Issue attributes

This table describes a few of the predefined issue attributes in AppScan Enterprise.

Name: Description
Status: Use to track workflow during your remediation process.
CVSS: An average score based on a combination of the Base and Temporal CVSS metrics groups and any manually set severity scores.
CVSS Version: Indicates the CVSS specification used to calculate the CVSS score. For scans from 10.2.0, the CVSS version is 3.1 and it is version 2.0 for older scans.
Severity Value: Manually fine-tune the CVSS score for a specific issue. Typically, you override the settings when you are importing issues from a third-party scanner or from AppScan Standard, or when you are triaging individual issues.
  • Use CVSS
  • Information = 0
  • Low = 0.1 - 3.9
  • Medium = 4.0 - 6.9
  • High = 7.0 - 8.9
  • Critical = 9.0 - 10.0
    Note: Do not change the severity values unless it is absolutely necessary as these ranges are based on the standards set by CVSS 3.1.
Discovery Method: Static Analysis (SAST) or Dynamic Analysis (DAST)
Scanner: The type of third-party scanner that imported the issue, for example Nessus Vulnerability Scanner.
Application: An issue that is imported from AppScan Source. It contains one or more projects and related attributes. An attribute is a characteristic that helps organize scan results into meaningful groups.
Element: The name of the object on the page, for example, cookie or parameter, that is vulnerable to the issue, for example, passw.
Classification: Type of finding: vulnerability, exception, or informational. An exception is an indication of a suspicious and potentially vulnerable condition that requires more information or investigation.
Source File: The source files in the AppScan Source project that contain the vulnerabilities.
Line: The line number in the source code where the vulnerability was found.
API: The API that contains the vulnerabilities.
Project Name: A project in AppScan Source consists of a set of files, including source code, and related information, for example, configuration data. A project is always part of an application.
Fixed Date: The date and time stamp of when the issues were fixed. This attribute is read-only.
Overdue: An issue that has not been fixed by a predetermined date.

CVSS Metrics

CVSS Base metrics are metrics of the vulnerability that are constant over time and across user environments. CVSS Temporal metrics are metrics of the vulnerability that may change over time. For more information on the details of these metrics, see CVSS Specification.