
Nucleus to PCI Technical ASV Report


Overview

This article describes each part of a PCI ASV technical report and where Nucleus sources that information. Many of these fields are populated based on the actions you take within Nucleus.

Technical Report Fields

Scan Customer Information

This comes from the client's organization information from Step 1 of the PCI report workflow. Change this by editing the Organization Information for that client.

Approved Scanning Vendor Information

This comes from the Master Org Information from Step 1 of the PCI Report Workflow. Edit this by editing your organization's details.

Scan Status

Date Scan Completed

Calculated automatically from the latest scan date of each in-scope asset. The earliest of those latest scan dates is used.

Scan Expiration Date

Automatically calculated as 90 days after the "Date Scan Completed" field.

Compliance Status

Marked as failed if any in-scope asset has a vulnerability of medium severity or higher.

Scan Report Type

Static field

Number of Unique in-scope components scanned

Automatically calculated based on vuln scan results.

Number of identified failing vulnerabilities

Automatically calculated based on vuln scan results.

Out of Scope # of Components

Calculated based on the number of assets in the Nucleus project with the "Compliance Scope" attribute marked as "No".
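The Scan Status calculations described above, sketched as an added example (this is not Nucleus code or its API). The `Asset` record, the severity names other than medium, the "Pass" label, and the error raised for in-scope assets with no scan are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed severity scale, lowest to highest; the article only names "medium".
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]
FAILING_RANK = SEVERITY_ORDER.index("medium")

@dataclass
class Asset:  # hypothetical record, not a Nucleus API object
    name: str
    in_scope: bool      # "Compliance Scope" attribute: Yes (True) / No (False)
    scan_dates: list    # date of every scan that covered this asset
    severities: list = field(default_factory=list)  # one entry per finding

def scan_status(assets):
    in_scope = [a for a in assets if a.in_scope]
    if not in_scope:
        raise ValueError("no in-scope assets")
    unscanned = [a.name for a in in_scope if not a.scan_dates]
    if unscanned:  # assumption: treat a never-scanned in-scope asset as an error
        raise ValueError(f"in-scope assets never scanned: {unscanned}")
    # Latest scan per asset, then the earliest of those: the report is only
    # as fresh as its least recently scanned in-scope asset.
    completed = min(max(a.scan_dates) for a in in_scope)
    failing = any(SEVERITY_ORDER.index(s.lower()) >= FAILING_RANK
                  for a in in_scope for s in a.severities)
    return {
        "date_scan_completed": completed,
        "scan_expiration_date": completed + timedelta(days=90),
        "compliance_status": "Fail" if failing else "Pass",
        "in_scope_components": len(in_scope),
        "out_of_scope_components": len(assets) - len(in_scope),
    }

# Constructed sample data (not real scan results).
SAMPLE = [
    Asset("web01", True, [date(2024, 1, 10), date(2024, 3, 2)], ["Low"]),
    Asset("db01", True, [date(2024, 2, 14)], ["Medium", "Informational"]),
    Asset("lab07", False, [date(2023, 11, 1)], ["Critical"]),
]

if __name__ == "__main__":
    for key, value in scan_status(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, `db01` sets the completion date even though `web01` was scanned more recently, and the critical finding on the out-of-scope `lab07` does not affect the status.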

Scan Customer Attestation

Pre-filled paragraph whose fields are populated from the Organization data from Step 1 of the PCI workflow.

ASV Attestation

Pre-filled paragraph populated from the Master Organization data from Step 1 of the PCI workflow.

Part 1 Scan Information

Populated automatically based on Org Data.

Part 2 Vulnerability Details

Populated from the Active Vulnerability List in Nucleus. This is a list of all vulnerabilities for each asset, along with associated details.

  • Asset: The asset which the vulnerability affects.
  • Services: List of all ports and services detected on the asset. Populated automatically from scan results.
  • Findings: The list of findings affecting this asset. Each finding has its own table with all associated information:
    • Title - The name of the vulnerability in Nucleus.
    • Target - The affected asset.
    • Base CVSS Score - CVSS score for this vulnerability, if applicable, populated from scan results.
    • CVSS Vector - CVSS Vector, if applicable. Populated from scan results.
    • Risk - Severity attribute of the vulnerability. Populated from the Nucleus Active Vulnerability List.
    • Description - The description of the vulnerability, populated automatically from scan results.
    • Suggestion - Solution on how to fix the vulnerability, populated automatically from vuln scan results.
    • Reference - References that pertain to the vulnerability. Populated automatically from vulnerability scan results.
    • Output - Specific output of the finding on that asset, populated automatically from the vulnerability scan results.
    • Compliance Status - Automatically a Fail unless the vulnerability was marked as a False Positive, Mitigated via Compensating Control, or Accepted Risk in the Nucleus Active Vulnerability List.

Each asset lists all the vulnerabilities that affect it, and each vulnerability carries its full details for that asset. Most of these fields populate automatically, which should make reporting for PCI ASV technical reports much easier!

Those are all the relevant fields in the PCI Technical report.

If you have any questions, please contact us through the support center.