The Findings Format is used, for example, to export data to other applications such as DefectDojo; however, some necessary and/or useful information is not yet included in the findings.
Therefore we will collect a list of possible improvements here. We are happy about any suggestions from the community.
Release 4.0 Scope
- Add a timestamp of when a finding was identified (called `identified_at`). It should be optional, as we do not always have this exact information. Tracked in: Added optional `identified_at` parameter to findings #1434
- Add a timestamp of when a finding was parsed (called `parsed_at`) as a fallback when `identified_at` is not present. Will be solved by: Added Timestamps to Findings JSON File #492
- Add additional JSON attributes that give information about how a finding was identified ("evidence", "steps_to_reproduce"?) or what impact it has ("impact"?), see ⚙️ Add a generic (SCB) finding importer to the DefectDojo Integration Hook #332 (comment). @secureCodeBox/contributer-team do we have any data available to do this?
- Add an optional JSON attribute "mitigation" for solutions describing how the vulnerability might be fixed; it can be populated e.g. from "zap_solution" in ZAP. Tracked in: Added optional `mitigation` attribute to findings #1639
- Make `severity`, `category` and `name` required (breaking change => update the findings format check).
- Add an optional JSON attribute "cve" for CVEs, as present e.g. in Trivy. Tracked in: Added references attribute to findings #1676
- Add an optional JSON attribute "cwe" for CWEs, as present e.g. in ZAP. Tracked in: Added references attribute to findings #1676
- Add an optional JSON attribute "notes"/"other"/"additional_info" for other important information text that clarifies the vulnerability.
Additional Ideas for further development
- Add an optional JSON attribute "vulnerability_id_from_tool" for the ids that the specific scanners assign to vulnerabilities.
@secureCodeBox/contributer-team please share any ideas you have in the comments.
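To make the attributes listed above concrete, here is an added example (not code from the secureCodeBox project) of the checks an exporter would run over a finding before handing it to a tool like DefectDojo: the required-attribute check for `name`, `severity` and `category`, the `identified_at` to `parsed_at` fallback, extraction of CVE/CWE ids and pass-through of `mitigation`, `notes` and `vulnerability_id_from_tool`. It assumes ISO 8601 timestamp strings and that CVE/CWE ids live in a `references` list of `{"type", "value"}` objects (an assumption about the outcome of #1676, not something this issue specifies); the sample findings and their ids are constructed placeholders.

```python
"""Validation and export helpers for a finding record (added example).

Assumptions, not taken from the secureCodeBox project: timestamps are ISO 8601
strings; CVE/CWE ids are entries in a "references" list of {"type", "value"}
objects; "mitigation", "notes" and "vulnerability_id_from_tool" are plain text.
"""
from datetime import datetime

# Attributes this issue proposes to make mandatory.
REQUIRED_ATTRIBUTES = ("name", "severity", "category")


def parse_timestamp(value):
    """Parse an ISO 8601 string ('Z' suffix allowed); None if it does not parse."""
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding passes the check."""
    problems = []
    for key in REQUIRED_ATTRIBUTES:
        value = finding.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"required attribute '{key}' is missing or empty")
    for key in ("identified_at", "parsed_at"):
        value = finding.get(key)
        if value is not None and parse_timestamp(value) is None:
            problems.append(f"'{key}' is not an ISO 8601 timestamp: {value!r}")
    refs = finding.get("references")
    if refs is not None and (
        not isinstance(refs, list)
        or any(not isinstance(r, dict) or "type" not in r or "value" not in r for r in refs)
    ):
        problems.append("'references' must be a list of {type, value} objects")
    return problems


def effective_timestamp(finding):
    """Return (datetime, source attribute): identified_at if present, else parsed_at."""
    for key in ("identified_at", "parsed_at"):
        if finding.get(key):
            ts = parse_timestamp(finding[key])
            if ts is not None:
                return ts, key
    return None, None


def vulnerability_ids(finding):
    """Collect CVE and CWE ids from the references list (assumed layout)."""
    ids = {"cve": [], "cwe": []}
    for ref in finding.get("references") or []:
        kind = str(ref.get("type", "")).lower()
        if kind in ids:
            ids[kind].append(str(ref["value"]))
    return ids


def export_record(finding):
    """Build the flat record an importer would consume; reject invalid findings."""
    problems = validate_finding(finding)
    if problems:
        raise ValueError("; ".join(problems))
    ts, source = effective_timestamp(finding)
    ids = vulnerability_ids(finding)
    return {
        "title": finding["name"],
        "severity": finding["severity"],
        "category": finding["category"],
        "date": ts.date().isoformat() if ts else None,
        "date_source": source,  # lets the importer see when parsed_at was the fallback
        "mitigation": finding.get("mitigation"),
        "cve": ids["cve"][0] if ids["cve"] else None,
        "cwe": ids["cwe"],
        "notes": finding.get("notes"),
        "vulnerability_id_from_tool": finding.get("vulnerability_id_from_tool"),
    }


# Constructed sample: a finding carrying every attribute discussed in the issue.
COMPLETE_FINDING = {
    "name": "Example vulnerable component",
    "category": "Vulnerable Component",
    "severity": "HIGH",
    "identified_at": "2024-01-05T10:15:00Z",
    "parsed_at": "2024-01-05T10:20:30Z",
    "mitigation": "Upgrade the affected library (text a scanner's 'solution' field would provide).",
    "references": [
        {"type": "CVE", "value": "CVE-0000-00001"},  # placeholder, not a real CVE id
        {"type": "CWE", "value": "CWE-000"},         # placeholder, not a real CWE id
        {"type": "URL", "value": "https://example.invalid/advisory"},
    ],
    "notes": "Constructed sample record.",
    "vulnerability_id_from_tool": "TOOL-ID-PLACEHOLDER",
}

# Constructed sample: no identified_at (only parsed_at) and no severity.
PARSED_ONLY_FINDING = {
    "name": "Missing security header",
    "category": "Header",
    "parsed_at": "2024-01-05T10:20:30Z",
}

if __name__ == "__main__":
    print(export_record(COMPLETE_FINDING))
    print(validate_finding(PARSED_ONLY_FINDING))
```

`export_record` refuses a finding that fails the required-attribute check, which is the behaviour the "breaking change" bullet implies once `severity`, `category` and `name` become mandatory; `date_source` records whether the exported date came from `identified_at` or from the `parsed_at` fallback, so downstream consumers can tell a scanner-reported time from a pipeline time.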