View route details
Route coverage helps you understand how vulnerabilities map to your application's attack surface.
If you remove routes from the Route coverage list (steps 8 and 9) and they still exist when the server restarts or you exercise the application, Contrast includes them in the list again. To permanently exclude routes, select the Exclude icon at the end of the route's row.
Select Applications in the header.
Select the name of an application.
The Overview tab shows the number of routes exercised compared to the number of total routes in your application.
In the Overview tab, select the number of routes exercised or select the Route coverage tab.
In the Route coverage tab, the Route coverage summary shows this information:
Exercised routes: This section shows these details:
The percentage of discovered routes that you exercised.
The number of exercised routes.
Session metadata: This section shows these details, based on the applied session metadata filters:
Note
If you haven't applied session metadata filters, no values display. To see values for session metadata, select Apply filter or Edit filter (to change the current filters) and specify the filters you want to use.
Percentage of routes exercised that match the applied filters.
The number of exercised routes that match the applied filters.
The selected session.
The repository for the application
Build number
Branch name
Committer
In the Route coverage tab, if you don't apply session metadata filters, the route coverage chart displays.
Note
If you previously selected metadata filters, this chart does not display. To see the chart, select Clear the filters.
The chart displays details about routes based on their status:
Discovered by Contrast (but never exercised with the agent)
Exercised with the Contrast agent
Exercised and found to contain vulnerabilities
In the Route coverage list, view additional details about each route.
Route: A route that Contrast identified or is tracking.
Server: The servers where the application is running.
By default, the Server column shows up to three servers. To view a complete list of servers (if more than three are in use), select Show all.
Note
When you delete a server, Contrast removes it from the list instead of displaying it as greyed out.
Vulnerabilities: The number of vulnerabilities associated with the route.
Last activity: The activity time span for the route.
Status: The route status.
Select an option to view details for each route that Contrast has identified in the application:
To view the URL for the route, select a route name.
To view vulnerability details for a specific route, select a section of the severity bar in the Vulnerability column. Each section indicates one or more severity levels: Critical, High, Medium, Low, and Notes.
To view routes based on an activity time span, select the Filter icon next to the Last activity column.
Changing the time span also changes the time span for the route coverage chart.
To clear the filter selection, select Clear next to the column heading.
To view routes with a specific status only, select the Filter icon next to the Status column. The status options are:
All: Shows all routes that are not excluded.
Exercised: Shows only routes that are exercised.
Not Exercised: Shows routes that Contrast discovered but that are not exercised.
Vulnerable: Shows only routes that have a vulnerability associated with them.
Excluded: Shows only routes that you excluded from the application scoring calculations.
To remove a single route from the list:
Hover over the end of the row and click the Remove icon.
To confirm the removal of the route, select Delete.
To remove multiple routes from the list:
Select the check mark next to one or more routes or, to select all routes, select the check mark next to Route.
In the batch action menu at the bottom of the page, select the Remove icon.
To confirm the removal of the routes, select Delete.
To view and share route details outside of Contrast:
Select the check mark next to one or more routes or, to select all routes, select the check mark next to Route.
In the batch action menu at the bottom of the page, select the Export icon.
This action exports the details to a CSV file. The file downloads to your default download location.
The CSV file includes:
A list of the application's routes.
Details about the server on which they were found.
Details of when the routes were last exercised.
A list of vulnerabilities, with the severity and status of each.
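The following Python script reads an exported CSV file and reports the percentage of routes exercised, the routes that were never exercised, and the routes carrying blocking vulnerabilities, so the export can drive a release check. It is an added example, not part of the Contrast documentation or product; the column names, the layout of the vulnerability cell, the sample rows and the thresholds are assumptions to adjust to your own export.

```python
import csv
import io
import re

# Constructed sample export. The column names and the "Name (Severity, Status)"
# cell layout are assumptions; adjust them to the header of your own CSV file.
SAMPLE_CSV = """Route,Server,Last exercised,Vulnerabilities
GET /login,app-01,2024-05-01 10:02,
POST /login,app-01,2024-05-01 10:03,"SQL Injection (Critical, Reported); XSS (Medium, Confirmed)"
GET /admin/export,app-02,,
GET /health,app-01,2024-05-02 08:00,
DELETE /users/{id},app-02,,
"""
VULN_RE = re.compile(r"\((\w+),")  # captures the severity word of each entry


def summarize(csv_text):
    """Return coverage figures and the routes that still need attention."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Assumption: an empty "Last exercised" cell means the route was
    # discovered but never exercised with the agent.
    unexercised = [r["Route"] for r in rows if not (r["Last exercised"] or "").strip()]
    by_severity = {}
    for r in rows:
        for sev in VULN_RE.findall(r["Vulnerabilities"] or ""):
            by_severity.setdefault(sev, []).append(r["Route"])
    exercised = len(rows) - len(unexercised)
    pct = round(100.0 * exercised / len(rows), 1) if rows else 0.0
    return {"total": len(rows), "exercised": exercised, "percent": pct,
            "unexercised": unexercised, "by_severity": by_severity}


def gate(summary, min_percent=80.0, blocking=("Critical", "High")):
    """Return the reasons a release check should fail (empty list = pass)."""
    reasons = []
    if summary["total"] == 0:
        reasons.append("export contains no routes")
    elif summary["percent"] < min_percent:
        reasons.append("coverage %.1f%% is below %.1f%%; untested: %s" % (
            summary["percent"], min_percent, ", ".join(summary["unexercised"])))
    for sev in blocking:
        for route in summary["by_severity"].get(sev, []):
            reasons.append("%s vulnerability on %s" % (sev, route))
    return reasons


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    print(summary["percent"], gate(summary))
```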