Navigating Scan Results (v8.8.0 to v8.9.0)

When viewing full Scan Results in the web interface, you can interactively navigate through the results:

The interface consists of four panes, each showing a different level of detail. You can drill down from the comprehensive list of queries to the individual code elements by moving through the panes in the following order:

Queries (lower-left pane) - Each item in the list is a specific type of vulnerability for which CxSAST queries the scanned code, together with the number of instances found. The queries are sorted by code language, category and severity.

Clicking the Codebashing icon takes you to Codebashing™, our interactive learning platform, where you can learn about code vulnerabilities, why they happen and how to eliminate them. Once there, select a tutorial and start sharpening your skills.

Codebashing provides developers with an in-context learning platform that sharpens the skills they need to fix vulnerabilities and write secure code. This approach makes AppSec learning engaging and more effective, with a fast learning curve.

Codebashing is currently available to all users as a free limited edition covering:

  • Lessons: SQL Injection (SQLi), Cross-site scripting (XSS), XML Injection (XXE)
  • Languages: Java, .Net, PHP, Node.JS, Ruby, Python

The full, paid version will include over 20 lessons and additional languages:

  • Lessons: Session fixation, Use of insufficiently random values, Reflected XSS, Command Injection, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Session Exposure in URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Authentication Credentials in URL, Cross Site Request Forgery (POST), Cross Site Request Forgery (GET), Click Jacking, Insecure URL Direct.
  • Languages: Scala, C/C++.

Clicking ( ? ) displays comprehensive information about the vulnerability type, including risk details, a description of its cause and mechanism, recommendations for avoiding it, and source code examples.

The Severity drop-down list provides the following methods for displaying the detected vulnerabilities:

  • Severity - displays application security risks (vulnerabilities) by severity (High, Medium and Low).
  • OWASP Top 10 2017 - displays the vulnerabilities associated with the categories (A1 to A10) in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are grouped under un-categorized.
  • OWASP Top 10 2013 - displays the vulnerabilities associated with the categories (A1 to A10) in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are grouped under un-categorized.
  • PCI - displays the vulnerabilities associated with the categories of PCI DSS v3.2, as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are grouped under un-categorized.
  • FISMA - displays the vulnerabilities associated with the categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are grouped under un-categorized.
  • NIST - displays the vulnerabilities associated with the categories of SP 800-53, as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are grouped under un-categorized.
  • OWASP Mobile Top 10 2016 - displays the vulnerabilities associated with the categories (M1 to M10) in the list of the 10 most serious mobile risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 categories are grouped under un-categorized.
  • Custom - a user-defined method for rating the security levels. Using the Custom method requires integrating the user's severity rating method with CxSAST. For more details, please contact Checkmarx support.

The following images show the Severity drop-down list opened after selecting OWASP (2017 or 2013) and PCI for the first, second and third image, respectively.

The following images show the Severity drop-down list opened after selecting FISMA and NIST for the first and second image, respectively.

Select a query to view its found instances in the Results pane:

Results (lower-right pane) - Displays the found instances of the query selected in the Queries pane, in the following two formats:

  • Graph (right tab in Results pane) - Graphical display of the first and last code elements of each found instance, with the relationships between them.

    In the CxSAST IDE plugins, the Graph pane displays the full paths of the code elements that constitute the found instances, together with the relationships between them.

  • Results (left tab in Results pane) - Tabular list of found instances and their details. The code element details of the highlighted instance appear at the top. You can navigate the results using the pagination controls.

Selecting an instance node (Graph tab) or an instance check-box (Results tab) enables you to change the following states (depending on your user permissions):

Results State - useful for disregarding false positives, or simply for planning which issues to handle:

  • To Verify (default) – the instance requires verification by an authorized user.
  • Not Exploitable – the instance has been confirmed as not exploitable (i.e. a false positive). Instances in this state are not represented in the scan summary, graph, reports, dashboard, etc.

    Depending on your user permissions you may not be able to select the "Not Exploitable" state. If so, select the "Proposed Not Exploitable" state and then escalate the instance to an authorized user for confirmation.

  • Proposed Not Exploitable – the instance has been proposed as not exploitable (i.e. a potential false positive). Instances in this state are still represented in the scan summary, graph, reports, dashboard, etc. until the state is changed to "Not Exploitable".
  • Confirmed – the instance has been confirmed as exploitable and requires handling.
  • Urgent – the instance has been confirmed as exploitable and requires urgent handling.

    Result states can also be customized to your own preferences. Contact Checkmarx customer support for more information.

Result Severity (High, Medium, Low and Info) - useful for defining the priority level of the selected issue.

When the state of an instance is changed (e.g. to Not Exploitable), all other instances with the same similarity ID are automatically marked with the new state. A popup window (if enabled) lists all the affected instances, including the project name, scan date and a direct link to each affected instance.
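The state names, the propagation-by-similarity-ID rule and the "Not Exploitable is hidden, Proposed Not Exploitable is still shown" behaviour are as stated on this page; the following Python is an added illustration of those rules, not Checkmarx code. The instance layout, the function names, the permission flag and the sample instances (including the `cx.example` links) are constructed assumptions for the example.

```python
"""Model of CxSAST result-state triage (added illustration, not Checkmarx code).

Assumptions (not from the page): instances are plain dataclass records; the
summary counts every instance except those in a hidden state; a permission
flag stands in for the user permission that gates the Not Exploitable state.
"""
from dataclasses import dataclass

# Result states listed on the page.
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent")
# Only Not Exploitable is dropped from the scan summary, graph, reports and dashboard;
# Proposed Not Exploitable is still shown until it is confirmed.
HIDDEN_STATES = {"Not Exploitable"}


@dataclass
class Instance:
    project: str
    scan_date: str
    similarity_id: int
    query: str
    state: str = "To Verify"
    link: str = ""  # URL to the results interface with this instance selected (constructed)


def set_state(instances, target, new_state, may_mark_not_exploitable=True):
    """Change target's state and propagate it to every instance that shares its
    similarity ID. Returns the affected instances (what the popup would list).
    Raises PermissionError when the user may not mark Not Exploitable directly,
    mirroring the page's advice to propose and escalate instead."""
    if new_state not in STATES:
        raise ValueError(f"unknown state: {new_state}")
    if new_state == "Not Exploitable" and not may_mark_not_exploitable:
        raise PermissionError("select 'Proposed Not Exploitable' and escalate to an authorized user")
    affected = [i for i in instances if i.similarity_id == target.similarity_id]
    for inst in affected:
        inst.state = new_state
    return affected


def scan_summary(instances):
    """Count instances per query, excluding hidden states (the scan-summary view)."""
    counts = {}
    for inst in instances:
        if inst.state in HIDDEN_STATES:
            continue
        counts[inst.query] = counts.get(inst.query, 0) + 1
    return counts


def sample_results():
    # Constructed sample: the same SQLi finding recurring in two scans shares a
    # similarity ID (1001); the others are distinct findings.
    return [
        Instance("shop", "2019-01-10", 1001, "SQL_Injection", link="https://cx.example/r/1"),
        Instance("shop", "2019-02-03", 1001, "SQL_Injection", link="https://cx.example/r/2"),
        Instance("shop", "2019-02-03", 1002, "SQL_Injection", link="https://cx.example/r/3"),
        Instance("shop", "2019-02-03", 2001, "Reflected_XSS", link="https://cx.example/r/4"),
    ]


if __name__ == "__main__":
    results = sample_results()
    print("before:", scan_summary(results))
    for inst in set_state(results, results[0], "Not Exploitable"):
        print("affected:", inst.project, inst.scan_date, inst.link)
    print("after:", scan_summary(results))
```

Marking the first instance Not Exploitable also flips the second (same similarity ID), and both disappear from the summary, while a Proposed Not Exploitable instance keeps counting until an authorized user confirms it.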

Assign to User - useful for planning who should handle the selected issue.

Click Comments to add a comment to an instance. This metadata is retained for the project across future scans, for instances that continue to be found.

Click Save Scan Subset to have the selected instances appear in the results list as an independent result set.

If configured, tickets can be opened in a bug tracking system (e.g. Jira) by clicking Open ticket.

Click the link icon to obtain a URL to this results interface with the instance already selected.

Path (upper-right pane) - Displays the full path of code elements that constitute the vulnerability instance that is selected in the Results pane. This path represents the full attack vector for the vulnerability instance.

Select an instance in the Results pane (Results or Graph tab) and view its attack vector in the Path pane.

Number of Nodes

The Number of Nodes column in the Results pane shows the number of nodes in the attack vector of each result. Sorting, filtering and grouping options are available. The column is disabled by default and can be enabled from the Columns selection tool.

Select a code element in the Path pane to view it in its code context, in the Source Code pane (see below).

Source Code (upper-left pane) - Displays the source code files, highlighting the code line containing the element that is selected in the Path pane.

When using the CxSAST IDE plugins, you can immediately fix the code in place!