View application vulnerabilities

From the Applications list, you can view vulnerabilities for a specific application.

Before you begin
  • Exercise (browse or use) your application so Contrast can find weaknesses and present results in the Contrast application.

  • To see your application's vulnerability data in more detail, configure your Contrast agent to report session metadata.

Steps
  1. Select Applications in the header.

    The Applications list displays the number of open vulnerabilities for each application. To view details for specific types of vulnerabilities (for example, critical or high), in the Open Vulnerabilities column, select the relevant section of the bar.

    OpenVulnBar.png

    An open vulnerability has a status of Reported, Suspicious, or Confirmed.

  2. Alternatively, in the Applications list, select an application name and then select the Vulnerabilities tab. You see a list of vulnerabilities for that application.

  3. In the Vulnerabilities tab, to filter vulnerabilities, select the small triangle at the very top of the list.

    VulnAppMainFilter.png

    These filter options are available:

    • Open

    • High confidence

    • Policy violation

    • Pending review

  4. To search for specific vulnerabilities, select the magnifying glass icon (MagnifiyingGlassIcon.png).

  5. To view a timeline of the vulnerabilities, select the trend line symbol (TrendlineIcon.png) above the list.

    Use the buttons above the chart to view data by Severity or Discovery. Hover over the trend lines to see a breakdown of the data for that point in time (number of vulnerabilities, time stamp, or status).

    Any filters you apply in the list also update the data in the chart. Use the filter for the Last detected column to update the time span shown in the timeline.

  6. To filter by columns, select the Filter icon (filterIcon.png) next to the column headers. These filters are available, if applicable to the selected application:

    • Severity: Available filters are: Critical, High, Medium, Low, and Note.

    • Vulnerability: Available filters, if applicable to the selected application, are:

      • Vulnerability tags : Custom tags you assigned to vulnerabilities

      • Type: Types of vulnerabilities

      • Modules: Application modules associated with a vulnerability

      • Servers: Servers hosting the application.

      • Environments: Development, QA, and production

      • Sinks: Vulnerabilities that originate from a common sink

        A sink is common custom code shared between multiple data-flow vulnerabilities.

        Filtering by sink can help you identify a single line of code that is responsible for multiple vulnerabilities.

      • URLs: Vulnerabilities associated with a specific URL.

      • Compliance policy: Vulnerabilities associated with selected compliance policies

      • Routes: Vulnerabilities associated with selected routes.

    • Last detected: Available filters are: First or Last detected and Time range. Select Custom to enter specific dates and times.

    • Status: Available filters are Status and whether Contrast is tracking the vulnerability.

For merged applications, the Open Vulnerabilities column in the Applications list displays the combined number of vulnerabilities for all application modules in the primary application. The Applications list displays the primary application only, not the individual modules merged into it.
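The two ideas above that are easy to misread in the UI are the "open" status rule (Reported, Suspicious, or Confirmed), the Sinks filter (one shared sink behind several data-flow findings), and the merged-application count (modules roll up into the primary). The following Python is an added illustration, not Contrast code and not Contrast's export format: the vulnerability records, status names, sink locations and module names are constructed here to show how those three views relate to one another.

```python
from collections import defaultdict

# Statuses the page defines as "open"; every other status is closed.
OPEN_STATUSES = {"Reported", "Suspicious", "Confirmed"}

# Constructed sample data (hypothetical application, modules, sinks and
# severities) standing in for what an agent would report.
VULNS = [
    {"id": 1, "app": "billing", "module": "billing-web", "severity": "Critical",
     "status": "Reported", "sink": "db/Query.java:88"},
    {"id": 2, "app": "billing", "module": "billing-web", "severity": "High",
     "status": "Confirmed", "sink": "db/Query.java:88"},
    {"id": 3, "app": "billing", "module": "billing-api", "severity": "High",
     "status": "Suspicious", "sink": "db/Query.java:88"},
    {"id": 4, "app": "billing", "module": "billing-api", "severity": "Medium",
     "status": "Remediated", "sink": "web/Render.java:12"},
    {"id": 5, "app": "billing", "module": "billing-batch", "severity": "Low",
     "status": "Reported", "sink": "io/Path.java:40"},
    {"id": 6, "app": "portal", "module": "portal-web", "severity": "Critical",
     "status": "Reported", "sink": "web/Render.java:12"},
]

# Constructed merge table: primary application -> modules merged into it.
MERGED = {"billing": {"billing-web", "billing-api", "billing-batch"}}


def is_open(vuln):
    """Mirror the page's rule: open means Reported, Suspicious or Confirmed."""
    return vuln["status"] in OPEN_STATUSES


def open_counts_by_severity(vulns, app):
    """Breakdown of the Open Vulnerabilities bar for one application."""
    counts = defaultdict(int)
    for v in vulns:
        if v["app"] == app and is_open(v):
            counts[v["severity"]] += 1
    return dict(counts)


def merged_open_count(vulns, primary, merged=MERGED):
    """Open vulnerabilities across the primary app and all merged modules."""
    modules = merged.get(primary, set())
    return sum(1 for v in vulns
               if v["app"] == primary and v["module"] in modules and is_open(v))


def shared_sinks(vulns, minimum=2):
    """Sinks referenced by at least `minimum` open findings, most-shared first.

    This is the view the Sinks filter gives: one line of code behind several
    data-flow vulnerabilities, so fixing that line clears all of them.
    """
    by_sink = defaultdict(list)
    for v in vulns:
        if is_open(v):
            by_sink[v["sink"]].append(v["id"])
    ranked = [(sink, ids) for sink, ids in by_sink.items() if len(ids) >= minimum]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    print("billing open by severity:", open_counts_by_severity(VULNS, "billing"))
    print("billing merged open count:", merged_open_count(VULNS, "billing"))
    for sink, ids in shared_sinks(VULNS):
        print(f"sink {sink} shared by open findings {ids}")
```

The closed finding (status Remediated) drops out of every count, which is why the merged total for the primary application is smaller than the number of records for it, and the sink ranking surfaces the one location that three separate open findings flow into.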

Example:

Before you merge applications, the Open Vulnerabilities column looks similar to this:

AppsUnmerged.png

After you merge applications, the bar in the Open Vulnerabilities column shows vulnerabilities for the primary application and all the merged application modules. The Applications list does not show the merged application modules as separate entries.

AppsMergedVulns.png

See also

View vulnerabilities at an organization level