The scan summary page of the application details section provides you with high-level information regarding the application you've submitted for analysis.
To the left, you'll see high-level details, including:
- The total number of findings for the application, including breakdowns of the findings' severity levels;
- How your findings total has changed since your last scan (if applicable), including whether you've resolved any issues, introduced new findings/regressions;
- How long it took preZero to scan your app;
- Whether your app is compliant with OWASP or PCI-DSS standards;
- The number of OSS packages leveraged by your app and the number of findings this practice introduces to your app.
To the right is a severity chart that visually displays the severity levels of the findings identified and the number of secrets and insights present in your application.
In addition to the severity chart, you can toggle over to the Metadata view, which provides insight into what Qwiet preZero looks at during each scan. As you read the graph from left to right, you'll move from seeing the types of findings identified by Qwiet preZero to the components that are a part of your application to seeing the findings identified as present in the individual components.
Metadata graph definitions
Application scan: The application that you submitted
Code: The code scanned by Qwiet
File: The number of source files scanned. When scanning compiled artifacts, the accuracy of this count may depend on the presence and accuracy of debug/source-map information.
Configuration: Files that have been scanned as configuration files
External: Files that contain at least one user-defined method
Internal: Files that contain no user-defined methods, including synthetic (i.e., fake) files like
Lines of Code: For each file with line number information and more than one method body, Qwiet takes the largest line number and sums it over the files present.
Method: Methods scanned
External: Built-in and library methods, as well as synthetic methods (i.e., those not present in the code, but implicitly exist in the type system).
If this list contains methods you consider to be scanned project code, please contact the Qwiet Customer Success team about blacklisting those methods.
Internal: Methods with bodies contained in the scanned user code.
If this list contains methods that should better be viewed as external library code (e.g., vendored dependencies), then please contact the Qwiet Customer Success team about blacklisting those methods.
Model: Statistics collected by Qwiet preZero demonstrating its understanding of inputs/outputs of the scanned code. You can use these statistics to verify that Qwiet understands vendored (external) libraries and frameworks used in your codebase.
If the statistics indicate that Qwiet preZero does not understand your code correctly, please reach out to the Qwiet Customer Success team; we will then generate a model (a.k.a. policy or annotations) of the libraries you're using.
HTTP Routes: Exposed HTTP routes
Sinks: Points where potentially tainted data leaves your program; Qwiet preZero tracks and evaluates dataflows from sources to sinks. This statistic counts the number of methods where this happens (this statistic is a summary on a per-method basis rather than a granular count). Sinks are further divided into additional categories, but because they are not mutually exclusive, the sums of individual categories may not add up to equal the total number of sinks
Exposed (Public API): Methods where the return value or an output parameter is a sink of potentially tainted data. These are typically public API functions exposed by your program
Expressions: Expressions within method bodies identified as sinks of taint (e.g., methods that can be used to write to global variables). This kind of sink is relatively rare.
HTTP Requests: Methods that send outgoing HTTP requests to a URL
HTTP Responses: Methods that send HTTP response data
Library Methods: Methods whose input parameters are sinks of taint. These are typically external library functions, as opposed to user code
Logging: Methods that log their inputs
SQL: Methods that perform SQL queries
Sources: Points where tainted data enters your program (or the Qwiet preZero scanning engine becomes aware that tainted data is present). This statistic counts the number of methods where this happens (this statistic is a summary on a per-method basis rather than a granular count). Sources are further divided into additional categories, but because they are not mutually exclusive, the sums of individual categories may not add up to equal the total number of sources
Attacker Controlled: Methods that process attacker-controlled data (and are not already counted above as an HTTP request)
Exposed (Public API): Methods where their input parameters are sources of taints. These are typically user-written code (as opposed to external library code) that are callable from the outside (e.g., HTTP handlers for applications or public API functions in cases where the user code is a library), but this also includes cases where Qwiet preZero attaches a taint to a method's input parameter for other reasons (e.g., various heuristics). The subcategories are not necessarily exhaustive or mutually exclusive, so the sums of individual categories do not necessarily add up to equal the total
Expressions: Expressions within method bodies identified as sources of taint. In these cases, the source is typically not the true source of the taint -- it is instead a point where Qwiet preZero noticed that data is tainted. For example, Qwiet may mark all access to specific fields of classes as tainted, even though the taint comes from a system call deep in a library
HTTP Data: Methods that work with HTTP source data. These can be HTTP handlers or middleware written by you or library methods that return information about an incoming HTTP request
Library Methods: Methods that return a tainted value (directly or through an out parameter). These are typically external library functions, as opposed to user code
Library Users: Library-style sources that return a tainted value (either directly or through an out parameter). These are typically external library functions, as opposed to user code
OSS: the open-source packages/libraries leveraged by your application
- Dependencies: Dependencies (including transitive dependencies) of your project. These are used by our SCA (software composition analysis) scanning for known CVEs. You can use this list to verify that Qwiet preZero has a correct understanding of your build configuration (Qwiet cannot report CVEs in your upstream if it doesn't understand your upstream)
Clicking Scan Details on the right of the summary page opens an informational tab useful for troubleshooting. It includes details like the
sl invocation used, the access token submitted, and more.
Near the bottom of the application details summary page is a series of boxes displaying additional insights into your application, including:
- The top 5 OSS packages used that introduce vulnerabilities;
- The top 5 vulnerability categories present in your application;
- The top 5 vulnerability references (i.e., CVE reference identifiers).