Understand how Kyndryl enables you to protect your code from security vulnerabilities from the Secure dashboard.
Static Application Security Testing (SAST), also known as static code analysis, is a method used to analyze source code for potential security vulnerabilities without executing the code. The Static Scan page provides vulnerability information from SonarQube, enabling development managers and security and compliance officers to assess the reliability and security of their applications. The Security Rating widget features a donut chart that represents the security rating for all the projects based on the latest analysis scan date. The rating is categorized into five scales: A, B, C, D, and E. Currently, three projects are synced with SonarQube, and the latest scan indicates an A rating, signifying a high level of security.
DevOps Intelligence captures information from all synced projects, and if any critical vulnerabilities are detected, they will be flagged in the ‘Vulnerability by Severity’ widget.
Selecting Static scan opens the Static scan dashboard, which displays graphs that give an in-depth view of the vulnerabilities detected in the source code, under the following criteria:
The Security Rating widget features a Security Rating donut chart that represents the security rating only for technical services with the latest analysis scan date. The chart displays percentages for data based on the following ratings:
A Rating: Green color.
B Rating: Yellow color.
C Rating: Orange color.
D Rating: Red color.
E Rating: Dark red color.
Security rating is classified based on the following criteria:
A = 0 Vulnerabilities.
B = at least 1 Minor Vulnerability.
C = at least 1 Major Vulnerability.
D = at least 1 Critical Vulnerability.
E = at least 1 Blocker Vulnerability.
The total number of technical services in a given rating is shown by hovering over the chart.
Vulnerability by severity
The Vulnerability by severity graph represents the total number of vulnerabilities aggregated according to the selected day-month timeline. Graph data supports selecting predetermined Applications and Dashboards from the drop-down menu. By default, it covers all applications and technical services and represents data for the last 7 days.
Severities are classified according to their criticality:
Critical: Dark red color.
High: Red color.
Medium: Orange color.
Low: Sky blue color.
Info: Green color.
The Vulnerability by severity widget provides details about any detected vulnerabilities by means of a bar graph with two axes, described as follows:
X-Axis (Duration): The X-axis corresponds to the months and dates from the period selected to show data. Each bar contains data for 1 month.
Y-Axis (Total Vulnerabilities): The Y-axis corresponds to the number of vulnerabilities detected in the selected period.
By hovering over the bars in the graph, you can view data about the total number of vulnerabilities detected and the severity they belong to, as follows:
Group: The severity to which the vulnerabilities belong.
Range: The cut-off date for the vulnerabilities detected.
Value: The total number of vulnerabilities detected.
By placing the cursor right above a bar, in alignment with the center of it, the following information is displayed:
Range: The cut-off date for detected vulnerabilities.
Critical: Total number of vulnerabilities detected and classified as Critical severity.
High: Total number of vulnerabilities detected and classified as High severity.
Medium: Total number of vulnerabilities detected and classified as Medium severity.
Low: Total number of vulnerabilities detected and classified as Low severity.
Info: Total number of vulnerabilities detected and classified as Info severity.
Total: Total number of vulnerabilities detected, including all severities.
Top critical technical services and Vulnerability density
The Top Critical Technical Services widget is a chart that lists the top technical services ranked according to their criticality.
Vulnerability Density is the cumulative vulnerability count per unit size of code. The Vulnerability Density chart lists the top technical services ranked according to their vulnerability density. DevOps Intelligence considers 1000 source lines as the unit code size.
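The rating rules listed above (A for no vulnerabilities, E for at least one Blocker) and the density per 1000 source lines can both be computed from a list of findings. The following is an added illustration, not DevOps Intelligence or SonarQube code; it assumes findings carry a severity and a status, that only OPEN findings count, and that Info-level findings do not lower the rating.

```python
from collections import Counter
from dataclasses import dataclass

# Ratings as listed on this page, best to worst. Info findings are assumed not to lower the rating.
RATING_ORDER = "ABCDE"
SEVERITY_TO_RATING = {"Minor": "B", "Major": "C", "Critical": "D", "Blocker": "E"}
LINES_PER_UNIT = 1000  # DevOps Intelligence uses 1000 source lines as the unit code size


@dataclass
class Vulnerability:
    rule: str
    severity: str  # Blocker, Critical, Major, Minor or Info
    status: str    # "OPEN" counts; any other status is treated as closed


def open_vulns(vulns):
    return [v for v in vulns if v.status == "OPEN"]


def security_rating(vulns):
    """A when no open vulnerability is Minor or worse, otherwise the rating of the worst open one."""
    rating = "A"
    for v in open_vulns(vulns):
        candidate = SEVERITY_TO_RATING.get(v.severity, "A")
        if RATING_ORDER.index(candidate) > RATING_ORDER.index(rating):
            rating = candidate
    return rating


def vulnerability_density(vulns, source_lines):
    """Open vulnerabilities per 1000 source lines."""
    if source_lines <= 0:
        raise ValueError("source_lines must be positive")
    return len(open_vulns(vulns)) * LINES_PER_UNIT / source_lines


def rank_by_density(services):
    """services maps name -> (vulns, source_lines); returns (name, density) pairs, densest first."""
    ranked = [(name, vulnerability_density(v, n)) for name, (v, n) in services.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def rating_distribution(services):
    """Share of services per rating, as the donut chart shows it (percent, rounded)."""
    counts = Counter(security_rating(v) for v, _ in services.values())
    return {r: round(100 * counts[r] / len(services)) for r in RATING_ORDER if counts[r]}


# Constructed sample input (not real scan data): name -> (findings, source lines).
SAMPLE_SERVICES = {
    "payments-api": ([Vulnerability("hardcoded-credential", "Critical", "OPEN"),
                      Vulnerability("weak-hash", "Minor", "OPEN")], 4000),
    "billing-ui": ([Vulnerability("permissive-cors", "Major", "OPEN")], 1000),
    "inventory-svc": ([Vulnerability("command-injection", "Blocker", "RESOLVED"),
                       Vulnerability("todo-comment", "Info", "OPEN")], 12000),
}
```

Note that the resolved Blocker in inventory-svc does not affect its rating, while the single open Major in billing-ui gives it the highest density despite fewer findings than payments-api.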
Secure static scan details
The Secure Static scan details table, located at the bottom of the dashboard, provides the latest successfully executed Static Scan Analysis data in tabular form and enables a detailed view of each technical service. Each row in the table displays information for a specific technical service, separated into columns by information type:
Technical service: The name of the micro technical service within the larger application.
Application: The name of the application, typically comprising multiple micro technical services.
Vulnerabilities: Total number of open vulnerabilities.
Critical: Total number of vulnerabilities classified as Critical severity.
High: Total number of vulnerabilities classified as High severity.
Secure Engine: The security source tool that is configured.
Security Rating: Security rating from A to E.
Analysis Date: The date the analysis was performed.
URL Vulnerabilities: The URL to the actual vulnerability information in the Secure engine page.
The Static Scan details table displays all data for the selected timeframe. All the columns in this table can be sorted except the URL vulnerabilities column. Above this table, you will find a search box that allows searching technical services by name and a Settings icon that allows changing the table settings to show or hide pre-selected columns.
The static scan details table
The details table helps the CISO identify which projects have the most vulnerabilities and provides a breakdown of these issues. For example, you can sort by critical vulnerabilities to prioritize those SonarQube projects. This makes it easy to understand where to focus first.
For a detailed analysis history, you can select a specific repository and view the scan history. DI presents the history of vulnerabilities reported for the project, sorted by the scan analysis date. This provides a clear view of how the vulnerability rating has changed over time for a specific project.
The details table also supports detailed views for each technical service. To access details for a specific technical service, select the overflow menu located to the far right of the table and select View Details.
A technical service is analogous to a microservice and is the most granular level at which data is shown. Repositories in Travis are mapped to technical services. Only technical services with static scans in the last 6 months are displayed.
The following elements are displayed in this dialog:
The title Static scan detail plus the name of the technical service in question.
The Summary, which shows the total number of Open vulnerabilities and the Security rating for the technical service.
Two tabs that you can click on, with the option to toggle between ascending and descending alphanumeric order for most columns: Details and Analysis History.
Details: Clicking the Details tab displays Vulnerability details in tabular form and provides the following details for the technical service:
Component
Severity
Rule
Description
Effort
Line No.
Status
Latest update date
Analysis history: Clicking the Analysis history tab displays Static scan history in tabular form and provides the following details for the technical service:
Security rating: Security rating from A to E.
Vulnerabilities: Total number of open vulnerabilities for the technical service.
Critical: The total number of vulnerabilities detected and classified as Critical severity.
High: The total number of vulnerabilities detected and classified as High severity.
Medium: The total number of vulnerabilities detected and classified as Medium severity.
Low: The total number of vulnerabilities detected and classified as Low severity.
Info: The total number of vulnerabilities detected and classified as Info severity.
Scan analysis date: The date when the scan analysis was completed.
At the bottom of the table, you will find:
A selectable arrow below the bottom left corner of the table sets the number of items per page; 25, 50, and 100 are the available options.
A selectable arrow below the bottom right corner of the table enables navigation across pages of data (Page 1 of 3, Page 2 of 3, etc.).