See where vulnerabilities are and more details | Fluid Attacks


See the list of vulnerabilities detected

Role required: User, Vulnerability Manager or User Manager

Vulnerabilities is the initial section you encounter upon entering a group.

Total of vulnerabilities

If you hover your mouse cursor over the title of the Vulnerabilities tab, you will be able to view the cumulative count of all currently active vulnerabilities within that group.

Know your vulnerabilities table

Role required: User, Vulnerability Manager or User Manager

In this table, you will see comprehensive information about the vulnerabilities reported in your group. This table comprises distinct columns, allowing you to turn specific columns on or off via the column filter button based on your preference for the displayed information. In total, there are thirteen columns which are described below:

  • Type: The name of the type of vulnerability from our standardized set whose characteristics are met by the vulnerability found in your system.
  • Status: The condition of the group regarding this type of vulnerability; the value is Vulnerable if the vulnerability is still present and Safe otherwise.
  • Severity: The maximum CVSS v3.1 (Common Vulnerability Scoring System) temporal score among the open vulnerabilities in this type of vulnerability.
  • % Risk Exposure: The contribution that this type of vulnerability is making to the CVSSF units for this group. It is given as a percentage, and only open vulnerabilities are taken into account.
  • Impact (0-1000): This column displays a prioritization indicator for remediation, integrating CVSS, EPSS (Exploit Prediction Scoring System) and asset criticality.
  • Open vulnerabilities: The total number of locations where the type of vulnerability was found and is still vulnerable; that is, not yet remediated.
  • Last report: The number of days elapsed since we found a vulnerability of that specific type, regardless of its vulnerable or safe status.
  • Age: The number of days elapsed since the type of vulnerability was found in your system for the first time.
  • Remediation %: The percentage of closed vulnerabilities of that type.
  • Reattack: The status of the reattacks for the type of vulnerability, which is Pending if at least one requested reattack is due to one of the vulnerabilities of this type; otherwise, it is just a hyphen.
  • Release Date: Date when the typology was reported.
  • Treatment: Lists the treatments applied to this type of vulnerability.
  • Description: A definition of the type of vulnerability.
Click on the downward-facing arrow on the left of the Type column to see some of the information stacked.

Vulnerability Table Second Half

Note: It is possible to observe the same vulnerability type multiple times, as it allows for the grouping of vulnerabilities that exhibit similar attributes, such as description, recommendations, severity, and other relevant characteristics.

Spot newly reported vulnerabilities

A newly reported vulnerability type will be designated with a "New" label. This label remains active on the new finding for seven days, after which it disappears.

new tag

Search the vulnerabilities table

Role required: User, Vulnerability Manager or User Manager

The Vulnerabilities section's search bar provides a convenient way to search for information within the vulnerabilities table. It offers three search options to refine your search results:
  • Type: This option allows you to search for vulnerabilities based on their type.

  • Repository Nickname: You can use this option to search for vulnerabilities associated with a specific repository by its nickname.

  • Locations: Use it to search for vulnerabilities based on their locations.

Hide and show columns in the vulnerabilities table

Role required: User, Vulnerability Manager or User Manager

You can filter the table by either hiding or showing specific columns. To accomplish this, simply click on the Columns button.

Columns button

As a result, a pop-up window will appear, allowing you to show and hide columns as needed.

Filtering Columns

Filter the vulnerabilities table

Role required: User, Vulnerability Manager or User Manager

The other way of filtering is by clicking the Filters button. Here you will see the filters that are currently active, which are the same ones you activated through the column filter.

Filters Button

Note: Keep in mind that the filters you apply will be visible in the table. These applied filters will persist in the Vulnerabilities sections across various groups within the same organization or even in different organizations.

Filters applied

Generate reports

Role required: Vulnerability Manager or User Manager

In the Vulnerabilities section, you find the Generate report option. If you would like more information about what types of reports are generated and how to request them, you can click on the following link.

See where vulnerabilities are located

Role required: User, Vulnerability Manager or User Manager

Click on a type of vulnerability listed in the Vulnerabilities section to enter that type's Locations section. There, you can access detailed information about the specific location, including the estimated time to resolve these vulnerabilities, statuses, and other relevant details. In addition, various functionalities are provided, such as reattacks, applying treatments, and managing the assignment of vulnerabilities, among other functionalities.

The header is the main entry point for comprehensively understanding the Locations section. Below, we detail the fundamental elements included in this header.

Vulnerability header

  • Title: Name of the type of vulnerability you have selected.

  • Percentage of Risk Exposure: This shows you the percentage of risk that can be reduced by fixing this vulnerability.

  • Status: Whether the group is Safe or Vulnerable depending on the presence of this reported type of vulnerability. Additionally, this element shows the severity score, according to the CVSS.

  • Open vulnerabilities: How many locations in your system still have that type of vulnerability. In the table, you can precisely find which files and code lines are affected.

  • First reported: The year, month and day we first identified and reported that type of vulnerability for the group in question.

  • Est. remediation time: The MTTR (Mean Time to Repair). This represents the number of hours on average that we estimate it will take you to remediate the selected type of vulnerability.

The Locations table provides thorough information about the vulnerability's specific locations, encompassing a total of thirteen columns. The detailed descriptions of each column are outlined below:

Locations table explication

  • Location: The files where this type of vulnerability has been reported. They can be understood as individual vulnerabilities of that type.

  • Specific: In what lines of code, inputs (e.g., password field) or ports each vulnerability was detected.

  • Status: Whether the location is Safe from the type of vulnerability reported or remains Vulnerable to it.

  • Technique: The testing technique used to detect the vulnerability, which can be SAST, DAST, SCA, CSPM, MPT, SCR, or RE.

  • Severity: The CVSS v3.1 (Common Vulnerability Scoring System) temporal score given to the vulnerability.

  • % Risk Exposure: Represents the contribution that this vulnerability is making to the metric CVSSF for this type of vulnerability. It is given as a percentage and is set to zero if the vulnerability is safe.

  • Impact (0-1000): This column displays a prioritization indicator for remediation, integrating CVSS, EPSS (Exploit Prediction Scoring System) and asset criticality.

  • Report date: The date when the vulnerability in that location was reported.

  • Reattack: Whether a reattack has been requested and is pending, is on hold, has been verified (open) or verified (closed). If this cell is blank, it should be interpreted that a reattack has not been requested.

  • Treatment: The defined Treatment for each vulnerability, which could be in progress, temporarily accepted, permanently accepted or Zero Risk.

  • Tags: Any tags that you have given each vulnerability to identify it.

  • Treatment Acceptance: Whether the treatment applied to the location has been accepted.

  • Assignees: The member assigned to fix the vulnerability at that location.

You can identify a newly reported vulnerability by observing the "New" label. This label remains visible for a duration of seven days.

New tag location

Click on Add filter to limit the information you see in the table. Remember that you can see the filters you have applied in the table next to the Add filter button.

Filters

Use the search bar to look for information within the rows of the table.

See inside a vulnerability

Role required: User, Vulnerability Manager or User Manager

Clicking on any vulnerability reported in the Locations section will open a pop-up window containing five tabs: Details, Severity, Code, Treatments, and Tracking. This window has a unique URL so that you can share the specific vulnerability with members and Fluid Attacks staff.

We will now explain each of these tabs and the information they contain. Remember that you can also view this window in the To do section.

See the details of a specific vulnerability

Role required: User, Vulnerability Manager or User Manager

The Details tab is the one that opens by default when you click on a vulnerability. It provides detailed information about the specific vulnerability you have selected. It comprises several subsections, such as location, general details, reattacks, treatments and package details. It is important to note that the last section only applies to SCA vulnerabilities, namely those identified as F 011 and 393.

Vulnerability Detail Tab

Here we explain the information of each item:

  • Location:
    • Locations: Path where the vulnerability was found
    • LoC / Port / Input: Specific line of code, port number, or input field that presents the vulnerability
  • General details:
    • Report date: The date the vulnerability was reported.
    • Closing date: The date the vulnerability was closed
    • Commit hash: Commit ID where the vulnerability was found
    • Tags: Vulnerability identification tags
    • Level: The user's rating of the vulnerability that indicates how important/critical it is
    • Zero risk: Whether this location has this treatment applied
  • Reattacks:
    • Last request: Date of last time a re-attack was requested
    • Requester: The name of the person requesting the reattack
    • Cycles: Total of how many reattacks have been requested
    • Efficiency: Percentage of efficiency in the solution of vulnerabilities
  • Treatments:
    • Current: Current treatment of vulnerability
    • Assigned: The person assigned the vulnerability
    • Date: Date stipulated in the application of the treatment
    • Expiration: Date stipulated in the application of the treatment Temporarily Accepted
    • Justification: The justification given when the Temporarily Accepted treatment was applied
    • Changes: The number of times the treatment of that vulnerability has changed
  • Package details: This information will be visible only in SCA vulnerabilities, specifically F 011 and 393
    • Name: Name of package that is vulnerable
    • Vulnerable version: The version of the package
    • CVE: CVE identifier.

Learn the severity of a specific vulnerability

Role required: User, Vulnerability Manager or User Manager

In the Severity tab, you will find expanded information about the severity score of that specific location. Here you are presented with the related Vector string, the calculated Severity score and a visual representation where you can hover over each metric to obtain greater details.

Severity Tab

The vector string is also a link that takes you to the CVSS v3.1 calculator, where you can see how the severity score was assigned and understand it better.

See the vulnerable line of code

Role required: User, Vulnerability Manager or User Manager

This tab is only shown for vulnerabilities detected with SAST and SCR.

When you click on a vulnerability found by SAST or SCR, you can access the Code tab. There you can see the vulnerable portion of the code.

Code Tab

Edit Treatment for a vulnerability

Role required: User, Vulnerability Manager or User Manager

When you click on a specific vulnerability, you can apply or modify its Treatment in the Treatments tab. Additionally, you can perform other actions such as changing the assignment and adding or editing External BTS, tags, and Level.

Clicking on the following link, you can visit the dedicated article, where you will understand the different types of treatments and how to fill in the other fields that compose this section.

Treatments Tab

See the history of a specific vulnerability

Role required: User, Vulnerability Manager or User Manager

When you click on a specific vulnerability, the Tracking tab lets you learn how the vulnerability has evolved over time.

Tracking Tab

Role required: User, Vulnerability Manager or User Manager

You can now quickly access the information and characteristics of a particular vulnerability. The URLs of each location are accompanied by a unique ID that identifies them. This ID is the vulnerability ID. Just select a location, and you will have the link to share it. You can easily copy the URL from the URL icon:

Link location

See the description of a type of vulnerability

Role required: User, Vulnerability Manager or User Manager

When you open a type of vulnerability and open its Description section, you find concise technical information about the type of vulnerability. This information includes what this type of vulnerability entails, the security requirements that you may not be complying with, the potential dangers associated with it, and the recommendations that you can follow to remediate or mitigate the risks.

Description Tab

See the severity of a type of vulnerability

Role required: User, Vulnerability Manager or User Manager

You can see details on the severity of a type of vulnerability in its Severity section. Fluid Attacks determines the severity of the vulnerabilities it detects based on the Common Vulnerability Scoring System (CVSS) version 3.1. The severity level reflects how impactful the exploitation of the vulnerability would be, and CVSS is the standard method of measurement. CVSS scores go from 0.1 to 10.0. The qualitative rating depends on those scores: Low from 0.1 to 3.9, Medium from 4.0 to 6.9, High from 7.0 to 8.9 and Critical from 9.0 to 10.0.

Severity
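To make the column definitions concrete (the type-level row described in See the list of vulnerabilities detected, the per-location % Risk Exposure from the Locations table, and the CVSS rating bands above), here is an added Python example; it is not Fluid Attacks' code. It derives a type-level row from constructed location rows. CVSSF is not defined on this page, so the weighting 4^(score - 4) used below is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Location:
    """One row of the Locations table (constructed sample, not platform output)."""
    path: str
    status: str          # "Vulnerable" or "Safe"
    severity: float      # CVSS v3.1 temporal score assigned to this location
    report_date: date


def qualitative_rating(score):
    """Map a CVSS v3.1 score to the rating bands given in this section."""
    if not 0.1 <= score <= 10.0:
        raise ValueError("CVSS scores go from 0.1 to 10.0")
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return name
    return "Low"


def cvssf(score):
    # Assumption: this page does not define CVSSF; 4**(score - 4) is used here
    # so that each additional CVSS point weighs four times more than the last.
    return 4.0 ** (score - 4.0)


def risk_exposure(locations):
    """% Risk Exposure per location: share of the type's CVSSF total, 0 if Safe."""
    weights = {l.path: (cvssf(l.severity) if l.status == "Vulnerable" else 0.0)
               for l in locations}
    total = sum(weights.values())
    return {p: (round(100 * w / total, 1) if total else 0.0) for p, w in weights.items()}


def summarize_type(locations, today):
    """Derive the type-level row of the Vulnerabilities table from its locations."""
    open_locs = [l for l in locations if l.status == "Vulnerable"]
    severity = max((l.severity for l in open_locs), default=None)   # open ones only
    first = min(l.report_date for l in locations)
    last = max(l.report_date for l in locations)                    # any status
    return {
        "Status": "Vulnerable" if open_locs else "Safe",
        "Severity": severity,
        "Rating": qualitative_rating(severity) if severity is not None else None,
        "Open vulnerabilities": len(open_locs),
        "Last report": (today - last).days,
        "Age": (today - first).days,
        "Remediation %": round(100 * (len(locations) - len(open_locs)) / len(locations), 1),
    }


# Constructed sample: three locations of one vulnerability type, reviewed on 2024-03-01.
SAMPLE = [
    Location("src/auth/login.py", "Vulnerable", 7.5, date(2024, 1, 10)),
    Location("src/api/users.py", "Vulnerable", 5.0, date(2024, 2, 1)),
    Location("src/db/query.py", "Safe", 9.1, date(2024, 1, 10)),
]
TODAY = date(2024, 3, 1)
```

Calling `summarize_type(SAMPLE, TODAY)` gives a Vulnerable row with severity 7.5 (High), two open locations and 33.3% remediation; the safe location contributes 0% risk exposure even though its own score is the highest.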

See evidence of exploitability

Role required: User, Vulnerability Manager or User Manager

On the platform, you can find code snippets showing the existence of the type of vulnerability, as well as screenshots and videos showing the exploitation of the vulnerability in question. Access this information by opening the type of vulnerability of your interest and clicking on Evidence. To learn more, read the article Examine the evidence of exploitability.

See the timeline of a type of vulnerability

Role required: User, Vulnerability Manager or User Manager

When you click on a type of vulnerability, you can enter its Tracking section. This shows you a timeline with the closure cycles (each cycle refers to a reattack request and its outcome and the application of temporary or permanent acceptance treatments). The cycles are shown from the most recent to the oldest. To see the timeline of a specific finding, follow the steps in See the history of a specific vulnerability.

Vulnerability Tracking Tab

See affected records

Role required: User, Vulnerability Manager or User Manager

Enter a type of vulnerability and open the Records section to find the information our ethical hackers have gathered by exploiting a particular type of vulnerability in your system. This information is sensitive and relevant to your organization and may include financial details such as account numbers, financial transactions, and credit card numbers; personal data such as phone numbers, contacts, and personal identification information; technical information such as roles, keys, and access tokens, and other related information.

Records

Comment on a type of vulnerability

Plan required: Advanced
Role required: User, Vulnerability Manager or User Manager

Enter a type of vulnerability to find its Consulting section. This is a forum-like space where you can share your doubts, comments or thoughts with the Fluid Attacks team or your work team. It allows any member to post and respond. You can find this tab in three different sections on our platform; the one in the Locations section is specifically for vulnerability level consulting. If you want to explore this section further, we invite you to follow this link.

Consulting tab

Get notified of a type of vulnerability

Role required: Vulnerability Manager or User Manager

This function sends you a report of all the locations of the specific vulnerability type that currently have a vulnerable status.

To receive this email, click on the Notify button.

Notify button

A confirmation pop-up window will ask whether you want to receive the notification.

confirmation window

When you click Notify, you will get an email called Vulnerability Alert, which has information about these locations.

Request reattacks

Role required: User, Vulnerability Manager or User Manager

Another functionality in the Locations section is Reattack, which focuses on validating the effectiveness of the solution applied to a vulnerability by executing a reattack. We have an exclusive section dedicated to this functionality. We invite you to access the following link for more details and to learn more about its use.

reattack button

Role required: Vulnerability Manager or User Manager

Members with the User role can assign fix work to themselves and edit the External BTS, Tags and Level values.

The Edit function in the Locations section allows you to perform various actions with the selected location, such as applying a treatment, assigning it to a team member, adding external BTS, defining tags and assigning a level. To understand more about each of the fields, click here.

Now, we will provide an explanation on how to edit a location. First, you must select which vulnerability you want to edit, followed by clicking on the Edit button.

Edit action

You will get a pop-up window where you can edit the vulnerability.

Edit pop-window

To save the changes you have made, click on the Confirm button.