Reporting

The Reporting section of the ShiftLeft dashboard allows you to create and export reports featuring your applications' findings.

The ShiftLeft dashboard's reporting page

You can display information for just one of your applications or multiple applications simultaneously. To do so, click Select Applications and check the applications you want included in your report.

Setting the reporting dates

You can set the time frame for which you see data:

  • Choosing Weekly displays findings for the past four weeks
  • Choosing Monthly displays findings for the past twelve months
  • Choosing Quarterly displays findings for the past four quarters
  • Choosing Custom Date lets you specify the date range you're interested in

As you change your dates, you'll see the values for the data displayed change.

To switch from a custom date filter back to a default date filter, click Clear Custom Date.

Reporting data

The reporting home page displays:

  • Findings Trends, which shows how the number of findings for your applications changes over time;
  • Findings Summary, which shows the total number of findings, critical vulnerabilities, secrets, and security insights present in your applications, along with the percentage change in each of these measures during your selected time frame;
  • Findings by Severity, which shows the number of findings at each severity level;
  • a second Findings Trends panel, which breaks the trend down into new findings, common findings, and regressions, and shows the number of findings fixed over time.

Configure App Branches

Rather than including all of the data for a given application, you can choose to include only specific branches. For example, suppose your report covers App A and App B. You could include every branch scanned for App A but only two branches of App B, fix-1 and fix-2.

The ShiftLeft dashboard's configure app branch dialog

Export report

To export a copy of your data, click Export. You can choose to Export as PDF or to Export as HTML.

If you do not want to export all of your data, flip the Custom toggle to select the specific details you want to include in the report. Then, choose Export as PDF or Export as HTML.

Reporting on OSS vulnerabilities

The reporting section features an OSS Vulnerabilities tab, which allows you to create and export data on vulnerabilities introduced to your applications via OSS libraries and packages.

Selecting applications

You can display information for just one of your applications or multiple applications simultaneously. To do so, click Select Applications and check the applications you want included in your report.

Setting the reporting dates

You can set the time frame for which you see data:

  • Choosing Weekly displays findings for the past four weeks
  • Choosing Monthly displays findings for the past twelve months
  • Choosing Quarterly displays findings for the past four quarters
  • Choosing Custom Date lets you specify the date range you're interested in

As you change your dates, you'll see the values for the data displayed change.

To switch from a custom date filter back to a default date filter, click Clear Custom Date.

Viewing data

The OSS Vulnerability Trends chart provides a graphical view of how the number of OSS vulnerabilities has changed over the date range you selected. The top reachable issues in your selected applications are listed to the right of the graph.

A view of the reporting functionality for OSS vulnerabilities

Underneath the summary information is a full list of packages that introduce vulnerabilities. For each package, the list shows:

  • Its version number
  • Its type
  • The total number of CVEs associated with the package
  • The number of those CVEs that are reachable
  • When findings related to the package were first identified
  • The number of applications affected

A view of the OSS dependencies list

Configuring branches when viewing OSS vulnerabilities

Rather than including all of the data for a given application, you can choose to include only specific branches. For example, suppose your report covers App A and App B. You could include every branch scanned for App A but only two branches of App B, fix-1 and fix-2.

To do so, click Configure Branches in the top-right.
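The per-package table above and the branch configuration can be reproduced from raw per-finding records, which is useful when you want the same triage view outside the dashboard. The following is an added example, not ShiftLeft's own code or export format: the finding record layout (app, branch, package, version, type, CVE, reachability, first-seen date) is assumed, and the sample findings are constructed. The CVE-to-version pairings used in the sample come from the public advisories for those packages.

```python
"""Added example (not ShiftLeft code): aggregate per-finding OSS records into
one row per package/version, honouring a per-app branch allowlist."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    """One OSS vulnerability finding. Field layout is an assumption for this example."""
    app: str
    branch: str
    package: str
    version: str
    pkg_type: str      # ecosystem label, e.g. "maven" or "npm" (assumed)
    cve: str
    reachable: bool    # whether the scanner found a path to the vulnerable code
    first_seen: date


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("app-a", "main",  "org.apache.logging.log4j:log4j-core", "2.14.1", "maven",
            "CVE-2021-44228", True,  date(2021, 12, 10)),
    Finding("app-a", "main",  "org.apache.logging.log4j:log4j-core", "2.14.1", "maven",
            "CVE-2021-45046", False, date(2021, 12, 14)),
    Finding("app-b", "fix-1", "org.apache.logging.log4j:log4j-core", "2.14.1", "maven",
            "CVE-2021-44228", True,  date(2021, 12, 11)),
    Finding("app-b", "fix-2", "org.apache.logging.log4j:log4j-core", "2.14.1", "maven",
            "CVE-2021-44228", True,  date(2021, 12, 12)),
    Finding("app-b", "fix-1", "lodash", "4.17.15", "npm",
            "CVE-2020-8203", False, date(2022, 1, 5)),
]


def package_rows(findings: Iterable[Finding],
                 branches: Optional[Dict[str, Set[str]]] = None) -> List[dict]:
    """Build the package table: one row per (package, version).

    `branches` maps an app to the set of branches to include; an app that is
    absent from the mapping keeps every branch. This mirrors "all branches for
    App A, only fix-1 and fix-2 for App B".
    """
    allow = branches or {}
    groups: Dict[tuple, List[Finding]] = defaultdict(list)
    for f in findings:
        allowed = allow.get(f.app)
        if allowed is not None and f.branch not in allowed:
            continue
        groups[(f.package, f.version)].append(f)

    rows = []
    for (package, version), fs in groups.items():
        cves = {f.cve for f in fs}
        reachable = {f.cve for f in fs if f.reachable}
        rows.append({
            "package": package,
            "version": version,
            "type": fs[0].pkg_type,
            "total_cves": len(cves),
            "reachable_cves": len(reachable),
            "first_identified": min(f.first_seen for f in fs),
            "apps_affected": len({f.app for f in fs}),
        })
    # Reachable CVEs first, then total CVEs, so the list reads as a triage order.
    rows.sort(key=lambda r: (-r["reachable_cves"], -r["total_cves"], r["package"]))
    return rows


if __name__ == "__main__":
    # All branches of app-a, only fix-2 of app-b.
    for row in package_rows(SAMPLE_FINDINGS, branches={"app-b": {"fix-2"}}):
        print(row)
```

A CVE is counted once per package even when several apps or branches report it, and it is counted as reachable if any included app reports a reachable path to it; that is the count a practitioner should fix first.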

Dependencies

The reporting section features a Dependencies tab, which displays a list of the libraries, packages, and external tooling used by your org's apps.

In addition to showing each app and all of the dependencies on which it relies, the list also displays the CVE ID of each known issue, so you can look up further information about the vulnerabilities that come from using a particular dependency.

The provided search filter allows you to look for apps with specific dependencies or patterns (e.g., log4j).