Reduce the risk in your custom code with Mend SAST grouped findings
Overview
The Question: “SAST tools are known to provide large results containing non-actionable findings. How can I resolve my SAST findings quickly and efficiently using Mend?”
Mend’s Answer: With our grouped findings feature, we show you a common fix location to address all the related data flows at once, resolving multiple weaknesses in one action.
Within Mend SAST, data flows that share the same fix location (the same sink) are grouped together and presented as a single finding. This reduces the total number of findings and the noise that leads to alert fatigue among your developers. Grouped findings also reduce the time and effort spent remediating the reported weaknesses, because one fix at the shared sink resolves every data flow in the group.
If you have any questions on our grouped findings feature, reach out to your Mend account CSM or our Mend Customer Success Team.
Use Case
To understand grouped findings, it helps to know three terms: source, sink, and data flow.
The source is the location where untrusted data enters your application (for example, a request parameter, form field, or HTTP header).
The sink is the location where that untrusted data can cause harm, such as a call that executes a query; it is where the vulnerability manifests.
The data flow is the sequence of steps the untrusted data takes to travel from the source to the sink.
Let’s take a look at a real-life SQL Injection example, using the deliberately insecure application, WebGoat.
After scanning WebGoat with Mend SAST, the results appear in the Mend SAST Application. Let’s review the SQL Injection finding below, which is made up of 4 data flows:
Opening the details, we can inspect each data flow’s source and the steps the tainted input takes to reach its destination. For example, one of the data flows below has a source location of SqlInjectionLesson8.java.60 (file name followed by line number):
But what is the “destination” where this data can cause harm? With grouped findings, Mend SAST shows the precise sink location at which all of the grouped data flows end:
Remediating the sink, the executeQuery call, for example by replacing the concatenated query string with a prepared statement, addresses all 4 data flows at once:
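The following is an added example, not code from the page or from WebGoat, illustrating why one fix at the sink resolves every grouped data flow. WebGoat is Java and its sink is a JDBC executeQuery call; this Python analogue uses the standard-library sqlite3 module so it runs offline. The four source functions, the request dictionary, and the users table are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# Sink, before the fix: tainted text is concatenated into the SQL string.
# A SAST tool reports this single line as the sink of every data flow that
# reaches it, which is what Mend groups into one finding.
def lookup_vulnerable(conn, name):
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# Sink, after the fix: the value is bound as a parameter, so the database
# never interprets it as SQL. The Java equivalent is PreparedStatement
# with setString() instead of Statement.executeQuery(concatenated).
def lookup_safe(conn, name):
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Four hypothetical sources (entry points for untrusted input). Each one
# would appear as a separate data flow in the grouped finding.
def from_query_param(request):
    return request["query"]["name"]


def from_form_field(request):
    return request["form"]["user"]


def from_header(request):
    return request["headers"]["X-User"]


def from_path_segment(request):
    return request["path"].rsplit("/", 1)[-1]


SOURCES = [from_query_param, from_form_field, from_header, from_path_segment]


def run_all_flows(conn, request, sink):
    """Drive every source into the given sink; one result list per flow."""
    return [sink(conn, src(request)) for src in SOURCES]


def demo():
    """Run the four flows against both sinks with a classic injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    request = {
        "query": {"name": payload},
        "form": {"user": payload},
        "headers": {"X-User": payload},
        "path": "/users/" + payload,
    }
    # Every flow through the old sink dumps the whole table.
    vulnerable_results = run_all_flows(conn, request, lookup_vulnerable)
    # Fixing the shared sink once closes all four flows: no rows match.
    safe_results = run_all_flows(conn, request, lookup_safe)
    return vulnerable_results, safe_results


if __name__ == "__main__":
    vuln, safe = demo()
    for src, rows in zip(SOURCES, vuln):
        print(f"{src.__name__:18} vulnerable sink -> {len(rows)} rows")
    for src, rows in zip(SOURCES, safe):
        print(f"{src.__name__:18} fixed sink      -> {len(rows)} rows")
```

Because all four sources converge on the same line, the remediation effort is one change, not four; the grouped finding is a direct reflection of that graph shape. Note that the fix also preserves legitimate behaviour: looking up "alice" returns her row through either sink.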
Reference
What’s new with grouped findings
Mend SAST UI
Summary tab:
A “Data flows” count is now visible in the “Total Vulnerabilities” box. This corresponds to the total number of findings reported before this change, when each finding represented a single data flow:
Scans:
Applications:
Details tab:
Within the findings table, the “Data Flows” column is now visible and the “Source” column was removed:
Within each Details window, “Data Flows” are grouped by the sink location:
Mend Repo Integrations
Mend Code Security Check:
A “Data Flows” column and data flow information are now visible in the “Mend Code Security Check” New and Resolved findings sections:
New findings:
Resolved findings:
Code Security Report Issue:
A “Data Flows” column and data flow information are now visible in the “Code Security Report” Issue Most Relevant Findings section:
Mend CLI
The findings count in the final summary of a CLI SAST scan is lower than before, because data flows that share a sink are now grouped into a single finding.
Mend SAST API
Visit our Mend SAST API documentation for more information.
Mend SAST Reports
Technical Report Type: data flows are now grouped by sink location into a common finding:
Short Technical Report Type: the data flow count and data flow information are now included in each finding: