Reports
Every successful scan (see Scanning) by Coana creates a report and associates it with a project (see Projects). The report contains the list of detected vulnerabilities along with other metadata, such as the date of the scan, the version of the Coana CLI that was used, and the branch and commit of the scanned project. Reports are persisted in Coana, and you can always go back and view old reports.
On the report page, you can toggle between the "Reachable", "Unknown", and "Not reachable" tabs:
Reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is reachable from the application's entry point. It also shows vulnerabilities not directly tied to a specific usage of the vulnerable dependency. In the latter case the vulnerability is marked with the "Always affected" tag. This is typically the case for vulnerabilities that affect non-library dependencies, e.g., CLI applications, where the dependency is not directly used in the code.
We recommend that you focus your effort on remediating the vulnerabilities in this tab, as these are the vulnerabilities that may be exploited.
Unknown: contains the vulnerabilities where Coana's reachability analysis is not yet able to determine if the vulnerable code is reachable from the application's entry point. We strive to add support for vulnerabilities soon after they are discovered, but newly discovered vulnerabilities may be in this state for a short period of time. The vulnerabilities in the "Unknown" tab will move to the "Reachable" or "Not reachable" tab as soon as support is added (usually within 24 hours).
Not reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is not reachable from the application's entry point.
Report Vulnerabilities
From this page, you have direct access to details about vulnerabilities detected in your project. The vulnerabilities are categorized as "Reachable", "Unknown" or "Not reachable" as described above. We also include other details about each vulnerability, such as the CVSS score, severity, and affected package name and version. You can find more information about each vulnerability in the Analysis details, Fixes and Vulnerability details panes.
Analysis Details
The analysis details pane contains information derived from the reachability analysis, including the list of source locations in the application code that either directly or indirectly (through other dependencies) use the code affected by the vulnerability. The pane also shows the dependency chain(s) leading to the vulnerable dependency, and a human-readable textual description of what the reachability analysis is scanning for.
Vulnerability Fixes
The "Vulnerability Fixes" pane provides details about available fixes and instructions on how to apply these fixes to your codebase using the Coana CLI.
To apply a fix, copy the generated command and run it from the root directory of your project.
If the fix is outdated — for example, if your dependency tree has changed since the report was generated — Coana will terminate with an error.
To prompt Coana to regenerate the fix, add the --recompute-outdated flag when running the command. For example:
npx @coana-tech/cli apply-fixes --recompute-outdated . fix_eb347ed6-009d-4a4b-bfee-598ceda0038d
If the vulnerability impacts multiple workspaces, Coana will provide an option to select which workspaces you want to apply the fix to.
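The fix procedure above (run the generated apply-fixes command from the project root; if the stored fix is outdated, rerun with --recompute-outdated) is easy to wrap in a small POSIX shell function for use from a script. The function below is an added example, not part of Coana's own CLI or documentation. It assumes two things the page does not state: that the Coana CLI exits with a non-zero status when it terminates with an error, and that the command used to invoke the CLI can be overridden through a COANA_CLI variable (the name is the example's own; it defaults to the npx invocation shown on this page). The only CLI subcommand and flag used are apply-fixes and --recompute-outdated, both taken from the page.

```shell
#!/bin/sh
# apply_coana_fix: apply a fix id from a Coana report from the project root.
# If the first attempt fails (the page says Coana terminates with an error
# when the fix is outdated, e.g. the dependency tree changed since the
# report), rerun once with --recompute-outdated so Coana regenerates it.
#
# Assumptions (not documented on the page): the CLI exits non-zero on an
# outdated fix, and COANA_CLI may override the command used to invoke it.
COANA_CLI="${COANA_CLI:-npx @coana-tech/cli}"

apply_coana_fix() {
  project_dir="$1"
  fix_id="$2"
  [ -d "$project_dir" ] || { echo "no such project directory: $project_dir" >&2; return 2; }
  [ -n "$fix_id" ] || { echo "usage: apply_coana_fix <project-dir> <fix-id>" >&2; return 2; }

  # First attempt: the fix exactly as generated in the report.
  if ( cd "$project_dir" && $COANA_CLI apply-fixes . "$fix_id" ); then
    return 0
  fi

  # The retry cannot tell an outdated fix from any other failure, so the
  # first error output is left on stderr for inspection and the CLI is
  # asked only once to recompute the fix.
  echo "apply-fixes failed for $fix_id; retrying with --recompute-outdated" >&2
  ( cd "$project_dir" && $COANA_CLI apply-fixes --recompute-outdated . "$fix_id" )
}

# Usage: apply_coana_fix /path/to/project fix_<id-from-report>
```

Because the retry is blind to the reason for the first failure, keep the first run's output: a failure that persists after --recompute-outdated is not an outdated fix and should be inspected rather than retried again.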
Vulnerability Details
The vulnerability details pane contains information about the vulnerability advisory, such as the CVE, the name of the affected dependency, the severity and CVSS score and the affected versions.
Vulnerability Dismissal Action
From the Actions menu, you can choose "Dismiss..." to open the vulnerability dismissal window. The dismissal feature allows you to disregard vulnerabilities that you have determined are not applicable to your project. For example, you can choose to dismiss a vulnerability if the vulnerable dependency is only used by an internal tool. Dismissals can either have an expiration date or be permanent. If you have enabled the Dependabot integration, you will also have the option of dismissing the associated Dependabot alerts in GitHub.