Security Issues

Each AST tool creates a security report during each scan. This is part of the security pipeline work. The security report contains a list of issues found during the security scan. Work with the security report should be started with importing issues from AST tools to Maverix. Although security issues are automatically imported after a scan, it is possible to perform it manually using the Maverix user interface.

Select the Applications menu item at the top left of the Maverix user interface. The applications page appears on the screen. Click the Show app details button at the bottom right of the application card.

 

 

Select the Issues menu item and click the Import issues image197.png button at the top right to import issues from AST tools.

 

 

The Import started confirmation appears at the bottom right. When the import is complete, the imported issues will appear on the screen. In the example shown above, the issues were detected as a result of running the SAST tool. It’s possible to set up auto import of security issues from AST tool in Maverix security pipeline, for more information, see the "Artifact Security Pipeline" section.

The total number of currently open security issues (not yet fixed) is shown to the right of the Issues menu item.

Each issue is presented as a separate line containing a brief description of the issue in the following columns:

  • The issue Id in the AST tool.
  • The issue Type (SAST, DAST, SCA Compliance, SCA Security).
  • The issue Source is the filename for SAST issues or the component name and version for SCA issues.
  • The issue Category type (e.g. Potential_SQL_Injection for SAST issues, etc.).
  • The issue Status in the AST tool (To Verify, Reviewed, Open, Fixed, False Positive).
  • The issue Severity in the AST tool (Low, Medium, High, Critical).
  • The issue CWE (Common Weakness Enumeration), if applicable. CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
  • Defect is a link to a corresponding security defect.

All this information about the security issues is imported to Maverix from AST tools.

Click security issue ID to start the work. A page with detailed information about the issue appears. This page contains five tabs.

 

 

  • The Details tab contains detailed information about the issue with an indication of the potential hazard, its cause, and recommendations for its elimination. In addition, you can see the results of AVC analysis in the AVC Status and AVC Accuracy fields. For more information, see the "Issue Categories" section of the Application Administrator Guide.
  • The Path tab contains information that helps to find the root of the issue.

 

 

  • The Status history tab contains information about each occurrence of this issue during the security scans performed. This tab contains information on every issue detected during the security scans. You can also track the history vulnerability statuses here (the Old Status and New status fields). The status update is only displayed if it has actually changed. For instance, if a scan was carried out, but the security issue status has not changed, only the date is updated.

 

 

  • The Import Task Id field is automatically filled in when importing from any tool. The Scan Task Id field is automatically filled in according to the scan results.
  • The Comments and Recommendation tabs allow you to add some comments and recommendations to the issue. They will be saved after clicking the Send button on the Comments tab or the Save button on the Recommendation tab. If similar problems are found on subsequent scans, all saved recommendations will automatically be added to such issues. This functionality is implemented in Maverix based on the issue correlation analysis.

 

 

Maverix tracks the history of issues. If a previously detected issue isn’t found during the next security scan, it automatically gets the "fixed" status.

Click the link to the AST tool in the Found by field on the right side of the Details tab. The AST tool login page appears. Enter your login and password to view and, if necessary, update the security issue in the AST tool. It’s not possible to update security issues directly in Maverix. If security issues have been updated in the AST tool, it’s necessary to import this update into Maverix. Click the Import issues image209.png button to import the updated issues.

Information on security issues can be exported as a report in XLSX (MS Excel) or PDF (Adobe Acrobat) formats. Open the security issues list, see above in this section. Click the Export Issues image201.png button in the upper right corner.

 

 

Select the required format (XLSX or PDF) from the drop-down menu and click the corresponding menu item. A confirmation message appears in the bottom right corner, and after a few seconds, the report file will be downloaded in the selected format.

Without going into the structure of the reports, it's worth noting that they contain links to vulnerabilities detected by Sonatype products (CVE id), as well as to non-vulnerable versions of libraries (Non-vulnerable versions), among other things.

 

 

If any filters are applied to the security issues list, they are taken into account when generating the report.

 

For example, if you need to generate a report containing security issues in descending order of severity, apply the Severity: filter: High to Low and generate the report.