Route coverage

For Assess users, route coverage associates vulnerabilities with the originating web request.

Web requests are the primary interface of web applications. A request may be handled by one function with many subsequent functions coordinating interactions with other services, databases, or files.

During the request handling process, Contrast monitors data flows across the application to identify vulnerabilities. A single web request may be vulnerable to multiple types of attacks. Contrast associates these vulnerabilities with the original request.

For example:

GET /users?active=true
Accept: application/json

This request could be handled by a function such as:

public class UserController {
    public String users(@RequestParam(name="active", required=false, defaultValue=true) Bool active) {

An application route is a combination of three parts:

  • an HTTP verb (GET in this example)

  • the resource path (/users)

  • the method signature of the controller (UserController.users(Bool active))

With route coverage, you can see detailed information on the components of your application, such as which routes have been exercised versus which ones have not. This can help you decide where to focus testing and remediation.

When the Contrast agent starts, it instruments functions in the application so that web requests can be assessed for vulnerabilities while the application is running. If a function implements a framework to handle web requests, Contrast can identify the route before a request is handled. These routes are labeled Discovered in Contrast.

When your application is handling a request, Contrast tracks the activity as an Exercised route.

Contrast supports route discovery for these frameworks:


The Java and Node.js agents only report routes from supported frameworks. The Java agent also requires the option<example_name> be defined in the agent configuration.

If the framework you are using is unsupported, please contact Support and let us know. For unsupported frameworks, Contrast will attempt to infer the routes based on observed requests, but you will not see any routes discovered within Contrast.