Scan with start
Once the online scan finishes, the results look like the following:
The screenshot above shows two scanned projects, “vulnado-test” and “vulnpy”, each with an SCA scan and other scans. Let’s dive into the results.
Understanding the results:
Each row carries a set of severity badges:
“C” - number of Critical-severity vulnerabilities found in the scan
“H” - number of High-severity vulnerabilities found in the scan
“M” - number of Medium-severity vulnerabilities found in the scan
“L” - number of Low-severity vulnerabilities found in the scan
“E” - number of vulnerabilities flagged as Exploitable in the scan (the same “Exploitability” flag used by the severity filter below)
Step 2 : Click on the row titled “pom.xml” and you will see a screen like this:
It contains the following information about your SCA scan:
1) Project Scanned
The name of the current project. In this case, vulnado.
2) Snapshot Scan Time
When the scan was performed: the date and the time.
3) API key owner
The user who performed this scan, shown as their email address.
Open Pull Requests
To address the issues identified in the scan directly, you can open a pull request that applies the fixes. Locate the “Open a fix PR” button on the right side above the search bar (as shown in the image above).
Clicking this button opens a pop-up window.
This window lists all identified issues together with their available fixes.
Browse through the list and select the issues for which you wish to raise a pull request.
After making your selections, click the “Open a fix PR” button at the bottom of the pop-up window. Review the resulting PR like any other dependency change before merging: a version bump that closes a vulnerability can still change behaviour or break the build, so let CI run on it first.
Search Bar :
Type in this bar to search the listed vulnerabilities.
Filters on left side :
You can narrow the list with the filter bar on the left. It includes:
SEVERITY: Filters vulnerabilities by severity level (Critical, High, Medium, or Low) or by Exploitability, so you can prioritize remediation.
In Allowed List: Shows only vulnerabilities that have been added to the allowed list, for a quick review of previously acknowledged issues.
New Vulnerabilities: Filters vulnerabilities by discovery date, isolating recently found issues that need immediate attention.
Show Files: Lets you choose whether to list files that are “Excluded” or “Not Excluded”.
Vulnerability card :
Three Dots Menu: A clickable icon represented by three dots on the card. Clicking it opens a menu with several options for managing the vulnerability:
Add to Allowed List: Temporarily adds the vulnerability to your allowed list, acknowledging it while deciding it does not require immediate action.
Mark as False Positive: If you determine that the reported vulnerability is not a genuine threat, you can label it as a false positive for a chosen duration.
Overwrite Severity: Adjusts the severity rating of a vulnerability based on your own assessment.
Add Comment: Provides a space for notes or comments about the vulnerability, useful for team communication or future reviews.
Both “Add to Allowed List” and “Mark as False Positive” offer timeline options that set how long the setting stays in effect:
Mark for a Day: Apply the setting for 24 hours.
Mark for a Week: Apply the setting for one week.
Mark for a Month: Apply the setting for one month.
Mark for a Year: Apply the setting for a full year.
Mark Forever: Apply the setting indefinitely, until it is changed. Use this sparingly: a time-boxed mark resurfaces the finding for re-review when it lapses, a permanent one never does.
Select Custom Date: Opens a popup where you pick the exact date on which the setting expires, for precise control over the duration.
Manage vulnerabilities in Cluster
For more efficient vulnerability management, the interface lets you apply a setting to multiple vulnerabilities at once. This is especially useful when you need to classify several issues as false positives or add them to the allowed list without editing each card individually.
Select Vulnerabilities: Each vulnerability card has a checkbox at its top left. Tick the checkboxes of the vulnerabilities you want to manage together.
Apply Cluster Actions: After making your selections, two options appear next to the count of selected vulnerabilities at the top of the list:
Set as False Positive: Marks all selected vulnerabilities as false positives in one step.
Add to Allowed List: Adds all selected vulnerabilities to the allowed list in one step.
Managing vulnerabilities in groups saves time, reduces mistakes, and keeps your project’s security handling consistent. Note that the whole batch receives the same timeline, so every suppression in the group lapses on the same date.
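To make the timeline options and cluster actions concrete, here is a small Python model of how time-boxed suppressions interact with the left-hand filters. This is an added example, not the product's own code: the finding identifiers, files and dates are constructed, calendar-month arithmetic for “month” and “year” is an assumption (the page does not say how they are counted), and the rule that an actively suppressed finding is hidden from the default view, while “In Allowed List” shows only allowed-list entries, is likewise assumed.

```python
"""Illustrative model of allowed-list / false-positive timelines and filters
(added example, not the product's code; identifiers, dates and the
hide-when-suppressed behaviour are assumptions)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the target month's last day."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expiry_for(option: str, today: date, custom: Optional[date] = None) -> Optional[date]:
    """Map a timeline option to the date the setting lapses (None = Mark Forever).
    A setting counts as active while today < expiry."""
    table = {
        "day": lambda: today + timedelta(days=1),
        "week": lambda: today + timedelta(weeks=1),
        "month": lambda: add_months(today, 1),
        "year": lambda: add_months(today, 12),
        "forever": lambda: None,
    }
    if option == "custom":
        if custom is None or custom <= today:
            raise ValueError("custom expiry must be a date after today")
        return custom
    if option not in table:
        raise ValueError(f"unknown timeline option: {option!r}")
    return table[option]()


@dataclass
class Suppression:
    kind: str                # "allowed" (Allowed List) or "false_positive"
    expires: Optional[date]  # None = forever

    def active(self, today: date) -> bool:
        return self.expires is None or today < self.expires


@dataclass
class Finding:
    id: str
    severity: str
    discovered: date
    file: str
    excluded: bool = False
    suppression: Optional[Suppression] = None
    severity_override: Optional[str] = None   # "Overwrite Severity"
    comments: List[str] = field(default_factory=list)

    def effective_severity(self) -> str:
        return self.severity_override or self.severity


def cluster_mark(findings: List[Finding], ids: Set[str], kind: str,
                 option: str, today: date, custom: Optional[date] = None) -> None:
    """Cluster action: the expiry is computed once and applied to every selected card."""
    expires = expiry_for(option, today, custom)
    for f in findings:
        if f.id in ids:
            f.suppression = Suppression(kind, expires)


def filter_findings(findings: List[Finding], today: date, severity: Optional[str] = None,
                    in_allowed_list: bool = False, new_since: Optional[date] = None,
                    show_files: str = "not_excluded") -> List[Finding]:
    """Left-hand filters; actively suppressed findings are hidden by default (assumed)."""
    out = []
    for f in findings:
        sup = f.suppression if f.suppression and f.suppression.active(today) else None
        if show_files == "not_excluded" and f.excluded:
            continue
        if show_files == "excluded" and not f.excluded:
            continue
        if in_allowed_list and not (sup and sup.kind == "allowed"):
            continue
        if not in_allowed_list and sup is not None:
            continue
        if severity and f.effective_severity() != severity:
            continue
        if new_since and f.discovered < new_since:
            continue
        out.append(f)
    return sorted(out, key=lambda f: SEVERITY_RANK[f.effective_severity()], reverse=True)


def scenario() -> Dict[str, object]:
    """Constructed walk-through: what each view lists before and after a day mark lapses."""
    fs = [
        Finding("V-1", "Critical", date(2024, 4, 20), "pom.xml"),
        Finding("V-2", "High", date(2024, 4, 28), "pom.xml"),
        Finding("V-3", "Medium", date(2024, 3, 1), "pom.xml"),
        Finding("V-4", "Low", date(2024, 4, 30), "legacy/pom.xml", excluded=True),
    ]

    def ids(fl: List[Finding]) -> List[str]:
        return [f.id for f in fl]

    today, tomorrow = date(2024, 5, 1), date(2024, 5, 2)
    cluster_mark(fs, {"V-1", "V-2"}, "allowed", "day", today)   # Mark for a Day, as a cluster
    fs[2].severity_override = "High"                             # Overwrite Severity on V-3
    return {
        "default_today": ids(filter_findings(fs, today)),
        "allowed_today": ids(filter_findings(fs, today, in_allowed_list=True)),
        "default_tomorrow": ids(filter_findings(fs, tomorrow)),  # the day mark has lapsed
        "high_tomorrow": ids(filter_findings(fs, tomorrow, severity="High")),
        "new_tomorrow": ids(filter_findings(fs, tomorrow, new_since=date(2024, 4, 25))),
        "excluded_files": ids(filter_findings(fs, today, show_files="excluded")),
        "month_from_jan31": expiry_for("month", date(2024, 1, 31)).isoformat(),
        "year_from_feb29": expiry_for("year", date(2024, 2, 29)).isoformat(),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:18} {value}")
```

The point to take from the walk-through is that a time-boxed mark is not a permanent decision: the two findings hidden by the one-day cluster action reappear in the default view the next day, and the “In Allowed List” filter is the place to audit what is currently suppressed before that happens. The month-end cases show why a real implementation needs calendar-aware arithmetic rather than adding 30 or 365 days.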
View Dependencies
Click on “Dependencies” to view the vulnerable dependencies in that project:
View Licenses
Click on “OSS Licenses” to view the licenses of the project’s dependencies:
View Remediations
Click on “Remediation” to view the available remediations: