Skip to main content

Application Details Page

Open the Application Details Page

Click on View.png in the row of the relevant application.

Alternatively, perform the following:

  1. On the Applications page, click on the relevant application row.

    The Applications' preview pane opens on the right side of the screen.

  2. Click on Go to Application

    Image_062.png

Applications Overview

Applications group multiple projects to a logical entity.

The Applications Overview presents aggregated information and analytics for a group of projects within the framework of an application.

Image_063.png

Overview Widgets

Projects in Application

The Projects in Application widget displays the risk level of each project assigned to the application with a scale of Critical, High, Medium and Low.

The data reflects the last scan in the application for the selected branch.

Projects_in_Application.png

Vulnerabilities

The Vulnerabilities widget display the total number of vulnerabilities from all the Projects' severities (Critical, High, Medium, Low).

This visualization does not include vulnerabilities marked as Not Exploitable.

Vulnerabilities.png

Compliances

Summarizes the projects compliances.

Compliances.png

Point to Info.png for the list of vulnerability categories in which the vulnerabilities detected in SAST are categorized.

These categories are explained in the table below.

Compliances_List.png

Categories

Description

FISMA 2014

Displays the vulnerabilities associated with categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are listed as Uncategorized.

PCI DSS v3.2.1

Displays the vulnerabilities associated with categories (DSS v3.2), as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are listed as Uncategorized.

NIST SP 800-53

Displays the vulnerabilities associated with categories (SP 800-53), as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are listed as Uncategorized.

ASD STIG 4.10

Displays vulnerabilities categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.

OWASP Top 10 2021

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2021 categories are listed as Uncategorized.

OWASP Top 10 API

This category specifically addresses API Security and categorizes vulnerabilities that are related to Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management and Insufficient Logging & Monitoring.

OWASP Top 2017

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are listed as Uncategorized.

OWASP Mobile Top 10 2016

Displays the vulnerabilities associated with categories (M1 to M10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 2017 categories are listed as Uncategorized.

OWASP Top 10 2013

Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are listed as Uncategorized.

Top Vulnerable Projects

Presented in word cloud style, where the three top vulnerable Projects are displayed with different risk level colors.

Top_Vulnerable_Projects.png

Aging Summary

The Aging Report widget presents the amount of vulnerabilities distributed by severities (Critical, High, Medium, Low) for the first discovery date in a specific time range. The data reflects the last scan in the project for the selected branch.

The widget includes a bar chart presentation with the following parameters.

  • x-axis - Presents 4 constant time ranges:

    • 0 - 30 days

    • 30 - 60 days

    • 60 - 90 days

    • 90+days

  • y-axis - Presents the amount of vulnerabilities.

  • Chart data - 3 stacked bars per each time range (Critical, High, Medium, Low) with the amount of vulnerabilities per bar type.

    Aging_Summary.png

Results by Scanner Type

The results are displayed as pie charts for all the projects assigned to the application.

They indicate the aggregated number of vulnerabilities found per scan type:

  • SAST

  • SCA

  • IaC Security

  • API Security

Vulnerabilities flagged with the state of Not Exploitable are not included.

Results_by_Scanner_Type.png

Results by State

Displays the aggregated number of vulnerabilities per state from all the projects assign to the application.

  • To Verify

  • Not Exploitable

  • Proposed Not Exploitable

  • Confirmed

  • Urgent

Vulnerabilities flagged with the Not Exploitable state are counted, only for this visualization.

6484656278.png

Results by Projects Tags

Displays the aggregated number of vulnerabilities found per project tag from all the projects assigned to the application.

6482592625.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Scan Origin

Displays the aggregated number of vulnerabilities found per scan origin, from all the Projects assigned to the Application.

For example:

  • Jenkins

  • Github action

  • Github webhooks

  • Checkmarx One webscan

  • CLI

  • Webapp

    Results_by_scan_origin.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Technologies

Displays the aggregated number of vulnerabilities found per technology from all the Projects assigned to the Application.

The technologies include:

  • Languages

  • Platforms

  • Packages

Multiple versions of the item are aggregated under the same item, but are flagged with the number of versions.

The tooltip lists the versions and any vulnerabilities flagged with the Not Exploitable state are not counted.

Results_by_Technologies.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Risk Management Tab for an Application

The Risk Management tab on the Application page shows up to 50 of the most severe risks in the application.

This screen can be accessed either from the main Application Risk Management screen or by navigating to the relevant Workspace Workspace.png > Applications page.

By default, the risks are sorted by Risk Score and shown in descending order, enabling you to quickly identify the most critical risks. You can change the sorting method and apply filters for each column. There is also a quick-filter to show only results for runtime vulnerabilities.

There is a button in the filter bar for accessing the relevant documentation in our documentation portal.

Risk_MGMT_Tab.png

The following info is shown for each risk.

  • Vulnerability Name: The name of the vulnerability. For SAST and IaC Security, this is the type of vulnerability. For SCA, this is a combination of the risk ID and the package in which it was identified. For BYOR, this is rule attribute from the SARIF file (if not provided, then the ruleID is used).

  • Risk Score: The severity of the risk on a scale from 0.1 (low) to 10 (critical). For more info about how the risk score is calculated see here.

    In addition, for accounts with Cloud Insights integration, the Image_1387.png icon indicates a risk that is Internet Facing.

  • Vulnerability Type: This column categorizes vulnerabilities based on their general types. Results identified by the SAST scanner are categorized as "Code". SCA results are either "Direct Package" or "Transitive Package". IaC Security results are referred to as "Configuration", and BYOR are referred to as "Imported Results".

  • Additional Trait - Shows if there are specific additional risk factors. Possible values are currently: "Exploitable Path" and "Suspected Malware".

  • Days Open: The number of days since the vulnerability was initially detected.

  • Origin: This column shows the name of the project where the vulnerability was identified.

Risk Score Parameters

Click on the Risk Score for a row in the table in order to open a side panel that shows a breakdown of the risk factors that contribute to the Risk Score calculation.

Image_1929.png

The data shown in this panel differs depending on the scanner that identified the risk. The data is divided into three tabs: Threat Impact, Exposure Risk and Environmental Sensitivity. Click on a tab to show the data for that section. The following is a summary of the data shown in each section:

  • Threat Impact - Focuses on how much damage a vulnerability could cause if exploited.

  • Exposure Risk - Assesses how likely the vulnerability is to be exploited, considering factors like access levels, attack complexity, and known exploits.

  • Environmental Sensitivity - Measures the impact of the vulnerability in the specific application context, including whether the system is public, live, or has specific configuration details like dependency tracking.

Risk Management Tab for an Application

The Risk Management tab on the Application page shows up to 50 of the most severe risks in the application.

This screen can be accessed either from the main Application Risk Management screen or by navigating to the relevant Workspace Workspace.png > Applications page.

By default, the risks are sorted by Risk Score and shown in descending order, enabling you to quickly identify the most critical risks. You can change the sorting method and apply filters for each column. There is also a quick-filter to show only results for runtime vulnerabilities.

There is a button in the filter bar for accessing the relevant documentation in our documentation portal.

Risk_MGMT_Tab.png

The following info is shown for each risk.

  • Vulnerability Name: The name of the vulnerability. For SAST and IaC Security, this is the type of vulnerability. For SCA, this is a combination of the risk ID and the package in which it was identified. For BYOR, this is rule attribute from the SARIF file (if not provided, then the ruleID is used).

  • Risk Score: The severity of the risk on a scale from 0.1 (low) to 10 (critical). For more info about how the risk score is calculated see here.

    In addition, for accounts with Cloud Insights integration, the Image_1387.png icon indicates a risk that is Internet Facing.

  • Vulnerability Type: This column categorizes vulnerabilities based on their general types. Results identified by the SAST scanner are categorized as "Code". SCA results are either "Direct Package" or "Transitive Package". IaC Security results are referred to as "Configuration", and BYOR are referred to as "Imported Results".

  • Additional Trait - Shows if there are specific additional risk factors. Possible values are currently: "Exploitable Path" and "Suspected Malware".

  • Days Open: The number of days since the vulnerability was initially detected.

  • Origin: This column shows the name of the project where the vulnerability was identified.

Risk Score Parameters

Click on the Risk Score for a row in the table in order to open a side panel that shows a breakdown of the risk factors that contribute to the Risk Score calculation.

Image_1929.png

The data shown in this panel differs depending on the scanner that identified the risk. The data is divided into three tabs: Threat Impact, Exposure Risk and Environmental Sensitivity. Click on a tab to show the data for that section. The following is a summary of the data shown in each section:

  • Threat Impact - Focuses on how much damage a vulnerability could cause if exploited.

  • Exposure Risk - Assesses how likely the vulnerability is to be exploited, considering factors like access levels, attack complexity, and known exploits.

  • Environmental Sensitivity - Measures the impact of the vulnerability in the specific application context, including whether the system is public, live, or has specific configuration details like dependency tracking.