SAST Overview

The SP360 Static Application Security Testing (SAST, sometimes also referred to as Static Code Analysis) Dashboard provides continuous monitoring capabilities for Vulnerability Management. It gives you deep insight into the Key Performance Indicators (KPIs) for the source code in your connected code repositories, and offers many filters to configure your view of that vulnerability data.

Whereas all the other dashboards get their vulnerability information from Qualys, the Static Code Analysis information provided on this dashboard leverages SonarQube, which returns not only vulnerability data, but also information about Bugs discovered in your code. This dashboard enables you to focus on the vulnerabilities and Bugs that are most important for your organization. In addition to illustrating the “current state” of vulnerabilities, it also adds significant insight into the historical “trending” so you can see the progress your organization is making in addressing any and all outstanding vulnerabilities.

Filtering Chart Content

For ease of use, options/buttons at the top of the dashboard can be used to filter the chart information. In addition, the last section of the dashboard (i.e., SAST list) allows you to include or exclude the Code Repositories that contribute to the Bug and Vulnerability data.

Options/Buttons and Descriptions

  Severity: From this drop-down you can select one or more severities of interest to alter the charts accordingly. The severity of each Bug or Vulnerability is classified as Urgent, Critical, Serious, Medium or Minimal. Hovering the cursor over the chart shows the breakdown of Bugs and Vulnerabilities.
  Bugs button: By clicking this button, you can filter (limit) the available information to only the Bugs found while performing the static code analysis. All the charts will be modified to show entries specific to Bugs.
  Vulnerabilities button: By clicking this button, you can filter (limit) all the available information to Vulnerabilities. All the charts will be modified to show entries specific to Vulnerabilities.
  Duration: Using this control, you can establish the time period the chart covers. The available options are 4 weeks, 3 months, 6 months or 1 year.
  Interval: Using this control, you can establish the period of time each data point represents. The available intervals are 1 week, 4 weeks, 3 months, 6 months or 1 year. The intent is to enable you to view the trending over the desired time periods; for example, month-over-month or quarter-over-quarter.
  Counts toggle: To view the Bug and Vulnerability counts for each interval in all the charts, you can use this toggle button, which removes the need to hover over the chart.

The SAST dashboard provides information for Bugs and Vulnerabilities in three sections:

  1. Vulnerabilities Trending History
  2. Current Vulnerabilities (i.e., current counts)
  3. Vulnerability Metrics

Vulnerabilities Trending History

Vulnerabilities Trending History (which is a collapsible section) provides you with an overall trending of Bugs, PBV and Vulnerability counts, so that you can observe the progress made over time. The data is represented in charts (as shown above) and segmented with a separate chart for:

  1. Total Number of Vulnerabilities
  2. New Vulnerabilities
  3. Reopened Vulnerabilities
  4. Fixed Vulnerabilities

Note: In the lower four Trending Charts, you will find two annotations. The annotation displayed on top shows the number of vulnerabilities (i.e., New, Reopened, Fixed or Ignored) discovered since the completion of the last Interval chosen, so it represents a partial Interval. It grows by a day, each day.

The annotation displayed on the bottom shows the vulnerabilities discovered for the last full Interval retroactively from today, such as 1-week, 4-weeks, and so on. This is a moving interval that changes each day. When selecting a 1-week Interval, both annotations are “drillable”, allowing you to see the corresponding vulnerabilities. For Intervals other than 1-week, only the second annotation is “drillable”.

Total Number of Vulnerabilities

The trending of all existing Bugs and Vulnerabilities (i.e., New, Reopened or Existing) and filtered according to the controls discussed above. Often organizations will be most interested in the highest severity issues and will limit the charts to only Urgent and Critical.

New Vulnerabilities

This chart provides you with insight into “new” Bugs and Vulnerabilities, meaning those that were discovered for the first time within the chosen interval. For example, if you chose an interval of one week, the chart will show how many new Bugs and Vulnerabilities were found for each complete week, for the entire chosen duration.

Reopened Vulnerabilities

This chart provides you with insight into “reopened” Bugs and Vulnerabilities, meaning those that were previously remediated, but re-discovered within the chosen interval. In general, “reopened” Bugs and Vulnerabilities should be rare.

Fixed Vulnerabilities

This chart provides you with insight into those Bugs and Vulnerabilities that were remediated within the chosen interval. Most organizations find this insightful and will correlate these numbers to their most recent development or IT efforts.
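The following Python, added here as an illustration and not SP360 or SonarQube code, computes the Total/New/Reopened/Fixed counts for each complete interval over the chosen duration, plus the two annotations described in the Note above (the partial interval since the last boundary and the moving last full interval ending today). The event model, the sample events and the Monday-aligned interval grid are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample events (not SP360/SonarQube data):
# (issue id, severity, event, date); event is "new", "fixed" or "reopened".
EVENTS = [
    ("V-1", "Critical", "new", date(2024, 1, 3)),
    ("V-1", "Critical", "fixed", date(2024, 1, 10)),
    ("V-1", "Critical", "reopened", date(2024, 1, 22)),
    ("V-2", "Urgent", "new", date(2024, 1, 9)),
    ("B-1", "Medium", "new", date(2024, 1, 16)),
    ("B-1", "Medium", "fixed", date(2024, 1, 24)),
    ("V-3", "Serious", "new", date(2024, 1, 31)),
]

def counts(events, start, end):
    """New/Reopened/Fixed events dated in [start, end), plus the Total still
    open at `end` (an issue whose last event before `end` is not "fixed")."""
    c = Counter(ev for _, _, ev, d in events if start <= d < end)
    last = {}
    for iid, _, ev, d in sorted(events, key=lambda e: e[3]):
        if d < end:
            last[iid] = ev
    total = sum(1 for ev in last.values() if ev != "fixed")
    return {"new": c["new"], "reopened": c["reopened"],
            "fixed": c["fixed"], "total": total}

def trend(events, today, interval_days=7, duration_days=28, severities=None):
    """Return (complete intervals oldest first, partial interval, moving
    interval). Assumed: intervals align to a Monday week grid; the partial
    interval runs from the last boundary to today (top annotation) and the
    moving interval is the last `interval_days` ending today (bottom one)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if severities:  # same effect as the Severity drop-down
        events = [e for e in events if e[1] in severities]
    step = timedelta(days=interval_days)
    tomorrow = today + timedelta(days=1)
    anchor = today - timedelta(days=today.weekday())  # start of current interval
    intervals = []
    for k in range(duration_days // interval_days, 0, -1):
        start, end = anchor - k * step, anchor - (k - 1) * step
        intervals.append((start.isoformat(), counts(events, start, end)))
    partial = counts(events, anchor, tomorrow)
    moving = counts(events, tomorrow - step, tomorrow)
    return intervals, partial, moving

if __name__ == "__main__":
    ivs, partial, moving = trend(EVENTS, "2024-02-01", severities={"Urgent", "Critical"})
    for start, c in ivs:
        print(start, c)
    print("partial:", partial, "last 7 days:", moving)
```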

Current Vulnerabilities

Current Vulnerabilities (which is a collapsible section) provides you with charts that show the current Bugs and Vulnerability counts in the following categories:

  1. By Severity – which allows you to quickly focus on the most severe Bugs and Vulnerabilities.
  2. By Status – to easily discern the current Bugs and Vulnerabilities by their status.
  3. Group by Issue – a grouping chart that shows your Bugs and Vulnerabilities in groups, so you can easily see which types of each are most common; addressing the underlying root cause of a group can enable you to fix multiple vulnerabilities at a time.

For the By Severity and By Status bar charts, the counts are presented by three bars: in total, and then broken out by Bugs and Vulnerabilities. If you opt for just one of Bugs or Vulnerabilities, the chart is reduced to a single bar for each category.

By default, these counts are represented as bar charts. If you prefer to see the counts expressed as percentages and in a pie chart format, click the action icon to the right of the Current Vulnerabilities heading, as shown below.

By clicking the action icon in the upper-right corner of those charts, you can view a pop-up (shown below) that lists all groups (not just the Top 10) and provides additional information. The action icon allows you to see each Bug or Vulnerability for the group.

Vulnerability Metrics

Vulnerability Metrics (which is a collapsible section and is collapsed by default) provides insights into how long your open Bugs and Vulnerabilities have been open, and how long it took to close them. Often organizations have Service Level Agreements (SLAs) that commit them to addressing issues within a given timeframe, and this information helps you understand how well you are adhering to your SLAs.

The Bug and Vulnerability Metrics are presented in one of two formats that can be toggled by clicking the action icon on the upper-right hand portion of this section. By default, the Severity-based format is shown, which contains the following two bar charts.

Days (Average Time Open)

This bar chart shows the total number of open Bugs and Vulnerabilities (upper right notation) and the average number of days (upper left notation) that each severity of Bugs and Vulnerabilities have been open. Hovering over the chart will also show how many Bugs and Vulnerabilities were considered for the metric calculations.

Days (Average Time to Closure)

This bar chart shows the number of Bugs and Vulnerabilities closed in the specified time frame (upper right notation) and the average number of days (upper left notation) the Bugs and Vulnerabilities were open before being closed.

Clicking on the action icon to the far right of the Vulnerability Metrics header displays a “Timeband” label, and breaks down the number of Bugs and Vulnerabilities by ranges of days, for example, those open less than three days, or between three and seven days. This data is presented in pie chart format.

Notice that the action icon used to toggle between Severity-based and Timeband-based formats changes.
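As an added worked example (not SP360 code), the Python below computes the three metrics this section describes from a constructed issue list: open count and average days open per severity, count and average days to closure for issues closed in a time frame, and the Timeband buckets. The issue record layout, the sample issues and the day ranges beyond the two the page names are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample issues (not SP360/SonarQube data):
# (issue id, kind, severity, opened, closed or None if still open).
ISSUES = [
    ("V-1", "Vulnerability", "Critical", date(2024, 1, 3), None),
    ("V-2", "Vulnerability", "Urgent", date(2024, 1, 20), None),
    ("V-4", "Vulnerability", "Medium", date(2024, 1, 27), None),
    ("B-3", "Bug", "Minimal", date(2024, 1, 31), None),
    ("B-1", "Bug", "Medium", date(2024, 1, 10), date(2024, 1, 12)),
    ("B-2", "Bug", "Critical", date(2024, 1, 5), date(2024, 1, 25)),
    ("V-3", "Vulnerability", "Serious", date(2023, 12, 1), date(2024, 1, 30)),
]
BOTH = ("Bug", "Vulnerability")
# Assumed day ranges for the Timeband view; the page names only the first two.
TIMEBANDS = [("< 3 days", 0, 3), ("3-7 days", 3, 7),
             ("7-30 days", 7, 30), ("30+ days", 30, None)]

def _d(x):
    return date.fromisoformat(x) if isinstance(x, str) else x

def average_time_open(issues, today, kinds=BOTH):
    """Per severity: (open count, mean days open as of `today`), i.e. the
    upper-right and upper-left notations of Days (Average Time Open)."""
    today, ages = _d(today), defaultdict(list)
    for _, kind, sev, opened, closed in issues:
        if closed is None and kind in kinds:
            ages[sev].append((today - opened).days)
    return {sev: (len(a), sum(a) / len(a)) for sev, a in ages.items()}

def average_time_to_closure(issues, start, end, kinds=BOTH):
    """(count, mean days open before closure) for issues closed in
    [start, end] inclusive, i.e. the Days (Average Time to Closure) chart."""
    start, end = _d(start), _d(end)
    spans = [(closed - opened).days for _, kind, _, opened, closed in issues
             if closed is not None and start <= closed <= end and kind in kinds]
    return (len(spans), sum(spans) / len(spans)) if spans else (0, 0.0)

def timeband(issues, today, kinds=BOTH):
    """Open issues bucketed by age band (the Timeband pie chart)."""
    today, bands = _d(today), {label: 0 for label, _, _ in TIMEBANDS}
    for _, kind, _, opened, closed in issues:
        if closed is not None or kind not in kinds:
            continue
        age = (today - opened).days
        for label, lo, hi in TIMEBANDS:
            if lo <= age and (hi is None or age < hi):
                bands[label] += 1
                break
    return bands

if __name__ == "__main__":
    print(average_time_open(ISSUES, "2024-02-01"))
    print(average_time_to_closure(ISSUES, "2024-01-01", "2024-01-31", kinds=("Bug",)))
```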

SAST (Asset) List

This section of the dashboard lists all the established Accounts, their associated source code repositories, and branches. To better understand the operational details, let's break down the key features this sub-section offers.

The upper left corner has the following two tabs: “Repositories” and “Accounts”, as shown and explained below.

SAST (Accounts)

The "Accounts" tab contains two sections:

  1. New Integration - This section allows users to connect/integrate new or existing accounts for the supported repository platforms. SP360 currently supports the four most commonly used cloud-based repositories, i.e., Azure DevOps, GitHub, GitLab, and Bitbucket.

    Clicking on any of the buttons associated with each of these cloud-based repositories will result in a pop-up window that allows users to either connect to additional repositories associated with an already integrated account, or connect/integrate to a new account (and then presumably connect repositories associated with that account for vulnerability scanning), as shown below.

    Note: While the user interface within SP360 is identical for all supported cloud-based repositories, the prerequisite authorizations that need to be established vary from repository to repository. Once the required prerequisites are established, the steps required to connect to and scan any cloud-based repository are the same. Describing how to establish these prerequisite authorizations within each repository is outside the scope of this help facility; however, the table below summarizes the requirements.

    Required Permissions (by repository platform)

    Azure DevOps: any ONE of these permissions will suffice:
      • Project Collection Administrator
      • Project Collection Build Administrator
      • Project Administrator

    BitBucket: all THREE permissions are required:
      • Admin
      • Write
      • Read

    GitHub: Admin

    GitLab: any ONE of these permissions will suffice:
      • Owner
      • Reporter
      • Developer
      • Maintainer

    Best Practice: It is preferred, though not required, that the Repository Account Owner connect to the repository.

    The process flow diagram below explains the prerequisites that the user needs to establish to connect to and scan any cloud-based repository.

  2. Integrated Accounts - Provides users a snapshot summary of the already connected/integrated accounts.

    The upper left-hand corner in the “Integrated Accounts” section contains a blue box that reflects the number of accounts currently integrated.

    The SAST (Accounts) grid includes the following fields by default; however, users can customize the grid to add, remove, or re-arrange fields to meet their needs by clicking the action icon, explained here.

    Column Headers and Definitions

    ACCOUNT: “Full” name of the connected Account. Includes Repo Icon, Type, and Name.
    REPOSITORIES: Number of Repositories connected using this Account. This is a drillable field.
    CONNECTED BY: SP360 user that established the connection to the Repo Account.
    ACCOUNT OWNER: Person that owns the Repo Account. Often the same as “Connected By”, but not necessarily.
    UPDATED AT: Last time an action was taken (e.g. connect or deactivate) that affected the status of the Account.
    ACTIONS: The available Action Icons for Accounts (explained in the table below).

    To learn more about the optional fields that users can add, remove, or re-arrange in the SAST (Accounts) grid, click here.

    Action Icons

    Action Icons and Descriptions

    Activate/deactivate toggle: By clicking this toggle button, users can activate/deactivate scanning of all repositories associated with that account. When this action is taken, the row with the impacted account will be highlighted in pale yellow, and on the Repositories tab, all impacted repositories will also be highlighted in pale yellow.

    Add repositories: Clicking on this action icon for an already integrated account results in a pop-up window for users to add repositories for that account.

    To explain the process of adding repositories/branches, let’s consider the example below.

    Step 1: Clicking on the corresponding action icon for a GitHub-based DemoClient-SP360 account results in the following pop-up window which lists all available repositories.

    Step 2: Select the desired repositories by checking off the corresponding boxes in the first column. Users can choose multiple repositories, as needed.

    Step 3: For each selected repository, users are required to select the desired “Available Branches” from the drop-down, as shown below. This field also offers users a multi-select option.

    Step 4: Once the desired branches are selected, clicking on the corresponding button will complete the process and add the selected repositories/branches to the SAST Account grid.

    To view the account details for a specified account, users can click this button. The account details are displayed in a pop-up window, as shown below.

    At the bottom right of the Details page is a button that provides you with an alternate way to deactivate the SAST. This will stop the scanning of the repository, until it is re-activated.

SAST (Repositories)

The “Repositories” tab lists all repositories and/or branches currently connected. SP360 will scan these repositories and/or branches looking for bugs and vulnerabilities, as shown below.

The upper left-hand corner on the “Repositories” tab contains a blue box that reflects the number of repositories currently connected.

Filtering Options and Action Icons

The upper right-hand corner on the “Repositories” tab offers three dropdown filters. These allow you to select which repositories to display based on the following attributes.

Filtering Options and Definitions

  By Repository Type: This filter allows you to select repositories based on the cloud-based repository type. Available options are:
    • Azure DevOps
    • GitHub
    • GitLab
    • Bitbucket
  By Account: This filter allows you to select repositories based on the account(s) they are associated with. The pull-down shows all currently connected/integrated accounts.
  By State: This filter allows you to select repositories based on their current state. Available options are:
    • Active – Repository is in a connected and active state, that is, there are no problems or errors.
    • Inactive – Repository is inactive, either because the user deactivated it at the repository level or deactivated the account (and therefore all associated repositories).
    • Error – Repository is in some error state. When available, SP360 includes more details about the error in the hover text.
    • Disconnected – Repository appears disconnected, that is, it cannot be reached by SP360 or SonarQube.

The SAST (Repositories) grid includes the following fields by default; however, users can customize the grid to add, remove, or re-arrange fields to meet their needs by clicking the action icon, explained here.

Column Headers and Definitions

REPOSITORY/BRANCH: “Full” name of the Repository. Includes Repository Icon, Repository Name, Repository Branch, and a tool tip indicator, if applicable.

  Tool Tip Scenarios
  • If a given Repository/Branch is designated by an amber triangle icon, it indicates that there are some languages in the Repository/Branch that cannot be scanned by SP360 because one or more of the languages they contain are not supported. Hovering the cursor over the amber triangle icon displays the specific languages that could and could not be scanned.
  • Additionally, it may be the case that a Repository/Branch cannot be scanned by SP360 because a prerequisite build step cannot be successfully completed. These prerequisite steps are needed for Java and C# programs. This is indicated by a red triangle icon, and clicking the icon displays a pop-up that delineates the errors.

ACCOUNT: Account used to connect the Repository.
REPOSITORY STATUS: Current status of the Repository. Includes the following states: Connected, Sync Completed, and Deactivated.
VULN: The number of currently existing Vulnerabilities for the selected Branch. This is a drillable field.
BUGS: The number of currently existing Bugs for the selected Branch. This is a drillable field.
CODE UPDATED AT: Last time code changes were submitted to the Repository/Branch.
LAST SCANNED AT: Last time the Repository/Branch was scanned by SonarQube.
ACTIONS: The available Action Icons (explained in the table below).

To learn more about the optional fields that users can add, remove, or re-arrange in the SAST (Repositories) grid, click here.

Action Icons

Action Icons and Descriptions

  Activate/deactivate toggle: By clicking this toggle button, users can activate/deactivate scanning of all repositories.
  Manual scan: Users can initiate a manual scan for the selected repository/branch by clicking this action icon. Typically, SP360 will scan a repository whenever changes are submitted (on a two-hour cycle), so manual scans should not be required often. The typical scenario is that a problem fix was attempted and the user wants immediate feedback on whether the fix worked.
  View vulnerabilities: By clicking this action icon, users can view vulnerabilities associated with the selected Repository/Branch. This functionality is also available by clicking the linked value in the Vulnerabilities column.
  View bugs: This action icon displays bugs associated with the selected repository/branch. This functionality is also available by clicking the linked value in the Bugs column.

To view the account details for a specified account, users can click this button. The account details are displayed in a pop-up window, as shown below.

At the bottom right of the Details page is a button that provides you with an alternate way to deactivate the SAST. This will stop the scanning of the repository, until it is re-activated.