7. Reports and Vulnerability Management

The results of a scan are summarized in a report. Reports can be displayed and downloaded in different formats.


The reporting is briefly explained in a video.


The GCS saves not only the latest report of a scan but all reports of all scans ever run. This allows access to historical information. The reports contain the vulnerabilities and information discovered by a scan.

Once a scan has been started, the report of the results found so far can be viewed. When a scan is completed, the status changes to Done and no more results will be added.

7.1. Reading a Report

An overview of all existing reports of a task can be displayed by selecting Scan Management in the menu panel and clicking on the number of reports in the column Reports (see Fig. 7.1).

The following information is displayed:

Date

Date and time of report creation.

Unfinished scans are marked with a warning icon.

Severity

Highest severity found on the target.

Critical/Medium/Low/Log

Number of found vulnerabilities for each severity class.

File icon

Show all results for the respective report.

Executive PDF

By clicking the download icon, the “Executive Report” can be downloaded. It contains general information about the scan and lists of hosts sorted by severity.

Technical PDF

By clicking the download icon, the “Technical Report” can be downloaded. It contains general information about the scan as well as about the scanned hosts and details for each found vulnerability.

_images/report_1.png

Fig. 7.1 Summary of all reports of a scan

To interpret the results, note the following information:

  • Multiple findings can have the same cause.

    If an especially old software package is installed, often multiple vulnerabilities exist. Each of these vulnerabilities is tested by an individual VT and causes an alert. The installation of a current package will remove a lot of vulnerabilities at once.

  • Critical and Medium

    Findings of the severity levels Critical and Medium are the most important and should be addressed with priority. Critical level findings should be addressed before medium level findings. Only in exceptional cases should this approach be deviated from, e.g., if it is known that the critical level findings are less relevant because the service cannot be reached through the firewall.

  • Low and Log

    Findings of the severity levels Low and Log are mainly of interest for a detailed understanding. These findings are filtered out by default but can hold very useful information. Considering them will increase the security of the network and the systems. Often a deeper knowledge of the application is required to understand them. A typical result with the severity Log is a service that uses a banner containing its name and version number. This could be useful for an attacker if this version has a known vulnerability.

7.2. Results of a Report

A report can be opened by clicking the file icon for the desired report in the report overview (see Fig. 7.1).

Tip

The latest report of a scan can be displayed by selecting Scan Management in the menu panel and clicking the file icon in the row of the scan.

The name, date and time of the scan as well as the highest found severity are displayed at the top.

The following registers are available:

  • Dashboard

  • Grid Overview

  • Table Overview

7.2.1. Dashboard

The dashboard provides a summarizing overview of the found vulnerabilities, their severities and their possible solutions.

The following information is displayed:

  • Total number of detected vulnerabilities

  • Number of detected vulnerabilities for each solution type

  • Number of detected vulnerabilities for each severity level

  • The two solutions with the highest fix percentage

  • Risk level (highest found severity)

  • Top 10 hosts with number of found vulnerabilities and distribution of severities (sorted by number of vulnerabilities or by severity)

7.2.2. Grid Overview

The grid overview shows all found vulnerabilities sorted from highest to lowest severity.

By clicking Filter + the results can be filtered (see Chapter 7.3).

_images/report_3.png

Fig. 7.2 Result of a scan

For every result the following information is displayed:

1 – Name of the found vulnerability.

2 – Severity of the vulnerability.

3 – Open an overlay showing details of the vulnerability.

4 – QoD is short for “Quality of Detection” and shows the reliability of the detection of a vulnerability.

5 – Solution type for the found vulnerability. The following solution types are possible:

  • Official Fix: an official vendor patch is available. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.

  • Temporary Fix: a workaround (information about a configuration or a specific deployment scenario that can be used to avoid exposure to the vulnerability) is available to temporarily eliminate the vulnerability.

    There can be none, one or more workaround(s) available.

    This is usually the “first line of defense” against a new vulnerability before a risk reduction or official fix has been issued or even discovered.

  • Risk Reduction: information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability is available but that does not resolve the vulnerability on the affected product.

  • No Fix Available: there is no fix for the vulnerability and there never will be one.

    This is often the case when a product has been orphaned, is no longer maintained or otherwise deprecated.

  • Searching for Fix: there is currently no solution available to remediate the vulnerability but there may be a solution in the future.

6 – Host for which the result was found.

7 – Port number and protocol type used to find the vulnerability on the host.

8 – Host name and operating system of the host for which the result was found.

9 – Severity level of the vulnerability.

7.2.3. Table Overview

The table overview shows the results of the scan in the form of different tables.

There are three different tables that can be selected (see Fig. 7.3):

  • Overview: all detected results

  • Host: results grouped by host

  • Vulnerability: results grouped by vulnerability

By clicking Filter + the results can be filtered (see Chapter 7.3).

_images/table_overview_1.png

Fig. 7.3 Different tables in the table overview

7.2.3.1. “Overview” Table

For every result the following information is displayed:

Name

Name of the corresponding vulnerability.

Severity

Severity of the corresponding vulnerability. It is displayed with the color according to the severity level to support the analysis of the results.

Host

Host for which the result was found.

Port

Port number and protocol type used to find the result on the host.

Solution

Solution for the corresponding vulnerability. The following solution types are possible:

  • Official Fix: an official vendor patch is available. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.

  • Temporary Fix: a workaround (information about a configuration or a specific deployment scenario that can be used to avoid exposure to the vulnerability) is available to temporarily eliminate the vulnerability.

    There can be none, one or more workaround(s) available.

    This is usually the “first line of defense” against a new vulnerability before a risk reduction or official fix has been issued or even discovered.

  • Risk Reduction: information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability is available but that does not resolve the vulnerability on the affected product.

  • No Fix Available: there is no fix for the vulnerability and there never will be one.

    This is often the case when a product has been orphaned, is no longer maintained or otherwise deprecated.

  • Searching for Fix: there is currently no solution available to remediate the vulnerability but there may be a solution in the future.

QoD

QoD is short for “Quality of Detection” and shows the reliability of the detection of a vulnerability.

By default, only results that were detected by a VT with a QoD of 70 % or higher are displayed. This lowers the probability of false positives. The filter can be adjusted to show results with a lower QoD (see Chapter 7.3).

Details

By clicking the details icon, an overlay is opened showing details of the vulnerability.

_images/table_overview_2.png

Fig. 7.4 Overview table

7.2.3.2. “Host” Table

For every host the following information is displayed:

Name

IP address of the host.

Severity

Highest severity found on the host.

High/Medium/Low

Number of found vulnerabilities for each severity.

By clicking on a number, the top 20 vulnerabilities for the selected severity found on the respective host are displayed.

_images/table_overview_3.png

Fig. 7.5 Host table

7.2.3.3. “Vulnerability” Table

For every vulnerability the following information is displayed:

Name

Name of the vulnerability.

Severity

Severity of the vulnerability. It is displayed with the color according to the severity level to support the analysis of the results.

Host

Number of hosts on which the vulnerability was found.

By clicking on the number, the top 20 hosts on which the vulnerability was found as well as additional details are displayed.

Port

Number of ports by which the vulnerability was found.

By clicking on the number of ports, the top 20 ports by which the vulnerability was found as well as additional details are displayed.

Solution

Solution for the corresponding vulnerability. The following solution types are possible:

  • Official Fix: an official vendor patch is available. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.

  • Temporary Fix: a workaround (information about a configuration or a specific deployment scenario that can be used to avoid exposure to the vulnerability) is available to temporarily eliminate the vulnerability.

    There can be none, one or more workaround(s) available.

    This is usually the “first line of defense” against a new vulnerability before a risk reduction or official fix has been issued or even discovered.

  • Risk Reduction: information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability is available but that does not resolve the vulnerability on the affected product.

  • No Fix Available: there is no fix for the vulnerability and there never will be one.

    This is often the case when a product has been orphaned, is no longer maintained or otherwise deprecated.

  • Searching for Fix: there is currently no solution available to remediate the vulnerability but there may be a solution in the future.

QoD

QoD is short for “Quality of Detection” and shows the reliability of the detection of a vulnerability.

By default, only results that were detected by a VT with a QoD of 70 % or higher are displayed. This lowers the probability of false positives. The filter can be adjusted to show results with a lower QoD (see Chapter 7.3).

Details

By clicking the details icon, an overlay is opened showing details of the vulnerability.

_images/table_overview_4.png

Fig. 7.6 Vulnerability table
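The dashboard counts in Chapter 7.2.1 and the Host and Vulnerability tables in Chapter 7.2.3 are all aggregations over the same list of results. The following script is an added example, not code from the GCS or the Greenbone documentation, showing how those aggregations are computed. The result records, the score boundaries used for the severity classes (a CVSS-style banding, which the page does not state) and the reading of "fix percentage" as the share of findings a solution type would address are all assumptions; real GCS exports have their own schema that is not shown on this page.

```python
from collections import Counter, defaultdict

# Constructed sample results (hypothetical hosts and findings, not a real GCS export).
RESULTS = [
    {"name": "OpenSSH < 8.0 multiple vulnerabilities", "severity": 7.8, "qod": 80,
     "host": "192.0.2.10", "port": "22/tcp", "solution": "Official Fix"},
    {"name": "OpenSSH < 8.0 multiple vulnerabilities", "severity": 7.8, "qod": 80,
     "host": "192.0.2.11", "port": "22/tcp", "solution": "Official Fix"},
    {"name": "TLS 1.0 enabled", "severity": 5.3, "qod": 98,
     "host": "192.0.2.10", "port": "443/tcp", "solution": "Risk Reduction"},
    {"name": "TLS 1.0 enabled", "severity": 5.3, "qod": 98,
     "host": "192.0.2.10", "port": "8443/tcp", "solution": "Risk Reduction"},
    {"name": "HTTP server banner disclosure", "severity": 0.0, "qod": 80,
     "host": "192.0.2.11", "port": "80/tcp", "solution": "Temporary Fix"},
    {"name": "Unmaintained CMS detected", "severity": 3.1, "qod": 70,
     "host": "192.0.2.12", "port": "80/tcp", "solution": "No Fix Available"},
]


def severity_class(score):
    """Map a numeric severity to the classes named on the page.

    The boundaries are an assumption (CVSS-style bands); the page names the
    classes Critical/Medium/Low/Log but does not give their score ranges.
    """
    if score == 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "Critical"


def host_table(results):
    """The 'Host' table: per host, the highest severity and a count per class."""
    table = {}
    for r in results:
        row = table.setdefault(r["host"], {"severity": 0.0, "counts": Counter()})
        row["severity"] = max(row["severity"], r["severity"])
        row["counts"][severity_class(r["severity"])] += 1
    return table


def vulnerability_table(results):
    """The 'Vulnerability' table: per vulnerability, highest severity,
    number of distinct hosts and number of distinct ports it was found on."""
    hosts, ports, severity, solution = defaultdict(set), defaultdict(set), {}, {}
    for r in results:
        hosts[r["name"]].add(r["host"])
        ports[r["name"]].add(r["port"])
        severity[r["name"]] = max(severity.get(r["name"], 0.0), r["severity"])
        solution[r["name"]] = r["solution"]
    return {n: {"severity": severity[n], "hosts": len(hosts[n]),
                "ports": len(ports[n]), "solution": solution[n]} for n in hosts}


def dashboard(results, top_n=10):
    """The dashboard figures: totals per solution type and severity level,
    the two solution types covering the largest share of findings, the risk
    level (highest severity) and the top hosts by number of findings."""
    total = len(results)
    by_solution = Counter(r["solution"] for r in results)
    by_severity = Counter(severity_class(r["severity"]) for r in results)
    # "Fix percentage" read as: share of all findings this solution type addresses (assumption).
    fix_pct = {s: round(100.0 * c / total, 1) for s, c in by_solution.items()}
    top_solutions = sorted(fix_pct.items(), key=lambda kv: kv[1], reverse=True)[:2]
    hosts = host_table(results)
    ranked = sorted(hosts.items(), key=lambda kv: sum(kv[1]["counts"].values()), reverse=True)
    return {
        "total": total,
        "by_solution": dict(by_solution),
        "by_severity": dict(by_severity),
        "top_solutions": top_solutions,
        "risk_level": severity_class(max(r["severity"] for r in results)),
        "top_hosts": [(h, sum(row["counts"].values())) for h, row in ranked[:top_n]],
    }


if __name__ == "__main__":
    d = dashboard(RESULTS)
    print("Risk level:", d["risk_level"], "| total findings:", d["total"])
    print("By severity:", d["by_severity"])
    print("Top solutions:", d["top_solutions"])
    for host, row in host_table(RESULTS).items():
        print(host, row["severity"], dict(row["counts"]))
```

The two OpenSSH entries illustrate the note from Chapter 7.1 that several findings can share one cause: the Vulnerability table collapses them into one row with a host count of 2, which is the view to use when deciding what single package update removes the most findings.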

7.3. Filtering a Report

Since a report often contains many findings, either the complete report or only filtered results can be displayed.

The grid overview or table overview of a report (see Chapter 7.2) can be filtered as follows:

  1. Select Scan Management in the menu panel.

  2. Click on the total number of reports in the column Reports.

    → The overview of all reports of a task is opened.

  3. In the row of the desired report click the file icon.

  4. Select the register Grid Overview or Table Overview.

  5. Click Filter +.

  6. For Quality Of Detection Range (QoD) and Severity set the minimal and maximal values using the sliders (see Fig. 7.7).

    _images/report_filter.png

    Fig. 7.7 Adjusting the filter for the report

  7. For Solution select the buttons of the desired solution types.

    Tip

    The selected solution types are highlighted by a border.

  8. For Port, Host, Hostname and Operating System select the ports, hosts, host names and operating systems in the drop-down lists for which the found results should be displayed.

  9. Click Apply.
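The filter dialog described in steps 6 to 8 combines a QoD range, a severity range, a set of solution types and sets of ports, hosts, host names and operating systems; the default QoD lower bound of 70 % from Chapter 7.2.3 is what hides lower-confidence detections until the slider is moved. The following is an added example, not code from the GCS or the Greenbone documentation, that applies the same criteria to an exported result list and returns it in grid-overview order (highest severity first). The record layout, the host names and the findings are constructed for the example; the real export schema is not shown on this page.

```python
from dataclasses import dataclass, field

# Constructed sample results (hypothetical hosts and findings, not a real GCS export).
# The third entry has a QoD of 30 %, so the default filter hides it.
RESULTS = [
    {"name": "OpenSSH < 8.0 multiple vulnerabilities", "severity": 7.8, "qod": 80,
     "host": "192.0.2.10", "port": "22/tcp", "hostname": "web1.example.test",
     "os": "Linux", "solution": "Official Fix"},
    {"name": "TLS 1.0 enabled", "severity": 5.3, "qod": 98,
     "host": "192.0.2.10", "port": "443/tcp", "hostname": "web1.example.test",
     "os": "Linux", "solution": "Risk Reduction"},
    {"name": "Possible SMBv1 exposure", "severity": 6.5, "qod": 30,
     "host": "192.0.2.20", "port": "445/tcp", "hostname": "fs1.example.test",
     "os": "Windows", "solution": "Temporary Fix"},
    {"name": "HTTP server banner disclosure", "severity": 0.0, "qod": 80,
     "host": "192.0.2.20", "port": "80/tcp", "hostname": "fs1.example.test",
     "os": "Windows", "solution": "Temporary Fix"},
]


@dataclass
class ReportFilter:
    """The criteria of the report filter dialog. An empty set means 'no restriction'."""
    qod_min: int = 70          # page default: only QoD >= 70 % is displayed
    qod_max: int = 100
    severity_min: float = 0.0  # 0.0 keeps Log results; raise it to hide them
    severity_max: float = 10.0
    solutions: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)
    operating_systems: set = field(default_factory=set)

    def matches(self, r):
        # Range criteria (the two sliders).
        if not self.qod_min <= r["qod"] <= self.qod_max:
            return False
        if not self.severity_min <= r["severity"] <= self.severity_max:
            return False
        # Membership criteria (solution buttons and the drop-down lists).
        for key, allowed in (("solution", self.solutions), ("port", self.ports),
                             ("host", self.hosts), ("hostname", self.hostnames),
                             ("os", self.operating_systems)):
            if allowed and r[key] not in allowed:
                return False
        return True


def apply_filter(results, flt):
    """Return the matching results sorted from highest to lowest severity,
    the order the grid overview uses."""
    return sorted((r for r in results if flt.matches(r)),
                  key=lambda r: r["severity"], reverse=True)


def names(results):
    return [r["name"] for r in results]


if __name__ == "__main__":
    print("default filter:", names(apply_filter(RESULTS, ReportFilter())))
    print("QoD slider at 0:", names(apply_filter(RESULTS, ReportFilter(qod_min=0))))
    print("only 192.0.2.20:", names(apply_filter(RESULTS, ReportFilter(hosts={"192.0.2.20"}))))
    print("Official Fix only:", names(apply_filter(RESULTS, ReportFilter(solutions={"Official Fix"}))))
```

Lowering the QoD bound brings the SMBv1 result into view at the price of a higher false-positive rate, which is the trade-off the page describes; a practitioner reviewing a host that is believed patched would typically look at the low-QoD results once, then confirm or dismiss them on the host itself rather than leave the bound lowered permanently.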

7.4. Exporting a Report

A report can be exported in various formats:

Executive Report (PDF or JSON)

This report contains general information about the scan and lists of hosts sorted by severity.

Technical Report (PDF or JSON)

This report contains general information about the scan as well as about the scanned hosts and details for each found vulnerability.

OpenVAS XML

A report can be exported as follows:

  1. Select Scan Management in the menu panel.

  2. Click on the total number of reports in the column Reports.

    → The overview of all reports of a scan is opened.

  3. In the row of the desired report click the download icon for Executive PDF or Technical PDF.

  4. Save the report by clicking OK.

    or

  1. Select Scan Management in the menu panel.

  2. Click on the total number of reports in the column Reports.

    → The overview of all reports of a scan is opened.

  3. In the row of the desired report click the file icon.

  4. Select the register Grid Overview or Table Overview.

  5. Select the desired report format in the drop-down list Download (see Fig. 7.8).

  6. Click the slider Anonymized if IP addresses should be anonymized in the downloaded report.

    _images/report_export.png

    Fig. 7.8 Exporting a report

  7. Click the download icon.

  8. Save the report by clicking OK.

7.5. Notifications for Reports

Notifications can be sent regularly as a summary of scans or when a report is complete (see Chapter 5.4).