Web App Scanning Findings Properties

The following table defines the properties in a Tenable Data Stream web app scanning findings payload file. To see an example file, go to Web App Scanning Findings Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The version of the payload. This number increments when the payload structure changes.
type	string	The type of payload (WAS_FINDING).
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[]	array of objects	Contains the web app scanning findings objects updated in the payload.
updates[].finding_id	string	The unique identifier of the finding (vulnerability).
updates[].url	string	The fully-qualified domain name or URL associated with the finding.
updates[].input_type	string	The type of HTML Form input associated with the finding.
updates[].input_name	string	The type of page element that's vulnerable (for example, an HTML form).
updates[].http_method	string	The HTTP method associated with the finding. .
updates[].output	string	The text output from the plugin that detected the finding.
updates[].proof	string	The output from the web application corroborating that the finding is present.
updates[].payload	string	The attack payload used to detect the finding.
updates[].state	string	The state as determined by the Tenable Web App Scanning state service. Possible values include: OPEN — The compliance finding is currently present on an asset. REOPENED — The compliance finding was previously marked as fixed on an asset but has been detected again by a new scan. FIXED — The compliance finding was present on an asset but is no longer detected. ACTIVE — The compliance finding is currently active on an asset. Note that the API uses different terms for states than the user interface. The new and active states in the user interface map to the OPEN state in the API. The resurfaced state in the user interface maps to the REOPENED state in the API. The fixed state is the same.
updates[].severity	string	The severity of the finding as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info (CVSS score of 0), low (CVSS score between 0.1 and 3.9), medium (CVSS score between 4.0 and 6.9), high (CVSS score between 7.0 and 9.9), and critical (CVSS score of 10.0).
updates[].severity_id	integer	The code for the severity assigned when a user recast the risk associated with the finding. Possible values include: 0 — The vulnerability has a CVSS score of 0, which corresponds to the info severity level. 1 — The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the low severity level. 2 — The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the medium severity level. 3 — The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the high severity level. 4 — The vulnerability has a CVSS score of 10.0, which corresponds to the critical severity level.
updates[].severity_default_id	integer	The code for the severity originally assigned to a finding before a user recast the risk associated with the finding. Possible values are the same as for the severity_id attribute.
updates[].severity_modification_type	string	The type of modification a user made to the finding's severity. Possible values include: NONE — No modification has been made. RECASTED — A user in the Tenable Web App Scanning user interface has recast the risk associated with the finding. ACCEPTED — A user in the Tenable Web App Scanning user interface has accepted the risk associated with the finding. For more information about recast and accept rules, see Recast/Accept Rules in the Tenable Vulnerability Management User Guide.
updates[].recast_reason	string	The text that appears in the Comment field of the recast rule in the Tenable Web App Scanning user interface.
updates[].recast_rule_uuid	string	The UUID of the recast rule that applies to the plugin.
updates[].first_found	string	An ISO timestamp indicating the date and time when a scan first detected the finding on the asset.
updates[].last_found	string	An ISO timestamp indicating the date and time when a scan last detected the finding on the asset.
updates[].last_fixed	string	An ISO timestamp indicating the date and time when a scan no longer detects the previously detected finding on the asset.
updates[].last_observed	string	An ISO timestamp indicating the date and time when the finding was previously detected/observed on the asset.
updates[].indexed_at	string	An ISO timestamp indicating the date and time when the vulnerability was indexed into Tenable Web App Scanning.
updates[].plugin	object	An object containing plugin details for the finding.
updates[].plugin.id	integer	The ID of the plugin that identified the finding.
updates[].plugin.risk_factor	string	The risk factor of the finding associated with the plugin. The risk factor is determined based on the calculation of the CVSS score. The possible values are: LOW — The vulnerability has a CVSS score between 0.1 and 3.9. MEDIUM — The vulnerability has a CVSS score between 4.0 and 6.9. HIGH — The vulnerability has a CVSS score between 7.0 and 9.9. CRITICAL — The vulnerability has a CVSS score of 10.0.
updates[].plugin.original_risk_factor_num	integer	The code for the severity originally assigned to a plugin.
updates[].plugin.locale	string	The plugin language used.
updates[].plugin.type	string	The general type of plugin check (for example, LOCAL or REMOTE).
updates[].plugin.intel_type	string	The intelligence type/source for plugin.
updates[].plugin.name	string	The name of the plugin that identified the vulnerability.
updates[].plugin.version	string	The version of the plugin used to perform the check.
updates[].plugin.publication_date	string	An ISO timestamp indicating the date and time the publication date of the plugin.
updates[].plugin.modification_date	string	An ISO timestamp indicating the date and time the last modification date of the plugin.
updates[].plugin.solution	string	Remediation information for the vulnerability.
updates[].plugin.synopsis	string	Brief description of the plugin or vulnerability.
updates[].plugin.description	string	The full text description of the plugin.
updates[].plugin.patch_publication_date	string	An ISO timestamp indicating the date and time the vendor's patch publication date for the plugin.
updates[].plugin.exploitability_ease	string	The vulnerability's ease of exploitability.
updates[].plugin.stig_severity	string	The Security Technical Implementation Guide (STIG) severity code for the vulnerability.
updates[].plugin.public_display	integer	The public display details for the plugin.
updates[].plugin.in_the_news	boolean	A value specifying whether this plugin has received media attention (for example, ShellShock, Meltdown).
updates[].plugin.exploited_by_malware	boolean	The finding discovered by this plugin is known to be exploited by malware.
updates[].plugin.cvss2_base_score	number	The CVSSv2 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss2_temporal_score	number	The CVSSv2 temporal score (characteristics of a finding that change over time but not among user environments).
updates[].plugin.cvss3_base_score	number	The CVSSv3 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss3_temporal_score	number	The CVSSv3 temporal score (characteristics of a finding that change over time but not among user environments).
updates[].plugin.see_also[]	array of strings	Links to external websites that contain helpful information about the vulnerability.
updates[].plugin.bid[]	array of integers	A list of Bugtraq IDs associated with the finding.
updates[].plugin.policy[]	array of strings	A list of policy names associated with the finding.
updates[].plugin.xrefs[]	array of objects	References to third-party information about the finding, exploit, or update associated with the plugin. Each reference includes a type and an ID (for example, capec and 2003-047).
updates[].plugin.xrefs[].type	string	The type of cross-reference (for example, capec, hipaa, or iso).
updates[].plugin.xrefs[].id[]	array of strings	A list of IDs for the cross-reference type.
updates[].plugin.cpe[]	array of strings	The Common Platform Enumeration (CPE) number for the plugin.
updates[].plugin.cve[]	array of strings	The Common Vulnerability and Exposure (CVE) ID for the plugin.
updates[].plugin.cwe[]	array of strings	The Common Weakness Enumeration (CWE) ID for the plugin.
updates[].plugin.wasc[]	array of strings	The Web Application Security Consortium (WASC) ID for the plugin.
updates[].plugin.owasp_2010[]	array of strings	A list of chapters in OWASP Categories 2010 report for the plugin.
updates[].plugin.owasp_2013[]	array of strings	A list of chapters in OWASP Categories 2013 report for the plugin.
updates[].plugin.owasp_2017[]	array of strings	A list of chapters in OWASP Categories 2017 report for the plugin.
updates[].plugin.owasp_2021[]	array of strings	A list of chapters in OWASP Categories 2021 report for the plugin.
updates[].plugin.owasp_api_2019[]	array of strings	A list of chapters in OWASP Categories API 2019 report for the plugin.
updates[].plugin.vpr	object	An object containing information about the Vulnerability Priority Rating (VPR) for the vulnerability.
updates[].plugin.vpr.score	number	The Vulnerability Priority Rating (VPR) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr.drivers	object	The key drivers Tenable uses to calculate a vulnerability's VPR. For more information, see Vulnerability Priority Rating Drivers.
updates[].plugin.vpr.drivers.age_of_vuln	object	A range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability. The valid ranges are: 0-7 days 7-30 days 30-60 days 60-180 days 180-365 days 365-730 days More than 730 days (+731)
updates[].plugin.vpr.drivers.age_of_vuln.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 730 days), this value is 731.
updates[].plugin.vpr.drivers.age_of_vuln.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.exploit_code_maturity	string	The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit). The possible values (HIGH, FUNCTIONAL, POC, or UNPROVEN) parallel the CVSS Exploit Code Maturity categories.
updates[].plugin.vpr.drivers.cvss_impact_score_predicted	boolean	A value specifying whether Tenable predicted the CVSSv3 impact score for the vulnerability because NVD did not provide one (true) or used the NVD-provided CVSSv3 impact score (false) when calculating the VPR.
updates[].plugin.vpr.drivers.cvss3_impact_score	number	The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management shows a Tenable-predicted score.
updates[].plugin.vpr.drivers.threat_intensity_last28	string	The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability. The possible values are: VERY LOW LOW MEDIUM HIGH VERY HIGH
updates[].plugin.vpr.drivers.threat_recency	object	A range representing the number of days since a threat event occurred for the vulnerability. The possible ranges are: 0-7 days 7-30 days 30-120 days 120-365 days More than 365 days (+365)
updates[].plugin.vpr.drivers.threat_recency.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 365 days), this value is 366.
updates[].plugin.vpr.drivers.threat_recency.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.threat_sources_last28[]	array of strings	A list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred.
updates[].plugin.vpr.drivers.product_coverage	string	The relative number of unique products affected by the vulnerability. The possible values are: LOW MEDIUM HIGH VERY HIGH
updates[].plugin.vpr.updated	string	The ISO timestamp when v last imported the VPR for this vulnerability. v imports a VPR value the first time you scan a vulnerability on your network. Then, Tenable Web App Scanning automatically re-imports new and updated VPR values daily.
updates[].plugin.vpr.updated_reason	string	The reason for the VPR update.
updates[].plugin.cvss2_temporal_vector	object	CVSSv2 temporal metrics for the vulnerability.
updates[].plugin.cvss2_temporal_vector.exploitability	string	The CVSSv2 Exploitability (E) temporal metric for the vulnerability the plugin covers. The possible values are: U — Unproven POC — Proof-of-Concept F — Functional H — High ND — Not Defined
updates[].plugin.cvss2_temporal_vector.remediation_level	string	The CVSSv2 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. The valid values are: O — Official Fix T — Temporary Fix W — Workaround U — Unavailable X — Not Defined
updates[].plugin.cvss2_temporal_vector.report_confidence	string	The CVSSv2 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. The possible values are: UC — Unconfirmed UR — Uncorroborated C — Confirmed ND — Not Defined
updates[].plugin.cvss2_temporal_vector.raw	string	The complete cvss_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss2_vector	object	Additional CVSSv2 metrics for the vulnerability.
updates[].plugin.cvss2_vector.access_complexity	string	The CVSSv2 Access Complexity (AC) metric for the vulnerability the plugin covers. The possible values are: H — High M — Medium L — Low
updates[].plugin.cvss2_vector.access_vector	string	The CVSSv2 Access Vector (AV) metric for the vulnerability the plugin covers. The possible values are: L — Local A — Adjacent Network N — Network
updates[].plugin.cvss2_vector.authentication	string	The CVSSv2 Authentication (Au) metric for the vulnerability the plugin covers. The possible values are: N — None Required S — Single M — Multiple
updates[].plugin.cvss2_vector.availability_impact	string	The CVSSv2 availability impact metric for the vulnerability the plugin covers. The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.confidentiality_impact	string	The CVSSv2 confidentiality impact metric for the vulnerability the plugin covers.The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.integrity_impact	string	The CVSSv2 integrity impact metric for the vulnerability the plugin covers. The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.raw	string	The complete cvss_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss3_temporal_vector	object	An object containing the CVSS v3 temporal vector details.
updates[].plugin.cvss3_temporal_vector.exploitability	string	The CVSSv3 Exploit Maturity Code (E) for the vulnerability the plugin covers. The possible values are: Unproven — Corresponds to the Unproven (U) value for the E metric. Proof-of-concept — Corresponds to the Proof-of-Concept (POC) value for the E metric. Functional — Corresponds to the Functional (F) value for the E metric. High — Corresponds to the High (H) value for the E metric. Not-defined — Corresponds to the Not Defined (ND) value for the E metric.
updates[].plugin.cvss3_temporal_vector.remediation_level	string	The CVSSv3 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. The valid values are: O — Official Fix T — Temporary Fix W — Workaround U — Unavailable X — Not Defined
updates[].plugin.cvss3_temporal_vector.report_confidence	string	The CVSSv3 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. The possible values are: U — Unknown R — Reasonable C — Confirmed X — Not Defined
updates[].plugin.cvss3_temporal_vector.raw	string	The complete cvss3_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss3_vector	object	Additional CVSSv3 metrics for the vulnerability.
updates[].plugin.cvss3_vector.access_complexity	string	The CVSSv3 Access Complexity (AC) metric for the vulnerability the plugin covers. The possible values are: H — High M — Medium L — Low
updates[].plugin.cvss3_vector.access_vector	string	The CVSSv3 Attack Vector (AV) metric for the vulnerability the plugin covers. The possible values are: Network — Corresponds to the Network (N) value for the AV metric. Adjacent Network — Corresponds to the Adjacent Network (A) value for the AV metric. Local — Corresponds to the Local (L) value for the AV metric.
updates[].plugin.cvss3_vector.authentication	string	The CVSSv3 Authentication (Au) metric for the vulnerability the plugin covers. The possible values are: None required — Corresponds to the None (N) value for the Au metric. Requires-single-instance — Corresponds to the Single (S) value for the Au metric. Requires-multiple-instances — Corresponds to the Multiple (M) value for the Au metric.
updates[].plugin.cvss3_vector.availability_impact	string	The CVSSv3 availability impact metric for the vulnerability the plugin covers. The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.confidentiality_impact	string	The CVSSv3 confidentiality impact metric for the vulnerability the plugin covers.The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.integrity_impact	string	The CVSSv3 integrity impact metric for the vulnerability the plugin covers. The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.raw	string	The complete cvss3_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].asset	object	Information about the asset where the scan detected the vulnerability.
updates[].asset.uuid	string	The UUID of the asset where a scan found the vulnerability.
updates[].asset.fqdn	string	The fully qualified domain name for the asset.
updates[].asset.ipv4s[]	array of strings	This value always returns as null.
updates[].asset.ipv4	string	This value always returns as null.
updates[].scan	object	Information about the latest scan that detected the vulnerability.
updates[].scan.completed_at	string	The ISO timestamp when the scan completed.
updates[].scan.schedule_uuid	string	The schedule UUID for the scan that found the vulnerability.
updates[].scan.started_at	string	The ISO timestamp when the scan started.
updates[].scan.uuid	string	The UUID of the scan that found the vulnerability.
updates[].scan.target	string or null	The target IP or hostname of the scan.
deletes[]	array of objects	Contains the host audit objects deleted in the payload.
deletes[].id	string	The ID of the deleted host audit.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the host audit was deleted.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.