Navigating Scan Results (v9.3.0 and up)

When viewing scan results in the web interface, the scan results overview appears and you can browse through the results. The scan results summary consists of four panes with different levels of detail, as illustrated below. You can drill down from the comprehensive list to the actual code elements by moving through the panes in the order outlined below.

The result summary is divided into the following four panes:

  • Code Pane. Displays the code with detected vulnerability highlighted in the code.
  • Path Pane. Displays the full path of 'vulnerable' code elements with
  • Queries Pane. Defines how to present the query results.
  • Results Pane. Displays the result as table or graph. In addition, background information is available on detected vulnerabilities. 

The Queries pane is covered first because it defines how results are presented. It is followed by the Results pane, where you select the results in order to locate them in the code and obtain additional information.


Queries

Lower left pane: Each item in the list is a specific type of vulnerability for which CxSAST queries the scanned code. Each item is listed with the number of detected instances of the respective vulnerability. The queries are sorted by code language, category, and severity.

The drop-down menu lets you select the desired method for displaying the detected vulnerabilities as illustrated below.

  • Severity - displays application security risks (vulnerabilities) by severity (High, Medium, Low and Info).
  • OWASP Top 10 2017 - displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are listed as Uncategorized.
  • OWASP Top 10 2013 - displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are listed as Uncategorized.
  • PCI DSS v3.2 - displays the vulnerabilities associated with categories (DSS v3.2), as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are listed as Uncategorized.
  • FISMA 2014 - displays the vulnerabilities associated with categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are listed as Uncategorized.
  • NIST SP 800-53 - displays the vulnerabilities associated with categories (SP 800-53), as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are listed as Uncategorized.
  • OWASP Mobile Top 10 2016 - displays the vulnerabilities associated with categories (M1 to M10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 2017 categories are listed as Uncategorized.
  • Custom - a user-defined method for rating the security levels. Using the Custom method requires integrating the user's severity rating method with CxSAST. For more details, please contact Checkmarx support.
  • ASD STIG 4 10 - displays vulnerabilities categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.
  • OWASP Top 10 API

The following images illustrate the methods for displaying the detected vulnerabilities.

To learn more about each vulnerability, click (?) to view additional information on it provided by Codebashing. 

Results Summary

Lower right pane: The lower right section hosts the results summary and the tutorial, organized in the following tabs:

  • Results: View a list of detected vulnerabilities and select them for further action.
  • Graph: View a graphical display that displays affected code elements and the relationship between them.
  • Codebashing: Learn more about detected instances using Codebashing.

To view a list of detected instances and their details, select Results. The code element details of the highlighted instance appear at the top. You can navigate the results using the pagination controls.

Select an instance node (Graph tab) or a listed result (Results tab) to change the following (depending on your user permissions):

Result State: Useful for disregarding false positives or just for planning which issues to handle.

  • To Verify (default) – instance requires verification (i.e. by an authorized user)
  • Not Exploitable – instance has been confirmed as not exploitable (i.e. false positive). Instances defined with this state are not represented in the scan summary, graph, reports, dashboard, etc.
  • Proposed Not Exploitable – instance has been proposed as not exploitable (i.e. potential false positive). Instances defined with this state are represented in the scan summary, graph, reports, dashboard, etc. until such time as the state is changed to "Not Exploitable".
  • Confirmed – instance has been confirmed as exploitable and requires handling
  • Urgent – instance has been confirmed as exploitable and requires urgent handling.
  • Custom – user-defined result states. For instructions on how to add custom result states, see Adding Custom Result States.

Notes on result states:

  • Depending on your user permissions you may not be able to select the "Not Exploitable" state. If this is the case, select the "Proposed Not Exploitable" state and then escalate the instance to an authorized user for confirmation.
  • When the state of an instance is changed (for example to Not Exploitable), all other instances with the same similarity ID are automatically marked with the new state. A popup window is displayed (if enabled) listing all the affected instances, including the project name, scan date and a direct link to each affected instance.
  • If enabled, a comment is required when changing the state of a scan result to Not Exploitable or when changing its severity, depending on the option you enabled.
  • Dedicated permissions are required for each result state, including the user-defined custom result states.

Severity: Useful for defining the priority level of the selected issue.

  • High
  • Medium
  • Low
  • Info

Assign to User: Useful for planning who should handle the selected issue.

Comment: Add a comment to an instance. This metadata is maintained for the project when performing future scans and for instances that continue to be found. When a comment is added, it is logged with date and time in the comment history.

Result Set: Use this option to make the selected instances appear in the results list as an independent result set.

Open Ticket: Click to open a ticket in a bug tracking system, for example in /wiki/spaces/SD/pages/2869003494.

The results are listed with the following parameters:

  • Selector: Check to select the desired result to perform the tasks listed above.
  • Id: The ID of the respective scan.
  • Detection Date: The date on which the vulnerability was detected for the first time in the scanned code.
  • Direct: Click to copy the direct URL of this vulnerability to the clipboard. You can log on from a different host and directly access CxSAST and this vulnerability report.
  • Query Name: The name associated with the query of the source code.
  • Status: The status of the result, for example New (newly detected).
  • Source Folder: The folder of the resource with the detected vulnerability.
  • Source File Name: The name of the resource file in which the vulnerability was detected.
  • Source Line: The line number in the source code where the vulnerability was detected.
  • Source Object: The object where the vulnerability was detected. Once you select the list entry, the object appears highlighted in the resource available in the upper left window.
  • Destination Folder: The destination of the resource.
  • Destination File Name: The name of the destination file for the resource with the vulnerability.
  • Destination Line: The line number in the destination. 
  • Destination Object: The destination object, for example the output of the source.
  • Result State: The status of the result. The result state can be updated. For available status options, refer to the table above. Updating the result state automatically adds a comment to the comment section.
  • Result Severity: The severity of the result. The severity can be updated. For available severities, refer to the table above. Updating the result severity automatically adds a comment to the comment section.
  • BFL Node: BFL stands for Best Fix Location. This parameter defines the node where the fix of the vulnerability should be implemented.
  • BFL Group Size: Defines the group size that the fix should have.
  • Priority: Defines the priority at which the vulnerability should be handled.
  • Assigned User: Lists the user to whom this vulnerability has been assigned. To assign a user, refer to the table above.
  • Ticket ID: The ID of the ticket, if assigned. For additional information on opening a ticket, refer to the table above.
  • Comments: Free text you may add. If the result severity or result state is updated, a comment is added automatically. To add a comment, click the comment icon and enter the comment into the Comment field. Once the comment is saved, it is logged with date and time under Comments History.

To display the first and last code elements of each detected instance with the relationships between them, select Graph.

In CxSAST (see /wiki/spaces/SD/pages/1339261279), the Graph pane displays the full paths of the code elements that constitute the found instances, together with the relationships between them.

To learn more about code vulnerabilities, why they happen, and how to eliminate them, select Codebashing to enter the interactive Checkmarx learning platform. Codebashing provides developers with an in-context learning platform that helps them understand vulnerabilities and write secure code. Codebashing comes as a free version with basic capabilities. Additional learning material and in-depth information is available with the full version.

The free edition of Codebashing covers the following:

  • Lessons: SQL Injection (SQLi), Cross-site scripting (XSS), XML Injection (XXE)
  • Languages: Java, .Net, PHP, Node.JS, Ruby, Python

The full version includes over 20 lessons and additional languages:

  • Lessons: Session fixation, Use of insufficiently random values, Reflected XSS, Command Injection, DOM XSS, Directory (Path) Traversal, Privileged Interface Exposure, Leftover Debug Code, Session Exposure in URL, User Enumeration, Horizontal Privilege Escalation, Vertical Privilege Escalation, Authentication Credentials in URL, Cross Site Request Forgery (POST), Cross Site Request Forgery (GET), Click Jacking, Insecure URL Redirect.
  • Languages: Scala, C/C++.

Path

The Path pane displays the full path of code elements that constitute the vulnerability instance selected in the Results pane. This path represents the full attack vector for the vulnerability instance.

To view the attack vector:

  • Select an instance in the Results pane (Results or Graph tab) and view its attack vector in the Path pane. The code line containing the element that has been selected in the Path pane is highlighted.
  • The Number of Nodes column in the Results panel provides the number of nodes in the attack vector of each result. Sorting, filtering and grouping options are available. This column is disabled by default and can be made available from the Columns selection tool.
  • When using the CxSAST IDE plugins, you can immediately fix the code in place!
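The following is an added illustration, not code from Checkmarx or from this documentation, of how the triage rules described on this page fit together: a result carries an attack vector (the Path pane, whose length is the Number of Nodes column), changing a result's state propagates to every instance with the same similarity ID, a comment is required when marking a result Not Exploitable (if that option is enabled), Not Exploitable instances drop out of the summary counts while Proposed Not Exploitable ones remain, and queries without a category in the selected display method are listed as Uncategorized. The class and function names, the sample results and the category mapping are all constructed for this example and do not reflect CxSAST internals.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Result states as named on this page; any other string is treated as a custom state.
TO_VERIFY = "To Verify"
NOT_EXPLOITABLE = "Not Exploitable"
PROPOSED_NOT_EXPLOITABLE = "Proposed Not Exploitable"
CONFIRMED = "Confirmed"
URGENT = "Urgent"


@dataclass
class ScanResult:
    """One detected instance (hypothetical model): query, severity, attack-vector
    path (first element = source, last = destination) and the similarity ID that
    links identical findings across files, scans and projects."""
    result_id: int
    query_name: str
    severity: str                 # High / Medium / Low / Info
    similarity_id: int
    path: list                    # ordered code elements of the attack vector
    state: str = TO_VERIFY
    comments: list = field(default_factory=list)

    @property
    def number_of_nodes(self) -> int:
        # The "Number of Nodes" column: length of the attack vector.
        return len(self.path)

    @property
    def source(self) -> str:
        return self.path[0]

    @property
    def destination(self) -> str:
        return self.path[-1]


class ResultSet:
    """Hypothetical in-memory view of one scan's results with the triage rules above."""

    def __init__(self, results, comment_required_for_not_exploitable=True):
        self.results = {r.result_id: r for r in results}
        self.comment_required = comment_required_for_not_exploitable

    def set_state(self, result_id, new_state, user, comment=None,
                  can_set_not_exploitable=True):
        """Change a result's state and propagate it to every instance with the same
        similarity ID. Returns the sorted IDs of all affected results."""
        if new_state == NOT_EXPLOITABLE and not can_set_not_exploitable:
            # Without the dedicated permission the user must use Proposed Not Exploitable
            # and escalate to an authorized user.
            raise PermissionError("use Proposed Not Exploitable and escalate")
        if new_state == NOT_EXPLOITABLE and self.comment_required and not comment:
            raise ValueError("a comment is required when marking a result Not Exploitable")
        target = self.results[result_id]
        affected = [r for r in self.results.values()
                    if r.similarity_id == target.similarity_id]
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        for r in affected:
            old = r.state
            r.state = new_state
            # Updating the state automatically adds a dated entry to the comment history.
            note = f" ({comment})" if comment else ""
            r.comments.append(f"{stamp} {user}: state {old} -> {new_state}{note}")
        return sorted(r.result_id for r in affected)

    def _visible(self):
        # Not Exploitable instances are excluded from summary, graph, reports and
        # dashboard; Proposed Not Exploitable instances still count until confirmed.
        return [r for r in self.results.values() if r.state != NOT_EXPLOITABLE]

    def summary_by_severity(self) -> Counter:
        return Counter(r.severity for r in self._visible())

    def queries_with_counts(self) -> Counter:
        return Counter(r.query_name for r in self._visible())

    def queries_by_category(self, category_of: dict) -> Counter:
        """Group visible results by a display method (e.g. an OWASP Top 10 mapping);
        queries missing from the mapping are listed as Uncategorized."""
        return Counter(category_of.get(r.query_name, "Uncategorized")
                       for r in self._visible())


def build_sample() -> ResultSet:
    """Constructed sample data (not from a real scan): two SQL injection instances that
    share a similarity ID, plus one unrelated reflected XSS instance."""
    return ResultSet([
        ScanResult(1, "SQL_Injection", "High", 1001,
                   ["Request.getParameter", "userId", "executeQuery"]),
        ScanResult(2, "SQL_Injection", "High", 1001,
                   ["Request.getParameter", "userId", "executeQuery"]),
        ScanResult(3, "Reflected_XSS", "Medium", 2002,
                   ["Request.getParameter", "name", "Writer.print"]),
    ])


# Constructed placeholder mapping, not the real CxSAST category assignment.
SAMPLE_OWASP_2017 = {"SQL_Injection": "A1-Injection", "Reflected_XSS": "A7-XSS"}

if __name__ == "__main__":
    rs = build_sample()
    print(rs.summary_by_severity(), rs.queries_by_category(SAMPLE_OWASP_2017))
    print("affected:", rs.set_state(1, NOT_EXPLOITABLE, "alice", comment="uses PreparedStatement"))
    print(rs.summary_by_severity(), rs.results[2].comments)
```

The point the model makes visible is that marking a single instance Not Exploitable also silences its sibling with the same similarity ID, and that both disappear from the summary counts; reviewing the popup list of affected instances before confirming is therefore part of the triage, not a formality.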

Code

The Code pane displays the source code of your scanned resource with the detected vulnerabilities marked. Use the Path pane or the Results pane to highlight detected vulnerabilities in the code.
