Issue attributes

This table describes a few of the predefined issue attributes in AppScan Enterprise.

| Name | Description |
| --- | --- |
| Status | Use to track workflow during your remediation process. |
| CVSS | An average score based on a combination of the Base and Temporal CVSS metrics groups and any manually set severity scores. |
| Severity Value | Manually fine-tune the CVSS score for a specific issue. Typically, you override the settings when you are importing issues from a third-party scanner or from AppScan Standard, or when you are triaging individual issues. Values: Use CVSS; Information = 0; Low = 3; Medium = 6; High = 8; Critical = 12. |
| Discovery Method | Static Analysis (SAST) or Dynamic Analysis (DAST) |
| Scanner | The type of third-party scanner that imported the issue, for example Nessus Vulnerability Scanner. |
| Application | An issue that is imported from AppScan Source. It contains one or more projects and related attributes. An attribute is a characteristic that helps organize scan results into meaningful groups. |
| Element | The name of the object on the page, for example, cookie or parameter, that is vulnerable to the issue, for example, passw. |
| Classification | Type of finding: vulnerability, exception, or informational. An exception is an indication of a suspicious and potentially vulnerable condition that requires more information or investigation. |
| Source File | The source files in the AppScan Source project that contain the vulnerabilities. |
| Line | The line number in the source code where the vulnerability was found. |
| API | The API that contains the vulnerabilities. |
| Project Name | A project in AppScan Source consists of a set of files, including source code, and related information, for example, configuration data. A project is always part of an application. |
| Fixed Date | The date and time stamp of when the issues were fixed. This attribute is read-only. |
| Overdue | An issue that has not been fixed by a predetermined date. |

Table 1. CVSS Base metrics. These are metrics of the vulnerability that are constant over time and across user environments.

| Metric | Description |
| --- | --- |
| Access Vector | Whether the vulnerability can be exploited only locally, also from adjacent networks, or from any network connection ("remotely exploitable"). |
| Access Complexity | The difficulty involved in exploiting this vulnerability. |
| Authentication | The number of times that an attacker must authenticate to a target to exploit the vulnerability. |
| Confidentiality Impact | The impact on confidentiality if this vulnerability is successfully exploited. |
| Integrity Impact | The extent to which system integrity (the accuracy of information supplied by the application) is compromised if this vulnerability is successfully exploited. |
| Availability Impact | The impact on the availability of information resources if this vulnerability is successfully exploited. |

Table 2. CVSS Temporal metrics. These are metrics of the vulnerability that may change over time.

| Metric | Description |
| --- | --- |
| Exploitability | The current state of exploitation techniques using this vulnerability. |
| Remediation Level | The level of remediation available to protect against the vulnerability. |
| Report Confidence | The degree of confidence in the existence and technical details of the vulnerability. |