
Review the top high-severity Custom-Code Security Findings within your organization

Overview

As Security Champion or AppSec manager, you will be reviewing the top Applications and Projects with high-severity custom-code security findings. You will want to drill down into them to review their summaries and findings, including their information, data flows / code, and suggested remediations.

Getting it done

Review the top Application with highest severity Custom-Code Security Findings

Beginning on the Mend Application Security Dashboard, ensure only the Code Scan engine is enabled.

  1. Click the Dependencies Scan engine to disable it if it isn’t already disabled.

By default, the Applications widget showing the Top 10 high-risk Applications by Total Findings is ranked by the total number of findings.

  1. Click the “H” in the red box on the Applications widget to rank by most high-severity findings.

If multiple applications are tied for the selected ranking order, they are listed alphabetically.

  1. Click the Application that has been sorted to the top with the most high-risk findings. You will be redirected to that application's summary page.

  2. Click Projects in the left pane or click the Projects widget in the Overview section to view the Projects associated with the Application.

Review the top Project within the Application with high-severity Custom-Code Security Findings

  1. Click the “H” in the red box on the Projects table to rank by most high-severity findings.

  2. Click the Project that has been sorted to the top with the most high-risk findings. You will be redirected to that project's summary page.

  3. Click Code in the left pane or the Total Findings by Scan Engine widget in the Findings section to view the latest code findings associated with the Project.

By default, the code findings are grouped by Language and Type and presented in a collapsed state.

  1. Click the Severity column's filter icon.

  2. Select High to restrict the findings table to only show the highest-risk findings.

Reviewing the high-risk findings

  1. Expand the findings.

  2. Click a high-risk finding to show the details of that finding on the right side of the screen.

The finding details window defaults to the Details tab. The top section of the finding details shows the Rating, Severity, and CWE for the finding, along with three action buttons.

If you don’t agree with the severity assigned to the finding, you can change it.

  1. Click the edit icon next to the severity rating to display a pop-up window with a dropdown list containing the different severity levels: High, Medium, and Low.

  2. Click the dropdown box to show the different severity levels.

  3. Select the new severity level.

  4. Click OK.

The three action buttons allow you to create a Jira issue, Suppress or Unsuppress the finding, and set the finding as Reviewed or Unreviewed. Hovering over each button will show you what that action does.

Note: Creating Jira Issues from within the Mend Platform requires you to have Mend's Jira Integration installed and configured.

The Description section of the Details tab briefly describes the finding and provides the path to the affected file within the Project, the line number for the affected line of code within the file, and a snippet of the code with the affected line highlighted. At the bottom of the Description section is a link to view the entire source code of the affected file in GitHub.

The Data Flows section of the Details tab lists each file in the project that the finding's data flow passes through. Each item in the Data Flows section also briefly describes the finding and provides the path to the affected file within the project, the line number for the affected line of code, and a snippet of the code with the affected line highlighted. The bottom of each item in the Data Flows section also has a link to view the entire source code of the affected file in GitHub.

The Remediations tab of the finding details window lists recommended ways to remediate the finding and provides resources for further reading related to the type of CWE found.

The Description tab of the finding details window provides a description of the CWE the finding matched to and a list of Violations related to the CWE.

The Comment tab of the finding details window allows you to comment on the finding.

To close the finding details window, click the “X” in the top right corner.
