
API Security Results

The API Security Results page contains a list of the detected risks, the Risks table, which can be sorted by any of the parameters listed below. Additional information on these parameters is available under Viewing the Scanners Tab (API Security).

  • Severity.png Severity

  • Risk Name

  • Status

  • Endpoint Path

  • Method

  • Data Origin

  • Risk Discovered

Risks Table

The table illustrated below lists all the API security risks detected during the recent scans of the project.

To view the Risks table from the Project Preview:

  1. Under Projects and Applications, in the Projects list, click anywhere in the row of the desired project. The Project Preview appears.

    Project_Preview_APISEC.png
  2. In the Project Preview, click Results_button_white.png for the desired scanner, in this case API Security. The Risks table appears as illustrated below.

To view the Risks table from the Project Overview:

  1. Open the Project Overview, for example by clicking Overview_button_white.png in the Project Preview.

    Project_Overview_View_Results.png
  2. In the Project Overview, click View_Results.png. The Risks table appears with the scan results. The example below shows the same results that are illustrated on the Viewing the Scanners Tab (API Security) page.

    Risks_Table.png

Viewing Scan Results in Detail

This section explains how to view the scan results and what they contain. For every detected risk, the risk itself (for example a Privacy Violation) and a list of the sensitive data parameters that appear in the code are displayed. Sensitive data is a set of parameters in various categories that Checkmarx has defined as sensitive.

Notice

The list of sensitive data is not derived from the detected vulnerabilities. It simply gives you an overview of which data handled by the API would be exposed if a risk is exploited.

To display the details of the detected risk and a list of sensitive data in the code:

  1. Click the row of the respective risk, for example Medium_Severity.png Privacy Violation. The Details and Parameters widgets appear with information on the detected risk and the sensitive parameters in the code.

    Risk__Privacy_Violation.png
  2. Click anywhere inside the Details and Parameters widgets. Further information on the risk, and a list of the sensitive data in the code with its location, appear.

    Risk__Privacy_Violation_Details.png

    To get more information, refer to the next sections on this page.

To view the details on the detected risk:

  • Click anywhere in the Details widget to view additional information on the detected risk. The table below lists the fields that describe the risk and where it is located. The risk in this example is a Privacy Violation.

    Details.png

    Parameter / Value / Description

    Source File
      Value: /src/main/java/com/sanity/scan/controller/UserController.java(line:30)
      Description: The path and file name of the file containing the Privacy Violation, with the line number.

    Status
      Value: New, or Recurrent - the vulnerability has been detected at least once before.
      Description: The status of the Privacy Violation.

    Source Node
      Value: The first node (input) of the vulnerable sequence.
      Description: The beginning of the attack vector.

To view all the SAST scan results around the detected risk:

  1. In the Details widget, click View_SAST_Results.png. A list of SAST vulnerabilities appears. In this example, 7 Java vulnerabilities have been detected.

    Privacy_Violation__View_SAST_Results__collapsed.png
  2. Expand the list by clicking Java_vulnerabilities_compressed.png.

    Privacy_Violation__View_SAST_Results.png
  3. Expand a vulnerability. The vulnerability appears listed with additional information.

    Privacy_Violation_Password__Additional_Details.png

    Parameter

    Description

    Severity_light.png (Severity)

    Severity of the vulnerability:

    High_Severity.png High

    Medium_Severity.png Medium

    Low_Severity.png Low

    Status

    Status of the vulnerability:

    New

    Recurrent - The vulnerability has been detected at least once before.

    State

    To Verify - The vulnerability requires verification, for example by an authorized user.

    Confirmed - The vulnerability has been confirmed as exploitable and must be handled.

    Source Node

    The first node (input) of the vulnerable sequence.

    Source File

    The file in which the source node is located.

    Sink Node

    The last node (output) of the vulnerable sequence.

    Note

    For vulnerabilities that affect a single node, the sink node is identical to the source node.

    Sink File

    The file in which the sink node is located.

    ID

    To read the vulnerability ID, hover over Copy.png.

    To copy the ID into the clipboard, click on Copy.png.

  4. Expand a vulnerability and click inside the line that details it. A table with further information on that vulnerability appears and the exact location in the code is displayed.

    Privacy_Violation_Password.png

    In addition, a short description of the vulnerability is provided. For a more detailed explanation, click Read More. A more detailed description opens in a new tab of your browser.
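    The Source Node and Sink Node fields above are easiest to understand against code. The following Java snippet is an added illustration, not code from the sanity project shown in the screenshots or from Checkmarx: a hypothetical login handler in which a password parameter (the source) flows into a log statement (the sink), which is the shape of finding a Privacy Violation rule reports, followed by a hardened version in which no source-to-sink path remains. The class, method and field names are assumptions.

```java
// Added illustration, not code from the scanned "sanity" project or from Checkmarx.
// It shows what the Source Node and Sink Node of a Privacy Violation finding
// typically map to in code: a sensitive input (the source) that flows unchanged
// into an output such as a log line (the sink). All names here are hypothetical.
import java.util.function.BiPredicate;
import java.util.logging.Logger;

public class PrivacyViolationExample {
    private static final Logger LOG = Logger.getLogger(PrivacyViolationExample.class.getName());

    // The authentication backend is injected so the class itself carries no credentials.
    private final BiPredicate<String, String> authenticator;

    public PrivacyViolationExample(BiPredicate<String, String> authenticator) {
        this.authenticator = authenticator;
    }

    // Request payload. The "password" field is the kind of parameter a scanner
    // classifies as sensitive data in the Parameters widget.
    public static final class LoginRequest {
        public final String username;
        public final String password;

        public LoginRequest(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // VULNERABLE: the Source Node is the "password" value entering this method and
    // the Sink Node is the Logger call that writes it out. The path between them is
    // the attack vector the Details widget reports; after this call the log file is
    // a second place the secret lives and has to be protected.
    public String loginLoggingPassword(LoginRequest req) {
        LOG.info("login attempt user=" + req.username + " password=" + req.password); // sink
        return authenticator.test(req.username, req.password) ? "ok" : "denied";
    }

    // HARDENED: the secret is used for the check but never reaches a logging or
    // response sink, so there is no source-to-sink path left to report. Only the
    // non-sensitive field is logged.
    public String loginHardened(LoginRequest req) {
        LOG.info("login attempt user=" + req.username);
        return authenticator.test(req.username, req.password) ? "ok" : "denied";
    }

    public static void main(String[] args) {
        // Constructed sample backend: a single in-memory account for the demonstration.
        PrivacyViolationExample controller =
                new PrivacyViolationExample((u, p) -> "alice".equals(u) && "correct-horse".equals(p));
        LoginRequest req = new LoginRequest("alice", "correct-horse");
        System.out.println("vulnerable: " + controller.loginLoggingPassword(req)); // log line contains the password
        System.out.println("hardened:   " + controller.loginHardened(req));        // log line contains the username only
    }
}
```

    Running the class prints "ok" for both handlers; the difference is only visible in the log output, which is exactly why a scanner tracks the flow from input to output rather than the return value. A response body that echoes the field back to the client is another common sink for the same rule, which is what the Request and Response parameter lists further down this page help you spot.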

To view a list of the sensitive data parameters in the code:

  1. Click anywhere in the Parameters widget. All the sensitive data in the code appears listed with its location.

    Parameters.png
  2. Under Parameters, click View_All_Parameters.png. The sensitive data parameters appear in the three lists outlined in the table below.

    Interface / Description

    View_All_Parameters__Warnings.png
      List of all sensitive parameters in the API, with warnings. This list is identical to the list of sensitive data parameters above.

    View_All_Parameters__Request.png
      List of all parameters in the request to the API. The sensitive parameters are labeled Sensitive.png.

    View_All_Parameters__Response.png
      List of all parameters in the response from the API. The sensitive parameters are labeled Sensitive.png.