Нello! I am concerned with the reliability of checkmarx scans.
I have created a checkmarx project with only two files:
I have used beautifier.io to generate library.formatted.js from library.minified.js. There are no other changes; the two files are exactly the same except for whitespace formatting changes.
Concerningly, checkmarx perceives different security threats for the two similar files. In particular, it perceives several high-risk items in the minified version, and no high-risk items in the formatted version.
If two javascript files are identical save for their formatting, why would checkmarx perceive different security threats in each?
How do I trust checkmarx's judgement if whitespace, a factor that will be ignored by the JS interpreter, influences the assessment?
We are aware that white spaces changes do effect the results in some cases, and we are constantly reviewing ways to improve our analysis.
Getting your input will be very helpful in order to resolve those issue, so if you can please open a ticket to Checkmarx support with those examples and we'll do our best to help.