Findings¶
Findings (also commonly called vulnerabilities) are a cornerstone of Canopy. The results of work on a project are stored as findings, which are typically included in the report (some high-level reports only make use of finding statistics).
A key aspect of a finding is its ability to record enough information for the receiving client to understand the identified issue. The following text fields are defaults in Canopy; their descriptions are suggested uses:
- Summary: a brief summary of the finding.
- Background: the background information needed to understand the issue at hand. For example, a finding for SQL injection may first explain what SQL injection is and how it arises, before describing the impact to the client in question.
- Description: the finding in more detail, focusing on its applicability to the current client and the target asset of the project.
- Recommendation: recommendations to help address the issue and reduce risk.
- Re-test notes: update information and other details noted during a re-test phase.
It is also possible to create custom fields to make the finding structure more tailored to each company’s needs.
Access control¶
Access to findings is inherited from the project: whoever has access to the project (read, write or admin) has the same level of access to its findings.
Listing findings¶
The finding list can be found under the phase view. It allows a user to sort and filter findings, open them, and add new findings (manually or from the KB).
Adding a finding¶
A finding can be added in three main ways:
Adding a manual finding¶
To add a finding manually:
1. Access the phase of the project you’re working on.
2. Click the + FINDING button.
3. Complete the form and save.
Adding a finding from the KB¶
To add a finding from the KB:
1. Access the phase of the project you’re working on.
2. Click the + FROM KB button.
3. Select the findings you want to add to the phase. It is possible to filter and multi-select.
4. Click the ADD button.
Adding a finding via tool imports¶
To add findings via the tool importer, drag and drop the supported tool results file onto the File Uploads section of the phase view. If the file is from a supported tool and in a supported format, the import happens automatically. The import process copies data from the file to create findings, assets, examples, references and more.
For further information on supported tools, see Supported tools.
Editing a finding¶
To edit a finding:
1. Access the finding view from the phase list (or project phase list).
2. Click the edit icon.
3. Edit and save.
Rating systems¶
Finding rating systems tailor Canopy to the risk rating needs of each company and its clients. By default, Canopy uses a Critical-to-Info rating system alongside CVSSv2 and CVSSv3. When users need their own rating system, it can be added through custom fields (to store the rating values) and a custom rating calculator plugin. This gives Canopy significant flexibility in adapting to the specific needs of each company that uses it.
We are happy to provide support in adding custom finding rating systems. We also provide support material to help write your own. For further information, see Extending Canopy.
Adding a finding to the KB¶
Canopy’s Findings Knowledge Base (KB) stores reusable findings. Maintaining such a library is common practice in industry, although to varying degrees. To add a finding to the KB:
1. Access the finding view from the phase findings list (or project phase list).
2. Click on the ellipsis and click the Add to KB option.
The finding is then added to the KB in an unapproved state.
Deleting a finding¶
Findings can be deleted individually (via the finding view) or as a selection via the phase finding list.