Publishing a Scan (Fortify WebInspect Enterprise Connected)
Note: This topic applies only if Fortify WebInspect Enterprise is integrated with Fortify Software Security Center.
Use the following procedure to transmit scan data from Fortify WebInspect to a Fortify Software Security Center server, via Fortify WebInspect Enterprise.
Note: For information about managing the Fortify Software Security Center status of vulnerabilities when conducting multiple scans of the same Web site or application, see Integrating Vulnerabilities into Fortify Software Security Center.
1. Configure Fortify WebInspect Enterprise and Fortify Software Security Center.
2. Run a scan in Fortify WebInspect (or use an imported or downloaded scan).
3. Click the Enterprise Server menu and select Connect to WebInspect Enterprise. You will be prompted to submit credentials.
4. If a scan is open on a tab that has focus, and you want to publish only that scan:
   a. Click [button].
   b. Select an application and version, then click OK.
   c. Examine the results. Columns will appear in the Summary pane specifying "Published Status" and "Pending Status." The Published Status is the status of the vulnerability the last time this scan was published to Fortify WebInspect Enterprise. The Pending Status is what the status of the vulnerability will be after this scan is published. Depending on the Pending Status, you can modify it to specify whether the vulnerability has been resolved or still exists (see Step 7 below). In addition, a new tab named "Not Found" appears; this tab contains vulnerabilities that were detected in previous scans but not in the current scan. You can add screenshots and comments to vulnerabilities or mark vulnerabilities as false positive or ignored. You can also review and retest vulnerabilities, modifying the scan results until you are ready to publish.
   d. Click [button]. Go to Step 7.
5. To select from a list of scans:
   a. Click the Enterprise Server menu and select Publish Scan.
   b. On the Publish Scan(s) to Software Security Center dialog box, select one or more scans.
   c. Select an application and version.
   d. Click Next. Fortify WebInspect automatically synchronizes with Fortify Software Security Center.
6. Fortify WebInspect lists the number of vulnerabilities to be published, categorized by status and severity.
   To determine the status, Fortify WebInspect compares previously submitted vulnerabilities (obtained by synchronizing with Fortify Software Security Center) with those reported in the current scan. If this is the first scan submitted to an application version, all vulnerabilities will be "New."
   If a vulnerability was previously reported, but is not in the current scan, it is marked as "Not Found." You must determine whether it was not found because it has been fixed or because the scan was configured differently (for example, you may have used a different scan policy, scanned a different portion of the site, or terminated the scan prematurely). When examining the results (step 4c), you can change the "pending status" of individual vulnerabilities detected by all but the first scan (by right-clicking a vulnerability in the Summary pane). However, when publishing, you must specify how Fortify WebInspect should handle any remaining "Not Found" vulnerabilities:
   - To retain these "Not Found" vulnerabilities in Fortify Software Security Center (indicating that they still exist), select Retain: Assume all vulnerabilities still marked "Not Found" in the scan are still present.
   - To remove them (implying that they have been fixed), select Resolve: Assume all vulnerabilities still marked "Not Found" in the scan are fixed.
7. If this scan was conducted in response to a scan request initiated at Fortify Software Security Center, select Associate scan with an "In Progress" scan request for the current application version.
8. Click Publish.
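The status reconciliation described in step 6 (compare previously published vulnerabilities with the current scan, mark "New" and "Not Found", apply per-vulnerability pending-status overrides, then apply the Retain or Resolve policy to whatever is still "Not Found") is modelled below as an added worked example. This is illustrative code written for this page, not Fortify's implementation: the matching key (check name, URL, parameter), the "Existing" label for a vulnerability present in both scans, the "Still Present" and "Fixed" labels, and the sample findings are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance as it might appear in a scan (constructed model)."""
    check: str       # vulnerability check name
    url: str         # affected URL
    parameter: str   # affected parameter ("" when not parameter-specific)
    severity: str    # e.g. "Critical", "High", "Medium", "Low"

    @property
    def key(self):
        # Assumed identity of a finding across scans; the page does not
        # describe how the product actually matches findings.
        return (self.check, self.url, self.parameter)


# Status labels. "New" and "Not Found" are the page's terms; the rest are
# assumed labels used only by this example.
NEW = "New"
NOT_FOUND = "Not Found"
EXISTING = "Existing"
STILL_PRESENT = "Still Present"   # outcome of Retain ("still present")
FIXED = "Fixed"                   # outcome of Resolve ("fixed")

RETAIN = "Retain"
RESOLVE = "Resolve"


def pending_status(previously_published, current_scan):
    """Compare published findings with the current scan.

    Returns {key: (status, severity)}. With no previously published findings
    (first scan for an application version) everything comes out as New.
    """
    prev = {f.key: f for f in previously_published}
    cur = {f.key: f for f in current_scan}
    result = {}
    for key, f in cur.items():
        result[key] = (NEW if key not in prev else EXISTING, f.severity)
    for key, f in prev.items():
        if key not in cur:
            # Reported before, absent now: the analyst must decide why.
            result[key] = (NOT_FOUND, f.severity)
    return result


def apply_not_found_policy(statuses, policy, overrides=None):
    """Apply per-finding overrides, then the Retain/Resolve policy.

    overrides maps a finding key to a pending status the analyst chose by
    hand (the right-click action in the Summary pane). Any finding still
    marked Not Found afterwards gets the policy's default.
    """
    if policy not in (RETAIN, RESOLVE):
        raise ValueError(f"unknown Not Found policy: {policy!r}")
    overrides = overrides or {}
    default = STILL_PRESENT if policy == RETAIN else FIXED
    out = {}
    for key, (status, severity) in statuses.items():
        if key in overrides:
            out[key] = (overrides[key], severity)
        elif status == NOT_FOUND:
            out[key] = (default, severity)
        else:
            out[key] = (status, severity)
    return out


def summarize(statuses):
    """Counts by (status, severity), as the publish dialog categorizes them."""
    return Counter(statuses.values())


# Constructed sample data: what was published last time, and what this scan found.
PREVIOUSLY_PUBLISHED = [
    Finding("Cross-Site Scripting", "/search", "q", "Critical"),
    Finding("SQL Injection", "/login", "user", "Critical"),
    Finding("Directory Listing", "/images/", "", "Low"),
]
CURRENT_SCAN = [
    Finding("Cross-Site Scripting", "/search", "q", "Critical"),
    Finding("Cookie Without Secure Flag", "/", "session", "Medium"),
]

if __name__ == "__main__":
    pending = pending_status(PREVIOUSLY_PUBLISHED, CURRENT_SCAN)
    # Analyst verified the SQL injection fix; the directory listing was simply
    # outside this scan's coverage, so Retain keeps it open.
    verified = {("SQL Injection", "/login", "user"): FIXED}
    final = apply_not_found_policy(pending, RETAIN, verified)
    for key, (status, severity) in final.items():
        print(f"{status:13} {severity:8} {key}")
    print(summarize(final))
```

The point the model makes explicit is that Retain and Resolve are blanket decisions over whatever is left as "Not Found" after the per-finding review, so the defensible workflow is to override the findings you have actually verified (fixed or still present) and only then pick a policy for the remainder. Resolve on a scan that covered less of the site than the previous one silently closes real vulnerabilities in Fortify Software Security Center.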