False Positives in SC-DAST

I’ve encountered an issue and was hoping to get some insight on it.

Previously (under WebInspect Enterprise), when customers reported false positives to us, I opened the scan in WebInspect Enterprise, marked the appropriate issues as False Positive and republished the scan to SSC. Having the false positives in WebInspect would allow them to be marked as false positives on future scheduled scans if nothing changed. Moving to SC-DAST, we lost that feature/capability. I can mark them as not an issue in SSC, but they still show up on reports, and in the next scan the scanner flags it as a vulnerability again. Is there any way to have the scanners remember the false positives and flag them as such under SC-DAST? I’m getting lots of customer complaints regarding this.

I tried exporting a scan file from SC-DAST, importing it into WebInspect and marking the issues as false positive, exporting from WebInspect and reimporting into SC-DAST. Running a new scan got the original results with no false positives being marked.

As a side note: I don't see any way to push a scan from the scanner to SC-DAST without the export from WI, move the file, import into SC-DAST routine. Am I missing something there also?

Current setup:

Software Security Center version 24.2.0.0186

ScanCentral DAST version 24.2.0.127

  • Suggested Answer

    Working with Suppressed Findings

    Findings in ScanCentral DAST are referred to as issues when they are published to Fortify Software Security Center and managed in the AUDIT page. If you have configured Kafka settings in ScanCentral DAST to provide support for the syncing of audit history changes in Fortify Software Security Center, then when issues are suppressed in the AUDIT page, that action is synced in ScanCentral DAST. For more information on using the AUDIT page, see the OpenText™ Fortify Software Security Center User Guide.

    How Suppressed Issues are Synced

    Suppressed issues are correlated at the application version level. For application versions that are referenced in ScanCentral DAST, a background process requests that audits in Fortify Software Security Center be published to the Kafka message queue. ScanCentral DAST processes the audits and reflects any suppressed issues in its Scans view and scan visualization. For more information about these views, see Understanding the Scans View and Viewing Scan Results.

    Known Limitation with Suppressed Findings

    Suppressed findings do not currently include the full audit history. In ScanCentral DAST, you will see only the latest audit data per tag from Fortify Software Security Center, with no audit history.

    Reference: www.microfocus.com/.../index.htm