Using AppScan® Source predefined filters
AppScan® Source includes a set of predefined filters that can be selected for filtering scan results. This help topic describes these out-of-the-box filters.
- ! - AppScan Vital Few
- ! - High Risk Sources
- ! - Important Types
- CWE Top 25 2021 Vulnerabilities
- External Communications
- Low Severity And Informational
- Noise - Quality
- OWASP Mobile Top 10 Vulnerabilities
- OWASP API Top 10 Vulnerabilities
- OWASP Top 10 2017 Vulnerabilities
- OWASP Top 10 2021 Vulnerabilities
- PCI Data Security Standard Vulnerabilities
- Targeted Vulnerabilities - EncodingRequired For HTTP Sources
- Targeted Vulnerabilities - Validation Required For C/C++ Sinks
- Trusted Sources
- Vulnerabilities with no trace
! - AppScan® Vital Few
This filter matches findings from some of the most dangerous vulnerability categories. The results are limited to High and Medium severity vulnerabilities. Results with specific sources are removed from the findings. The specific vulnerability categories which are included in this filter are:
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.Injection.OS
Vulnerability.Injection.LDAP
Vulnerability.Injection.SQL
Vulnerability.Injection.Mail
! - High Risk Sources
This filter limits the findings to specific vulnerability types and sources with one of these properties:
Technology.Communications.HTTP
Technology.Communications.IP
Technology.Communications.RCP
Technology.Communications.TCP
Technology.Communications.UDP
Technology.Communications.WebService
! - Important Types
This filter contains findings from a broader range of important vulnerability categories. The findings are limited to High and Medium severities with Definitive or Suspect classifications. The specific categories which are included in this filter are:
Vulnerability.AppDOS
Vulnerability.Authentication.Credentials.Unprotected
Vulnerability.BufferOverflow
Vulnerability.BufferOverflow.FormatString
Vulnerability.BufferOverflow.ArrayIndexOutOfBounds
Vulnerability.BufferOverflow.BufferSizeOutOfBounds
Vulnerability.BufferOverflow.IntegerOverflow
Vulnerability.BufferOverflow.Internal
Vulnerability.CrossSiteRequestForgery
Vulnerability.CrossSiteScripting
Vulnerability.CrossSiteScripting.Reflected
Vulnerability.CrossSiteScripting.Stored
Vulnerability.FileUpload
Vulnerability.Injection
Vulnerability.Injection.LDAP
Vulnerability.Injection.OS
Vulnerability.Injection.SQL
Vulnerability.Injection.XML
Vulnerability.Injection.XPath
Vulnerability.Malicious.EasterEgg
Vulnerability.Malicious.Trigger
Vulnerability.Malicious.Trojan
Vulnerability.PathTraversal
Vulnerability.Validation.EncodingRequired
Vulnerability.Validation.EncodingRequired.Struts
CWE Top 25 2021 Vulnerabilities
This filter focuses on vulnerability types related to the CWE TOP 25 Most Dangerous Software Errors for 2021.
To learn about the 2021 CWE Top 25 Most Dangerous Software Errors, see https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html.
External Communications
This filter matches findings which originate from outside the application and across a
network. This filter matches findings which originate at any
Technology.Communications
source.
Low Severity And Informational
This filter contains findings with severities of Low and Informational. All classifications (Definitive, Suspect, and Scan Coverage) are included.
Noise - Quality
This filter causes the results to only include vulnerability types that are related to quality coding practices.
OWASP Mobile Top 10 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Mobile Top 10 Release Candidate v1.0 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP API Top 10 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) API Top 10 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Top 10 2017 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2017 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Top 10 2019 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2019 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Top 10 2021 Vulnerabilities
This filter focuses on vulnerability types related to the Open Web Application Security Project (OWASP) Top 10 2021 list.
To learn about OWASP, see https://www.owasp.org/index.php/Main_Page. Links to various OWASP documents and security risks are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
PCI Data Security Standard Vulnerabilities
This filter focuses on vulnerability types related to the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 standard.
See https://www.pcisecuritystandards.org/security_standards/index.php for information.
Scan Coverage Findings
This filter causes the results to only include Scan Coverage Findings (see Classifications for more information).
Targeted Vulnerabilities - EncodingRequired
For HTTP Sources
This filter focuses on findings from the Validation.EncodingRequired
and
Validation.EncodingRequired.Struts
vulnerability categories. Only
findings that originate from a Technology.Communications.HTTP
source are
included. The findings are limited to High and Medium severities with Definitive or Suspect
classifications.
Targeted Vulnerabilities - Validation Required For C/C++ Sinks
This filter focuses on Validation.Required
vulnerabilities for a set of
known C and C++ sinks. The findings are limited to High and Medium severities with
Definitive or Suspect classifications.
Trusted Sources
This filter presumes that data coming from certain sources, such as session objects or request attributes, is safe.
Vulnerabilities with no trace
This filter lists vulnerabilities that do not contain traces.