dradis / dradis-ce

Dradis Framework: Collaboration and reporting for IT Security teams
https://dradis.com/ce/
GNU General Public License v2.0
668 stars, 190 forks

[General Question] Tags are on issues not on evidence #758

Closed (h8h closed this 2 years ago)

h8h commented 3 years ago

Hi there,

I have a dradis issue with title "Cross Site Scripting".

Let's assume that on one node it is persistent and on the other node it is reflective.

So I added two pieces of evidence for "Cross Site Scripting", but the "tagging" (critical, high, medium, info) happens on the issue. That forces me to duplicate the issue: one issue tagged "high" and one tagged "medium".

If the tag is on the evidence, I can use one common "Cross Site Scripting" issue.

That leads to the general question: what's the basic idea behind having tags on issues instead of on evidence?

MattBudz commented 2 years ago

@h8h Typically, vulnerability scanners put severity (i.e. the tag, in this case) at the Issue level. However, some scanners (notably Burp) set the severity at the evidence level.

Burp takes the stance of giving each individual instance a Severity instead of assigning an overall rating to the Issue. To some extent, it makes sense, as you can have different severities depending on the circumstances (e.g. confirmed, authenticated, etc.). This is why Severity is available in the evidence but not the issue.

Burp can keep things consistent within its interface by assigning to the issue the "highest impact" of each of the instances because the data model/presentation is always the same. Unfortunately, that's a luxury we can't have as there is no guarantee for us about the naming convention our users are going to use (they can call it Severity, Impact, Risk, or anything else by creating a mapping with the Plugin Manager).

In addition, Burp doesn't have to deal with imports from other tools, users manually changing values, or re-uploading of scans by team members. If, for example, we took the same approach that Burp does and on upload assigned the Issue's severity as the highest of the Evidence in that scan, it would work fine. But then imagine that after the upload a human reviews the results and decides that the actual Risk should be different because of some particular circumstance. If we were then to upload another Burp scan, we'd be in a mess, because the user wants the issue to have a given value, but the parser would overwrite it with the new value coming from the new scan.

Hopefully, this sheds some light on tags at the issue level.
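The trade-off described in the reply above, as an added example that is not part of the thread and not Dradis code: a minimal Ruby model of an Issue with per-instance Evidence, a Burp-style "highest severity wins" roll-up, a reviewer override, and what happens to that override when a teammate re-uploads a scan. The severity names, their ranking, the node names, the scan contents and the `reviewed` flag are all assumptions constructed for the example; Dradis users can name the field anything through the Plugin Manager, and Dradis has no such flag.

```ruby
# Added example, not Dradis code. Models the trade-off in the reply above:
# rolling an Issue's severity up from its Evidence (Burp's approach) versus a
# reviewer setting it by hand, and what a re-upload does to the hand-set value.
# Severity names and ranking are assumptions for this example only.
SEVERITY_RANK = { "Info" => 0, "Low" => 1, "Medium" => 2, "High" => 3 }.freeze

Evidence = Struct.new(:node, :severity)

class Issue
  attr_reader :title, :evidence, :severity

  def initialize(title)
    @title = title
    @evidence = []
    @severity = nil
    @reviewed = false # assumed flag: true once a human has set the severity by hand
  end

  def add_evidence(node:, severity:)
    raise ArgumentError, "unknown severity #{severity.inspect}" unless SEVERITY_RANK.key?(severity)
    @evidence << Evidence.new(node, severity)
  end

  # Burp-style roll-up: the issue takes the highest severity among its instances.
  def highest_evidence_severity
    @evidence.map(&:severity).max_by { |s| SEVERITY_RANK[s] }
  end

  # Reviewer override, remembered so a later import does not silently replace it.
  def review_severity!(severity)
    @severity = severity
    @reviewed = true
  end

  # Naive parser behaviour: always overwrite the issue from the scan.
  def rollup_naive!
    @severity = highest_evidence_severity
  end

  # Parser that respects a human decision: only roll up when nobody has reviewed.
  def rollup_preserving!
    @severity = highest_evidence_severity unless @reviewed
  end
end

# Constructed scan results: one "Cross Site Scripting" issue seen on two nodes
# with different per-instance severities, as in the opening post.
FIRST_SCAN  = [{ node: "app.example.test", severity: "Medium" },
               { node: "api.example.test", severity: "Low" }].freeze
SECOND_SCAN = [{ node: "app.example.test", severity: "Medium" }].freeze

def import!(issue, scan, strategy)
  scan.each { |f| issue.add_evidence(node: f[:node], severity: f[:severity]) }
  strategy == :naive ? issue.rollup_naive! : issue.rollup_preserving!
  issue
end

# Scenario: upload, reviewer raises the issue to High (say the stored instance
# was confirmed exploitable), then a teammate re-uploads a second scan.
# Returns the issue's final severity under the given parser strategy.
def severity_after_reupload(strategy)
  issue = Issue.new("Cross Site Scripting")
  import!(issue, FIRST_SCAN, strategy)
  issue.review_severity!("High")
  import!(issue, SECOND_SCAN, strategy)
  issue.severity
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:      #{severity_after_reupload(:naive)}"      # reviewer's High is clobbered
  puts "preserving: #{severity_after_reupload(:preserving)}" # reviewer's High survives
end
```

With the naive strategy the second import recomputes the roll-up and the reviewer's "High" becomes "Medium" again, which is exactly the mess the reply warns about; the preserving strategy keeps the human value but then has to answer the opposite question of when, if ever, a new scan should be allowed to change it.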