UI Portfolio Pages

The Portfolio page and its sub-pages (The Application page, The Project page) allow you to create and manage applications and projects.

The Portfolio page

View and manage the applications in your portfolio.

Table 1. Portfolio


+ Create Create applications:
  • New Application(s): Create an application.
    Note: See Create an application for more information.
  • New Application(s) with SCM (only available for customers with concurrent subscriptions): Create one or more applications (and projects) using repositories in your SCM.
    Note: See Integrate Multiple SCM Repositories for more information.
Search by Name Search applications by name.
Table fields Lists all applications in your portfolio. For each application, view:
  • The quantity of projects
  • The subscriptions available in the application
  • The total quantity of issues
  • Per-severity issue quantities
  • The quantity (sum) of policy violations captured in the most recent test of a default branch in any of the application's projects
  • The latest completed test (including test type) of a default branch in any of the application's projects
Note: Issue quantities in the Total Issues and severity columns do not include dismissed issues (via issue triage or issues dismissed due to components triaged as excluded).
Note: Quantities in the Total Active Policy Violations () column may include dismissed issues. See Monitor policy on the Portfolio page for more information on the policy values in this table.
Click an application name to open the Application page (see "Portfolio Application Page" below).

Click on the ellipse icon to select:

  • Settings: Open the application's settings.
  • Delete: Delete the application.
    Note: All of the application's projects, branches, and test data will be deleted.

The Application page

View and manage the projects in an application.

Projects tab

Lists all projects and descriptions in the application.

Table 2. Application > Projects


+ Create Create projects:
  • New Project(s): Create a SAST & SCA project, or a DAST project.
  • New Project(s) with SCM (only available for customers with concurrent subscriptions): Create multiple SAST & SCA projects using repositories in your SCM.
    Note: See Bulk integrating projects into an application for more information.
Test Type Filter projects by type.
Table fields View all the projects in your application. For each project, view:
  • The policy status of the most recent test of each project's default branch
  • The project's name and default branch
  • The total quantity of tests run
  • The total quantity of issues
  • Per-severity issue quantities
  • The quantity of policy violations captured in the most recent test of each project's default branch
  • The latest completed test (including test type) of each project's default branch
  • Repository type
Note: Issue quantities in the Total Issues and severity columns do not include dismissed issues (via issue triage or issues dismissed due to components triaged as excluded).
Note: Quantities in the Total Active Policy Violations () column may include dismissed issues. See Monitor policy on the Portfolio page for more information on the policy values in this table.

Click a project name or issue quantity to open the Project page (see "Portfolio Project Page" below) and view issues in the Project. When you click an issue quantity in a severity column, only issues matching the severity you select appear on the Project page.

Click on the ellipse icon to select:

  • New Test: Test the project (see How to test from the web UI).
  • Settings: Open the project's settings.
  • Delete: Delete the project.
    Note: All the project's branches and test data will be deleted.

Settings tab

Manage settings for applications.

Table 3. Application > Settings


General Change name and description of Application. Add Tags. Change the application's automatic branch deletion setting.
Members Give users or groups access to the application. Control what different users can do with roles.
Subscriptions View Static/SCA subscriptions applied to the application.
Integrations Manage your SCM connections within an application (only available for customers with concurrent subscriptions using GitHub/GitHub Enterprise bulk onboarding).

The Project page

Different information appears on the Project page, depending on the type of project (SAST & SCA or DAST) you open.

Branch dropdown

Use the branch dropdown (available while using the Summary, Issues, Components, Licenses, and Tests tabs) to view results for different branches in your project.



Project Test Details

Select the Project Test Details icon to view the latest tests run against the project.

Note: In SAST & SCA projects, Project Test Details is available while using the Issues, Components, and Licenses tabs — and shows the latest tests run on the current branch. In DAST projects, Project Test Details is available while using the Issues tab.


Summary tab

Use the charts on the Summary tab to track the quantity of SAST and SCA issues in a branch over time, and the average age of outstanding (unresolved) issues with different severities.

Table 4. Application > Project > Summary


Issues Over Time A chart that shows the quantity of detected and absent SAST and SCA issues in each test of a branch over time (by default, 30 days).
Note: Issues captured in different SCA tests (package manager or signature analysis) are tracked separately.

Each point on the chart represents a test. Hover over a point to view the test's completed date and time, and the quantity of detected or absent issues.

Important: Points on the chart are static and represent completed tests. A test's detected issue quantity includes all the issues detected in the test, even if the issues were detected in earlier tests and dismissed (via triage). A test's absent issue quantity only includes issues that, after being detected the previous test, are no longer detected. Only the previous test is considered when calculating a test's absent issue quantity.
Legend Select an issue status in the legend (below the chart title) to hide/show it.
Date ranges Select a date range to narrow the scope of the chart to tests run in a period of time.
  • 30D, 90D, 90D: Show the tests run on the branch in the last 30 (default), 60, or 90 days.
  • Since First Test: Show all the tests run on the branch.
  • Custom Range: Show the tests run on the branch between two dates.
Average Age of Outstanding Issues A chart that shows the average age (in days) of issues in the branch, grouped by severity.
Note: Issue age is the time between when an issue is detected (or redetected) and when the issue is no longer detected (absent) or triaged and dismissed.

Hover over a bar in the chart to see the value in days.

Legend Select a severity in the legend (below the chart title) to hide/show it.

Issues tab

Lists issues in the project.

Table 5. Application > Project > Issues


Clear All Clear checkbox selections.
Triage Selected / Triage All Triage one, multiple, or all issues. See Ways to triage issues in for more information.
Export Selected / Export all Export one, multiple, or all issues. See How to export issues to CSV or JSON for more information.
Filters panel Click the filter icon to open and close the filter panel. Filter issues by Triage Status, Fix-By Status, Issue Type, Issue Category, Severity, Tool Type (DAST, SAST, and SCA — including Package Manager or Signature Analysis), Location, CWE (Common Weakness Enumeration, CWE™), Standard, and/or Owner (assignee). Select a non-default branch with the branch dropdown (near the top of the page) to enable issue comparisons. See Compare default and non-default branches in a project.
Important: automatically deduplicates components so that, when a component is captured in package manager and signature analysis tests of the same branch, it only appears once on the Components tab. However, each issue associated with the component will be listed twice on the Issues tab (or, duplicate issues appear for each component captured in package manager and signature analysis tests of the same branch). Duplicate SCA issues must be triaged separately, but if you triage a component (exclude it from your SBOM), all of the component's issues (including duplicates) are dismissed.
Note: By default, issues captured in both types of SCA tests (package manager and signature analysis) appear in the table. Use the Tool Type filter to show issues captured in package manager or signature analysis tests.
Table fields Issue Type: Select an Issue Type name to see Issue Details tab, which includes:
  • A description of the issue and its severity
  • Local effect
  • Links to related CWE and Common Vulnerabilities and Exposures (CVE®) codes (when available)
  • Black Duck® Security Advisory (BDSA) codes (when available)
  • A link to training resources in Secure Code Warrior (when available, and after the Secure Code Warrior integration is enabled by your Organization Administrator)
  • A list of branches the issue is found in
  • And more

When you select a SAST issue, you can:

For issues captured in DAST tests, you can use the Evidence tab to find more information on attacks.

Components tab

Lists a project's open source components, along with each component's version. Use this bill of materials to identify components that require updates and view upgrade recommendations for direct and transitive dependencies. You can use the branch dropdown (near the top of the page, next to the project name) to view components for different branches in your project.

Table 6. Application > Project > Components


Filters panel Click the filter icon to open and close the filter panel. Filter a project's components by SBOM (included/excluded) Component (name), License, License Family, Security Risk, Match Type, and/or Match Score.
Clear All Clear checkbox selections.
Triage Selected / Triage All Triage one, multiple, or all components. See Ways to triage components in for more information.
Table Fields

For each component, view Security Risk (severity), Component Name (including version), Match Type, Match Score, Usage, and License Name.

Important: automatically deduplicates components so that, when a component is captured in package manager and signature analysis tests of the same branch, it only appears once on the Components tab. However, each issue associated with the component will be listed twice on the Issues tab (or, duplicate issues appear for each component captured in package manager and signature analysis tests of the same branch). Duplicate SCA issues must be triaged separately, but if you triage a component (exclude it from your SBOM), all of the component's issues (including duplicates) are dismissed.
Note: By default, components from both types of SCA tests (package manager and signature analysis) are displayed. Use the Match Type filter to only display components captured in package manager or signature analysis tests.

Each component captured in an SCA test is compared with a copy of the component in the knowledge base to generate additional metadata. Precise match types (beyond direct and transitive dependencies) and (percentage) match scores are generated for components captured in signature analysis tests.

Each component can have multiple match type values. Match types include:

  • Direct Dependency: A direct dependency is a package your project requires to run and compile (typically, managed with package managers like pip, npm, ... etc.). It is possible for a package to be both a direct and transitive dependency.
  • Transitive Dependency: Transitive dependencies are packages that aren't directly referenced in your project, but rather, are packages that are referenced by your project's direct dependencies. It is possible for a package to be both a direct and transitive dependency.
  • Exact Directory: The component's directory structure matches the directory structure in the knowledge base.
  • Exact File: The component's files match files in the knowledge base.
  • Files Added/Deleted: The component includes additional files, or doesn't include some of the files in the knowledge base.
  • Files Modified: One or more of the component's files were modified and don't match files in the knowledge base.

A higher match score indicates a closer match, and a lower match score indicates a component was modified. Precise match scores only appear for components identified in signature analysis tests; the match score for a component identified in a package manager test will always be 100%.

Select a component's name to view:

  • Component Details
    • View detailed information about the component including Match Types, Match Score, a description of the component, and helpful links.
    • View Component Origins (different ways the component is included in the project). For each component origin, view upgrade guidance and a dependency tree (View Dependency Tree).
  • Security Details
    • A list of issues that match the component version, a link to issue details, triage status, origin, CWE and vulnerability ID.
  • Licenses
    • List of licenses available for this component version.
    • License information.
    • If available, you can select a different license depending on use case.

Licenses tab

View Licenses for your project. You can use the branch dropdown (near the top of the page, next to the project name) to view licenses for different branches in your project.

Table 7. Application > Project > Licenses


Filters panel Click the filter icon to open and close the filter panel. Filter a project's licenses by License (name) and/or License Family.
Table Fields

A list of your project's applicable licenses, the number of components each license applies to, and each license's family (Permissive, Restrictive Third Party Proprietary, Reciprocal, etc.).

Click on a license's name to view License Details, including a list of components that use the license.

Tests tab

View tests run on the project.

Table 8. Application > Project > Tests


Table fields

After you open a SAST & SCA project, Use SAST and SCA tabs to the left of the table to view different types of tests. The DAST tab opens for DAST projects.

  • Test Id: An ID that uniquely identifies the test.
  • Date: The date and time when the test started.
  • Test Status: The status of the test (Completed, Canceled, etc.).
  • Policy Violations: Shows the quantity of policy violations detected in the test, and the quantity of issue and component policies assigned to the project (or branch) when the test started. Open the dropdown menu to see the names of the policies, along with links to view issues that violate different rules.
    Note: Dropdown menus only appear next to completed tests if issue/component policies were assigned to the branch (for SAST & SCA projects) or DAST project when the test started. Component policies only appear for SCA tests. See Monitor policy on the Tests page for more information.

    When you create non-default branches, policies are disabled by default. You can enable policies on non-default branches when you Add a branch to a project or Edit a branch.

Select a test ID to see:

  • Detected Issues: Issues detected in the test.
  • Absent Issues: Issues found in the previous test, but not found in the current test.
  • Test Metrics: A comparative summary of the current and previous test that includes the number of files captured and analyzed, lines of code analyzed, and analysis time.

Branches tab

View, and manage a SAST & SCA project's branches.

Table 9. Application > Project > Branches


+ Create New Branch Add a branch to the project.
Note: If you integrate a SCM repository, your default branch in your repository will become you default branch in your project. In order to test other branches in your SCM repository, you need to import them. See Add a branch to a project.
Show IDE Branches By default, branches you test with (from your IDE) are hidden. Use this toggle to show them.
Table fields

Lists all the branches in the SAST & SCA project. Here, you can see:

  • The project's default branch
  • The date and time of the most recent test run against the branch

Click a branch name to modify the branch's settings, including:

  • Branch Name
  • Branch Description
  • How often the branch needs to be tested before it's deleted automatically
  • Policy settings, including:
    • If the branch's policies are set manually, or inherited from the project
    • The branch's issue policies
    • The branch's component policies
    • The branch's test scheduling policies

DAST Profiles tab

View, and manage a DAST project's profile.

Table 10. Application > Project > DAST Profiles


Table fields

Lists the profile in the DAST project.

Here, you can see:

  • The date and time of the most recent test run against the project
  • The quantity of issues captured in the most recent test, grouped by severity

Select a profile name to modify it's settings, including:

  • Profile Name
  • Allowed Hosts and Authentication
  • The profile's scan-settings.json file
  • Whether or not active attacks are performed when the project is tested

Settings tab

Manage settings for projects.

Table 11. Application > Project > Settings


General Edit Project Name and Description. Change the project's automatic branch deletion setting.
Integrations
Policies View project policies and add an existing policy to the project.