What does the scanner output look like? | Fluid Attacks

Understand the scanner output

Depending on the format, Machine Standalone will inform you of different things.

For personal use, we recommend the CSV format or the CLI snippets, because they contain more meaningful information for understanding and evaluating the risk in your source code or endpoint.

On the other hand, the SARIF format contains a lot of information that is not very informative for the end user. This format is used, among other things, for internal processes within the organization, and for that reason its output is not explained here, at least not for now.

The meaning of each field that Machine Standalone returns is explained below.

Scanner default output

No matter what output format you choose, the CLI will always display some information before and after the vulnerability reports.

Before

[INFO] Official Documentation: https://docs.fluidattacks.com/machine/scanner/standalone/
[INFO] Namespace: namespace
[INFO] info HEAD is now at: 7d140e5fdba3bf3cefb4ba7b0d0ab139e1942152
[INFO] Startup work dir is: /any/universe
[INFO] Moving work dir to: /any/universe
[INFO] Files to be tested: 1
[INFO] Analyzing path 1 of 1: /test/data/lib_root/f052/java_cipher_jmqi.java

First, Machine will provide the official documentation for the tool. We strongly encourage end users to refer to this documentation in case of any issues or questions.

After that, the tool will display information about the current execution, such as the namespace, the commit being used, the working directory, and the total number of files to be scanned.

Finally, for each target, we will see a line indicating when the scan started for that target.

After

[INFO] Summary: 1 vulnerabilities were found in your targets.

After the scan is completed, Machine will provide a summary of the execution, including the total number of vulnerabilities found. If you chose CSV format, this summary line will also appear at the end of the result file.

Vulnerability report on the CLI

This is what the Machine Standalone output looks like when it finds a vulnerability in your target:

[INFO] 052. Insecure encryption algorithm: namespace//any/test/data/lib_root/f052/java_cipher_jmqi.java

1 | import com.ibm.mq.*;
2 | import com.ibm.mq.jmqi.JmqiUtils;
3 | import org.apache.log4j.Logger;
4 |
5 | class Test {
6 |
7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
8 |
9 | public void insecure() {
> 10 | JmqiUtils.toCipherSuite(cipherSuite);
11 | }
12 |
13 | public void secure() {
14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256";
15 | JmqiUtils.toCipherSuite(safeSuite);
16 | }
17 |
18 | }
^ Col 0
CWE-310 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
More information in: https://docs.fluidattacks.com/criteria/vulnerabilities/052

How to read the report

In the first line, Machine will provide the title of the finding corresponding to the detected vulnerability, as well as its location, which will be presented in the following format:

<namespace_of_execution>/<path_to_file>

After this information, Machine will print a code snippet with a pointer > indicating the exact line where the problem is.

1 | import com.ibm.mq.*;
2 | import com.ibm.mq.jmqi.JmqiUtils;
3 | import org.apache.log4j.Logger;
4 |
5 | class Test {
6 |
7 | private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
8 |
9 | public void insecure() {
> 10 | JmqiUtils.toCipherSuite(cipherSuite);
11 | }
12 |
13 | public void secure() {
14 | String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256";
15 | JmqiUtils.toCipherSuite(safeSuite);
16 | }
17 |
18 | }
^ Col 0

After the code snippet, the output will display the corresponding Common Weakness Enumeration (CWE) and Common Vulnerability Scoring System (CVSS) vector for each report. It is important to note that a single finding could be associated with multiple CWEs, but only one CVSS vector is calculated per finding. For example:

CWE-310 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

Finally, after each report, a link to more information about the particular vulnerability will be provided. This may include examples of the vulnerability and an estimate of how much time may be needed to remediate it.

More information in: https://docs.fluidattacks.com/criteria/vulnerabilities/052

Output in CSV format

The CSV file has one header row followed by one row per finding. Column by column, the report above looks like this:

title: 052. Insecure encryption algorithm
cwe: CWE-310
description: Use of insecure encryption algorithm in namespace//home/any/universe/skims/test/data/lib_root/f052/java_cipher_jmqi.java
cvss: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
finding: https://docs.fluidattacks.com/criteria/vulnerabilities/052
stream: skims
kind: SAST
where: 10
snippet: 1 import com.ibm.mq.*; 2 import com.ibm.mq.jmqi.JmqiUtils; 3 import org.apache.log4j.Logger; 4 5 class Test { 6 7 private final String cipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"; 8 9 public void insecure() { > 10 JmqiUtils.toCipherSuite(cipherSuite); 11 } 12 13 public void secure() { 14 String safeSuite = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"; 15 JmqiUtils.toCipherSuite(safeSuite); 16 } 17 18 } ^ Col 0
method: java.java_insecure_cipher_jmqi

The CSV format is useful if you want to save your results for future reference, or if you want to store them in an organized manner.

This format will provide you with the same information as the CLI output, but it will be more specific and provide additional details about what has been found and how it was found.

For example, the CSV format includes a description and a categorization based on how and where the vulnerability was found.

Finally, in the last column, you will find the name of the method responsible for reporting that specific vulnerability. This will come in handy if you want to create an issue stating that you found a false positive in your Machine execution.
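As an added example (not part of the Fluid Attacks documentation or the Machine tool itself), the following Python script reads a CSV result file with the columns described above, skips the "[INFO] Summary" line that Machine appends at the end of the file, splits the location using the <namespace_of_execution>/<path_to_file> format, and breaks the CVSS vector into its metrics. The sample file, its path and its snippet are constructed, and the assumption that the description ends with " in <location>" is based only on the example shown on this page.

```python
import csv
import io

# Constructed sample of a Machine Standalone CSV result file: the header row the
# page lists, one finding, and the "[INFO] Summary" line that Machine appends
# at the end of the file. The namespace, path and snippet values are made up.
SAMPLE_CSV = (
    "title,cwe,description,cvss,finding,stream,kind,where,snippet,method\n"
    '"052. Insecure encryption algorithm",CWE-310,'
    '"Use of insecure encryption algorithm in myns//repo/src/App.java",'
    "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C,"
    "https://docs.fluidattacks.com/criteria/vulnerabilities/052,skims,SAST,10,"
    '"> 10 | JmqiUtils.toCipherSuite(cipherSuite);",java.java_insecure_cipher_jmqi\n'
    "[INFO] Summary: 1 vulnerabilities were found in your targets.\n"
)


def parse_cvss_vector(vector):
    """Split 'CVSS:3.1/AV:A/AC:H/...' into {'version': '3.1', 'AV': 'A', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector: {vector!r}")
    parsed = {"version": head.split(":", 1)[1]}
    for metric in metrics:
        key, value = metric.split(":", 1)
        parsed[key] = value
    return parsed


def split_location(location):
    """Apply the page's <namespace_of_execution>/<path_to_file> format."""
    namespace, path = location.split("/", 1)
    return namespace, path


def parse_machine_csv(text):
    """Return one dict per finding, skipping the summary trailer."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        # The trailer is not a record: it fills 'title' and leaves the rest None.
        if row["title"].startswith("[INFO]") or row["cwe"] is None:
            continue
        # Assumption: the description ends with " in <namespace>/<path>".
        namespace, path = split_location(row["description"].rsplit(" in ", 1)[1])
        findings.append({
            "title": row["title"], "cwe": row["cwe"], "kind": row["kind"],
            "namespace": namespace, "path": path, "line": int(row["where"]),
            "cvss": parse_cvss_vector(row["cvss"]), "method": row["method"],
        })
    return findings
```

The "method" value is kept on each finding so that a suspected false positive can be reported with the exact rule that produced it.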
