
Application Details Page

Open the Application Details Page

Click on the View icon in the row of the relevant application.

Alternatively, perform the following:

  1. On the Applications page, click on the relevant application row.

    The application's preview pane opens on the right side of the screen.

  2. Click on Go to Application.

    Image_062.png

Applications Overview

Applications group multiple projects into a single logical entity.

The Applications Overview presents aggregated information and analytics for a group of projects within the framework of an application.

Image_063.png

Overview Widgets

Projects in Application

The Projects in Application widget displays the risk level of each project assigned to the application with a scale of High, Medium and Low.

The data reflects the last scan in the application for the selected branch.

Projects_in_Application.png

Vulnerabilities

The Vulnerabilities widget displays the total number of vulnerabilities across all projects in the application, broken down by severity (High, Medium, Low).

This visualization does not include vulnerabilities marked as Not Exploitable.

Vulnerabilities.png

Compliances

Summarizes the projects' compliance results.

Compliances.png

Point to the Info icon for the list of compliance categories into which the vulnerabilities detected by SAST are classified.

These categories are explained below.

Compliances_List.png

  • FISMA 2014 - Displays the vulnerabilities associated with categories (2014), as defined by FISMA (Federal Information Security Modernization Act). All vulnerabilities that do not fall into any of the FISMA categories are listed as Uncategorized.

  • PCI DSS v3.2.1 - Displays the vulnerabilities associated with categories (DSS v3.2), as defined by PCI (Payment Card Industry). All vulnerabilities that do not fall into any of the PCI categories are listed as Uncategorized.

  • NIST SP 800-53 - Displays the vulnerabilities associated with categories (SP 800-53), as defined by NIST (National Institute of Standards and Technology). All vulnerabilities that do not fall into any of the NIST categories are listed as Uncategorized.

  • ASD STIG 4.10 - Displays vulnerabilities categorized by the DISA Application and Development STIG once the STIG post-installation script has been run.

  • OWASP Top 10 2021 - Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2021 categories are listed as Uncategorized.

  • OWASP Top 10 API - This category specifically addresses API security and categorizes vulnerabilities related to Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management and Insufficient Logging & Monitoring.

  • OWASP Top 10 2017 - Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2017 categories are listed as Uncategorized.

  • OWASP Mobile Top 10 2016 - Displays the vulnerabilities associated with categories (M1 to M10) that appear in the list of the 10 most serious mobile risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Mobile Top 10 2016 categories are listed as Uncategorized.

  • OWASP Top 10 2013 - Displays the vulnerabilities associated with categories (A1 to A10) that appear in the list of the 10 most serious risks, as defined by OWASP (Open Web Application Security Project). All vulnerabilities that do not fall into any of the OWASP Top 10 2013 categories are listed as Uncategorized.

Top Vulnerable Projects

Presented in word-cloud style: the three most vulnerable projects are displayed, each colored according to its risk level.

Top_Vulnerable_Projects.png

Aging Summary

The Aging Report widget presents the number of vulnerabilities, broken down by severity (High, Medium, Low), grouped by the time range in which they were first discovered. The data reflects the last scan in the project for the selected branch.

The widget includes a bar chart with the following parameters:

  • x-axis - Presents 4 fixed time ranges since first discovery:

    • 0 - 30 days

    • 30 - 60 days

    • 60 - 90 days

    • 90+ days

  • y-axis - Presents the number of vulnerabilities.

  • Chart data - 3 stacked bars per time range (High, Medium, Low), each showing the number of vulnerabilities of that severity.

    Aging_Summary.png

Results by Scanner Type

The results are displayed as pie charts for all the projects assigned to the application.

They indicate the aggregated number of vulnerabilities found per scan type:

  • SAST

  • SCA

  • IaC Security

  • API Security

Vulnerabilities flagged with the state of Not Exploitable are not included.

Results_by_Scanner_Type.png

Results by State

Displays the aggregated number of vulnerabilities per state from all the projects assigned to the application:

  • To Verify

  • Not Exploitable

  • Proposed Not Exploitable

  • Confirmed

  • Urgent

For this visualization only, vulnerabilities flagged with the Not Exploitable state are counted.

6484656278.png

Results by Projects Tags

Displays the aggregated number of vulnerabilities found per project tag from all the projects assigned to the application.

6482592625.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Scan Origin

Displays the aggregated number of vulnerabilities found per scan origin, from all the Projects assigned to the Application.

For example:

  • Jenkins

  • Github action

  • Github webhooks

  • Checkmarx One webscan

  • CLI

  • Webapp

    Results_by_scan_origin.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Results by Technologies

Displays the aggregated number of vulnerabilities found per technology from all the Projects assigned to the Application.

The technologies include:

  • Languages

  • Platforms

  • Packages

Multiple versions of the same item are aggregated under a single entry, which is flagged with the number of versions.

The tooltip lists the individual versions. Vulnerabilities flagged with the Not Exploitable state are not counted.

Results_by_Technologies.png

Note

Vulnerabilities labeled Not Exploitable are not counted.

Understanding Fusion Insights

An average cloud-native application can have hundreds or even thousands of different components. Any of those can have a number of vulnerabilities that present an expanding attack surface. Instead of merely aggregating scan results, Checkmarx One provides advanced correlation of results from static code scans. This allows development teams to focus on solving the most critical items by prioritizing vulnerabilities according to their real risk and potential.

The Fusion Insights section in application details provides a visual and textual representation of both micro-services and cloud resources together with the relationships between them. The feature currently supports microservices written in the Java or C# programming languages and cloud resources based on Terraform over AWS and CloudFormation frameworks.

The visual representation, referred to as the Topology view (default), shows an intuitive and interactive graph where each node represents a microservice or a consumed cloud resource.

The textual representation, referred to as the Table view, is the inventory of all microservices and cloud resources.

To switch between the views, hover over the View field in Fusion Insights and select the required option.

137396_hpr.png

Prerequisites

Prerequisites for Fusion include the following:

  • The customer has purchased a license for the Checkmarx One Professional Package

  • One or more projects are associated with an application

  • A full SAST and/or IaC Security scan has completed successfully in Checkmarx One

Supported Languages and Frameworks

  • In SAST: Java, C#

  • In IaC Security: Terraform/AWS, CloudFormation

Topology view

The graph in the Topology view shows microservices and cloud resources scanned respectively by SAST and IaC Security and the relationships between them.

Fusion_Topology.png

Microservices based on projects scanned by SAST are labeled with the JAVA (1) or C# icon. Nodes for cloud resources scanned by IaC Security are labeled with the icon of the cloud resource type, such as an S3 bucket (2).

Connecting lines denote the actions performed on respective entities and the arrows show the action’s direction:

  • solid line (3) means that the operation on the target entity is Write

  • dotted line (4) means that the operation on the target entity is Read

Red lines (5) are high-priority connections that pose high contextual risk and potentially present the most critical SAST threats whose remediation must be the first priority. The red shield icon in the middle of a red line displays the number of SAST related vulnerabilities whose combination with the respective cloud resource vulnerability creates a high contextual risk. Clicking on a shield opens the respective vulnerabilities in the SAST Results viewer.

The eye icon above a node (6) labels publicly accessible resources.

For your convenience, there is a legend at the bottom of the screen explaining the meaning of connecting lines and the Public Access icon.

Clicking on a microservice opens a popup with the summary of the associated scan results split by priority.

137397_hpr.png

Clicking on the icon in the upper right corner of the popup (highlighted in the screenshot above) opens a side panel with detailed information on the scan results obtained by the various scanners and on all cloud resource connections. The attributes provided by an IaC Security scan (such as write) are also shown in this panel. In addition, clicking on a Results bar inside the popup (SAST or SCA) opens the Checkmarx One Results Viewer in a new browser tab.

The timestamp of the latest correlation appears in the upper right corner (9). Correlation is performed automatically upon each scan completion, but you can invoke it manually when necessary by clicking the Correlate icon (10).

Clicking and holding a node allows you to move it across the graph at your convenience without disrupting the connections.

You can zoom in and out of the Fusion Insights graph by doing one of the following:

  • Use the + and - buttons to the right of the graph (8)

  • Use your mouse wheel.

To fit the graph to layout size, click Reset (7).

Table view

The Table view presents the BOM (Bill of Materials) of all microservices and cloud resources in separate tabs. The total number of entities in the grid appears in parentheses next to the Bill of Materials heading. In the screenshots below, the total number is 11 (3 microservices and 8 cloud resources).

Microservices tab

The grid in the Microservices tab shows all microservices grouped by the programming language (Java or C#).

137398_hpr.png

The following information is presented for each microservice:

  • Microservice Repository - The name of the repository where the microservice resides

  • Connected Cloud Resource Type - The type of a cloud resource connected to the microservice

  • Connected Cloud Resource Name - The name of a cloud resource connected to the microservice

  • Microservice Operation - The action that the microservice performs on the cloud resource: Read or Write

To quickly find a specific microservice, use the Search field.

Notice

The search works only in the currently expanded group.

To filter the grid content by a specific language or cloud resource type, click Add Filter and make the required selection. Multiple filters are also allowed.

To change the number of rows on each page, click on the Rows drop-down list and make the required selection.

Cloud Resources

The grid in the Cloud Resources tab shows all cloud resources grouped by the resource type.

137399_hpr.png

The following information is presented for each cloud resource:

  • File - The name of the cloud resource IaC file. To see a full path to a file, hover over its name

  • Resource Name - The name of the cloud resource.

  • Category - The cloud resource category, such as Compute, Storage, Queues, etc.

  • Access - Shows whether the cloud resource is configured as publicly or privately accessible.

  • Encryption - Shows whether the cloud resource is encrypted or unencrypted.

  • Shared - Shows whether the cloud resource is used by one (No) or multiple (Yes) microservices.

  • Consumers - The microservices which consume the cloud resource.

To quickly find a specific cloud resource, use the Search field.

Notice

The search works only in the currently expanded group.

To filter the grid content by resource type, access permission or category, click Add Filter and make the required selection. Multiple filters are also allowed.

To change the number of rows on each page, click on the Rows drop-down list and make the required selection.

Exporting a BOM

You can export a BOM to a JSON or CSV file and then manipulate it in an external tool.

To export the currently opened BOM, click the Export icon (highlighted in the screenshot below).

137400_hpr.png

In the popup that appears do the following:

  1. Determine the scope of the exported data by clicking inside the Select Report Sections field and selecting the required option: All Data, Microservices or Cloud Resources. The selected option appears as a tag.

  2. Select the JSON or CSV format.

  3. If one or multiple filters are currently applied, select the Export filtered data option to export only the data shown in the grid. To ignore the filters and export the entire data, deselect Export filtered data.

  4. Click Export.
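Once exported, the BOM can be triaged offline, for example to rank cloud resources by the risk signals the Cloud Resources grid already exposes (public access, missing encryption, sharing) combined with which microservices write to them. The script below is an added example, not part of this documentation or of Checkmarx One: it assumes a CSV export whose headers match the grid columns described above (with Consumers separated by ';'), uses constructed sample rows, and applies its own scoring weights rather than the product's correlation logic.

```python
import csv
import io

# Constructed sample export shaped like this page's Cloud Resources grid (assumed layout).
CLOUD_RESOURCES_CSV = """File,Resource Name,Category,Access,Encryption,Shared,Consumers
s3.tf,orders-bucket,Storage,Public,Unencrypted,Yes,orders-svc;billing-svc
sqs.tf,orders-queue,Queues,Private,Encrypted,No,orders-svc
rds.tf,customer-db,Storage,Private,Unencrypted,Yes,billing-svc;crm-svc
"""

# Constructed sample export shaped like this page's Microservices grid (assumed layout).
MICROSERVICES_CSV = """Microservice Repository,Connected Cloud Resource Type,Connected Cloud Resource Name,Microservice Operation
orders-svc,S3 bucket,orders-bucket,Write
billing-svc,S3 bucket,orders-bucket,Read
orders-svc,SQS queue,orders-queue,Write
billing-svc,RDS instance,customer-db,Write
crm-svc,RDS instance,customer-db,Read
"""

def load(csv_text):
    """Parse one exported CSV section into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def writers_by_resource(micro_csv):
    """Map each cloud resource name to the microservices whose operation on it is Write."""
    writers = {}
    for row in load(micro_csv):
        if row["Microservice Operation"] == "Write":
            writers.setdefault(row["Connected Cloud Resource Name"], []).append(row["Microservice Repository"])
    return writers

def triage(cloud_csv, micro_csv):
    """Rank cloud resources by a simple contextual-risk score (this example's own heuristic,
    not the product's correlation): +3 public, +2 unencrypted, +1 shared, +1 per writer."""
    writers = writers_by_resource(micro_csv)
    findings = []
    for res in load(cloud_csv):
        name, score, reasons = res["Resource Name"], 0, []
        if res["Access"] == "Public":
            score, reasons = score + 3, reasons + ["public access"]
        if res["Encryption"] == "Unencrypted":
            score, reasons = score + 2, reasons + ["unencrypted"]
        if res["Shared"] == "Yes":
            score, reasons = score + 1, reasons + ["shared by several microservices"]
        for svc in writers.get(name, []):  # a writer can taint what other consumers read
            score, reasons = score + 1, reasons + [f"written by {svc}"]
        findings.append({"resource": name, "score": score, "reasons": reasons})
    # Highest risk first; ties broken by name so the ordering is stable.
    return sorted(findings, key=lambda f: (-f["score"], f["resource"]))
```

Calling `triage(CLOUD_RESOURCES_CSV, MICROSERVICES_CSV)` on the sample data puts the public, unencrypted, shared orders-bucket first; to use it on a real export, replace the two constants with the file contents and adjust the header names if they differ.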