Issue details panel

The Issue details panel summarizes the selected issue in the application, and is identified by the issue's unique Issue ID. It provides details about the issue and offers an advisory for QA and web developers to use during their remediation process. Depending on the type of issue that is selected, not all information discussed in this topic appears in the user interface.

Overview tab

Displays predefined issue attributes and their values.

Details tab

The Details tab displays the original scan findings that are discovered by the scanner that produced the issue, including differences and the reasoning.

  1. The free trial version does not display information in the tab. Only the full subscription service displays content.
  2. The Details tab doesn't display for imported issues.

The Test Requests and Responses section provides information about the tests and their specific variants that were sent to your web application to discover where it has weaknesses. A test might have multiple variants. A variant is a slight difference of the original test request that the scan job sends to your web application server. A request is first sent that is meant to be legal and to follow the business logic of your application. Then, it sends the same request, but modified to discover how your application handles incorrect or mistaken requests. Each test request might have a number of variants, as many variants as needed to cover all the security rules in the extensive database. For example, a test is sent to check that you have enforced user input rules for a specific parameter. One variant checks that apostrophes are not valid input; another variant checks that quotation marks are not allowed.

Code Snippets provide static analysis of JavaScript source code; the issues found include source-level trace information that highlights the vulnerable source code. Highlighted and numbered lines in the code show, step-by-step, from source to sink, how untrusted data that enters the application gets propagated until it is used in an insecure way.

Trace information includes:
  • Classification: indicates the type of finding: Security (Definitive or Suspect) or Configuration.
  • Context: displays the data flow for the method in the output stack, including the line number in the source code where the issue and context appear.
  • Source File: indicates the source files in the workspace project that contain the vulnerabilities.
  • Line number: indicates where in the code the vulnerability was detected.

Advisory tab

  1. The Advisory tab doesn't display for imported issues.
The Advisory contains the following details about the issue:
  • Type of Test (Application or Infrastructure)
  • Web Application Security Consortium (WASC) Threat Classification
  • The security risks (worst case scenarios) to your organization
  • The possible causes of how the vulnerability came to exist in your application
  • Technical Description of the issue
  • Affected Products (product versions that are affected by this security issue, such as ASP.Net 1.1 Service Pack 1)
  • References and Relevant Links, including CVE, CWE, and IBM Security X-Force

Fix Recommendation tab

  1. The Fix Recommendation tab doesn't display for imported issues.
  2. Not all issues have Fix Recommendations.
A Fix Recommendation provides developers with code samples specific to certain development environments so the issue can be fixed in the application source code:
  • General
  • .Net
  • J2EE
  • Recommended Java Tools
  • References