During a scan, the scanner looks for vulnerabilities in the Target’s URLs. When it finds one, a finding is created. Findings are registered in Snyk API & Web, where you can perform the following actions on them:
Change a finding’s state
Change a finding’s severity
Change a finding’s assignee
Change a finding’s label
Re-test a finding
Add a note to a finding
Change State
A finding’s state can change either automatically (by the scanner, as a result of a target scan or re-test) or manually (by means of the user’s actions).
Using the Snyk API & Web interface, you can define a finding as “Accepted” if you acknowledge and accept its risk, or as “Invalid” if you consider it to be a false positive.
You can do so from either view of the finding's details or from the findings list:
from the side panel / small details screen, by clicking on the three vertical dots in the bottom-right corner and choosing the respective action:
from the full details page, by clicking on the respective button, on the bottom right of the screen:
or from the list of findings, by clicking the State dropdown:
These actions will be reflected in the finding’s State field.
To learn more about the findings’ states and how they can change, make sure to read this article.
Change Severity
Depending on the type of vulnerability found, its exploitability, impact, and scope, a CVSS score and severity classification are attributed to the finding, helping you prioritize vulnerability fixes.
While the CVSS score cannot be manually changed, you can still change the finding’s severity. This can be done directly from the finding’s details page:
either from the small details panel, by clicking on the three vertical dots to open the dropdown menu, and clicking on the Change severity option:
or from the full details page, by clicking on the respective button, on the bottom right of the screen:
Regardless of which method you choose, you can then define the intended value and save the change.
Once you do, Snyk API & Web will not change the severity back, so please make sure you really intend to make the change. You can read more about this in severity levels in findings.
Change Assignee
After a target scan or a re-test, you may want to assign a vulnerability to be taken care of by a certain team member. This can be done either through the finding’s details page, by clicking on the respective pencil icon next to the Assignee field, or through the Target's page or the Scan Results page, by selecting one or more findings and clicking on the respective dropdown.
To learn more about how to change a finding’s assignee, make sure to read this article.
Change Labels
To help you filter scan results, you may want to use finding labels. You can create and apply them to your findings:
through the finding’s details page, by clicking on the pencil icon that appears next to the respective field:
or through the findings list, by clicking on the Set labels dropdown:
Re-test
After fixing vulnerabilities previously reported by Snyk API & Web, you can re-test them to make sure they can no longer be exploited and are indeed resolved.
To start a re-test:
or access any list in which it is displayed (target's page, scan results page, or findings list), select it, and click on the Re-test button:
If, during a re-test, the scanner isn’t able to replicate the vulnerability, the finding is marked as Fixed; otherwise, it remains listed as Not Fixed until it can no longer be replicated by the scanner.
Add a note
When viewing a vulnerability’s details, you can add comments or notes for your teammates: scroll down to the bottom of the page, write the intended note, and press the Add note button. Please bear in mind that these notes are not a way to contact Snyk API & Web and should only be used to leave contextual information for your teammates.
















