Request - Description of how to add new finding types (in addition to dread and cvss) about writehat HOT 2 CLOSED

Hey @mlinton, glad you're enjoying Writehat!

As I'm sure you've discovered, the process for adding new finding types is a bit involved. We didn't have multiple finding types in mind when we first wrote this part, so it's sorely in need of a refactor. Generally, you can look for occurrences of 'CVSS' or 'DREAD' and mirror what they're doing, but the outline below should give you a rough roadmap.

We split findings into DatabaseFinding (those that are stored as templates in the findings database) and EngagementFinding (those that are specific to an engagement). For each finding type, the fields in DatabaseFinding are a subset of those in EngagementFinding - specifically, those that don't contain customer-specific information.

• Create templates (htmlTemplate, abridgedTemplate, and summaryTemplate) in templates/componentTemplates/
• Add a Model class to lib/finding.py that extends `BaseDatabaseFinding
  • Define formClass and set a unique scoringType
  • Specify the new type's HTML templates (htmlTemplate, abridgedTemplate, and summaryTemplate). summaryTemplate should be reusable but the other two are type-specific.
  • Implement properties for score and severity
  • Add your new class to BaseDatabaseFinding::get_child()
• Add three Form classes to lib/findingForm.py
  • FooForm, extending FindingForm
  • FooDatabaseFindingForm, extending FooForm
  • FooEngagementFindingForm, extending FooForm and EngagementFindingForm
• Add a class to lib/findingGroup.py extending BaseFindingGroup
• Update views.py:
  • Implement findingFooNew() and validationFoo() views
  • Add the new scoring type to the filtering logic wherever you see CVSS or DREAD:
    • findingCreate()
    • engagementFgroupCreate()
    • engagementFgroupList()
    • engagementFindingDelete()
    • engagementFindingExport()
    • engagementFindingExcel()
• Add your findingFooNew() and validationFoo() views to urls.py
• Update Javascript
  • Add logic to static/js/findingEdit.js to update the score badge
  • Add a default finding prefix to static/js/engagementEdit.js
  • Add the new scoring type to $('#fgroupAdd').click() in static/js/engagementEdit.js
• Update stylesheets
  • Replicate what the CVSS and DREAD classes are doing in static/css/colors.css
  • Add whatever styles you need to static/css/component/FindingsList.css; these will probably be implementation-specific
• Update templates
  • Add a link to /findings/foo/new to templates/pages/findings.html
• Update base component
  • Add a filter to Component::iconColorDynamic() in components/FindingsList.py
• Miscellaneous
  • Add a sheet for the new finding type to lib/excel.py
  • Update templates/pages/findingGroupStatus.html and static/css/findingGroupStatus.css (I'm so sorry for this one)

There are a few other files that need to be updated, but should be able to replicate what's being done with the existing finding types. lib/dbExport.py, lib/dbImport.py, and lib/resolve.py come to mind, but there may be others.

Let us know if you run into any issues; we're happy to help out.

from writehat.

Hey thanks for the info, I'll take a crack and put a pull request in with my progress once I have a chance. The refactor that you talk about is probably the best approach, as I can image there would be more people looking to add different types of findings.

Thanks again!

from writehat.