multiple targets per engagement: missing IP or/and fqdn for host filtering?

[Whitehorse2]

I am currently using DefectDoJo with OpenVAS reports, these have countless hosts per engagement.

What I am missing here in the analysis is e.g. the IP address in findings to search directly for fqdn or IP (#11709 (comment)) inside findings.

In Hosts/Endpoints have fqdn with port, but also without an overview of the criticality. An overview (or some statistics) of which targets/hosts/IPs have how many critical and medium vulnerabilities would be very helpful here.
The fqdn is more likely to change than an IP address, so it is better for tracking, but fqdn is better for a fast identification.

DefectDoJo seems to work somewhat differently in this respect, perhaps also in order to be comparable with other scanner results.

For scans with many different systems, it seems important to be able to filter according to the target and receive statistics about how many critical / medium findings are on one target (not endpoint with only one port).

Is there perhaps a way to get closer to this, e.g. by importing an additional IP column with the parser or something similar?

Thank you very much for your work on this project. I am actually very fond of DefectDoJo, but I would like to describe here my problems with the evaluation of the OpenVAS data. The fact that this data is permanently missing seems to me to be an even bigger problem for my usage.

[valentijnscholten]

I don't have much experience with importing reports with endpoints, but could you elaborate more with screenshots maybe? I'm not sure I understand your request. Do you just want an extra column with the IP, or do you want to group the findings differently?

[Whitehorse2]

I would like to be able to sort the findings by IP. This is independent of the port. The FQDN should also remain in the data.
When I look at the list of findings, I always look for a column on which system the vulnerability should be located, so I have to follow up on each one and check the endpoint and manually convert the endpoint to an IP (if it still exists in the DNS).
So an IP column would definitely be helpful. I'm trying to describe the issues here from the perspective of analyzing OpenVAS data with multiple hosts. Perhaps there are also other suggestions on how to improve the evaluation of OpenVAS scan data in DefectDoJo.

[Whitehorse2]

Finally, an FQDN column or an overview of the hosts (without port) and the number of vulnerabilities with severity would also be helpful.

So the question is rather, what can I perhaps already implement and what might be possible in the future to simplify the evaluation, because I suspect the same problem may also exist with other scan parsers if the engagements, or the tests in them, have a large number of different hosts. I hope the problem with the evaluation is a bit clearer, otherwise please ask again.

Perhaps there are also suggestions as to how others deal with it, which is why I started it as a discussion.

[valentijnscholten]

Two things that could be helpful:

• In Defect Dojo Pro there is a Smart upload feature which allows you to distribute Findings over multiple projects based on the Endpoint.
• In OSS there's a service field on each finding that could be populated (via the API) with a value of your choosing, for example the ip.