How can the Custom Fields be used ?

[jakuta-tech]

How are the custom fields in Admin used ?

Currently adding a custom field under Admin --> Settings --> 'Custom Fields' adds it to the web interface and the variable name can be seen in the database but I don't seem to be able to call it in the word doc as a variable using ${cfVARIABLENAME}.

Also when the variable has a default value, and the save icon is pressed, the Default variable disappears from the text box.

[summitt]

Hey @jakuta-tech ! thanks for reporting the issue related to saving the variable in admin. I'll get that mitigated in the next release.

As for your question about how to use the variables, here is a quick walkthrough.

When you create the variables in admin they will be of the type Assessment or Vulnerability. This will determine where they show up in the UI and how the variables will be populated in the report.

The ones above are created for the assessment. So when you create a new assessment these fields will be available in the Assessment Overview pages. If you hover over the name it will show you the variable that can be used.

Note that adding variables or updating variables does not affect existing assessments. You will need to open an active assessment in Scheduling and save it to add these to an ongoing assessment

As an example, I'll create a table in the Scope that uses these variables:

You need to select Update on each field to ensure its saved with the assessment. This is a bug that will be mitigated in the next release as these should be set without you needing to click update if you are just going to use the default values.

Now you can generate the report and they will be populated as shown below in the generated docx file.

[jakuta-tech]

Perfect, thank you for the great explanation.

[summitt]

@jakuta-tech This you reported is now mitigated in 1.1.20

[summitt]

We put up additional documentation about how to create and use custom variables to automate features in your security assessment reports here.

[ptrac3]

Hi everyone, I was playing with custom fields and they work great for generating custom reports but I did not find a way to use them in the vulnerability database. Is that possible? For example: I would like to associate a certain CVE-ID to a vulnerability and I would like that information to be stored in the database so whenever I add the vulnerability in the report it will come prepopulated with the information.
I have tried manually adding a vulnerability with the API by passing a "cve" or "cfcve" parameter but it does not seem to be working.
Thanks in advance and hopefully I didn't miss some documentation about this!

[summitt]

There is a bug in the current release that is preventing these from getting updated correctly. This will be fixed next week in the release we are presenting at DEF CON next Saturday.

[ptrac3]

Thanks for the reply and looking forward to the update! Out of curiosity, is this bug the same of what seems to be preventing me from adding vulnerabilities from the API? (assuming I am not doing something wrong).
Hi @summitt thanks for the reply! I am checking out the new update but maybe I didn't ask my question correctly. What I wanted to know is whether custom fields can be used with default vulnerabilities too rather than having them populated In vulnerabilities added to an assessment. I will list below the steps I did:

• created a new custom field named "cwe" and applied it to "vulnerability". The idea here would be to have CWE-IDs associated with vulnerabilities
• with the new update I was expecting to have the possibility to store a CWE value when creating a new default vulnerability. to remove room for mistakes I erased local faction data, started docker from scratch and tried creating the custom field before / after importing default vulnerabilities from Faction.

This shows the custom field:

This instead the view when creating a new vulnerability:

Looking forward to any feedback, would it be possible in case to have this as a feature request? (if it's not a bug or unexpected). Thanks in advance!