Findings

Introduction

Findings (or vulnerabilities as they are also commonly known) are a cornerstone of Canopy. When working on a project, the results of the project are stored as findings, which are typically included in the report (some high level reports only make use of finding statistics). A finding will typically have

A key aspect of the finding is its ability to record sufficient information to help the receiving client to understand the identified issue. The following text fields are defaults in Canopy, with their descriptions acting as a suggested use:

  • Summary: used to capture a brief summary of the finding.
  • Background: used to describe the background information necessary to understand the issue at hand. For example, a finding for SQL injection may include key information to help the user understand SQL injection from its origins, before describing the impact to the client in question.
  • Description: used to explain the finding in more detail, specifically focusing on its applicability to the current client and the target asset of the project.
  • Recommendation: used to provide recommendations to help address the issue and reduce risk.
  • Re-test notes: used to capture update information and other details noted during a re-test phase.

It is also possible to create custom text fields and other fields to make the finding structure more tailored to each company's needs.

Access control

Access to findings is inherited from the project. This means that whoever has access to the project (read, write, admin) has the same authority over its findings.

The finding list

The finding list can be found under the phase view. This list allows a user to sort and filter findings, access them and add new findings (manually or from the KB).

Adding a finding

A finding can be added in three main ways:

Adding a manual finding

To add a finding manually:

  1. Access the phase of the project you're working on.
  2. Click the "+ FINDING" button.
  3. Complete the form and save.

Adding a finding from the KB

To add a finding from the KB:

  1. Access the phase of the project you're working on.
  2. Click the drop down button and select "Add findings from KB".
  3. Select the findings you want to add to the phase. It is possible to filter and multi-select.
  4. Add the findings.

Adding a finding via tool imports

In order to add findings via the tool importer, simply drag and drop the supported tool results file onto the File Uploads section of the phase view. If the results file is from a supported tool and in the supported format, the import happens automatically. The import process copies data from the file to create findings, assets, examples, references and more.

For further info on supported tools see Supported Tools.

Editing a finding

To edit a finding:

  1. Access the finding view from the phase list (or project phase list).
  2. Click the edit icon.
  3. Edit and save.

Finding rating systems

Finding rating systems are used to tailor Canopy to the risk rating needs of each company and their clients. By default, Canopy uses a Critical to Info rating system alongside CVSSv2 and CVSSv3. However, when users need their own rating system, this can be added through the use of custom fields (i.e. to store rating values) and a custom rating calculator. This gives Canopy significant flexibility in adapting to the specific needs of each company that uses it.

We are happy to provide support in adding custom finding rating systems. We also provide support material to help write your own. For further information, see: Extending Canopy.

Adding a finding to the KB

Canopy's Finding Knowledge Base (Finding KB) provides a useful way of storing reusable findings. This is quite common practice in industry, although used to varying degrees. In order to add a finding to the Knowledge Base:

  1. Access the finding view from the phase findings list (or project phase list).
  2. Click on the ellipsis and click the Add to KB option.

The finding will then be added in an unapproved state to the Finding KB.

Deleting a finding

Findings can be deleted individually (via the finding view) or as a selection via the phase finding list.