- Checkmarx Documentation
- Checkmarx One
- Checkmarx One User Guide
- Viewing Scan Results
- Viewing and Managing SAST Results
Viewing and Managing SAST Results
The SAST Result Viewer helps identify and manage vulnerabilities in SAST-scanned projects and code, providing a comprehensive overview with its Vulnerabilities Table and Code Viewer.
Understanding the Vulnerabilities Table
The Vulnerabilities Table is a great tool for understanding the vulnerabilities found during a project's SAST scan. It organizes the vulnerability details into columns. For more details on the vulnerability table columns, see here. The table is customizable and can be filtered, sorted, and organized to best suit your needs. You may also add notes to specific vulnerabilities for yourself and for collaboration with colleagues. The table is searchable and can be exported as a .csv file for easy sharing or manipulation in an Excel worksheet.
The table below details the columns in the vulnerabilities table.
Parameter | Description |
---|---|
Severity | The severity of the vulnerability: Critical High Medium Low Info |
Status | Status of the vulnerability: New Recurrent - The vulnerability has been detected at least once before. |
Detection Date | The Detection Date value varies between the UI and a CSV report. In the UI, it represents the initial vulnerability identification, whereas in the CSV report, it represents the most recent date the vulnerability was flagged. |
State | To Verify - Vulnerability requires verification, for example, by an authorized user. Not Exploitable - Vulnerability has been confirmed as not exploitable (false positive). Proposed Not Exploitable (PNE) - A vulnerability proposed as not exploitable, for example, as a potential false positive. These vulnerabilities are a potential threat until their state is changed to Confirmed or Not Exploitable. Confirmed - Vulnerability has been confirmed as exploitable and requires handling. Urgent - Vulnerability has been confirmed as exploitable and requires urgent handling. |
Source Node | The first node (input) of the vulnerable sequence. |
Source File | The file in which the source node is located. |
Sink Node | The last node (output) of the vulnerable sequence. NoteThe sink node is identical to the source node for a single node's vulnerabilities. |
Sink File | The file in which the sink node is located. |
Changes Made in | If the Source code, Query, or Scanner changed between the previous and the current scan, this column shows where the change was made. Hover over a result in this column and click on to copy its vulnerability ID into the clipboard. You may send this ID to colleagues to collaborate on the vulnerability. |
Customizing Your Table View
Note
Refreshing a page will reset any results, groupings, or filtering changes.
Using the Groups and Filters Bar
In the Groups & Filters bar above the vulnerability table, use groups to organize your data based on a vulnerability's detail and find similar vulnerabilities quicker.
You can assign up to three group levels, which can be edited by clicking Edit Groups. As in the example image below, if a table has the default groups Language, Severity, and Vulnerability, it will first display the vulnerability's language (Java) as a dropdown, then the severity (High), and lastly, the vulnerability's category (Code Injection).
You can reorder groups by dragging their labels, which changes the order of the results on the table. To remove a group, click the x on its label or Clear All to remove all the groups.
At the end of the Groups & Filters bar, you can search the table, toggle column filtering, or export your table results view as a .csv file for sharing.
When a scan result is checked, the Groups & Filters bar shows the number of selected results and displays different options, such as changing a result's Severity level or State. You may also Add Notes or view the code in detail with the View Code option.
Filtering and Sorting the Vulnerability Table
Filter your table view further by focusing on a vulnerability detail category. Before filtering the columns, adjust the table Rows view to your liking. The vulnerability table's default setting displays 10 rows of results per page, as indicated in the Rows dropdown. Select the dropdown to toggle the view to 20 or 50 rows.
Hover over a column header, click the filtering icon , and select your filter(s) from the dropdown list or search. Applied filters are listed in the Groups & Filters bar.
Hover over a column header and click the sorting icon to toggle between sorting in ascending or descending order.
Inspecting a Vulnerability Result
Once your vulnerability table is customized to your liking, you can inspect a vulnerability's code and explore the best way to remediate it.
There are two ways to view a vulnerability's code, leading to different views.
The first way, is to select a vulnerability by clicking on its row to add it as a tab to the top of the results view. You can open and maintain multiple results views. Toggle between them by clicking on their tabs or hovering over one and clicking the x to close it. Selecting a result tab opens its View Code panel.
The second method to view a vulnerability's code is to mark its checkbox and click View Code. This method allows you to mark and open multiple vulnerabilities simultaneously while displaying them all in one panel.
(L) Single-tab vulnerability view code panel; (R) Multiple vulnerabilities view code panel
Use the following table to compare features between the different views and decide which better suits your needs:
Feature | Single Vulnerability View Code | Multiple Vulnerability View Code |
---|---|---|
Risk Description | ✓ | X |
Notes | ✓ | ✓ |
Changelog | ✓ | X |
Attack Vector | ✓ | ✓ |
Best Fix Location (BFL) | ✓ | ✓ |
Viewing the Code
When opened in a new tab, the View Code risk panel includes the Risk (vulnerability name), attack vector, Best Fix Location (BFL), a Description of the vulnerability, Notes, and a Changelog. The Changelog details the history of your changes to the vulnerability. The attack vector (vulnerability flow) shows you the code that leads to the vulnerability, and the BFL is the code - when remediated - which fixes it. The BFL is highlighted and focused by default when opening the View Code risk panel. You can search within the code or zoom in with the icons in the upper-right corner. Note, on the ribbon, you may change the Severity, State, or Add Note to the result. Remember to click Save when done.
When viewing the code after results are marked or multi-selected, the View Code risk panel is similar to the above, except it doesn't display a description of the risk or the changelog.
By marking a risk's checkbox, you can adjust its Severity, Result State, or Add Note. Marking a risk's checkbox replaces the attack vector with the same ribbon mentioned above. Remember to click Save when done.
Adding Notes
Use notes to document your work with a vulnerability or improve collaboration by sharing it with colleagues. Clicking Add Note opens the note panel, where you can view the highlighted risk, add a new note, or view previous notes. Make sure to click Save Note before exiting.
Hover over the Add Note icon to view the latest notes and the number of notes of a vulnerability. Notes are only available for one result at a time and are viewable by multiple users. Previous notes are only visible one at a time and may be deleted by hovering over them and selecting Delete.