Filtering a list of security issues in an application

When an application has many scans that discover many vulnerabilities, use filters on the preset issue attributes, such as Issue Severity, Issue Type, or Issue Status to help you reduce the list to a more manageable size.

About this task

You cannot filter on these issue attributes:
  • ID
  • Location
  • Last Updated
  • Date Created
  • Fixed Date
  • Description
  • IssueXML
  • Comments

Procedure

  1. Open the first application that you plan to triage. By default, the list of issues is grouped by Severity. You can also group the issues by Issue Type, Status, or Scanner instead. The classification filters for the list automatically display in the sidebar.
  2. Use the Add filters field to further refine the filter list. For example, to find URLs that are vulnerable to security issues, filter by Domain and then by Path. The list shrinks to show you all the vulnerabilities that are discovered on that page. If the list is still large, filter by Issue Type or Issue Severity.
    Note: If you filter by a status that is customized to be hidden from view (noise, passed, or fixed), the filtered status is still displayed in the issue list.
  3. To find a specific issue, enter its Issue ID number in the Add filters field. This is useful to finding issues that you might have noted in an email, in a PDF, defect tracking system, or in an old report.
  4. To focus on dynamic analysis (DAST) or static analysis (SAST) issues, filter by Discovery Method. Then, you can filter by Issue Type and then by Path.
    1. Click the Issue ID of each issue to open a unique About this Issue report. The report provides details about the issue and offers an advisory for QA and web developers to use during their remediation process.
    2. Filter by Scan Name to isolate the area of the application that is producing the vulnerabilities. This method can help you see whether you have complete coverage for the application. It is useful when you have many issues for an application, or many scans for an application. Then, filter by Issue Type.
  5. To make SAST issue column headers visible, select them from the Column Selection grid layout menu. By default, these column headers are hidden because the SAST issues must be imported from AppScan® Source.
    1. To see the Trace tab of the About this Issue report, filter by Source File and then by Issue ID.
    2. Filter by Source File and then by API. This filter combination shows you the API and the arguments that are passed to it.
    3. Filter by Classification and then by Scan Coverage Findings to determine areas where the scan configuration in AppScan Source might be improved for better scan coverage, such as lost sink findings.
      Note: New in 9.0.3.1. iFix2: By default, scan coverage findings are filtered from view. To remove the default, go to List menu > Customize View and clear the Scan Coverage Findings check box. This affects the formulas that display in the Portfolio tab, because the formulas don't include scan coverage findings in their calculations.

Results

The filters are saved for each specific application.

What to do next

Triaging issues in an application