Syslifters / reptor

Burp import handling with severity / cvss #175

Closed byteboltsec closed 5 months ago

byteboltsec commented 5 months ago

Hi @aronmolnar , thanks for pushing out the new Burp importer!

As Burp is handling the risk ratings with severity and not with cvss scoring, a hint in the documentation and adaptions in the Demo projects would be really awesome. Currently, the starter designs are interpreting all Burp findings as Info in the rendered PDF, which could cause confusion.

Thank you!  

aronmolnar commented 5 months ago

Thanks for the hint. I updated the documentation: https://docs.sysreptor.com/cli/tools/burp/#known-limitations

Burp doesn't populate CVSS scores. So if your report uses CVSS scores only, all findings are rated as "Info". You can, however, add the "severity" field to your report design. If you then push the scan results, the severity field holds the risk information. This should be immediately visible in the "Reporting" page of the SysReptor UI (there, the "severity" field overrides "cvss").

If this should also apply to your PDF, you must update your report design to use the severity field. You can also use conditionals (like if cvss exists, use cvss, else severity). You then no longer have a numeric score or a vector but only a value (e.g., "high") and a label (e.g., "High").

You can no longer use, for example, finding.cvss.level, but instead you can use finding.severity.value (e.g., "high") or finding.severity.label (e.g., "High").
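Added example (not part of the thread or of the reptor project): a small model of how a design resolves a finding's risk under the three options above (CVSS only, severity only, or the suggested conditional), plus a check that lists Burp-imported findings a CVSS-only design would render as Info. Field names follow the thread; the "n/a" placeholder for an empty vector and the level names are assumptions.

```python
# Added example, not reptor/SysReptor code. Models the resolution of a finding's
# risk level for the three design variants discussed above and flags findings a
# CVSS-only design would show as "Info". The "n/a" vector placeholder and the
# level names ("info".."critical") are assumptions, not taken from the project.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    title: str
    cvss_vector: Optional[str] = None  # real vector, or None / "n/a" when empty
    cvss_score: float = 0.0            # 0.0 when no vector is set (assumed)
    cvss_level: str = "info"           # level derived from the score (assumed)
    severity: Optional[str] = None     # value of the "severity" field, if present


def has_cvss(f: Finding) -> bool:
    """True only when a real vector is present; empty and 'n/a' count as absent."""
    return bool(f.cvss_vector) and f.cvss_vector.lower() != "n/a"


def effective_level(f: Finding, mode: str = "conditional") -> str:
    """Level a design would display for the finding.

    mode="cvss":        CVSS only, as in the starter designs (Burp -> "info").
    mode="severity":    severity only, as the SysReptor UI shows when the field exists.
    mode="conditional": the maintainer's suggestion: CVSS if present, else severity.
    """
    if mode == "cvss":
        return f.cvss_level
    if mode == "severity":
        return f.severity or "info"
    return f.cvss_level if has_cvss(f) else (f.severity or "info")


def findings_rendered_as_info(findings: List[Finding], mode: str = "cvss") -> List[str]:
    """Titles that would be shown as Info although a higher severity is recorded."""
    return [f.title for f in findings
            if effective_level(f, mode) == "info" and (f.severity or "info") != "info"]


# Constructed sample: one hand-rated finding with a vector, two Burp-style findings.
SAMPLE = [
    Finding("SQL injection", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "critical", "critical"),
    Finding("Cross-site scripting (reflected)", "n/a", 0.0, "info", "high"),
    Finding("Missing security header", None, 0.0, "info", "low"),
]

if __name__ == "__main__":
    for mode in ("cvss", "severity", "conditional"):
        print(mode, [effective_level(f, mode) for f in SAMPLE])
    print("rendered as Info by a CVSS-only design:", findings_rendered_as_info(SAMPLE, "cvss"))
```

Running the check before rendering a PDF tells you whether the design still needs the severity fallback.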

byteboltsec commented 5 months ago

Hi @aronmolnar, thanks for updating the documentation in detail!

I've customized the finding table template, which can handle cvss and severity in parallel (like from Burp); feel free to adopt / link / change it. Hope it will help other SysReptor users 😉

<tbody>
  <section v-for="finding in findings">
    <!-- No usable CVSS vector (empty or "n/a"): colour and label the row by the severity field -->
    <tr v-if="(!finding.cvss.vector || finding.cvss.vector === 'n/a') && finding.cvss.score" class="table-row-link"
      :class="'risk-bg-' + finding.severity.value">
      <td class="td-center">
        {{ findings.indexOf(finding) + 1 }}
      </td>
      <td class="td-center">
        <ref :to="finding.id">{{ finding.severity.label }}</ref>
      </td>
      <td>
        <ref :to="finding.id">{{ finding.title }}</ref>
      </td>
      <td class="td-center">
        <ref :to="finding.id" class="ref-page" />
      </td>
    </tr>
    <!-- Otherwise: colour the row by the CVSS level and show the numeric score -->
    <tr v-else class="table-row-link" :class="'risk-bg-' + finding.cvss.level">
      <td class="td-center">
        {{ findings.indexOf(finding) + 1 }}
      </td>
      <td class="td-center">
        <ref :to="finding.id">{{ finding.cvss.score }}</ref>
      </td>
      <td>
        <ref :to="finding.id">{{ finding.title }}</ref>
      </td>
      <td class="td-center">
        <ref :to="finding.id" class="ref-page" />
      </td>
    </tr>
  </section>
</tbody>

aronmolnar commented 5 months ago

Great, many thanks!