Understanding Hybrid (SAST/DAST) Correlation
When Hybrid Correlation is enabled, URL-located results (typically from DAST) can be correlated with file-located results (typically from SAST) by mapping each result URL to a set of source code locations. A URL-located result and a file-located result are correlated if the file location overlaps any of the source locations discovered for that URL. (Data flows attached to a result are also checked for overlaps, so a result whose primary location does not overlap can still correlate through one of its data-flow steps.)
Source code is analyzed (for supported languages and frameworks) to determine the specific files and line ranges that declare the endpoint serving the URL path. If binaries are also provided, Software Risk Manager automatically builds a call graph starting from the identified endpoint declaration to collect additional locations to compare against. (Call graph generation is only supported for JVM and CLR binaries.)
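The following is an added illustration of the matching rule described above, not Software Risk Manager's own code: a constructed endpoint map (endpoint declaration plus a call-graph-derived location), a few constructed SAST and DAST findings, and a correlation pass that checks file-and-line-range overlap against the primary location and each data-flow step. Class names, sample paths and finding ids are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass(frozen=True)
class FileLocation:
    path: str
    start_line: int
    end_line: int

    def overlaps(self, other: "FileLocation") -> bool:
        # Same file and the two inclusive line ranges intersect.
        return (self.path == other.path
                and self.start_line <= other.end_line
                and other.start_line <= self.end_line)

@dataclass
class SastFinding:
    id: str
    location: FileLocation
    data_flow: list = field(default_factory=list)  # FileLocation steps

@dataclass
class DastFinding:
    id: str
    url: str

# Constructed endpoint map: URL path -> source locations found for it.
# The second UserService entry stands in for a location a call graph added.
ENDPOINT_MAP = {
    "/api/users": [FileLocation("src/UserController.java", 40, 60),
                   FileLocation("src/UserService.java", 10, 30)],
}

SAST_FINDINGS = [
    SastFinding("S1", FileLocation("src/UserController.java", 45, 45)),
    # S2's primary location does not overlap, but a data-flow step does.
    SastFinding("S2", FileLocation("src/Repo.java", 5, 5),
                [FileLocation("src/UserService.java", 20, 22)]),
    SastFinding("S3", FileLocation("src/Other.java", 1, 9)),
]

DAST_FINDINGS = [DastFinding("D1", "https://app.example/api/users?id=5"),
                 DastFinding("D2", "https://app.example/api/login")]

def correlate(dast, sast, endpoint_map):
    """Return (dast_id, sast_id) pairs whose locations overlap."""
    pairs = []
    for d in dast:
        candidates = endpoint_map.get(urlsplit(d.url).path, [])
        for s in sast:
            checked = [s.location, *s.data_flow]
            if any(c.overlaps(loc) for c in candidates for loc in checked):
                pairs.append((d.id, s.id))
    return pairs
```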