Snapshots are an aggregation of issues at a point in time, normally monthly, giving the count of Critical, High, Medium, Low and Informational issues broken down by the following keys:
- Application Name (saltminer.asset.id)
- Version Name (saltminer.asset.version_id)
- Source Type (saltminer.asset.source_type)
- Assessment Type (vulnerability.scanner.assessment_type)
- Issue Name (vulnerability.name)
Indices #
Currently the following indices are created as part of the snapshot processing.
Index | Description |
---|---|
snapshots_app_fortify_history | Index based on Fortify SSC and FOD data, which carry a Found Date and a Removed Date from which some historical information can be inferred. Not a true snapshot, but as close to reality as can be generated from the information Fortify provides. |
Snapshot fields #
Field | Description |
---|---|
vulnerability.source_severity | Severity of the issue as reported by the source; may be source-specific. Required: No. Type: keyword. Engagement: Visible, same as Severity, Required. Example: Best Practice |
saltminer.snapshot_date | Date the snapshot represents, typically either the 15th (mid month) or the current date. Required: Yes. Type: DateTime. Example: 2020-12-28T22:42:19.165783 |
vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall); see the Qualys vulnerability categories. This field must be an array. Type: keyword. Engagement: Not used, hard coded to Application. Note: Application is the most common value for SaltMiner, but some scanners may provide different values. Example: ["Application"] |
vulnerability.classification | The classification of the vulnerability scoring system, for example CVSS (https://www.first.org/cvss/). ECS field; used at some customers for export to external systems, and for SSC it comes from a linked rules datasource. May need to be a list instead of a single value. Type: keyword. Engagement: Not used. Example: CVSS |
vulnerability.name | Name or short description of the issue. Required: Yes. Type: keyword (with .text subfield). Engagement: Visible, Required. Example: SQL Injection |
vulnerability.severity | Severity of the issue: Critical, High, Medium or Low. Type: keyword. Engagement: Visible, Required. Example: Critical. Open question: what other factors (impact, likelihood, etc.) should be included when considering risk, and should there be a risk score? |
saltminer.critical, saltminer.high, saltminer.medium, saltminer.low, saltminer.info | System generated fields holding the count of issues of each severity for each aggregated group. |
vulnerability.scanner.assessment_type | Scan assessment type. Must be one of SAST, DAST, OSS, PENTEST. Required: Yes. Type: keyword. Engagement: Visible, Optional. Example: SAST |
vulnerability.scanner.product | Product used to run the scan, for example SCA, FOD or WebInspect. Required: Yes. Type: keyword. Engagement: Visible, Optional. Example: SCA |
vulnerability.scanner.vendor | Vendor of the scanner used to identify this issue, for example Fortify, FOD or Checkmarx. Required: Yes. Type: keyword. Engagement: Visible, Optional. Example: Fortify |
vulnerability.score.base | CVSS base score, 0.0 to 10.0 with 10.0 the most severe. Base scores cover the exploitability metrics (attack vector, complexity, privileges, and user interaction), the impact metrics (confidentiality, integrity, and availability), and scope; see the CVSS v3.1 Specification Document. ECS field. Required: No. Type: float. Engagement: Not used. Example: 5.5 |
vulnerability.score.environmental | CVSS environmental score, 0.0 to 10.0 with 10.0 the most severe. Environmental scores cover any modified Base metrics plus the confidentiality, integrity, and availability requirements; see the CVSS v3.1 Specification Document. ECS field. Required: No. Type: float. Engagement: Not used. Example: 5.5 |
vulnerability.score.temporal | CVSS temporal score, 0.0 to 10.0 with 10.0 the most severe. Temporal scores cover exploit code maturity, remediation level, and report confidence; see the CVSS v3.1 Specification Document. Type: float. Engagement: Not used. |
vulnerability.score.version | Version of the CVSS specification the scores follow. ECS description: the National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization whose mission is to help computer security incident response teams across the world; see NVD – Vulnerability Metrics. Type: keyword. Engagement: Not used. Example: 2.0 |
Source specific attributes | |
saltminer.source.analyzer | Source-specific analyzer that reported the issue (for Fortify SCA, the analyzer name, such as Semantic or Configuration). Required: No. Type: keyword. Example: Semantic |
saltminer.source.kingdom | Source-specific kingdom for this issue (for Fortify, one of the Seven Pernicious Kingdoms). Required: No. Type: keyword. Example: Encapsulation |
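As an added illustration (not SaltMiner's own code), the following Python rolls issue documents up into snapshot documents at exactly the grouping level listed at the top of this page and fills the system generated saltminer.critical/high/medium/low/info counters described in the field table. The asset id "app-1", the version ids and the issue documents are constructed sample data, and rejecting assessment_type and severity values outside the lists on this page is an assumption about how a loader should behave, not a documented SaltMiner check.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Aggregation level from the page, as paths into the nested issue document.
GROUP_KEYS = (
    ("saltminer", "asset", "id"),
    ("saltminer", "asset", "version_id"),
    ("saltminer", "asset", "source_type"),
    ("vulnerability", "scanner", "assessment_type"),
    ("vulnerability", "name"),
)
# vulnerability.severity value -> system generated count field under saltminer.
COUNT_FIELD = {
    "Critical": "critical", "High": "high", "Medium": "medium",
    "Low": "low", "Informational": "info",
}
# Allowed assessment types per the field table (validation is our assumption).
ASSESSMENT_TYPES = {"SAST", "DAST", "OSS", "PENTEST"}


def get_path(doc, path):
    """Walk a nested dict, naming the missing field if any step is absent."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            raise ValueError("issue is missing field " + ".".join(path))
        cur = cur[key]
    return cur


def mid_month(dt):
    """Mid-month snapshot date convention from the page: the 15th, at midnight."""
    return dt.replace(day=15, hour=0, minute=0, second=0, microsecond=0)


def build_snapshots(issues, snapshot_date):
    """Roll issue documents up into one snapshot document per group."""
    counts = defaultdict(lambda: {f: 0 for f in COUNT_FIELD.values()})
    for issue in issues:
        key = tuple(get_path(issue, p) for p in GROUP_KEYS)
        if key[3] not in ASSESSMENT_TYPES:
            raise ValueError("unsupported assessment_type: %r" % (key[3],))
        severity = get_path(issue, ("vulnerability", "severity"))
        if severity not in COUNT_FIELD:
            raise ValueError("unsupported severity: %r" % (severity,))
        counts[key][COUNT_FIELD[severity]] += 1

    snapshots = []
    for (app, ver, src, assess, name), sev_counts in sorted(counts.items()):
        snapshots.append({
            "saltminer": {
                "snapshot_date": snapshot_date.isoformat(),
                "asset": {"id": app, "version_id": ver, "source_type": src},
                **sev_counts,
            },
            "vulnerability": {
                "name": name,
                "scanner": {"assessment_type": assess},
                "category": ["Application"],  # always an array, hard coded per the page
            },
        })
    return snapshots


def make_issue(app, ver, src, assess, name, severity):
    """Build a minimal constructed issue document (only the fields used here)."""
    return {
        "saltminer": {"asset": {"id": app, "version_id": ver, "source_type": src}},
        "vulnerability": {"name": name, "severity": severity,
                          "scanner": {"assessment_type": assess}},
    }


# Constructed sample issues; "app-1" and the version ids are made up.
SAMPLE_ISSUES = [
    make_issue("app-1", "1.0", "Fortify", "SAST", "SQL Injection", "Critical"),
    make_issue("app-1", "1.0", "Fortify", "SAST", "SQL Injection", "Critical"),
    make_issue("app-1", "1.0", "Fortify", "SAST", "SQL Injection", "High"),
    make_issue("app-1", "1.0", "Fortify", "SAST", "Cross-Site Scripting", "Medium"),
    make_issue("app-1", "1.0", "Fortify", "SAST", "Cross-Site Scripting", "Informational"),
    make_issue("app-1", "2.0", "Fortify", "SAST", "SQL Injection", "Low"),
]
# Mid-month snapshot date derived from the example timestamp in the field table.
DEMO_AS_OF = mid_month(datetime(2020, 12, 28, 22, 42, 19, tzinfo=timezone.utc))


def demo():
    """Snapshot the sample issues as of mid December 2020."""
    return build_snapshots(SAMPLE_ISSUES, DEMO_AS_OF)


def find(snapshots, name, version_id):
    """Return the saltminer.* block (counts and asset) for one issue/version group."""
    for snap in snapshots:
        if (snap["vulnerability"]["name"] == name
                and snap["saltminer"]["asset"]["version_id"] == version_id):
            return snap["saltminer"]
    return None


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints three snapshot documents: the two SQL Injection findings of severity Critical and one of severity High against version 1.0 collapse into a single document with critical=2 and high=1, while the same issue name against version 2.0 lands in its own document, which is why saltminer.asset.version_id is part of the grouping key.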
Flow down fields #
Inventory Asset #
- saltminer.inv_asset.is_production
- saltminer.inv_asset.name
- saltminer.inv_asset.description
- saltminer.inv_asset.version
- saltminer.inv_asset.attributes
- saltminer.inv_asset.key
Assets #
- saltminer.asset.last_scan-days_policy
- saltminer.asset.config_name
- saltminer.asset.source_type
- saltminer.asset.sub_type
- saltminer.asset.is_retired
- saltminer.asset.version_id
- saltminer.asset.asset_type
- saltminer.asset.host
- saltminer.asset.ip
- saltminer.asset.scheme
- saltminer.asset.port
- saltminer.asset.is_production
- saltminer.asset.name
- saltminer.asset.description
- saltminer.asset.version
- saltminer.asset.attributes