Working with Vulnerabilities
In the Project View, click the Vulnerabilities tab to display the list of vulnerabilities, which contains the information listed in the table below.
Item | Description |
---|---|
Vulnerabilities List | List of vulnerabilities according to the selected severity type. Vulnerabilities listed here are in relation to the current project and scan selected. Clicking a severity type displays all those vulnerabilities grouped with that severity in the Vulnerabilities List. |
All | All vulnerabilities regardless of severity |
High | Vulnerabilities of high severity |
Medium | Vulnerabilities of medium severity |
Low | Vulnerabilities of low severity |
Info | Vulnerabilities of informational severity |
Add Filters | Click to filter the vulnerabilities in the Vulnerabilities List |
Vulnerability State | Checking a check-box in the Vulnerabilities List enables you to change the state of a vulnerability. This is useful for disregarding false positives or just for defining what vulnerabilities to handle and how to handle them. |
Vulnerability Status | Represents the vulnerability according to the current selection and includes all related information about the vulnerability. |
Vulnerability | The name of the vulnerability, for example LDAP Injection, SQL Injection |
Severity | The severity of vulnerabilities as listed above. The severity of a vulnerability can be modified according to the vulnerability handling method used. |
First Detected Date | The date, time and the scan (scanID) that the vulnerability was first discovered. |
Status Flag | State of the vulnerability. Possible states are To Verify (default), Confirmed, Suspicious, Not a Problem and Remediated. The state of a vulnerability can be modified according to the vulnerability handling method used. |
# | The unique ID of a vulnerability; a direct link to the correlating SAST project scan results. Relevant only if SAST Correlation is enabled. |
Show SAST Result | Direct link to the correlating SAST project scan results. Relevant only if SAST Correlation is enabled. |
Comment | Click to add new comment or view existing comments |
Codebashing | Click to display comprehensive information about the selected vulnerability |
Attack Vector | The vulnerable code flow (attack vector), representing the flow of data from input to sink. Clicking a node presents the relevant line of code. |
Code Snippets | The code snippets to the right of the Attack Vector represent the code as IAST interprets it at execution time. The code presented may differ from the actual source code of the application, because IAST exposes the data as it runs, not as it is in the source code. |
Multiple Inputs | Click the Multiple Inputs icon to choose the input to track. Note: available only if multiple inputs are present. |
HTTP Request | The actual HTTP request used in the test. |
HTTP Response | The actual HTTP response used in the test. |
Watch | Shows the problematic vulnerable input before and after the execution of each step in the Attack Vector. If the vulnerable input reflected in the HTTP Request (marked in red) is also reflected in the HTTP Response, it is marked in red there as well. Note: for some special vulnerabilities, the Watch values may not appear under Attack Vector > Details. |
In the list of vulnerabilities, click Add Filter. The Filter Vulnerabilities dialog appears. Vulnerabilities can be filtered by the following:
Status (New or Recurrent)
Detection Date (Start and End Date)
URL
Method Name
SAST Correlation (Yes or No)
Pending State (True or False)
State (To Verify, Confirmed, Suspicious, Not a Problem or Remediated)
Assigned To (a specific user).
To apply the filter, click <Update>.
To cancel the settings, click Cancel.
To reset all filters, click Reset Filters.
Checkmarx IAST includes the following predefined presets, which work with all languages supported by IAST:
PCI DSS V3.2 (v3.9.0 and up)
OWASP Top 10 for 2017
OWASP Top 10 for 2013
OWASP Top 10 for 2010
OWASP REST API Top 10 (v3.7.0 and up)
A list of predefined presets and subcategories is available in the next section of this page. To filter the scan results with a predefined preset, do the following:
Next to Add Filters, select the predefined preset from the drop-down list.
From the Preset Severity drop-down menu, select the vulnerability severity that you want to display in the scan results. By default, All is selected for a predefined preset, but any available severity can be selected instead.
To return to the regular IAST scan results without applying a predefined preset, click Clear at the top of the dropdown menu.
The following table displays all available presets and their sub-categories:
Preset | Sub-categories |
---|---|
PCI DSS v3.2 (v3.9.0 and up) | |
OWASP Top 10 for 2017 | |
OWASP Top 10 for 2013 | |
OWASP Top 10 for 2010 | |
OWASP REST API Top 10 (v3.7.0 and up) | |
Clicking Vulnerability Description in the list of vulnerabilities opens the vulnerability description that displays comprehensive information about the selected vulnerability. This is useful for defining how to handle the vulnerability as illustrated in the screen images below for the example of SQL Injection.
The vulnerability description displays information that includes the vulnerability risk and cause details and general recommendations for remediating and avoiding the vulnerability. Source code examples and CWE links are also provided.
Modifying the vulnerability state is useful for disregarding false positives or simply for defining which vulnerabilities to handle and how to handle them.
Note
Only users with the correct permissions can change the state of a vulnerability and approve a suggested vulnerability state change.
Changing the State of a Vulnerability or Suggesting a Vulnerability State Change can only be performed on completed scans.
To change the state of a vulnerability:
Check the respective vulnerability.
Click Change State. The Select State dialog is displayed with the states that can be defined.
Select the desired state and click <CHANGE>. The state of the vulnerability is changed and displayed in the Vulnerabilities List and under Vulnerability Status.
State | Description |
---|---|
To Verify (default) | Vulnerability requires verification |
Confirmed | Vulnerability confirmed as vulnerable and requires handling |
Suspicious | Vulnerability proposed as suspicious (potential FP). |
Not a Problem | Vulnerability confirmed as not vulnerable (confirmed FP). |
Remediated | Vulnerability has been confirmed as handled. |
To suggest a vulnerability state change:
Select the desired state and click <SUGGEST>. The change is now waiting for approval and displayed in the Vulnerabilities List. In the example below, the suspicious state has been suggested and is waiting for approval.
Note
The actual state of the vulnerability does not change until it is approved.
No special permissions are required to suggest changing the vulnerability state.
To approve a suggested vulnerability state change:
Check the vulnerability for which a change has been suggested. The Review State dialog appears.
Do one of the following:
To approve, click <APPROVE>. The state of the vulnerability is changed to the suggested state displayed in the Vulnerabilities List and the Vulnerability Status.
To deny, click <DENY>. The suggestion is overruled and the state of the vulnerability remains as it was before the suggestion.
Severity changes are useful for defining which vulnerabilities to handle and how to handle them. In cases where there is no agreement on the severity of a specific finding, or when a final decision has been made, the severity can be changed as follows:
Check the severity of that vulnerability in the list of vulnerabilities. The Change Severity dialog appears.
Select the severity and click <CHANGE>. The severity of the vulnerability is changed. The new severity appears in the Vulnerabilities List and the Vulnerability Status.
Note
Changing the Severity of a Vulnerability can only be performed on completed scans.
Severity change actions are logged automatically in the Comments list as [Auto Comment].
Comments are useful for defining which vulnerabilities to handle and how to handle them. In addition, auto comments log any actions performed on the vulnerability, for example changing its severity.
To add a comment to a vulnerability:
Check the relevant severity in the list of vulnerabilities. The Add Comment dialog appears.
Enter the desired comment (max. 256 characters) and click <ADD>. The comment is saved in the list of comments for the selected vulnerability.
To view the list of all comments:
In the Projects View, under Vulnerabilities, click Comment for the desired vulnerability. All existing comments for this vulnerability appear listed.
The following actions are automatically logged in the Comments list as [Auto Comment]:
Change State
Review State (Deny/Approve)
Change Severity
Assign to User.
Note
Only users with the proper permissions can add a comment to a vulnerability.
Comments can only be added to vulnerabilities detected by completed scans.
To assign a vulnerability to a user:
Check the relevant severity in the list of vulnerabilities.
Click Assign to User. The Select User dialog appears.
Select the desired user from the list and click <ASSIGN>. The vulnerability is assigned to the user and the change appears in the Vulnerabilities List and the Vulnerability Status.
Assigning a vulnerability to a user is automatically logged in the Comments list as [Auto Comment].
Note
Only users with the proper permissions can assign a vulnerability to a user.
Vulnerabilities can only be assigned to users if the scan is complete.
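The state workflow (change, suggest, approve or deny) and the assign-to-user action described above, modelled as an added Python example; this is not Checkmarx code or its API, and the class, method names and the has_permission flag are assumptions that simply encode the rules stated on this page (default state To Verify, no permission needed to suggest, state unchanged until approved, completed scans only, auto comments for logged actions).

```python
from dataclasses import dataclass, field
from typing import Optional

# The five states listed in the state table on this page
STATES = ("To Verify", "Confirmed", "Suspicious", "Not a Problem", "Remediated")

@dataclass
class Vulnerability:  # hypothetical model, not the product's own data structure
    name: str
    scan_complete: bool
    state: str = "To Verify"             # default state when first detected
    pending_state: Optional[str] = None  # suggested change awaiting review
    assigned_to: Optional[str] = None
    comments: list = field(default_factory=list)

    def _guard(self, has_permission: bool) -> None:
        # Modifying actions require a completed scan and the right permission
        if not self.scan_complete:
            raise ValueError("scan not complete")
        if not has_permission:
            raise PermissionError("insufficient permissions")

    def _auto_comment(self, text: str) -> None:
        self.comments.append(f"[Auto Comment] {text}")

    def change_state(self, new_state: str, has_permission: bool) -> None:
        self._guard(has_permission)
        if new_state not in STATES:
            raise ValueError(f"unknown state {new_state!r}")
        self.state = new_state
        self._auto_comment(f"Change State: {new_state}")

    def suggest_state(self, new_state: str) -> None:
        # No permission needed; the real state stays unchanged until reviewed
        if not self.scan_complete or new_state not in STATES:
            raise ValueError("invalid suggestion")
        self.pending_state = new_state

    def review_state(self, approve: bool, has_permission: bool) -> None:
        self._guard(has_permission)
        if self.pending_state is None:
            raise ValueError("no suggestion to review")
        if approve:
            self.state = self.pending_state
        self.pending_state = None
        self._auto_comment(f"Review State ({'Approve' if approve else 'Deny'})")

    def assign_to_user(self, user: str, has_permission: bool) -> None:
        self._guard(has_permission)
        self.assigned_to = user
        self._auto_comment(f"Assign to User: {user}")
```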