Findings

The findings tab of the application details section allows you to see the results of a preZero scan. Currently, preZero identifies the following types of issues: vulnerabilities, OSS vulnerabilities, container findings, secrets, and insights.

Vulnerabilities

The Vulnerabilities tab allows you to see a full list of security vulnerabilities in your application.

For each finding, you'll see its:

• Finding ID
• Status (e.g., Fixed)
• Severity level (e.g., critical)
• Brief description, including vulnerability type and where it is found
• Tags (e.g., OWASP a1-injection or CVSS 9)

You can sort your list based on Finding ID or Severity level.

Qwiet the Noise

To help streamline the amount of information displayed, you can toggle on Qwiet the Noise, which filters for only critical and high severity vulnerabilities.

Filtering findings

You can filter the findings displayed by:

• Its severity level
• Its status
• The person the finding is assigned to
• CVSS Score
• Sink or Source Method
• OWASP Category
• CWE Category
• Category

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

• Data Flow: the data flow tab shows you the path from the source (which is the portion of the code that "allows" a vulnerability to occur) to the sink (where the vulnerability happens).

  For example, suppose the vulnerability is a command injection vulnerability. The source could be a function accepting user input, while the sink would be where a command execution occurs using the user input. The data flow is the path between these two spots in the code.

• Description: the description tab features an in-depth write-up of what the issue is and why it is a problem, as well as mitigation suggestions for securing your app.

• Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, Qwiet displays them in reverse chronological order.

Filtering by sources and sinks

Using the filter by sources/sinks feature available in the detailed findings tab, you can triage vulnerabilities faster and determine which findings your code fixes would affect.

For each source/sink identified by Qwiet, you'll see an option to Add as Filter.

When set, you'll notice that the vulnerabilities list updates to only include vulnerabilities that feature that same source/sink. If you were to patch that specific code portion, these would be the vulnerabilities affected by your code change.

Notice that the sources/sinks you're using as filters show up in the filters list; to remove, click the X to remove the source/sink from the filters list.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by Qwiet when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

• Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

  • Open: The default status value for a finding

  • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that Qwiet doesn't include the finding in the scan results

  • Ignored: Mark the finding as ignored so it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

  • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

    To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

    Note that you can change the status at a later date if needed.

• Assign to a team member the vulnerability for further research and work

• Get a link to issue that's specific to this finding that you can share with others

• Launch Security Training that's specific to this type of finding

To return to the summary view, click Minimize in the top-left.

OSS Vulnerabilities

The OSS Vulnerabilities tab lets you see a complete list of findings introduced to your application using OSS libraries and packages.

Summary information

At the top of the page is a row of summary information. This includes:

• Whether or not there are new results available. Qwiet continually checks your application and alerts you if there are new OSS vulnerabilities affecting your application discovered after you scanned your application (the timestamp displayed tells you the last time you submitted your app for analysis). If there are new findings, you should rescan your application to populate the results to the dashboard;
• The number of reachable findings, as well as the number of reachable findings for each severity level;
• The number of unreachable findings and the number of unreachable findings for each severity level.

For each finding in the complete list, you'll see the following:

• ID
• Status (e.g., Fixed)
• Severity level (e.g., critical)
• Reachability state
• The package name and version where the finding can be found
• Tags (e.g., OWASP a1-injection or CVSS 9)

Qwiet the Noise

To help streamline the amount of information displayed, you can toggle on Qwiet the Noise, which filters for only critical and high severity findings that are reachable and exploitable.

Filtering findings

You can filter the findings displayed by:

• Severity level
• Status
• The person the finding is assigned to
• Exploitability status (e.g., display only OSS findings that have known exploits or only findings that have no known exploits)
• CVSS Score
• EPSS Score
• Reachability status
• Package Url
• Package Component
• CWE Category
• Cve

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

• Description: the description tab features an in-depth write-up of what the issue is and why it is a problem, as well as mitigation suggestions for securing your app

• Data Flow: for reachable vulnerabilities, the data flow tab shows how an attacker could exploit the vulnerability introduced

• Exploits (Blacklight): the exploits tab includes up-to-date exploitability information on the vulnerability, including the:

  • Date reported

  • The source providing a proof of concept of the exploit

  • The availability of the exploit (e.g., public, private, or commercial)

    The Exploit Prediction Score System (EPSS) score shown for the vulnerability can help you determine the severity and priority of a given vulnerability. The EPSS score falls between 0 and 1, and we recommend focusing on findings with a high EPSS score and high CVSS score.

    

  • Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments, Qwiet displays them in reverse chronological order.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by Qwiet when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

• Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

  • Open: The default status value for a finding

  • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that Qwiet doesn't include the finding in the scan results

  • Ignored: Mark the finding as ignored so it doesn't reappear in scan results. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

  • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

    To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

    Note that you can change the status at a later date if needed.

• Assign to a team member the vulnerability for further research and work

• Get a link to issue that's specific to this finding that you can share with others

Click Minimize in the top-left to return to the summary view.

Container

The Container tab of the application details section lets you see a complete list of findings introduced to your application via its accompanying container.

Summary information

At the top of the page is a row of summary information. This includes:

• The number of reachable findings, as well as the number of reachable findings for each severity level;
• The number of unreachable findings and the number of unreachable findings for each severity level.

Below, you'll see a full finding list. For each finding in the list, you'll see:

• ID
• Status (e.g., Fixed)
• Severity level (e.g., critical)
• Reachability state
• The package name and version where the finding can be found
• Tags (e.g., CWE 190 or CVSS 7)

Qwiet the Noise

To help streamline the amount of information displayed, you can toggle on Qwiet the Noise, which filters for only critical and high severity findings that are reachable and exploitable.

Filtering findings

• Severity level
• Status
• The person the finding is assigned to
• Exploitability status (e.g., display only OSS findings that have known exploits or only findings that have no known exploits)
• CVSS Score
• EPSS Score
• Reachability status
• Package Url
• Package group
• Package Component
• CWE Category
• Cve

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

• Description: the description tab features an in-depth write-up of what the issue is and why it is a problem, as well as mitigation suggestions for securing your app

• Exploits (Blacklight): the Exploits section includes up-to-date exploitability information on the vulnerability, including the:

  • Date reported

  • The source providing a proof of concept of the exploit

  • The availability of the exploit (e.g., public, private, or commercial)

    The Exploit Prediction Score System (EPSS) score shown for the vulnerability can help you determine the severity and priority of a given vulnerability. The EPSS score falls between 0 and 1, and we recommend focusing on findings with a high EPSS score and high CVSS score.

    

• Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments, Qwiet displays them in reverse chronological order.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by Qwiet when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

• Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

  • Open: The default status value for a finding

  • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that Qwiet doesn't include the finding in the scan results

  • Ignored: Mark the finding as ignored so it doesn't reappear in scan results. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

  • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

    To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

    Note that you can change the status at a later date if needed.

• Assign to a team member the vulnerability for further research and work

• Get a link to issue that's specific to this finding that you can share with others

Click Minimize in the top-left to return to the summary view.

Secrets

The Secrets tab lets you see a complete list of secrets (or sensitive data) exposed by your application.

For each finding in the list, you'll see:

• Finding ID
• Status (e.g., Open)
• Severity level
• Brief description
• Tags (e.g., Entropy 0.34 or OWASP-a3-sensitive-data-exposure)

Filtering findings

You can filter the findings displayed by:

• Its severity level
• Its status
• The person the finding is assigned to
• CVSS Score
• Sink or Source Method
• OWASP Category
• Category

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

• Description: the description tab shows you the specific secret detected and where Qwiet preZero detected it in your code. This section includes a write-up of the issue and why it's a problem, as well as mitigation suggestions for securing your app

• Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, Qwiet displays them in reverse chronological order.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by Qwiet when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

• Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

  • Open: The default status value for a finding

  • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that Qwiet doesn't include the finding in the scan results

  • Ignored: Mark the finding as ignored so it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

  • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

    To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

    Note that you can change the status at a later date if needed.

• Assign to a team member the vulnerability for further research and work

• Get a link to issue that's specific to this finding that you can share with others

To return to the summary view, click Minimize in the top-left.

Insights

The Insights tab lets you see a complete list of insights present in your JavaScript application.

For each finding in the list, you'll see:

• Finding ID
• Status (e.g., Open)
• Severity level
• Brief description of the issue
• Tags (e.g., OWASP a1-injection or HTTP Header Injection)

Filtering findings

You can filter the findings displayed by:

• Its severity level
• Its status
• The person the finding is assigned to
• CVSS Score
• OWASP Category
• Category

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

• Description: the description tab shows you where Qwiet preZero detected the insight in your code and why it's a problem.

• Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, Qwiet displays them in reverse chronological order.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by Qwiet when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

• Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

  • Open: The default status value for a finding

  • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that Qwiet doesn't include the finding in the scan results

  • Ignored: Mark the finding as ignored so it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

  • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

    To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

    Note that you can change the status at a later date if needed.

• Assign to a team member the vulnerability for further research and work

• Get a link to issue that's specific to this finding that you can share with others

To return to the summary view, click Minimize in the top-left.