{% if logo_image_b64 %} {% endif %}

{% if mode == 'detailed' %}Security Risk Report{% else %}Security Risk Summary{% endif %}

Project Name:
{{ scan_metadata.project_name if scan_metadata else '' }}
Version:
{{ scan_metadata.version_name if scan_metadata else '' }}
Organization:
{{ organization if organization else (scan_metadata.organization if scan_metadata else '') }}
Published:
{{ generated_at }}
CONFIDENTIAL — This document contains proprietary security assessment information.
{% if mode == 'detailed' %}Security Risk Report{% else %}Security Risk Summary{% endif %}
Published: {{ generated_at }}
{{ organization if organization else (scan_metadata.organization if scan_metadata else '') }}
{{ scan_metadata.project_name if scan_metadata else '' }} / {{ scan_metadata.version_name if scan_metadata else '' }}
{% if logo_image_b64 %}{% endif %}

About This Report

Finite State provides comprehensive software supply chain security through automated binary analysis, vulnerability management, and compliance monitoring. Our platform identifies security risks in firmware, embedded systems, and software components.

This report provides a security risk summary for {% if scan_metadata and scan_metadata.project_name %}{{ scan_metadata.project_name }}{% endif %} {% if scan_metadata and scan_metadata.version_name %} version {{ scan_metadata.version_name }}{% endif %}. It includes severity distribution, exploit maturity analysis, component risk rankings, and actionable remediation guidance.

Confidentiality Notice: This report is intended solely for the authorized recipient(s). It contains confidential security assessment data. Unauthorized distribution, copying, or disclosure is prohibited.

Security Brief {% if scan_metadata and scan_metadata.project_name %} {{ scan_metadata.project_name }} {% endif %} {% if scan_metadata and scan_metadata.version_name %} v{{ scan_metadata.version_name }} {% endif %}

Generated: {{ generated_at }}

Security Overview

{% if summary %}
{{ summary.open_count | default(0) }}
Total Open
{{ summary.critical_count | default(0) }}
Critical
{{ summary.high_count | default(0) }}
High
{{ summary.pct_triaged | default(0) }}%
% Triaged
{{ summary.kev_count | default(0) }}
KEV Listed
{{ summary.medium_count | default(0) }}
Medium
{{ summary.low_count | default(0) }}
Low
{{ summary.total_components | default(0) }}
Components
{{ summary.exploit_count | default(0) }}
With Exploits
{% else %}
No data
{% endif %}
{% if severity_distribution %}

Risk Overview

{% endif %} {% if top_findings %}

Top Findings (Critical & High, Open)

{% set status_labels = {"UNKNOWN": "Open", "NO_STATUS": "Open", "OPEN": "Open", "IN_TRIAGE": "In Triage"} %} {% set detail_lookup = {} %} {% if mode == 'detailed' and detailed_findings %} {% for df in detailed_findings %} {% if detail_lookup.update({df.finding_id: df}) %}{% endif %} {% endfor %} {% endif %} {% for f in top_findings %} {% set detail = detail_lookup.get(f.finding_id) if detail_lookup else None %} {% if detail %} {% endif %} {% endfor %}
CVE ID Severity Component Version CVSS Reachability KEV Exploit VEX Status
{% if detail %} {% endif %} {% if domain and f.project_id and f.project_version_id and f.finding_id %} {{ f.cve_id }} {% else %} {{ f.cve_id }} {% endif %} {{ f.severity }} {{ f.component }} {{ f.component_version }} {{ "%.1f"|format(f.cvss_score) if f.cvss_score else "—" }} {% if f.reachability_score is defined %}{% if f.reachability_score > 0 %}Reachable{% elif f.reachability_score < 0 %}Unreachable{% else %}{% endif %}{% else %}{% endif %} {% if f.in_kev %}KEV{% else %}{% endif %} {% if f.has_exploit %}Exploit{% else %}{% endif %} {{ status_labels.get(f.status, f.status) }}
{% if detail.description %}
Description
{{ detail.description[:500] }}{% if detail.description|length > 500 %}…{% endif %}
{% endif %} {% if detail.component_description %}
Component
{{ detail.component }} {{ detail.component_version }} — {{ detail.component_description }}
{% endif %}
Exploit Maturity
{% if detail.exploit_maturity %}{% for em in detail.exploit_maturity %}🔥 {{ em }}{% endfor %}{% else %}None known{% endif %}
Reachability
{{ detail.reachability_label }}
{% if detail.epss_percentile %}
EPSS Percentile
{{ "%.1f"|format(detail.epss_percentile * 100) }}%
{% endif %} {% if detail.attack_vector %}
Attack Vector
{{ detail.attack_vector }}
{% endif %} {% if detail.cve_aliases %}
CVE Aliases
{{ detail.cve_aliases | join(", ") }}
{% endif %} {% if detail.remediation %}
Remediation
{{ detail.remediation }}
{% endif %} {% if detail.mitigation %}
Mitigation
{{ detail.mitigation }}
{% endif %}
{% endif %} {% if mode == 'detailed' and detailed_findings %}

Detailed Findings

{% for f in detailed_findings %}
{% if domain and f.project_id and f.project_version_id and f.finding_id %} {{ f.cve_id }} {% else %} {{ f.cve_id }} {% endif %} {{ f.severity }} CVSS {{ "%.1f"|format(f.cvss_score) }}
Component
{{ f.component }} {{ f.component_version }}{% if f.component_description %} — {{ f.component_description }}{% endif %}
Exploit Maturity
{% if f.exploit_maturity %}{% for em in f.exploit_maturity %}🔥 {{ em }}{% endfor %}{% else %}None known{% endif %}
Reachability
{{ f.reachability_label }}
{% if f.epss_percentile %}
EPSS Percentile
{{ "%.1f"|format(f.epss_percentile * 100) }}%
{% endif %} {% if f.attack_vector %}
Attack Vector
{{ f.attack_vector }}
{% endif %} {% if f.cve_aliases %}
CVE Aliases
{{ f.cve_aliases | join(", ") }}
{% endif %}
{% if f.description %}
{{ f.description[:500] }}{% if f.description|length > 500 %}…{% endif %}
{% endif %} {% if f.remediation %}
Remediation: {{ f.remediation }}
{% endif %} {% if f.mitigation %}
Mitigation: {{ f.mitigation }}
{% endif %}
{% endfor %}
{% endif %} {% if top_security_risks %}

Top Security Risks

{% for f in top_security_risks %} {% endfor %}
CVE ID Severity Component Version CVSS EPSS %ile KEV Exploit
{{ f.cve_id }} {{ f.severity }} {{ f.component }} {{ f.component_version }} {{ "%.1f"|format(f.cvss_score) if f.cvss_score else "—" }} {{ "%.1f"|format(f.epss_percentile * 100) if f.epss_percentile else "—" }}% {% if f.in_kev %}KEV{% else %}{% endif %} {% if f.has_exploit %}Exploit{% else %}{% endif %}
{% endif %} {% if triage_summary %}

Triage Status

{% set ts = triage_summary %} {% set ts_total = (ts.untriaged | default(0)) + (ts.in_triage | default(0)) + (ts.not_affected | default(0)) + (ts.false_positive | default(0)) + (ts.affected | default(0)) + (ts.resolved | default(0)) %} {% if ts_total > 0 %}
{% if ts.untriaged > 0 %}
{{ ts.untriaged }}
{% endif %} {% if ts.in_triage > 0 %}
{{ ts.in_triage }}
{% endif %} {% if ts.not_affected > 0 %}
{{ ts.not_affected }}
{% endif %} {% if ts.false_positive > 0 %}
{{ ts.false_positive }}
{% endif %} {% if ts.affected > 0 %}
{{ ts.affected }}
{% endif %} {% if ts.resolved > 0 %}
{{ ts.resolved }}
{% endif %}
{% endif %}
Untriaged ({{ ts.untriaged | default(0) }}) In Triage ({{ ts.in_triage | default(0) }}) Not Affected ({{ ts.not_affected | default(0) }}) False Positive ({{ ts.false_positive | default(0) }}) Affected ({{ ts.affected | default(0) }}) Resolved ({{ ts.resolved | default(0) }})
{% endif %} {% if exploit_maturity_summary %}

Exploit Maturity

{{ exploit_maturity_summary.total_with_exploits | default(0) }} finding(s) with known exploit intelligence

{% set cats = [ ("kev", "In KEV"), ("vckev", "VulnCheck KEV"), ("weaponized", "Weaponized"), ("poc", "PoC"), ("threatactors", "Threat Actors"), ("ransomware", "Ransomware"), ("botnets", "Botnets"), ("commercial", "Commercial"), ("reported", "Reported") ] %} {% for key, label in cats %} {% set count = exploit_maturity_summary.get(key, 0) if exploit_maturity_summary.get is defined else exploit_maturity_summary[key] | default(0) %} {% if count > 10 %}{% set heat = "heat-3" %} {% elif count > 3 %}{% set heat = "heat-2" %} {% elif count > 0 %}{% set heat = "heat-1" %} {% else %}{% set heat = "heat-0" %}{% endif %}
{{ count }}
{{ label }}
{% endfor %}
{% endif %} {% if reachability_summary and reachability_summary.has_data %}

Reachability Analysis

{{ reachability_summary.reachable | default(0) }}
Reachable
{{ reachability_summary.unreachable | default(0) }}
Unreachable
{{ reachability_summary.inconclusive | default(0) }}
Inconclusive
{% endif %} {% if component_risk_ranking %}

Component Risk Analysis

{% for c in component_risk_ranking %} {% endfor %}
Component Version Critical High Medium Low Total Risk Score
{{ c.component }} {{ c.component_version }} {{ c.critical }} {{ c.high }} {{ c.medium }} {{ c.low }} {{ c.total }} {{ c.risk_score }}
{% endif %} {% if component_license_distribution %}

Component Licenses

{% endif %} {% if remediation_highlights %}

Vulnerable Components

Gate 1 — Reachable + Exploitable/KEV

{% if remediation_highlights.gate_1 %} {% for card in remediation_highlights.gate_1 %}

{{ card.component }}

{{ card.finding_count }} finding(s) · Top CVE: {{ card.top_cve }} · CVSS {{ "%.1f"|format(card.worst_cvss) }}
{% endfor %} {% else %}

No Gate 1 findings identified.

{% endif %}

Gate 2 — Network Vector + High EPSS

{% if remediation_highlights.gate_2 %} {% for card in remediation_highlights.gate_2 %}

{{ card.component }}

{{ card.finding_count }} finding(s) · Top CVE: {{ card.top_cve }} · CVSS {{ "%.1f"|format(card.worst_cvss) }}
{% endfor %} {% else %}

No Gate 2 findings identified.

{% endif %}
{% endif %} {% if sbom_stats %}

SBOM Summary

Total Components: {{ sbom_stats.total_components | default(0) }}

{% endif %} {% if scan_metadata %}

Scan Metadata

{% if scan_metadata.project_name %}Project: {{ scan_metadata.project_name }}{% endif %} {% if scan_metadata.version_name %}Version: {{ scan_metadata.version_name }}{% endif %} {% if scan_metadata.scan_date_range %}Detection Range: {{ scan_metadata.scan_date_range }}{% endif %}
{% endif %}

Glossary

Core Security Terms

Risk Score
A composite score (0–10) indicating the overall risk of a vulnerability, factoring in severity, exploitability, and reachability.
Severity
The CVSS-based classification of a vulnerability's potential impact: Critical, High, Medium, Low, or Informational.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known security vulnerabilities (e.g., CVE-2024-3094).
EPSS (Exploit Prediction Scoring System)
A probability score (0–1) predicting the likelihood a vulnerability will be exploited in the wild within 30 days.
CVSS (Common Vulnerability Scoring System)
An industry standard for assessing the severity of vulnerabilities on a 0–10 scale.

Component & Software Terms

SBOM (Software Bill of Materials)
A comprehensive inventory of all software components, libraries, and dependencies in a product.
Component
A discrete software package, library, or module identified in a product's SBOM.
License
The legal terms under which a software component may be used, distributed, or modified (e.g., MIT, GPL, Apache-2.0).

Exploit & Threat Terms

KEV (Known Exploited Vulnerabilities)
CISA's catalog of vulnerabilities confirmed to be actively exploited in the wild.
Weaponized
An exploit that has been packaged into a readily usable attack tool or framework.
PoC (Proof of Concept)
A demonstration exploit that proves a vulnerability can be exploited, but may not be weaponized.
Threat Actors
Vulnerabilities known to be targeted by specific threat groups or APTs.
Ransomware
Vulnerabilities known to be exploited by ransomware campaigns.
Botnets
Vulnerabilities exploited by automated botnet networks for mass compromise.
Commercial
Exploits available in commercial exploit marketplaces or tools.
Reported
Exploits that have been publicly reported but may not yet be weaponized.

Security Analysis Terms

Reachability
Whether a vulnerable code path can actually be reached during normal execution of the software.
VEX (Vulnerability Exploitability eXchange)
A standard for communicating the exploitability status of vulnerabilities in specific products.
Triage
The process of evaluating and prioritizing vulnerabilities based on risk, exploitability, and business impact.
Attack Vector
The method by which a vulnerability can be exploited: Network, Adjacent, Local, or Physical.