Summary

The summary page of the application details section provides you with high-level information regarding the application you've submitted for analysis.

The scan history that features prominently provides insight into what ShiftLeft CORE looks at during each scan. As you read the graph from left to right, you'll move from seeing the types of findings identified by ShiftLeft CORE to the components that are a part of your application to seeing the findings identified as present in the individual components.

The ShiftLeft dashboard's Summary tab with scan metadata graph

In addition to the scan history graph, you can toggle over to a simplified graph using the line graph icon; this graph shows you the number of findings present in the current and previous scans:

The ShiftLeft dashboard's Summary tab with scan details graph

To the right of and below these graphs are graphical summaries by finding type (vulnerabilities, OSS vulnerabilities, container vulnerabilities, secrets, and insights). ShiftLeft also displays:

  • Severity levels (e.g., critical, high, medium, or low) for vulnerabilities, OSS vulnerabilities, and container vulnerabilities;
  • Reachability status for OSS and container vulnerabilities.

Metadata graph definitions

  • Application scan: the application that you submitted
    • Code: the code that's owned by your application (e.g., isn't a part of a third-party library or an associated container)
      • Files: the number of source files scanned. When scanning compiled artifacts, this may depend on the presence and accuracy of debug/source-map information.
      • Literals: the number of literal values that appear directly in the source code (e.g., a specific number, a character, or a string value)
      • Expressions: the total lines of code scanned in your application. This only counts lines that contain a CPG node: empty lines and lines containing only curly braces are not counted, and a multi-line literal counts as a single line. When scanning compiled artifacts, this may depend on debug/source-map information.
      • Methods: all of the methods in your application
        • External: methods not owned by your organization (e.g., libraries or language built-ins used by your project) that are directly referenced or called. Applications written in dynamic languages like Python or JavaScript may include methods in imported dependencies that are never called. If you bundle libraries with your project for scanning, you may need to contact the ShiftLeft customer success team to "blacklist" these libraries so that they're flagged as External libraries and not scanned.
          • Sanitization: External methods marked as encoding/escaping user input, or flagged as CHECK methods (see the sanitization function policy for implementation details)
          • Public API: External methods marked as FROM_OUTSIDE and DESCRIPTOR
        • Internal: methods owned by your organization where the code is available (e.g., org.apache.methodName is external, while io.yourOrg.methodName is internal). If you bundle libraries with your project for scanning, you may need to contact the ShiftLeft customer success team to "blacklist" these libraries so that they're flagged as External libraries and not scanned.
          • Public API: methods that are recognized as exposed via HTTP; these are methods inside your code that behave as entry points (e.g., route handlers)
          • Sanitization: internal methods marked as encoding/escaping their inputs, or flagged as CHECK. These must be declared in a custom policy; otherwise, ShiftLeft finds zero such methods.
      • Parameters: the number of parameters of all methods
        • Sensitive:
          • Location: location-related information
          • PII: personal identifiable information
          • Payment: payment-related information
          • Token: token values
    • OSS: the open-source packages/libraries leveraged by your application
      • Dependencies: the number of distinct dependencies detected

Additional insights

Near the bottom of the application details summary page is a series of boxes displaying Additional Insights:

  • The number of findings in each vulnerability category (e.g., 41 findings involving sensitive data usage);
  • The top vulnerable OSS packages used by your application and the number of vulnerabilities resulting from each package;
  • The top OSS vulnerability references (e.g., the number of times your application is affected by a specific CVE);
  • The number of findings assigned to users for further work (if any).

The bottom of the summary page showing additional insights information