Nucleus to PCI Technical ASV Report

This article will tell you all the pieces of a PCI ASV report and where that information comes from in Nucleus.

We recommend reading the PCI ASV Reports support document first if you have not already. Many of these fields are populated based on the actions you take within Nucleus. 

Technical Report Fields

Scan Customer Information

This comes from the client's organization information from Step 1 of the PCI report workflow. Change this by editing the Organization Information for that client. 

Approved Scanning Vendor Information

This comes from the Master Org Information from Step 1 of the PCI Report Workflow. Edit this by editing your organization's details. 

Scan Status

• Date Scan Completed - Calculated automatically based on the latest scan date for each in-scope asset. The earliest latest scan date is used
• Scan Expiration Date - Automatically calculated to be 90 days after the "Date Scan Completed" Field
• Compliance Status - Marked as failed if any in-scope assets have a medium severity vulnerability or higher present
• Scan Report Type - Static field
• Number of Unique in-scope components scanned - Automatically calculated based on vuln scan results
• Number of identified failing vulnerabilities - Automatically calculated based on vuln scan results
• Out of Scope # of Components - Calculated based on the number of assets in the Nucleus project with the "Compliance Scope" attribute marked as "No".
• Scan Customer Attestation - Pre-Filled out paragraph which populates its fields based on the Organization data from step 1 of the PCI workflow
• ASV Attestation - Pre-filled out paragraph that populates based on the Master Organization data from Step 1 of the PCI workflow

Part 1 Scan Information

Populated automatically based on Org Data.

Part 2 Vulnerability Details

Populated from the Active Vulnerability List in Nucleus. This is a list of all vulnerabilities for each asset, along with associated details.

• Asset: The asset which the vulnerability affects
• Services: List of all ports and services detected on the asset. Populated automatically from scan results
• Findings: The list of findings affecting this asset. Each finding has its own table with all associated information
  • Title - The name of the vulnerability in Nucleus
  • Target - The affected asset
  • Base CVSS Score - CVSS score for this vulnerability, if applicable, populated from scan results
  • CVSS Vector - CVSS Vector, if applicable. Populated from scan results. 
  • Risk - Severity attribute of the vulnerability. Populated from the Nucleus Active Vulnerability List
  • Description - The description of the vulnerability, populated automatically from scan results
  • Suggestion - Solution on how to fix the vulnerability, populated automatically from vuln scan results
  • Reference - References that pertain to the vulnerability. Populated automatically from vulnerability scan results
  • Output - Specific output of the finding on that asset, populated automatically from the vulnerability scan results
  • Compliance Status - Automatically a Fail unless the vulnerability was marked as a False Positive, Mitigated via compensating Control, or Accepted Risk in the Nucleus Active Vulnerability List

Each asset has a list of all the vulnerabilities that affect it. And each vulnerability has all the details of the vulnerability for that asset. You should see that most of these fields will populate automatically and should make reporting for PCI ASV technical reports much easier!

Those are all the relevant fields in the PCI Technical report. If you have questions, please submit requests to your Nucleus support representative!