Understanding the Links Report

Results and Reports

Results for a DynamicDS scan are located, as they are for static scans, in the scan reports and the Triage Flaws page. However, due to the fact that DynamicDS scans evaluate websites at runtime and you can configure the scope of a scan to exclude portions of the web site, Veracode provides an additional report that indicates how well the scan investigated the application.

You can view the Links Report in the Veracode Platform or download the XML version. This comprehensive report lists information about the links, including:

  • Each URL in the application successfully crawled and attacked
  • Number of times the scan crawled each URL
  • Response header names and values
  • HTTP response codes for each accessed URL
  • All links that refer to the crawled URLs
  • Name of the plugin that found each URL
  • Links and objects the scan found but did not analyze
  • Parameters and values of all posts during the scan
  • Verification of auto-crawl instruction or whether specific URLs were provided

Links that the DynamicDS scan crawls and analyzes for vulnerabilities are classified as "Crawled & Audited". Other links (black links) listed in the Links Report are ones that you blacklisted, that you purposely chose to exclude when you were configuring the scan request. The DynamicDS scan detects the black links but knows to not analyze them. Separating the crawled and uncrawled links helps you see which web pages the scan audited and which ones it ignored.

More information is available to explain what happens when Veracode crawls a form on a website.

You can filter the list of links by choosing Link Type in the Filter dropdown menu and selecting one of the following link types:
  • Crawled: DynamicDS scan explores the web application and catalogues the series of links and workflows that comprise it.
  • Crawled & Audited: As the DynamicDS scan catalogues the links and workflows of the application, the scan engine also tests the exchanges between the application and the scan engine for vulnerabilities.
  • Crawled & Partially Audited: In certain cases, some exchanges between the application and the scan engine contain no injections points to test for vulnerabilities, preventing the engine from performing a complete audit. Therefore, as the DynamicDS scan catalogues the links and workflows of the application, the scan engine performs a partial audit.


To see the list of the URLs that your DynamicDS scan detected and the ones it attacked, go to the Results pane in the left navigation menu of the application and click either:

  • Links Report
  • Triage Flaws and then click Links Report in the Dynamic tab.

To download the Links Report, click Results in the left navigation pane of the application and do one of the following:

  1. Click Download Reports... and select Links Report (XML).
  2. Click Links Report in the left navigation pane of the application and click Download XML.



Download the links report

The report ZIP file contains the XML document and an XSD representation of the XML schema if you want to reuse the links information in another application.