Findings

Findings (or vulnerabilities as they are also commonly known) are a cornerstone of Canopy. When working on a project, the results of the project are stored as findings, which are typically included in the report (some high level reports only make use of finding statistics).

A key aspect of the finding is its ability to record sufficient information to help the receiving client to understand the identified issue. The following text fields are defaults in Canopy, with their descriptions acting as a suggested use:

  • Summary: Used to capture a brief summary of the finding.

  • Background: Used to describe the background information necessary to understand the issue at hand. For example, a finding for SQL injection may include key information to help the user understand SQL injection from its origins, before describing the impact to the client in question.

  • Description: Used to explain the finding in more detail, specifically focusing on its applicability to the current client and the target asset of the project.

  • Recommendation: Used to provide recommendations to help address the issue and reduce risk.

  • Re-test update: Used to capture update information and other details noted during a re-test phase.

Access control

Access to findings is inherited from the project. This means that whoever has access to the project (read, write, admin) has the same authority over its findings.

Listing findings

The finding list can be found under the phase view. This list allows a user to sort and filter findings, access them and add new findings (manually or from the KB).

[Screenshot: finding list]

Adding a finding

A Finding can be added to a Phase in different ways. The most common approaches are to re-use a Finding from the Findings KB, or to import from support tools. In this section, we expand on all options supported via Canopy’s web UI.

Starting with a blank finding

If you have no previous write-ups and you’re not working with tool imports, you can add a blank finding. To add a finding manually:

  1. Access the phase of the project you’re working on.

  2. Click the + FINDING button.

  3. Complete the form and save.

Adding a finding from the KB


To add a finding from the KB:

  1. Access the phase of the project you’re working on.

  2. Click the + FROM KB button.

  3. Select the findings you want to add to the phase. It is possible to filter and multi-select.

  4. Click the ADD button.

[Screenshot: adding a finding from the KB]

Adding a finding via tool imports


To add findings via the tool importer, drag and drop the supported tool's results file onto the File Uploads section of the phase view. If the file is from a supported tool and in a supported format, the import happens automatically. The import process copies data from the file in order to create findings, assets, examples, references and more.

[Screenshot: File Uploads section]

For further info on supported tools see Supported tools.

Adding a finding from the project

Canopy supports re-testing of previously reported findings. Findings can be selected during the re-test phase creation step. However, it’s also possible to add findings from previous phases via the From Project button, which is accessed by clicking on the + FROM KB button on the Phase view.

Editing a finding (Improved in 3.9!)

In Canopy 3.9, we have added support for inline editing. This makes Finding editing a lot more intuitive.

[Screenshot: inline editing of a finding]

However, you can still edit in “all fields” mode:

[Screenshot: full edit mode of a finding]

To edit a finding using inline editing, open the finding you want to work on and click the specific field. Depending on the type of field, you may or may not see a save button. If there is no save button, the change (e.g. a selection from a drop-down, or a change of date) is saved automatically as soon as it is made.

To edit in full field mode, click on the edit icon. The finding is presented with all fields enabled for editing, with options at the bottom of the page to save or cancel the modifications.

Rating systems

Finding rating systems are used to tailor Canopy to the risk rating needs of each company and their clients. By default, Canopy uses a Critical-to-Info rating system alongside CVSSv2 and CVSSv3. When users need their own rating system, it can be added through the use of custom fields (i.e. to store rating values) and a custom rating calculator plugin. This gives Canopy significant flexibility in adapting to the specific needs of each company that uses it.

We are happy to provide support in adding custom finding rating systems. We also provide support material to help write your own. For further information, see Extending Canopy.

Adding a finding to the KB

Canopy’s Findings Knowledge Base (KB) provides a useful way for storing reusable findings. This is quite common practice in industry, although used to varying degrees. In order to add a finding to the KB:

  1. Access the finding view from the phase findings list (or project phase list).

  2. Click on the ellipsis and click the Add to KB option.

The finding will then be added in an unapproved state to the KB.

Deleting a finding

Findings can be deleted individually (via the finding view) or as a selection via the phase finding list.

Exporting findings

Findings can be exported as part of a phase export.