Static scan
understand how kyndryl enables you to protect your code from security vulnerabilities from the secure dashboard static application security testing (sast), also known as static code analysis, is a method used to analyze source code for potential security vulnerabilities without executing the code the static scan page provides vulnerability information from sonarqube, enabling development managers and security and compliance officers to assess the reliability and security of their applications the security rating widget features a donut chart that represents the security rating for all the projects based on the latest analysis scan date the rating is categorized into five scales a, b, c, d and e currently, three projects are synced with sonarqube and the latest scan indicates an a rating, signifying a high level of security captures information from all synced projects, and if any critical vulnerabilities are detected, they will be flagged in the vulnerability by severity widget selecting static scan will open the static scan dashboard displaying graphs that enables an in depth comprehension of the source code vulnerabilities detection, under the following criteria security rating docid 067iawestno9 iopmech1 vulnerability by severity docid 067iawestno9 iopmech1 top critical technical services and vulnerability density docid 067iawestno9 iopmech1 vulnerability density docid 067iawestno9 iopmech1 secure static scan details docid 067iawestno9 iopmech1 security rating the security rating widget features a security rating donut chart that represents security rating only for technical services with the latest analysis scan date the chart displays percentages for data based on the following ratings a rating green color b rating yellow color c rating orange color d rating red color e rating dark red color security rating is classified based on the following criteria a = 0 vulnerabilities b = at least 1 minor vulnerability c = at least 1 major vulnerability d = at least 1 critical vulnerability e = at least 1 blocker vulnerability note the total number of technical services in a given rating is shown by hovering over the chart vulnerability by severity the vulnerability by severity graph represents the total number of vulnerabilities aggregated according to day month timeline selection graph data supports selecting predetermined applications and dashboards from the drop down menu by default, it is for all applications and technical services and represents data for the last 7 days severities are classified according to their criticality critical dark red color high red color medium orange color low sky blue color info green color the vulnerability by severity widget provides details about any detected vulnerabilities by means of a bar graph that presents two axis, described as follows x axis ( duration ) the x axis corresponds to the months and dates from the period selected to show data each bar contains data for 1 month y axis ( total vulnerabilities ) the y axis corresponds to the number of vulnerabilities detected in the selected period by hovering over the bars in the graph, you can view data about the total number of vulnerabilities detected and the severity they belong to, as follows group the severity to which the vulnerabilities belong range the cut out date for the vulnerabilities detected value the total number of vulnerabilities detected by placing the cursor right above a bar, in alignment with the center of it, the following information is displayed range the cutout date for detected vulnerabilities critical total number of vulnerabilities detected and classified as critical severity high total number of vulnerabilities detected and classified as high severity medium total number of vulnerabilities detected and classified as medium severity low total number of vulnerabilities detected and classified as low severity info total number of vulnerabilities detected and classified as info severity total total number of vulnerabilities detected, including all severities top critical technical services and vulnerability density the top critical technical services widget is a top critical technical services chart that represents the top technical service listed according to its criticality vulnerability density is the cumulative vulnerability count per unit size of code the vulnerability density, technical services chart represents the top technical services listed according to their vulnerability density considers 1000 source lines as the unit code size the secure static scan details table view is located at the bottom of the dashboard that provides the latest successfully executed static scan analysis data in a tabular form and enables a detailed view of each technical service each row in the table displays information for a specific technical service, separated by columns of information type technical service the name of the micro technical service within the larger application application the name of the application, typically comprising multiple micro technical services vulnerabilities total number of open vulnerabilities critical total number of vulnerabilities classified as critical severity high total number of vulnerabilities classified as high severity secure engine the security source tool is configured security rating security rating from a to e analysis date the date the analysis was performed url vulnerabilities the url to the actual vulnerability information in the secure engine page note the static scan details table displays all data regarding the timeframe selected all the columns in this table can be sorted except the url vulnerabilities column above this table, you will find a search box that allows searching technical services by name and a settings icon that allows changing the table settings to show or hide pre selected columns toggel vulnerable services vs all services the static scan details table the details table helps the ciso identify which projects have the most vulnerabilities and provides a breakdown of these issues for example, you can sort by critical vulnerabilities to prioritize those sonarqube projects this makes it easy to understand where to focus first for a detailed analysis history, you can select a specific repository and view the scan history di presents the history of vulnerabilities reported for the project, sorted by the scan analysis date this provides a clear view of how the vulnerability rating has changed over time for a specific project the details table also supports detailed views for each technical service to access details for a specific technical service, select the overflow menu located to the far right of the table and select view details note technical services are a micro service that is analogous this is the most granular degree of granularity repos in travis are mapped only technical services with static scans in the last 6 months will be displayed the following elements are displayed in this dialog the title static scan detail plus the name of the technical service in question the summary, which shows the total number of open vulnerabilities and the security rating for the technical service two tabs that you can click on, with the option to toggle between ascending and descending alphanumeric order for most columns details and analysis history details clicking the details tab displays vulnerability details in a tabular form and provides the following details for the technical service component severity rule description effort line no status latest update date analysis history clicking the analysis history tab displays static scan history in a tabular form and provides the following details for the technical service security rating security rating from a to e vulnerabilities total number of open vulnerabilities for the technical service critical the total number of vulnerabilities detected and classified as critical severity high the total number of vulnerabilities detected and classified as high severity medium the total number of vulnerabilities detected and classified as medium severity low the total number of vulnerabilities detected and classified as low severity info the total number of vulnerabilities detected and classified as info severity scan analysis date the date when the scan analysis was completed note at the bottom of the table, you will find a selectable arrow below the bottom left corner of the table filters the number of items per page; 25, 50, and 100 are the available options a selectable arrow below the bottom right corner of the table enables navigation across pages of data (page 1 of 3, page 2 of 3, etc ) by default, the dashboard shows only services that contain vulnerabilities, which means not all services are displayed click the show all toggle to display all services for selected applictions, regardless of vulernability