Using AppScan® Source predefined filters
AppScan® Source includes a set of predefined filters that can be selected for filtering scan results. This help topic describes these out-of-the-box filters.
- ! - AppScan Vital Few
- ! - High Risk Sources
- ! - Important Types
- CWE Top 25 2021 Vulnerabilities
- CWE Top 25 2024 Vulnerabilities
- DISA Application Security V5R3 Vulnerabilities
- DISA Application Security V6R3 Vulnerabilities
- External Communications
- Low Severity And Informational
- Noise - Quality
- OWASP Mobile Top 10 Vulnerabilities
- OWASP Top 10 2017 Vulnerabilities
- OWASP Top 10 2021 Vulnerabilities
- OWASP API Security Top 10 2019 Vulnerabilities
- OWASP API Security Top 10 2023 Vulnerabilities
- PCI Data Security Standard V4.0 Vulnerabilities
- Scan Coverage Findings
- Targeted Vulnerabilities - EncodingRequired For HTTP Sources
- Targeted Vulnerabilities - Validation Required For C/C++ Sinks
- Trusted Sources
- Vulnerabilities with no trace
! - AppScan® Vital Few
This filter matches findings from some of the most dangerous vulnerability categories. The results are limited to High and Medium severity vulnerabilities. Results with specific sources are removed from the findings. The specific vulnerability categories which are included in this filter are:
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.Injection.OS
Vulnerability.Injection.LDAP
Vulnerability.Injection.SQL
Vulnerability.Injection.Mail
! - High Risk Sources
This filter limits the findings to specific vulnerability types and sources with one of these properties:
Technology.Communications.HTTP
Technology.Communications.IP
Technology.Communications.RCP
Technology.Communications.TCP
Technology.Communications.UDP
Technology.Communications.WebService
! - Important Types
This filter contains findings from a broader range of important vulnerability categories. The findings are limited to High and Medium severities with Definitive or Suspect classifications. The specific categories which are included in this filter are:
Vulnerability.AppDOS
Vulnerability.Authentication.Credentials.Unprotected
Vulnerability.BufferOverflow
Vulnerability.BufferOverflow.FormatString
Vulnerability.BufferOverflow.ArrayIndexOutOfBounds
Vulnerability.BufferOverflow.BufferSizeOutOfBounds
Vulnerability.BufferOverflow.IntegerOverflow
Vulnerability.BufferOverflow.Internal
Vulnerability.CrossSiteRequestForgery
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.FileUpload
Vulnerability.Injection
Vulnerability.Injection.LDAP
Vulnerability.Injection.OS
Vulnerability.Injection.SQL
Vulnerability.Injection.XML
Vulnerability.Injection.XPath
Vulnerability.Malicious.EasterEgg
Vulnerability.Malicious.Trigger
Vulnerability.Malicious.Trojan
Vulnerability.PathTraversal
Vulnerability.Validation.EncodingRequired
Vulnerability.Validation.EncodingRequired.Struts
CWE Top 25 2021 Vulnerabilities
This filter focuses on vulnerability types related to the CWE TOP 25 Most Dangerous Software Errors for 2021.
To learn about the 2021 CWE Top 25 Most Dangerous Software Errors, see https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html.
CWE Top 25 2024 Vulnerabilities
This filter focuses on vulnerability types related to the CWE TOP 25 Most Dangerous Software Errors for 2024.
To learn about the 2024 CWE Top 25 Most Dangerous Software Weaknesses, see https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html.
DISA Application Security V5R3 Vulnerabilities
This filter focuses on vulnerability types related to the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version V5R3.
To learn about the DISA Application Security and Development STIG, see https://public.cyber.mil/stigs/.
DISA Application Security V6R3 Vulnerabilities
This filter focuses on vulnerability types related to the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version V6R3.
To learn about the DISA Application Security and Development STIG, see https://public.cyber.mil/stigs/.
External Communications
This filter matches findings that originate from outside the application and across a network, that is, findings that originate at any Technology.Communications source.
Low Severity And Informational
This filter contains findings with severities of Low and Informational. All classifications (Definitive, Suspect, and Scan Coverage) are included.
Noise - Quality
This filter causes the results to only include vulnerability types that are related to quality coding practices.
OWASP Mobile Top 10 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Mobile Top 10 Release Candidate v1.0 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Top 10 2017 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2017 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Top 10 2021 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2021 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP API Security Top 10 2019 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) API Security Top 10 2019 list.
To learn about the OWASP API Security Project, see https://owasp.org/www-project-api-security/.
OWASP API Security Top 10 2023 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) API Security Top 10 2023 list.
To learn about the OWASP API Security Project, see https://owasp.org/www-project-api-security/.
PCI Data Security Standard V4.0 Vulnerabilities
This filter focuses on vulnerability types related to the Payment Card Industry Data Security Standard (PCI DSS) version 4.0.
See https://www.pcisecuritystandards.org/security_standards/index.php for information.
Scan Coverage Findings
This filter lists vulnerabilities that contain scan coverage findings. See Classifications for more information.
Targeted Vulnerabilities - EncodingRequired For HTTP Sources
This filter focuses on findings from the Validation.EncodingRequired and Validation.EncodingRequired.Struts vulnerability categories. Only findings that originate from a Technology.Communications.HTTP source are included. The findings are limited to High and Medium severities with Definitive or Suspect classifications.
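The following is an added example, not AppScan Source code or its filter format: it models how the "! - AppScan Vital Few" filter above and this "Targeted Vulnerabilities - EncodingRequired For HTTP Sources" filter combine vulnerability type, severity, classification and source technology into a predicate over findings. The Finding fields, the sub-type matching rule and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_type: str        # e.g. "Vulnerability.Injection.SQL"
    severity: str         # "High", "Medium", "Low" or "Informational"
    classification: str   # "Definitive", "Suspect" or "Scan Coverage"
    source: str           # technology property of the finding's source

HIGH_OR_MEDIUM = {"High", "Medium"}
DEFINITIVE_OR_SUSPECT = {"Definitive", "Suspect"}

# Assumption: a listed category also covers its sub-types, so
# "Vulnerability.CrossSiteScripting" matches "...CrossSiteScripting.Reflected".
def type_in(vuln_type: str, categories: set) -> bool:
    return any(vuln_type == c or vuln_type.startswith(c + ".") for c in categories)

VITAL_FEW_TYPES = {"Vulnerability.CrossSiteScripting", "Vulnerability.Injection.OS",
                   "Vulnerability.Injection.LDAP", "Vulnerability.Injection.SQL",
                   "Vulnerability.Injection.Mail"}
ENCODING_TYPES = {"Vulnerability.Validation.EncodingRequired"}

def vital_few(f: Finding) -> bool:
    """'! - AppScan Vital Few': listed categories, High/Medium severities only.
    The page's removal of findings from unnamed specific sources is not modelled."""
    return f.severity in HIGH_OR_MEDIUM and type_in(f.vuln_type, VITAL_FEW_TYPES)

def encoding_required_http(f: Finding) -> bool:
    """'Targeted Vulnerabilities - EncodingRequired For HTTP Sources'."""
    return (f.source == "Technology.Communications.HTTP"
            and f.severity in HIGH_OR_MEDIUM
            and f.classification in DEFINITIVE_OR_SUSPECT
            and type_in(f.vuln_type, ENCODING_TYPES))

def apply_filter(pred, findings):
    return [f for f in findings if pred(f)]

# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("Vulnerability.Injection.SQL", "High", "Definitive", "Technology.Communications.HTTP"),
    Finding("Vulnerability.CrossSiteScripting.Reflected", "Medium", "Suspect", "Technology.Communications.HTTP"),
    Finding("Vulnerability.Injection.SQL", "Low", "Definitive", "Technology.Communications.HTTP"),
    Finding("Vulnerability.Validation.EncodingRequired.Struts", "High", "Suspect", "Technology.Communications.HTTP"),
    Finding("Vulnerability.Validation.EncodingRequired", "High", "Definitive", "Technology.Constructed.Internal"),
    Finding("Vulnerability.PathTraversal", "High", "Scan Coverage", "Technology.Communications.TCP"),
]

if __name__ == "__main__":
    print(len(apply_filter(vital_few, SAMPLE)), "Vital Few findings")
    print(len(apply_filter(encoding_required_http, SAMPLE)), "EncodingRequired/HTTP findings")
```

The Low-severity SQL injection finding and the EncodingRequired finding from a non-HTTP source are dropped by the respective predicates, which is the behaviour each filter description above specifies.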
Targeted Vulnerabilities - Validation Required For C/C++ Sinks
This filter focuses on Validation.Required vulnerabilities for a set of known C and C++ sinks. The findings are limited to High and Medium severities with Definitive or Suspect classifications.
Trusted Sources
This filter presumes that data coming from certain sources, such as session objects or request attributes, is safe.
Vulnerabilities with no trace
This filter lists vulnerabilities that do not contain traces.