Reports

Report overview

Every successful scan (see Scanning) by Coana creates a report and associates it with a project (see Projects). The report contains the list of detected vulnerabilities along with other metadata, such as the date of the scan, the version of the Coana CLI that was used, and the branch and commit of the scanned project. Reports are persisted in Coana, so you can always go back and view old reports.

On the report page, you can toggle between the "Reachable", "Unknown", and "Not reachable" tabs:

Reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is reachable from the application's entry point. We recommend that you focus your effort on remediating the vulnerabilities in this tab, as these are the vulnerabilities that may be exploited.

Unknown: contains the vulnerabilities where Coana's reachability analysis is not yet able to determine whether the vulnerable code is reachable from the application's entry point. We strive to add support for vulnerabilities soon after they are discovered, but newly discovered vulnerabilities may be in this state for a short period of time. The vulnerabilities in the "Unknown" tab move to the "Reachable" or "Not reachable" tab as soon as support is added (usually within 24 hours).

Not reachable: shows the vulnerabilities where Coana's reachability analysis has determined that the vulnerable code is not reachable from the application's entry point.

Vulnerabilities

From the report page, you have access to information and actions related to the discovered vulnerabilities.

Vulnerability details

The vulnerability details pane contains information about the vulnerability advisory, such as the CVE, the name of the affected dependency, the severity, the CVSS score, and the affected versions. From this pane, Coana also lists the vulnerability fixes (package updates) required to remove the vulnerability.

Analysis details

The analysis details pane contains information derived from the reachability analysis, including the list of source locations in the application code that either directly or indirectly (through other dependencies) use the code affected by the vulnerability. The pane also shows the dependency chain(s) leading to the vulnerable dependency, and a human-readable description of what the reachability analysis is scanning for.

Vulnerability dismissal action

From the Actions menu, you can choose "Dismiss..." to open the vulnerability dismissal window. The dismissal feature allows you to disregard vulnerabilities that you have determined are not applicable to your project. For example, you can choose to dismiss a vulnerability if the vulnerable dependency is only used by an internal tool. Dismissals can either have an expiration date or be permanent.