
Understanding Code Scan Findings

Title

The title of the finding.

Tags

Tags allow you to sort through your findings according to what kind of finding they are.

Tags in Code Scanner findings:

  • CVE

The CVE ID of the finding.

  • Subtype

The source the finding originated from. Findings come from one of the following.

  1. Dependency
    Code scanner findings that originated from the Dependency Checkers.
  2. Lint
    Code scanner findings that originated from the Linters.
  3. Security
    Code scanner findings that originated from our security-oriented linters.

  • Lang

The programming language the code is written in (see Supported Languages).

  • Type

The type of code scanner finding. Findings can be classified according to the following.

  1. Code Smell
    Findings detecting issues related to code quality which would impact the ease of code maintenance.
  2. Vulnerability
    Issues related to known security vulnerabilities.
  3. Bug
    Findings related to bugs that can alter or break the application’s functionality.

  • Name (Dependency Checker Only)

The name of the dependency implicated in the finding.

Severity Ranking

To assist in prioritizing remediation, Horangi provides a severity ranking based on the impact to an organization. The risk severity model is based on the Common Vulnerability Scoring System (CVSS) version 3 published by the National Vulnerability Database.

Severity: Critical

CVSS 3 Score: 9.0 - 10.0

Critical severity findings indicate that the discovered weakness requires immediate remediation and/or mitigation. Critical findings typically represent weaknesses that were leveraged to gain access to systems or data that commonly have financial or reputation loss factors attributed.

Severity: High

CVSS 3 Score: 7.0 - 8.9

High severity findings indicate that the discovered weakness is publicly disclosed and trivial to abuse. High findings typically represent weaknesses that were leveraged to gain privileged access to networks, systems, or applications.

Severity: Medium

CVSS 3 Score: 4.0 - 6.9

Medium severity findings indicate weaknesses that are likely to lead to compromise but that either require other attacks to be significantly impactful, result in only limited access, or require advanced knowledge and techniques to execute.

Severity: Low

CVSS 3 Score: 0.1 - 3.9

Low severity findings indicate weaknesses that are not directly exploitable. Low findings typically require a chain of weaknesses to exploit fully, disclose non-sensitive technical information, or do not lead to any additional compromise within an environment.

Severity: Informational

CVSS 3 Score: N/A

Informational severity findings are reserved for weaknesses that represent a deviation from best practice or a weakness that should be reviewed because it may expose other weaknesses or lead to future vulnerability. While these weaknesses don’t directly lead to compromise, they still represent potential risk and should be addressed.
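The severity bands above are what a triage script keys on when it sorts a scan's findings. The following is an added example (not Horangi's code or part of the Code Scanner) that maps a CVSS 3 score to the page's severity labels, handles the N/A case, and orders a constructed list of findings by urgency, optionally filtered by the Subtype or Type tags described earlier. The dict layout of a finding, the helper names, and the treatment of a 0.0 score (below the Low band, so reported as Informational) are assumptions of this example, as are the sample findings and the placeholder CVE id.

```python
"""Triage helper for Code Scanner findings.

Added example; not Horangi's code. Assumed (not on the original page):
findings are plain dicts with a "cvss" score (None when not applicable)
and a "tags" dict keyed by the tag names the page lists.
"""
from typing import Optional

# CVSS 3 bands exactly as the page defines them (lower bound inclusive).
SEVERITY_BANDS = [
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.1),
]

# Ordering used to sort findings most urgent first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def severity_for(cvss: Optional[float]) -> str:
    """Map a CVSS 3 base score to the page's severity label.

    A missing score (N/A) is Informational, as the page states. A score of
    0.0 falls below the Low band (0.1 - 3.9); treating it as Informational
    is an assumption of this example.
    """
    if cvss is None:
        return "Informational"
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS 3 score out of range: {cvss}")
    for label, lower in SEVERITY_BANDS:
        if cvss >= lower:
            return label
    return "Informational"


def triage(findings, subtype=None, ftype=None):
    """Attach a severity label to each finding, optionally keep only those
    whose Subtype / Type tag matches, and return them most urgent first
    (ties broken by raw score, then by original order)."""
    selected = []
    for finding in findings:
        tags = finding.get("tags", {})
        if subtype and tags.get("Subtype") != subtype:
            continue
        if ftype and tags.get("Type") != ftype:
            continue
        selected.append({**finding, "severity": severity_for(finding.get("cvss"))})
    selected.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -(f["cvss"] or 0.0)))
    return selected


def summarize(findings):
    """Count findings per severity label."""
    counts = {label: 0 for label in SEVERITY_ORDER}
    for finding in triage(findings):
        counts[finding["severity"]] += 1
    return counts


# Constructed sample findings for the demo. The CVE id is a placeholder,
# not a real advisory.
SAMPLE_FINDINGS = [
    {"title": "Outdated XML parser", "cvss": 9.8,
     "tags": {"CVE": "CVE-YYYY-NNNNN", "Subtype": "Dependency", "Lang": "Java",
              "Type": "Vulnerability", "Name": "example-xml-lib"}},
    {"title": "Hard-coded secret", "cvss": 7.0,
     "tags": {"Subtype": "Security", "Lang": "Python", "Type": "Vulnerability"}},
    {"title": "Unused variable", "cvss": None,
     "tags": {"Subtype": "Lint", "Lang": "Python", "Type": "Code Smell"}},
    {"title": "Null dereference", "cvss": 3.9,
     "tags": {"Subtype": "Lint", "Lang": "Go", "Type": "Bug"}},
    {"title": "Weak default config", "cvss": 0.0,
     "tags": {"Subtype": "Security", "Lang": "Go", "Type": "Code Smell"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FINDINGS):
        print(f"{finding['severity']:<13} {finding['title']}")
    print(summarize(SAMPLE_FINDINGS))
```

Because the band boundaries are inclusive on the low side, a score of exactly 7.0 is High and 8.9 is still High; checking those boundary values is the main thing to get right when reproducing this mapping in a pipeline that gates merges or tickets on severity.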

Description

The description is a brief explanation of what the finding is and how it works.

Non-Compliant Code

Code Scanner findings include samples of non-compliant code that illustrate the type of code the finding looks for.

Exceptions

Some Code Scanner findings have samples of exceptions that the scanner ignores.

Implication

The implication describes the impact the finding would have on the organization if it is not addressed.

Recommendation

The recommendation is a guide on how to remediate this particular finding.

Compliant Code

Code Scanner findings include samples of compliant code that illustrate how to remediate a certain finding.

Affected Targets

These are the repositories that have this particular finding.