
Add check metrics to security report

Start tracking the first set of metrics for DAST. The first set of metrics focuses on our vulnerability checks, collecting some performance information.

CWE events

DAST has around 32 CWE checks to collect dashboard information about. Each CWE check has its own event through which it reports information back.

The id section gives us:

  • Ability to identify performance impacting rules
  • Technology hints (for SQLi, 89.1.3 == MSSQL, 89.1.2 == sqlite, etc.)

The location section gives us a deeper understanding of where vulnerabilities show up in an application and could allow for further performance optimization.

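{
	// One event for each CWE check (around 32 events in total); the CWE number is part of the event name.
	"event": "collect_dast_scan_cwe_89_metrics_from_pipeline",

	// Columns (join, filter, fast)

	"property": "scan_uuid",  //   join: Allows joining/distinct
	"value": 5,               //   fast: Count of vulnerabilities found (same figure as id["89"].vulnerability_count)
	"parameter": 1,           // filter: Version of CWE check
	"label": "active",        // filter: Type of check (active/passive)
	                          //         Could this be integrated into the event name? _active, _passive

	// JSON column fields (slow)

	"total_time": 200, // Time it took for check to run (unit not stated here — TODO confirm ms vs s; same unit everywhere below)

	// Breakdown by ID, from coarse to fine: "89" (all 89.N.M) > "89.1" (all 89.1.N) > "89.1.N" (one attack).
	// Every entry has the same shape: three counters plus a per-location map.
	// The per-location map is spelled "locations" at every level (the sketch previously mixed
	// "location" and "locations", which would force consumers to special-case by depth).
	// NOTE(review): in this sample the per-location counts do not add up to the parent totals
	// (e.g. "89" reports 5 vulnerabilities but its locations report 1) — confirm whether consumers
	// may rely on them summing, or whether locations are only a partial breakdown.
	"id": {
		"89": {        // Totals of 89.N.M
			"vulnerability_count": 5,
			"element_count": 20,
			"total_time": 200,
			// Keys name the kind of injection point (request parameter, cookie, ...).
			// Only counts and timings are recorded per location — no submitted or observed values.
			"locations": {
				"request_parameter_value": {
					"vulnerability_count": 1,
					"element_count": 20,
					"total_time": 10
				},
				"cookie_value": {
					"vulnerability_count": 0,
					"element_count": 5,
					"total_time": 10
				}
			}
		},
		"89.1": {      // Totals of 89.1.N
			"vulnerability_count": 5,
			"element_count": 20,
			"total_time": 200,
			"locations": {
				"request_parameter_value": {
					"vulnerability_count": 1,
					"element_count": 20,
					"total_time": 10
				},
				"cookie_value": {
					"vulnerability_count": 0,
					"element_count": 5,
					"total_time": 10
				}
			}
		},
		"89.1.1": {    // Details per attack
			"vulnerability_count": 1,
			"element_count": 20,
			"total_time": 10,
			"locations": {
				"request_parameter_value": {
					"vulnerability_count": 1,
					"element_count": 20,
					"total_time": 10
				}
			}
		},
		"89.1.2": {    // Details per attack (89.1.1 + 89.1.2 add up to the "89.1" totals above)
			"vulnerability_count": 4,
			"element_count": 20,
			"total_time": 190,
			"locations": {
				"request_parameter_value": {
					"vulnerability_count": 1,
					"element_count": 20,
					"total_time": 10
				}
			}
		}
	}
}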