Skip to main content

Navigating Scan Results

When viewing scan results in the web interface, the scan results overview appears and you can browse through the results The scan results summary consists of four panes with various levels of information as illustrated below. You can drill down from a comprehensive list to the actual code elements by moving through the panes in the order outlined below.

The result summary is divided into the following four panes:

  • Code Pane. Displays the code with detected vulnerability highlighted in the code.

  • Path Pane. Displays the full path of 'vulnerable' code elements with

  • Queries Pane. Defines how to present the query results.

  • Results Pane. Displays the result as table or graph. In addition, background information is available on detected vulnerabilities.

Notice

The Queries pane is covered first as it defines how results are presented. The Queries pane is followed by the Results pane as you have to select the results here to locate them in the code and gain additional information.

6436173225.png

Queries

Lower left pane: Each item in the list is a specific type of vulnerability for which CxSAST queries the scanned code. Each item is listed with the number of detected instances of the respective vulnerability. The queries are sorted by code language, category, and severity.

6436173189.png

The drop-down menu lets you select the desired method for displaying the detected vulnerabilities as illustrated below.

6436173222.png
  • Severity - displays application security risks (vulnerabilities) by severity (High 6436173126.png , Medium 6436173123.png , Low 6436173120.png and Info 6436173117.png ).

  • OWASP Top 10 2017 - displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are listed as Uncategorized.

  • OWASP Top 10 2013 - displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are listed as Uncategorized.

  • PCI DSS v3.2 - displays the vulnerabilities associated with categories (DSS v3.2), as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are listed as Uncategorized.

  • FISMA 2014 - displays the vulnerabilities associated with categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are listed as Uncategorized.

  • NIST SP 800-53 - displays the vulnerabilities associated with categories (SP 800-53), as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are listed as Uncategorized.

  • OWASP Mobile Top 10 2016 - displays the vulnerabilities associated with categories (M1 to M10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 2017 categories are listed as Uncategorized.

  • Custom - a user-defined method for rating the security levels. Using the Custom method requires integrating the user's severity rating method with CxSAST. For more details, please contact Checkmarx support.

  • ASD STIG 4 10 - displays vulnerabilities categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.

  • OWASP Top 10 API

The following images illustrate the methods for displaying the detected vulnerabilities.

Notice

To learn more about each vulnerability, click (?) to view additional information on it provided by Codebashing.

6436173219.png
6436173216.png
6436173213.png
6436173210.png
6436173207.png
6436173201.png
6436173198.png
6436173195.png
6436173192.png

Results Summary

Lower right pane: The lower right section hosts the result summary with tutorial as follows:

  • Results: View a list of detected vulnerabilities and select them for further action.

  • Graph: View a graphical display that displays affected code elements and the relationship between them.

  • Codebashing: Learn more about detected instances using Codebashing.

Results

To view a list of detected instances and details, select Results. The highlighted instance's code element details appear at the top. You can navigate the results using pagination controls.

6436173147.png

Select an instance node (Graph tab) or a listed result (Results tab) 6436173141.png to change the following (depending on your user permissions):

6436173180.png

Useful for disregarding false positives or just for planning what issues to handle

  • To Verify (default) – instance requires verification (i.e., authorized user)

  • Not Exploitable – instance has been confirmed as not exploitable (i.e., false positive). Instances defined with this state are not represented in the scan summary, graph, reports or dashboard, etc.

  • Proposed Not Exploitable – instance has been proposed as not exploitable (i.e., potential false positive). Instances defined with this state are represented in the scan summary, graph, reports or dashboard, etc. until such a time that the state is changed to “Not Exploitable"

  • Confirmed – instance has been confirmed as exploitable and requires handling

  • Urgent – instance has been confirmed as exploitable and requires urgent handling.

Notice

  • Depending on your user permissions you may not be able to select the "Not Exploitable" state. If this is the case select the “Proposed Not Exploitable” state and then escalate the instance to an authorized user for confirmation.

  • When the state of an instance is changed (for example to Not Exploitable), all other instances with same similarity ID are automatically marked with the newly changed state. A popup window is displayed (if enabled) listing all the affected instances including the project name, scan date and a direct link to the affected instance.

  • If enabled, issuing a 6436173114.pngcomment is required when either changing the state of scan results to Not Exploitable or to any different severity change, depending on the option you enabled.

6436173177.png

Useful for defining the priority level of the selected issue.

  • 6436173144.png

    High

  • 6436173171.png

    Medium

  • 6436173168.png

    Low

  • 6436173165.png

    Info

6436173162.png

Useful for planning who should handle the selected issue.

6436173156.png

Add a comment to an instance. This metadata is maintained for the project when performing future scans and for instances that continue to be found. When adding a comment, it is logged with date and time into the comment history.

6436173153.png

Use this option for selected instances to appear in the results list as an independent result set.

6436173150.png

Click to open a ticket in a bug tracing system, for example in JIRA.

The results are listed with the following parameters:

  • Selector: Check to select

    6436173141.png

    the desired result to perform the tasks listed above.

  • Id: The ID of the respective scan.

  • Detection Date: The date on which the vulnerability was detected for the first time in the scanned code.

  • Direct: Click

    6436173138.png

    to copy the direct URL of this vulnerability to the clipboard. You are able to log on from a different host and directly access CxSAST and this vulnerability report.

  • Query Name: The name associated with the query of the source code.

  • Status: The status of the result, for example New (newly detected).

  • Source Folder: The folder of the resource with the detected vulnerability.

  • Source File Name: The name of the resource file in which the vulnerability was detected.

  • Source Line: The line number in the source code where the vulnerability was detected.

  • Source Object: The object where the vulnerability was detected. Once you select the list entry, the object appears highlighted in the resource available in the upper left window.

  • Destination Folder: The destination of the resource.

  • Destination File Name: The name of the destination file for the resource with the vulnerability.

  • Destination Line: The line number in the destination.

  • Destination Object: The destination object, for example the output of the source.

  • Result State: The status of the result. The result state can be updated. For available status options, refer to the table above. Updating the result state automatically adds a comment to the comment section.

  • Result Severity: The severity of the result. The severity can be updated. For available severities, refer to the table above. Updating the result severity automatically adds a comment to the comment section.

  • BFL Node: BFL stands for Best Fix Location. This parameter defines the node where the fix of the vulnerability should be implemented.

  • BFL Group Size: Defines the group size that the fix should have.

  • Priority: Defines the priority at which the vulnerability should be handled.

  • Assigned User: Lists the user to whom this vulnerability has been assigned. To assign a user, refer to the table above.

  • Ticket ID: The ID of the ticket, if assigned. For additional information on opening a ticket, refer to the table above.

  • Comments: Free text you may add. If updating result severity or result state, a comment is added automatically. To add a comment, click6436173135.png

    and enter the comment into the Comment field. Once the comment is saved, it is logged with date and time under Comments History.

Graph

To display the first and last code elements of each detected instance with the relationships between them, select Graph.

6436173186.png

Notice

In the CxSAST IDE Plugins, the Graph pane displays full paths of the code elements that constitute the found instances together with the relationships between them.

Codebashing

To learn more about code vulnerabilities, why they happen, and how to eliminate them, select 6436173330.jpg Codebashing to enter the interactive Checkmarx learning platform. Codebashing provides developers with an in-context learning platform that helps understand vulnerabilities and write secure code. Codebashing comes as a free version with basic capabilities. Additional learning material and in-depth information is available with the full version.

The free edition of Codebashing covers the following:

  • Lessons: SQL Injection (SQLi), Cross-site scripting (XSS), XML Injection (XXE)

  • Languages: Java, .Net, PHP, Node.JS, Ruby, Python

The full version includes over 20 lessons and additional languages:

  • Lessons: Session fixation, Use of insufficiently random values, Reflected XSS, Command Injection, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Session Exposure in URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Authentication Credentials in URL, Cross Site Request Forgery (POST), Cross Site Request Forgery (GET), Click Jacking, Insecure URL Direct.

  • Languages: Scala, C/C++.

The Path Pane

The Path Pane displays the full path of code elements that constitute the vulnerability instance selected in the Results pane. This path represents the full attack vector for the vulnerability instance.

To view the attack vector:

  • Select an instance in the Results pane (Results or Graph tab) and view its attack vector in the Path pane. The code line containing the element that has been selected in the Path pane is highlighted.

6436173132.png

Notice

  • The Number of Nodes column in the Results panel provides the number of nodes in the attack vector provided by each result. Sorting, filtering and grouping options are available. This column is disabled by default and can be made available from the Columns selection tool.

  • When using the CxSAST IDE Plugins, you can immediately fix the code in place!

The Code Pane

The Code Pane displays the source code of your scanned resource with the detected vulnerabilities marked. Use the Path pane or Results pane to highlight detected vulnerabilities in the code.

6436173129.png