Displaying findings

The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.

Selecting the root of the tree causes all findings to display in the table - and selecting a grouping type causes only those types of findings to display.


Findings view

AppScan® Source for Analysis displays findings by different groupings that include:

  • Fix Group (default)

    Fix groups in the Findings tree are listed in a heirarchy as follows: Vulnerability group and type > Source > Severity.

  • Vulnerability Type
  • Classification
  • File
  • Source
  • Sink
  • API
  • Bundle
  • CWE
  • Table
Note: Classification and severity sort in descending order by default. All other columns sort in ascending order.

These columns appear in a findings table.

Table 1. Findings table
Column Heading Description
Trace An icon in this column indicates that a trace exists for lost or known sinks.
Severity
  • High: Poses a risk to the confidentiality, integrity, or availability of data and/or the integrity or availability of processing resources. High-severity conditions should be prioritized for immediate remediation.
  • Medium: Poses a risk to data security and resource integrity, but the condition is less susceptible to attack. Medium-severity conditions should be reviewed and remedied where possible.
  • Low: Poses minimal risk to data security or resource integrity.
  • Info: The finding, itself, is not susceptible to compromise. Rather, it describes the technologies, architectural characteristics, or security mechanisms used in the code.
Classification Type of finding: Definitive or Suspect security finding - or Scan Coverage finding.
Note: In some cases, a classification of None may be used to denote a classification that is neither a security finding or a scan coverage finding.
Vulnerability Type Vulnerability category, such as Validation.Required or Injection.SQL.
API The vulnerable call, showing both the API and the arguments passed to it.
Source A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered tainted.
Sink A sink can be any external format to which data can be written out. Sink examples include databases, files, console output, and sockets. Writing data to a sink without checking it may indicate a serious security vulnerability.
Directory Full path of the scanned files.
File Name of the code file in which the security finding or scan coverage finding occurs. File paths in findings are relative to the scanned project working directory.
Calling Method The function (or method) from which the vulnerable call is made.
Line Line number in the code file that contains the vulnerable API.
Bundle Bundle that contains this finding.
CWE ID and topic of the community-developed dictionary of common software weaknesses (Common Weakness Enumeration (CWE) topics).
Note: If you select a finding for which AppScan Source cannot locate source, you will be prompted with a dialog box asking if you want to be prompted when source files cannot be located. If you select Yes, you will be prompted each time a finding is selected for which source files cannot be located. If you select No, you will not be prompted. This setting persists as long as the current assessment is open. The setting is reset every time the assessment is opened or if you exit AppScan Source.