View your Dynamic Findings in the Mend AppSec Platform

Overview

This article will guide you through where and how to review the Applications and Projects with their Dynamic (DAST) findings, helping you measure the impact of each finding and take actions such as suppressing a finding.

Getting it done

View the Applications or Projects with Dynamic Findings

1. Log in to the Mend AppSec Platform.

2. Navigate to the Applications/Projects view in the top menu bar.

3. Ensure the Dynamic Scan engine is enabled.

4. Search or Select the Application/Project that you would like to view. You can sort by the number of Dynamic Findings and their criticality. You will be redirected to that application's summary page or project’s summary page.

Application/Project Summary View

The Application/Project Summary view provides a high-level overview and analytics of the Dynamic findings for all Projects associated with the Application.

The Findings section comprises three widgets: Total Findings, Total Findings by Scan Engine, and Total Findings by Severity.

• The Total Findings widget shows the total number of findings from all Projects within the current Application.

• The Total Findings by Scan Engine widget shows the total number of findings from all Projects within the current Application by each active scan engine within the current application. The different scan engines are assigned a color. The color key is on the bottom of the widget.

• The Total Findings by Severity widget shows the total number of findings from all Projects within the current Application by severity, Critical, High, Medium, or Low. The different severities are assigned a color. The color key is on the bottom of the widget.

View the Dynamic Findings list of your Project

Note: The Dynamic Findings view is only available at the Project level, not at the Application level.

When navigating to a Project, click Dynamic in the left panel to view the Dynamic findings list. In the view you can find all the findings, including the following information:

By default, the list is filtered to show only non-suppressed and confirmed items.

• Issue Name

• Severity

• URL Reference

• Status

• Confirmed/Unconfirmed - "Confirmed" refers to a vulnerability that Invicti has verified through additional validation steps, providing concrete evidence of its existence. This confirmation process enhances the reliability of scan results by minimizing false positives.
  When the issue's state is changed to Fixed (Unconfirmed), Invicti Enterprise will automatically scan for the fix within a few minutes. If the issue is fixed, the issue's state will be automatically changed to Confirmed.

• CWE IDs

Suppressing Findings

When a false-positive/acceptable risk is reported, it can be suppressed to prevent it from appearing in future results. This action can be coupled with a suppression reason, for tracking and future reference.

You can suppress a finding using either the Mend AppSec Platform or the Invicti Enterprise Portal. The integration supports both methods, and any changes will be reflected on both platforms:

Suppress a Dynamic finding via the Mend AppSec Platform

1. To suppress a finding within the findings details pane, click the Suppress button:

2. Next, select a Suppression reason and add descriptive Notes (Optional). Once done, click Suppress:

3. Once suppressed, a proper indication will be added to that specific finding:

Suppress a Dynamic finding via the Invicti Enterprise Portal

1. In the Issues view, select one or more findings you would like to suppress and click Edit:

2. Update the issue status to Accepted Risk or False Positive and click Save.