[Feature Request] Add support to finding retesting, custom enums to findings and Status

[pimps]

Is your feature request related to a problem? Please describe.
The app doesn't support retesting at the moment. Also, the finding status is only used for keeping status of finding writing with "requires editing" and "ready".

Describe the solution you'd like

• Add more status to the finding like "Open", "Fixed/Closed", "Risk Accepted".
• Add another rich text field on the finding for retesting notes.
• Add the ability to insert custom enums in the finding templates and/or custom rich text fields. For example, the ability to add Likelihood and Technical Impact (That are basically enums). This is useful for teams that use custom score rating instead of CVSS. Adding the ability to insert custom rich text fields in the report would likely make the tool capable to handle any kind of scenario related to templating.

Describe alternatives you've considered
Unfortunately there is no alternatives to use to cover this request.

Additional context
Teams usually needs to perform retesting on findings. Adding support to this in ghostwriter would be awesome. Additionally, adding the ability to include custom enums and rich text fields to findings in an easy way would help teams to easily adapt templating.

[Cave-Johnson]

I'd like to +1 this. Especially the ability to use rating / scoring methods other than CVSS and severity.

[cccaaasser]

I like this finding tracking idea.

[KomodoGal]

+1 to both, especially the custom enums

[KomodoGal]

I found a work around, in my case we use "Severity", "Impact" and "Probability", I was able to insert "Impact" and "Probability" in the "CVSS vector" field like this: High;Low (Impact;Probability) then in the template I separate them and through a bunch of if statements you can get formatted text:

Impact: {% set im = finding.cvss_vector.split(‘;’)[0] %}{% if ‘Cri’ in im %}Critical{% elif ‘High’ in im %}High{% elif ‘Med’ in im %}Medium{% elif ‘Low’ in im %}Low{% else %}Informational{% endif %}
Probability: {% set pr = finding.cvss_vector.split(‘;’)[-1] %}{% if ‘Cri’ in pr %}Critical{% elif ‘High’ in pr %}High{% elif ‘Med’ in pr %}Medium{% elif ‘Low’ in pr %}Low{% else %}Informational{% endif %}

(All the strings between the if statements are formatted to your liking)
I was not able to insert more than 3 fields into the CVSS vector field. Every time I would try to reference a higher index the template will fail. You can use pop(0) to get another field

[chrismaddalena]

Thanks for sharing!

[ArgentEnergy]

+1 for having custom fields.

My work is currently using host_detection as a finding category (Input Validation, Authentication, etc...), network_techniques for difficulty of exploit (Low, Medium, and High), replication_steps as finding status (OPEN, CLOSED, ACCEPTED), and affected_entities as our finding evidence.

Right now we have to manually update an executive summary page and retest notes for findings.

Another couple features not mentioned here that would be nice:

• Easier way to integrate chart generation
• A new page that allows users to search for report findings by different criteria (date, evidence text, tester that found the finding, finding title). For example, show me all high and critical findings with the text containing "SAML tampering" found by Bob in 2022.

We use pandas with matplotlib to generate custom charts that are then embedded in the report automatically from Ghostwriter. I had to modify the reportwriter.py and a few other files in the core code for the chart integration.

@chrismaddalena For reference: master...StratumSecurity:Ghostwriter:v3.1.5-custom

[chrismaddalena]

Thanks for sharing your work, @ArgentEnergy!

[MoJo1760]

+1 for a remediation testing flag

[github-actions]

This issue has been labeled as stale because it has been open for 30 days with no activity.

[github-actions]

This issue is closed because it has been inactive for 14 days since being labeled stale. Feel free to re-open the issue with a comment. If this needs further discussion (e.g., a feature request), it might be better to open a topic under the Discussions tab.

[chrismaddalena]

Does the custom fields feature address this for you @pimps @KomodoGal @ArgentEnergy? You can add a boolean field to flag a finding for remediation testing or add fields for other things.

The only thing you can't do is have a custom select box for selecting pre-determined strings. Issue #477 is tracking that. I don't know if we can do it, but it is tracked as a possibility on the road map.

Other things are mentioned here, like charts, but I'd like to know if custom fields cover the basic remediation testing feature.

[ArgentEnergy]

I haven't been using the custom fields for the retest status as we've been using replication_steps from the earlier versions, which is already a text field. My hope was to move it over to a custom field that had predefined values using a dropdown so it's less error-prone for a user and have it default to the open status.