CxFlow can use a proxy server for making HTTP/HTTPS connections to the internet by adding additional arguments to the startup command. Irrespective of which scan engine is used, the proxy configuration will remain the same.

The following arguments are required:

http.proxyHost – the host or IP address of the proxy server.

http.proxyPort – the port used by the proxy server.

http.proxyUser - Optional and only needed if the proxy server needs authentication.

http.proxyPassword - Optional and only needed if the proxy server needs authentication.

Or

https.proxyHost - the host or IP address of the proxy server.

https.proxyPort - the port used by the proxy server.

https.proxyUser - Optional and only needed if the proxy server needs authentication.

https.proxyPassword - Optional and only needed if the proxy server needs authentication.

java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar <Additional-CxFlow-parameters>

java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -Dhttp.proxyUser=<proxy user> -Dhttp.proxyPassword=<proxy password> -jar cxflow.jar <Additional-CxFlow-parameters>

To use CxFlow over HTTPS, an SSL certificate is required to be imported into a keystore.
See documentation on importing certificates here:
https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG180
https://www.baeldung.com/spring-boot-https-self-signed-certificate

To allow CxFlow to trust self-signed certificates, the parameter '--checkmarx.trustcerts = true' needs to be provided via command line when starting the cxflow.

java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --checkmarx.trustcerts = true' <Additional-CxFlow-parameters>

CxFlow is a Springboot application driven by a YAML configuration file. CxFlow can be configured to run over HTTPS by updating the application.yml configuration file.
Edit the application.yml file and update the server section as follows:

server:
    port: <desired_ssl_port - usually 443 or 8443>
    ssl:
        key-store: <keystore filename>
        key-store-password: <key/store password>
        key-store-type: { JKS | PKCS12 }
        key-alias: <key alias in the keystore>
        enabled-protocols:
          - TLSv1.3
          - TLSv1.2

https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-configure-ssl

Assumptions:

• JDK 8 installed
• Windows Machine running CxFlow
  Open a CMD prompt and type the following

keytool -genkeypair -alias cxflow -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore C:\keystorecxflow.p12 -validity 3650
keytool -export -alias cxflow -keystore C:\keystorecxflow.p12 -rfc -file C:\cxflow.cert
 
//Import certificate to Windows Trust Store
certutil.exe -addstore root C:\cxflow.cert

Insert the following into the application.yml file

  port: 443
  ssl:
    key-store: C:\keystorecxflow.p12
    key-store-password: xxxxx
    key-store-type: PKCS12
    key-alias: cxflow
    enabled-protocols:
    - TLSv1.3
    - TLSv1.2

To allow CXFlow to accept custom enterprise certificates without altering the default cacert, you can configure it to trust additional certificates by adding them to a custom trust store.
See documentation on importing certificates here:

keytool -importcert -file <path-to-your-certificate> -keystore custom-truststore.jks -alias <your-alias>

checkmarx:
  version: 9.4
  username: admin@cx
  truststorepath: C:\\Users\\abc\\OneDrive - Checkmarx\\Desktop\\certificate\\custom-truststore1.jks
  truststorepassword: satyam
  customkeystore: true