
Viewing the Scan Result

FortiDevSec presents the results of application vulnerability scanning in a dashboard that gives an overview of the scanned applications, categorizes the findings by the scanner that produced them, and shows the calculated risk rating indicators. You can view the details of the detected vulnerabilities per application. A sample application is generated in the GUI, and first-time users are guided by an interactive Intercom product tour to discover the product and its configuration.

The dashboard Summary panel gives an overview of the scanned applications: the applications grouped by their assigned risk rating, the number of findings to review, the number of applications not scanned in the current week, and the overall average risk rating of the scanned applications. The top 5 OWASP and SANS categories are displayed along with their vulnerability counts for the entire organization.

Viewing Scanned Applications

The application panel lists all the scanned applications with basic details. Consider this example screenshot from the dashboard.

You can analyze the following information specific to each application.

  • The number of vulnerabilities found by each scanner type; in this example, SAST found 763 vulnerabilities, DAST found 17, and SCA found 29. Click the legend for each scan type to view the findings categorized by severity.
  • The risk rating assigned by FortiDevSec for this application.
  • The total number of vulnerabilities detected.
  • The vulnerability counts for both OWASP and SANS categories.

Click on the application name or the number of vulnerabilities to view scan details.

Viewing Scanned Application Details

This panel displays the scanner types used, a breakdown of the number of vulnerabilities found by each scanner, and the associated risk rating. In this example, a total of 839 vulnerabilities are found and categorized by the scanner that detected them.

  • Click on the number of vulnerabilities for any scanner type to view the specifics.
  • You can filter the vulnerabilities based on OWASP and SANS categorization.
  • Click View All to view details of all vulnerabilities detected.

  • Modify Risk Rating - To modify the risk rating settings for the application on this page, click Set Rating Factors.
  • Plugins - To enable and configure JIRA integration with FortiDevSec, click Plugins.
  • Scan History - You can view the scan history of the application, including the scanner types used in each scan, the scan duration, the total number of vulnerabilities found, and the associated risk.

Hover over an entry to view CI/CD and build-related information.

Scan details are listed in the panel on the right side.

The displayed application-related data includes the number of files and lines of code scanned, the scanner types used, the App ID and organization ID, and the times when the application was added and last scanned. Click Scanner Config to download the fdevsec.yaml file.

  • Modify App ID - You can modify the application ID; the new ID is displayed in this Details panel immediately. Ensure that you update the modified application ID in any existing fdevsec.yaml file.
  • Deactivating/Deleting the Application - You can deactivate an application; its vulnerability findings can then still be viewed but no longer modified. You can delete an application (one that is not being scanned) from the dashboard only after deactivating it.

Viewing Vulnerabilities

All vulnerabilities are listed in this panel along with the associated source file name, the line number (SAST) or URL (DAST), and the assigned severity.

  • Active vulnerabilities are those currently present in your application. In this example, there are 339 active vulnerabilities.
  • For each scanner type, the number of Unique vulnerabilities is displayed. A unique vulnerability can have multiple instances but is counted only once here.
  • You can manually Sync the vulnerabilities from the JIRA plugin for each application.
  • To download the vulnerabilities in .csv format, click Export.

Modifying the Vulnerability Status

You can modify the status of each vulnerability individually or of all vulnerabilities at once: select Select Multiple and then set the status.

The following status types are supported.

  • New: This is a new vulnerability detected by the scan.
  • Confirmed: This is a real vulnerability and requires a fix.
  • In Review: This vulnerability is currently being reviewed for further action.
  • Reviewed: The review of this vulnerability is complete.
  • Reopened: This is a previously fixed vulnerability that is detected again in a rescan and needs to be addressed.
  • Fixed: This vulnerability is fixed and does not appear in the next scan result.
  • Risk Accepted: This vulnerability is an accepted risk and continues to exist without any potential damage.
  • False Positive: This finding is a potential flaw in the scanner or reflects a distinctive feature of the application.
  • Removed: This vulnerability is overlooked in the application.

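
The following is an added example, not FortiDevSec code, that models the behaviour described in the two lists above: the Unique versus instance counting of the Viewing Vulnerabilities panel and the status changes on rescan (an open finding that disappears becomes Fixed, a Fixed finding that reappears becomes Reopened). The record fields, the (scanner, rule, file) key and the set of triage statuses that survive a rescan are assumptions.

```python
"""Illustrative model of the finding lifecycle this page describes (added
example, not FortiDevSec code). Findings are keyed by (scanner, rule, file);
each reported line is one instance. Field names and the suppression set are assumptions."""
from collections import defaultdict

# Triage decisions assumed to survive a rescan unchanged.
TRIAGED_AWAY = {"Risk Accepted", "False Positive", "Removed"}

def unique_key(inst):
    """Several instances (lines) of one finding share a key and count once."""
    return (inst["scanner"], inst["rule"], inst["file"])

def reconcile(tracked, rescan):
    """Return {key: status} after a rescan, given the previous {key: status}."""
    present = {unique_key(i) for i in rescan}
    updated = {}
    for key, status in tracked.items():
        if key in present:
            # A finding marked Fixed that is detected again becomes Reopened.
            updated[key] = "Reopened" if status == "Fixed" else status
        elif status in TRIAGED_AWAY:
            updated[key] = status
        else:
            # An open finding that no longer appears is recorded as Fixed.
            updated[key] = "Fixed"
    for key in present - set(tracked):
        updated[key] = "New"
    return updated

def scanner_counts(statuses, rescan):
    """Per scanner: instances, unique findings, active (present, not triaged away)."""
    counts = defaultdict(lambda: {"instances": 0, "unique": 0, "active": 0})
    present = set()
    for inst in rescan:
        counts[inst["scanner"]]["instances"] += 1
        present.add(unique_key(inst))
    for key in present:
        counts[key[0]]["unique"] += 1
        if statuses.get(key) not in TRIAGED_AWAY:
            counts[key[0]]["active"] += 1
    return dict(counts)

# Constructed sample: last scan's tracked findings and the rescan's instances.
TRACKED = {("SAST", "sql-injection", "app/db.py"): "Fixed",
           ("SAST", "xss", "app/views.py"): "Confirmed",
           ("SAST", "hardcoded-password", "app/config.py"): "False Positive"}
RESCAN = [{"scanner": "SAST", "rule": "sql-injection", "file": "app/db.py", "line": 42},
          {"scanner": "SAST", "rule": "sql-injection", "file": "app/db.py", "line": 77},
          {"scanner": "SAST", "rule": "hardcoded-password", "file": "app/config.py", "line": 3},
          {"scanner": "SCA", "rule": "vulnerable-dependency", "file": "requirements.txt", "line": 12}]
```

With the constructed data, `reconcile(TRACKED, RESCAN)` reopens the SQL injection finding, marks the XSS finding Fixed, keeps the False Positive, and adds the SCA finding as New; `scanner_counts` then reports 3 SAST instances but only 2 unique and 1 active SAST findings.
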
Viewing Vulnerability Details

Click the vulnerability name to view all details associated with the finding. The following details are displayed.

  • The risk rating (severity) assigned by FortiDevSec.
  • The associated file and the line number where the vulnerability is found.
  • The issue description and the associated CWE (if any). Click the CWE link to view details.
  • The associated OWASP Top 10 or SANS Top 25 category.
  • The number of Similar Occurrences in which it is found; click each instance to expand it and view its details.
  • The history of the vulnerability, including the time of its first and last appearance.
  • The CI/CD and Build details.

Note: For the SECRET scanner, the Code field contains the following information:

  • Hash - The Git commit hash.
  • By - Details of the user who committed the change.
  • The last line of the Code field contains the commit message added by the user. If the Git commit message is longer than 200 characters, it is truncated.

Applying Filters

You can filter the displayed findings based on specific criteria. The following filters are available on the left-side panel of the vulnerabilities page.

  • Calculated Risk Rating - Filters by the assigned risk rating.
  • Status - Filters by status.
  • Category - Filters by the specific application.
  • Files - Filters by specific files.
  • Directory - Filters by specific directories.
  • OWASP Top 10 - Filters by the specific OWASP vulnerability category.
  • SANS Top 25 - Filters by the specific SANS vulnerability category.
  • Images - Filters by image files.
