Vulnerability Grouping
The Vulnerability Grouping feature allows you to summarize the content of a workspace by consolidating similar or repeated vulnerabilities into groups. This provides a simplified and concise view of vulnerabilities, reducing noise when a large number of similar findings are present.
Grouping can be configured in two ways: automatic (based on a shared criterion) or manual (user-defined). Both modes can coexist within the same workspace.
Automatic Grouping
Automatic grouping applies a criterion at the workspace level. When active, Faraday continuously monitors vulnerability creation and modification to maintain groups according to the selected criterion.
Grouping Criteria
Two criteria are available for automatic grouping:
- By Name: Vulnerabilities with similar names are grouped together. The similarity threshold (match precision) is configurable.
- By CVE: Vulnerabilities sharing the same CVE identifier are grouped together.
Only one criterion can be active per workspace at a time. Automatic grouping is optional — a workspace can have no criterion selected.
Configuring Automatic Grouping
Automatic grouping can be configured:
- At workspace creation: Select a grouping criterion in the workspace settings before saving.
- On an existing workspace: Edit the workspace configuration and update the Group By field.
Note: Only users with the Administrator role can configure or modify the automatic grouping criterion.
Changing the Criterion
If you change the grouping criterion on an existing workspace:
- Faraday will warn you that the existing automatic groups will be dissolved.
- The regrouping process will run in the background.
- Progress and completion can be tracked in the Processing Queue.
Manually created groups are preserved when the automatic criterion changes. Vulnerabilities belonging to manual groups are excluded from automatic regrouping.
How Automatic Grouping Works
- When a new criterion is applied to an existing workspace, Faraday scans all vulnerabilities and builds groups automatically.
- As new vulnerabilities are created or modified, they are automatically evaluated and added to existing groups if they match the criterion.
- When a criterion is active, it acts as a constraint — the grouping is continuously maintained.
Manual Grouping
Manual grouping lets you define your own groups regardless of whether automatic grouping is enabled. Manual groups take precedence over automatic groups: vulnerabilities in a manual group are excluded from automatic grouping.
Who Can Create Manual Groups
Users with the Administrator, Pentester, or any custom role that includes the Update Vulnerabilities permission can create and modify manual groups.
Creating a Manual Group
Manual grouping is only available from the workspace-level vulnerabilities view (outside any asset context).
- Select two or more ungrouped vulnerabilities from the vulnerability table.
- Click the Manual Grouping icon in the table header.
- Enter a unique name for the group within the workspace.
- Click Create to return to the vulnerability table, or Create and Explore to open the group view immediately.
Adding vulnerabilities to an existing manual group:
- Select exactly one existing manual group.
- Select one or more ungrouped vulnerabilities to add.
- Click the Manual Grouping icon.
- Click Add to return to the vulnerability table, or Add and Explore to open the group view immediately.
Error Messages
| Message | Cause |
|---|---|
| Please select 2 or more vulnerabilities to create a manual grouping | Fewer than 2 items selected |
| Only manual groups can be modified | An automatic group was selected |
Group Representation
In each group, the vulnerability with the highest risk score is automatically selected as the representative vulnerability. This is the vulnerability displayed in the vulnerability table on behalf of the group.
- The representative is determined automatically and cannot be manually chosen.
- The representative may change over time if risk scores are updated, new vulnerabilities are added to the group, or existing vulnerabilities are deleted from it.
In the vulnerability table, groups are displayed with the representative vulnerability's name followed by the number of grouped vulnerabilities in parentheses (e.g., Apache HTTP Server Response Split (5)).
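The rules described so far (grouping by name or by CVE, manual groups taking precedence, and the highest risk score choosing the representative) can be modelled in a few lines. This is an added illustration, not Faraday's own code: the field names, the sample findings, the placeholder CVE ids, the use of `difflib` for name similarity, the greedy comparison against a group's first member, and the two-member minimum for automatic groups are all assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample findings. Field names and CVE ids are placeholders,
# not Faraday's schema or real identifiers.
FINDINGS = [
    {"id": 1, "name": "Apache HTTP Server Response Split", "cve": "CVE-0000-0001", "risk": 62, "manual_group": None},
    {"id": 2, "name": "Apache HTTP Server Response Splitting", "cve": "CVE-0000-0001", "risk": 88, "manual_group": None},
    {"id": 3, "name": "Apache HTTP Server Response Split", "cve": "CVE-0000-0001", "risk": 70, "manual_group": "web-tier"},
    {"id": 4, "name": "SSH Weak Key Exchange Algorithms", "cve": "CVE-0000-0002", "risk": 40, "manual_group": None},
    {"id": 5, "name": "OpenSSH Deprecated KEX Enabled", "cve": "CVE-0000-0002", "risk": 55, "manual_group": None},
]

def _matches(a, b, criterion, threshold):
    if criterion == "cve":
        return a["cve"] is not None and a["cve"] == b["cve"]
    # Assumption: name similarity is modelled with difflib's ratio.
    ratio = SequenceMatcher(None, a["name"].lower(), b["name"].lower()).ratio()
    return ratio >= threshold

def auto_group(findings, criterion, threshold=0.8):
    """Group findings by 'name' or 'cve'; members of manual groups are skipped."""
    groups = []
    for f in findings:
        if f["manual_group"]:  # manual groups take precedence
            continue
        for g in groups:
            if _matches(f, g[0], criterion, threshold):
                g.append(f)
                break
        else:
            groups.append([f])
    # Assumption: an automatic group needs at least two members.
    return [g for g in groups if len(g) >= 2]

def representative(group):
    """The member with the highest risk score stands in for the group."""
    return max(group, key=lambda f: f["risk"])

def label(group):
    """Table label: representative's name followed by the member count."""
    return f'{representative(group)["name"]} ({len(group)})'

if __name__ == "__main__":
    for criterion in ("name", "cve"):
        print(criterion, [label(g) for g in auto_group(FINDINGS, criterion)])
```

Raising `threshold` to 0.95 splits the two Apache findings apart again, which shows how match precision trades noise reduction against the risk of merging distinct findings.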
Exploring a Group (Group View)
Clicking the Explore Group arrow icon next to a grouped vulnerability opens the Group View, which shows all vulnerabilities within the group.
You can also access the Group View from a vulnerability's detail panel by clicking the arrow icon in the header.
Group View Header
The header displays (left to right):
- A shortcut to return to the workspace vulnerability table (Back to Vulnerabilities).
- The name of the representative vulnerability.
- The group name (for manual groups) or the grouping criterion (for automatic groups).
- An Ungroup icon — available for manual groups only. Clicking it dissolves the group and returns vulnerabilities to the workspace as ungrouped.
- Total count of vulnerabilities in the group.
- Total count of associated assets.
- Total count of associated services.
Tabs in Group View
Vulnerabilities tab: Displays all vulnerabilities in the group as a standard, paginated table. All standard table operations are supported: right-click, bulk updates, column configuration, and filtering.
Assets tab: Displays only the assets associated with the vulnerabilities in the group. Operates as a standard asset table with a Back to Assets shortcut in the header.
Services tab: Displays only the services associated with the vulnerabilities in the group. Operates as a standard services table with a Back to Services shortcut in the header.
Editing Grouped Vulnerabilities
From the Workspace's Vulnerability Table
When performing operations from the main vulnerability table:
- Edit operations (bulk or individual) affect only the representative vulnerability of the group.
- Delete operations affect all vulnerabilities within the group, in addition to any individually selected ungrouped vulnerabilities.
A warning is shown before deletion if the selection includes one or more groups, indicating the total number of vulnerabilities that will be deleted (including those inside groups).
From the Group View
All standard table operations are available within the Group View, including multi-select, bulk updates, filtering, and right-click actions.
When deleting vulnerabilities from the Group View:
| Scenario | Result |
|---|---|
| All vulnerabilities deleted | The group is dissolved; you are redirected to the workspace vulnerability table |
| All but one vulnerability deleted | The group is dissolved; the remaining vulnerability becomes ungrouped |
| Some vulnerabilities deleted | The group is updated; counters for assets and services are recalculated |
Effect of Edits on the Representative
Editing a field used by the grouping criterion (e.g., the vulnerability name when using name-based grouping) may trigger a re-evaluation of the representative. If a grouped vulnerability's risk score changes, the representative may be replaced by another vulnerability in the group with a higher score.
Renaming a Manual Group
The name of a manual group can be edited from the vulnerability detail panel:
- Open the detail panel of a grouped vulnerability.
- Click the group name displayed in the panel header.
- Enter a new unique name.
- Confirm. If the name already exists in the workspace, an error will be shown.
Group Visibility by Context
All Workspaces View
- The workspaces List View includes a Grouped by column showing the automatic grouping criterion configured for each workspace. If no criterion is set, None is displayed.
- The workspace Grid view shows a grouping indicator on each workspace card. If no criterion is set, None is displayed.
- The all-workspaces vulnerability list displays vulnerabilities in a flat (ungrouped) view. Groups are not shown here, and manual grouping is not available from this view.
Workspace View
- The vulnerability table displays groups with the representative vulnerability and the group member count.
- The total vulnerability count considers each group as a single vulnerability.
- The Assets and Services tabs are not affected by grouping.
Asset View (Inside a Workspace Asset)
In this version, the vulnerability table inside an asset is displayed flat, without grouping. Group information is not shown at the asset level.
Permissions Summary
| Action | Required Role |
|---|---|
| Configure or change automatic grouping criterion | Administrator |
| View grouped vulnerabilities | All users assigned to the workspace |
| Create or modify manual groups | Administrator, Pentester, or custom role with Update Vulnerabilities permission |
| Dissolve (ungroup) a manual group | Administrator, Pentester, or custom role with Update Vulnerabilities permission |
Migrating from Duplicates (Upgrade from 5.19 to 5.20)
Starting in Faraday 5.20, the legacy duplicates feature has been replaced by Vulnerability Grouping. Workspaces that had vulnerabilities marked as duplicates in version 5.19 or earlier will not be automatically migrated.
To convert existing duplicates into groups, run the following management command after upgrading:
```
faraday-manage sync-duplicates-groups
```
Options:
| Option | Description |
|---|---|
| -a / --all-workspaces | Migrate duplicates across all workspaces |
| -w <workspace-name> / --workspace-name <workspace-name> | Migrate duplicates in a specific workspace |
Examples:
```
# Migrate all workspaces
faraday-manage sync-duplicates-groups --all-workspaces
# Migrate a specific workspace
faraday-manage sync-duplicates-groups --workspace-name my-workspace
```
Note: This command only needs to be run once after upgrading from 5.19 to 5.20. Workspaces that had no duplicates are unaffected.