Download a report of detected vulnerabilities | Fluid Attacks Help

Download a group's vulnerability report

Role required: Vulnerability Manager or User Manager

To get a vulnerability report on Fluid Attacks' platform, navigate to your group's Vulnerabilities section and click on the Generate report button located at the top right corner of the page.

The following report options are available, offering varying levels of detail about reported vulnerabilities within a specific group:

  • Certificate: Available to User Managers only, it is a document that certifies that your system is undergoing security testing by Fluid Attacks (requires completion of the information section). Among the certificate contents is the number of reported vulnerabilities categorized by their CVSS qualitative ratings, how many of them have been remediated, how many accepted, and the number of reported risk exposure units.

  • Export: It is a ZIP folder containing vulnerability reports, a file listing compromised records, and the pictures and videos that constitute vulnerability evidence.

  • Executive: It is a summarized PDF report of all group vulnerabilities, tailored for management review.

  • Technical: It is a customizable, detailed XLSX report of group vulnerabilities, ideal for technical analysis.

After selecting your desired report, you are prompted to enter a verification code. This code is sent to your registered mobile number via SMS message or WhatsApp. If you have not registered your mobile number yet, you can do so by accessing the user information drop-down menu and selecting the Mobile option.
As an alert on Fluid Attacks' platform immediately announces, you receive an email with the link to the report within the next few minutes. Click the Download Report button in the email to save the report to your device. Bear in mind that the download link expires one hour after delivery.
Note: There may be restrictions on sending the OTP code by SMS in Canada.

Definitions of the technical report columns

The technical report provides comprehensive details about identified vulnerabilities. Here are the descriptions of the columns in the XLSX file:
  • Related Finding: The type of vulnerability
  • Finding Id: Unique identifier for the type of vulnerability
  • Vulnerability Id: Unique identifier for the vulnerability
  • Package: Name of the package that may be unsafe
  • Vulnerable version: Package version in use
  • CVE: Common Vulnerabilities and Exposures (CVE) identifier
  • Where: Specific path where the vulnerability is present
  • Stream: Steps to reach the vulnerability in dynamic environments
  • Specific: Precise line, field or port that presents the vulnerability
  • Description: Detailed description of the vulnerability
  • Status: Current status of the vulnerability, where Vulnerable means it is present, whereas Safe means it has been remediated
  • Severity (v3.1/v4.0): Severity score based on the Common Vulnerability Scoring System (CVSS)
  • Requirements: Likely unfulfilled security requirements
  • Impact: What an attacker can achieve exploiting the vulnerability
  • Threat: The attack vector an attacker has to follow and the privileges they require to exploit the vulnerability
  • Recommendation: Suggested actions to fix the vulnerability
  • External BTS: URL of the issue in your bug tracking system (BTS) related to this vulnerability
  • Compromised Attributes: Data or information compromised due to the vulnerability (e.g., usernames, IDs, passwords)
  • Tags: User-defined tags to categorize or identify the vulnerability
  • Business Critically: Priority score; a numerical value representing the organization-defined importance of this security issue (ranges from 0 to 1 billion)
  • Technique: Security testing technique used to detect the vulnerability
  • Report Moment: Date when the vulnerability was confirmed
  • Close Moment: Date when the vulnerability was fixed (if applicable)
  • Age in days: Number of days since the vulnerability was confirmed
  • First Treatment: Initial treatment applied to the vulnerability
  • First Treatment Moment: Date when the first treatment was applied
  • First Treatment Justification: Justification given for applying the first treatment
  • First Treatment expiration Moment: Expiration date for the first treatment (if Temporarily accepted)
  • First Assigned: Email of the first person who was assigned to remediate the vulnerability
  • Current Treatment: Current treatment applied to the vulnerability
  • Current Treatment Moment: Date when the current treatment was applied
  • Current Treatment Justification: Justification given for applying the current treatment
  • Current Treatment expiration Moment: Expiration date for the current treatment (if Temporarily accepted)
  • Current Assigned: Email of the person who is currently assigned to remediate the vulnerability
  • Pending Reattack: Whether the reattack (i.e., verification of the effectiveness of your fix) is currently Requested (Yes or No)
  • # Requested Reattacks: The total number of times that a reattack has been requested
  • Remediation Effectiveness: The percentage representing one positive reattack outcome (confirming the vulnerability was fixed) out of all the reattacks carried out
  • Last requested reattack: Date of the most recent reattack request
  • Last reattack Requester: Email of the person who requested the most recent reattack
  • CVSSv3.1 string vector: The values used to derive the score represented textually
  • Attack Vector (v3.1/v4.0): How remote the attacker can be in order to exploit the vulnerable system
  • Attack Complexity (v3.1/v4.0): How easy it is for the attacker to exploit the vulnerability
  • Privileges Required (v3.1/v4.0): Level of privileges an attacker needs
  • User Interaction (v3.1/v4.0): Whether user interaction is required for exploitation
  • Severity Scope: Whether the vulnerability impacts components beyond that which is vulnerable (CVSS v3.1 metric only)
  • (Vulnerable) Confidentiality Impact: The impact of exploitation on information confidentiality
  • (Vulnerable) Integrity Impact: The impact of exploitation on information integrity
  • (Vulnerable) Availability Impact: The impact of exploitation on information availability
  • Exploitability (v3.1)/Exploit Maturity (v4.0): Probability of exploitation given the current state of techniques for it, exploit code availability, and actual exploitation "in the wild"
  • Remediation Level: Whether there are fixes or workarounds available for the vulnerability (CVSS v3.1 metric only)
  • Report Confidence: Level of confidence in the existence of the vulnerability, given the amount of detail with which it is reported (CVSS v3.1 metric only)
  • Subsequent Confidentiality Impact: Exploitation impact on information confidentiality in one or more systems other than the vulnerable system (CVSS v4.0 metric only)
  • Subsequent Integrity Impact: Exploitation impact on information integrity in one or more systems other than the vulnerable system (CVSS v4.0 metric only)
  • Subsequent Availability Impact: Exploitation impact on information availability in one or more systems other than the vulnerable system (CVSS v4.0 metric only)
  • CWE ids: Common Weakness Enumeration (CWE) identifier
  • Commit Hash: ID of the commit that created the vulnerability
  • Root Nickname: User-defined nickname of the root where the vulnerability was found
  • Root branch: The specific branch that is tested and where the vulnerability was found
  • Severity level (v3.1/v4.0): CVSS qualitative rating
  • EPSS: Exploit Prediction Scoring System; a value ranging from 0 to 100 that corresponds to the likelihood that the vulnerability will be exploited in the wild. This value is retrieved from the FIRST database by the Fluid Attacks scanner's SCA module.
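
A triage pass over the technical report using the columns defined above, as an added example that is not part of Fluid Attacks' documentation or tooling. It assumes the XLSX sheet has been saved as CSV, that the header row matches the column names listed here, and that dates are ISO 8601; the sample rows and every treatment value other than Temporarily accepted are constructed.

```python
import csv
import io
from datetime import date

# Column names as listed on this page; check them against the header row of your own file.
STATUS, SEVERITY, EPSS = "Status", "Severity (v3.1/v4.0)", "EPSS"
TREATMENT = "Current Treatment"
EXPIRES = "Current Treatment expiration Moment"

# Constructed sample rows (not real findings). Dates are assumed to be ISO 8601.
SAMPLE = """\
Vulnerability Id,Where,Status,Severity (v3.1/v4.0),EPSS,Current Treatment,Current Treatment expiration Moment
v-001,src/app/login.py,Vulnerable,9.1,72,Untreated,
v-002,src/app/export.py,Vulnerable,5.3,3,Temporarily accepted,2024-01-31
v-003,src/app/search.py,Safe,8.0,40,In progress,
v-004,src/lib/parser.py,Vulnerable,7.5,88,Temporarily accepted,2030-01-01
v-005,src/lib/upload.py,Vulnerable,7.5,12,In progress,
"""

def to_float(value):
    """Parse a numeric cell; empty or malformed cells count as 0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0

def acceptance_lapsed(row, today):
    """True when a temporary acceptance has passed its expiration date."""
    if (row.get(TREATMENT) or "").strip().lower() != "temporarily accepted":
        return False
    try:
        return date.fromisoformat((row.get(EXPIRES) or "").strip()[:10]) < today
    except ValueError:
        return False  # missing or unparseable date: do not guess

def triage(csv_text, today):
    """Return open vulnerabilities, highest severity first, then highest EPSS."""
    rows = csv.DictReader(io.StringIO(csv_text))
    open_rows = [r for r in rows if (r.get(STATUS) or "").strip().lower() == "vulnerable"]
    for r in open_rows:
        r["lapsed"] = acceptance_lapsed(r, today)
    open_rows.sort(key=lambda r: (-to_float(r.get(SEVERITY)), -to_float(r.get(EPSS))))
    return open_rows

if __name__ == "__main__":
    for r in triage(SAMPLE, date(2024, 6, 1)):
        flag = "ACCEPTANCE LAPSED" if r["lapsed"] else ""
        print(r["Vulnerability Id"], r[SEVERITY], r[EPSS], r["Where"], flag)
```

Rows marked as lapsed are still Vulnerable even though the acceptance recorded in the treatment columns has expired, so they need a new treatment decision.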

Filter the technical report

Role required: Vulnerability Manager or User Manager

If you want to customize the technical report, you have the option to apply filters at the time of your request. To leverage this option, follow these steps:
  1. In the Vulnerabilities section, click on Generate report.

  2. Click on the filters button on the right side of the Technical button.

  3. A pop-up window appears, presenting you with the filter options.

    These are the available filters:
    • Type: The name of the type of vulnerability
    • Report date range: The dates within which vulnerabilities were reported
    • Locations: Specific path where the vulnerabilities are present
    • Last report: Include only types whose last report was more recent than the specified value (given in days)
    • Age: Include only types whose first report was more recent than the specified value (given in days)
    • Severity range: Minimum and maximum CVSS severity scores
    • Closing date: Include only vulnerabilities remediated on a date more recent than the one specified
    • Treatment: Currently applied vulnerability treatment
    • Reattack: Current reattack status
    • Status: Whether the reported lines of code, inputs or ports are Vulnerable (the vulnerability is present) or Safe (the vulnerability is no longer present)

  4. Customize your report as needed and click on the Generate XLS button.

  5. Choose where you want to receive the code for two-step verification (SMS app or WhatsApp).
    Remember you need to have your mobile phone registered in the platform for this step.

  6. Enter the code you received and click on Verify.

  7. After successful verification, wait for the email containing the filtered report in XLSX format and download it within the first hour of receiving it.

Download a report of all vulnerabilities in the organization

Role required: User Manager

To download a comma-separated values (CSV) file containing all of your organization's vulnerabilities (including their vulnerability statuses), follow these steps:

  1. Go to the Analytics section at the organization level (i.e., the one you access through the collapsible menu).

  2. Click the Vulnerabilities button on the top right corner of the section.

  3. Choose where you want to receive the two-step verification code (SMS app or WhatsApp).

  4. Enter the verification code you received and click Verify. Your browser then downloads a compressed file containing the CSV file.
You can also obtain this information via API using the vulnerabilitiesUrl method. Find the details on how to make API requests to the platform in the Fluid Attacks API documentation.