Traceable's Issues page provides a view of detected API security issues, enabling you to monitor, analyze, and remediate them effectively. The Issues page lists these issues, providing important information such as severity, endpoint count, and OWASP category.
What will you Learn from this Topic?
By the end of this topic, you will be able to:
Understand the Issue Flow navigation and drill down into each issue to access its evidence, context, and logs.
Update the status of issues and remediation methods.
Understand the Issue auto-resolution and deletion logic based on the detection sources.
Refer to the Issues Overview to understand issues, their lifecycle, and their key components.
Navigating the Issues Flow
When you first land on the Issues page, Traceable shows a list of detected issues, grouped by their name. This list displays key information, including Severity, Last Seen, and the Number of API Endpoints where the issue was observed. The grouping and filtering options enable you to narrow your focus based on a specific indicator. After applying these options, you can drill down into a specific issue to view more detailed information, such as Overview, References, and Status Log.
You can view the evidence for a particular issue for deeper analysis of the data, including its URL, status code, last seen, mutations, and assertions. The Detailed View page for an issue is divided into sections that offer data, logs, and insights that help you understand its impact on your application.
1. Main Issues View
Upon navigating to the Issues page, Traceable displays a comprehensive list of issues in the Open or Reopened state. This page serves as a dashboard where you can:
Main Issues View
View Listed Issues — Each issue is presented with details such as its severity, the number of endpoints it was observed in, and OWASP category, etc. For more information, see Issue Listings.
Group and Filter — While Traceable groups the data on the page based on Issue Names by default, you can group the data based on other categories as well. Additionally, you can filter data based on the issue's impact or your specific requirements. For more information, see Grouping and Filtering Options.
2. Drilling Down into an Issue
After choosing how to group and filter the issues, you can drill down into a specific issue for a more granular view. Based on the grouping, click a list item to view the issues under it, and then click the Issue Name. The detailed view page highlights the following information about the issue:
Issue Details — The top section of the page provides details about the issue, including the Endpoint, Source, Last Seen, Severity, CVSS Score, OWASP Rank, and CWE Rank. Using these details, you can take the necessary steps to mitigate such issues and enhance your application security.
Overview — The Overview section provides a description of the issue, its impact, attack methodology, and how you can mitigate such issues. Traceable also provides you with the Issue Evidence for you to drill down on. Traceable gathers this evidence for each issue. The 5 latest pieces of evidence as seen in the last 24 hours are shown in the tab. Further, you can view the detailed span for each piece of evidence. Using the evidence, you gain access to critical details about the issue, which helps you assess the severity of the issue and work towards its remediation.
Note
For dormant APIs, Traceable shows the 5 latest evidences that it has seen in 90 days.
For issues having AST as the Source, you can customize the detection conditions according to your requirements. For more information, see Mutation and Assertion Overrides.
If you have enabled AI Features in your account, Traceable shows AI Generated Insights along with the Evidence in the Overview section. These insights are context-sensitive, and you can use them to analyze, prioritize issues, and work towards their remediation.
.png)
AI Generated Insight
References — The References tab provides curated links to trusted external sources where you can gather deeper insights into the nature, impact, and remediation of an issue. This tab helps you understand key details about the issue, such as the attack mechanism and the effect, which you can use for remediation.
Status Log — The Status Log tab provides you with a timeline of all status changes related to the issue, along with the timestamps and status updates. This helps you track the issue lifecycle and understand when and how the issue was opened, reopened, or fixed.
Remediation — Based on the above details, you can take the necessary actions towards remediation of the issue. Traceable provides the following options for you to do so:
Integrations — Traceable supports multiple integrations for you to choose from. You can use either of these to create tickets in your corresponding projects and work towards their remediation. For more information, see Integrations.
Status Change — You can use the drop-down to change the status of an issue based on your requirements. While changing the status, Traceable also shows a pop-up window where you can specify a comment for the status change. This helps you maintain a log of historical events related to the issue. Further, this comment is visible in the Status Log tab of the issue where you changed the status. For more information on the available statuses, see Issue Status Management and Remediation.
Issue Status Management and Remediation
Traceable enables you to create integration tickets and change the status according to your requirements for issue remediation.
Supported Statuses
You can manually change the state of the detected issue to any of the following:
State | Description |
|---|---|
Open | Traceable has detected an issue. |
Under review | The issue has been acknowledged. You are taking steps to close it. |
Fixed | The issue has been closed. Traceable continues to monitor the asset (API endpoint or service) even after you mark it as fixed. If Traceable finds new issues, it automatically moves them to an Open state for you to review and resolve. |
Not an issue | Move the issue to a Not an Issue state when you do not want Traceable to report it. If Traceable continues to see this issue category, it does not move it to an open state. |
Accepted risk | You can move the issue to this state when you understand and accept the impact. |
Issue Remediation
You can update the status or create integration tickets using either of the following methods:
Individual Update — Update the status or create tickets for each issue individually.
Bulk Update — Update the status or create tickets for multiple issues at once.
The following tabs highlight the steps for the above methods.
To remediate an issue, complete the following steps:
If the Issues page is grouped by a category, click the arrow corresponding to the category.
Click the issue name you wish to remediate.
In the Issue Detailed View page’s top right corner, click the Integration icon(s) or Status drop-down according to your requirements.
Note
If you have not configured an integration, you can do so directly by clicking the relevant Integration icon. For the configuration steps, see the corresponding document under Integrations.
Do one of the following:
If you clicked the Integration icon(s), specify the ticket details according to your requirements.
If you clicked the Status drop-down, change the status, and add the comment in the pop-up window according to your requirements. This helps you maintain a log of historical events related to the issue. Further, the comment is visible in the Status Log tab of the Issue’s Detailed View.
Bulk Update
You can remediate multiple issues at once by performing a bulk update. This includes changing the issue status in Traceable or creating Jira tickets for multiple issues simultaneously.
Step 1: Select Issues
Navigate to the Issues page.
Use filters or grouping as needed to narrow down the list.
Select the checkboxes next to the issues that you want to update.
Step 2: Perform Bulk Action
At the bottom of the page, click one of the following options:
Update Status – to update the status of the selected issues within Traceable.
Jira icon – to create Jira tickets for the selected issues.
Note:
Bulk ticket creation is currently supported only for the Jira integration.
You must have an existing Jira integration configured to create tickets. If not already configured, clicking the Jira icon will prompt you to complete the integration setup. For configuration steps, see Jira Integration.
Updating Issue Status in Bulk
When you click Update Status, a pop-up window appears where you can:
Select the new status for the selected issues.
Optionally add a comment describing the change.
The status change is reflected in the Status Log tab of each issue. Additionally, if the issues are linked to Jira tickets, the status update is synchronized with Jira through Traceable’s bidirectional sync feature.
Creating Jira Tickets in Bulk
When you click the Jira icon, a ticket creation dialog is displayed. This dialog allows you to specify the project and issue type for the Jira tickets. You can choose between two modes:
Single Ticket
Creates one Jira ticket that includes information for all the selected issues. The summary and description fields are populated with a combined view of the selected issues.Separate Tickets
Creates an individual Jira ticket for each selected issue. Each ticket contains information specific to one issue. You can preview and customize each ticket before submitting.
.png)
Handling Issues Already Linked to Jira
If one or more of the selected issues are already linked to Jira tickets, you are presented with two options:
Ignore linked issues – Jira tickets will be created only for issues that are not currently linked.
Unlink and create new – Existing Jira links will be removed, and new tickets will be created for all selected issues, including those previously linked.
Additional Consideration
When creating Jira tickets in bulk, you can also update the issue status using the Update Status option from the same selection view. This bulk update action is fully compatible with the bidirectional sync functionality between Traceable and Jira, ensuring that updates made in Traceable are reflected in Jira and vice versa.
Issue Auto-Resolution
While you can resolve an issue by changing its status to Fixed, Traceable also auto-resolves it. The following table lists the applicability and scenario of auto-resolution for each source:
Note
The updated status of the auto-resolved issues may take up to 24 hours to reflect on the Traceable platform.
Applicability and Scenario → Source | Auto-Resolution | Scenario 1 | Scenario 2 |
|---|---|---|---|
Live Traffic | Yes | Traceable has not detected the issue in the 14 days since its last occurrence. | - |
API Security Testing | Yes | Traceable has not detected the issue in the 60 days since its last occurrence. | Traceable does not detect the issue in the 15 scans following its last observation. |
Compliance | Yes | Traceable has not detected the issue in the 14 days since its last occurrence. | - |
Issue Deletion
You can delete detected issues from the Issue Detailed View by changing their status to Fixed or Not an issue. Traceable also deletes issues if they are deleted from all Sources. For example, let us say an issue has Live Traffic and AST as the Source. Then, Traceable deletes the issue when it is deleted from both Sources.