Project
This template allows us to analyze the findings, the density, and the trends of a specific project within a configurable timeframe.
Permissions
To be able to generate the Project report, the user must be associated with an Access Control role that has the generate-project-report permission. Since this permission is not included in any of the default Access Control roles, you must create a new role or edit an existing role, to include the new permission.
KPIs
Data Information
The Data Information card shows details related to the scanned project, such as the total number of scans executed, the total number of lines of code scanned, the scan time average, and the last data retention execution date.
Filtered By
In this card you can see which filters were applied when generating the report:
Included: Data included in the report. All data available in the report is filtered according to the specified included filters.
Excluded: Data filtered out from the report.
Specific filters can be applied when generating the project template to restrict and refine the data and the results to analyze.
The following filters can be defined when generating the template:
Severity: By default, Low and Informative results are excluded.
Allowed values to be excluded from the report are: Critical, High, Medium, Low, and Information.
Result State: By default, all Result States are included.
Allowed values to exclude are: To Verify, Confirmed, Urgent, Proposed Not Exploitable, and Not Exploitable.
Status: By default, only New and Recurrent are included.
Allowed values to exclude are: New, Recurrent, and Resolved.
What happens when Resolved results are included?
The Resolved Results section is displayed in the report.
All other KPI calculations (out of Resolved Results section) are not affected by the resolved results.
What happens when Resolved results are excluded?
The Resolved Results section is not displayed in the report.
Timeframe: Defines the date range in the analysis and it is composed of a starting date and an ending date. The maximum allowed period to be defined is 1 year. In case the timeframe is not defined:
The Timeframe used is the project lifetime.
If the project lifetime extends over 1 year, the timeframe starts from the year prior to the last scan date.
Data Points: allowed values are last or first. The default value is last.
last: means that the last scan is considered.
first: means the first scan is considered.
Example: Timeframe is for analysis is 1 week and the data point is first.
Each day of the week is considered as a data point.
In case there are several full scans on the same day, the results for that day will be represented according to the first scan of the day.
Total Results Overview
The Total Results Overview provides trend analysis over time.
The Density cards are calculated based on the last full scan executed for the project within the timeframe under analysis.
The labels for Data Retention, Preset Change, and Query Change mark the dates where these events occurred to help you understand changes in the total results and possible variations in the findings over time.
How are the timeframe dates arranged?
Data grouping is arranged based on the length of the timeframe.
Data grouping period is identified on the chart by its end date.
Report Formats:
In PDF format, if the timeframe period is:
over 180 days, the data points are every 2 weeks.
over 30 days and under 180 days, the data points are per week.
under 30 days, the data points are presented by day.
In JSON format, the full scope of data is presented
Example: Monthly Timeframe
Timeframe: From 1st of January to 30th of January.
Data point: last scan.
Data points are displayed per week, where the first data point identified is the 7th of January and shows the results for the last scan executed between the 1st and the 7th.
The second data point is identified by the 14th of January, the third by the 21st of January, the fourth by the 28th of January and the last would be identified by the 5th of February (even if it extends the timeframe filter).
Example: One-Year Timeframe
Timeframe: From 1st of January to 31st of December.
Data point: first scan.
Data points are displayed every 2 weeks, where the first data point identified is the 14th of January and shows the results for the first scan executed between the 1st and the 14th of January.
Scan Results Overview
The KPIs displayed in the scan results overview are based on the last full scan executed for the project within the timeframe in analysis. Last scan details for Scan Id and Scan Date are displayed.
For further details about the KPIs, please see Scan Template.
State Transitions Metrics
For each transition detected in the project, within the timeframe in analysis, you can see how many days the transition takes on average, and how many results have changed.
Take as an example the High results from To Verify to NE:
3 results were changed from To Verify to Not Exploitable.
On average the transition takes 24 days.
The minimum number of days is 20 and the maximum is 29.
Resolved Results Overview
This section only appears in case Resolved Results is included in the report (defined in the Filters).
The chart shows the trends over time for the resolved results.
The Total Results line shows the number of results currently present in the project, so you can compare the ratio between resolved and open findings. In case some of the open results are assigned to a specific user, you can see those totals in the Assigned line.
The labels for Data Retention, Preset Change, and Query Change mark the dates where these events occurred to help you understand changes in the total results and possible variations in the findings over time.
Top 5 Resolved Vulnerabilities by Severity
The Top 5 Resolved Vulnerabilities shows the vulnerabilities which had more results resolved within the time frame under analysis. For each vulnerability, the total number of results resolved is displayed.
Results by Language
As each project might comprise several languages, specific charts showing the total findings over time are part of the project report.
Languages Overview
The chart shows the trends over time for the scanned languages.
The labels for Data Retention, Preset Change, and Query Change mark the dates where these events occurred to help you understand changes in the total results and possible variations in the findings over time.
Language Vulnerabilities
For each specific language, you can see the trends of the results by severity and by its density as well.
Average (in days) from any transition to Resolved
A vulnerability that disappears between two consecutive scans S1 and S2 of the same project, is considered resolved in scan B.
When a vulnerability does not appear in a new scan, the state transition considers the vulnerability’s most recent state, regardless of the previous states.
For each transition detected in the project, within the timeframe in analysis, you can see how many days the transition takes on average, the maximum of days, the minimum of days, and how many results have changed. All these details are displayed and grouped by severity.
Severity proportions on the graph are calculated based on how many transitions were made on each severity.
This KPI considers full scans only.
Example:
Only results as To Verify were Resolved a total of 40 results.
21 High results were resolved.
On average, fixing a High vulnerability takes 1 day.
The minimum number of days is 0 and the maximum is 14.
How are the transitions identified?
Example:
Scan S1 has the vulnerability V1 as a result, having state = Confirmed
Scan S1 has the vulnerability V1 as a result, having state = To Verify
V1 state is updated from To Verify to Urgent
The source code is fixed
Scan S2 is executed and V1 and V1 are not flagged anymore → V1 and V2 are Resolved vulnerabilities
Two transitions to Resolved are identified:
For V1: Confirmed → Resolved
For V1: Urgent → Resolved
What is the behavior when a resolved result reappears?
If a result reappears after being resolved, and it is resolved once again, the two transitions will be considered in two different timelines.
Example:
Vulnerability V1 is marked as Confirmed in January 2023
Vulnerability V1 is Resolved in February 2023
Vulnerability V1 reappears in March 2023 To Verify
Vulnerability V1 is Resolved in April 2023
Timeframe applied to generate the report is between January 1st and the end of February
Only the transition Confirmed → Resolved is considered
Timeframe applied to generate the report is between March 1st and the end of April
Only the transition To Verify → Resolved is considered
Timeframe applied to generate the report is between January 1st and May 1st. The following transitions are considered:
Confirmed → Resolved
To Verify → Resolved