Issue details panel

The Issue details panel summarizes the selected issue in the application, and is identified by the issue's unique Issue ID. It provides details about the issue and offers an advisory for QA and web developers to use during their remediation process. Depending on the type of issue that is selected, not all information discussed in this topic appears in the user interface.

Details tab

The Details tab displays the original scan findings discovered by the scanner that produced the issue, including the differences observed and the reasoning behind the finding.

Note:
  1. The free trial version does not display information in the tab. Only the full subscription service displays content.
  2. The Details tab doesn't display for imported issues.

The Test Requests and Responses section provides information about the tests and their specific variants that were sent to your web application to discover where it has weaknesses.

A test might have multiple variants. A variant is a slight modification of the original test request that the scan job sends to your web application server. The scan job first sends a request that is meant to be legal and to follow the business logic of your application. Then it sends the same request, modified to discover how your application handles incorrect or malformed requests.

Each test request might have a number of variants, as many as needed to cover all the security rules in the extensive database. For example, a test is sent to check that you have enforced user input rules for a specific parameter. One variant checks that apostrophes are not valid input, while another variant checks that quotation marks are not allowed.
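The following is an added example, not code from AppScan or from this page. It shows the baseline-then-variants sequence described above against a hypothetical endpoint (handleRequest, which accepts a user parameter and enforces an assumed character rule), and records for each variant whether the response differed from the legal request, which is the kind of difference the Details tab reports. The parameter name, the allowed-character rule, and the request values are constructed for the example.

```javascript
// Added example (not AppScan's code): a mock endpoint with a strict input
// rule for one parameter, and a replay of a baseline request plus variants,
// mirroring how the Details tab lists each variant and what differed.

// Assumed input rule for the hypothetical "user" parameter.
const ALLOWED_USERNAME = /^[A-Za-z0-9_.-]{1,32}$/;

// Hypothetical application endpoint: accepts ?user=<name> and rejects
// anything outside the allowed character set with HTTP 400.
function handleRequest(queryString) {
  const params = new URLSearchParams(queryString);
  const user = params.get("user");
  if (user === null) {
    return { status: 400, body: "missing user parameter" };
  }
  if (!ALLOWED_USERNAME.test(user)) {
    return { status: 400, body: "invalid characters in user parameter" };
  }
  return { status: 200, body: `profile for ${user}` };
}

// Build variants the way the text describes: start from a legal request,
// then modify the value of one parameter, one change per variant.
function buildVariants(baselineQuery, paramName, mutations) {
  return mutations.map(({ name, mutate }) => {
    const params = new URLSearchParams(baselineQuery);
    params.set(paramName, mutate(params.get(paramName)));
    return { name, query: params.toString() };
  });
}

// Send the baseline first, then every variant, and record how each response
// differs from the baseline. A variant that gets the same status as the
// legal request shows the input rule is not enforced for that character.
function runTestVariants(handler, baselineQuery, variants) {
  const baseline = handler(baselineQuery);
  return variants.map((v) => {
    const response = handler(v.query);
    return {
      variant: v.name,
      request: v.query,
      status: response.status,
      differsFromBaseline: response.status !== baseline.status,
      ruleEnforced: response.status === 400,
    };
  });
}

// Constructed sample: the legal request plus the two variants from the text
// and one unchanged control variant.
const BASELINE = "user=alice";
const MUTATIONS = [
  { name: "apostrophe", mutate: (v) => `${v}'` },
  { name: "quotation mark", mutate: (v) => `${v}"` },
  { name: "unchanged control", mutate: (v) => v },
];

function report() {
  const variants = buildVariants(BASELINE, "user", MUTATIONS);
  return runTestVariants(handleRequest, BASELINE, variants);
}

console.log(JSON.stringify(report(), null, 2));
```

Each row of the report corresponds to one variant line in the Details tab: the request that was sent, the status it received, and whether that differed from the baseline response. A variant whose ruleEnforced value is false is the signal that the input rule for that parameter needs attention.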

Code Snippets provide static analysis of JavaScript source code. The issues found include source-level trace information that highlights the vulnerable source code. Highlighted and numbered lines in the code show, step-by-step, from source to sink, how untrusted data that enters the application gets propagated until it is used in an insecure way.
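As an added example (not code from AppScan or from this page), the block below shows what a numbered source-to-sink trace looks like in JavaScript, with each step marked in a comment, followed by the hardened form of the same path. The renderer functions, the fragment value, and the escapeHtml helper are constructed for the example; the sink is modelled as a function that returns the HTML string a page would assign to innerHTML, so the example runs under Node without a browser.

```javascript
// Added example (not AppScan's code): a three-step source-to-sink trace for
// markup injection, written to run under Node. The sink is a hypothetical
// renderer returning the HTML a page would assign to innerHTML.

// Step 1 (source): untrusted data enters from the URL fragment. The fragment
// is passed in explicitly so the example runs offline.
function readNameFromFragment(hash) {
  return decodeURIComponent(hash.replace(/^#/, "")); // step 1: source
}

// Step 2 (propagation): the tainted value is carried, unchanged, into a message.
function buildGreeting(name) {
  return `Welcome back, ${name}!`; // step 2: taint propagates through the template
}

// Step 3 (sink): the message is placed into markup without encoding.
function renderVulnerable(hash) {
  const name = readNameFromFragment(hash); // step 1
  const greeting = buildGreeting(name);    // step 2
  return `<h1>${greeting}</h1>`;           // step 3: sink (would be innerHTML)
}

// Hardened form: encode at the sink so the same path no longer lets
// untrusted text become markup. Assumed helper, not a library function.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(hash) {
  const name = readNameFromFragment(hash);
  const greeting = buildGreeting(name);
  return `<h1>${escapeHtml(greeting)}</h1>`; // encoded before reaching the sink
}

// Constructed sample input: a fragment carrying markup instead of a name.
const SAMPLE_HASH = "#%3Cb%3Eadmin%3C%2Fb%3E";

// Check used to compare the two renderers: does a raw tag survive into the output?
function containsRawTag(html) {
  return /<b>/.test(html);
}

console.log("vulnerable:", renderVulnerable(SAMPLE_HASH));
console.log("hardened:  ", renderHardened(SAMPLE_HASH));
```

The numbered comments correspond to the highlighted lines a Code Snippets finding would show: the source, each propagation step, and the sink. The fix belongs at the sink, which is why renderHardened leaves steps 1 and 2 untouched and changes only what is written into the markup.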

Trace information includes:
  • Classification: Indicates the type of finding: Security (Definitive or Suspect) or Configuration.
  • Context: Displays the data flow for the method in the output stack, including the line number in the source code where the issue and context appear.
  • Source File: Indicates the source files in the workspace project that contain the vulnerabilities.
  • Line number: Indicates where in the code the vulnerability was detected.

How to fix tab

Note: The How to fix tab doesn't display for imported issues.

The How to fix tab contains the following details about the issue:
  • The possible causes of the vulnerability in your application
  • The security risks (worst case scenarios) to your organization
  • A Fix Recommendation provides developers with code samples specific to certain development environments so the issue can be fixed in the application source code. Not all issues have fix recommendations.
  • References and Relevant Links, including CVE, CWE, and IBM Security X-Force

Comments tab

The Comments tab displays the comments added by you or other users in your organization, which can serve as useful reminders.

Note: The Comments tab doesn't display for imported issues.

Audit trail tab

The Audit trail tab provides a comprehensive record of all activities and changes associated with a particular issue within an application under your organization. This record lets you track the history of an issue, provides transparency and accountability, and supports collaboration among team members.

Properties tab

The Properties tab lists expanded issue details, including the issue ID, how and when the issue was found, type, status, severity, scanner, and location. Use the "Copy Properties" option to copy this information and paste it into reports, emails, or other communication channels.