
Editing vulnerabilities and adding security standards in Invicti Standard

This document is for:
Invicti Standard

The Vulnerability Editor allows you to modify vulnerability details, such as description, name, severity, and impact. You can also edit or assign classifications to vulnerabilities, including CVSS, OWASP, PCI, and other security standards. These changes are applied to custom report policies that you attach when running a scan and they affect your scan result report.

This document explains how to edit vulnerabilities and add security standards to vulnerabilities.

How to edit vulnerability details with the Vulnerability Editor

  1. Select Report Policy Editor from the Home tab.

  2. Click on the policy you want to amend to select it.

  3. In the column on the left, use the Search field or scroll down to find the vulnerability you want to edit, select it by clicking on it, then click Edit to open the Vulnerability Editor.

  4. In the Vulnerability Editor window that opens, make changes to any of the following fields:
     1. Description: Name of the vulnerability.
     2. Type: This field is read-only and identifies the type of vulnerability.
     3. Severity: This defines the importance of the vulnerability. For more information, refer to Vulnerability Severity Levels.

BE CAUTIOUS: Changing an SQL injection severity to "Best Practice" might cause you to miss critical issues in your web application.

     4. Signature Type: Determines how Invicti reports identified vulnerabilities. The drop-down options are:
     • Active: Used for active attacks where Invicti sends an attack payload to identify vulnerabilities. Invicti reports the vulnerability each time it is identified. For example, if an SQL Injection is found on ten different web pages, Invicti reports it on all of those web pages.
     • Passive: Used for passive attacks where Invicti analyzes responses to identify vulnerabilities. Invicti reports the vulnerability each time it is identified. For example, if a Microsoft Outlook Personal Folders File (.pst) is found on ten different web pages, Invicti reports it on all of those web pages.
     • Groupable: Limits the number of times a vulnerability is reported. The default value is 10. For example, if SQL Injection is set to Groupable, Invicti reports it on at most 10 web pages, even if it is found on more.
     • Unique: Reports a vulnerability only once. For example, if SQL Injection is set to Unique, Invicti reports it only one time, however many pages it is found on.
     5. Order: This sets the priority for listing vulnerabilities identified by Invicti. The drop-down options are:
     • Confirmed: Invicti verified the vulnerability with Proof-Based Scanning.
     • Probable: There is a high possibility of a vulnerability. Probable vulnerabilities are very rare in Invicti, applicable mainly to Probable SQLi and Probable LFI vulnerabilities.
     • Possible: The vulnerability was identified but not confirmed. In these cases, Invicti assigns a certainty value.
     • Inactive
     6. Impacts: This defines the impact of the vulnerability. You can select one or more built-in impacts for the vulnerability identified by Invicti. The impact message is displayed in scan reports.
     7. Retestable: This indicates whether the issue is eligible for retesting. For more information, refer to Managing Issues.
     8. Show Attack Pattern: This determines whether Invicti displays the attack pattern within the scan reports.
     9. Hidden: This determines whether the vulnerability appears in your custom report. If selected, Invicti removes the vulnerability from the custom report policy list, so it is not reported.
     10. Enabled: This determines whether Invicti performs a security check for a vulnerability. When selected, Invicti verifies whether the vulnerability exists in your system; when cleared, the check is not run at all.
     11. Firewall Compatible: This indicates that Invicti can include this vulnerability in the Web Application Firewall Rules report. For additional details, refer to the ModSecurity WAF Rules Report and F5 BIG-IP ASM WAF Rules Report.

  5. Click OK.

NOTE: Your changes will only apply to new scans. To see these changes in reports, you must run new scans using the custom report policy you edited.
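The Signature Type, Hidden and Enabled settings decide how many instances of a finding reach the report, which is the reviewer's main concern when tuning a policy: a Groupable or Unique setting silently caps the listed pages. The following Python model is an added example, not Invicti code and not an Invicti API; the PolicyEntry fields, the apply_report_policy function and the findings are all constructed here to show the counting behaviour described above (and to surface how many instances a policy setting suppressed).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of one report-policy entry. The field names mirror the
# Vulnerability Editor fields on this page; the Python names are hypothetical.
@dataclass
class PolicyEntry:
    signature_type: str      # "Active", "Passive", "Groupable" or "Unique"
    enabled: bool = True     # cleared: the security check is never run
    hidden: bool = False     # checked: removed from the custom report policy
    group_limit: int = 10    # cap used by Groupable; the editor's default is 10


def apply_report_policy(policy: Dict[str, PolicyEntry],
                        findings: List[Tuple[str, str]]
                        ) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Return the (name, url) findings that would be listed in the report and,
    per vulnerability name, how many raw instances the policy dropped."""
    reported: List[Tuple[str, str]] = []
    suppressed: Dict[str, int] = {}
    already_listed: Dict[str, int] = {}
    for name, url in findings:
        entry = policy.get(name)
        # Hidden entries are not reported; disabled checks never produce a
        # finding in a real scan, so they are counted as dropped here too.
        if entry is None or not entry.enabled or entry.hidden:
            suppressed[name] = suppressed.get(name, 0) + 1
            continue
        if entry.signature_type == "Unique":
            cap = 1                      # reported once, whatever the page count
        elif entry.signature_type == "Groupable":
            cap = entry.group_limit      # reported on at most group_limit pages
        else:                            # Active / Passive: every instance
            cap = None
        listed = already_listed.get(name, 0)
        if cap is not None and listed >= cap:
            suppressed[name] = suppressed.get(name, 0) + 1
            continue
        already_listed[name] = listed + 1
        reported.append((name, url))
    return reported, suppressed


def demo() -> Tuple[int, Dict[str, int]]:
    """Constructed findings: 12 SQLi pages, 3 .pst files, 2 version banners,
    2 missing-header pages under a policy that caps or hides some of them."""
    policy = {
        "SQL Injection": PolicyEntry("Groupable"),            # default cap 10
        "Outlook PST File": PolicyEntry("Passive"),
        "Version Disclosure": PolicyEntry("Unique"),
        "Missing Security Header": PolicyEntry("Passive", hidden=True),
    }
    findings = [("SQL Injection", f"/app/page{i}") for i in range(12)]
    findings += [("Outlook PST File", f"/backup/mail{i}.pst") for i in range(3)]
    findings += [("Version Disclosure", f"/v{i}") for i in range(2)]
    findings += [("Missing Security Header", f"/static/{i}") for i in range(2)]
    reported, suppressed = apply_report_policy(policy, findings)
    return len(reported), suppressed


if __name__ == "__main__":
    listed, dropped = demo()
    print(f"listed {listed} findings; suppressed per name: {dropped}")
```

Running demo() lists 14 findings (10 SQLi pages, all 3 .pst files, one version banner) and reports that 2 SQL Injection instances, 1 Version Disclosure instance and both hidden header findings were dropped, which is exactly the information a reviewer needs before trusting a report built from a Groupable or Unique policy.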

How to add security standards to vulnerabilities

The column on the right-hand side in the Report Policy Editor allows you to edit or assign OWASP, PCI, CVSS, and other security standards or classifications. The example below shows how to add the CVSS 4.0 value to a vulnerability.

  1. Use the Search field or scroll down to find the vulnerability you want to edit and select it by clicking on it.

  2. In the Classification column, scroll down to find the security standard you want to add or amend.

  3. All security standards are entered manually except for CVSS 3.0, 3.1, and 4.0. To configure these, select Base metric values from the drop-down fields.

  4. Click OK at the bottom of the screen to save your changes and close the Vulnerability Editor window.

NOTE: The changes will only apply to new scans. To see these changes in reports, you must run new scans using the custom report policy you edited.