There's one thing Checkmarx can maybe fix, actually two things. First, when we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped. So, even if the software reaches capacity on the computer, even though it writes it in the logs, it should also give an indication in the GUI to the person running it, saying "not enough memory" or "not enough disk space." Another problem is that when it's scanning and it has an internal problem, for example, it cannot check something, or an internal bug or internal problem, it's being found in the logs, but there's no indication to the user. Now, this is good for them because the user runs it, gets a report, everything's fine. But in a way, it's not good for them because the user doesn't know there's a problem since they don't check the logs. Because mostly, only the manager looks at the logs and only if there's a problem being reported. You run a process, get a report, but in the logs, there might be an indication that it couldn't check several files or understand something. There's a problem, an internal problem that can be fixed, but nobody knows about it because we don't look at the code. The user doesn't look at the logs; only the business manager does, but they don't know because the user doesn't report it, because the user doesn't know. So, my suggestion for them is this: if they have problems, they should say, 'Here is the report,' but also indicate to the user somewhere, perhaps in the GUI, not necessarily in the report itself, 'We found 100 problems while looking at your code. Please provide us the logs so we can try to fix those.' Then they can ask if the user has any problems. This way, users would know to send them their logs, and they could improve their software, meaning fix the problems. Now, they may not want to do this because they'll get flooded with millions of responses and millions of problems from all over the world. They would have to fix them, and people might get angry, asking why they provided a report when there were hidden problems. People might say, 'How come you gave me a report with seven or eight problems when analyzing it, there were internal problems with your code? So it's not a perfect report.'" So, these internal issues are logged but not communicated to the user through the Checkmarx interface (GUI) or report. The solution also has a few false positives. So, if they had an easier way for users to send an email directly, instead of just opening a ticket. Because when we open a ticket, they want all the logs and everything, and it becomes a hassle. Perhaps they could implement an easier system where users can send a snippet of the code, along with an explanation of why they believe it's a false positive, referencing the specific report. This way, Checkmarx could analyze the information and the development team could potentially fix the product in those areas. It wouldn't require them to necessarily respond to the user, but I'm not sure if that's feasible for most companies.
