Submitting a Code Level Vulnerability

If 'Code Level' is chosen as the 'Vulnerability Type', the following fields are shown:

  • Title - This field is 'Mandatory'. Enter the title of the vulnerability you are logging.
  • Description - This field is 'Mandatory'. Describe the vulnerability you are logging.
  • File Name - This field is 'Mandatory'. Enter the name of the file that contains the vulnerable code, or its full path.
  • Start Line Number - This field is 'Mandatory'. Enter the line number on which the vulnerable code block starts in that file.
  • End Line Number - This field is 'Mandatory'. Enter the line number on which the vulnerable code block ends in that file.
  • Vulnerable Code - This field is 'Mandatory'. Paste the vulnerable code snippet here.
  • Steps to Reproduce - This field is 'Mandatory'. Provide detailed steps on how to reproduce the vulnerability.
  • Mitigation - This field is 'Mandatory'. Provide information or suggestions on how to fix the vulnerability.
  • CVE - This field is 'Not Mandatory'. Provide any relevant CVE IDs for the vulnerability.
  • Tags - This field is 'Not Mandatory'. Add tags to the vulnerability so that it can be grouped and filtered later.
  • Add File - This field is 'Not Mandatory'. Use it to attach files such as screenshots or videos for the vulnerability. This can help the developer understand the reported issue.
  • Custom Fields - Each custom field is 'Mandatory' or 'Not Mandatory' depending on whether it was created as a mandatory field. More about custom fields here.
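The fields above describe one report record. As an added example (not the product's own code or API; the field names are assumed for illustration), this Python check validates such a record before it is submitted: every mandatory field is present, the start line is not after the end line, the quoted snippet really matches the file at those lines, and any CVE IDs are well formed.

```python
import re

# Field names for the 'Code Level' form described above. These are constructed
# for this example; they are not the product's own API or field identifiers.
MANDATORY = (
    "title", "description", "file_name", "start_line", "end_line",
    "vulnerable_code", "steps_to_reproduce", "mitigation",
)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_report(report: dict, source_text: str) -> list:
    """Return a list of problems; an empty list means the report is ready to log."""
    # source_text is the content of the file named in the report, so the quoted
    # snippet can be checked against the start/end line numbers before submission.
    problems = []
    for field in MANDATORY:
        if not str(report.get(field, "")).strip():
            problems.append(f"missing mandatory field: {field}")
    start, end = report.get("start_line"), report.get("end_line")
    if not (isinstance(start, int) and isinstance(end, int) and 0 < start <= end):
        problems.append("start_line/end_line must be positive integers with start <= end")
        return problems
    lines = source_text.splitlines()
    if end > len(lines):
        problems.append(f"end_line {end} is past the end of the file ({len(lines)} lines)")
    else:
        # Compare ignoring indentation, since pasted snippets are usually de-indented.
        quoted = [ln.strip() for ln in str(report.get("vulnerable_code", "")).splitlines()]
        actual = [ln.strip() for ln in lines[start - 1:end]]
        if quoted != actual:
            problems.append("vulnerable_code does not match the file at the given lines")
    for cve in report.get("cve", []):
        if not CVE_RE.match(cve):
            problems.append(f"malformed CVE id: {cve}")
    return problems


# Constructed sample: a three-line source file and a report quoting lines 2-3 of it.
SAMPLE_FILE = "def get_basket(id):\n    basket = db.find(id)\n    return basket\n"
SAMPLE_REPORT = {
    "title": "Basket can be read by any logged-in user",
    "description": "The lookup never checks that the basket belongs to the caller.",
    "file_name": "routes/basket.py",
    "start_line": 2,
    "end_line": 3,
    "vulnerable_code": "basket = db.find(id)\nreturn basket",
    "steps_to_reproduce": "While logged in, request a basket id that belongs to another account.",
    "mitigation": "Verify basket ownership against the session user before returning it.",
    "cve": [],
    "tags": ["Authorization"],
}
```

Run `validate_report(SAMPLE_REPORT, SAMPLE_FILE)` to get an empty list; swapping the line numbers or blanking 'Mitigation' produces a problem entry naming the field.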


Logging a Code Level Vulnerability:

For the sake of demonstration, we will log a vulnerability against the OWASP Juice Shop application code.

  1. From the 'Vulnerabilities' page, click on 'New Vulnerability'.

  2. Select an 'Asset' from the list of your assets. Onboarding an asset is a prerequisite to adding any vulnerabilities. More on how to onboard assets here.

  3. Now select a 'CWE ID' from the list of CWE IDs. This is not mandatory. More about CWEs here.

  4. Select a severity for the vulnerability you are logging. You can either choose a standard severity or give your input to the CVSS calculator, which will calculate the severity for you. More about how the CVSS calculator works here.

  5. Now enter all the relevant information in the fields you are presented with. In this case we have added a tag to the vulnerability and named it 'Authorization', so that any similar issues reported later can use the same tag and vulnerabilities can then be filtered on it. More on how to use filters here.

  6. Click on 'Finish'. The vulnerability has been logged successfully.
