Add optional MITRE ATT&CK classification to findings

[MichaelGrafnetter]

Many infrastructure pentesters use the MITRE ATT&CK framework. The ability to map a vulnerability/attack step to a technique ID, e.g. Account Manipulation: SSH Authorized Keys, would be great.

[aronmolnar]

What you mean is that we provide a predefined field holding all techniques and tactics hierarchically structured?
Similar to what exists with the CWE field?

This shouldn't be too hard to implement. What we must not forget is to include the license/terms of use.

[MichaelGrafnetter]

Yep, that's the idea. Both classifications are actually managed by the same MITRE organization. In the PDF report, the IDs should be hyperlinked to the source material.