Work With Result Vulnerabilities
This section of the Getting Started guide will get you comfortable working with Vulnerabilities. This portion assumes you have already gone through the rest of the Getting Started tasks including setting up a security task.
In the context of Scumblr, a vulnerability is a finding associated with a result that can be flagged either Observational (meaning it may not be a vulnerability in itself) or Critical, High, Medium, Low, or Informational.
Earlier in this tutorial, we stepped through setting up a Curl security task to identify whether the server is running Apache. For this tutorial, let's assume that upon further investigation this issue is more of a Low risk finding instead of Observational. Let's go ahead and make some changes to this vulnerability to reflect this.
Let's go ahead and run our Saved Filter from the previous tutorial. Click on the result (e.g. www.scottbehrens.com) and expand the Observation.
In the upper left corner of the finding, we can change its status. Let's go ahead and update it to Low.
For this example, let's pretend we have removed the server banner and the issue is now resolved. Many security analyzers (GitHub and Curl, for example) will automatically detect when a vulnerability is no longer present and flag the result as Auto-Remediated.
Since this is just an example, let's go ahead and update the status to remediated. You can do that by selecting the dropdown on the right of the vulnerability.
If you refresh the page you will see the vulnerability is no longer listed.
Vulnerability filters are a powerful tool to let you narrow down and filter out vulnerabilities. As you saw earlier, we updated our vulnerability to be a Low risk finding and we also flagged it as remediated. To show this remediated vulnerability, you can filter based on the status Remediated, as seen below:
To simulate a regression, let's go ahead and re-run our Curl task. Navigate to your Tasks page by clicking the link in the top banner. Select the checkbox next to the Curl Analyzer and click the Run button.
Navigate back to your Result and you should see the vulnerability is now Reopened.
This section contains a little more context on how to work with vulnerabilities.
Vulnerabilities have 5 Status types enumerated below.
You can mark a vulnerability Remediated once it has been resolved. If it is identified again, it will be changed to the Reopened type.
You can mark a vulnerability False Positive and it will be moved into a closed state. If it is identified again after 30 days, it will be changed to the Reopened type.
You can mark a vulnerability Ignored if you don't care about the issue or it is truly a false positive. Ignored vulnerabilities will never reopen.
Certain security tasks can auto-remediate vulnerabilities (such as the Curl security task) if the issue is no longer present. Auto-Remediated issues will be moved into closed status.
If an issue is found to have regressed, it will be moved into the Reopened state.
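The status rules above, modeled as a small Ruby state machine. This is an added example written for this page, not Scumblr's own code; the class and method names, the `open` starting status and the `rerun!` helper are assumptions made for illustration.

```ruby
require 'date'

# Added example, not Scumblr's own code: models the status transitions the
# page describes. Class and method names are assumptions for illustration.
class VulnerabilityStatus
  CLOSED = %w[remediated false_positive ignored auto_remediated].freeze
  FALSE_POSITIVE_GRACE_DAYS = 30 # a False Positive reopens only if seen again after 30 days

  attr_reader :status, :closed_on

  def initialize
    @status = 'open'   # assumed starting status for a newly created finding
    @closed_on = nil
  end

  # Analyst actions from the status dropdown; each records the closing date.
  def remediate!(on: Date.today);      close('remediated', on);     end
  def false_positive!(on: Date.today); close('false_positive', on); end
  def ignore!(on: Date.today);         close('ignored', on);        end

  # Outcome of re-running the security task. present: false models an
  # analyzer such as Curl no longer seeing the issue (Auto-Remediated).
  def rerun!(present:, on: Date.today)
    unless present
      close('auto_remediated', on) unless closed?
      return @status
    end
    case @status
    when 'remediated', 'auto_remediated'
      @status = 'reopened'                       # regression: seen again
    when 'false_positive'
      @status = 'reopened' if (on - @closed_on).to_i > FALSE_POSITIVE_GRACE_DAYS
    when 'ignored'
      nil                                        # Ignored never reopens
    end
    @status
  end

  def closed?
    CLOSED.include?(@status)
  end

  private

  def close(new_status, on)
    @closed_on = on
    @status = new_status
  end
end
```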
You can manually add a finding by clicking the Add Finding button on a result. This can be useful for issues identified manually via code review, penetration tests, etc.
If you use Jira and have set up your Jiralicious file, you can associate a Jira ticket with your vulnerabilities. Simply specify a comma-separated list of Jira IDs and click the Update button. Once the page is refreshed, they will be converted into links.