Findings Data Dictionary

The following definitions describe the dimensions and measures used on the findings explore in Veracode Analytics.

Dimension: Description
Application Custom Fields: The metadata entered in application custom fields 1-25. Located under Application > Metadata > Asset > Custom Fields.
Application ID: The unique numerical identifier of the application profile, assigned by Veracode.
Application Name: The name of the application, entered by the user when creating the application profile on the Veracode Platform.
Application Passed Policy (Yes/No): Whether the application passed policy compliance. Values are Yes or No.
Application Purpose: The business purpose of the application, taken from the application metadata.
Application Rescanned (Yes/No): Whether the application was rescanned. Values are Yes or No.
Application Scanned (Yes/No): Whether the application was scanned. Values are Yes or No.
Archer Application Name: The application name under which the data is published to Archer. Located under Application > Metadata > Archer Name.
Business Owner Email: The email address of the business owner of the application.
Business Owner Name: The first and last name of the user responsible for the application. Located under Application > Profile > Organizational Information.
Business Unit: The name of the business unit.
Created Date: The date the application profile was created.
Current Policy: The policy currently assigned to the application.
Current Policy Compliance: The policy compliance of the application, based on the latest scan results.
Industry: The industry for which the application is used. Located under Application > Metadata > Industry.
Initial Published Date: The earliest date on which a scan of the application was published.
Latest Published Date: The most recent date on which a scan of the application was published.
License Account: The account that licensed the scans. For third-party applications, it is the account that paid for the scan; for SDLC applications, it is the same as the Scanning Account.
License Type: The type of license, either SDLC or Third-party. Most applications use the software delivery lifecycle (SDLC) license, which covers internal testing of first-party software. The third-party license, which is not commonly used, lets a software supplier test the code it is developing for the Veracode user through the Veracode Platform.
Requested a Consultation: Whether a consultation (readout) with Veracode application security consultants has been requested for the application, to help understand Veracode scanning and results. Values are Readout Requested or No Readout Requested.
Scanning Account: The account in which the scans were run. For SDLC applications, it is the same as the License Account; for third-party applications, it is the vendor account. Third-party applications are not commonly used.
Scanning Status: The scanning status of the application. Values are DynamicMP + SDLC, DynamicMP Only, No Published Policy Scans, and SDLC only.
Tags List: The tags added to the application in its metadata. Tags let users organize their applications.
Web Application Flag: Whether the application is a web application. This flag is set on the application metadata page.

Applications Measures

Measure: Description
Application Scan Counts: The counts of applications scanned, rescanned, and not scanned in the past 90 and 365 days.
Applications with Consultations: The number of applications for which a security consultation has been requested.
Count: The number of distinct application IDs.
Percentage of Applications with Consultation Requests: The percentage of applications for which a consultation call was requested.

CWE Dimensions

Dimension: Description
Category Name: The name of the common weakness enumeration (CWE) category of the finding.
Description: The description of the CWE category of the finding.
Flaw Name: The CWE name of the finding.
ID: The CWE ID of the finding. This dimension is most useful when combined with the Flaw Name dimension.
OWASP 2013: The category of the 2013 Open Web Application Security Project (OWASP) Top 10 to which the CWE of the finding maps.
OWASP 2017: The category of the 2017 OWASP Top 10 to which the CWE of the finding maps.
Remediation Effort: The level of effort required to remediate the finding.
SANS 25: The category of the SANS Top 25 to which the CWE of the finding maps. The SANS Top 25 lists the most significant errors that can lead to software vulnerabilities.
Top 5 Categories: The top five categories of the SANS Top 25 list, by the CWE of the finding.

Findings

Dimension: Description
Application ID: The ID of the application associated with the finding.
Custom Severity: The user-defined severity of the finding. Located under Policy > Policies > Custom Severities.
Custom Severity Description: The description of the user-defined severity assigned to the finding.
Custom Severity Name: The name of the severity of the finding. Values are Informational, Very Low, Low, Medium, High, or Very High.
CWE ID: The ID and name of the common weakness enumeration (CWE) of the finding.
Description: A brief description of the finding. For the category description, see the CWE Description dimension.
Exploitability: The rating of the likelihood that an attacker could exploit the finding.
Exploitability Description: The description of the exploitability rating of the finding.
Fixed Date: The date the finding was closed because it was no longer present in the scan results for the application, that is, the finding was fixed or remediated.
Finding Status: The status of the finding. Values are Open or Closed.
First Found Date: The date the finding was first found. You can filter by Date, Month, Quarter, Time, Week, or Year.
Flaw Age: The number of days between the date the finding was found and its Resolved Date. If the finding has no resolved date, today's date is used instead.
Flaw Age Tier: The Flaw Age of the finding bucketed by the number of days it has been open. Values are 1, 7, 30, or 90 days.
Flaw ID: The ID of the finding on the Veracode Platform.
Last Found Date: The date the finding was last found. You can filter by Date, Month, Quarter, Time, Week, or Year.
Mitigation Status: The latest mitigation workflow status of a mitigation on the finding. Values are Proposed, Accepted, Rejected, or Not Mitigated.
Most Recent Mitigation Details: The fields in this menu give the details of the most recent mitigation:
  • Acceptance Date - the date the most recent mitigation proposal was accepted.
  • Acceptance Time - the time the most recent mitigation proposal was accepted.
  • Proposal Date - the date the most recent mitigation proposal was made.
  • Proposal Time - the time the most recent mitigation proposal was made.
  • Rejection Date - the date the most recent mitigation proposal was rejected.
  • Rejection Time - the time the most recent mitigation proposal was rejected.
New Finding (Yes/No): Whether the finding is new. Values are Yes or No.
Policy or Sandbox Scan: Whether the finding was found in a policy scan or a sandbox scan.
Policy Rule Passed: Whether the finding passed the policy rule.
Policy Rule Passed (Yes/No): Whether the finding passed the policy rule. Values are Yes or No.
Reopened Date: The date the finding was reopened. You can filter by Date, Month, Quarter, Time, Week, or Year.
Reopened Finding (Yes/No): Whether the finding is a reopened finding. Values are Yes or No.
Resolved Date: The date the finding was closed, either through remediation, meaning the finding is no longer present in the results, or through an approved mitigation or resolution workflow. You can filter by Date, Month, Quarter, Time, Week, or Year.
Resolution and Mitigation Status: The latest resolution workflow status of the finding. Values are Proposed, Accepted, Rejected, Closed through Scan, or No Resolution/Mitigation. A finding can be resolved through the mitigation workflow or through a scan.
Resolution and Mitigation Type: The type of the latest mitigation workflow or resolution applied to the finding. Mitigation workflow types are Mitigated by Design, Mitigated by OS Environment, and Mitigated by Network Environment. Other resolution types are Proposed Custom Cleansing Function, Reviewed - No Action Taken, and Remediated by User. The resolution type for a finding closed through a scan is Fixed.
Sandbox Name: The name of the sandbox in which the finding was found.
Scan Type: The type of scan that produced the finding. Values are Dynamic, Static, or Manual Penetration Test.

Findings Measures

Measure: Description
Average Mitigation Process - Days: The average number of days between a mitigation being proposed for a finding and that proposal being accepted.
Time to Resolve: The number of days from the date a finding was opened or reopened to the earliest subsequent resolution, where a resolution is either remediation or an accepted mitigation. This measure is always calculated per context: it measures the time to resolve a finding within a single sandbox, not across the multiple instances of the same finding in several sandboxes.
Total Mitigation Process Days: The total number of days that elapsed between mitigations being proposed for findings and those proposals being accepted.
Total Number of Flaws - Application: The total number of findings per application. You can filter the count by severity.
Total Number of Sandbox Flaws: The total number of findings per sandbox. You can filter the count by severity.
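The following Python script, added here as an example and not part of Veracode Analytics or any Veracode API, recomputes the Flaw Age and Flaw Age Tier dimensions and the Time to Resolve and Mitigation Process Days measures defined above from a constructed findings export. The export layout, the pinned TODAY date and the tier bounds are assumptions; the same flaw seen in two contexts is measured separately, as the Time to Resolve definition requires, and a proposed-but-rejected mitigation contributes no process days.

```python
"""Recompute the finding age and resolution measures defined in this
dictionary (Flaw Age, Flaw Age Tier, Time to Resolve, Mitigation Process Days)
from a flat findings export. Added example, not Veracode code; the record
layout, TODAY and the tier bounds are assumptions."""
from datetime import date
from statistics import mean

# Constructed sample export (assumed layout): one row per finding per scan
# context (policy scan or a named sandbox). None means "has not happened".
FINDINGS = [
    # Closed by a later policy scan: resolution type Fixed.
    {"flaw_id": 1, "context": "policy", "first_found": "2024-01-10",
     "reopened": None, "resolved": "2024-01-25", "resolution": "Fixed",
     "proposed": None, "accepted": None},
    # Mitigated by Design: proposal -> acceptance is the mitigation process.
    {"flaw_id": 2, "context": "policy", "first_found": "2024-02-01",
     "reopened": None, "resolved": "2024-02-15",
     "resolution": "Mitigated by Design",
     "proposed": "2024-02-05", "accepted": "2024-02-15"},
    # Same flaw seen in a sandbox and still open there: measured separately.
    {"flaw_id": 2, "context": "sandbox-dev", "first_found": "2024-02-03",
     "reopened": None, "resolved": None, "resolution": None,
     "proposed": None, "accepted": None},
    # Reopened finding: Time to Resolve restarts at the reopen date.
    {"flaw_id": 3, "context": "policy", "first_found": "2023-11-01",
     "reopened": "2024-03-01", "resolved": "2024-03-31", "resolution": "Fixed",
     "proposed": None, "accepted": None},
    # Mitigation proposed but never accepted: still open, no process days.
    {"flaw_id": 4, "context": "policy", "first_found": "2024-04-01",
     "reopened": None, "resolved": None, "resolution": None,
     "proposed": "2024-04-03", "accepted": None},
]

TODAY = date(2024, 5, 1)       # pinned so the example is deterministic (assumption)
TIER_BOUNDS = (1, 7, 30, 90)   # assumed: a tier holds findings open <= that many days


def parse(value):
    """ISO date string -> date, passing None through."""
    return date.fromisoformat(value) if value else None


def flaw_age(rec, today=TODAY):
    """Flaw Age: days from the found date to the Resolved Date, or to today
    when the finding has no resolved date."""
    end = parse(rec["resolved"]) or today
    return (end - parse(rec["first_found"])).days


def flaw_age_tier(age_days):
    """Flaw Age Tier: the smallest tier bound the age fits under; None when
    the finding has been open longer than the largest tier (assumed handling)."""
    for bound in TIER_BOUNDS:
        if age_days <= bound:
            return bound
    return None


def time_to_resolve(rec):
    """Time to Resolve: days from the open (or latest reopen) date to the
    resolution in this context. Resolved Date already reflects either a fix
    or an accepted mitigation. None while the finding is open."""
    resolved = parse(rec["resolved"])
    if resolved is None:
        return None
    start = parse(rec["reopened"]) or parse(rec["first_found"])
    return (resolved - start).days


def time_to_resolve_by_context(records):
    """Per-context view: the same flaw in two contexts gets two values."""
    return {(r["flaw_id"], r["context"]): time_to_resolve(r) for r in records}


def mitigation_process_days(rec):
    """Days between a mitigation proposal and its acceptance; None if the
    proposal was rejected or is still pending."""
    proposed, accepted = parse(rec["proposed"]), parse(rec["accepted"])
    if proposed is None or accepted is None:
        return None
    return (accepted - proposed).days


def findings_measures(records):
    """Aggregate measures: Total and Average Mitigation Process Days,
    average Time to Resolve, and open and reopened counts."""
    mit = [d for d in map(mitigation_process_days, records) if d is not None]
    ttr = [d for d in map(time_to_resolve, records) if d is not None]
    return {
        "total_mitigation_process_days": sum(mit),
        "average_mitigation_process_days": mean(mit) if mit else None,
        "average_time_to_resolve": mean(ttr) if ttr else None,
        "open_findings": sum(1 for r in records if r["resolved"] is None),
        "reopened_findings": sum(1 for r in records if r["reopened"]),
    }


if __name__ == "__main__":
    for r in FINDINGS:
        age = flaw_age(r)
        print(r["flaw_id"], r["context"], "age", age, "tier", flaw_age_tier(age),
              "ttr", time_to_resolve(r), "mit", mitigation_process_days(r))
    print(findings_measures(FINDINGS))
```

Flaw 2 illustrates the per-context rule: its policy-scan instance resolves in 14 days while its sandbox instance stays open, so the two rows contribute independently and the sandbox row inflates Flaw Age but never Time to Resolve.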