View Vulnerabilities


Go to the Vulnerabilities tab from the application's Overview page to see a list of all vulnerabilities found in that application. Contrast shows you all the vulnerabilities it's discovered including SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Traversal, XML External Entity Processing (XXE), Cross-Site Request Forgery (CSRF), Java Deserialization and many more.

Note: For Contrast to find weaknesses and present findings, you must exercise your application. You can then track, share and receive remediation guidance for each vulnerability that Contrast reports.

Explore Vulnerability Data

View and manage basic information for each vulnerability in the grid. Or, click on a vulnerability for more details including the type of vulnerability, guidance on how to fix it, line of code and the ability to replay the attack.

To see all vulnerabilities in a certain category - such as vulnerabilities that are open - use the dropdown menu by the vulnerability count above the grid to choose the appropriate quick view. The view default is "All". You can also click on the magnifying glass icon to search for specific vulnerabilities.

View the timeline

Click the trend line symbol above the grid to view a timeline of the vulnerabilities. Use the buttons above the chart to view data by Severity or Discovery. Any filters you apply in the grid also update the data in the chart. Use the filter for the Last Detected column to update the time span shown in the timeline.

Hover over the trend lines to see a breakdown of the data for that point in time. If you're viewing data by severity, this includes the number of vulnerabilities reported, the specific time stamp, and a breakdown of the total number of vulnerabilities by severity. If you're viewing data by discovery, this includes the number of vulnerabilities reported, the specific time stamp, and a breakdown the total number of vulnerabilities by status (newly discovered, duplicate or remediated).

To see your application's vulnerability data in more detail, you can also configure your Contrast agent to report session metadata.

Learn More

For more information on analyzing, managing and exporting reports on vulnerabilities, see the following articles:

Session Metadata

Pinpoint the source of vulnerabilities in your application with session metadata reported by your Contrast agent. As soon as you add the necessary configuration property to your agent file, the agent reports the information along with the rest of your standard vulnerability data to the Contrast UI.

Agent Configuration

To send session metadata for your application to the Contrast UI, you must add the configuration settings to your agent configuration file. The build properties that the agent can report are branch name, build number, commit hash, committer, Git tag, repository, test run and version. You may include all or some of these properties, as desired. The system can store up to 255 characters for each build property. This metadata will be available to you as additional information for each vulnerability reported or as a way to filter them. See the following table for the configuration key that corresponds to each property.

UI label Configuration key
Commit Hash commitHash
Committer committer
Branch Name branchName
Git Tag gitTag
Repository repository
Test Run testRun
Version version
Build Number buildNumber

You can supply these settings as system properties, environment settings or properties in a YAML configuration file. See the following configuration examples for each application language.


If you use system properties for Java, include an additional entry in the line where you add your javaagent flag. In this case, you will set the property contrast.application.session_metadata to a set of key-value pairs that identify your test run.


As a .NET developer using app.config or web.config, you can add an entry to your configuration to specify this property.

<?xml version="1.0"?>
  <connectionStrings />
    <add key="contrast.application.session_metadata" value="branchName=feature/some-new-thing,committer=Jane,repository=Contrast-DotNet" />

If you use YAML configuration, like most Node and Ruby agents, you can add an additional entry to your contrast_security.yaml file.

 session_metadata: branchName=feature/some-new-thing,committer=Jane,repository=Contrast-Ruby

Continuous integration

If you don't want to set these fields locally, you can also edit your continuous integration (CI) build scripts to set these for you. In Jenkins, you can pull the build number using the BUILD_NUMBER property.


If you use plugins in your CI, like the Contrast Jenkins Plugin, you can use these to make even more dynamic updates.


View Data by Application

To see the session metadata reported by the agent, go to your application's Vulnerabilities tab. The data for each vulnerability is displayed in the grid and the timeline.


Use the View By menu above the timeline to filter the data by the properties that you included in your agent configuration. This updates the values shown in the Seen By column in the grid. Use the filter for the grid column to refine the results.

To see vulnerabilities that aren't associated with any session metadata, select Disassociated in the View By menu. The Seen By column will then disappear, as the agent hasn't reported any metadata for these vulnerabilities.

Note: If session metadata hasn't been configured for this agent, the View By menu and Seen By column do not appear.


Your selections also update the data shown in the timeline, which you can view by Severity or Discovery. Hover over the trend lines in the grid for a breakdown of the data at that point in time.

For a broader view of vulnerability data reported for each application, see the vulnerabilities Overview.