SAST Results Viewer
The SAST Results Viewer helps you identify, inspect, and triage the vulnerabilities found in SAST-scanned projects. It has two main parts: the Vulnerabilities Table, which lists every result, and the Code Viewer, which shows the code flow behind a selected result.
Understanding the Vulnerabilities Table
The Vulnerabilities Table lists the vulnerabilities found during a project's SAST scan, one result per row, with the result's details organized into columns (described in the table below). The table can be filtered, sorted, and grouped to suit your workflow, and you can attach notes to individual results for your own records or for collaboration with colleagues. The table is searchable and can be exported as a .csv file for sharing or further analysis in a spreadsheet.
The table below details the columns in the vulnerabilities table.
Parameter | Description |
---|---|
Severity | The severity of the vulnerability: Critical, High, Medium, Low, or Info (see the score breakdown under Triaging SAST Results below). |
Status | Status of the vulnerability:<br>New - The vulnerability was detected for the first time in the current scan.<br>Recurrent - The vulnerability has been detected at least once before. |
Detection Date | This value differs between the UI and the CSV export. In the UI it is the date the vulnerability was first identified; in the CSV export it is the most recent date the vulnerability was flagged. Keep this in mind when computing how long a result has been open from an exported file. |
State | To Verify - The vulnerability requires verification, for example by an authorized user. This is the default state of a new result.<br>Not Exploitable - The vulnerability has been confirmed as not exploitable (false positive).<br>Proposed Not Exploitable (PNE) - The vulnerability has been proposed as not exploitable, for example as a potential false positive. Such vulnerabilities remain a potential threat until their state is changed to Confirmed or Not Exploitable.<br>Confirmed - The vulnerability has been confirmed as exploitable and requires handling.<br>Urgent - The vulnerability has been confirmed as exploitable and requires urgent handling. |
Source Node | The first node (input) of the vulnerable sequence. |
Source File | The file in which the source node is located. |
Sink Node | The last node (output) of the vulnerable sequence. Note: for a single-node vulnerability, the sink node is identical to the source node. |
Sink File | The file in which the sink node is located. |
Changes Made in | If the source code, query, or scanner changed between the previous and the current scan, this column shows where the change was made. Hover over a result in this column and click the icon to view the change. |
Customizing Your Table View
Note
Refreshing a page will reset any results, groupings, or filtering changes.
Using the Groups and Filters Bar
In the Groups & Filters bar above the vulnerability table, use groups to organize results by one of their details so that similar vulnerabilities are easier to find.
You can assign up to three group levels, which can be edited by clicking Edit Groups. As in the example image below, if a table has the default groups Language, Severity, and Vulnerability, it will first display the vulnerability's language (Java) as a dropdown, then the severity (High), and lastly, the vulnerability's category (Code Injection).
You can reorder groups by dragging their labels, which changes the order of the results on the table. To remove a group, click the x on its label or Clear All to remove all the groups.
At the end of the Groups & Filters bar, you can search the table, toggle column filtering, or export your table results view as a .csv file for sharing.
When a scan result is checked, the Groups & Filters bar shows the number of selected results and displays different options, such as changing a result's Severity level or State. You may also Add Notes or view the code in detail with the View Code option.
Filtering and Sorting the Vulnerability Table
Filter your table view further by focusing on a vulnerability detail category. Before filtering the columns, adjust the table Rows view to your liking. The vulnerability table's default setting displays 10 rows of results per page, as indicated in the Rows dropdown. Select the dropdown to toggle the view to 20 or 50 rows.
Hover over a column header, click the filtering icon, and select your filter(s) from the dropdown list or search. Applied filters are listed in the Groups & Filters bar.
Hover over a column header and click the sorting icon to toggle between sorting in ascending or descending order.
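The grouping, sorting, and export features above are UI operations, but the same organization is often needed on the exported .csv file, for example to feed results into a ticketing system. The following is an added example, not code from the Checkmarx One product or its documentation: it parses a constructed export whose column headers mirror the Vulnerabilities Table columns plus the default group fields (the exact header names of a real export are an assumption and may need adjusting), drops results already marked Not Exploitable, sorts by severity, and rebuilds the three-level Language / Severity / Vulnerability grouping. It also parses Detection Date with the CSV caveat from the column table in mind.

```python
import csv
import io
from datetime import date

# Constructed sample of a SAST results export. The column names mirror the
# Vulnerabilities Table columns described on this page plus the two default
# group fields (Language, Vulnerability). The header names of a real export
# are an assumption: adjust the constants below to match your file.
SAMPLE_CSV = """\
Language,Severity,Vulnerability,Status,State,Detection Date,Source Node,Source File,Sink Node,Sink File
Java,High,Code Injection,New,To Verify,2024-05-02,name,src/Login.java,exec,src/Shell.java
Java,High,SQL Injection,Recurrent,Confirmed,2024-05-02,id,src/User.java,executeQuery,src/Dao.java
Java,High,SQL Injection,Recurrent,Not Exploitable,2024-05-02,q,src/Report.java,executeQuery,src/Dao.java
JavaScript,Medium,DOM XSS,New,To Verify,2024-05-02,location.hash,web/app.js,innerHTML,web/app.js
Java,Critical,Code Injection,Recurrent,Urgent,2024-05-02,cmd,src/Admin.java,exec,src/Shell.java
"""

GROUP_COLUMNS = ("Language", "Severity", "Vulnerability")   # the default three group levels
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
CLOSED_STATES = {"Not Exploitable"}   # results the team has already dismissed


def parse_export(text):
    """Read the CSV text into a list of dict rows keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def detection_date(row):
    """Parse Detection Date. Caveat from the column table: in the CSV export this
    is the most recent date the result was flagged, not the first sighting the
    UI shows, so it must not be used as an 'open since' timestamp."""
    return date.fromisoformat(row["Detection Date"])


def actionable(rows):
    """Drop results whose State means no further work is needed."""
    return [r for r in rows if r["State"] not in CLOSED_STATES]


def sort_by_severity(rows):
    """Critical first, then High, ... with a stable secondary key on Sink File."""
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r["Severity"]], r["Sink File"]))


def group_results(rows, columns=GROUP_COLUMNS):
    """Nest rows under each group column in turn; the innermost level holds counts.
    With the default columns: {language: {severity: {vulnerability: count}}}."""
    tree = {}
    for r in rows:
        node = tree
        for col in columns[:-1]:
            node = node.setdefault(r[col], {})
        leaf = r[columns[-1]]
        node[leaf] = node.get(leaf, 0) + 1
    return tree


def summarize(text):
    """Export text -> nested counts of still-actionable results, as the UI groups them."""
    return group_results(actionable(parse_export(text)))


if __name__ == "__main__":
    for row in sort_by_severity(actionable(parse_export(SAMPLE_CSV))):
        print(row["Severity"], row["Vulnerability"], row["Source File"], "->", row["Sink File"])
    print(summarize(SAMPLE_CSV))
```

Passing a different tuple of column names to group_results reproduces any grouping you can set with Edit Groups, and the Not Exploitable filter is the programmatic equivalent of filtering the State column in the UI.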
Inspecting a Vulnerability Result
Once your vulnerability table is customized to your liking, you can inspect a vulnerability's code and explore the best way to remediate it.
There are two ways to view a vulnerability's code, leading to different views.
The first way is to click a vulnerability's row, which adds it as a tab at the top of the results view. You can open and keep multiple result tabs; switch between them by clicking their tabs, or hover over a tab and click the x to close it. Selecting a result tab opens its View Code panel.
The second way is to mark the vulnerability's checkbox and click View Code. This lets you mark several vulnerabilities at once and open them all in a single panel.


(L) Single-tab vulnerability view code panel; (R) Multiple vulnerabilities view code panel
Use the following table to compare features between the different views and decide which better suits your needs:
Feature | Single Vulnerability View Code | Multiple Vulnerability View Code |
---|---|---|
Risk Description | ✓ | X |
Notes | ✓ | ✓ |
Changelog | ✓ | X |
Attack Vector | ✓ | ✓ |
Best Fix Location (BFL) | ✓ | ✓ |
Viewing the Code
When opened in a new tab, the View Code risk panel includes the Risk (vulnerability name), attack vector, Best Fix Location (BFL), a Description of the vulnerability, Notes, and a Changelog. In the Description, clicking on View More will expand the description and open it in a new side panel, while clicking Learn More at Codebashing will redirect you to learn more about the vulnerability in Codebashing (where relevant).


(L) Expanded description of an SQL Injection vulnerability; (R) SQL Injection course in Codebashing
The Changelog records the history of changes made to the result. The attack vector (vulnerability flow) shows the code path from the source node to the sink node, and the Best Fix Location is the point in that flow where a fix remediates the vulnerability; it is highlighted and focused by default when the View Code risk panel opens. You can search within the code or zoom in using the icons in the upper-right corner. On the ribbon you can change the result's Severity or State, or Add Note. Remember to click Save when done.
When viewing the code after results are marked or multi-selected, the View Code risk panel is similar to the above, except it doesn't display a description of the risk or the changelog.
By marking a risk's checkbox, you can adjust its Severity or Result State, or Add Note. Marking a checkbox replaces the attack vector with the same ribbon described above. Remember to click Save when done.
Triaging SAST Results
Each risk instance in your project is assigned a risk state. When a new risk is identified, its initial state is set to To Verify, meaning it hasn't been assessed by your AppSec team yet. The severity of the risk is primarily based on the CVSS score of the vulnerability. Your AppSec team can then update the risk state to one of the following options:
Not Exploitable - Select this state if your team has determined that this risk doesn’t threaten your application (and isn’t expected to cause a risk at any time in the future).
Proposed Not Exploitable - Select this state if your team has tentatively suggested that this risk doesn’t threaten your application.
Confirmed - Select this state if your team has confirmed that this risk poses a threat and requires mitigation.
Urgent - Select this state if your team has determined that this risk poses an imminent threat and requires urgent mitigation.
When changing the Result State to Not Exploitable or Proposed Not Exploitable, a note is required to confirm the change. A change log at the bottom tracks all past changes for a single result. When multiple results are updated, the Edit title includes the number of selected results, and hovering over the State dropdown displays them.
Notice
You need update-result-not-exploitable, update-result-state-propose-not-exploitable, and add-notes permissions to use this feature.
Important
Known limitation: this functionality is not enforced via plugins; it will be added later.


Based on your AppSec team's determination, the score can be adjusted to any value between 0.0 and 10.0, with the following severity breakdown:
Critical - 9.0 to 10.0
High - 7.0 to 8.9
Medium - 4.0 to 6.9
Low - 0.1 to 3.9
Info - 0.0
Note
Users with permissions such as Update-result-severity or Update-result-severity-if-in-group can change the risk severity or score.
There are three ways to triage the results:
From the Table View: Click a result's row to open it in a new tab. Change the severity or state using the Edit dropdown and click Save.
Using Checkboxes: Select one or more results by checking their boxes. Then, use the Edit dropdown above the table to change their severity or state and click Save.
Through the View Code Tab: Select one or multiple results in the View Code tab, adjust the severity or state using the Edit dropdown, and click Save.
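The triage rules above (To Verify as the initial state, a mandatory note for Not Exploitable and Proposed Not Exploitable, the permissions from the Notice, the score-to-severity bands, and a changelog per result) are enforced by the UI. The following is an added example, not Checkmarx code, that models those rules locally so a team can validate a proposed bulk triage before applying it in the product. The permission names are the ones listed on this page; the page names no permission for Confirmed or Urgent, so those changes are left ungated here, which is an assumption. The Result class and TriageError are illustrative and not part of any Checkmarx API.

```python
from dataclasses import dataclass, field

# Result states and the rules attached to them, as described on this page.
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent")
NOTE_REQUIRED = {"Not Exploitable", "Proposed Not Exploitable"}
# Permission names are the ones listed in the Notice above. The page names no
# permission for Confirmed/Urgent, so those are left ungated here (assumption).
STATE_PERMISSION = {
    "Not Exploitable": "update-result-not-exploitable",
    "Proposed Not Exploitable": "update-result-state-propose-not-exploitable",
}
SEVERITY_PERMISSIONS = {"update-result-severity", "update-result-severity-if-in-group"}


class TriageError(Exception):
    """Raised when a change violates a rule instead of silently applying it."""


@dataclass
class Result:
    """Illustrative local model of one result; not a Checkmarx API object."""
    result_id: str
    state: str = "To Verify"          # initial state of every new result
    score: float = 0.0
    notes: list = field(default_factory=list)
    changelog: list = field(default_factory=list)   # (field, old, new, note)


def severity_from_score(score):
    """Map an adjusted 0.0-10.0 score to the severity bands listed above."""
    if not 0.0 <= score <= 10.0:
        raise TriageError(f"score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def check_state_change(result, new_state, permissions, note):
    """Validate without applying, so bulk edits can be all-or-nothing."""
    if new_state not in STATES:
        raise TriageError(f"unknown state: {new_state}")
    needed = STATE_PERMISSION.get(new_state)
    if needed and needed not in permissions:
        raise TriageError(f"missing permission {needed} for {result.result_id}")
    if new_state in NOTE_REQUIRED:
        if not note:
            raise TriageError(f"a note is required to set {new_state} on {result.result_id}")
        if "add-notes" not in permissions:
            raise TriageError("missing permission add-notes")


def set_state(results, new_state, permissions, note=None):
    """Apply one state change to one or many results, as the Edit dropdown does.
    Every result is validated first; if any fails, none is changed."""
    for r in results:
        check_state_change(r, new_state, permissions, note)
    for r in results:
        r.changelog.append(("state", r.state, new_state, note))
        if note:
            r.notes.append(note)
        r.state = new_state
    return results


def set_score(result, score, permissions):
    """Adjust the score; the severity then follows from the bands above."""
    if not set(permissions) & SEVERITY_PERMISSIONS:
        raise TriageError("missing a severity-update permission")
    old = result.score
    result.score = score
    result.changelog.append(("score", old, score, None))
    return severity_from_score(score)


if __name__ == "__main__":
    team = {"update-result-not-exploitable", "add-notes", "update-result-severity"}
    r = Result("sqli-001", score=8.1)
    print(severity_from_score(r.score))
    set_state([r], "Not Exploitable", team, note="Query parameters are integers checked upstream")
    print(r.state, r.changelog)
```

The all-or-nothing check in set_state mirrors what a reviewer wants from a multi-select edit: a missing note or permission should reject the whole batch rather than leave some results changed and others not.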
Adding Notes
Use notes to document your work on a vulnerability or to share context with colleagues. Clicking Add Note opens the note panel, where you can see the highlighted risk, add a new note, or read previous notes. Make sure to click Save Note before exiting.
Hover over the Add Note icon to see a vulnerability's latest notes and its note count. Notes are written for one result at a time and are visible to other users. Previous notes are shown one at a time; to delete one, hover over it and select Delete.