Results Details per Scanner

Viewing Scan Results in the Results Viewers

Each type of scanner identifies different types of risks in your Project. Therefore, there is a designated viewer for viewing results from each of the scanners. The following sections describe the information that is shown for each risk that is identified by the scanners.

Do the following to view the summary of a list of scan results for each scanner:

Click the desired project in the Projects and Application list. The scan preview pane appears for this project on the right screen side.
To view a summary or a list of results obtained by the desired scanner, for example API Security, do the following:
- For an overview on the number of results and their severity, click Overview.
- For a list of results, click Results or click <View Results> in the Overview.

SAST Results

The SAST Result page contains 2 main sections that work in synergy.

Vulnerabilities Table
Code Viewer

Vulnerabilities Table

The Vulnerabilities Table displays the list of vulnerabilities that were found during the last SAST scan of the Project.

The scan results data is a reflection of a single SAST scan.

Grouping Vulnerabilities

Vulnerabilities are shown in a nested tree structure with two grouping levels - Primary and Secondary.

By default, the Primary grouping is by Language and the Secondary grouping is by Vulnerability.

You can adjust the Primary and Secondary grouping to any of the following column parameters.

Language - Default Primary
Vulnerability - Default Secondary
Severity
Status
Source File
Sink File
Source Node
Sink Node

The following grouping options are available:

Language - Default
Secondary - The following grouping columns are available:
- Vulnerability - Default
- Severity
- Status
- Source File
- Sink File
- Source Node
- Sink Node

Filtering Vulnerabilities

Quick Filters

The default Vulnerabilities list contains All the languages that were found during the SAST scan.

Vulnerabilities list can be quickly filtered by Language. The languages list is presented at the top, and clicking a Language filters the list accordingly.

For example:

Complex Filters

Vulnerabilities list supports additional filtering options, by any column.

A filter can be added or removed from the view.

Notice

By default, a state filter is applied to hide vulnerabilities that are in the state Not Exploitable.

Filtering supports applying several filters at once (with an AND condition between the filtering options).

The following filtering columns are optional:

Severity
Status
Source File
Sink File
Source Node
Sink Node

Code Viewer

The Code Viewer section enables viewing a specific source code vulnerability, including its detailed information.

Code Viewer section includes the following functionalities:

The panel is opened on demand by clicking on a vulnerability in the table.
The Attack Vector pane shows the full path of the attack vector. Click on a node to show the relevant code in the Code Viewer.
The panel can be resized by dragging the bottom bar, which resizes the code viewer section vs. the vulnerabilities section.
An additional panel is integrated within the Code Viewer panel, containing the following options:
- Changes - Includes information about Severity and/or State changes that were performed for a specific vulnerability, in addition to added Comments.
- Notes - Includes all the comments that were added for a specific vulnerability.
- Description - A Short description about a specific vulnerability.
  When clicking Read More a new page will be opened including the following information:
  - Vulnerability risk - What might happen.
  - Vulnerability cause - How does it happen.
  - General recommendations - How to avoid it.
  - Code examples
    For example:

Code Viewer Display Modes

Code Viewer section can be presented in 3 different modes.

To switch between the modes, click the Change Mode icon

The possible Code Viewer modes are:

Split Vertically (Default)
Split Horizontally
Table View

When the Vulnerabilities table is shown in Split Vertically or Split Horizontally mode, clicking on a vulnerability instance opens the Code Viewer window (on the top or side respectively), showing the relevant code.

When the table is shown inTable View mode, clicking on a vulnerability opens a side-panel showing detailed info about the vulnerability, divided into tabs.

Opening Code Viewer

To open the Code Viewer section, perform the following:

On the Results screen, set the mode as Split Vertically (default) or Split Horizontally.
Click on a vulnerability grouping to expand the display. Continue drilling down until the individual vulnerability instances are shown.
Click on a vulnerability instance to show the relevant code in the Code Viewer window.

Codebashing Links

Codebashing is an interactive AppSec training platform built by developers for developers. Codebashing sharpens the skills that developers need to avoid security issues, fix vulnerabilities, and write secure code in the first place. See Codebashing documentation here.

When you select a SAST vulnerability for which a Codebashing lesson exists, a link to the relevant lesson is shown. Click on the link to open the lesson in a new browser.

Note

If you don’t yet have a license for Codebashing, a dialog opens showing a link to start a free trial.

Best Fix Location

It often occurs that several different vulnerabilities in your code intersect at a particular node. In such cases, securing the content of that node can remediate multiple vulnerabilities all in one shot. This can dramatically cut the time and effort needed to remediate the vulnerabilities in your source code. Wherever relevant, Checkmarx identifies the key node, where remediation can have the greatest impact, and labels it as the “Best Fix Location (BFL)”. The BFL label is shown for the relevant node in the Attack Vector pane.

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘State’, ‘Severity’ and ‘Notes’. After reviewing the results of a scan, you have the ability to triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.

Warning

Only users with the Checkmarx One role update-result (e.g. a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g. an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

Triaging a Single Vulnerability

Notice

The procedure for adjusting the predicate differs slightly depending on the mode in which you are showing the results. The following procedure assumes that you are in Split Vertically or Split Horizontally mode, which show the Code Viewer for the selected vulnerability. If you are in Table View mode, then the adjustments are made in the sidebar that shows the vulnerability details.

To edit the result predicate:

Open the vulnerability that you would like to edit in the Code Viewer.
To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.

Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicate for multiple vulnerabilities:

In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.
Note
Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.
A menu bar is shown at the top of the table.
To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.

API Security Results

The API Security Result page contains a list of risks, the Risks table, which can be sorted according to the parameters listed in that table. Additional information on these parameters are available under Viewing the Scanners Tab.Viewing the Scanners Tab (API Security)

Severity
Risk Name
Status
Endpoint Path
Method
Data Origin
Risk Discovered

Risks Table

The table illustrated below lists all the API security risks detected during the recent scans.

To view the Risks table from the Project Preview:

Under Projects and Applications, In the Projects list, click somewhere in the line of the desired project. The Project Preview appears.
In the Projects Preview, click for the desired scanner, in this case API Security. The Risks table appears as illustrated below.

To view the Risks table from the Project Overview:

Open the Project Overview, for example by clicking in the Project Preview.
In the Project Overview, click . The Risks table appears with the scan results. This example reflects the results illustrated on the Scanners tab page listed in the Risks table.Viewing the Scanners Tab (API Security)

Viewing Scan Results in Detail

This section explains how to view the scan results and what you see. For every detected risk, the risk itself (for example a privacy violation) and a list of sensitive data that appear in the code are displayed. The sensitive data is a set of parameters in various categories that have been defined as sensitive data by Checkmarx.Viewing the Scanners Tab (API Security)

Notice

The list of sensitive data is not related to the detected vulnerabilities. It simply provides you with an overview on what is potentially vulnerable against threats.

To display the details of the detected risk and a list of sensitive data in the code:

Click the row of the respective risk, for example Privacy Violation. The Details and Parameters widgets appear with information on the detected risk and the sensitive parameters in the code.
Click somewhere inside the Details and Parameters widgets. Further information on the risk and a list of sensitive data in the code and their location appear.Viewing the Scanners Tab (API Security)
To get more information, refer to the next sections on this page.

To view the details on the detected risk:

Click somewhere in the Details widget to view additional information on the detected risk. The table below lists and explains where the risk is located. The risk in this example is a Privacy Violation.

Parameter	Value	Description
Source File	/src/main/java/com/sanity/scan/controller/UserController.java(line:30)	The path and file name of the file with the Privacy Violation.
Status	New Recurrent. The vulnerability has been detected at least once before.	The status of the privacy violation
Source Node	The first node (input) of the vulnerable sequence.	The beginning of the attack vector.

Parameter

Value

Description

Source File

/src/main/java/com/sanity/scan/controller/UserController.java(line:30)

The path and file name of the file with the Privacy Violation.

Status

New

Recurrent. The vulnerability has been detected at least once before.

The status of the privacy violation

Source Node

The first node (input) of the vulnerable sequence.

The beginning of the attack vector.

To view all the SAST scan results around the detected risk:

In the Details widget, click . A list of SAST vulnerabilities appears. In this example, 7 Java vulnerabilities have been detected.
Expand the list by clicking .

Expand a vulnerability. The vulnerability appears listed with additional information.

Parameter	Description
(Severity)	The severity of the vulnerability: High Medium Low
Status	Status of the vulnerability: New Recurrent. The vulnerability has been detected at least once before.
State	To Verify. The vulnerability has to be verified. Confirmed. The vulnerability has been verified as vulnerability.
Source Node	The first node (input) of the vulnerable sequence.
Source File	The file in which the source node is located.
Sink Node	The last node (output) of the vulnerable sequence. Note For vulnerabilities that affect a single node, the sink node is identical to the source node.
Sink File	The file in which the sink node is located.
ID	To read the vulnerability ID, point to . To copy the ID into the clipboard, click .

Expand a vulnerability and click inside the line that details it. A table with further information on that vulnerability appears and the exact location in the code is displayed.
In addition, a short description of the vulnerability is provided. For a more detailed explanation, click Read More. A more detailed description opens in a new tab of your browser.

To view a list of the sensitive data parameters in the code:

Click somewhere in the Parameters widget. All the sensitive data in the code appears listed with its location
Under Parameters, click . A list with the sensitive data parameters appears as outlined in the table below.

Interface	Description
	List of all sensitive parameters in the API with warnings. This section is identical with the list of the sensitive data parameters above.
	List of all parameters in the request to the API. The sensitive parameters are labeled .
	List of all parameters in the response by the API. The sensitive parameters are labeled .

SCA Results

The SCA Results page shows the SCA results for the most recent scan of your Project. This includes a list of all 3rd party packages identified in your Project as well as the specific risks associated with those packages such as, vulnerabilities, legal risks, and outdated versions.

This screen includes a Header bar with general info about the Project and scan. It also shows detailed scan results, divided into the following tabs.

Packages – shows info about the open source packages used by your project and the risks that are associated with those packages, including: security vulnerabilities, license violations, and outdated versions. This tab includes two types of pages:
- All Packages – shows a list of all packages that were identified by this scan
- Package Details – shows detailed info about the risks associated with a specific package.
Risks – shows info about all of the security vulnerabilities that were identified in the open source packages used by your project, including: severity level, CVE references, remediation recommendations etc. This tab includes two types of pages:
- All Risks– shows a list of all vulnerabilities identified in your open source dependencies.
- Risk Details – shows detailed info about a specific vulnerability.
Container (for projects with container images) – shows info about packages identified in your container images as well as the vulnerabilities associated with those packages.
- Container Packages – shows a list of all of the packages identified in the container images.
- Container Vulnerabilities – shows a list of all of the vulnerabilities associated with the container packages.

Header Bar

The header bar shows general info about the Project and scan that is currently displayed on the page.

The following tables describe the info shown in the Header bar and the Action buttons that are available.

Header Bar Info

Item	Description	Possible Values
Project Name	The name of the project.	e.g., webgoat5
Scan Method	The method that was used to scan the project.	Zip – zip file, specified in the Project configuration CLI – the scan was run from the Command Line Interface Recalculated - user clicked the Recalculate button for an existing scan. This causes the Risks to be recalculated based on current data without re-scanning the project. See Recalculating Risk Auto-scan - a scan recalculation was triggered automatically because new vulnerabilities were identified in your packages. Github - GitHub repository, specified in the Project configuration Jenkins Plugin – the scan was run as part of Jenkins CI/CD process
Scanned	The date and time that the scan was run.	e.g., Feb 23, 2021 11:51 AM
Scan ID	When you hover over Scan ID, the unique identifier of the scan generated by Checkmarx SCA is shown. There is a button to copy the ID to your clipboard.	e.g., 95fc1f60-a4aa-4835-acfd-95aa315d4890

Actions

Icon	Action	Description	Options
	Scan Report	Click on this button to download a file containing an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan.	Report sections: All data tables (Default) Packages Vulnerabilities Licenses Policy Violations File formats: PDF (Default) XML JSON CSV
	Software Bill of Materials	Click on this button to download a file containing detailed info about each of the open source packages used by your program, and the associated risks. You can specify how the SBOM will be formatted, CycloneDX v1.4 or SPDX v2.2. Learn more about Checkmarx's SBOMs here.	File formats: XML (for CycloneDx only) JSON
	Remediation Manifest	Click on this button to start the process of remediating the Project’s manifest files. For more information see Remediation using a Manifest File.	N/A
Hide Dev Dependencies toggle		Toggle this switch on in order to hide results for dev packages. For more information, see Supported Dev Dependencies Specification.

Hiding Dev & Test Dependencies

Checkmarx SCA is able to distinguish between development dependencies and production dependencies for several package managers. On the Scan Results page, the number in parenthesis next to the Hide Dev & Test Dependencies toggle indicates the number of dev & test dependencies in the Project. Toggle the Hide Dev & Test Dependencies switch ON if you would like to hide vulnerable packages that were identified as dev and test dependencies.

Identifying Dev Dependencies

The following table shows how dev dependencies are identified for specific package managers.

Package Manager	Dev Dependency Specification
NPM	In the manifest file (package.json or bower.json), using the devDependencies attribute. For example, "devDependencies" : { "my_test_framework": "^3.1.0". "another_dev_dep": "1.0.0 - 1.2.0" }
Yarn
Bower
Composer	Packages under the require-dev section in the composer.json file.

Identifying Test Dependencies

Any package with the word "test" in the file path is identified as a test dependency.

Packages Tab

The Packages tab shows detailed info about the packages that were identified in your source code and the vulnerabilities that they contain.

The Packages tab contains sub-tabs that show two types of pages:

All Packages – shows a list of all packages that contain vulnerabilities that were identified by this scan. This tab is accessed by clicking on the Show All button on the Project page.
Notice
Alternatively, whenever you navigate to the Scan Results page the All Packages sub-tab is shown under the Packages tab.
Package Details – shows detailed info about a specific package. Click on a row in the All Packages sub-tab or in the Project page to access this page.
Notice
Alternatively, you can access this page by clicking on a package in the Global Inventory & Risks > Packages page.

You can navigate between the various tabs that you have opened.

All Packages Page

The All Packages sub-tab shows separate tabs for the different types of packages (Direct 3rd Party Packages, Transitive 3rd Party Packages, and Saas Providers). Each tab shows the overall number of packages of this type as well as the number of policy violations for that category.

Notice

For a package that is referenced both directly and transitively, the total number of packages shown at the top of the All Packages tab counts that package only once. Therefore, the total number of packages may be fewer than the total of the Direct packages plus the number of Transitive packages.

Clicking on a category heading expands that section, to show a list of packages of that type that were identified by this scan of your Project. For each package, info is shown about the risks related to that package. You can search for specific packages using the search box.

You can also sort by column headers and set filters for each column.

The following table describes the info shown for each package identified by this scan.

Item

Description

Possible Values

Package

The name of the package.

e.g., dom4j:dom4j

Version

The version of the package that you are using.

e.g., 1.6.1

Outdated

Indicates whether or not a more recent version of the package is available.

The package is outdated. Hover over the icon to view additional info about the more recent versions.

An empty field indicates that the package is up to date.

Effective License

Shows the Licenses that are associated with the package. For multiple licenses, hover over the display to show all licenses and the associated legal risks.

e.g., GPL 2.0, Apache2.1

Risks (Aggregated)

A color coded bar graph indicating the number of vulnerabilities of each severity level. Hover over the bar to view a breakdown of the results by Vulnerability, Legal Risk and Supply Chain.

Tip

You can apply complex filters to show only packages that contain risks of a specific type and of a specific severity.

e.g.,

Identified By

Indicates how the package was identified.

Manifest – identified by resolving the manifest file
Binary – identified by analyzing hashes and fingerprints of files in the Project

References

Shows the number of paths that reference this package.

Tip

Packages that are referenced both directly and transitively, are included in the Direct 3rd Party section and the number of direct (D) and transitive (T) paths are given.

e.g., 1D, 12T

Usage

(for Projects with Exploitable Path activated)

Indicates whether or not this package is used (called) by your project’s source code.

Used - This package is used by your project’s source code.
Potentially Used - This package is a dependency of a direct package that is used by your project’s source code.
Unused - No usage of this package was found.
Unknown - Checkmarx SCA could not determine whether the package is used.

Dependency

Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. Additional labels are applied to special types of dependencies.

Package Manager - shows the package manager that was used for resolution, e.g., Maven, Pip, Nuget, Npm etc.
Dev - is applied to dev dependencies.
Test - is applied to all packages that have the word "test" in their file path.
Verified by NPM - is applied to packages for which the signatures were verified using npm audit signatures.
Private Package - is applied to packages that are hosted on private repositories.

AppSec Knowledge Center

Link to the AppSec Knowledge Center page for each package.

Package Details Page

The Package Details sub-tab shows detailed info about a specific package. The top info pane gives general info about the package, and the separate cards below it show detailed info about various aspects of the risks posed by the package.

Info Pane

Item	Description
Package	The name and version of the package.
Dependency Type	The type of package manager used for this package.
License(s)	Shows all licenses that you have that are associated with this package.
Published	The date that this version of the package was published.

Package Details Sections

screencapture-sca-checkmarx-net-2023-03-22-12_57_26.png

Item	Description
Watch Out! (for malicious packages)	This warning card will be displayed if this version of the package is known to be malicious.
Policies	The total number of policies this project is assigned to, followed by the number of Policy Violations.
Vulnerability	The total number of vulnerabilities in this package, followed by a color coded bar graph indicating the number of vulnerabilities of each severity level.
Legal Risk	The total number of Legal Risks in this package, followed by a color coded bar graph indicating the number of Legal Risks of each severity level.
Supply Chain	The total number of Supply Chain risks affecting this package, followed by a color coded bar graph indicating the number of Supply Chain risks of each severity level.
Supply Chain Analysis (for packages with Supply Chain risks)	Shows gauge widgets representing three risk categories (Reputation, Reliability and Behavior). The scores are given on a scale of 0-10, with 10 indicating the highest level of security.
Version	Shows the version you are using, the newest version, the number of newer versions released since you last updated and an overall assessment of whether there is a need to update your version.
Learn More About This Package	Shows a link to the AppSec Knowledge Center for more information about this package.
Management of Risks	Shows if any vulnerabilities and Supply Chain risks that have been marked as ignored.
Licenses	Shows the number of Licenses that have been marked as Effective Licenses. In addition, a link is given to view detailed information about this license in the risk details tab.
References	Shows the number of manifest files that refer to this package and indicates whether it is a direct or transitive dependency.
Identified By	Indicates how the vulnerable package was identified. Possible values are: Manifest – identified by resolving the manifest file Binary – identified by analyzing hashes and fingerprints of files in the Project
File Path	The file path to the manifest file where this package was identified is shown. Click on the icons to view or download the file.
Package Path	The selected package is displayed in blue. If this is a transitive dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. If there are multiple paths to this package, then you can click on the forward and back arrows at the bottom of the pane to view each of the paths. Tip Frequently you can fix the vulnerabilities by updating the transitive packages with their latest versions.
Package Usage (for projects with Exploitable Path activated)	Shows the places in your code where the vulnerable package is called. Results are grouped by file path. Expand an item to see the line number and node of each place where the package is called.

Container Tab

In addition to scanning the packages in your source code itself, Checkmarx SCA also scans the containers (i.e., Docker image files) on which your source code runs. Checkmarx SCA identifies each of the Docker files being used, extracts all layers of each Image file and identifies the packages used by each layer.

The Container tab shows the container packages identified in your project and the vulnerabilities associated with them.

The Container tab contains two sub-tabs:

Container Packages – shows a list of all of the packages identified in the container images.
Container Vulnerabilities – shows a list of all of the vulnerabilities associated with the container packages.

Container Packages Page

The Container Packages sub-tab shows a list of all of the packages identified in the container images. For each container package, info is shown about the risks related to that package. You can search for specific packages and images using the search box.

You can also sort by column headers and set filters for each column.

The following table describes the info shown for each package identified in the containers.

Item

Description

Possible Values

Package Name

The name of the package.

e.g., musl

Version

The version of the package.

e.g., 1.2.2-r1

Image

The name of the image that was scanned.

e.g., python

Image Tag

The version of the image.

e.g., rc-alpine3.13

Vulnerabilities

A color coded bar graph indicating the number of vulnerabilities of each severity level.

e.g.,

Identified By

The path to the Docker file in which the specific image is found. (Hover to view the entire path.)

e.g., Joao4/JavaVulnerableLab-dockerfile/JavaVulnerableLab-master/dockerfile1/Dockerfile

Dep. Type

The repository in which the image is located.

e.g., Docker Hub

Container Vulnerabilities Page

The Container Vulnerabilities sub-tab shows a list of all of the vulnerabilities associated with the container packages. Detailed information is shown for each vulnerability. You can search for specific vulnerabilities and packages using the search box.

You can also sort by column headers and set filters for each column.

You can click on a vulnerability to open a new tab showing additional info about the vulnerability.

Notice

Container vulnerabilities for which the Category is "unknown" are marked as Low severity. Also, these vulnerabilities are only shown in the summary table, but you can't drill down to view the details page, since there are no details that we can provide.

The following table describes the info shown for each vulnerability that was identified in the containers.

Item	Description	Possible Values
Risk Level	The severity level of the vulnerability.	HIGH (RED) - (7.1 to 10.0) MEDIUM (ORANGE) - (3.1 to 7.0) LOW (GREY) - (0.0 - 3.0) For more info see Severity Levels.
ID	The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings.	e.g., CVE-2020-9488
Category	The category of the vulnerability.	e.g., CWE-20
Package Name	The name of the package in which the vulnerability was identified.	e.g., musl
Version	The version of the package in which the vulnerability was identified.	e.g., 1.2.2-r1
Publication Date	The date the vulnerability was published in the NVD.	e.g., Nov 16, 2020

Risks Tab

The Risks tab shows info about all of the Risks that are associated with the open source packages used by your project. This includes vulnerabilities (e.g., CVEs), as well as supply chain risks (e.g., malicious packages), legal risks and outdated packages.

The Risks tab contains sub-tabs that show two types of pages:

All Risks – shows a list of all Risks identified by this scan. This tab is accessed by clicking on the Show All button on the Project page and then selecting the Risks tab. The results on the All Risks tabs are divided into the following tabs:
- Vulnerability - shows a list of vulnerabilities in your open source packages that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx). The summary graph shows the total number of vulnerabilities and a breakdown by severity level.
- Supply Chain - shows various types of supply chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks etc. The summary graph shows the total number of supply chain risks and a breakdown by severity level.
- Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project. The summary graph shows the total number of legal risks and a breakdown by severity level.
- Outdated - shows a list of all packages that have vulnerabilities or supply chain risks, for which a more recent package version is available. The summary graph shows the total number of vulnerable outdated packages as well as a breakdown by severity level (i.e., highest severity vulnerability in the package).
Risk Details – shows detailed info about a specific Risk. Click on a row in the All Risks tab to access this page.

Notice

Alternatively, you can access this page by clicking on a Risk in the Global Inventory & Risks > Risks page.

Notice

The packages listed in the Outdated section aren’t clickable and don’t have a Risk Details page associated with them.

You can navigate between the various tabs that you have opened.

All Risks Page

The All Risks sub-tab shows separate tabs for the different types of Risks (Vulnerability, Supply Chain, Legal Risk and Outdated). Each tab shows the overall number of Risks for this type and the number of Risks for each risk level. Clicking on the arrow on the left of the tab expands a list below it to show all Risks of this type identified by this scan of your Project. For each Risk, info is shown about the nature of the Risk. You can search for specific Risks using the search box.

Notice

If a Risk is present in several packages in your Project, a separate record is listed for each instance of the vulnerability. Similarly, for Legal Risks, each package that a license applies to is listed as a separate risk instance.

You can also sort by column headers and set filters for each column.

Clicking on the arrow on the left of the tab expands a list showing all of the risks of that type.

Notice

A row in which the CVE is marked with a strikethrough line indicates that that Risk has been marked as Not Exploitable. However, the strikethrough line is only shown for scans that are run after the Risk was marked as Not Exploitable. Similarly, vulnerabilities marked as Not Exploitable are not counted towards the total number of vulnerabilities in subsequent scans.

The following table describes the info shown for each vulnerability identified by this scan.

Item	Description	Possible Values
Status	Indicates the status of this vulnerability for this project.	For vulnerability or supply chain risks: To Verify - This is the initial state of all vulnerabilities and supply chain risks, indicating that it is a new finding that hasn’t yet been assessed by your AppSec team. Not Exploitable - Select this state if your team has determined that this risk doesn’t pose a threat to your application (and isn’t expected to cause a risk at any time in the future). Proposed Not Exploitable - Select this state if your team has suggested tentatively that this risk doesn’t pose a threat to your application. Confirmed - Select this state if your team has confirmed that this risk does pose a threat and requires mitigation. Urgent - Select this state if your team has determined that this risk poses an imminent threat and requires urgent mitigation. Tip When the state is set as Not Exploitable, the risk is marked with a strikethrough line and the Risk Details page is grayed out. Indicates a legal risk that was marked as “effective”.
Violations	Shows the number of violations of security policies that were assigned to this project.
Exploitability	Shows which exploitability indicators apply to this vulnerability.	Exploitable Path - indicates that a path was detected from your source code to the vulnerable method in the package, enabling attackers to exploit the vulnerability. Tip Results are only returned if Exploitable Path was activated for this project and the project uses a language that is supported for Exploitable Path. Known - This vulnerability is cataloged by CISA as a Known Exploited Vulnerability (KEV), indicating that it poses a severe and imminent threat. PoC - A Proof of Concept (POC) for exploiting this vulnerability is available in the wild, making it easy for threat actors to implement an exploitation of this vulnerability. We draw this info from Offensive Security's Eploit Database.
Risk Score	Shows the the severity level of the vulnerability based on its CVSS score in the NVD, as well as the precise CVSS score. Tip The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.	- this package version is malicious by design. HIGH MEDIUM LOW Tip For Legal Risks, risks with UNKNOWN severity are shown in light grey. For more info see Severity Levels.
ID	The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. Tip Vulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net catalogued as CVEs, are indicated by the “Cx” prefix.	e.g., CVE-2020-9488
Category	The category of the vulnerability. For CWEs, the CWE is given as well as a brief description of the vulnerability.	e.g., CWE-89\|SQL Injection, Malicious, ChainJacking etc.
Identified in Package	The name and version of the package in which the vulnerability was identified. In addition, an indication is shown for whether this is a direct or transitive dependency (D or T). Results can be filtered by Direct/Transitive. Tip For vulnerabilities, each package affected by the vulnerability is listed as a separate risk. Similarly, for legal risks, each package to which a license applies is listed as a separate risk.	e.g., loadash @ 4.13.1 ^(T)
Publication Date	The date the vulnerability was published in the NVD.	e.g., Nov 16, 2020
Explore in AppSec Knowledge Center	Click on the icon to learn more about this vulnearbility in our AppSec Knowledge Center.

Risk Details Page

The Risk Details sub-tab shows detailed info about a specific Risk. The top info pane gives general info about the vulnerability, and the separate cards below it show detailed info about various aspects of the risks posed by the vulnerability.

The different risk types are:

Vulnerability - a vulnerability that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by Checkmarx AppSec experts (i.e., Cx).
Supply Chain - shows various types of Supply Chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.
Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project.

Each type of risk shows different cards on the details page. The different cards are described in the tables below. Outdated risks don’t have a details page. There is also a control for changing a Risk state or in the case of Legal Risks to mark it as Effective License.

Vulnerability Details

Vulnerabilities are risks that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx).

Info Pane

Item	Description	Possible Values
ID	The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. Tip Vulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix.	e.g., CVE-2019-12384
Package	The name of the package in which the vulnerability was identified.	e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8
Version	The version of the package where the vulnerability was identified.	e.g., 5.1.26
Risk Level	The severity level of the vulnerability, based on its CVSS score in the NVD database.	HIGH - 7.0-10.0 MEDIUM - 4.0-6.9 LOW - 0.0-3.9 For more info see Severity Levels.
Risk State	This indicates the current state of the vulnerability as determined by your AppSec team. All new risks are initially marked as To Verify. A user with `manage-risk` role (e.g., Admin, SCA Manager) can change the Risk state for this Project by clicking on the Risk State field and selecting the radio button for the desired state. See Risk Management.	To Verify Not Exploitable Proposed Not Exploitable Confirmed Urgent Tip When the state is set as Not Exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab.

Vulnerability Details Sections

Item	Description
Information	A description of the nature of the threat posed by the vulnerability and the date the vulnerabiliity was published in the NVD.
References	Links to external resources about the vulnerability. Links are given for topics such as: Advisory, Commit, Release Notes, Issue etc.
Remediate this Vulnerability	Recommended steps that should be taken to remediate this vulnerability. Tip The recommended package version, is the minimum version that does not contain this particular vulnerability. To find the minimum version that doesn’t contain any vulnerabilities, click on Find best package version.
Policies	The number of Policies the Project is assigned to and the number of Policy violations.
Vulnerable Package Path	The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. Tip Frequently, you can fix the vulnerabilities by updating the transient packages with their latest versions.
CVSS Information	Shows the CVSS Version, Score, and Severity, as well as the components that make up the CVSS score including: Attack Vector, Confidentiality Impact, Attack Complexity, Integrity Impact, Authentication, and Availability Impact. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article.

Supply Chain Risk Details

Supply Chain risks include various types of risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.

Info Pane

Item	Description	Possible Values
ID	An internal ID starting with the “Cx” prefix that was assigned to this risk by the Checkmarx Vulnerability Research Team.	e.g., Cx27b685d0-978d
Package	The name of the package in which the vulnerability was identified.	e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8
Version	The version of the package where the vulnerability was identified.	e.g., 5.1.26
Risk Level	The severity level of the vulnerability, based on its CVSS score in the CVE database. Malicious (supply chain) packages are labeled Malicious and the icon is shown.	- Malicious HIGH MEDIUM LOW For more info see Severity Levels.
Risk State	This indicates the current state of the supply chain Risk as determined by your AppSec team. All new risks are initially marked as To Verify. A user with `manage-risk` role (e.g., Admin, SCA Manager) can change the Risk state for this Project by clicking on the Risk State field and selecting the radio button for the desired state. See Risk Management	To Verify Not Exploitable Proposed Not Exploitable Confirmed Urgent Tip When the state is set as Not exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab.

Supply Chain Details Sections

Item	Description
Information	A description of the nature of the threat posed by the supply chain risk and the date the supply chain risk was published on the NVD.
References	Links to external resources about the risk. Links are given for topics such as: Article, etc.
Remediate this Vulnerability	Recommended steps that should be taken to remediate this vulnerability.
Policies	The number of Policies the Project is assigned to and the number of Policy violations.
Vulnerable Package Path	The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. Tip Frequently, you can fix the vulnerabilities by updating the transient packages with their latest versions.
CVSS/Risk Score	Shows the CVSS Version, Score, and Severity. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article.

Legal Risk Details

Legal Risks include all of the Legal Risks relating to the licensing of the packages used in your project.

Info Pane

Item	Description	Possible Values
ID	The name of the License.	e.g., MIT
Risk Level	An overall assessment of the legal risks associated with this license.	HIGH MEDIUM LOW UNKNOWN (light grey) For more info see Severity Levels.

Legal Risk Details Sections

Item	Description
Information	A description of the nature of the threat posed by the legal risk.
References	Links to external resources about the vulnerability. Links are given for topics such as: License URL, etc.
Instances in Scan	A list of all packages in the Project that are affected by this Legal Risk. A link next to each package takes you to an external page with info about the package.
Risk Management	An admin user can mark a License as “Effective” for this Project (i.e., if they intend to consume this package in accordance with the licensing restrictions of this license.).
Policies	The number of Policies the Project is assigned to and the number of Policy violations.
Legal Risk	Shows the License Score and Severity, as well as the components that make up the License score including: Copyright Risk, Patent Risk and Copyleft. For an explanation on the calculation of these scores, below.

Legal Risk Scores

You can view detailed info about legal risks affecting your packages by clicking on a legal risk in the Scan Results > Risks tab. The Legal Risks Details page opens showing detailed info about the related licenses and legal risks. The Legal Risk pane shows the overall License Score as well as scores for specific license risk categories. The following table explains these scores:

Field	Value type and range	Details
Copyright Risk Score	A number between 1 and 7 Sometimes represented as a multiple of 13, since in CxOSA it is presented on a scale of 1-100.	The score is defined as follows: 1 - Licensed users may use code without restriction. 2 - Anyone who distributes the code must retain any attributions included in original distribution. 3 - Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software. 4 - Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge. 5 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. 6 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. 7 - Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. Tip The Legal Risk calculation is based on the copyright risk score, where Level 1-3 is considered as a low risk, Level 4-5 as a medium risk, and Level 6-7 as a high risk.
Patent Risk Score	A number between 1 and 4 Sometimes represented as multiplications of 20, since in CxOSA is presented on a scale of 1-100	Ranks the license based on 1- Royalty free and no identified patent risks 2- Royalty free unless litigated 3- No patents granted 4- Specific identified patent risks
Copyleft	One of the following: Full, Partial, No	Copyleft is a property of the license that means that the package is free to use, but it is forbidden to make it proprietary. A copyleft license is also viral since any work containing a package that has a copyleft-license must also retain this property. The valid values are described as follows: Full - Full copyleft license Partial - Copyleft applies on modifications only No - Not a copyleft license
Linking Type	One of the following: Viral, NonViral, Dynamic	This parameter describes the situation where a package is linked to an application. (This use case is mainly covered in the GPL / LGPL license.) Viral - Infects the code using this package, meaning it will have to be under the same license ans the linked package. Non Viral - will not affect the licensing of the linking code Dynamic - Only cases of dynamic linking will not effect the licensing of the linking code (e.g., LGPL)
Royalty Free	Yes, No or Conditional	Some licenses explicitly grant a patent license. Some explicitly say they do not. Some condition the patent license on not being sued by the user, and if sued the license is revoked. Yes – patent license is granted No – patent license is not granted Conditional – patent license granted under some condition – this may change according to each license and requires consultation.
License Source Detection	e.g., Manifest File, Package Binary etc.	Indicates the source of information that identified the legal risk.

IaC Security Results

The IaC Security Result page contains 2 main sections that work in synergy.

Vulnerabilities Table
Code Viewer

Vulnerabilities Table

The Vulnerabilities Table displays the list of vulnerabilities that were found during the last IaC Security scan of the Project.

The scan results data is a reflection of a single IaC Security scan.

Grouping Vulnerabilities

Vulnerabilities are shown in a nested tree structure with two grouping levels - Primary and Secondary.

By default, the Primary grouping is by Platform and the Secondary grouping is by Severity.

You can adjust the Primary and Secondary grouping to any of the column parameters. You can also select None to remove a grouping level.

None
Platform - Default Primary
Query Name
Severity - Default Secondary
Status
State
Issue Type
Category
File

Filtering Vulnerabilities

You can filter the vulnerabilities display by any column.

Filtering supports applying several filters at once (with an AND condition between the filtering options).

The following filtering options are available:

Status
Severity
State
Actual Value
Expected Value

Code Viewer

The Code Viewer section enables viewing a specific source code vulnerability, including its detailed information.

Code Viewer section includes the following functionalities:

The panel is opened on demand by clicking on a vulnerability in the table.
The panel can be resized by dragging the bottom bar, which resizes the code viewer section vs. the vulnerabilities section.
An additional panel is integrated within the Code Viewer panel, containing the following options:
- Changes - Includes information about Severity and/or State changes that were performed for a specific vulnerability, in addition to added Comments.
- Notes - Includes all the comments that were added for a specific vulnerability.
- Description - Shows a brief description of this vulnerability. The bottom section shows the file where the vulnerability was identified, as well as the problematic “value” and the “expected value” for that element.

Opening Code Viewer

To open the Code Viewer section, perform the following:

Click on a vulnerability grouping to expand the display. Continue drilling down until the individual vulnerability instances are shown.
Click on a vulnerability instance to show the relevant code in the Code Viewer window.

Managing (Triaging) Results

You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.

Warning

Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

Triaging a Single Vulnerability

To edit the result predicate:

Navigate to the vulnerability that you would like to edit.
To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.

Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicate for multiple vulnerabilities:

In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.
Note
Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.
A menu bar is shown at the top of the table.
To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign.
Options are: High, Medium, Low or Info.
To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign.
Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.

In this section: