Version: 2508.1

issue folder


Description

This folder holds information about the issues detected in the analysis, stored as multiple JSON files of issue information. Note that the issue information provided differs depending on the type of analysis.

  • Source code analysis: Name of issue detection rule, file, line, etc.
  • Open source analysis: Name of issue detection rule, name of open source, license information, etc.
  • Web vulnerability analysis: Name of issue detection rule, analysis target URL, request information including parameters, etc.

File

Source code analysis issue

{
  "issueId" : null,
  "toolType" : "SAST",
  "checkerKey" : "SAST.SW.CCPP.33",
  "determinant" : "75c41dfe0f3d05ef10e835e37427d51e39aa4eb6",
  "risk" : 4,
  "method" : "bug",
  "lineNumber" : 19,
  "filePaths" : [ "FILE_PATH" ],
  "startContextIdx" : 0,
  "fileIdx" : 0,
  "contexts" : [ {
    "eventMsgs" : [ {
      "type" : "source",
      "fileIdx" : 0,
      "line" : 18,
      "messages" : [ {
        "message" : "horus.COMMON.var_0_decl",
        "args" : [ "'a'" ]
      } ],
      "prevLink" : null,
      "link" : null
    }, {
      "type" : "sink",
      "fileIdx" : 0,
      "line" : 19,
      "messages" : [ {
        "message" : "horus.OVERRUN.STATIC.default_desc_0",
        "args" : [ "'a'" ]
      }, {
        "message" : "horus.COMMON.size_0_index_1",
        "args" : [ "10", "10" ]
      } ],
      "prevLink" : null,
      "link" : null
    } ]
  } ],
  "extra" : null,
  "issueSimilarityGroupId" : null,
  "tags" : null,
  "hashes" : [ "35947faea8a2b85e3e8cde7139b8d47a05919e88" ],
  "zipFileObjectPaths" : [ "/null" ]
}
  • issueId Issue ID

  • toolType Analysis type The type of analysis requested is one of the following values.

    • SAST: Source code analysis
    • SCA: Open source analysis
    • DAST: Web vulnerability analysis
  • checkerKey Issue detection rule key The key of the rule that detected the issue.

  • risk Risk The risk of the detected issue is divided into 5 levels: Very High, High, Medium, Low, and Very Low, and each level is displayed as a number.

    • 5: Very High Risk Issue
    • 4: High Risk Issue
    • 3: Medium Risk Issue
    • 2: Low Risk Issue
    • 1: Very Low Risk Issue
  • lineNumber Issue detection point The line of source code at which the issue was detected, given as a line number.

  • filePaths File path The path of the file where the issue was detected.

  • fileIdx File index The index of the file where the issue was detected. When the issue involves multiple files, this index identifies which file is meant.

  • eventMsgs Issue detection information

    • type Type of issue detection information
      • sink: The point in the source code where the issue definitively occurs.
      • source: The entry point of the issue, i.e. its cause.
      • branch: Executed code that contributes to the occurrence of the issue.
      • framework: The structure that leads from the cause of the issue to the point where it occurs.
  • issueSimilarityGroupId Similar issue group ID

  • tags Tags

  • hashes Hashes

Open source analysis issue

{
  "versionId" : "__virt_50cabe6ff1c600835ca832884c723b5c1481070318a64b1cf8adf1804796a5c8",
  "matchType" : "DEPENDENCY",
  "originalVersion" : null,
  "targets" : [ {
    "targetType" : "FILE",
    "name" : "pom.xml",
    "relativePath" : "spdxFullLicense.zip/pom.xml",
    "hashes" : [ {
      "algorithm" : "sha1",
      "value" : "4a62e0f669425ffb8afdae1ec82fc01ed2da6f31"
    } ],
    "type" : null,
    "extra" : [ "zip/etc" ]
  } ],
  "name" : "com.sparrow.sca:application_OpenSSL-standalone",
  "version" : "1.0",
  "purl" : "pkg:maven/com.sparrow.sca/application_OpenSSL-standalone@1.0",
  "repository" : "Maven",
  "repositoryUri" : "https://central.sonatype.com/artifact/com.sparrow.sca/application_OpenSSL-standalone/1.0",
  "binaryHashes" : [ ],
  "sourceTotalHashes" : [ ],
  "confidenceScore" : 7.857142857142857,
  "publishedDate" : null,
  "licenses" : [ ],
  "issues" : [ ],
  "copyrights" : [ ],
  "ecosystem" : {
    "osInfo" : null,
    "packageManager" : null,
    "repository" : "Maven"
  },
  "supplier" : {
    "name" : null,
    "email" : null
  }
}
  • versionId Version ID

  • matchType Identification type The type of the target used to identify the component is one of the following values.

    • binary: The target is a binary file.
    • dependency: The target is a dependency file.
    • source: The source code is analyzed as the analysis target, and the hash value of the source code is generated and compared.
    • snippet: The issue is detected in a C/C++ header file (.h or .hpp).
    • SBOM: The SBOM file that organizes the components constituting the software is analyzed.
  • targets Analysis target

    • targetType Analysis target type
    • name Analysis target name
    • relativePath Relative path of the analysis target
    • hashes Hashes of the analysis target
      • algorithm Hash algorithm
      • value Hash value
  • name Component name

  • version Component version

  • purl PURL of the component

  • repository Component repository

  • repositoryUri URI of the component repository

  • binaryHashes Hashes of the binary target

  • sourceTotalHashes Hashes of the source code target

  • confidenceScore Confidence score

  • publishedDate Published date of the component

  • licenses Open source licenses

  • issues Known vulnerabilities

  • copyrights Copyright information

  • ecosystem Ecosystem

    • osInfo OS information
    • packageManager Package manager
    • repository Repository
  • supplier Supplier

    • name Supplier name
    • email Supplier email

Web vulnerability analysis issue

{
  "toolType" : "DAST",
  "checkerKey" : "RULE_KEY",
  "determinant" : "5157498448cb712a1a8cc39691d204301cc9e59e8824b1fdb558eec5020110bd",
  "risk" : 3,
  "url" : "http://u306.dev.iplanbiz.co.kr:8401/home/layout/list",
  "method" : "GET",
  "parameter" : null,
  "engineId" : "DAST_EV1_ANALYZER",
  "attack" : [ {
    "step" : 0,
    "fragment" : [ {
      "order" : 0,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.attack.s0.o0",
      "args" : [ ]
    }, {
      "order" : 1,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.attack.s0.o1",
      "args" : [ ]
    } ]
  }, {
    "step" : 1,
    "fragment" : [ {
      "order" : 0,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.attack.s1.o0",
      "args" : [ {
        "order" : 0,
        "type" : "code",
        "value" : "GET http://u306.dev.iplanbiz.co.kr:8401/home/layout/list HTTP/1.1\r\nAccept-Language: en-US\r\nCookie: toolType=PC;iportal_JSESSIONID_306=F642219118936C1A91057AD26DA5467D\r\n"
      } ]
    }, {
      "order" : 1,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.attack.s1.o1",
      "args" : [ {
        "order" : 0,
        "type" : "code",
        "value" : "Empty String"
      } ]
    } ]
  } ],
  "result" : [ {
    "step" : 0,
    "fragment" : [ {
      "order" : 0,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.result.s0.o0",
      "args" : [ ]
    } ]
  } ],
  "solution" : [ {
    "step" : 0,
    "fragment" : [ {
      "order" : 0,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.solution.s0.o0",
      "args" : [ ]
    }, {
      "order" : 1,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.solution.s0.o1",
      "args" : [ ]
    }, {
      "order" : 2,
      "type" : "msg",
      "value" : "2.http.cookie_attribute_test_same_site.not_exist.solution.s0.o2",
      "args" : [ ]
    } ]
  } ],
  "events" : "{\"version\":\"1.1\",\"seedUrl\":\"http://u306.dev.iplanbiz.co.kr:8401/home/layout/list\",\"dastEventList\":[{\"type\":\"http\",\"data\":{\"method\":\"GET\",\"url\":\"http://u306.dev.iplanbiz.co.kr:8401/home/layout/list\",\"headers\":[{\"name\":\"Accept-Language\",\"value\":\"en-US\"},{\"name\":\"Cookie\",\"value\":\"toolType=PC;iportal_JSESSIONID_306=F642219118936C1A91057AD26DA5467D\"}],\"body\":\"\"}}]}",
  "records" : null,
  "recheck" : "{\"@class\":\"com.sparrow.dast.engine.ev1.analysis.recheck.HbRecheck\",\"type\":{\"@type\":\"string\",\"@value\":\"http\"},\"checkerId\":{\"@type\":\"string\",\"@value\":\"DAST.SW.COMMON.5837\"},\"target\":{\"@type\":\"jsonType\",\"@jsonType\":\"com.sparrow.dast.engine.ev1.analysis.targets.HbTarget\",\"@value\":{\"@class\":\"com.sparrow.dast.engine.ev1.analysis.targets.HbTarget\",\"request\":{\"reqHeader\":\"GET http://u306.dev.iplanbiz.co.kr:8401/home/layout/list HTTP/1.1\\r\\nAccept-Language: en-US\\r\\nCookie: toolType=PC;iportal_JSESSIONID_306=F642219118936C1A91057AD26DA5467D\\r\\n\",\"reqBody\":\"\"}}}}",
  "doms" : [ ]
}
  • toolType Analysis type The type of analysis requested is one of the following values.

    • SAST: Source code analysis
    • SCA: Open source analysis
    • DAST: Web vulnerability analysis
  • checkerKey Issue detection rule key The key of the rule that detected the issue.

  • risk Risk The risk of the detected issue is divided into 5 levels: Very High, High, Medium, Low, and Very Low, and each level is displayed as a number.

    • 5: Very High Risk Issue
    • 4: High Risk Issue
    • 3: Medium Risk Issue
    • 2: Low Risk Issue
    • 1: Very Low Risk Issue
  • url Issue detection URL

  • method Request method

  • parameter Request parameter

  • attack Attack method

  • result Analysis result
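The three record layouts above (source code, open source and web vulnerability issues) share a folder but not a schema, so a consumer has to tell them apart before reading fields. The reader below is an added example, not part of the analysis product or its tooling. It recognises the record kind (toolType for SAST/DAST; the documented SCA record has no toolType, so matchType/purl is used instead), maps the numeric risk to its documented label, resolves each eventMsgs entry's fileIdx against filePaths to rebuild the source-to-sink trace, decodes the DAST events field (a JSON document embedded as a string), and filters records by a minimum risk level for a build gate. The inline sample records are constructed, trimmed copies of the documented ones; the DAST host name is made up, and the function names are this example's own.

```python
"""Reader for the per-issue JSON files in the analysis "issue" folder.

Added example, not part of the analysis product itself. Field names follow the
documented sample records; the inline samples are constructed, trimmed copies
of the documented SAST, SCA and DAST issues (the DAST host name is made up).
"""
import json
from pathlib import Path
from typing import Any, Dict, Iterable, Iterator, List

# Numeric risk levels as documented: 5 = Very High ... 1 = Very Low.
RISK_LABELS = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}
Issue = Dict[str, Any]


def classify(issue: Issue) -> str:
    """Return 'SAST', 'SCA' or 'DAST'. SAST/DAST records carry toolType; the
    documented SCA record does not, so it is recognised by matchType/purl."""
    tool = issue.get("toolType")
    if tool in ("SAST", "DAST"):
        return tool
    if "matchType" in issue or "purl" in issue:
        return "SCA"
    raise ValueError("unrecognised issue record")


def sast_trace(issue: Issue) -> List[tuple]:
    """Flatten contexts/eventMsgs into (type, file, line, message key, args)
    steps; each eventMsg names its file by fileIdx, resolved via filePaths."""
    paths = issue.get("filePaths") or []
    steps = []
    for ctx in issue.get("contexts") or []:
        for ev in ctx.get("eventMsgs") or []:
            idx = ev.get("fileIdx", 0)
            path = paths[idx] if 0 <= idx < len(paths) else None
            for msg in ev.get("messages") or []:
                steps.append((ev["type"], path, ev["line"], msg["message"],
                              tuple(msg.get("args") or [])))
    return steps


def dast_events(issue: Issue) -> List[Dict[str, Any]]:
    """Decode 'events', a JSON document stored as a string inside the record."""
    raw = issue.get("events")
    return json.loads(raw).get("dastEventList", []) if raw else []


def summarize(issue: Issue) -> Dict[str, Any]:
    """Reduce any of the three record kinds to one flat triage row."""
    kind = classify(issue)
    risk = RISK_LABELS.get(issue.get("risk"), "Unknown")
    if kind == "SAST":
        paths = issue.get("filePaths") or []
        idx = issue.get("fileIdx", 0)
        where = paths[idx] if 0 <= idx < len(paths) else "?"
        return {"kind": kind, "rule": issue["checkerKey"], "risk": risk,
                "location": f"{where}:{issue['lineNumber']}",
                "sink_messages": [s[3] for s in sast_trace(issue) if s[0] == "sink"]}
    if kind == "DAST":
        return {"kind": kind, "rule": issue["checkerKey"], "risk": risk,
                "location": f"{issue['method']} {issue['url']}",
                "parameter": issue.get("parameter"),
                "request_count": len(dast_events(issue))}
    # SCA records carry no risk level of their own; severity lives in the
    # known-vulnerability entries under 'issues'.
    return {"kind": kind, "component": issue["name"], "version": issue["version"],
            "purl": issue.get("purl"), "match": issue.get("matchType"),
            "licenses": list(issue.get("licenses") or []),
            "known_vulns": len(issue.get("issues") or [])}


def at_or_above(issues: Iterable[Issue], min_risk: int) -> List[Issue]:
    """Keep SAST/DAST records whose numeric risk is >= min_risk (4 = High)."""
    return [i for i in issues if isinstance(i.get("risk"), int) and i["risk"] >= min_risk]


def load_issue_folder(folder: Path) -> Iterator[Issue]:
    """Yield one decoded record per *.json file in the issue folder."""
    for path in sorted(Path(folder).glob("*.json")):
        with path.open(encoding="utf-8") as fh:
            yield json.load(fh)


# Constructed samples, trimmed from the documented records.
SAMPLE_SAST: Issue = {
    "toolType": "SAST", "checkerKey": "SAST.SW.CCPP.33", "risk": 4, "method": "bug",
    "lineNumber": 19, "filePaths": ["FILE_PATH"], "fileIdx": 0,
    "contexts": [{"eventMsgs": [
        {"type": "source", "fileIdx": 0, "line": 18,
         "messages": [{"message": "horus.COMMON.var_0_decl", "args": ["'a'"]}]},
        {"type": "sink", "fileIdx": 0, "line": 19,
         "messages": [{"message": "horus.OVERRUN.STATIC.default_desc_0", "args": ["'a'"]},
                      {"message": "horus.COMMON.size_0_index_1", "args": ["10", "10"]}]}]}],
}
SAMPLE_SCA: Issue = {
    "matchType": "DEPENDENCY", "name": "com.sparrow.sca:application_OpenSSL-standalone",
    "version": "1.0", "purl": "pkg:maven/com.sparrow.sca/application_OpenSSL-standalone@1.0",
    "licenses": [], "issues": [],
}
SAMPLE_DAST: Issue = {  # host name is made up
    "toolType": "DAST", "checkerKey": "RULE_KEY", "risk": 3, "method": "GET",
    "url": "http://app.example/home/layout/list", "parameter": None,
    "events": json.dumps({"version": "1.1", "dastEventList": [{"type": "http", "data": {
        "method": "GET", "url": "http://app.example/home/layout/list",
        "headers": [{"name": "Accept-Language", "value": "en-US"}], "body": ""}}]}),
}
```

Feeding `load_issue_folder(Path("issue"))` into `summarize` gives one row per file regardless of kind; `at_or_above(records, 4)` is the natural input for a gate that fails a pipeline on High or Very High findings, and the trace from `sast_trace` is what a reviewer reads to confirm that the source line really reaches the sink.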