When should I correlate?

Sometimes it's straightforward to determine if findings reported by different tools are actually of the same type of vulnerability. The master findings contain almost exactly the same information but possibly with different wording. In these cases correlation is a good idea so that you are not maintaining separate master findings for the same vulnerability.

If information such as the Bugtraq ID, CWE, or CVE numbers are the same, that's also a good indication that the vulnerabilities are the same and should be correlated accordingly.

In other cases it might not be as obvious. The master findings might be similar but contain a few key differences. When it doubt it is generally better to keep them separate as correlation might affect findings outside of the workspace and project. You could also correlate these findings to the same master finding but use different variations. Regardless, if you decide later that the current correlation configuration isn't what you need, you can revert the correlation or correlate to an entirely different master finding.

Which master finding should I use?

When you have several master findings to potentially choose from, review all of the information provided by the master findings. Some tools might report extensive verification and remediation instructions while some might not offer any instructions at all. Not only that, but the information or instructions provided might not be relevant and would require manual updating to accurately reflect what's needed for your environment. Choose the master finding that provides the most accurate information and requires the least amount of manual rewriting. If none of the available master findings are suitable, you can manually create a master finding and add the information you need.

How does Resolve know which findings to correlate?

Correlating a finding affects all other findings that point to the same correlation reference. Correlations are not specific to any business unit, project, or workspace — they apply globally for all findings, whether current or created in the future. Correlating a finding in one project or workspace might affect findings across Resolve.

Can I undo a correlation?

Yes. If you discover that a correlated finding is better suited to its original master finding, you can revert the correlation. You can also correlate a finding to a different master finding as many times as you need.

Keep in mind that no data is ever lost through correlation; the original data is always preserved. Correlation merely makes managing the underlying data easier.