
Viewing the Applications Overview Tab

Applications group multiple projects into a logical entity for which you can run application (group) scans. The Applications Overview presents aggregated information and analytics for the group of projects within an application. The Applications Overview opens by default when the Applications page is opened.

To access the Application Overview:

  1. On the Applications and Projects page, click Applications. The list of applications appears.

  2. Click the desired application in the list, for example sanity scans. A list of the projects that belong to this application appears. From this list, you can enter the project overview for each project and view their results.

    Applications_and_Projects_Applications.png
  3. Click Go_to_Application.png.

    The Applications Overview appears.

    Applications_Overview.png

The sections below illustrate and explain the various widgets in the Applications Overview.

Overview Widgets

Projects in Application

The Projects in Application widget displays the risk level of each project assigned to the application with a scale of High_Risk.png High, Medium_Risk.png Medium and Low_Risk.png Low. The data reflects the last scan in the application for the selected branch.

Projects_in_Application.png

Vulnerabilities

The Vulnerabilities widget displays the total number of vulnerabilities across all the projects, broken down by severity (High_Risk.png High, Medium_Risk.png Medium, Low_Risk.png Low). This visualization does not include vulnerabilities marked as Not Exploitable.

Vulnerabilities.png

Compliances

Summarizes the projects' compliance status.

Compliances.png

Point to Info.png for the list of compliance categories into which the vulnerabilities detected by SAST are grouped. These categories are explained in the table below.

Compliances_List.png
Table 1. 

Categories

Description

FISMA 2014

Displays the vulnerabilities associated with categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are listed as Uncategorized.

PCI DSS v3.2.1

Displays the vulnerabilities associated with categories (DSS v3.2), as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are listed as Uncategorized.

NIST SP 800-53

Displays the vulnerabilities associated with categories (SP 800-53), as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are listed as Uncategorized.

ASD STIG 4.10

Displays vulnerabilities categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.

OWASP Top 10 2021

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2021 categories are listed as Uncategorized.

OWASP Top 10 API

This category specifically addresses API Security and categorizes vulnerabilities that are related to Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management and Insufficient Logging & Monitoring.

OWASP Top 10 2017

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are listed as Uncategorized.

OWASP Mobile Top 10 2016

Displays the vulnerabilities associated with categories (M1 to M10) that appear in the list of the 10 most serious mobile risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 2016 categories are listed as Uncategorized.

OWASP Top 10 2013

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are listed as Uncategorized.



Top Vulnerable Projects

The Top Vulnerable Projects widget is presented in word cloud style: the three most vulnerable projects are displayed, each colored according to its risk level.

Top_Vulnerable_Projects.png

Aging report

The Aging Report widget presents the number of vulnerabilities, broken down by severity (High_Risk.png High, Medium_Risk.png Medium, Low_Risk.png Low), grouped by how long ago each vulnerability was first discovered. The data reflects the last scan in the project for the selected branch. The widget is a bar chart with the following parameters.

  • x-axis - Presents four fixed time ranges, measured from the first discovery date:

    • 0 - 30 days

    • 30 - 60 days

    • 60 - 90 days

    • 90+ days

  • y-axis - Presents the number of vulnerabilities.

  • Chart data - Three stacked bars per time range (High_Risk.png High, Medium_Risk.png Medium, Low_Risk.png Low), each showing the number of vulnerabilities of that severity.

Aging_Report.png
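The following added example (not Checkmarx code) reproduces the Aging Report aggregation from an exported list of findings: it buckets each finding by the age of its first discovery date, stacks the counts by severity, and skips Not Exploitable findings as the widget does. The finding field names and the boundary rule (lower bound inclusive, upper bound exclusive, so a 30-day-old finding lands in "30 - 60 days") are assumptions, and the sample data is constructed.

```python
from datetime import date

# Bucket labels as they appear on the Aging Report x-axis.
BUCKETS = ("0 - 30 days", "30 - 60 days", "60 - 90 days", "90+ days")
SEVERITIES = ("High", "Medium", "Low")


def age_bucket(days: int) -> str:
    """Map an age in days to the widget's time range.
    Assumption: lower bound inclusive, upper bound exclusive."""
    if days < 30:
        return BUCKETS[0]
    if days < 60:
        return BUCKETS[1]
    if days < 90:
        return BUCKETS[2]
    return BUCKETS[3]


def aging_report(findings, as_of: date):
    """Return {bucket: {severity: count}}, one stacked bar per bucket.
    Not Exploitable findings are excluded, matching the widget."""
    report = {b: {s: 0 for s in SEVERITIES} for b in BUCKETS}
    for f in findings:
        if f["state"] == "Not Exploitable":
            continue
        if f["severity"] not in SEVERITIES:
            continue  # assumption: only High/Medium/Low are charted
        days = (as_of - date.fromisoformat(f["first_found"])).days
        report[age_bucket(days)][f["severity"]] += 1
    return report


# Constructed sample findings; field names are assumptions, not an API schema.
SAMPLE_FINDINGS = [
    {"severity": "High", "state": "To Verify", "first_found": "2024-05-20"},
    {"severity": "High", "state": "Not Exploitable", "first_found": "2024-05-20"},
    {"severity": "Medium", "state": "Confirmed", "first_found": "2024-05-01"},
    {"severity": "Low", "state": "Urgent", "first_found": "2024-03-15"},
    {"severity": "Low", "state": "To Verify", "first_found": "2024-01-10"},
    {"severity": "Medium", "state": "Proposed Not Exploitable", "first_found": "2024-05-02"},
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for bucket, counts in aging_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{bucket:12} " + " ".join(f"{s}={counts[s]}" for s in SEVERITIES))
```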

Note

All the results below are depicted in pie chart format.

Results by Scanner Type

The results are displayed as pie charts for all the projects assigned to the application. They indicate the aggregated number of vulnerabilities found per scan type:

  • SAST

  • SCA

  • KICS

  • API Security

Vulnerabilities flagged with the state of Not Exploitable are not included.


Note

Vulnerabilities labeled Not Exploitable are not included.

Results by State

Displays the aggregated number of vulnerabilities per state from all the projects assigned to the application:

  • To Verify

  • Not Exploitable

  • Proposed Not Exploitable

  • Confirmed

  • Urgent

Vulnerabilities flagged with the Not Exploitable state are counted in this visualization only.


Note

Vulnerabilities labeled Not Exploitable are counted for this visualization only.

Results by Projects Tags

Displays the aggregated number of vulnerabilities found per project tag from all the projects assigned to the application.


Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Technologies

Displays the aggregated number of vulnerabilities found per technology from all the Projects assigned to the Application.

The technologies include:

  • Languages

  • Platforms

  • Packages

Multiple versions of the same item are aggregated under one entry, which is flagged with the number of versions; the tooltip lists those versions. Vulnerabilities flagged with the Not Exploitable state are not counted.

Results_by_Technologies.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Scan Origin

Displays the aggregated number of vulnerabilities found per scan origin, from all the Projects assigned to the Application.

For example:

  • Jenkins

  • GitHub Actions

  • GitHub webhooks

  • Checkmarx One webscan

  • CLI

  • Webapp

Results_by_scan_origin.png

Note

Vulnerabilities labeled Not Exploitable are not counted.