Jinja and PlexTrac Data

This section covers where Jinja and PlexTrac cross paths and how you can pull data from PlexTrac into your reports. The sections below walk through each type of data you can pull in.

Findings

Assets

Tags

Report Info

Client Info

Custom Fields (Client, Report, Finding)

Cell Shading (Tables)

Multi-Scope / Multi-Phase / Multi-Purpose Templates

This section is theory: it covers how you should think about and write your Jinja Template if you're trying to make it versatile enough for Multi-Scope/Phase/Purpose reports.

You can apply tags at the Client, Report, and Finding level (for more details, read up on Tags) to categorize findings and put them into different buckets to pull from. For example, if you provide multiple services that are different scopes of penetration testing or security assessment (think internal vs. external scans, social engineering, or physical security assessments), you could add a tag to a given report to define which services are being provided.

You can then reference that tag in your Jinja Template to add or remove sections of your Report, depending on your tags, which represent your scope or the services provided.

{# Declare a list that will contain our scope #}
{%p set scope_list = [] %}
{# Iterate through the Report Tags to find what 'scope' we tagged our report with #}
{%p for tag in REPORT_INFO.tags %}
{%p if "internal" in tag %}
{# Then add the scope to the list, 'scope_list' using append #}
{%p if scope_list.append("Internal Penetration Test") %}
{%p endif %}
{%p elif "external" in tag %}
{%p if scope_list.append("External Penetration Test") %}
{%p endif %}
{%p endif %}
{%p endfor %}
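{# To display a section based on the presence of a tag #}
{# 'in' on a list is an exact-match test, so compare against the full string that was appended above #}
{%p if "Internal Penetration Test" in scope_list %}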
TITLE: Internal Penetration Test
Description: Information and Lorem Ipsum
{%p endif %}

In the above code snippet, the if statement asks whether our report has been tagged with that scope, which keeps the section's text out of the report when it has not. What happens inside that code block can be variable or static, but it will only show if the scope is met.

This might reduce the need for multiple templates of the same reporting style, but with different scopes (internal vs external).
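
The same pattern extended to several services from one lookup table, as an added example that is not part of the original page. It goes beyond the snippet above by matching tags case-insensitively and skipping duplicates. The "social" and "physical" keywords, the section titles, and the fallback text are assumptions for illustration, and it assumes standard Jinja2 features (dict literals, `.items()`, the `lower` filter) are available in your template engine.

```jinja
{# Assumed mapping: keyword expected inside a report tag -> section title #}
{%p set scope_map = {"internal": "Internal Penetration Test", "external": "External Penetration Test", "social": "Social Engineering Assessment", "physical": "Physical Security Assessment"} %}
{%p set scope_list = [] %}
{# Collect every scope whose keyword appears in any report tag #}
{%p for tag in REPORT_INFO.tags %}
{%p for keyword, title in scope_map.items() %}
{# 'keyword in tag|lower' is a substring test on the lower-cased tag #}
{# 'title not in scope_list' is an exact-match test on the list, which avoids duplicates #}
{%p if keyword in tag|lower and title not in scope_list %}
{# append returns None, so the if body never renders; only the side effect matters #}
{%p if scope_list.append(title) %}
{%p endif %}
{%p endif %}
{%p endfor %}
{%p endfor %}
{# Scope summary: one line per service found on the report #}
{%p for title in scope_list %}
In scope: {{ title }}
{%p endfor %}
{# Fail visibly when no tag matched, so an untagged report is caught in review #}
{%p if not scope_list %}
NO SCOPE TAG FOUND ON THIS REPORT
{%p endif %}
{# Per-scope sections: compare against the full title stored in scope_list #}
{%p if "Internal Penetration Test" in scope_list %}
TITLE: Internal Penetration Test
Description: Information and Lorem Ipsum
{%p endif %}
{%p if "External Penetration Test" in scope_list %}
TITLE: External Penetration Test
Description: Information and Lorem Ipsum
{%p endif %}
```

Because the keyword check is a substring match, a tag that merely contains "internal" as part of a longer word also selects the internal scope, so keep scope tags distinct from other report tags.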