Reports

Every successful scan (see Scanning) by Coana creates a report and associates it with a project (See Projects). The report contains the list of detected vulnerabilities along with other metadata, such as the date of the scan, the version of the Coana CLI that was used, the branch, and commit of the scanned project. Reports are persisted in Coana, and you can always go back and view old reports.

On the report page, you can toggle between the "Reachable", "Unknown", and "Not reachable" tabs:

Reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is reachable from the application's entry point. It also shows vulnerabilities not directly tied to a specific usage of the vulnerable dependency. In the latter case the vulnerability is marked with the "Always affected" tag. This is typically the case for vulnerabilities that affect non-library dependencies, e.g, CLI applications, where the dependency is not directly used in the code.

We recommend that you focus your effort on remediating the vulnerabilities in this tab, as these are the vulnerabilities that may be exploited.

Unknown: contains the vulnerabilities where Coana's reachability analysis is not yet able to determine if the vulnerable code is reachable from the application's entry point. We strive to add support for vulnerabilities soon after they are discovered, but newly discovered vulnerabilities may be in this state for a short period of time. The vulnerabilities in the "Unknown" tab will move to the "Reachable" or "Not reachable" as soon as support is added (usually within 24 hours).

Not reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is not reachable from the application's entry point.