Custom ordering of findings

[MWedl]

Discussed in #13

^{Originally posted by aronmolnar May 10, 2023}

Problem

Currently, the CVSS vector is a mandatory field for findings. Findings are ordered by CVSS score during reporting (and in the findings array in the HTML report).

Solution

It should be possible to customize the ordering and get rid of the mandatory CVSS score. It should be possible to sort by multiple custom-defined fields (e.g. first per target, second by severity).

It might also be desirable to allow custom ordering by drag&drop in the findings section.

Drawback

None

[MWedl]

We are starting to implement this feature.

Users will be able to configure the finding ordering in the design. The design holds a list of fields to sort by and their sort direction. The data structure for the finding ordering config will be something like:

[{"field": "cvss", "order": "desc"}, {"field": "title", "order": "asc"}]

[{"field": "target", "order": "asc"}, {"field": "cvss", "order": "desc"}, {"field": "created", "order": "asc"}]

In pentest projects the findings use the ordering config from the design by default. It will be possible to override the finding order. I.e. not use the ordering config from the design and manually move findings up and down in the finding list via drag and drop.

[MWedl]

Implemented in https://github.com/Syslifters/sysreptor/releases/tag/2023.119

[Lednerb]

Thanks fore adding this feature!

However, the custom sorting should also be used for the editing part on the left side (where all the findings are added to).

---

And also additionally, when the CVSS field is removed maybe an color-option for the risk indicator would be nice to have.

Background information:
In our pentests we apply the risk manually to each finding with a enum field risk_category with the values ciritcal, high, medium, low, observation and recommendation.

So a mapping with colors instead of the automatically applied from the cvss field would be a nice to have addition.

[MWedl]

The custom sorting should already be used by the finding sidebar in projects. For existing projects, please note that you need to refresh the design for these projects to apply any design changes including the configured finding order. See also this answer #64 (comment)

The SysReptor frontend sets the sidebar colors based on the cvss field or the newly added predefined field severity. The severity field is an enum of severity levels (critical, high, medium, low, info; same as CVSS levels). I think you cannot use this field because you use 6 levels instead of 5.

Adding a configuration option for mapping custom risk levels to sidebar colors would be quite a niche configuration, which I think will not be used by many users. Since the benefit is quite small (just a colored findings sidebar) compared to the implementation complexity, we will not implement this for now.

[Lednerb]

Thanks for the answer!

The sorting works already, I indeed had not updated the design.