
Splitting Vulnerability Sections #90

Closed
vysecurity opened this issue Aug 27, 2023 · 4 comments

Comments

@vysecurity

vysecurity commented Aug 27, 2023

Currently I have sections such as:

Critical Risk Findings
Critical Risk 1: ABCDEF

High Risk Findings
High Risk 1: ABCDEF

However, I want to add 1 more layer such as:

Web app 1
Critical Risk Findings
Critical Risk 1: ABCDEF
High Risk Findings
High risk 1: dbgdsbd

Web app 2
Critical Risk Findings
Critical Risk 1: ABCDEF
High Risk Findings
High risk 1: dbgdsbd

Is there any way to tag individual findings within the findings list with an APPNAME or APPID, then use the HTML template to only print those findings for that web app, or to recurse through a list of APPNAME or APPID tags manually specified?

Let's say I have around 50 web applications, and I want to group them into their own individual sections. Each finding for that web app will be tagged somehow with "webappname"?

@MWedl
Contributor

MWedl commented Aug 28, 2023

Hi,
you need to adapt your design to group findings. You can add a custom field of type enum or string (depending on your requirements) and group by that in HTML. In the last release we have added the functionality to customize finding sorting (configure in design -> finding fields). This affects the findings in the design and the frontend. If you order by APPID then by CVSS, the findings are grouped in the frontend too.

To group findings in the HTML template you can use something like this:

```html
<!-- one section per distinct appid value; findingGroup is the array of findings for that app -->
<section v-for="findingGroup in lodash.groupBy(findings, f => f.appid)">
  <h1 class="in-toc numbered">Findings of {{ findingGroup[0].appid }}</h1>

  <div v-for="finding in findingGroup">
    <h2 class="in-toc numbered">{{ finding.title }}</h2>
    ...
  </div>
</section>
```

@vysecurity
Author

vysecurity commented Aug 29, 2023

Thanks for the suggestion. I'll give it a shot.

Apologies, wanted to ask for a bit more help as I don't really get the 'language'.

If I now have a findingGroup, how can I read the number of Critical, High, Medium, Low, Info from each findingGroup?

I'm basically trying to make it render sections per finding group only if the count is >0 too.

Tried this but no luck:

```html
<section v-for="findingGroup in lodash.groupBy(findings, f => f.appid)">

  <div v-for="findingRiskGroup in lodash.filter(findingGroup, f => f.cvss.level === 'critical')">

    <template v-if="findingRiskGroup.length > 0">
      <h2 class="in-toc">Critical Risk Findings</h2>
```

Edit: I sorted it! My report looks insane.

Now I'm having another issue where I want to calculate the number of appids:

```html
<div v-show="(findingGroup, appid) in lodash.groupBy(findings, f => f.appid)">
  <p>
    Number of apps: <b>{{ findingGroup.length }}</b> applications.
  </p>
</div>
```

without it printing the text twice lol... How do I do that? I tried v-show but no luck.

Solved it with

```html
<div v-if="total = lodash.uniqBy(findings, f => f.appid)">
```

but now I'm having trouble with figuring out how to get under each appid:

1 high, 2 medium, and 8 low risk vulnerabilities

but for each app id and only print the text once.
ChatGPT keeps recommending that I use a `<script>` block but I cannot.


Sad times :'(

```html
<section v-for="(findingGroup, appid) in lodash.groupBy(findings, f => f.appid)">
  <h1 class="in-toc numbered">{{ appid }}</h1>
  <h2 id="vuln-summary" class="in-toc">Summary of Technical Findings</h2>
  <p>
    <CommaAndJoin and=" and ">
      <template #critical v-if="total = lodash.countBy(lodash.filter(findings, f => f.appid === appid && f.cvss.level === 'critical'), z => z.findingIndex)">
        <strong class="finding-risk-critical">
          <div v-if="total = lodash.countBy(lodash.filter(findings, f => f.appid === appid && f.cvss.level === 'critical'), z => z.findingIndex)">{{ total.undefined }} Critical</div>
        </strong>
      </template>
      <template #high v-if="finding_stats.count_high > 0">
        <strong class="finding-risk-high">{{ finding_stats.count_high }} High</strong>
      </template>
      <template #medium v-if="finding_stats.count_medium > 0">
        <strong class="finding-risk-medium">{{ finding_stats.count_medium }} Medium</strong>
      </template>
      <template #low v-if="finding_stats.count_low > 0">
        <strong class="finding-risk-low">{{ finding_stats.count_low }} Low</strong>
      </template>
      <template #info v-if="finding_stats.count_info > 0">
        <strong class="finding-risk-info">{{ finding_stats.count_info }} Informational</strong>
      </template>
    </CommaAndJoin>
    risk vulnerabilities were identified.
  </p>
```

Of course trying to change all of the v-if from finding_stats to my crazy filter, but it's turning out a bit shit.

OK I overcame the issue again.

@vysecurity
Author

vysecurity commented Oct 5, 2023

Turns out it was never overcome. The `<template #risk>` tag seems to break CommaAndJoin...?

If I don't use `<template>` with a # thing, the values are correct; if I use #, it breaks the values and it gets wrong values.

@vysecurity vysecurity reopened this Oct 5, 2023
@MWedl
Contributor

MWedl commented Oct 6, 2023

The `<template #name>` syntax is used in Vue templates for so-called slots to pass HTML data to `<comma-and-join>`. In the `<comma-and-join>` the slot name (the word after the #) can be anything, but it has to be unique. If you used `<template #risk>` multiple times, try to change it to unique names `<template #risk1>`, `<template #risk2>`, etc.

If you want to iterate over a list and generate dynamic slots based on list contents, you can generate dynamic slot names with `<template v-for="role in user.roles" #[role]>`. The generated dynamic slot names also have to be unique.
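
Putting both answers together, as an added example that is not part of this issue thread or of the project's own templates: the per-app summary uses one dynamically named slot per CVSS level, so every slot name is unique, and the per-level counts are bound once per app with a one-element `v-for` instead of an assignment inside `v-if`. It assumes the custom finding field is called `appid`, that `f.cvss.level` takes the values `'critical'`, `'high'`, `'medium'`, `'low'` and `'info'`, and that `lodash` and `CommaAndJoin` are available in the template as shown above.

```html
<!-- number of distinct apps across all findings, rendered once -->
<p>Number of apps: <b>{{ lodash.uniqBy(findings, f => f.appid).length }}</b> applications.</p>

<!-- one top-level section per appid; findingGroup holds only that app's findings -->
<section v-for="(findingGroup, appid) in lodash.groupBy(findings, f => f.appid)">
  <h1 class="in-toc numbered">{{ appid }}</h1>

  <!-- bind this app's per-level counts once, e.g. {high: 1, medium: 2, low: 8};
       a one-element v-for is the usual template trick for a local value (no <script> needed) -->
  <template v-for="counts in [lodash.countBy(findingGroup, f => f.cvss.level)]">
    <p>
      <CommaAndJoin and=" and ">
        <!-- one slot per level that actually has findings; the slot names
             (#critical, #high, ...) are therefore unique, as CommaAndJoin requires -->
        <template v-for="level in ['critical', 'high', 'medium', 'low', 'info'].filter(l => counts[l] > 0)" #[level]>
          <strong :class="'finding-risk-' + level">
            {{ counts[level] }} {{ level === 'info' ? 'Informational' : lodash.capitalize(level) }}
          </strong>
        </template>
      </CommaAndJoin>
      risk vulnerabilities were identified.
    </p>
  </template>

  <!-- one sub-section per level, emitted only when this app has findings at that level -->
  <template v-for="level in ['critical', 'high', 'medium', 'low', 'info']">
    <div v-if="lodash.some(findingGroup, f => f.cvss.level === level)">
      <h2 class="in-toc">{{ lodash.capitalize(level) }} Risk Findings</h2>
      <div v-for="finding in lodash.filter(findingGroup, f => f.cvss.level === level)">
        <h3 class="in-toc numbered">{{ finding.title }}</h3>
        <!-- finding body (description, evidence, recommendation) goes here -->
      </div>
    </div>
  </template>
</section>
```

Because the slot list is filtered before the slots are created, an app with no findings at a given level contributes neither a slot nor a stray separator to the joined sentence.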

@MWedl MWedl closed this as completed Apr 10, 2024