AppSec Vulnerabilities

This is the screen where users can drill down into the details of vulnerabilities discovered in the scans performed on the project, manually add new vulnerabilities, or take actions on vulnerabilities.

2497

All vulnerabilities identified in the project since the platform's inception are listed in this section.

Blue or grey circles to the left of each row in the table indicate whether the vulnerability has already been opened as an issue on the issue manager used in the organization.

If the circle is already blue, selecting these vulnerabilities is impossible when the "Assign Issue" bulk action is set in the top left corner.

When the circle is red, it means the issue is closed by the issue manager.

WOE/MTF (Window of Exposure / Mean Time to Fix) column displays the number of days passed since the first seen date of new and recurrent vulnerabilities. For closed vulnerabilities, it shows the number of days between the first seen date and the date they were closed on.

Additional details of the vulnerability can be seen by clicking on the page icon on each row's rightmost side. Details presented vary depending on the tool that has identified the vulnerability.

2494

If the user wants to assign issues for vulnerabilities manually, the Bulk Action menu to the upper left of the table is clicked, and "Assign Issue" is selected.

This action opens a new column to the left of the table where the user can select the vulnerabilities assigned to the same user on the issue manager.

Once the selection is made, you must click the "Assign Issue" button next to the Bulk Action menu.

Clicking on this button opens a new modal where the user can enter the username of the assignee and the description, which will appear on the issue manager.

Other actions available in Bulk are; closing manually imported vulnerabilities, assigning or removing endpoints to or from vulnerabilities, and marking vulnerabilities as they won't fix.

Marking multiple vulnerabilities as false-positive and removing the false-positive mark can also be achieved from the same Bulk Action menu.

First, False Positive needs to be selected under the Bulk Action menu. Then vulnerabilities whose status will be changed to/from false-positive should be checked, and the "False Positive" button needs to be clicked.

This opens a new modal where you can change the status of selected vulnerabilities to/from false positives.

Team Lead and Admin level users can mark vulnerabilities as false positives by entering false-positive descriptions without requiring approval.

Developer-level users can only send a false positive request which needs to be approved by their team leads or the admin.

Users can export the vulnerability table in CSV format by clicking on the export button at the top right corner of the page.