
Work With Results

Once your scan has completed, there are a number of ways to work with and manage your results.

Default Scan Completed Windows

By default, once your scan completes you will be presented with two windows: the CodeScan Report and the Vulnerability Help. This behaviour can be disabled in the “Options” menu of the main CodeScan window. Both windows are dockable panels and can be docked within the main CodeScan window if you prefer. The main CodeScan window will automatically switch to the Scan Result Entry tab.

Scan Result Entry Tab

Most of the result management tools reside within the “Scan Result Entry” tab. This is where you can view a list of all vulnerabilities, manage the status of vulnerabilities and see additional information related to each vulnerability.

The top half of this tab displays full information about the currently selected vulnerability. You can use this information to identify the path to the vulnerable code, and see the specific line of code highlighted in the File Viewer Pane.

Vulnerability List

The vulnerability list is available in the bottom half of the Scan Result Entry tab. It is a list of all vulnerabilities detected by CodeScan. A vulnerability can be selected by clicking on its row in the list, updating the Scan Result Entry tab to display information relevant to this particular vulnerability. A context menu is also available within this list, allowing you to quickly update the status of the vulnerability (Unchecked, Checked Fixed or Checked OK).

This list can be sorted by clicking any column, or filtered by Severity/Filter Threshold.

Filter Threshold is a score that can be set through the custom filters in the Project Properties, or that CodeScan calculates automatically based on your use of recognised string sanitization techniques.

Filtering by Severity allows you to view Critical, High, Medium and Low risks separately. The severity buttons (the coloured buttons in the top left of the vulnerability list panel) work as toggles and are initially all set to “on”; clicking a button toggles that severity off. For example, to view only the “High” vulnerabilities, click “Critical”, “Medium” and “Low” to toggle them off.

File Viewer Pane

The file viewer pane allows you to quickly identify the specific lines of code where the vulnerability is in each instance. It will display the file(s) that are relevant to the current vulnerability. The vulnerable line will be identified with an icon, and will automatically be within view when a vulnerability is selected. This pane will dynamically swap between two modes.

Single-Pane Mode is typical of a Cross-Site Scripting through Direct Output (or similar) vulnerability. This occurs when the user input is read and displayed within a single line of code.

Dual-Pane Mode is typical of a SQL Injection (or similar) vulnerability, where the vulnerability arises from unsanitized user input that flows between two locations or files. In this case the left pane shows the source of the user input, and the right pane shows the line of code where the unsanitized data is loaded into the database.
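To make the two display modes concrete, the following is an added example, not code from CodeScan or from this guide. It shows, in Python, the shape of code behind each mode: a direct-output XSS where source and sink sit on one line (what Single-Pane Mode would show), and a SQL injection where the untrusted value is read in one function and concatenated into a query in another (what Dual-Pane Mode would show), each beside its fixed form. The function names, the in-memory SQLite table and the sample inputs are all constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample inputs standing in for attacker-controlled request parameters.
USER_INPUT_HTML = "<script>alert(1)</script>"
USER_INPUT_SQL = "' OR '1'='1"


# --- Single-line source-to-sink: Cross-Site Scripting through Direct Output ---

def render_greeting_vulnerable(name):
    """Source (untrusted name) and sink (HTML output) on one line."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_fixed(name):
    """Same line, but the value is HTML-escaped before it reaches the sink."""
    return "<p>Hello, " + html.escape(name) + "</p>"


# --- Two-location source-to-sink: SQL Injection ---

def read_search_term(query_params):
    """Source: the untrusted value enters here (left pane in Dual-Pane Mode)."""
    return query_params.get("q", "")


def find_users_vulnerable(conn, term):
    """Sink: the unsanitized value is concatenated into SQL (right pane)."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def find_users_fixed(conn, term):
    """Sink using a parameterised query: the value cannot alter the statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (term,))
    return [row[0] for row in rows]


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def demo():
    """Run both the vulnerable and fixed variants on the sample inputs."""
    conn = make_db()
    term = read_search_term({"q": USER_INPUT_SQL})
    return {
        "xss_vulnerable": render_greeting_vulnerable(USER_INPUT_HTML),
        "xss_fixed": render_greeting_fixed(USER_INPUT_HTML),
        "sqli_vulnerable": find_users_vulnerable(conn, term),
        "sqli_fixed": find_users_fixed(conn, term),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

In the vulnerable SQL path the tautology in the sample input turns a lookup for one name into a query that returns every row; the parameterised version returns nothing because the whole string is compared as a literal. This is the same distinction the File Viewer Pane draws: one line to inspect for the direct-output case, two locations to inspect when the source and the sink are separated.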

Vulnerability Help

The Vulnerability Help panel launches automatically by default, and is also accessible via the context menu in the Vulnerability List and under the “Options” menu in CodeScan. This panel contains full information about each class of vulnerability, including reference links to CWE and OWASP where appropriate, as well as advice on techniques to secure against the vulnerability. Use the left-hand tree panel to navigate through the full vulnerability coverage.

Summary Information

The vulnerability list also includes additional tabs that provide summary information. The Scan Summary tab holds a number of statistics about the project you have scanned. The File List tab shows a quick breakdown of files by “Scan Status” – Safe, Vulnerable or Unknown. The Messages tab shows any messages generated by the CodeScan engine during the scan.

Vulnerability Report

Click into the Vulnerability Report tab to access CodeScan’s reporting functionality. You can select which results to display in the report by selecting the relevant filters. By default, everything is selected to provide a complete report. To generate the report, click on the “Report” button in the bottom right of this pane.

To navigate through the report, expand the tree in the left panel. You can use this to quickly jump to different sections of the report.

Exporting Reports

CodeScan can export the report to PDF (Portable Document Format, readable in Adobe Acrobat) or XLS (Excel) format. To export your report, follow the steps in the Vulnerability Report section; once the report is open, click the floppy disk “Save” icon and select the format you require from the drop-down menu that appears.

You’re Now Ready for Step 4: Fix Vulnerabilities