Suppressed findings

This feature lists all URLs that OpenText DAST originally flagged as containing a vulnerability, but which have been marked as "False Positive" or "Ignore" by a user.

Understanding suppressed findings

OpenText DAST supports two types of suppressed finding, corresponding to the two states a user can assign to a vulnerability: False Positive and Ignore.

Importing suppressed findings

You can import, from a previous scan, the list of vulnerabilities that were analyzed and marked as false positives or ignored. OpenText DAST then correlates these suppressed findings from the previous scan with the vulnerabilities detected in the current scan and flags each matching new occurrence as false positive or ignored.

For example, suppose a cross-site scripting vulnerability was detected in Scan No. 1 at URL http://www.mysite.com/foo/bar and, after further analysis, a developer flagged it as a false positive. If you import false positives from Scan No. 1 into Scan No. 2 of www.mysite.com, and if that second scan detects a cross-site scripting vulnerability at the same URL (http://www.mysite.com/foo/bar), then OpenText DAST automatically changes that vulnerability to a false positive. Because the match is made on the vulnerability and URL recorded in the earlier scan, review the Active Suppressed Findings list after an import: a matched item is suppressed without any fresh analysis of whether the earlier decision still holds for the current build.

Inactive / Active Suppressed Findings lists

Imported suppressed findings are loaded first into a list labeled "Inactive Suppressed Findings." If a suppressed finding in that list is matched with a vulnerability in the current scan, the item is moved from the Inactive Suppressed Findings list to the Active Suppressed Findings list. Unmatched items remain in the Inactive Suppressed Findings list.

Loading suppressed findings during scan configuration

While configuring a scan in the Scan Wizard, you can choose to load suppressed findings from a specific scan or file. During the scan, OpenText DAST correlates the suppressed findings as each vulnerability is encountered. The scan dashboard also shows the false positives matched while the scan is running.
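The correlation described in the two preceding sections (imported items start in the Inactive list, a match on the same vulnerability at the same URL moves the item to the Active list and changes the current finding's state, and Mark as Vulnerability or Reset Vulnerabilities undo that) is shown below as an added Python example. This is not OpenText DAST's own code, and the JSON record shape (check, url, state, comment), the exact-string URL match, and the constructed scan data are assumptions made for illustration; the product's export format is not documented on this page.

```python
"""Correlate imported suppressed findings with a new scan's findings.

Added example, not OpenText DAST code. The record schema, the exact-URL
matching rule, and all scan data below are constructed for illustration.
"""
import json
from dataclasses import dataclass, field

SUPPRESSED_STATES = {"False Positive", "Ignore"}


@dataclass(frozen=True)
class Finding:
    """One vulnerability detected by the current scan (hashable, used as a key)."""
    check: str  # vulnerability name, e.g. "Cross-Site Scripting"
    url: str


@dataclass
class SuppressedFinding:
    """One record from a (hypothetical) suppressed-findings export."""
    check: str
    url: str
    state: str        # "False Positive" or "Ignore"
    comment: str = ""  # analyst note, shown for false positives

    def key(self) -> Finding:
        return Finding(self.check, self.url)


@dataclass
class Correlation:
    inactive: list = field(default_factory=list)  # imported, not yet matched
    active: list = field(default_factory=list)    # imported and matched
    findings: dict = field(default_factory=dict)  # Finding -> effective state


def load_suppressed(json_text: str) -> list:
    """Parse the constructed export format, rejecting unknown states."""
    items = []
    for rec in json.loads(json_text):
        if rec["state"] not in SUPPRESSED_STATES:
            raise ValueError(f"unexpected state {rec['state']!r}")
        items.append(SuppressedFinding(rec["check"], rec["url"],
                                       rec["state"], rec.get("comment", "")))
    return items


def correlate(imported: list, current_findings: list) -> Correlation:
    """Every imported item starts Inactive. A match on (check, exact URL)
    moves it to Active and overrides the current finding's state; anything
    unmatched stays Inactive."""
    result = Correlation(findings={f: "Vulnerability" for f in current_findings})
    for sup in imported:
        key = sup.key()
        if key in result.findings:
            result.findings[key] = sup.state
            result.active.append(sup)
        else:
            result.inactive.append(sup)
    return result


def mark_as_vulnerability(result: Correlation, sup: SuppressedFinding) -> None:
    """Equivalent of Mark as Vulnerability for one Active item."""
    result.active.remove(sup)
    result.findings[sup.key()] = "Vulnerability"


def reset_vulnerabilities(result: Correlation) -> None:
    """Equivalent of Reset Vulnerabilities: revert every Active item."""
    for sup in list(result.active):
        mark_as_vulnerability(result, sup)


# Constructed data: an export from "Scan No. 1" and the findings of "Scan No. 2".
SCAN1_EXPORT = json.dumps([
    {"check": "Cross-Site Scripting", "url": "http://www.mysite.com/foo/bar",
     "state": "False Positive", "comment": "Output is HTML-encoded by the template layer"},
    {"check": "SQL Injection", "url": "http://www.mysite.com/search", "state": "Ignore"},
    {"check": "Cross-Site Scripting", "url": "http://www.mysite.com/old/page",
     "state": "False Positive"},  # page no longer exists in Scan No. 2
])

SCAN2_FINDINGS = [
    Finding("Cross-Site Scripting", "http://www.mysite.com/foo/bar"),
    Finding("SQL Injection", "http://www.mysite.com/search"),
    Finding("Cross-Site Scripting", "http://www.mysite.com/foo/baz"),  # new, stays a vulnerability
]


def run_example() -> Correlation:
    return correlate(load_suppressed(SCAN1_EXPORT), SCAN2_FINDINGS)


if __name__ == "__main__":
    res = run_example()
    print("Active:", [(s.check, s.url, s.state) for s in res.active])
    print("Inactive:", [(s.check, s.url) for s in res.inactive])
    for finding, state in res.findings.items():
        print(f"{state:15} {finding.check} at {finding.url}")
```

The third imported record never moves out of the Inactive list because its URL does not appear in the second scan; this is also why a finding that has moved to a different URL, or whose URL now carries different parameters, is not suppressed by an import and must be re-triaged.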

Working with suppressed findings

  1. Select Suppressed Findings from the Scan Info panel.

  2. If necessary, click the plus sign next to a vulnerability description to display the associated URLs and state.

  3. For false positive items, click a URL to view a comment (at the bottom of the Information pane) that may have been entered when the user marked the vulnerability as False Positive.

  4. Continue according to the task you want to perform:

     To import suppressed findings from other scans:
       Continue with Selecting a scan to import suppressed findings.

     To import suppressed findings from a JSON file:
       1. Click Import from File.
          A standard Windows file selection dialog box opens.
       2. Select the file to import, and then click Open.

     To export suppressed findings to a JSON file:
       1. Click Export to File.
          A standard Windows Save As dialog box opens.
          Note: The default directory for suppressed findings exported to a file is <directory>:\ProgramData\HP\HP WebInspect\Settings\SuppressedFindings.
       2. In the File name box, type a name for the suppressed findings file.
       3. Click Save.

     To change a suppressed finding back to a vulnerability:
       1. Select an item from the Active Suppressed Findings list and click Mark as Vulnerability.
          The Mark As Vulnerability dialog box opens.
       2. Continue with Mark as vulnerability.

     To change all suppressed findings back to vulnerabilities:
       1. Click Reset Vulnerabilities.
          A confirmation dialog box opens.
       2. Click Yes.
          The suppressed findings are added back to the Findings tab.

     To remove an item from the Inactive Suppressed Findings list:
       Select the item and click Remove From Inactive.

     To edit the description for a false positive:
       1. Select the item and click Edit Description.
          The Edit False Positive Description dialog box opens.
       2. Edit the description, and then click OK.

See also

For information on how to designate a vulnerability as a false positive, see Navigation pane shortcut menu or Findings tab.

For more information on the OpenText DAST window, see OpenText DAST user interface.