Creating a Finding
Creating a finding within PlexTrac can be initiated through either the Clients module or the Reports module; either approach involves selecting a report to add the finding to. Once a finding is created, users can update it using five tabs: Finding Details, Affected Assets, Screenshots/Videos, and Code Samples.
Step 1: From the Reports module, click the row of the impacted report.
Step 2: Click the Findings tab.
Step 3: Click Create Finding from the "Add Findings" pulldown menu.
Step 4: Enter a finding name and select the finding severity. Click Create.
Step 5: The edit finding page has four tabs for collecting data about a finding (further details on each tab are provided below).
Title (required): All finding titles must be unique within a report. The tool will provide an error message after clicking Save if an existing title is used.
Severity (required): Identifies the severity rating for the finding. The values are in ascending order: Informational, Low, Medium, High, and Critical.
Score type: Identifies the score associated with a finding. This can be used to record a general score, a CVSS 2.0 score, a CVSS 3.0 score, a CVSS 4.0 score, or dynamically create a CVSS 3.1 score using the provided calculator.
Priorities: Associate the finding with a priority in the Priorities module.
Status: Defines the status of the finding (Open, Closed, or In Process). It defaults to Open.
Sub-Status: Provides further details on the status of a finding if set up by an admin. If no sub-status values have been configured, this field will not appear.
Assigned to: Identifies the user assigned to a finding. Only one user can be assigned, and an email will be sent once the finding is saved. The list in the pulldown menu is derived from the list of users added to a client.
Description (required): An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
Recommendations: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
References: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. It has collaborative editing enabled.
CVE ID: Common Vulnerabilities and Exposures (CVE) identifier(s) assigned to the finding. This field requires a format of CVE prefix + Year + arbitrary digits. There is no limit to the number of arbitrary digits.
Example ID with four digits: CVE-2014-3127
Example ID with five digits: CVE-2018-54321
Example ID with six digits: CVE-2019-456132
CWE ID: The Common Weakness Enumeration (CWE) identifier(s) assigned to the finding. This field requires a two-to-four-digit number format.
Example ID with two digits: 99
Example ID with three digits: 243
Example ID with four digits: 1423
Tags: Stores any tags associated with a finding to help manage and retrieve the finding more easily later.
Custom Fields: Click Add custom field to insert more labels and values as needed.
Step 6: Click Save.
The information entered is now displayed in the Finding Details tab and can be modified as needed. More details of a finding can be added by continuing to the other available tabs.
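The field rules above (required title, severity and description; titles unique within a report; the severity and status values; the CVE and CWE ID formats) can be checked on draft findings before they are entered. This is an added example, not PlexTrac code: the dictionary keys and function names are assumptions, and exact, case-sensitive matching is assumed.

```python
import re
# Field rules as stated on this page. The dict keys (title, severity, status,
# description, cve_ids, cwe_ids) are assumed names, not PlexTrac's schema.
SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")
STATUSES = ("Open", "Closed", "In Process")
# "CVE prefix + Year + arbitrary digits": four is the shortest sequence in the
# page's examples and in CVE syntax; there is no upper limit.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CWE_RE = re.compile(r"\d{2,4}")  # two-to-four-digit number, no "CWE-" prefix


def check_finding(finding, taken_titles):
    """Return a list of problems; an empty list means the draft passes."""
    problems = []
    title = (finding.get("title") or "").strip()
    if not title:
        problems.append("title is required")
    elif title in taken_titles:  # exact match; case handling is an assumption
        problems.append(f"duplicate title in report: {title}")
    if finding.get("severity") not in SEVERITIES:
        problems.append(f"invalid severity: {finding.get('severity')}")
    if finding.get("status", "Open") not in STATUSES:  # status defaults to Open
        problems.append(f"invalid status: {finding.get('status')}")
    if not (finding.get("description") or "").strip():
        problems.append("description is required")
    for cve in finding.get("cve_ids", []):
        if not CVE_RE.fullmatch(cve):
            problems.append(f"malformed CVE ID: {cve}")
    for cwe in finding.get("cwe_ids", []):
        if not CWE_RE.fullmatch(str(cwe)):
            problems.append(f"malformed CWE ID: {cwe}")
    return problems


def check_report(drafts):
    """Check drafts in order; titles of earlier drafts count as taken."""
    taken, results = set(), []
    for draft in drafts:
        results.append(check_finding(draft, taken))
        taken.add((draft.get("title") or "").strip())
    return results


DRAFTS = [  # constructed sample drafts, not real findings
    {"title": "Weak TLS", "severity": "Medium", "description": "TLS 1.0 on.",
     "cve_ids": ["CVE-2014-3127"], "cwe_ids": ["99"]},
    {"title": "Weak TLS", "severity": "critical", "status": "Fixed",
     "description": "", "cve_ids": ["CVE-2019-45"], "cwe_ids": ["CWE-243"]},
]
```

Calling `check_report(DRAFTS)` returns one problem list per draft, so a batch can be cleaned up before the Save step reports a duplicate title or a rejected ID.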
The Affected Assets tab displays any affected assets associated with a finding. The Affected Assets page provides more information on this topic, such as how to import or create assets.
The Screenshots/Videos tab stores screenshots and videos associated with a finding, as videos are not allowed in the Finding Details rich-text fields.
To add a file, drag it onto the box on the page or click to navigate to files on the computer. Repeat as needed.
The Code Samples tab stores any code samples related to a finding for future reference. Click Add Section to add additional sections. The code will be formatted when the report is published.