I’ve encountered an issue and was hoping to get some insight on it.
Previously (under WebInspect Enterprise), when customers reported false positives to us, I opened the scan in WebInspect Enterprise, marked the appropriate issues as False Positive and republished the scan to SSC. Having the false positives in WebInspect would allow them to be marked as false positives on future scheduled scans if nothing changed. Moving to SC-DAST, we lost that feature/capability. I can mark them as not an issue in SSC, but they still show up on reports, and in the next scan the scanner flags it as a vulnerability again. Is there any way to have the scanners remember the false positives and flag them as such under SC-DAST? I’m getting lots of customer complaints regarding this.
I tried exporting a scan file from SC-DAST, importing it into WebInspect and marking the issues as false positive, exporting from WebInspect and reimporting into SC-DAST. Running a new scan got the original results with no false positives being marked.
As a side note: I don't see any way to push a scan from the scanner to SC-DAST without the export-from-WI, move-the-file, import-into-SC-DAST routine. Am I missing something there also?
Current setup:
Software Security Center version 24.2.0.0186
ScanCentral DAST version 24.2.0.127