Creating a Finding

Creating a finding within PlexTrac can be initiated either through the Clients module or the Reports module, but either approach involves selecting a report to which the finding is added. Once created within PlexTrac, a finding's details are entered across five tabs: Finding Details, Affected Assets, Screenshots/Videos, and Code Samples.
Step 1: From the Reports module, click the row of the impacted report.
Step 2: Click the Findings tab.
Step 3: Click Create Finding from the "Add Findings" pulldown menu.
Step 4: The "Create New Finding" page appears with five tabs to collect data about a finding (further details on each tab exist below).
At a minimum, enter a finding title, select the finding severity, and enter a finding description as required fields. All other fields are optional.
  1. Title (required): All finding titles must be unique within a report. The tool will provide an error message after clicking Save if an existing title is used.
  2. Severity (required): Identifies the severity rating for the finding. The values are in ascending order: Informational, Low, Medium, High, and Critical.
  3. Score type: Identifies the score associated with a finding. This can be used to record a general score, a CVSS 2.0 score, a CVSS 3.0 score, or dynamically create a CVSS 3.1 score using the provided calculator.
  4. Status: Defines the status of the finding (Open, Closed, or In Process).
  5. Sub-Status: Provides further details on the status of a finding if set up by an admin. If no sub-status values have been configured, this field will not appear.
  6. Assigned to: Identifies the user assigned to a finding. Only one user can be assigned, and that user will receive an email once the finding is saved. The list in the pulldown menu is derived from the list of users added to a client.
  7. Description (required): An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
  8. Recommendations: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
  9. References: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
  10. CVE ID: Common Vulnerabilities and Exposures (CVE) identifier(s) assigned to the finding. This field requires a format of CVE prefix + Year + sequence digits. There is no limit to the number of sequence digits.
     • Example ID with four digits: CVE-2014-3127
     • Example ID with five digits: CVE-2018-54321
     • Example ID with six digits: CVE-2019-456132
  11. CWE ID: Common Weakness Enumeration (CWE) identifier(s) assigned to the finding. This field requires a format of a two-to-four-digit number.
     • Example ID with two digits: 99
     • Example ID with three digits: 243
     • Example ID with four digits: 1423
  12. Tags: Stores any tags associated with a finding to help manage and retrieve the finding more easily later.
  13. Custom Fields: Click Add custom field to insert more labels and values as needed.
Step 5: Click Save.
The information entered is now displayed in the Findings Details tab and can be modified as needed. More details of a finding can be added by continuing to the other available tabs.
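The required-field and ID-format rules listed above can be checked before a finding is submitted, which is useful when findings are generated from a scanner export rather than typed by hand. The following is an added example written for this page, not PlexTrac's own validation code; the regular expressions and the comma/whitespace separator for multiple IDs are assumptions derived from the field descriptions.

```python
import re

# Values taken from the field descriptions on this page.
SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")
STATUSES = ("Open", "Closed", "In Process")

# Assumed patterns (illustrative, not PlexTrac's own validator):
# CVE: "CVE-" + four-digit year + four or more digits (the page sets no upper
# limit; official CVE IDs always have at least four sequence digits).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# CWE: a bare two-to-four-digit number, as the page describes.
CWE_ID_RE = re.compile(r"^\d{2,4}$")


def split_ids(raw: str) -> list[str]:
    """Split an ID list on commas or whitespace (separator is an assumption)."""
    return [tok for tok in re.split(r"[,\s]+", raw.strip()) if tok]


def validate_finding(finding: dict, existing_titles: set[str]) -> list[str]:
    """Return the problems that would block Save; an empty list means OK."""
    errors = []
    title = finding.get("title", "").strip()
    if not title:
        errors.append("title is required")
    elif title in existing_titles:
        errors.append(f"title '{title}' already exists in this report")
    if finding.get("severity") not in SEVERITIES:
        errors.append("severity must be one of " + ", ".join(SEVERITIES))
    if not finding.get("description", "").strip():
        errors.append("description is required")
    status = finding.get("status")
    if status is not None and status not in STATUSES:
        errors.append(f"unknown status '{status}'")
    for cve in split_ids(finding.get("cve_id", "")):
        if not CVE_ID_RE.match(cve):
            errors.append(f"malformed CVE ID '{cve}'")
    for cwe in split_ids(finding.get("cwe_id", "")):
        if not CWE_ID_RE.match(cwe):
            errors.append(f"malformed CWE ID '{cwe}'")
    return errors


if __name__ == "__main__":
    # Constructed sample data: one valid finding and one with several mistakes.
    ok = {"title": "Outdated TLS", "severity": "High", "description": "TLS 1.0 enabled",
          "cve_id": "CVE-2014-3127, CVE-2019-456132", "cwe_id": "326"}
    bad = {"title": "Outdated TLS", "severity": "Severe", "description": "",
           "cve_id": "CVE-14-3127", "cwe_id": "CWE-326"}
    print(validate_finding(ok, set()))              # []
    print(validate_finding(bad, {"Outdated TLS"}))  # five problems listed
```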

Affected Assets Tab

This tab displays any affected assets associated with a finding. More information on this topic, such as how to import or create, can be found on the Affected Assets page.

Screenshots and Videos Tab

This tab stores screenshots and videos associated with a finding, as videos are not allowed in the Finding Details rich-text fields.
To add a file, drag it onto the box on the page or click to navigate to files on the computer. Repeat as needed.

Code Sample Tab

This tab stores any code samples related to a finding for future reference. Click Add Code Sample to insert content. Click Add Section to add a caption and the code. The code will be formatted when the report is published.