Understanding the Archer XML Report

This table provides definitions for the fields in the XML output file.

Table. Archer XML Output Fields
| Archer XML Field | Definition |
| --- | --- |
| `any_scan_due_date` | When you must next run a scan, as dictated by the associated policy. |
| `app_name` | Name of the application. |
| `archer_app_name` | An optional name to match with the application name in Archer. |
| `app_origin` | Original origin of the application, such as open source. |
| `assurance_level` | Deprecated field. The level of assurance for the application. |
| `business_owner` | First and last name of the person responsible for the application. |
| `business_unit` | Department or group associated with the application. |
| `custom0` | Custom metadata field 1. |
| `custom1` | Custom metadata field 2. |
| `custom2` | Custom metadata field 3. |
| `custom3` | Custom metadata field 4. |
| `custom4` | Custom metadata field 5. |
| `custom5` | Custom metadata field 6. |
| `custom6` | Custom metadata field 7. |
| `custom7` | Custom metadata field 8. |
| `custom8` | Custom metadata field 9. |
| `custom9` | Custom metadata field 10. |
| `custom10` | Custom metadata field 11. |
| `custom11` | Custom metadata field 12. |
| `custom12` | Custom metadata field 13. |
| `custom13` | Custom metadata field 14. |
| `custom14` | Custom metadata field 15. |
| `custom15` | Custom metadata field 16. |
| `custom16` | Custom metadata field 17. |
| `custom17` | Custom metadata field 18. |
| `custom18` | Custom metadata field 19. |
| `custom19` | Custom metadata field 20. |
| `custom20` | Custom metadata field 21. |
| `custom21` | Custom metadata field 22. |
| `custom22` | Custom metadata field 23. |
| `custom23` | Custom metadata field 24. |
| `custom24` | Custom metadata field 25. |
| `dynamic_score` | Veracode security quality score of the most recent DynamicDS scan of this application. |
| `flaws` | Parent field of the collection of ArcherRecords that describe flaws. |
| `flaws\app_name` | Name of the application. |
| `flaws\capecid` | Category ID for the flaw. |
| `flaws\categoryid` | ID number of the flaw category. |
| `flaws\categoryname` | Name of the flaw category. |
| `flaws\cia_impact` | CIA value for the calculated CVSS score. |
| `flaws\count` | Number of times this flaw occurs in this scan. |
| `flaws\cwe_description` | Definition of the Common Weakness Enumeration (CWE). |
| `flaws\cweid` | ID number for the Common Weakness Enumeration (CWE). |
| `flaws\date_first_occurrence` | Date of the scan when this flaw first occurred. |
| `flaws\exploit_desc` | Description of the flaw discovered during Manual Penetration Testing. |
| `flaws\exploitdifficulty` | Level of vulnerability for the calculated CVSS score. |
| `flaws\exploitLevel` | Calculated level of exploitability after static scan. |
| `flaws\flaw_description` | Description of the flaw. |
| `flaws\flaw_issue_id` | Unique issue ID number of the flaw. |
| `flaws\functionprototype` | Class/function information for flaws in binaries that do not have debug symbols. |
| `flaws\functionrelativelocation` | Relative location of flaws in the class file of binaries that do not have debug symbols. |
| `flaws\is_latest_build` | Parameter that indicates if this report is for the most recent scan of the application. |
| `flaws\line` | Line location of flaws in binaries that do not have debug symbols. |
| `flaws\module` | Calling module where the flaw is located. |
| `flaws\note` | Information about the exploitability level (Very Unlikely to Very Likely). |
| `flaws\pcirelated` | Parameter that indicates if the flaw is PCI-related. |
| `flaws\platform` | Platform metadata from the application profile. |
| `flaws\published_date` | Publication date of the scan results. |
| `flaws\remediation_desc` | Description of how to remediate flaws discovered during Manual Penetration Testing. |
| `flaws\remediation_status` | Remediation status: either New, Open, Re-Open, or Fixed. |
| `flaws\remediationeffort` | Level of effort required to remediate the flaw: a value of 1-5, where 5 is the most difficult. |
| `flaws\scope` | Approximate classpath for flaws in binaries that do not have debug symbols. |
| `flaws\severity` | Severity of the flaw, ranging from 1-5, where 5 is the most severe. |
| `flaws\severity_desc` | Description of the flaw severity, where 5 is Very High (VH), 4 is High, 3 is Medium, 2 is Low, and 1 is Very Low (VL). |
| `flaws\sourcefile` | Name of the source code file in which the flaw is located. |
| `flaws\sourcefilepath` | Filepath of the source code file in which the flaw is located. |
| `flaws\type` | Description of the type of flaw. |
| `flaws\url` | URL where the flaw is located by the DynamicDS scan. |
| `flaws\version` | Version of the application in which the flaw is located. |
| `generation_date` | Date of results report generation. |
| `grace_period_expired` | Parameter to indicate if flaws have existed in the most recent scan of this application for longer than the acceptable grace period. |
| `last_update_date` | Date of publication of the most recent scan of this application. |
| `lifecycle_stage` | Lifecycle stage of this application, such as external or beta testing. |
| `manual_score` | Security quality score for the most recently published results of Manual Penetration Testing of the application. |
| `mitigated_rating` | Deprecated field. Score in the previous Veracode scoring system. |
| `modules` | Parent field of the collection of ArcherRecords that describe the scans. |
| `modules\analysis_type` | Type of scan: static, dynamic, or manual. |
| `modules\architecture` | Architecture on which the application was built or compiled. |
| `modules\compiler` | Name and version of the compiler of the module. |
| `modules\module` | Name of the module. |
| `modules\os` | Name of the operating system for which the module is targeted. |
| `modules\target_url` | Target URL that the DynamicDS scan is to analyze. |
| `planned_deployment_date` | Specified deployment date of the application, if provided. |
| `platform` | Platform used for the application scan. |
| `policy_compliance_status` | Description of the policy compliance of the application: values include Calculating, Did Not Pass, Conditional Pass, and Pass. |
| `policy_name` | Name of the policy assigned to the application. |
| `policy_rules_passed` | Parameter to indicate if the application passed the policy rules. |
| `policy_version` | Policy version. |
| `rating` | Deprecated field. Score in the previous Veracode scoring system. |
| `scan_overdue` | Parameter to indicate if the length of time since the last scan of this application is unacceptable according to the associated policy. |
| `static_score` | Security Quality Score for the most recent static scan of this application. |
| `submitted_date` | Submission date of the most recent static scan of this application. |
| `tags` | Comma-delimited list of metadata tags associated with this application. |
| `teams` | Customer teams assigned to the application. |
| `version` | Version of this application. |