The Vulnerabilities tab of the application details section allows you to see a full list of security vulnerabilities in your application.
For each finding, you'll see its:
- Severity level (e.g.,
- Brief description, including vulnerability type and where it is found
- Tags (e.g.,
- Status (e.g.,
- Assigned to information (i.e., the team member tasked with further work on this issue)
You can sort your list based on ID, Severity, Status, and assignment.
You can filter the findings displayed by:
- Its severity level
- Its status
- The person the finding is assigned to
There are also a variety of Advanced Filters that you can use (e.g., category, CVSS score).
Viewing detailed finding information
Clicking on a finding in your results list will open a new window pane on the right with detailed information.
Data Flow: the data flow tab shows you the path from the source (which is the portion of the code that "allows" a vulnerability to occur) to the sink (where the vulnerability happens).
For example, suppose the vulnerability is a command injection vulnerability. The source could be a function accepting user input, while the sink would be where a command execution occurs using the user input. The data flow is the path between these two spots in the code.
Description: the description tab features an in-depth write-up of what the issue is and why it is a problem, as well as mitigation suggestions for securing your app
Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, ShiftLeft displays them in reverse chronological order.
Filtering by sources and sinks
Using the filter by sources/sinks feature available in the detailed findings tab, you can triage vulnerabilities faster and determine which findings your code fixes would affect.
For each source/sink identified by ShiftLeft, you'll see an option to Add as Filter.
When set, you'll notice that the vulnerabilities list updates to only include vulnerabilities that feature that same source/sink. If you were to patch that specific code portion, these would be the vulnerabilities affected by your code change.
Notice that the sources/sinks you're using as filters show up in the filters list; to remove, click the X to remove the source/sink.
In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by ShiftLeft when you clicked on a specific finding.
The expanded details view features everything in the summary-level view, plus the ability to:
Set the status of the finding to reflect the work that's been done (e.g., set the status of the finding to Fixed if you've mitigated the issue)
Fixed: Mark the finding as fixed (note that setting this status does fix the finding) so that it will no longer be included in that specific set of scan results. Used to indicate that you've applied a remediation of some type.
Ignored: Mark the finding as ignored so that it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status
3rd Party: Mark the finding as 3rd party to indicate that the finding is in a third-party library; the finding can't be fixed at the moment, but it should be something they return to at a later date.
Note that status can be changed at a later date if needed.
Assign to a team member the vulnerability for further research and work
Get a link to issue that's specific to this finding that you can share with others
Launch Security Training that's specific to this type of finding
To return to the summary view, click Minimize in the top-left.