Findings

Findings (also commonly called vulnerabilities) are a cornerstone of Canopy. When working on a project, its results are stored as findings, which are typically included in the report (some high-level reports only make use of finding statistics).

A key aspect of a finding is its ability to record enough information for the receiving client to understand the identified issue. The following text fields are the defaults in Canopy; the descriptions give their suggested use:

Summary

Used to capture a brief summary of the finding.

Background

Used to describe the background information needed to understand the issue at hand. For example, a finding for SQL injection may include the key information a reader needs to understand SQL injection in general, before the impact on the client in question is described.

Description

Used to explain the finding in more detail, specifically focusing on its applicability to the current client and the target asset of the project.

Recommendation

Used to provide recommendations to help address the issue and reduce risk.

Re-test notes

Used to capture update information and other details noted during a re-test phase.

It is also possible to create custom fields to make the finding structure more tailored to each company’s needs.

Access control

Access to findings is inherited from the project: whoever has access to the project (read, write, or admin) has the same level of access to its findings.

Listing findings

The finding list can be found under the phase view. This list allows a user to sort and filter findings, access them and add new findings (manually or from the KB).

Adding a finding

A finding can be added in three main ways: manually, from the Knowledge Base (KB), or by importing tool output.

Adding a manual finding

To add a finding manually:

  1. Access the phase of the project you’re working on.

  2. Click the + FINDING button.

  3. Complete the form and save.

Adding a finding from the KB

To add a finding from the KB:

  1. Access the phase of the project you’re working on.

  2. Click the + FROM KB button.

  3. Select the findings you want to add to the phase. It is possible to filter and multi-select.

  4. Click the ADD button.

Adding a finding via tool imports

To add findings via the tool importer, drag and drop the tool's results file onto the File Uploads section of the phase view. If the file comes from a supported tool and is in a supported format, the import runs automatically. The import process copies data from the file to create findings, assets, examples, references and more.

For further info on supported tools see Supported tools.

Editing a finding

To edit a finding:

  1. Access the finding view from the phase list (or project phase list).

  2. Click the edit icon.

  3. Edit and save.

Rating systems

Finding rating systems tailor Canopy to the risk rating needs of each company and its clients. By default, Canopy uses a Critical-to-Info rating system alongside CVSSv2 and CVSSv3. When users need their own rating system, it can be added through custom fields (to store the rating values) and a custom rating calculator plugin. This gives Canopy significant flexibility in adapting to the specific needs of each company that uses it.

We are happy to provide support in adding custom finding rating systems. We also provide support material to help write your own. For further information, see Extending Canopy.

Adding a finding to the KB

Canopy’s Findings Knowledge Base (KB) provides a way to store reusable findings. This is common practice in industry, although used to varying degrees. To add a finding to the KB:

  1. Access the finding view from the phase findings list (or project phase list).

  2. Click on the ellipsis and click the Add to KB option.

The finding is then added to the KB in an unapproved state.

Deleting a finding

Findings can be deleted individually (via the finding view) or as a selection via the phase finding list.