Each tenant that uses SafeSCARF as a Service has a unique entry point to its SafeSCARF Vulnerability Management Portal (SVMP) instance. The URL for a particular tenant can be found on the Overview tab.
SVMP is the single place where SafeSCARF users, technical and non-technical alike, get one view of the vulnerabilities affecting the products they develop or operate.
SVMP uses a permission model that grants access to, or the ability to modify, particular parts of the portal, Product Types, or Products according to the permissions assigned to each user. Because SVMP is delivered as Software as a Service, a user will never be able to manipulate all parts of SVMP.
To log in to SVMP, a user needs the same credentials that are used for the Pan-Net Cloud Portal. More information can be found in the official Pan-Net Cloud Portal documentation.
SVMP object hierarchy
To use SVMP properly it is important to understand its object structure, from the level of Product Types down to individual Findings. Each of these objects has its own way (a page or an API endpoint) to manipulate its data.
Product Type is the top-level model; it can reflect a business decision, an office, a product group, or any other grouping that fits the customer's requirements.
Example: Security Products, Voice Department, etc.
Product is a product, project, or system that is under security testing.
Example: ACME Certificate agent
Engagement is a period in time during which testing takes place. Engagements can be named by timeline, product version, test strategy, etc. There are two types of Engagement. An Interactive Engagement is created and filled with findings by engineers. A CI/CD Engagement is dedicated to automating the vulnerability discovery process; as its name suggests, it is intended to be consumed from CI/CD pipelines.
Example: Alpha, Stage_scanning
Test groups the activities conducted by engineers and stores the results of those activities.
Example: Anchore Image Scan, Penetration Scan
Finding represents an individual result that may be a vulnerability (it can also be a false positive). Findings are categorized by severity: Critical, High, Medium, Low or Informational.
Example: CVE-2019-18218 - php7.0-7.0.30-0+deb9u1(dpkg)
Endpoint represents a testable system, identified by its IP address or FQDN. Keep in mind that not all tests deal with endpoints, so this information can be omitted.
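The hierarchy above, modelled as an added Python example rather than SafeSCARF's own code or API: it walks Product -> Engagement -> Test -> Finding, drops false positives, distinguishes the two engagement types, and rolls up the worst open severity per product. The class and field names, the acme.example.com host and every finding other than the CVE from the page are assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ["Informational", "Low", "Medium", "High", "Critical"]  # page's labels, least to worst

@dataclass
class Endpoint:           # testable system, by IP address or FQDN
    host: str
@dataclass
class Finding:            # one result; may turn out to be a false positive
    title: str
    severity: str         # one of SEVERITIES
    false_positive: bool = False
    endpoint: Optional[Endpoint] = None   # omitted when the test has none
@dataclass
class Test:               # groups the activities of one tool or engineer
    name: str
    findings: list = field(default_factory=list)
@dataclass
class Engagement:         # a period of testing; kind is "Interactive" or "CI/CD"
    name: str
    kind: str
    tests: list = field(default_factory=list)
@dataclass
class Product:            # product, project or system under test
    name: str
    engagements: list = field(default_factory=list)
@dataclass
class ProductType:        # top-level grouping, e.g. a department
    name: str
    products: list = field(default_factory=list)

def open_findings(product, kind=None):  # kind: "Interactive", "CI/CD", or None for all
    """Walk Product -> Engagement -> Test -> Finding, skipping false positives."""
    return [f for e in product.engagements if kind in (None, e.kind)
            for t in e.tests for f in t.findings if not f.false_positive]

def worst_severity(product):
    """Highest severity among a product's open findings, or None if clean."""
    found = open_findings(product)
    return max((f.severity for f in found), key=SEVERITIES.index) if found else None

# Constructed sample tree using the example names from the page (not real data).
ACME = Product("ACME Certificate agent", [
    Engagement("Stage_scanning", "CI/CD", [Test("Anchore Image Scan", [
        Finding("CVE-2019-18218 - php7.0-7.0.30-0+deb9u1(dpkg)", "High"),
        Finding("Outdated banner", "Low", false_positive=True)])]),
    Engagement("Alpha", "Interactive", [Test("Penetration Scan",
        [Finding("Weak TLS configuration", "Medium", endpoint=Endpoint("acme.example.com"))])])])
SECURITY_PRODUCTS = ProductType("Security Products", [ACME])
```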