This repository has been archived by the owner on May 3, 2020. It is now read-only.

Risk rating calculations proposal #479

Open
geckom opened this issue Jul 6, 2018 · 5 comments

Comments

@geckom

geckom commented Jul 6, 2018

Feature Request

In ./views/findings_list.haml findings are given a risk rating of Critical, Severe, Moderate, Low or Informational (primarily for the pie chart). These calculations are run every time the findings list page is viewed. I propose moving this logic to the save finding function and saving the result into the 'risk' column of the database.

Advantages:

  • Less load - risk rating is only calculated on save not on every load of the findings list.
  • Simplified chart logic
  • Simplified reporting, i.e. if risk=medium instead of if CVSS>3 and CVSS <6 (example: issue #246, else statements / complex if)

This would work with dread, cvss 2 & 3, nist 800 and risk matrix.

Additionally, as per CVSS3, a score of 0.0 is considered "Informational" not "Low". This can be fixed at the same time.

I am happy to make the modifications and submit a PR, however it would be a rather big change and it would not be backwards compatible. Are the core developers happy for me to make these modifications? We could leave in the existing logic for some time to help with backwards compatibility.

@BuffaloWill
Contributor

BuffaloWill commented Jul 6, 2018

Thanks @geckom. I like the idea of a cross compatible score for a finding and this would make chart logic much cleaner. However, let's use a new column instead of re-purposing the risk column. Re-using the risk column could become problematic for existing user data.

I am happy to land this with a new column in a finding for cross compatible risk (e.g. serpico_risk would work as a column name or whatever you think). Also, if the functionality for calculation is stored in a helper method then we can run it across all findings when serpico first starts up. This would be handy for fresh charts rather than waiting for the user to save each finding that may already exist in a database. Even more so because this would now allow us to add an administrative interface charting assessments over time and other statistics from the existing findings (#374).

@BuffaloWill
Contributor

Hey @geckom, any updates on this? If you'd like to team up ping me and I will try to help.

@geckom
Author

geckom commented Jul 24, 2018

I have the add and edit findings pages including a field called "serpico_risk" as requested (hidden). It should mirror the risk or be assigned a number from 0 to 5 (info to critical). I am now investigating the most efficient method to calculate these at start up - most likely UPDATE * WHERE serpico_risk IS NULL. And lastly I am currently putting in the templating code. Should be doing a PR within the next 48 hours.

@geckom
Author

geckom commented Jul 24, 2018

Added 2 new helper functions:

  • calculate_serpico_risk(finding, scoring) -- calculates the serpico_risk rating for the provided scoring system based on the findings data.
  • fill_serpico_risk() -- Look for any findings missing serpico_risk (where NULL), calculate the risk score and update the finding.

Currently fill_serpico_risk() is called on the '/reports/list' route. Is there a better place to put this for start up?

serpico_risk field added to Finding and TemplateFinding Models. Finding add and update functions have been updated. Where can I find what scoring system to use for the TemplateFindings? Should I use the global risk scoring variable?

If any findings are missing a risk the console will show output like this:

Calaculating new risk ratings for 2 findings...
- Test Report / SQL Injection / 4
- Test Report / Cross Site Scripting (XSS) / 2
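As an added illustration of the two helpers described in the comment above (example code, not from the Serpico project or this thread's author), here is a pure-Ruby sketch that treats findings as plain Hashes; the field names, band thresholds and the 0..5 encoding are assumptions.

```ruby
# Added example, not Serpico's own code: pure-Ruby sketch of the proposed
# calculate_serpico_risk(finding, scoring) / fill_serpico_risk() helpers.
# Findings are Hashes, not DataMapper models; names and thresholds are assumed.
SERPICO_RISK = { unscored: 0, informational: 1, low: 2,
                 moderate: 3, severe: 4, critical: 5 }.freeze

# Map a 0.0..10.0 score onto Serpico's labels; cut-offs 4.0/7.0/9.0 are the
# CVSS v3 qualitative bands relabelled, and a bare 0.0 is Informational, not Low.
def score_to_risk(score)
  return SERPICO_RISK[:unscored] if score.nil?
  s = Float(score)
  raise ArgumentError, "score out of range: #{s}" unless (0.0..10.0).cover?(s)
  return SERPICO_RISK[:informational] if s.zero?
  return SERPICO_RISK[:low]      if s < 4.0
  return SERPICO_RISK[:moderate] if s < 7.0
  return SERPICO_RISK[:severe]   if s < 9.0
  SERPICO_RISK[:critical]
end

# DREAD: the mean of five 1..10 components (assumed field names) is itself a
# 0..10 score, so the same bands apply.
DREAD_FIELDS = %i[damage reproducibility exploitability
                  affected_users discoverability].freeze
def dread_to_risk(finding)
  parts = DREAD_FIELDS.map { |k| finding[k] }
  return SERPICO_RISK[:unscored] if parts.any?(&:nil?)
  score_to_risk(parts.sum.to_f / parts.size)
end

# Dispatch on the report's scoring system (only CVSS and DREAD shown here).
def calculate_serpico_risk(finding, scoring)
  case scoring
  when :cvss  then score_to_risk(finding[:cvss_total])
  when :dread then dread_to_risk(finding)
  else raise ArgumentError, "unknown scoring system: #{scoring}"
  end
end

# Start-up backfill: only findings whose serpico_risk is still nil are
# recalculated, the in-memory analogue of "WHERE serpico_risk IS NULL".
def fill_serpico_risk(findings, scoring)
  todo = findings.select { |f| f[:serpico_risk].nil? }
  puts "Calculating new risk ratings for #{todo.size} findings..." unless todo.empty?
  todo.each do |f|
    f[:serpico_risk] = calculate_serpico_risk(f, scoring)
    puts "- #{f[:report]} / #{f[:title]} / #{f[:serpico_risk]}"
  end
  todo.size
end
```

Running fill_serpico_risk a second time over the same findings returns 0, which is the property that makes it safe to call on every start-up.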

@frisch-raphael
Contributor

Any advance on this, geckom? I feel like Serpico would greatly benefit from this way of doing things.
