Issue information pane

The Issue information pane shows all content available for the issue.

To open the Issue information pane for an issue:
  • On the Issues page, click a specific issue.
    The Issue information pane opens on the right of the screen.
    Tip: With the pane open, select a different issue on the Issues page to switch to it; the Issue information pane refreshes to show the newly selected issue.
From the Issue information pane, you can view issue-related information in the header and in one of several tabs:

Header

Visible from every tab, the header shows the vulnerability type, issue severity, status, and location. It also includes the following actions:

  • Click Share to share an issue either by link or by Issue ID.
  • Click Full view to open full issue details in a new browser tab.
  • Depending on the current status of the issue, buttons are displayed to change its status, for example Mark in progress or Close issue.
  • Click the ellipsis icon to update the severity of the selected issue.

Details tab

The Details tab displays a summary of issue details in sections, including, where possible, the part of the code where the vulnerability is located. Details vary according to scanning technology.

When appropriate, issue details include a copy icon to copy the information to the clipboard.

Details shown, by scanner technology:

DAST
  • Differences: The parameters that were changed from the original request and that resulted in identification of the issue. The changed request is also shown in red in the Test Requests and Responses section.
  • Reason: Why ASoC flagged this as an issue.
  • Test Requests and Responses: Information about the tests, and their specific variants, that were sent to your web application to discover where it has weaknesses. Strings in red indicate the changed request used by the test (listed under Differences); strings highlighted in yellow indicate input changes made as part of the test.
SCA
  • Main details: The relative path location of the issue in code and the library name.
  • Related: If the issue belongs to a fix group, a link to the associated fix group.
SAST
  • Location: The location of the issue in code. Depending on issue type, location information may also include the API from which the issue originated, or the source (where data originates) and sink (where data ends) for the issue.
  • Call trace: The context of the issue, or the flow of tainted data through the section of the application that contains the vulnerability. The Call trace section includes a legend to help you understand the different areas of the code, including best fix point, alternate fix points, source, sink, and the taint flow.
  • Autofix: If an autofix is available for the issue, it is displayed here. A diff is shown with the original code in red and the fixed code in green. Click Copy to copy the fixed code.
  • Related: If the issue belongs to a fix group, a link to the associated fix group.
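The DAST rows above describe the Differences and Test Requests and Responses sections: the original request, the variant the scanner sent, and which parameter changed. The following Python example is added here and is not part of the ASoC documentation or product; it rebuilds that difference from two raw requests and prints a curl command to replay the variant. Both requests are constructed sample data, and the host, path, cookie, parameter names and the https scheme are assumptions for illustration.

```python
"""Added example (not ASoC code): reconstruct the Differences view for a DAST
finding from the original request and the test variant, then build a replay
command. The two requests are constructed sample data; host, path, cookie and
parameter names are invented."""
import shlex
from urllib.parse import parse_qsl, urlsplit

ORIGINAL = (
    "POST /account/update HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=bob%40example.test&display=Bob"
)

# Same request as the scanner would vary it: only the display parameter changes.
VARIANT = (
    "POST /account/update HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=bob%40example.test&display=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers, body and
    decoded parameters. Header names are lower-cased for lookup."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {}
    # Query-string parameters first, then form-encoded body parameters.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        params[("query", key)] = value
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body, keep_blank_values=True):
            params[("body", key)] = value
    return {"method": method, "target": target, "headers": headers,
            "body": body, "params": params}


def differences(original: str, variant: str) -> list:
    """Return (location, name, original value, test value) for every
    parameter the variant changed, added or removed: the Differences list."""
    before = parse_request(original)["params"]
    after = parse_request(variant)["params"]
    diffs = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            diffs.append((key[0], key[1], before.get(key), after.get(key)))
    return diffs


def replay_command(variant: str, scheme: str = "https") -> str:
    """Build a curl command that resends the test variant unchanged
    (the scheme is an assumption; raw requests do not carry it)."""
    req = parse_request(variant)
    url = f"{scheme}://{req['headers']['host']}{req['target']}"
    parts = ["curl", "-i", "-X", req["method"], url]
    for name, value in req["headers"].items():
        if name != "host":  # curl derives Host from the URL
            parts += ["-H", f"{name}: {value}"]
    if req["body"]:
        parts += ["--data-raw", req["body"]]
    return shlex.join(parts)


if __name__ == "__main__":
    for location, name, old, new in differences(ORIGINAL, VARIANT):
        print(f"{location} parameter {name!r}: {old!r} -> {new!r}")
    print(replay_command(VARIANT))
```

The decoded test value is what the pane highlights in yellow; the replay command resends the exact encoded body, so you are reproducing the scanner's request rather than a re-encoding of it.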
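The Call trace and Autofix rows above describe a tainted flow from source to sink, with best and alternate fix points and a red/green diff of the fix. The following Python example is added here and is not part of the ASoC documentation or product; it shows such a flow with the legend terms marked in comments, beside the parameterized form an Autofix diff would propose, and runs both against an in-memory database to show why the fix matters. The function names, table and sample rows are invented for illustration.

```python
"""Added example (not ASoC code): a SQL injection taint flow labelled the way a
Call trace legend labels it (source, taint flow, sink, best and alternate fix
points), beside the fixed form an Autofix diff would show. The schema and data
are constructed so the example runs offline."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data (invented names and roles)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# --- Vulnerable flow (what the diff shows in red) ---------------------------

def get_request_param(query: dict, key: str) -> str:
    # SOURCE: attacker-controlled input enters the program here.
    return query.get(key, "")


def build_user_filter(name: str) -> str:
    # TAINT FLOW: the value is concatenated into SQL text, never bound or escaped.
    # BEST FIX POINT: every query that filters by name passes through this
    # helper, so a fix here covers all downstream sinks at once.
    return "name = '" + name + "'"


def find_user_vulnerable(conn: sqlite3.Connection, query: dict) -> list:
    name = get_request_param(query, "name")
    sql = "SELECT name, role FROM users WHERE " + build_user_filter(name)
    # SINK: tainted string executed as SQL.
    # ALTERNATE FIX POINT: escaping right here would close this sink only,
    # not other callers of build_user_filter().
    return conn.execute(sql).fetchall()


# --- Fixed flow (what the diff shows in green) ------------------------------

def find_user_fixed(conn: sqlite3.Connection, query: dict) -> list:
    name = get_request_param(query, "name")  # still a source, now harmless
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so the sink never receives attacker-controlled syntax.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def demo() -> dict:
    """Run both versions with a benign and an injected value."""
    conn = setup_db()
    benign = {"name": "bob"}
    injected = {"name": "x' OR '1'='1"}  # classic tautology payload
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_injected": find_user_vulnerable(conn, injected),
        "fixed_benign": find_user_fixed(conn, benign),
        "fixed_injected": find_user_fixed(conn, injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

When you read a call trace, look for the frame that all sinks share (here build_user_filter); that is usually the best fix point, while patching at the sink alone leaves the other callers exposed.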

Library tab (SCA only)

The Library tab contains useful information about the library associated with the issue, including overall risk of the library to your applications, and license details.

Table 1. Library tab items and values

Library
  • Last found: The date the open source library was last found in associated applications.
  • License: The license name.
  • Copyleft:
    FULL: Copyleft applies to modifications as well as to your own code that uses the open-source software.
    PARTIAL: Copyleft applies only to modifications.
    NO: Non-copyleft license.
  • Copyright risk:
    1: Anyone may use the code without restriction.
    2: Anyone who distributes the code must provide certain notices as described in the license. These generally require providing attributions and/or license terms with the software.
    3: Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available. Attribution and/or license terms may also be required.
    4: Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. These licenses include LGPL and GPL with Classpath Exception, as examples. Attribution and/or license terms may be required.
    5: Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, regardless of whether the code is dynamically or statically linked (for example, GPL). Attribution and/or license terms may be required.
    6: Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if they (a) distribute the software or (b) enable others to use the software via hosted or web services. Attribution and/or license terms may be required.
    7: Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if they (a) distribute the software or (b) enable others to use the software via hosted or web services. Attribution and/or license terms may be required.
  • Linking:
    Viral: Linking infects the linking code.
    Dynamic: Dynamic linking does not infect the linking code.
    Non-viral: The licensing of the linking code remains unaffected.
  • Patent risk:
    1: Royalty free and no identified patent risks.
    2: Royalty free unless litigated.
    3: No patents granted.
    4: Specific identified patent risks.
  • Risk level: The overall risk of the library to the application: Low, Medium, or High.
  • Royalty free: Royalty status of the library.
    YES: Royalty-free and no identified patent risks.
    CONDITIONAL: Royalty-free unless litigated.
    NO: No patents granted.
  • URL: The URL at which to learn more about the specified library.
Note: A library may have more than one license.

Source code tab (SAST only)

The Source code tab displays code associated with the issue for faster and more efficient issue triage.

By default, you can browse your local directory structure for source code files:
  • Click Add directory to associate a local root source code directory with the issue.
  • Hover over highlighted vulnerabilities in the source code for remediation suggestions.
  • Source code viewed through the Issue information pane remains private. It is not uploaded to ASoC.
If the scanned IRX file was generated from a GitHub repository, so that the scan carries information linking it to GitHub:
  • Ensure that the last commit available during the scan is also available on the GitHub server; if the scanned commit was never pushed, the link cannot resolve to the same code.
  • Click Open file on GitHub to open the file in the GitHub web interface in a new browser tab.
  • Remediate the code in GitHub.

In either case, the connection to source code is not persistent; reconnect to the source code in each browser session as needed for triage and remediation.

How to fix tab

The How to fix tab offers detailed information on cause, risk, exploit example, fix recommendation, CWE, related articles, and external references. Click the > next to each section to expand it.

Where available, language- and framework-specific information is shown by clicking the relevant name (.Net, Angular, Apex, and so on) directly underneath the issue name, or by selecting it in the drop-down at the right of the pane.

Comments tab

Use this tab to add your own comments. Comments are visible to you and other users, and are included in reports.

Audit trail tab

The Audit trail tab lists the change history of the issue. Each row records the date and time of a change, the entity that made it, and the details of how the issue changed. For example, a change in issue type or severity is recorded as an Audit trail entry.

Properties tab

The Properties tab lists expanded issue details, including how and when the issue was found, its type, status, severity, scanner technology, location, and issue ID.

From the Properties tab you can:
  • Click the issue ID to open full issue details in the current browser tab.
  • Click the copy icon next to a property to copy it to the system clipboard for pasting into other applications.
  • Click Copy properties to copy all listed properties to the system clipboard for pasting into other applications, such as a Jira item.