... | ... | @@ -37,3 +37,36 @@ The analysis will start and the user will be reported when the analysis is finis |
After the analysis is finished, in order to see the results of the analysis, the user should click on the tile of the project in order to select it, and then on the "Security Report" option that is available on the Menu on the left side of the web page.
![vm4sec-execute-view-analysis-results-highlighted](uploads/b4a2c32be3cf69f5a209d6ca50b2d27a/vm4sec-execute-view-analysis-results-highlighted.png)
# Security Page
At the first part of the page, the results of the Quantitative Security Assessment web service for the "sonar-scannet-ant" project are presented (see figure below). As can be seen by this figure, the overall _Security Index_ of the analysed application is shown both in a numerical and in a discrete form (i.e., stars). In addition to this, two radar charts are provided, showing the individual scores of the Security Properties and Security Characteristics.
![vm4sec-sec-rep-qsa-1](uploads/121a726c680cf2ffd2247bcfad45a30d/vm4sec-sec-rep-qsa-1.PNG)
Apart from these high-level charts, a detailed table with the specific security issues that were identified through static analysis (and used for the calculation of the high-level scores presented above) is also provided on the same page. A screenshot of this table (containing the results of the "sonar-scannet-ant" project) is presented below:
![vm4sec-sec-rep-qsa-2](uploads/00f4116bb2b67a4745abd48d046e9354/vm4sec-sec-rep-qsa-2.PNG)
The high-level charts are expected to give a high-level overview of the broader security level of the analyzed software and pinpoint broader security problems, whereas the detailed table allows developers identify the exact issues that need to be fixed in order to improve the security of the application.
For instance, in the given project, as can be seen in the figure above, the analyzed application receives a relatively high overall security score (i.e., *Security Index*). In particular, the _Security Index_ was found to be 72%, which is a relatively high security score.
> **Attention:** It should be noted that the _Security Index_ is a relative score that denotes how the analyzed software project compares to the software projects that were used for the calibration of the model (i.e., 100 most popular Java projects from the Maven Repository). For instance, a really high _Security Index_ (e.g., close to 100%) indicates that the security of the analyzed software is comparable to the top 5% of the most secure projects of the selected benchmark (i.e., Maven Repository projects).
However, there is space for improvements. A closer look at the radar chart of the *Security Properties* reveals that a small score is assigned by the service to the *Logging* property. Hence, based on this observation, the developers could better organize their refactoring activities, by starting from issues that belong to this *Security Property*. Hence, the developers, through the detailed table, could narrow down their focus only to the static analysis alerts (i.e., security issues) that are related to the *Logging* property.
The second part of this page contains the results of the *Vulnerability Prediction* mechanism. The purpose of the *Vulnerability Prediction* web service is to detect security hotspots, i.e., source code files that belong to a software project and are likely to contain vulnerabilities.
> **Attention:** Contrary to the QSA mechanism which is based on the results of static code analysis, the Vulnerability Prediction mechanism is based on text mining of the source code and particularly on concepts retrieved from the field of Natural Language Processing (NLP). Hence, the results of the QSA are not used by the Vulnerability Prediction mechanism, meaning that the two mechanisms are independent, and are meant to be used complementarily.
The results of the *Vulnerability Prediction* web service are presented both in graphical and in tabular form. As can be shown in the figure below, the results of the vulnerability prediction are illustrated in the form of a heatmap. It should be noted that the heatmap contains the results of the "sonar-scanner-ant" project.
![vm4sec-sec-rep-vpm-1](uploads/19caf2f6b3a6c0807ac53afa9d0a6002/vm4sec-sec-rep-vpm-1.PNG)
In this heatmap each rectangle corresponds to a specific source code file of the analyzed software project, whereas the color of the rectangle denotes the probability of the corresponding source code file to contain vulnerabilities. More specifically, the darker the shade of the rectangle, the higher the probability of its associated source code file to contain vulnerabilities. This visualization is considered very useful for the developers and project managers, as it allows them to easily pinpoint the hotspots of the software project, i.e., source code files that are likely to be vulnerable.
The detailed results of the vulnerability prediction analysis are also provided in the form of a table (see figure below). Each line of the table contains information for a specific source code file of the analyzed software project, including its vulnerability status and its probability of containing vulnerabilities. The table also allows the user to rank the source code files based on their probability to contain vulnerabilities. This is expected to facilitate the prioritization of the testing and fortification efforts of the software developers, by allocating limited test resources to high risk (i.e., potentially vulnerable) areas. For example, more exhaustive security testing can be applied to source code files that are more likely to contain vulnerabilities.
![vm4sec-sec-rep-vpm-2](uploads/c3abb80204b4d91e4cf1d9a6baee5084/vm4sec-sec-rep-vpm-2.PNG)
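Review bot: the project name is spelled inconsistently in this hunk: the two QSA paragraphs ("the results of the Quantitative Security Assessment web service for the ..." and "A screenshot of this table (containing the results of ...)") write "sonar-scannet-ant", while the Vulnerability Prediction paragraph and the heatmap image name use "sonar-scanner-ant"; the latter matches the image files, so the two earlier occurrences look like typos and should read "sonar-scanner-ant". Two smaller points: "allows developers identify the exact issues" is missing "to" ("allows developers to identify"), and since the first Attention box defines the Security Index as a score relative to the 100 calibration projects, the sentence calling 72% "a relatively high security score" would be clearer if it said what 72% means against that benchmark, the way the box does for scores close to 100%. In the unchanged context line of the header, "the user will be reported when the analysis is finished" should read "notified".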