ScansManager log

Scan log 
Engine log

WebClient log

Question 136

To build automation to manage Checkmarx Engines, I should use

Ruby slippers

Cx CLI

SOAP SDK

REST API 
OData API

Question 137

The parameters specified when launching data retention will always override project settings.

True

False 

Question 138

Which of the following is a limitation of metrics obtained from static analysis testing?

Pulling metrics is slow.

Static analysis metrics focus mostly on code quality.

Static analysis does not fully consider application context. 


Static analysis only scans binaries.

None of the above

Question 139

If a scan is stuck in "New" status, what component may not be running?

Engine

SystemManager

JobsManager

ScansManager 
Portal

Question 140

To launch a Checkmarx scan from a custom, Linux-based build server, I should use

CxARM

Cx CLI 
SOAP SDK

REST API

OData API

Question 141

JIRA is the only bug tracker supported by CxFlow

True

False 

Question 142

Data retention can be launched via APIs

True 
False

Question 143

On the flow graph (best fix location graph), each data flow is represented by a

SingularityID

DataFlowID

BestFixPathID

SimilarityID 
None of the above

Question 144

A project can be created in Checkmarx via the Portal, APIs, or the CLI.

True 
False

Question 145

Which CxSAST components require a valid HID license?

A - CxManager

B - CxEngine

C - CxAudit

A and C 
All of the above

Question 146

Only out-of-the-box presets should be used, because they were designed by experts

True

False 

Question 147

Which component of CxSAST is responsible for storing Results in the database?

Engine

SystemManager

JobsManager

ScansManager 
Portal

Question 148

This user role cannot create projects or run scans, but has read-only access to scan results:

SAST Scanner

SAST Reviewer 
SAST Auditor

User Manager

Question 149

Heuristic queries cannot be overridden.

True

False 

Question 150

Depending on the database environment (DBMS), the Checkmarx database may need to be
manually created before installation.

True 
False

Question 151

A Checkmarx engine with 12GB of RAM can scan a code base up to (approximately)

100,000 LOC

120,000 LOC

600,000 LOC 
1.2M LOC

None of the above

Question 152

The Checkmarx Jenkins plugin supports which types of projects

A - Freestyle

B - Pipeline

C - Inline

A and C

A and B 

Question 153 Incorrect!

Which of the following are not managed by data retention?

PathResults Table

NodeResults Table

Scan Logs

CxSRC

None of the above 

Question 154

Users can create custom Data Analysis templates

True 
False

Question 155 Incorrect!

Which of the following statements is most accurate?

Breaking builds without application onboarding is a recommended best practice.

Application onboarding is an easy and lightweight process that produces actionable results
very quickly for all projects.

Small organizations with limited resources can still implement application onboarding
processes.

Threat modeling is an optional component of application onboarding, because it does not offer
much value within the onboarding process.

The widest preset should always be used (e.g., All, which includes low and informational
checks) even if the results are unworkable. 

Question 156

A user automatically gets access to all other teams at the same level in the hierarchy.

True

False 

Question 157

The MS Windows Git client must be installed prior to using source pulling from a Git source code
repository.

True 
False
