
Feature request: additional meta tags

Open kerrymilan opened this issue 2 years ago • 6 comments

  • Add a {todo} tag. This tag should not display in the rendered report, but should be used to indicate in the review status or report overview page that the section requires attention.
  • Add tags for {findings.criticalCount} and {findings.highCount} for use in summary sections. Optionally scope to a specific finding group or finding type.

kerrymilan avatar Sep 26 '22 13:09 kerrymilan

Hi @kerrymilan,

I have started working on this over here: https://github.com/thejohnbrown/writehat/commit/129cc1a23c2b6e165672692fed2b023c0601f9d1 (branch: https://github.com/thejohnbrown/writehat/tree/additional-meta-tags). I have so far implemented new tags for cvss and dread (total, info, low, medium, high and critical), proactive total and grand total per severity.

I'm trying to think of a good way to approach tags for individual finding groups at the moment. I was hoping to build the user_context dictionary dynamically based on the name of the finding group; however, as we can have duplicate finding group names, this isn't possible. Any thoughts? My only idea so far is just numbering the groups 1, 2, 3, etc. and then accessing them through a tag like findings.1.criticalTotal.

thejohnbrown avatar Jan 09 '23 14:01 thejohnbrown

I've implemented scoping to finding groups over here: https://github.com/thejohnbrown/writehat/tree/additional-meta-tags. I approached this how I said above, giving each finding group inside the engagement a sequential ID starting from 1 according to the order they appear on the engagement overview page. For example, if you had 3 finding groups and wanted to get a total count of the vulnerabilities in finding group 2, you would use the meta tag { findings.group.2.totalcount }. I haven't implemented the TODO meta tag, but the second bullet point is done, so I'm happy to make a PR.

thejohnbrown avatar Jan 11 '23 08:01 thejohnbrown

Any update on this?

thejohnbrown avatar May 23 '23 08:05 thejohnbrown

yo, just got around to taking a look at your implementation. I have been wanting this feature for quite some time, so I would love to get a pull request going.

The main thing I noticed was that when there are no findings of a specific type or severity, it should default to a 0 value rather than being nothing, as can be seen in the following screenshot:

default_should_be_0

TMDeal avatar May 25 '23 15:05 TMDeal

Good point. I'll make that change and create a PR this week.

thejohnbrown avatar May 30 '23 07:05 thejohnbrown

I have made a PR here https://github.com/blacklanternsecurity/writehat/pull/93. The issue with it not displaying '0' has also been fixed.

If you're wondering why the branch name is different, it's because I had to create a new one as git did some weird stuff.

thejohnbrown avatar Jun 01 '23 16:06 thejohnbrown
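
The scheme discussed in this thread (finding groups numbered from 1 in display order because names can repeat, and counts that default to 0) can be sketched as follows. This is an added example, not code from WriteHat or the linked branch; the per-severity tag names, the case-insensitive lookup, the sample groups, and the `build_context`/`render` helpers are assumptions made for illustration.

```python
import re
from collections import Counter

SEVERITIES = ("info", "low", "medium", "high", "critical")

# Constructed sample data: two groups share a name, which is why group
# names cannot serve as context keys and sequential IDs are used instead.
GROUPS = [
    ("External", ["critical", "high", "high"]),
    ("Internal", ["medium"]),
    ("External", []),  # empty group: every count must still render as 0
]

def build_context(groups):
    """Map tag names to counts; groups are numbered from 1 in display order."""
    ctx = {}
    overall = Counter()
    for gid, (_name, severities) in enumerate(groups, start=1):
        counts = Counter(severities)
        overall.update(counts)
        for sev in SEVERITIES:
            # Counter returns 0 for a missing key, so every tag is defined.
            ctx[f"findings.group.{gid}.{sev}count"] = counts[sev]
        ctx[f"findings.group.{gid}.totalcount"] = sum(counts.values())
    for sev in SEVERITIES:
        ctx[f"findings.{sev}count"] = overall[sev]
    ctx["findings.totalcount"] = sum(overall.values())
    return ctx

# Hypothetical tag syntax: braces with optional inner whitespace.
TAG = re.compile(r"\{\s*([A-Za-z0-9_.]+)\s*\}")

def render(text, ctx):
    """Replace known tags with counts; leave unknown tags visible."""
    def substitute(match):
        key = match.group(1).lower()  # assumption: tags are case-insensitive
        return str(ctx[key]) if key in ctx else match.group(0)
    return TAG.sub(substitute, text)

if __name__ == "__main__":
    context = build_context(GROUPS)
    print(render("Group 2 total: { findings.group.2.totalcount }", context))
    print(render("Group 3 critical: {findings.group.3.criticalCount}", context))
```

Leaving an unrecognised tag in the output, rather than rendering it as an empty string, makes a mistyped group number visible when the report is reviewed.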