Results for a DynamicDS scan appear, as they do for static scans, in the scan reports and on the Triage Flaws page. However, because DynamicDS scans evaluate websites at runtime and you can configure the scope of a scan to exclude portions of the website, Veracode provides an additional report that indicates how well the scan investigated the application.
You can view the Links Report in the Veracode Platform or download the XML
version. This comprehensive report lists information about the links, including:
- Each URL in the application successfully crawled and attacked
- Number of times the scan crawled each URL
- Response header names and values
- HTTP response codes for each accessed URL
- All links that refer to the crawled URLs
- Name of the plugin that found each URL
- Links and objects the scan found but did not analyze
- Parameters and values of all posts during the scan
- Verification of auto-crawl instruction or whether specific URLs were provided
Links that the DynamicDS scan crawls and analyzes for vulnerabilities are classified as "Crawled & Audited". Other links (black links) listed in the Links Report are ones that you blacklisted, that is, ones you purposely chose to exclude when you configured the scan request. The DynamicDS scan detects the black links but does not analyze them. Separating the crawled and uncrawled links helps you see which web pages the scan audited and which ones it ignored.
More information is available to explain what happens when Veracode crawls a form on a website.
You can filter the list of links by choosing Link Type in the Filter dropdown menu and selecting one of the following link types:
- Crawled: DynamicDS scan explores the web application and catalogues
the series of links and workflows that comprise it.
- Crawled & Audited: As the DynamicDS scan catalogues the links
and workflows of the application, the scan engine also tests the exchanges between
the application and the scan engine for vulnerabilities.
- Crawled & Partially Audited: In certain cases, some exchanges between the
application and the scan engine contain no injection points to test for
vulnerabilities, which prevents the engine from performing a complete audit. Therefore,
as the DynamicDS scan catalogues the links and workflows of the
application, the scan engine performs a partial audit.
To see the list of the URLs that your DynamicDS scan detected and the ones it attacked, go to the
Results pane in the left navigation menu of the application and click either:
Triage Flaws and then click
Links Report in the
To download the Links Report, click Results in the left navigation pane of the application and do one of the following:
- Click Download Reports... and select Links Report (XML).
- Click Links Report in the left navigation pane of the application and click Download XML.
The report ZIP file contains the XML document and an XSD representation of the XML schema
if you want to reuse the links information in another application.
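
As an added example (not Veracode code), the sketch below reuses the downloaded XML to check scan coverage: given the URLs you expected to be in scope, it lists every one that the report does not show as "Crawled & Audited" with a successful response. The element and attribute names (`link`, `url`, `type`, `response_code`) and the sample document are assumptions made for illustration; take the real names from the XSD in the report ZIP.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Element and attribute names are assumptions; the real
# ones are defined by the XSD shipped in the report ZIP.
SAMPLE_XML = """<linksreport>
  <link url="https://app.example.test/login" type="Crawled &amp; Audited" response_code="200"/>
  <link url="https://app.example.test/search?q=a" type="Crawled &amp; Audited" response_code="200"/>
  <link url="https://app.example.test/about" type="Crawled &amp; Partially Audited" response_code="200"/>
  <link url="https://app.example.test/help" type="Crawled" response_code="200"/>
  <link url="https://app.example.test/admin" type="Crawled &amp; Audited" response_code="403"/>
</linksreport>"""

FULL_AUDIT = "Crawled & Audited"


def normalize(url):
    """Compare on scheme, host and path only; drop query string and fragment."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/') or '/'}"


def coverage_gaps(xml_text, expected_urls, link_tag="link"):
    """Return {expected_url: reason} for every URL that was not fully audited."""
    seen = {}
    for el in ET.fromstring(xml_text).iter(link_tag):
        key = normalize(el.get("url", ""))
        entry = (el.get("type", ""), el.get("response_code", ""))
        # Keep the first fully audited result if a URL is listed more than once.
        if key not in seen or seen[key][0] != FULL_AUDIT:
            seen[key] = entry
    gaps = {}
    for url in expected_urls:
        link_type, code = seen.get(normalize(url), (None, None))
        if link_type is None:
            gaps[url] = "not in report"
        elif link_type != FULL_AUDIT:
            gaps[url] = f"only '{link_type}'"
        elif not code.startswith("2"):
            gaps[url] = f"audited but HTTP {code}"
    return gaps


if __name__ == "__main__":
    expected = ["https://app.example.test/login", "https://app.example.test/about",
                "https://app.example.test/help", "https://app.example.test/admin",
                "https://app.example.test/checkout"]
    for url, reason in coverage_gaps(SAMPLE_XML, expected).items():
        print(f"{url}: {reason}")
```

A URL reported as audited with a non-2xx response code is worth reviewing, because the scan may have tested an error or login redirect page rather than the intended content.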