Viewing the Global API Inventory and Risks Page for API Security
The Global API Inventory lists all APIs and risks detected during all the scans in all projects on the platform.
To view the Global Inventory and details on each API, follow the instructions below.
1. Select Global Catalog from the menu. You are asked whether to open the Global SCA inventory or the Global API inventory.
2. Select API | Inventory and Risks. The Global API Inventory Table appears, with the columns listed below.
Application: The application to which this project belongs. If the project does not belong to any application, this field is marked ----.
Project: The project for which the API in this row was discovered.
Endpoint Path: The path of the endpoint where the API is located.
Method: The HTTP method of the API: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or ANY (all methods).
Total Risk: The number of risks found in the selected API.
Data Origin: Indicates where the API of this project was detected, for example inside the code.
Sensitive Data: The number of sensitive data attributes for all scans in the listed project.
API Discovered: The date when the API was discovered.
Last Updated: The date when the API was last updated.
3. In the Global API Inventory Table, click anywhere inside the row of the desired API, for example yev-i62. Additional information on the parameters and details of the selected API appears, as explained below.
Risks: Displays the number and severity of risks detected in the selected API. To view the Risks table for this API, click inside the risk bar. The Risks table matches the Global Risks table explained below.
Parameters: Shows the number of sensitive data parameters in the code. To see a list of the sensitive data in the code, click inside the widget. Sensitive data is a set of parameter names that Checkmarx has defined as sensitive; the set is listed below. Sensitive data is not related to the detected vulnerabilities; it simply gives you an overview of what is potentially exposed to threats. In this example, one sensitive data parameter was found twice. Sensitive parameters are divided into five categories (Name, Personal Data, Address, Bank and Secrets), and each category has its own set of parameter names:
  - Name: firstname, surname, familyname, fullname, name
  - Personal Data: birthday, dob, dateofbirth, phone, mobile, email, socialsecurity, ssn, driverslicense
  - Address: address, zipcode
  - Bank: credit, cardnumber, account
  - Secrets: credentials, secret, auth, apikey, pass, pwd, password
Data Origins: Displays the details of the source code to which this API belongs.
Latest Changes: Lists the changes on this API since it was discovered. The current example shows that there were no changes to the API. The following changes may occur and are listed as follows:
  - Structure: Response or Request parameters were added or removed, for example:
    Structure | {Parameter} was removed
    Structure | {Parameter} was added
  - Risk: One or more new risks were detected. Risks are characterized by their risk level (High, Medium, Low, Informal) and grouped in categories, for example:
    Risk | {Number} new {Level} found
  - Sensitive Data: Parameters were flagged as sensitive, for example:
    Sensitive Data | {Parameter} was found in {Request or Response}
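The sensitive-data categories and the Latest Changes formats above, as an added example that is not Checkmarx code: a small Python classifier that flags request and response parameters by the five categories listed on this page and diffs two snapshots of an API into the page's Structure and Sensitive Data change lines. The token-matching rule and the snapshot dictionary format are assumptions; the page only lists the parameter names per category.

```python
import re
# Categories and parameter names exactly as listed on this page
SENSITIVE = {
    "Name": {"firstname", "surname", "familyname", "fullname", "name"},
    "Personal Data": {"birthday", "dob", "dateofbirth", "phone", "mobile",
                      "email", "socialsecurity", "ssn", "driverslicense"},
    "Address": {"address", "zipcode"},
    "Bank": {"credit", "cardnumber", "account"},
    "Secrets": {"credentials", "secret", "auth", "apikey", "pass", "pwd", "password"},
}

def tokens(param):
    """Split snake_case, kebab-case and camelCase into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", param)
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", spaced) if t]

def classify(param):
    """Return the category of a parameter name, or None. Rule (an assumption):
    some contiguous run of tokens, joined, must equal a listed name."""
    toks = tokens(param)
    for i in range(len(toks)):
        for j in range(i + 1, len(toks) + 1):
            candidate = "".join(toks[i:j])   # "x-api-key" -> "apikey" matches
            for category, names in SENSITIVE.items():
                if candidate in names:       # "passenger_count" never matches "pass"
                    return category
    return None

def sensitive_findings(api):
    """List (parameter, location, category) per sensitive parameter in a snapshot."""
    return [(p, loc, classify(p)) for loc in ("Request", "Response")
            for p in api.get(loc.lower(), []) if classify(p)]

def latest_changes(old, new):
    """Diff two snapshots of one API and emit lines in the page's
    'Structure | ...' and 'Sensitive Data | ...' formats."""
    lines = []
    for loc in ("request", "response"):
        before, after = set(old.get(loc, [])), set(new.get(loc, []))
        lines += [f"Structure | {p} was removed" for p in sorted(before - after)]
        lines += [f"Structure | {p} was added" for p in sorted(after - before)]
    newly_flagged = set(sensitive_findings(new)) - set(sensitive_findings(old))
    for p, loc, _category in sorted(newly_flagged):
        lines.append(f"Sensitive Data | {p} was found in {loc}")
    return lines

# Constructed sample: two snapshots of one endpoint's parameters
OLD = {"request": ["userId", "page"], "response": ["userId", "email"]}
NEW = {"request": ["userId", "page", "x-api-key"],
       "response": ["userId", "email", "dateOfBirth"]}
```

Calling latest_changes(OLD, NEW) yields two Structure lines for the added parameters followed by Sensitive Data lines for dateOfBirth (Response) and x-api-key (Request).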
You can view the details and classification of each vulnerability as explained below. You can also modify the classification of one or more instances of a detected vulnerability.
To view a risk detected in an API listed in the Global API Inventory:
1. In the Global API Inventory Table, click anywhere in the row of the desired API, for example yev-i62. Details and a link to the risks of the selected API appear.
2. Click the Risk Bar. The Risks table for this API appears. According to the indicator on the Risks bar, 12 Medium and 16 Low severity risks have been detected.
3. Click anywhere inside the row of the desired risk. Additional information on the selected risk appears.
4. Click the icons for additional information. Details of the risk and the sensitive data with their location are displayed.
The table below lists the details of an unsafe object binding.
Source File (example value: /iast-manager-times-6-total-589252-locjava-354324-loc/manager-servicescopy5/src/main/java/com/checkmarx/iast/manager/rest/ScansResource.java(line:250)): The path and file name of the file with the Unsafe Object Binding.
Status (New or Recurrent): The status of the unsafe object binding. Recurrent means the vulnerability has been detected at least once before.
Source Node: The first node (input) of the vulnerable sequence, that is, the beginning of the attack vector.
To view all the SAST scan results around the Unsafe Object Binding vulnerability:
1. Under Details, click the SAST results icon. The SAST vulnerabilities appear. In this example, 1234 Java vulnerabilities have been detected.
2. Expand the list by clicking the expand icon.
3. Expand a vulnerability. In this example, we are looking at Stored XSS. The vulnerability is listed with additional information for each scan that detected it. In this case, Stored XSS has been detected 42 times.
4. Click an instance in the table to view a detailed report and its exact location in the code. In this example, the first of the 42 detected Stored XSS instances has been selected.
The table below lists and explains the parameters in the list.
Severity: The severity of the vulnerability: High, Medium or Low.
Status: The status of the vulnerability: New, or Recurrent (the vulnerability has been detected at least once before).
State: The state of the vulnerability: To Verify (the vulnerability has to be verified), Not Exploitable, Proposed Not Exploitable, Confirmed (the vulnerability has been verified as a vulnerability), or Urgent (needs to be addressed urgently).
Source Node: The first node (input) of the vulnerable sequence.
Source File: The file in which the source node is located.
Sink Node: The last node (output) of the vulnerable sequence. Note: For vulnerabilities that affect a single node, the sink node is identical to the source node.
Sink File: The file in which the sink node is located.
ID: To read the vulnerability ID, point to the ID icon. To copy the ID to the clipboard, click the copy icon.
To modify the classification of one or multiple vulnerabilities:
1. Select the desired vulnerabilities in the list. The options for what can be modified appear.
2. Choose what to modify, as outlined below. Explanations of the various options can be found in the table above.
Change Severity: Click to change the severity to High, Medium, Low or Info.
Change State: Click to change the state to To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
Add Note: Click to add a note (free text).
Clear Selection: Clears all the selected vulnerabilities. When the selection is cleared, the options to modify severities are hidden again.
To view all the sensitive data in the code:
Under Parameters, click the sensitive data widget. All sensitive data parameters in the code appear, in three lists:
- All sensitive parameters in the API, with warnings. This list is identical to the list of sensitive data parameters described above.
- All parameters in the request to the API. The sensitive parameters are labeled as such.
- All parameters in the response from the API. The sensitive parameters are labeled as such.
To view the Global Risks Table for all the listed APIs, follow the instructions below. To view details and classifications for any listed risk, and to modify classifications of vulnerabilities detected as part of the risk, refer to the instructions above under Viewing a Risk in Detail for risks listed per API in the Global API Inventory.
To view the Global Risks table:
1. Select Global Catalog from the menu and then API | Inventory and Risks. The Global API Inventory Table appears.
2. In the Global API Inventory Table, select Risks. The Risks Table appears for all scans, per Project and per Application to which a project may belong.
The parameters in the Risks table are listed and explained below.
Severity: The risk severity: High, Medium or Low.
Applications: The application to which this project belongs. If the project does not belong to any application, this field is marked ----.
Project: The project for which the risk was detected.
Risk Name: The name of the risk.
Status: The status of the risk: New (a newly detected vulnerability) or Recurrent (the vulnerability has been detected at least once before).
Endpoint Path: The path of the endpoint of the API in which the risk was detected.
Method: The HTTP method of the API: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS or TRACE.
Data Origin: Indicates where the risk was detected, for example inside the code.
Risk Discovered: The date when the risk was detected.
To sort or filter the lists:
- To view list entries in ascending or descending order, point to the relevant header and select Click to sort ascending or Click to sort descending.
- To show only specific entries, for example a specific status, point to the relevant header, click the filter icon, and then select the desired value(s) from the filter options.