Viewing SAST Results
The SAST Results page contains two main sections that work together:
Vulnerabilities Table
Code Viewer
Vulnerabilities Table
The Vulnerabilities Table displays the list of vulnerabilities that were found during the last SAST scan of the Project.
The results shown reflect a single SAST scan.
Grouping Vulnerabilities
Vulnerabilities are shown in a nested tree structure with two grouping levels - Primary and Secondary.
By default, the Primary grouping is by Language and the Secondary grouping is by Vulnerability.
You can set the Primary and Secondary grouping to any of the following columns:
Language - Default Primary
Vulnerability - Default Secondary
Severity
Status
Source File
Sink File
Source Node
Sink Node
Filtering Vulnerabilities
Quick Filters
The default Vulnerabilities list contains all the languages that were found during the SAST scan.
The Vulnerabilities list can be quickly filtered by Language. The languages are listed at the top, and clicking a Language filters the list accordingly.
Complex Filters
The Vulnerabilities list supports additional filtering by any column.
A filter can be added or removed from the view.
Notice
By default, a state filter is applied to hide vulnerabilities that are in the state Not Exploitable.
Filtering supports applying several filters at once (with an AND condition between the filtering options).
The following columns are available as filters:
Severity
Status
Source File
Sink File
Source Node
Sink Node
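The grouping and filtering behaviour described above (a two-level tree, AND-combined filters, and a default filter that hides Not Exploitable results) is modelled in the following added example. It is illustration code, not Checkmarx code; the findings are constructed, and the field and function names are assumptions chosen to mirror the column names on this page.

```python
"""Grouping and filtering SAST results (added illustration, not Checkmarx code).

Field names are assumptions mirroring the Vulnerabilities Table columns.
"""
from collections import defaultdict

# Constructed sample findings (not real scan output).
FINDINGS = [
    {"language": "Java", "vulnerability": "SQL_Injection", "severity": "High",
     "status": "To Verify", "source_file": "Login.java", "sink_file": "Dao.java",
     "source_node": "getParameter", "sink_node": "executeQuery"},
    {"language": "Java", "vulnerability": "SQL_Injection", "severity": "High",
     "status": "Not Exploitable", "source_file": "Admin.java", "sink_file": "Dao.java",
     "source_node": "getParameter", "sink_node": "executeQuery"},
    {"language": "Java", "vulnerability": "Reflected_XSS", "severity": "Medium",
     "status": "Confirmed", "source_file": "Search.java", "sink_file": "Search.java",
     "source_node": "getParameter", "sink_node": "println"},
    {"language": "JavaScript", "vulnerability": "Client_DOM_XSS", "severity": "Low",
     "status": "To Verify", "source_file": "app.js", "sink_file": "app.js",
     "source_node": "location.hash", "sink_node": "innerHTML"},
]

# The default state filter hides Not Exploitable results, as the page notes.
DEFAULT_FILTERS = {"status_not": "Not Exploitable"}


def apply_filters(findings, filters):
    """Keep findings that satisfy every filter (AND semantics).

    `filters` maps a column name to the required value. The special key
    'status_not' excludes a state; that is how the default filter is modelled.
    """
    kept = []
    for f in findings:
        ok = True
        for col, val in filters.items():
            if col == "status_not":
                if f["status"] == val:
                    ok = False
            elif f.get(col) != val:
                ok = False
        if ok:
            kept.append(f)
    return kept


def group(findings, primary="language", secondary="vulnerability"):
    """Build the two-level tree {primary value: {secondary value: [findings]}}."""
    tree = defaultdict(lambda: defaultdict(list))
    for f in findings:
        tree[f[primary]][f[secondary]].append(f)
    return {p: dict(s) for p, s in tree.items()}


def count_tree(tree):
    """Instance counts per group, like the counts shown beside each group row."""
    return {p: {s: len(items) for s, items in sub.items()} for p, sub in tree.items()}


def view(findings, filters=None, primary="language", secondary="vulnerability"):
    """Default view: default filter plus any extra filters, then grouping."""
    merged = dict(DEFAULT_FILTERS)
    merged.update(filters or {})
    return count_tree(group(apply_filters(findings, merged), primary, secondary))


if __name__ == "__main__":
    print(view(FINDINGS))
    # Quick filter by language, regrouped by Severity / Status.
    print(view(FINDINGS, {"language": "Java"}, primary="severity", secondary="status"))
    # Removing the default filter brings the Not Exploitable instance back.
    print(count_tree(group(apply_filters(FINDINGS, {}))))
```

Note that the default filter is merged with whatever the user adds, so a Not Exploitable instance stays hidden until that filter is removed explicitly; the third call shows the count change when it is.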
Code Viewer
The Code Viewer section shows the source code of a specific vulnerability together with its detailed information.
The Code Viewer section includes the following functionality:
The panel opens on demand when you click a vulnerability in the table.
The Attack Vector pane shows the full path of the attack vector. Click on a node to show the relevant code in the Code Viewer.
The panel can be resized by dragging the bottom bar, which changes the split between the Code Viewer and the Vulnerabilities table.
An additional panel is integrated within the Code Viewer panel, containing the following options:
Changes
- Includes information about Severity and/or State changes that were performed for a specific vulnerability, in addition to added Comments.
Notes
- Includes all the comments that were added for a specific vulnerability.
Description
- A Short description about a specific vulnerability.
Clicking Read More opens a new page with the following information:
Vulnerability risk - What might happen.
Vulnerability cause - How it happens.
General recommendations - How to avoid it.
Code examples
Code Viewer Display Modes
The Code Viewer section can be presented in three different modes.
To switch between modes, click the Change Mode icon.
The possible Code Viewer modes are:
Split Vertically (Default)
Split Horizontally
Table View
When the Vulnerabilities table is shown in Split Vertically or Split Horizontally mode, clicking on a vulnerability instance opens the Code Viewer window (on the top or side respectively), showing the relevant code.
When the table is shown in Table View mode, clicking on a vulnerability opens a side panel showing detailed information about the vulnerability, divided into tabs.
Opening Code Viewer
To open the Code Viewer section, perform the following:
On the Results screen, set the mode to Split Vertically (default) or Split Horizontally.
Click on a vulnerability grouping to expand the display. Continue drilling down until the individual vulnerability instances are shown.
Click on a vulnerability instance to show the relevant code in the Code Viewer window.
Codebashing Links
Codebashing is an interactive AppSec training platform built by developers for developers. Codebashing sharpens the skills that developers need to avoid security issues, fix vulnerabilities, and write secure code in the first place. See Codebashing documentation here.
When you select a SAST vulnerability for which a Codebashing lesson exists, a link to the relevant lesson is shown. Click the link to open the lesson in a new browser tab.
Note
If you don’t yet have a license for Codebashing, a dialog opens showing a link to start a free trial.
Best Fix Location
It often occurs that several different vulnerabilities in your code intersect at a particular node. In such cases, securing the content of that node can remediate multiple vulnerabilities all in one shot. This can dramatically cut the time and effort needed to remediate the vulnerabilities in your source code. Wherever relevant, Checkmarx identifies the key node, where remediation can have the greatest impact, and labels it as the “Best Fix Location (BFL)”. The BFL label is shown for the relevant node in the Attack Vector pane.
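The page states that Checkmarx marks the node where remediation has the greatest impact as the Best Fix Location, but does not describe how that node is chosen. The following added example is not Checkmarx's algorithm; it implements one assumed heuristic to make the idea concrete: among the nodes shared by the most attack vectors, prefer the one nearest the sink, and repeat greedily until every vector is covered. The vectors are constructed, and all names are assumptions.

```python
"""Shared fix points across attack vectors (added illustration, not Checkmarx code).

Heuristic (an assumption, not the product's algorithm): the node that lies on
the most vectors is the best shared fix point; ties go to the node nearest the
sink, since a control placed there still guards every covered flow.
"""
from collections import Counter

# Constructed attack vectors: ordered node paths from source to sink.
VECTORS = {
    "SQL_Injection#1": ["getParameter", "username", "buildQuery", "executeQuery"],
    "SQL_Injection#2": ["getHeader", "token", "buildQuery", "executeQuery"],
    "Stored_XSS#1": ["getParameter", "comment", "save", "render"],
}


def shared_node_counts(vectors):
    """Count, for each node, how many distinct vectors pass through it."""
    counts = Counter()
    for path in vectors.values():
        for node in set(path):  # a node counts once per vector
            counts[node] += 1
    return counts


def best_fix_location(vectors):
    """Return (node, sorted names of the vectors it covers), or None if empty."""
    counts = shared_node_counts(vectors)
    if not counts:
        return None

    def avg_position(node):
        # Higher means closer to the sink end of the paths it appears on.
        positions = [p.index(node) for p in vectors.values() if node in p]
        return sum(positions) / len(positions)

    node = max(counts, key=lambda n: (counts[n], avg_position(n)))
    covered = sorted(name for name, path in vectors.items() if node in path)
    return node, covered


def fix_plan(vectors):
    """Greedy plan: pick the best fix location, drop the vectors it covers, repeat.

    Returns a list of (node, covered_vectors) whose union covers every vector.
    """
    remaining = dict(vectors)
    plan = []
    while remaining:
        node, covered = best_fix_location(remaining)
        plan.append((node, covered))
        for name in covered:
            del remaining[name]
    return plan


if __name__ == "__main__":
    for node, covered in fix_plan(VECTORS):
        print(f"fix at {node!r} clears {len(covered)} vector(s): {covered}")
```

In the constructed data both SQL injection vectors meet at buildQuery and executeQuery; the heuristic picks executeQuery because it is the later of the two, and a second fix at render is needed for the remaining XSS vector. Whether the sink or an earlier shared node is the better place to fix depends on the code, which is exactly the judgement the BFL label is meant to support.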
Managing (Triaging) Results
Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which is comprised of the following attributes: ‘State’, ‘Severity’ and ‘Notes’. After reviewing the results of a scan, you have the ability to triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.
You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.
Warning
Only users with the Checkmarx One role update-result (e.g. a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g. an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.
Triaging a Single Vulnerability
Notice
The procedure for adjusting the predicate differs slightly depending on the mode in which you are showing the results. The following procedure assumes that you are in Split Vertically or Split Horizontally mode, which show the Code Viewer for the selected vulnerability. If you are in Table View mode, then the adjustments are made in the sidebar that shows the vulnerability details.
To edit the result predicate:
Open the vulnerability that you would like to edit in the Code Viewer.
To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.
Triaging Multiple Vulnerabilities (Bulk Action)
To edit the result predicate for multiple vulnerabilities:
In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.
Note
Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.
A menu bar is shown at the top of the table.
To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.
To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.
To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.
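The single and bulk triage procedures above, together with the role rules in the Warning, are modelled in the following added example. It is illustration code, not Checkmarx code: the role names, states and severities are those on this page, while the Predicate class, function names and the choice to record every change in a Changes list are assumptions. It also assumes that setting Not Exploitable requires both roles, since the page says only update-result holders may change a predicate at all.

```python
"""Triage predicate updates with role checks (added illustration, not Checkmarx code).

A predicate is State + Severity + Notes. Only the update-result role may change
it, and only update-result-not-exploitable may set Not Exploitable (assumed to
be required in addition to update-result).
"""
from dataclasses import dataclass, field

SEVERITIES = ("High", "Medium", "Low", "Info")
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent")


class NotAuthorized(Exception):
    """Raised when the caller's roles do not permit the requested change."""


@dataclass
class Predicate:
    """State + Severity + Notes for one vulnerability instance (assumed shape)."""
    state: str = "To Verify"
    severity: str = "Medium"
    notes: list = field(default_factory=list)    # what the Notes tab lists
    changes: list = field(default_factory=list)  # what the Changes tab lists


def can_triage(roles, new_state=None):
    """True if `roles` permit a predicate change that sets `new_state` (or no state)."""
    if "update-result" not in roles:
        return False
    if new_state == "Not Exploitable" and "update-result-not-exploitable" not in roles:
        return False
    return True


def triage(pred, roles, *, severity=None, state=None, note=None, user="analyst"):
    """Apply the requested changes to one predicate, recording each in `changes`."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if state is not None and state not in STATES:
        raise ValueError(f"unknown state {state!r}")
    if not can_triage(roles, state):
        raise NotAuthorized(f"roles {sorted(roles)} may not apply this change")
    if severity is not None and severity != pred.severity:
        pred.changes.append((user, "severity", pred.severity, severity))
        pred.severity = severity
    if state is not None and state != pred.state:
        pred.changes.append((user, "state", pred.state, state))
        pred.state = state
    if note:
        pred.notes.append((user, note))
        pred.changes.append((user, "note", None, note))
    return pred


def bulk_triage(preds, roles, **changes):
    """Apply one change to every selected instance (the menu-bar bulk action).

    Authorization is checked once up front so a denied bulk action touches nothing.
    """
    if not can_triage(roles, changes.get("state")):
        raise NotAuthorized(f"roles {sorted(roles)} may not apply this bulk change")
    return [triage(p, roles, **changes) for p in preds]


if __name__ == "__main__":
    p = triage(Predicate(), {"update-result"}, severity="High", state="Confirmed",
               note="Reproduced from the attack vector", user="risk-manager")
    print(p)
    try:
        triage(Predicate(), {"update-result"}, state="Not Exploitable")
    except NotAuthorized as exc:
        print("denied:", exc)
```

The up-front check in bulk_triage matters: validating per instance would leave the first few predicates changed when a later one is denied, so a bulk action is authorized as a whole before any predicate is touched.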