Understand the scanner output | Fluid Attacks Help

Fluid Attacks' standalone scanner provides varying levels of detail in its output, depending on the chosen format. This page provides a detailed explanation of each field present in the standalone scanner output.

The CLI snippets and CSV files are recommended, as these formats provide concise and actionable information for understanding and mitigating risks in your code, ports or inputs. The SARIF (Static Analysis Results Interchange Format) output, on the other hand, is more comprehensive and geared towards integration with other security tools and workflows, so it may be more suitable if you need to share vulnerability data with external parties. While it contains extensive data, it is not as readily interpretable as the former options. Thus, the SARIF output is not explained in detail in this guide.

Scanner default output

Regardless of your chosen output format, the CLI vulnerability report includes information on the scan context at the beginning and a summary at the end.

Scan context

[INFO] Official Documentation: https://help.fluidattacks.com/portal/en/kb/find-security-vulnerabilities/use-the-cli
[INFO] Namespace: namespace
[INFO] info HEAD is now at: 7d140e5fdba3bf3cefb4ba7b0d0ab139e1942152
[INFO] Startup work dir is: /any/universe
[INFO] Moving work dir to: /any/universe
[INFO] Files to be tested: 1
[INFO] Analyzing path 1 of 1: /test/data/lib_root/f052/java_cipher_jmqi.java

The CLI output begins with the following information:

  1. A link to the official standalone scanner documentation for comprehensive guidance and troubleshooting
  2. Key information about the current scan:
    1. Namespace
    2. Commit
    3. Start directory
    4. Working directory
    5. Total number of files to be scanned
  3. For each target file or endpoint, a line indicating the commencement of the scan

Scan summary

[INFO] Summary: 1 vulnerabilities were found in your targets.

Upon scan completion, the CLI displays a summary that includes the total number of vulnerabilities identified.

Vulnerability report on the CLI

This is what the standalone scanner output looks like when it finds a vulnerability in the target of evaluation (ToE):

[INFO] 052. Insecure encryption algorithm: namespace//any/test/data/lib_root/f052/java_cipher_jmqi.java found by SAST module.

1 | import com.ibm.mq.*;
2 | import com.ibm.mq.jmqi.JmqiUtils;
3 | import org.apache.log4j.Logger;
4 |
5 | class Test {
6 |
7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
8 |
9 | public void insecure() {
> 10 | JmqiUtils.toCipherSuite(cipherSuite);
11 | }
12 |
13 | public void secure() {
14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256";
15 | JmqiUtils.toCipherSuite(safeSuite);
16 | }
17 |
18 | }
^ Col 0
CWE-310 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A
More information in: https://help.fluidattacks.com/portal/en/kb/articles/criteria-vulnerabilities-052

How to read the report

In the first line, the scanner provides the name of the type of vulnerability, which is a category that, according to Fluid Attacks' classification, best suits the detected security issue. Right after it, the line includes the vulnerability location, which is presented in the following format:

<namespace_of_execution>/<path_to_file>

After the location comes information on the testing technique used to find the vulnerability (in the example, the SAST module).

In the following lines, the scanner prints a code snippet with a pointer (>) marking the exact line where the problem is. In the above example, the insecure encryption algorithm is on line 10.

1 | import com.ibm.mq.*;
2 | import com.ibm.mq.jmqi.JmqiUtils;
3 | import org.apache.log4j.Logger;
4 |
5 | class Test {
6 |
7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
8 |
9 | public void insecure() {
> 10 | JmqiUtils.toCipherSuite(cipherSuite);
11 | }
12 |
13 | public void secure() {
14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256";
15 | JmqiUtils.toCipherSuite(safeSuite);
16 | }
17 |
18 | }
^ Col 0

After the code snippet, the output displays the corresponding Common Weakness Enumeration (CWE) identifier and the Common Vulnerability Scoring System (CVSS) vector strings (v3.1 and v4.0). For the example finding of an insecure encryption algorithm, this is the corresponding line:

CWE-310 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A

Note on CWE and CVSS
Although a single vulnerability could be associated with multiple CWEs, only one CVSS score (v3.1 and v4.0) is shown, which corresponds to the type of vulnerability assigned by Fluid Attacks.

Finally, a link to documentation about the security issue is provided. The documentation page includes the possible impact of exploiting the type of vulnerability, an estimate of the time needed to remediate it, and links to fix recommendations, among other information. In the above example, this is the line giving that information:

More information in: https://help.fluidattacks.com/portal/en/kb/articles/criteria-vulnerabilities-052
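As an added example (not code from the Fluid Attacks scanner or its documentation), the following Python parses one CLI finding block like the one above into structured fields: the header line, the line marked with the pointer, the CWE, both CVSS vectors and the documentation link. The embedded block is a constructed, abbreviated copy of the page's example, and the regular expression assumes the header layout described in this section.

```python
import re

# Constructed sample (snippet abbreviated) mirroring the CLI finding block shown on this page.
CLI_REPORT = """\
[INFO] 052. Insecure encryption algorithm: namespace//any/test/data/lib_root/f052/java_cipher_jmqi.java found by SAST module.

7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
9 | public void insecure() {
> 10 | JmqiUtils.toCipherSuite(cipherSuite);
11 | }
^ Col 0
CWE-310 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A
More information in: https://help.fluidattacks.com/portal/en/kb/articles/criteria-vulnerabilities-052
"""

# Header line layout: "[INFO] <id>. <title>: <namespace>/<path> found by <module> module."
HEADER_RE = re.compile(
    r"^\[INFO\] (?P<id>\d{3})\. (?P<title>.+?): (?P<namespace>[^/]+)/(?P<path>\S+) "
    r"found by (?P<module>\w+) module\.$"
)


def parse_cvss_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:A/AC:H/...' into {'version': '3.1', 'AV': 'A', 'AC': 'H', ...}."""
    head, *metrics = vector.split("/")
    parsed = {"version": head.split(":", 1)[1]}
    for metric in metrics:
        key, value = metric.split(":", 1)
        parsed[key] = value
    return parsed


def parse_finding(report: str) -> dict:
    """Turn one CLI finding block into a dict of its fields (id, path, line, CWE, CVSS, docs)."""
    lines = report.strip().splitlines()
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("not a scanner finding header: " + lines[0])
    finding = header.groupdict()
    for line in lines[1:]:
        if line.startswith("> "):
            # The '>' pointer marks the flagged line; its number precedes ' |'.
            finding["line"] = int(line[2:].split(" |", 1)[0])
        elif line.startswith("CWE-"):
            # 'CWE-310 - CVSS:3.1/... - CVSS:4.0/...': weakness id plus both vector strings.
            cwe, v31, v40 = (part.strip() for part in line.split(" - "))
            finding.update(cwe=cwe, cvss31=parse_cvss_vector(v31), cvss40=parse_cvss_vector(v40))
        elif line.startswith("More information in: "):
            finding["docs"] = line.split(": ", 1)[1]
    return finding
```

Running parse_finding(CLI_REPORT) yields a dict whose cvss31 and cvss40 entries can be filtered on individual metrics, for example to list only findings with network attack vector (AV:N).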

Output in CSV

For the example finding above, the CSV row contains the following columns and values:

title: 052. Insecure encryption algorithm
cwe: CWE-310
description: Use of insecure encryption algorithm in namespace//home/any/universe/skims/test/data/lib_root/f052/java_cipher_jmqi.java
cvss: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
finding: https://docs.fluidattacks.com/criteria/vulnerabilities/052
stream: skims
kind: SAST
where: 10
snippet: 1 import com.ibm.mq.*; 2 import com.ibm.mq.jmqi.JmqiUtils; 3 import org.apache.log4j.Logger; 4 5 class Test { 6 7 private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; 8 9 public void insecure() { > 10 JmqiUtils.toCipherSuite(cipherSuite); 11 } 12 13 public void secure() { 14 String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"; 15 JmqiUtils.toCipherSuite(safeSuite); 16 } 17 18 } ^ Col 0
method: java.java_insecure_cipher_jmqi
Advice on using the CSV format
The CSV format is useful if you want to save your results for future reference or want to store them in an organized manner.

While the CLI output offers a concise summary, the CSV format provides a more detailed breakdown of the identified vulnerabilities. This includes richer context about each finding and the analysis techniques used.

A key feature of the CSV output is the inclusion of the specific detection method used for each vulnerability, in the method column. This allows for precise feedback and reporting, particularly in cases of suspected false positives: when submitting a false positive report, including the detection method name helps Fluid Attacks' team investigate the error and further improve the accuracy of the scanner.
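An added example, not part of the scanner or its documentation, of reading the CSV output with Python's csv module, splitting the description column into namespace and file path, and grouping locations by the method column (the value to cite in a false-positive report). The embedded CSV is constructed from the columns listed on this page; its first row mirrors the page's example with a shortened snippet, and its second row (the Other.java path and line 42) is hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the scanner's CSV output: the page's example row (snippet shortened)
# plus a hypothetical second finding by the same method in another file.
CSV_OUTPUT = """\
title,cwe,description,cvss,finding,stream,kind,where,snippet,method
052. Insecure encryption algorithm,CWE-310,Use of insecure encryption algorithm in namespace//home/any/universe/skims/test/data/lib_root/f052/java_cipher_jmqi.java,CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C,https://docs.fluidattacks.com/criteria/vulnerabilities/052,skims,SAST,10,"9 public void insecure() { > 10 JmqiUtils.toCipherSuite(cipherSuite); 11 }",java.java_insecure_cipher_jmqi
052. Insecure encryption algorithm,CWE-310,Use of insecure encryption algorithm in namespace//home/any/universe/app/src/Other.java,CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C,https://docs.fluidattacks.com/criteria/vulnerabilities/052,skims,SAST,42,"> 42 JmqiUtils.toCipherSuite(suite);",java.java_insecure_cipher_jmqi
"""


def parse_scanner_csv(text: str) -> list:
    """Read the CSV into dicts, adding 'namespace' and 'path' split out of 'description'
    and converting 'where' (the flagged line number) to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # The description ends with "<namespace>/<path>", and the path itself starts with "/".
        location = row["description"].rsplit(" in ", 1)[1]
        namespace, path = location.split("/", 1)
        rows.append({**row, "namespace": namespace, "path": path, "where": int(row["where"])})
    return rows


def findings_by_method(rows: list) -> dict:
    """Group "<path>:<line>" locations by detection method, ready to quote in a report."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["method"]].append(f"{row['path']}:{row['where']}")
    return dict(grouped)
```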

Output in SARIF

SARIF (Static Analysis Results Interchange Format) is a standardized output format designed for seamless interoperability between security analysis tools. Key benefits of SARIF include:
  1. Standardization: Consistent representation of vulnerability data across different tools and platforms
  2. Rich data: Comprehensive details about the analysis process, including the specific checks performed and the rationale behind each finding
  3. Integration: Easy integration with a wide range of security information and event management (SIEM) systems, vulnerability management platforms, and other development tools
  4. Automation: Facilitates automated processing and analysis of vulnerability data for efficient remediation and reporting