Finding fields

This article provides an overview of all of the information that can be recorded and displayed for a finding when it is ingested into Nucleus. If you are unfamiliar with what a finding is, we recommend reading the article Findings and their properties for an overview of the finding entity.

Categories of data

The Nucleus normalized finding schema allows for the flexible representation of every piece of relevant information identified by a security scanning tool at a point in time. This information is extracted from the security scanning tool and transformed into the most appropriate finding field in Nucleus.

Each of these fields falls into one of the following categories:

  1. Common Definition fields - Information that is the same for all instances of this finding in this scan type, such as the finding’s name and description. These fields are applicable for any finding type.

  2. Common Instance fields - Information that is specific to a finding instance. These fields are also applicable for any finding type.

  3. Type-specific fields - Information that is only recorded and available for particular finding types.

When a point-in-time scan or snapshot of vulnerability data is downloaded, normalized and ingested into Nucleus, each mapped finding instance is further attributed to a particular scan event (also referred to as an assessment, or simply scan) and asset. These topics are outside the scope of this article.

Common Definition Fields

Each finding instance contains the following information for the finding’s definition. The values of all of these fields are the same across each instance of the same unique finding:

| Field | Description |
| --- | --- |
| Scan Type | The name of the security scanning tool. For example, QUALYS, NESSUS, etc. |
| Finding Type | The type of this finding: vulnerability, compliance or vuln-compliance. |
| Name | A short name that describes the finding. |
| Description | A long form description of the finding. This can be adjusted within Nucleus. |
| Recommendation | A generic recommendation for how to resolve this finding. This field does not contain instance-specific remediation information, which is instead included in the instance fields. This can be adjusted within Nucleus. |

Each finding definition is assigned a unique, case-insensitive identifier within the scan type, called a finding number. This field is not available in the UI but is included in API responses and data exports to identify uniqueness.

Common Instance Fields

Each finding instance can contain the following information:

| Field | Description |
| --- | --- |
| Severity | A criticality rating for this finding. The allowed values are Critical, High, Medium, Low and Informational. This is normalized from the security scanning tool but can be adjusted within Nucleus. |
| Output | Unstructured output about this finding instance from the security scanning tool. Often this field contains various instance-specific information generated by the source tool that can be used for further understanding the finding instance and remediating it. |
| References | Structured output from the security scanning tool (key-value pairs). Often this is used to store additional reference or metadata information, such as tool-specific keys and values. |
| Package | The software package or dependency that is affected by this finding. This will not be set unless it is relevant to the finding. |
| Package Version | The software package or dependency version that is affected by this finding. This is only set when the Package is also set, and even then it may not be included. |
| Package Version Fixes | The versions of the software package or dependency where this vulnerability was fixed. This is only set when the Package is also set, and even then it may not be included. |
| Path | The path to the issue on this finding. This is flexibly used for different situations, such as paths on disk, URL paths, code paths, etc. |
| Port | The TCP or UDP port that this finding is present on. This is typically only present for network-based scans and is accompanied by the service. |
| Service | The identified service running on the port that this finding is present on. |

Finding instances also store the following situational information:

| Field | Description |
| --- | --- |
| Discovered | The date and time when the finding instance was first discovered by the security scanning tool. If this information is unavailable, it falls back to being the date and time of the first scan that this finding instance was seen in Nucleus. |
| Last Seen | The last date and time that Nucleus saw this finding instance in a scan file. |
| Last Found | The last date and time this finding was found by the security scanning tool. This will be the same as Last Seen unless the source tool provides a different value for when it was found. |

Each finding instance is assigned a unique, case-insensitive identifier called a finding justification key. This identifier is unique within a given scan type, finding number and asset. For example, two finding instances may exist at the same time with the same scan type and finding number so long as the asset that the instance is on is different.

In data exports, this field is concatenated with the scan type, finding number and asset id to become the finding instance key, and uniquely identifies the finding instance within your Nucleus project.
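For anyone consuming API responses or data exports, the uniqueness rules above translate into the key handling below. This is an added example, not Nucleus code: the record field names and sample values are constructed, and the tuple key is this example's own rather than the concatenated format Nucleus exports.

```python
from datetime import datetime

# Constructed sample records; field names are hypothetical, not Nucleus export columns.
SAMPLE = [
    {"scan_type": "NESSUS", "finding_number": "12345", "asset_id": 101,
     "justification_key": "tcp/443", "last_seen": "2024-03-01T10:00:00"},
    # Same instance as above, differing only in letter case.
    {"scan_type": "nessus", "finding_number": "12345", "asset_id": 101,
     "justification_key": "TCP/443", "last_seen": "2024-03-08T10:00:00"},
    # Same definition on a different asset: a separate instance.
    {"scan_type": "NESSUS", "finding_number": "12345", "asset_id": 202,
     "justification_key": "tcp/443", "last_seen": "2024-03-02T10:00:00"},
    # Same finding number under another scan type: a separate definition.
    {"scan_type": "QUALYS", "finding_number": "12345", "asset_id": 101,
     "justification_key": "tcp/443", "last_seen": "2024-03-03T10:00:00"},
]

def definition_key(rec):
    """Identity of a finding definition: finding number within a scan type."""
    return (rec["scan_type"].casefold(), str(rec["finding_number"]).casefold())

def instance_key(rec):
    """Identity of a finding instance: definition + asset + justification key."""
    return definition_key(rec) + (str(rec["asset_id"]),
                                  rec["justification_key"].casefold())

def collapse_instances(records):
    """Merge records naming the same instance, keeping the newest last_seen."""
    merged = {}
    for rec in records:
        key = instance_key(rec)
        seen = datetime.fromisoformat(rec["last_seen"])
        if key not in merged or seen > merged[key]["last_seen"]:
            merged[key] = {**rec, "last_seen": seen}
    return merged

def instances_per_definition(records):
    """Count distinct instances under each finding definition."""
    counts = {}
    for key in collapse_instances(records):
        counts[key[:2]] = counts.get(key[:2], 0) + 1
    return counts

if __name__ == "__main__":
    for key, rec in collapse_instances(SAMPLE).items():
        print(key, rec["last_seen"].isoformat())
```

Comparing these identifiers case-sensitively in a downstream store would split the first two sample records into two instances and inflate open-finding counts.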

Type Specific Fields

The following information may also be recorded on the finding instance, depending on the finding type:

| Finding Type | Field Type | Field | Description |
| --- | --- | --- | --- |
| Vulnerability | Definition | Exploitable | Whether or not the vulnerability is exploitable. This is taken from the security scanning tool but can be adjusted within Nucleus. |
| Vulnerability | Definition | CVE | A list of CVEs related to this vulnerability. For some connectors, this will also include identified CWEs. |
| Vulnerability | Definition | IAVA | A list of IAVAs related to this vulnerability. This is currently only provided by Tenable (Nessus engine powered) and Rapid7 InsightVM. |
| Vulnerability | Definition | CVSS Score | The CVSS Score provided by the scanner. This will be the score for the most recent CVSS version that is provided. |
| Compliance | Definition | Compliance Frameworks & Policies | A list of compliance frameworks and policy ids that this compliance check is applicable to. |
| Compliance | Instance | Result | Whether or not the check passed, failed or had a warning. |