False Positives

This feature lists all URLs that Fortify WebInspect originally flagged as containing a vulnerability and which a user later determined were false positives.

Importing False Positives

You can also import, from a previous scan, a list of vulnerabilities that were analyzed and determined to be false positives. Fortify WebInspect then correlates these false positives from the previous scan with the vulnerabilities detected in the current scan and flags the matching new occurrences as false positives.

To illustrate, suppose a cross-site scripting vulnerability was detected in Scan No. 1 at URL http://www.mysite.com/foo/bar and, after further analysis, someone flagged it as a false positive. If you import false positives from Scan No. 1 into Scan No. 2 of www.mysite.com, and if that second scan detects a cross-site scripting vulnerability at the same URL (http://www.mysite.com/foo/bar), then Fortify WebInspect automatically changes that vulnerability to a false positive. 

Inactive / Active False Positives Lists

Imported false positives are loaded first into a list labeled "Inactive False Positives." If a false positive in that list is matched with a vulnerability in the current scan, the item is moved from the Inactive False Positives list to the Active False Positives list. Unmatched items remain in the Inactive False Positives list.

Loading False Positives

False positives from other scans can be manually loaded into the current scan at any time. Alternatively, you may instruct the Scan Wizard, while initiating a scan, that false positives are to be loaded from a specific file; in this case, Fortify WebInspect correlates the false positives as they are encountered during the scan. You can also see (on the scan dashboard) the false positives matched while the scan is running.
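The correlation and list handling described in the preceding sections (matching an imported false positive to a finding at the same URL, moving it from the Inactive list to the Active list, and correlating findings as they are encountered during a running scan) can be modelled in a few lines. The following is an added example written for this page, not Fortify WebInspect's own code. It assumes that a match is decided on the (check name, URL) pair alone, as the cross-site scripting example above suggests; the `Finding` type, the `FalsePositiveCorrelator` class and the sample data are all constructed for illustration.

```python
"""Added example (not WebInspect code): correlating imported false positives
with the findings of a new scan, keeping Inactive and Active lists."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    check: str            # vulnerability description, e.g. "Cross-Site Scripting"
    url: str
    comment: str = ""     # note entered by the analyst who marked it
    false_positive: bool = False


def _key(check, url):
    # Assumed normalisation: check names compare case-insensitively, URLs are
    # compared after trimming whitespace. Path and query stay case-sensitive,
    # so /foo/bar and /foo/baz are different keys.
    return (check.strip().lower(), url.strip())


class FalsePositiveCorrelator:
    """Holds imported false positives and correlates scan findings against them."""

    def __init__(self, imported):
        # Every imported item starts in the Inactive list.
        self.inactive = {}
        for fp in imported:
            self.inactive.setdefault(_key(fp.check, fp.url), fp)
        self.active = {}

    def observe(self, finding):
        """Correlate one finding as the scan encounters it.

        Returns the finding unchanged when nothing matches, otherwise a copy
        flagged as a false positive that carries the earlier analyst comment.
        """
        k = _key(finding.check, finding.url)
        fp = self.inactive.pop(k, None)
        if fp is not None:
            self.active[k] = fp           # Inactive -> Active on first match
        elif k in self.active:
            fp = self.active[k]           # repeat hit on an already-active item
        if fp is None:
            return finding
        return replace(finding, false_positive=True, comment=fp.comment)

    def correlate(self, findings):
        """Batch form: correlate a finished scan's findings in one pass."""
        return [self.observe(f) for f in findings]

    def mark_as_vulnerability(self, finding):
        """Reverse a match: drop the item from the Active list and return the
        finding as a live vulnerability again."""
        self.active.pop(_key(finding.check, finding.url), None)
        return replace(finding, false_positive=False, comment="")

    def remove_from_inactive(self, fp):
        """Discard an imported item that should not be carried forward."""
        self.inactive.pop(_key(fp.check, fp.url), None)


# Constructed sample data, not taken from a real scan.
IMPORTED_FROM_SCAN_1 = [
    Finding("Cross-Site Scripting", "http://www.mysite.com/foo/bar",
            comment="Reviewed: output is HTML-encoded", false_positive=True),
    Finding("SQL Injection", "http://www.mysite.com/search",
            comment="Reviewed: static error text", false_positive=True),
]
SCAN_2_FINDINGS = [
    Finding("Cross-Site Scripting", "http://www.mysite.com/foo/bar"),
    Finding("Cross-Site Scripting", "http://www.mysite.com/foo/baz"),
]


def run_example():
    """Correlate scan 2 against scan 1's false positives and report the lists."""
    corr = FalsePositiveCorrelator(IMPORTED_FROM_SCAN_1)
    findings = corr.correlate(SCAN_2_FINDINGS)
    return {
        "findings": findings,
        "active": list(corr.active.values()),
        "inactive": list(corr.inactive.values()),
    }


if __name__ == "__main__":
    result = run_example()
    for f in result["findings"]:
        print(f"{f.check} at {f.url}: false_positive={f.false_positive} {f.comment!r}")
    print("Active:", [fp.url for fp in result["active"]])
    print("Inactive:", [fp.url for fp in result["inactive"]])
```

Running it flags the scan 2 finding at /foo/bar as a false positive and leaves the new /foo/baz finding as a vulnerability; the SQL injection item, which scan 2 did not reproduce, stays in the Inactive list. Because `observe` is called per finding, the same object serves the Scan Wizard style of loading (correlate while the scan runs) and the after-the-fact import.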

Working with False Positives

  1. Select False Positives from the Scan Info panel.

  2. If necessary, click the plus sign next to a vulnerability description to display the associated URLs and state.

  3. Click a URL to view a comment (at the bottom of the Information pane) that may have been entered when the user removed the vulnerability.

  4. To import false positives from other scans, click Import False Positives.

  5. To change a false positive back to a vulnerability, select an item from the Active False Positive list and click Mark as Vulnerability.

  6. To remove an item from the Inactive False Positive list, select the item and click Remove From Inactive.

  7. To edit a comment associated with a false positive, select the item and click Edit Comment.

For information on how to designate a vulnerability as a false positive, see Navigation Pane Shortcut Menu or Findings Tab.

For more information on the Fortify WebInspect window, see WebInspect User Interface.