
Viewing SAST Results

The SAST Results page contains two main sections that work together.

  • Vulnerabilities Table

  • Code Viewer

Vulnerabilities Table


The Vulnerabilities Table lists the vulnerabilities that were found during the last SAST scan of the Project.

The data shown reflects that single SAST scan only; results from earlier scans are not shown in this view.

Grouping Vulnerabilities

Vulnerabilities are shown in a nested tree structure with two grouping levels - Primary and Secondary.


By default, the Primary grouping is by Language and the Secondary grouping is by Vulnerability.

You can set the Primary and Secondary grouping to any of the following columns.

  • Language - Default Primary

  • Vulnerability - Default Secondary

  • Severity

  • Status

  • Source File

  • Sink File

  • Source Node

  • Sink Node

Filtering Vulnerabilities

Quick Filters

By default, the Vulnerabilities list shows results for all of the languages that were detected during the SAST scan.

The list can be quickly filtered by Language. The languages are listed at the top of the table, and clicking a Language restricts the list to that language.

Complex Filters

The Vulnerabilities list also supports filtering by any column.

A filter can be added to or removed from the view.

Notice

By default, a state filter is applied that hides vulnerabilities in the state Not Exploitable. A result that has been marked Not Exploitable therefore does not appear until you remove that filter, which matters when you are reviewing or auditing earlier triage decisions.

Several filters can be applied at once; a result is shown only if it matches all of them (AND condition between the filters).

The following filtering columns are available:

  • Severity

  • Status

  • Source File

  • Sink File

  • Source Node

  • Sink Node
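The grouping and filtering behaviour described above (a two-level tree, AND semantics between filters, and the default filter that hides Not Exploitable results) modelled in Python as an added example. This is not Checkmarx code and not its API; the column names and the SAMPLE_RESULTS records are constructed here to mirror the table columns on this page.

```python
"""Model of the Vulnerabilities Table: two-level grouping plus conjunctive
(AND) filtering, with the default filter that hides Not Exploitable results.

Added example, not Checkmarx code. SAMPLE_RESULTS is constructed data and the
column names are assumptions that mirror the table columns described above.
"""
from collections import defaultdict

# Constructed sample data: one dict per vulnerability instance.
SAMPLE_RESULTS = [
    {"language": "Java", "vulnerability": "SQL_Injection", "severity": "High",
     "status": "To Verify", "source_file": "Login.java", "sink_file": "UserDao.java",
     "source_node": "username", "sink_node": "executeQuery"},
    {"language": "Java", "vulnerability": "SQL_Injection", "severity": "High",
     "status": "Not Exploitable", "source_file": "Admin.java", "sink_file": "UserDao.java",
     "source_node": "filter", "sink_node": "executeQuery"},
    {"language": "Java", "vulnerability": "Reflected_XSS", "severity": "Medium",
     "status": "Confirmed", "source_file": "Search.java", "sink_file": "Search.java",
     "source_node": "q", "sink_node": "getWriter"},
    {"language": "JavaScript", "vulnerability": "DOM_XSS", "severity": "Medium",
     "status": "To Verify", "source_file": "app.js", "sink_file": "app.js",
     "source_node": "location.hash", "sink_node": "innerHTML"},
]

# Columns that may be used as the Primary or Secondary grouping level.
GROUPABLE = ("language", "vulnerability", "severity", "status",
             "source_file", "sink_file", "source_node", "sink_node")


def apply_filters(results, filters=None, hide_not_exploitable=True):
    """Return the instances matching every filter (AND across columns).

    `filters` maps a column name to the set of accepted values. The default
    state filter from the Notice is modelled by hide_not_exploitable; pass
    False to bring Not Exploitable results back into view.
    """
    filters = filters or {}
    out = []
    for r in results:
        if hide_not_exploitable and r["status"] == "Not Exploitable":
            continue
        if all(r[col] in accepted for col, accepted in filters.items()):
            out.append(r)
    return out


def group_results(results, primary="language", secondary="vulnerability"):
    """Build the nested tree {primary value: {secondary value: [instances]}}."""
    if primary not in GROUPABLE or secondary not in GROUPABLE or primary == secondary:
        raise ValueError("grouping columns must be distinct and groupable")
    tree = defaultdict(lambda: defaultdict(list))
    for r in results:
        tree[r[primary]][r[secondary]].append(r)
    return {k: dict(v) for k, v in tree.items()}


def group_counts(tree):
    """Flatten the tree into sorted (primary, secondary, count) rows."""
    return sorted((p, s, len(items)) for p, subs in tree.items()
                  for s, items in subs.items())


if __name__ == "__main__":
    visible = apply_filters(SAMPLE_RESULTS)  # the default view
    for row in group_counts(group_results(visible)):
        print(row)
    # Quick filter by Language plus a Severity filter, ANDed together.
    selected = {"language": {"Java"}, "severity": {"High"}}
    print(len(apply_filters(SAMPLE_RESULTS, selected)), "Java/High result(s) visible by default")
    print(len(apply_filters(SAMPLE_RESULTS, selected, hide_not_exploitable=False)),
          "Java/High result(s) once the state filter is removed")
```

Regrouping is a matter of calling `group_results` with a different pair of columns, for example `("severity", "language")`; the filter step is kept separate so the same filtered set can be regrouped without being recomputed.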

Code Viewer

The Code Viewer section shows the source code for a specific vulnerability together with its detailed information.

The Code Viewer section provides the following functionality:

  • The panel opens on demand when you click a vulnerability in the table.

  • The Attack Vector pane shows the full path of the attack vector. Click a node to show the relevant code in the Code Viewer.

  • The panel can be resized by dragging the bottom bar, which changes the space given to the Code Viewer relative to the Vulnerabilities table.

  • An additional panel is integrated within the Code Viewer panel and contains the following options:

    • Changes (flow icon) - Lists the Severity and/or State changes that were made to the specific vulnerability, together with any Comments that were added.

    • Notes (note icon) - Lists all the comments that were added to the specific vulnerability.

    • Description (info icon) - A short description of the specific vulnerability.

      When clicking Read More a new page will be opened including the following information:

      • Vulnerability risk - What might happen.

      • Vulnerability cause - How does it happen.

      • General recommendations - How to avoid it.

      • Code examples

Code Viewer Display Modes

The Code Viewer section can be presented in three different modes.

To switch between the modes, click the Change Mode icon.

The possible Code Viewer modes are:

  • Split Vertically (Default)

  • Split Horizontally

  • Table View

When the Vulnerabilities table is shown in Split Vertically or Split Horizontally mode, clicking a vulnerability instance opens the Code Viewer window next to the table (positioned according to the chosen split), showing the relevant code.

When the table is shown in Table View mode, clicking a vulnerability opens a side panel showing detailed information about the vulnerability, divided into tabs.

Opening Code Viewer

To open the Code Viewer section, perform the following:

  1. On the Results screen, set the mode to Split Vertically (default) or Split Horizontally.

  2. Click on a vulnerability grouping to expand the display. Continue drilling down until the individual vulnerability instances are shown.

  3. Click on a vulnerability instance to show the relevant code in the Code Viewer window.

Best Fix Location

It often happens that several different vulnerabilities in your code intersect at a particular node. In such cases, securing that node can remediate several vulnerabilities at once, which can substantially cut the time and effort needed to remediate the vulnerabilities in your source code. Wherever relevant, Checkmarx identifies the key node, where remediation has the greatest impact, and labels it the “Best Fix Location (BFL)”. The BFL label is shown on the relevant node in the Attack Vector pane.
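The idea behind the Best Fix Location, as an added illustration that is not Checkmarx code: given the attack vectors of several results, find the node that the most vectors pass through, since securing it closes all of them at once. The page does not describe how the scan engine actually chooses the BFL, so the "most shared node wins" rule and the source-nearest tie-break below are assumptions, and the VECTORS data is constructed.

```python
"""Illustration of the Best Fix Location idea: find the node that the most
attack vectors pass through, so that fixing it remediates the most results.

Added example, not Checkmarx code. The engine's real BFL selection is not
described on this page, so the selection rule here is an assumption and
the VECTORS data is constructed.
"""
from collections import Counter

# Constructed attack vectors: each is the ordered node path from source to
# sink. A node is identified by (file, line, name) so that the same name in
# two different files is not conflated.
VECTORS = {
    "SQLi-1": [("Login.java", 12, "username"), ("Login.java", 20, "buildQuery"),
               ("UserDao.java", 40, "executeQuery")],
    "SQLi-2": [("Admin.java", 8, "filter"), ("Login.java", 20, "buildQuery"),
               ("UserDao.java", 40, "executeQuery")],
    "SQLi-3": [("Report.java", 5, "range"), ("Report.java", 9, "buildQuery"),
               ("UserDao.java", 40, "executeQuery")],
    "XSS-1": [("Search.java", 3, "q"), ("Search.java", 15, "getWriter")],
}


def node_coverage(vectors):
    """Count, for each node, how many distinct vectors pass through it."""
    counts = Counter()
    for path in vectors.values():
        for node in set(path):  # a node repeated within one path counts once
            counts[node] += 1
    return counts


def best_fix_location(vectors):
    """Return (node, covered_vector_ids) for the node shared by most vectors.

    Ties are broken in favour of the node closest to the source (on average
    across the vectors it appears in); sanitising earlier is generally
    preferable. This tie-break is an assumption, not the engine's rule.
    """
    counts = node_coverage(vectors)

    def avg_position(node):
        positions = [p.index(node) for p in vectors.values() if node in p]
        return sum(positions) / len(positions)

    node = min(counts, key=lambda n: (-counts[n], avg_position(n)))
    covered = sorted(vid for vid, p in vectors.items() if node in p)
    return node, covered


def remaining_after_fix(vectors, node):
    """The vectors that are still open once `node` has been secured."""
    return {vid: p for vid, p in vectors.items() if node not in p}


if __name__ == "__main__":
    open_vectors = dict(VECTORS)
    # Iterating the rule gives a fix order that drains the result set fastest.
    while open_vectors:
        node, covered = best_fix_location(open_vectors)
        print("fix", node, "-> remediates", covered)
        open_vectors = remaining_after_fix(open_vectors, node)
```

In the constructed data the shared sink `executeQuery` covers three of the four vectors, so it is reported first; `buildQuery` in Login.java only covers two, which is why a fix there would leave SQLi-3 open.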

Managing (Triaging) Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which consists of the following attributes: ‘State’, ‘Severity’ and ‘Notes’. After reviewing the results of a scan, you can triage the results and modify these predicates accordingly. For more information about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.

Warning

Only users with the Checkmarx One role update-result (e.g. a risk-manager) are authorized to change the predicate. Only users with the role update-result-not-exploitable (e.g. an admin) are authorized to mark a vulnerability as ‘Not Exploitable’. Because Not Exploitable results are hidden by the default state filter, this second role effectively controls who can remove a finding from view, so grant it sparingly.

Triaging a Single Vulnerability

Notice

The procedure for adjusting the predicate differs slightly depending on the mode in which you are showing the results. The following procedure assumes that you are in Split Vertically or Split Horizontally mode, which show the Code Viewer for the selected vulnerability. If you are in Table View mode, then the adjustments are made in the sidebar that shows the vulnerability details.

To edit the result predicate:

  1. Open the vulnerability that you would like to edit in the Code Viewer.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

  4. To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.


Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicate for multiple vulnerabilities:

  1. In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.

    Note

    Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.

    A menu bar is shown at the top of the table.

  2. To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign. Options are: High, Medium, Low or Info.

  3. To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

  4. To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.
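The predicate model and the role checks from the Warning above, covering both the single-vulnerability and the bulk procedures, written in Python as an added example. This is not Checkmarx code and not its API: the two role names and the allowed Severity and State values are taken from this page, while the Predicate class, the shape of the change log and the sample users are assumptions.

```python
"""Model of the result predicate (State, Severity, Notes) with the role checks
described on this page, for single and bulk triage.

Added example, not Checkmarx code or its API. Role names and the allowed
values come from the page; the data structures and users are assumptions.
"""
from dataclasses import dataclass, field

SEVERITIES = ("High", "Medium", "Low", "Info")
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable",
          "Confirmed", "Urgent")

ROLE_UPDATE = "update-result"                     # may edit the predicate
ROLE_UPDATE_NE = "update-result-not-exploitable"  # may set Not Exploitable


@dataclass
class Predicate:
    severity: str = "Medium"
    state: str = "To Verify"
    notes: list = field(default_factory=list)
    changes: list = field(default_factory=list)  # (user, attribute, old, new)


def _authorize(roles, new_state=None):
    """Raise PermissionError unless `roles` permits the requested change."""
    if ROLE_UPDATE not in roles:
        raise PermissionError(f"{ROLE_UPDATE} role required to edit the predicate")
    if new_state == "Not Exploitable" and ROLE_UPDATE_NE not in roles:
        raise PermissionError(f"{ROLE_UPDATE_NE} role required to mark Not Exploitable")


def set_severity(pred, severity, user, roles):
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    _authorize(roles)
    pred.changes.append((user, "severity", pred.severity, severity))
    pred.severity = severity


def set_state(pred, state, user, roles):
    if state not in STATES:
        raise ValueError(f"unknown state {state!r}")
    _authorize(roles, new_state=state)
    pred.changes.append((user, "state", pred.state, state))
    pred.state = state


def add_note(pred, text, user, roles):
    _authorize(roles)
    pred.notes.append((user, text))
    pred.changes.append((user, "note", None, text))


def bulk_set_state(preds, state, user, roles):
    """Bulk action: validate and authorize once, then apply to every instance.

    All checks run before any change is made, so a denied request leaves the
    whole selection untouched rather than half-updated.
    """
    if state not in STATES:
        raise ValueError(f"unknown state {state!r}")
    _authorize(roles, new_state=state)
    for p in preds:
        p.changes.append((user, "state", p.state, state))
        p.state = state
    return len(preds)


if __name__ == "__main__":
    results = [Predicate() for _ in range(3)]
    set_severity(results[0], "High", "alice", {ROLE_UPDATE})
    set_state(results[0], "Confirmed", "alice", {ROLE_UPDATE})
    add_note(results[0], "Reachable from the login form", "alice", {ROLE_UPDATE})
    try:
        bulk_set_state(results[1:], "Not Exploitable", "alice", {ROLE_UPDATE})
    except PermissionError as err:
        print("denied:", err)
    bulk_set_state(results[1:], "Not Exploitable", "bob", {ROLE_UPDATE, ROLE_UPDATE_NE})
    for r in results:
        print(r.state, r.changes)
```

A user holding only update-result can still set Proposed Not Exploitable, which is the workflow this split of roles encourages: the proposal is visible in the table, and a user with the second role confirms it. The `changes` list is what the Changes pane in the Code Viewer displays.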