Customizing vulnerability results

You must have the Comply Report Content Administrator role to customize vulnerability results. For more information about Comply roles, see User role requirements.

Use custom ID mapping and custom scoring to align CVEs to the frameworks on which you report.

Custom scores

Comply allows you to assign a custom score to an individual CVE. By default, Comply shows the CVSS score.

  1. From the Comply menu, click Setup > Vulnerability.
  2. On the Custom Vulnerability Scores tab, click Create Score Mapping.
  3. In the Upload Vulnerability Score Mapping window, enter a Name, Prefix, and Description.
  4. Click Select File and locate the score mapping file.
  5. Click Save. Your custom score will now show under Custom Vulnerability Scores and be available in the Advanced section of the New Vulnerability Report page when you create a new report.

Use the following file format for a custom score mapping: CVE|score

Example: CVE-2017-8789|11.5

Custom ID mappings

Custom ID mappings allow you to create a custom column on results that associates a specific tag with a CVE.

  1. From the Comply menu, click Setup > Vulnerability.
  2. On the Custom Vulnerability IDs tab, click Create ID Mapping.
  3. In the Upload Vulnerability ID Mapping window, enter a Name, Prefix, and Description.
  4. Click Select File and locate the custom vulnerability ID mapping file.
  5. Click Save. Your custom ID will now show under Custom Vulnerability IDs and be available in the Advanced section of the New Vulnerability Report page when you create a new report.

Use the following file format for a custom ID mapping: CVE|custom id

Example: CVE-2014-2814|KB297262
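
A pre-upload check for both mapping file formats described above (CVE|score and CVE|custom id), as an added example that is not part of the Comply documentation or product. It assumes one entry per line with no header row, which the page does not state; lint_mapping and SAMPLE_SCORES are hypothetical names.

```python
import math
import re

# CVE identifier syntax: "CVE-", a 4-digit year, then 4 or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def lint_mapping(text, kind):
    """Lint a 'CVE|value' mapping file body; kind is 'score' or 'id'.

    Returns (entries, problems): entries maps CVE -> value for accepted
    lines, problems is a list of (line_number, message) tuples.
    """
    if kind not in ("score", "id"):
        raise ValueError("kind must be 'score' or 'id'")
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are harmless
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2:
            problems.append((n, "expected exactly one '|' separator"))
        elif not CVE_RE.match(parts[0]):
            problems.append((n, f"not a CVE identifier: {parts[0]!r}"))
        elif not parts[1]:
            problems.append((n, "empty value"))
        elif parts[0] in entries:
            problems.append((n, f"duplicate entry for {parts[0]}"))
        elif kind == "id":
            entries[parts[0]] = parts[1]
        else:
            try:
                score = float(parts[1])
            except ValueError:
                score = math.nan
            if math.isfinite(score):
                # No 0-10 range check: the page's own example score is 11.5.
                entries[parts[0]] = score
            else:
                problems.append((n, f"score is not a finite number: {parts[1]!r}"))
    return entries, problems

# Constructed sample built from the page's two example entries.
SAMPLE_SCORES = """CVE-2017-8789|11.5
CVE-2017-8789,11.5
CVE-2014-2814|high
CVE_2014_2814|7.0
CVE-2017-8789|9.8
"""
```

Running lint_mapping over a file before upload catches wrong delimiters, malformed CVE identifiers, non-numeric scores, and duplicate CVE entries, any of which could leave a CVE unmapped or mapped ambiguously in a report.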

Upload IAVM mapping definitions

Information Assurance Vulnerability Management (IAVM) is a vulnerability source that is managed by the Department of Defense (DOD) and is accessible only with a common access card (CAC).

If you use IAVM mappings, you can upload IAVM mapping definitions in Comply.

  1. From the Comply menu, click Setup > Vulnerability.
  2. On the IAVM Mappings tab, click Upload IAVM Mapping Definitions and select the IAVM mapping file.
  3. Click Save. The last upload time and the count of IAVM ID and score mappings will be listed on the IAVM Mappings page following successful upload.

When you upload new IAVM mapping definitions, they will replace any existing mapping definitions.

After you upload an IAVM mapping file to Comply, click Download IAVM Mapping File on the IAVM Mappings page to download the last file that was uploaded.

To apply the IAVM mappings, you must add both the IAVM ID and score mappings when you create a vulnerability report. In the Advanced section of the New Vulnerability Report page, select IAVM ID Mappings (ID map) to add it. Then click Add Additional Vulnerability Mapping and select IAVM Score Mapping (score map) to add it.

View ID Mappings and Score Mappings in Interact

  1. Obtain the hash for the custom ID for a report by clicking on the report name on the Vulnerability Reports page and expanding More Details. You can click Copy to copy the hash.
  2. In Interact, ask the question that matches the engine type, such as Get Comply - CIS-CAT Vulnerabilities from all machines, and paste the hash in the Comply bundle hash field.

  3. Use the appropriate Comply sensor for the engine type:

    • Comply - CIS-CAT Vulnerabilities
    • Comply - JovalCM Vulnerabilities
    • Comply - SCC Vulnerabilities
  4. Click Ask Question.
  5. The ID Mappings and Score Mappings columns in the results grid show these mappings.

Download custom ID mapping

In order to view, edit, or reuse a custom ID mapping, you can download it.

Select a custom ID mapping and click export.

Configuring Remote Profiles with Discover

You must have the Discover module to configure this feature. For background information and detailed instructions, see the Tanium Discover User Guide.

For Comply 2.7 or later, you must use Discover 4.0 or later.

  1. From the Comply menu, click Setup > Remote Profile.
  2. Click the Create Profile button.
  3. In the Summary section, enter a Name.
  4. In the Targeting section, enter the following:
    • In Computer Groups, select a group from the list.

    The following fields are optional:

    • Select the check box to Exclude isolated subnets from scans.
    • In the Specific Exclusions field, enter IP addresses or ranges to exclude from scans.
    • In the VPN Exclusions field, enter IP addresses or ranges connected through VPNs to exclude from scans.
    • In the Zone Exclusions field, enter IP addresses or host names connected through DMZ facing networks, home networks, or other remote connections to exclude from scans.
  5. Configure the Scan Frequency.
  6. Under Target Ports, select whether to target only the Top 1000 Ports or the Top 1000 Ports plus specified ports.
    • Optionally, enter ports to exclude from targeting.
    • Optionally, enter a Requested Source Port. Nmap will try to use this port to run scans.
  7. Click Create Profile.