Understand the scanner output
Fluid Attacks’ standalone scanners provide varying levels of detail in their output, depending on the chosen format. This page provides a detailed explanation of each field present in the standalone scanner output.
The CLI snippets and CSV files are recommended, as these formats provide concise and actionable information for understanding and mitigating risks in your code, ports or inputs. If you need to share vulnerability data with external parties or integrate it with other security tools, the SARIF format may be more suitable. The SARIF (Static Analysis Results Interchange Format) output, on the other hand, is more comprehensive and geared towards integration with other security tools and workflows. While it contains extensive data, it may not be as readily interpretable as the former options. Thus, the SARIF output is not explained in detail in this guide.
Scanner default output
Regardless of your chosen output format, the CLI vulnerability report includes information on the scan context at the beginning and a summary at the end.
Scan context
[INFO] Official Documentation: https://help.fluidattacks.com/portal/en/kb/find-security-vulnerabilities/use-the-cli[INFO] Namespace: namespace[INFO] info HEAD is now at: 7d140e5fdba3bf3cefb4ba7b0d0ab139e1942152[INFO] Startup work dir is: /any/universe[INFO] Moving work dir to: /any/universe[INFO] Files to be tested: 1[INFO] Analyzing path 1 of 1: /test/data/lib_root/f052/java_cipher_jmqi.javaThe CLI output begins with the following information:
- A link to the official standalone scanner documentation for comprehensive guidance and troubleshooting
- Key information about the current scan:
- Namespace
- Commit
- Start directory
- Working directory
- Total number of files to be scanned
- For each target file or endpoint, a line indicating the commencement of the scan
Scan summary
[INFO] Summary: 1 vulnerabilities were found in your targets.Upon scan completion, the CLI displays a summary that includes the total number of vulnerabilities identified.
Vulnerability report on the CLI
This is how the standalone scanner output looks like when it finds a vulnerability in the target of evaluation (ToE):
[INFO] 052. Insecure encryption algorithm: namespace//any/test/data/lib_root/f052/java_cipher_jmqi.java found by SAST module. 1 | import com.ibm.mq.*; 2 | import com.ibm.mq.jmqi.JmqiUtils; 3 | import org.apache.log4j.Logger; 4 | 5 | class Test { 6 | 7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; 8 | 9 | public void insecure() {> 10 | JmqiUtils.toCipherSuite(cipherSuite); 11 | } 12 | 13 | public void secure() { 14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"; 15 | JmqiUtils.toCipherSuite(safeSuite); 16 | } 17 | 18 | } ^ Col 0CWE-310 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A - CVSS_v4_Score: 2.3More information in: https://db.fluidattacks.com/wek/052/How to read the report
In the first line, the scanner provides the name of the weakness , which is a category that, according to Fluid Attacks’ classification, best suits the detected security issue. Right after it, the line includes the vulnerability location, which is presented in the following format:
<namespace_of_execution>/<path_to_file>After the location is information of the testing technique used to find the vulnerability.
In the following lines, the scanner prints a code snippet with a pointer (>) indicating the exact line where the problem is. Following the above example, it can be understood that the insecure encryption algorithm is in line 10.
1 | import com.ibm.mq.*; 2 | import com.ibm.mq.jmqi.JmqiUtils; 3 | import org.apache.log4j.Logger; 4 | 5 | class Test { 6 | 7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; 8 | 9 | public void insecure() {> 10 | JmqiUtils.toCipherSuite(cipherSuite); 11 | } 12 | 13 | public void secure() { 14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"; 15 | JmqiUtils.toCipherSuite(safeSuite); 16 | } 17 | 18 | } ^ Col 0After the code snippet, the output displays the corresponding Common Weakness Enumeration (CWE) and the Common Vulnerability Scoring System (CVSS) vector string and score. Following the example with the finding of an insecure encryption algorithm, this is the corresponding information:
CWE-310 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A - CVSS_v4_Score: 2.3Note: Although a single vulnerability could be associated with multiple CWEs, only one CVSS score is shown, which corresponds to the weakness assigned by Fluid Attacks.
Finally, a link to documentation about the security issue is provided. The documentation page includes the possible impact of exploiting the type of vulnerability, an estimate of time needed to remediate it, and links to fix recommendations, among other information. The following is the line giving this information in the above example.
More information in [our database](https://db.fluidattacks.com/wek/052/):
Output in CSV
| title | cwe | description | cvss_v4 | cvss_v4_score | finding | kind | where | snippet | method |
| 052. Insecure encryption algorithm | CWE-310 | Use of insecure encryption algorithm in namespace//home/any/universe/skims/test/data/lib_root/f052/java_cipher_jmqi.java | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A | 2.3 | https://docs.fluidattacks.com /criteria/vulnerabilities/052 | SAST | 10 | 1 import com.ibm.mq.*; 2 import com.ibm.mq.jmqi.JmqiUtils; 3 import org.apache.log4j.Logger; 4 5 class Test \\{ 6 7 private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; 8 9 public void insecure() \\{ > 10 JmqiUtils.toCipherSuite(cipherSuite); 11 \\} 12 13 public void secure() \\{ 14 String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"; 15 JmqiUtils.toCipherSuite(safeSuite); 16 \\} 17 18 \\} ^ Col 0 | java.java_insecure_cipher_jmqi |
The CSV format is useful if you want to save your results for future reference or want to store them in an organized manner.
While the CLI output offers a concise summary, the CSV format provides a more detailed breakdown of the identified vulnerabilities. This includes richer context about each finding and the analysis techniques used.
A key feature of the CSV output is the inclusion of the specific detection method used for each vulnerability, in the method column. This allows for precise feedback and reporting, particularly in cases of suspected false positives. Namely, when submitting a false positive report, including the detection method name helps Fluid Attacks’ team investigate the error and further improve the accuracy of the scanner.
Output in SARIF
SARIF (Static Analysis Results Interchange Format) is a standardized output format designed for seamless interoperability between security analysis tools. Key benefits of SARIF include:
- Standardization: Consistent representation of vulnerability data across different tools and platforms
- Rich data: Comprehensive details about the analysis process, including the specific checks performed and the rationale behind each finding
- Integration: Easy integration with a wide range of security information and event management (SIEM) systems, vulnerability management platforms, and other development tools
- Automation: Facilitates automated processing and analysis of vulnerability data for efficient remediation and reporting
The SARIF results include repository information under versionControlProvenance. The properties inform of the following:
repositoryUri: The URI of the scanned repository, which may contain atokenvalue if the repository is privatebranch: The scanned branchrevisionId: The hash of the last commit to the scanned repository
For detailed information about the objects and properties of SARIF, read their documentation .
Free trial Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .